Analysis Overview
SHA256
ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50
Threat Level: Known bad
The file ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N was found to be: Known bad.
Malicious Activity Summary
Berbew
Berbew family
Adds autorun key to be loaded by Explorer.exe on startup
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 07:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 07:46
Reported
2024-11-07 07:48
Platform
win7-20240729-en
Max time kernel
62s
Max time network
17s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kfodfh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kageia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Khgkpl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Koaclfgl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbhbai32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jgjkfi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jpepkk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jpepkk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Khgkpl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kocpbfei.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kdphjm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kageia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kdphjm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Libjncnc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jnofgg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kfodfh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jbclgf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lplbjm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jpjifjdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Libjncnc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jgjkfi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jbclgf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jjjdhc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jbfilffm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kmimcbja.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jbfilffm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kekkiq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Koaclfgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jpjifjdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kmimcbja.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kbhbai32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jjjdhc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kekkiq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lplbjm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jnofgg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kocpbfei.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kdbepm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kdbepm32.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\Jbfilffm.exe | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| File created | C:\Windows\SysWOW64\Jipaip32.exe | C:\Windows\SysWOW64\Jbfilffm.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebenek32.dll | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kdphjm32.exe | C:\Windows\SysWOW64\Kocpbfei.exe | N/A |
| File created | C:\Windows\SysWOW64\Ccmkid32.dll | C:\Windows\SysWOW64\Jpepkk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lpgcln32.dll | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jnofgg32.exe | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| File created | C:\Windows\SysWOW64\Jlflfm32.dll | C:\Windows\SysWOW64\Kdbepm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jgjkfi32.exe | C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jpepkk32.exe | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| File created | C:\Windows\SysWOW64\Jbclgf32.exe | C:\Windows\SysWOW64\Jpepkk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jjjdhc32.exe | C:\Windows\SysWOW64\Jbclgf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jbfilffm.exe | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jjjdhc32.exe | C:\Windows\SysWOW64\Jbclgf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dnhanebc.dll | C:\Windows\SysWOW64\Jjjdhc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lplbjm32.exe | C:\Windows\SysWOW64\Libjncnc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lbjofi32.exe | C:\Windows\SysWOW64\Lplbjm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jpjifjdg.exe | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jfcabd32.exe | C:\Windows\SysWOW64\Jpjifjdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Keioca32.exe | C:\Windows\SysWOW64\Jnofgg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Abqcpo32.dll | C:\Windows\SysWOW64\Jnofgg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Khgkpl32.exe | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jfcabd32.exe | C:\Windows\SysWOW64\Jpjifjdg.exe | N/A |
| File created | C:\Windows\SysWOW64\Keioca32.exe | C:\Windows\SysWOW64\Jnofgg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Khgkpl32.exe | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kocpbfei.exe | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| File created | C:\Windows\SysWOW64\Pbkboega.dll | C:\Windows\SysWOW64\Khgkpl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Klecfkff.exe | C:\Windows\SysWOW64\Kekkiq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jpjifjdg.exe | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kfodfh32.exe | C:\Windows\SysWOW64\Kdphjm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kbhbai32.exe | C:\Windows\SysWOW64\Kageia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dlcdel32.dll | C:\Windows\SysWOW64\Libjncnc.exe | N/A |
| File created | C:\Windows\SysWOW64\Jllqplnp.exe | C:\Windows\SysWOW64\Jjjdhc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jhenjmbb.exe | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmkkio32.dll | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Koaclfgl.exe | C:\Windows\SysWOW64\Khgkpl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kdbepm32.exe | C:\Windows\SysWOW64\Kmimcbja.exe | N/A |
| File created | C:\Windows\SysWOW64\Jikhnaao.exe | C:\Windows\SysWOW64\Jgjkfi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Klecfkff.exe | C:\Windows\SysWOW64\Kekkiq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnnikfij.dll | C:\Windows\SysWOW64\Kocpbfei.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipafocdg.dll | C:\Windows\SysWOW64\Lplbjm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mebgijei.dll | C:\Windows\SysWOW64\Jbclgf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eplpdepa.dll | C:\Windows\SysWOW64\Jpjifjdg.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmimcbja.exe | C:\Windows\SysWOW64\Kfodfh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kmimcbja.exe | C:\Windows\SysWOW64\Kfodfh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lplbjm32.exe | C:\Windows\SysWOW64\Libjncnc.exe | N/A |
| File created | C:\Windows\SysWOW64\Ffakjm32.dll | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Libjncnc.exe | C:\Windows\SysWOW64\Kbhbai32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jpbpbbdb.dll | C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe | N/A |
| File created | C:\Windows\SysWOW64\Dfaaak32.dll | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jbclgf32.exe | C:\Windows\SysWOW64\Jpepkk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckmhkeef.dll | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| File created | C:\Windows\SysWOW64\Agioom32.dll | C:\Windows\SysWOW64\Koaclfgl.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbhbai32.exe | C:\Windows\SysWOW64\Kageia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bndneq32.dll | C:\Windows\SysWOW64\Kageia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qmeedp32.dll | C:\Windows\SysWOW64\Jgjkfi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jipaip32.exe | C:\Windows\SysWOW64\Jbfilffm.exe | N/A |
| File created | C:\Windows\SysWOW64\Kocpbfei.exe | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| File created | C:\Windows\SysWOW64\Kdbepm32.exe | C:\Windows\SysWOW64\Kmimcbja.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kageia32.exe | C:\Windows\SysWOW64\Kdbepm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Libjncnc.exe | C:\Windows\SysWOW64\Kbhbai32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lbjofi32.exe | C:\Windows\SysWOW64\Lplbjm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jnofgg32.exe | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| File created | C:\Windows\SysWOW64\Kekkiq32.exe | C:\Windows\SysWOW64\Koaclfgl.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jgjkfi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Khgkpl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kekkiq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kbhbai32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kdbepm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jjjdhc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Koaclfgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lbjofi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jpepkk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kdphjm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kfodfh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jpjifjdg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kmimcbja.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kageia32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jbfilffm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Libjncnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lplbjm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jbclgf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jnofgg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kocpbfei.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jjjdhc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kfodfh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll" | C:\Windows\SysWOW64\Lplbjm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jgjkfi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jpepkk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jbclgf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kekkiq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Libjncnc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll" | C:\Windows\SysWOW64\Libjncnc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbbdb.dll" | C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgcln32.dll" | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Koaclfgl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kdbepm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Koaclfgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kdbepm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbilijo.dll" | C:\Windows\SysWOW64\Jbfilffm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jbfilffm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll" | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kocpbfei.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kfodfh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodilc32.dll" | C:\Windows\SysWOW64\Kfodfh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll" | C:\Windows\SysWOW64\Kageia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmhkeef.dll" | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jbfilffm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkkio32.dll" | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jpepkk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll" | C:\Windows\SysWOW64\Jbclgf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kekkiq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kdphjm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agioom32.dll" | C:\Windows\SysWOW64\Koaclfgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll" | C:\Windows\SysWOW64\Kbhbai32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmeedp32.dll" | C:\Windows\SysWOW64\Jgjkfi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jnofgg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll" | C:\Windows\SysWOW64\Kdphjm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lplbjm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jjjdhc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jpjifjdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kocpbfei.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lplbjm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kmimcbja.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Libjncnc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkboega.dll" | C:\Windows\SysWOW64\Khgkpl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jbclgf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdapknb.dll" | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll" | C:\Windows\SysWOW64\Kmimcbja.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kbhbai32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaaak32.dll" | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplpdepa.dll" | C:\Windows\SysWOW64\Jpjifjdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jnofgg32.exe | N/A |
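The ShellServiceObjectDelayLoad rows and the CLSID rows above are two halves of one persistence mechanism: at logon Explorer.exe walks the values under ShellServiceObjectDelayLoad, treats each one as a CLSID, and loads whatever DLL is registered as that CLSID's InProcServer32. The rows also show the same CLSID being re-pointed at a different dropped DLL (Kcjeje32.dll, Pbkboega.dll, Pcdapknb.dll, ...) by successive generations of the chain, so the DLL that will actually load is whichever write came last. The Python below is an added example, not part of the sandbox report or of any vendor tooling; it resolves that mapping from the report's own row format. The sample rows are copied from this report's tables (the SSODL value from the behavioral2 table, the CLSID rows from the table above); the function names are mine.

```python
"""Resolve ShellServiceObjectDelayLoad persistence from sandbox registry-event rows.

Added example, not part of the sandbox report. Reads rows in the pipe-table
format used in the report and answers: which DLL will Explorer load for the
SSODL entry, and which earlier DLLs were registered for the same CLSID?
"""
import re
from collections import defaultdict

# Constructed sample: rows copied from this report's signature tables
# (the SSODL value from the behavioral2 table, the CLSID rows from behavioral1).
SAMPLE_ROWS = [
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hkikkeeo.exe | N/A |',
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jjjdhc32.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll" | C:\Windows\SysWOW64\Kdphjm32.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lplbjm32.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkboega.dll" | C:\Windows\SysWOW64\Khgkpl32.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdapknb.dll" | C:\Windows\SysWOW64\Keioca32.exe | N/A |',
]

# | op | indicator | process | target |
ROW_RE = re.compile(r"^\|\s*(?P<op>[^|]*?)\s*\|\s*(?P<ind>[^|]*?)\s*\|\s*(?P<proc>[^|]*?)\s*\|")
SSODL_RE = re.compile(r"\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$", re.IGNORECASE)
# Trailing "\" with an empty value name is the key's (Default) value, i.e. the server DLL.
INPROC_RE = re.compile(
    r"\\CLSID\\(?P<clsid>\{[0-9A-F-]+\})\\InProcServer32(?:\\(?P<valname>[^\\]*))?$", re.IGNORECASE)


def _set_value_rows(rows):
    """Yield (registry key, value, writing process) for every 'Set value' row."""
    for row in rows:
        m = ROW_RE.match(row)
        if not m or not m["op"].startswith("Set value"):
            continue
        key, sep, raw = m["ind"].partition(" = ")
        if not sep:
            continue
        # The sandbox escapes backslashes inside quoted data; undo that.
        yield key, raw.strip().strip('"').replace("\\\\", "\\"), m["proc"]


def resolve_ssodl(rows):
    """Map every SSODL entry to the DLL its CLSID currently points at (last write wins)."""
    ssodl = {}                    # entry name -> (clsid, last writer)
    inproc = {}                   # clsid -> (dll path, last writer)
    history = defaultdict(list)   # clsid -> every DLL ever registered, in event order
    threading = {}
    for key, val, proc in _set_value_rows(rows):
        s = SSODL_RE.search(key)
        i = INPROC_RE.search(key)
        if s:
            ssodl[s["name"]] = (val.upper(), proc)
        elif i:
            clsid, valname = i["clsid"].upper(), (i["valname"] or "")
            if valname == "":
                inproc[clsid] = (val, proc)
                history[clsid].append(val)
            elif valname.lower() == "threadingmodel":
                threading[clsid] = val
    findings = []
    for name, (clsid, writer) in ssodl.items():
        dll, dll_writer = inproc.get(clsid, (None, None))
        findings.append({
            "ssodl_entry": name,
            "clsid": clsid,
            "entry_written_by": writer,
            "loaded_dll": dll,            # None => CLSID never registered in these rows
            "dll_written_by": dll_writer,
            "threading_model": threading.get(clsid),
            "all_dlls_seen": history[clsid],
        })
    return findings


if __name__ == "__main__":
    for f in resolve_ssodl(SAMPLE_ROWS):
        print(f"SSODL '{f['ssodl_entry']}' -> {f['clsid']} -> {f['loaded_dll']}")
        print("  earlier DLLs registered for the same CLSID:", f["all_dlls_seen"][:-1])
```

Feed it every row of one detonation rather than the excerpt, and `all_dlls_seen` becomes the complete list of in-process DLLs to hunt for, while `loaded_dll` is the one the next logon would load. When checking a live host, query both the native key and the Wow6432Node view: every writer in these rows is a 32-bit process under SysWOW64, so the rows are the redirected 32-bit view, and for the same reason the `C:\Windows\system32\...` command lines in the process list below land in SysWOW64 through WoW64 file-system redirection.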
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe
"C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe"
C:\Windows\SysWOW64\Jgjkfi32.exe
C:\Windows\system32\Jgjkfi32.exe
C:\Windows\SysWOW64\Jikhnaao.exe
C:\Windows\system32\Jikhnaao.exe
C:\Windows\SysWOW64\Jpepkk32.exe
C:\Windows\system32\Jpepkk32.exe
C:\Windows\SysWOW64\Jbclgf32.exe
C:\Windows\system32\Jbclgf32.exe
C:\Windows\SysWOW64\Jjjdhc32.exe
C:\Windows\system32\Jjjdhc32.exe
C:\Windows\SysWOW64\Jllqplnp.exe
C:\Windows\system32\Jllqplnp.exe
C:\Windows\SysWOW64\Jbfilffm.exe
C:\Windows\system32\Jbfilffm.exe
C:\Windows\SysWOW64\Jipaip32.exe
C:\Windows\system32\Jipaip32.exe
C:\Windows\SysWOW64\Jpjifjdg.exe
C:\Windows\system32\Jpjifjdg.exe
C:\Windows\SysWOW64\Jfcabd32.exe
C:\Windows\system32\Jfcabd32.exe
C:\Windows\SysWOW64\Jhenjmbb.exe
C:\Windows\system32\Jhenjmbb.exe
C:\Windows\SysWOW64\Jnofgg32.exe
C:\Windows\system32\Jnofgg32.exe
C:\Windows\SysWOW64\Keioca32.exe
C:\Windows\system32\Keioca32.exe
C:\Windows\SysWOW64\Khgkpl32.exe
C:\Windows\system32\Khgkpl32.exe
C:\Windows\SysWOW64\Koaclfgl.exe
C:\Windows\system32\Koaclfgl.exe
C:\Windows\SysWOW64\Kekkiq32.exe
C:\Windows\system32\Kekkiq32.exe
C:\Windows\SysWOW64\Klecfkff.exe
C:\Windows\system32\Klecfkff.exe
C:\Windows\SysWOW64\Kocpbfei.exe
C:\Windows\system32\Kocpbfei.exe
C:\Windows\SysWOW64\Kdphjm32.exe
C:\Windows\system32\Kdphjm32.exe
C:\Windows\SysWOW64\Kfodfh32.exe
C:\Windows\system32\Kfodfh32.exe
C:\Windows\SysWOW64\Kmimcbja.exe
C:\Windows\system32\Kmimcbja.exe
C:\Windows\SysWOW64\Kdbepm32.exe
C:\Windows\system32\Kdbepm32.exe
C:\Windows\SysWOW64\Kageia32.exe
C:\Windows\system32\Kageia32.exe
C:\Windows\SysWOW64\Kbhbai32.exe
C:\Windows\system32\Kbhbai32.exe
C:\Windows\SysWOW64\Libjncnc.exe
C:\Windows\system32\Libjncnc.exe
C:\Windows\SysWOW64\Lplbjm32.exe
C:\Windows\system32\Lplbjm32.exe
C:\Windows\SysWOW64\Lbjofi32.exe
C:\Windows\system32\Lbjofi32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 140
Network
Files
memory/2188-0-0x0000000000400000-0x000000000043F000-memory.dmp
\Windows\SysWOW64\Jgjkfi32.exe
| MD5 | ed2f8e62c46228749a45086266100062 |
| SHA1 | 4d39896697547a482f71aa4aa5d6348ce2cba307 |
| SHA256 | ddbe2a8c86ae6e3a30b90bac934a3dd9aaec97903aba08e9e101022795088e1c |
| SHA512 | ab70198f46ef1df7c5d5d1edded3d152ad48372bff31a4ce55348d4e929582268c39e3d700203c4338bd79ff9c06e7e508fc8623b5beeb4628341622838d128f |
memory/2376-14-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Jikhnaao.exe
| MD5 | e495583774bd14c6e4e74ad384dfabd8 |
| SHA1 | af766670f5247eca215aacac558017b5f64275d4 |
| SHA256 | 377ec12481f13faa6b3b437e872ddc58055705d8354beb093c7efb3acaf97842 |
| SHA512 | 4751a09e91ca86537213b64c1796e2f352c08a5173f8dc2c8e9cf46468c93cdb5b131130126925ffa75ca8dd52f7cc1349bf781d2dbf191ab744b82b786a8921 |
memory/2776-32-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Jpepkk32.exe
| MD5 | 5cd198d00558ca06e0c7eb941a616b7f |
| SHA1 | 43cd8b1fc1425b80ab3ea227a1c7f247b97a5044 |
| SHA256 | 489213aecc60de3b2162aaa28767a7c93965c0def799662bdafde14bbfaf8411 |
| SHA512 | 1e67664621e7f3f2fb2915f47ce5c6d8e78f013034abfb8378202d1c8a8a59e774365b1030b04f0e8355cf4b95d851e0a681c0a022290605c055c6bbf574920d |
memory/2720-57-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1776-84-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3056-112-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2052-126-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2824-141-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2620-151-0x0000000000400000-0x000000000043F000-memory.dmp
memory/484-180-0x0000000000400000-0x000000000043F000-memory.dmp
memory/848-209-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2468-235-0x0000000000400000-0x000000000043F000-memory.dmp
memory/796-256-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1664-300-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2860-331-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2800-338-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2860-337-0x0000000000250000-0x000000000028F000-memory.dmp
memory/2860-336-0x0000000000250000-0x000000000028F000-memory.dmp
C:\Windows\SysWOW64\Lbjofi32.exe
| MD5 | acfdabdfaefa381167f9f19c4ff426cd |
| SHA1 | 03e0f31d6c98b063fb1cde6207fe8c366e0e26e8 |
| SHA256 | 091fd505ccb7a36d0557c7a58d7d07d379a4603331ed2397e30ea1ce8c1f7ffe |
| SHA512 | 45d8edd72f2e23e574f004ab3d0c129497800f1b2acc235cc3f579ee7509b989a5487133b93681ed63ed412c363ee62808de2eea8be45eabfb8a37fa66de4535 |
memory/1480-330-0x0000000000260000-0x000000000029F000-memory.dmp
memory/1480-329-0x0000000000260000-0x000000000029F000-memory.dmp
C:\Windows\SysWOW64\Lplbjm32.exe
| MD5 | aa1060c69c9536f08f31c3e935f42681 |
| SHA1 | 66ff608fea548a029b8769c4f0a625b08f47a877 |
| SHA256 | 5543cd9e2e3fb64397d3be719d8546baef296dfc8c30e6b5e5300443bbd2104a |
| SHA512 | da5e1a0c1038fb6bc6f1a95ea2c0d0678f21993ec2e8cb60042e05a58defad13582c825fa792997ab65d8791d7a00d3c1b479f9e17dbb33f7b29fd80b6aa0d7e |
memory/1480-319-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2520-318-0x0000000000280000-0x00000000002BF000-memory.dmp
C:\Windows\SysWOW64\Libjncnc.exe
| MD5 | 92cc718f390ca2b2b4acdccc15593ee4 |
| SHA1 | ee5178793e6673fbae57484e96ab0efc16392cfe |
| SHA256 | 10c0300e90797121aecb3d683d1fbfe1392c53943b39116076d57b75f0a1e282 |
| SHA512 | 584bf3cd6b2e1d8803422f99a65293f1b92a2d808d6fc8d55c1b4142b8a822e67452a24950448dfedb1b5b1b802ee7a2998c4d4add88d414124e7d4af2b1111f |
memory/2520-309-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Kbhbai32.exe
| MD5 | 9f53b13a7612ca308dbad27326662bfe |
| SHA1 | 844f40c6b764e6926285f4bc78f18357a197eb8c |
| SHA256 | 074c2971a6d86e9c1233315212b40ad5e2d21e3552ebf5a68fc8bd008bb896ec |
| SHA512 | 1267e37f5144aaf38c55e8a9002a2f67202fa0beabe590f57f9434e403a35c5ed1f85eb5bfc5146213083bc2a7d356c1fff8a9f45afa35a6a404f4e67743a7b8 |
memory/2304-299-0x0000000000250000-0x000000000028F000-memory.dmp
C:\Windows\SysWOW64\Kageia32.exe
| MD5 | e4b6a530b1112a07eefcf3226e6f36ac |
| SHA1 | 18bf710eddb1b87c7f9b478cf1cf1676bcf31498 |
| SHA256 | dcaeb30a72fe276b36d881283025759751dc562df0273630bdc83f26243a6e85 |
| SHA512 | 4e95ab434b8ff88fd82adf9f52da7d7a450261de24b50a88cca6aa675cc4bf5cb32539163b41c52290881e615894cd25856280695d6deff0e98d242394a02c74 |
memory/2304-290-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2104-289-0x00000000002D0000-0x000000000030F000-memory.dmp
C:\Windows\SysWOW64\Kdbepm32.exe
| MD5 | 694b3ad2cdc100e39ef568175de75834 |
| SHA1 | 569886a656767b662f774135a69e4af848588fd9 |
| SHA256 | 500454c1e160873338834ae8ceee2d6d8e5d58b4b4de02216a54b6af70717b44 |
| SHA512 | 57c26b3f08284a087b6307a6dc0725d9d857185d8677153b4c89e85bc155f6b4b1d871ac0efe9cdce1505f3650c5692295fc1b1a650540201495e36efbe17a0f |
memory/2104-277-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1888-276-0x0000000000250000-0x000000000028F000-memory.dmp
memory/1888-275-0x0000000000250000-0x000000000028F000-memory.dmp
C:\Windows\SysWOW64\Kmimcbja.exe
| MD5 | 87f29e43c9ba7148e59e0587449ee78c |
| SHA1 | 7e9fd895e292a3d2261e2f1797d4d0610fda1ef3 |
| SHA256 | 7096d8ae03f131a3f4b0afdffa63f0e5357c784fb882880d248a1a3fc59eee5e |
| SHA512 | 32380bd6d3c5fdd677d8b3ed77fe7f9eb4510f5ac0e19bb3fab343193423db42c598b40f4d56e802c43f96dee8d440de1c1e38f626ae46139aac04f493c2adb2 |
memory/1888-270-0x0000000000400000-0x000000000043F000-memory.dmp
memory/796-269-0x0000000000250000-0x000000000028F000-memory.dmp
memory/1016-255-0x00000000002E0000-0x000000000031F000-memory.dmp
memory/1016-254-0x00000000002E0000-0x000000000031F000-memory.dmp
C:\Windows\SysWOW64\Kfodfh32.exe
| MD5 | df5367e5a4a81797aaa4329cf1ccffc9 |
| SHA1 | b0076f0b45a780a35b7450d8157693bae168a70b |
| SHA256 | ddfb6b38d8c4931f3343074aa25aab7d57ab684cf1e9e3ea61425c9e741fa60c |
| SHA512 | aa7dafdfd16c614c34d51a0f2882488112cc8dec485e012e96210e5c7571fc983395f19a821a7dbbdf3acb29d7fcd5b30d22c6a304571d8ea69bf8bbea980770 |
C:\Windows\SysWOW64\Kdphjm32.exe
| MD5 | 7701a5f47eb26881870132810743dee5 |
| SHA1 | 3cb6d824d76038f11dc69986bac66be6dc76bd9b |
| SHA256 | 09982e9c23f6d1e244857c83ad6947a83a276a98e41184888465a337118d80ce |
| SHA512 | b630eebfd20f5c55ffe84e4c1dd15905bc2b511668a9280a5456d6faf51aaac9deb19a4c1ceccad5043ac2fd16f45bae88e59120bf2ba97de62be59bc1f69720 |
memory/1016-249-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2468-248-0x00000000002E0000-0x000000000031F000-memory.dmp
C:\Windows\SysWOW64\Kocpbfei.exe
| MD5 | df33a2ec047fea81ec05cad95daeb86c |
| SHA1 | eb564740f4dfb3e86652663906ec2badcaa6a0d0 |
| SHA256 | dc84ad496a70f866aa36b4a665b6fc6712c94cde1ef6f4fcebf2ce9d6807f7d3 |
| SHA512 | 09f7423c3b1e04dfbcb768bfde1768ac128b699368dffb1f433da9a3c72b7492402d6c18db4cfe061f63f7955f3245ed111041e9966f950f2e03c7f13109aac6 |
memory/1164-234-0x0000000000250000-0x000000000028F000-memory.dmp
memory/1164-233-0x0000000000250000-0x000000000028F000-memory.dmp
C:\Windows\SysWOW64\Klecfkff.exe
| MD5 | b6b34af828c70506bb95a0b88017ce8f |
| SHA1 | 9004b0441d002731487d740b2e4fd920d461e750 |
| SHA256 | df61acce046f1f80c477c824a7b96afc9b5a6ed2628cf00bce5ac018094f9803 |
| SHA512 | 4e800161bccc48cce788826f38838c000f75b934eb0c8c7ebd86a68c0bb4e78fe268641317550aac95b11a170213e0562d02f39013fa6a80c2585834654bfe2f |
memory/1164-228-0x0000000000400000-0x000000000043F000-memory.dmp
memory/848-227-0x0000000000250000-0x000000000028F000-memory.dmp
memory/848-222-0x0000000000250000-0x000000000028F000-memory.dmp
C:\Windows\SysWOW64\Kekkiq32.exe
| MD5 | cc735360f30b810a477416b7136163a8 |
| SHA1 | b11f664e9672aca0baf17d503369006e27139c22 |
| SHA256 | bd5a0012ef3fd6ce18d3ff31d25f8fa38ef5e586923eee228a47f5c3d7203b29 |
| SHA512 | 65d02655f9cc13da99e776cded736c8865caf8fb433813819e049b72c0fd38fe233bc442067c04b71a00f85cdf4e38e9c1f9deec53ab2ce2cfdfbb907005c929 |
memory/2340-208-0x00000000002D0000-0x000000000030F000-memory.dmp
memory/2340-207-0x00000000002D0000-0x000000000030F000-memory.dmp
C:\Windows\SysWOW64\Koaclfgl.exe
| MD5 | 9e72902778473be743411574027647bc |
| SHA1 | 66331d1e174036261647822785186f345c03e106 |
| SHA256 | 710b8afb8fde400d605bd0f0a0f245fcfe9da97590ef8931c58554e4f6087c9c |
| SHA512 | 9b29dd9191daeac1f97ec05b1c55b11d681dafe201801af24eab56c3c3144f96e824a7d0ea88dd5327b63d08685f973dfbb78dd664d10ba8463a76c50404b8fe |
memory/2340-198-0x0000000000400000-0x000000000043F000-memory.dmp
memory/484-193-0x0000000000250000-0x000000000028F000-memory.dmp
C:\Windows\SysWOW64\Khgkpl32.exe
| MD5 | 5781c4654ef7e7045d027c2d7f7186e4 |
| SHA1 | a04a0408a533d2fc295b420beeac37ee0c91e876 |
| SHA256 | 80c88635a1036a0c8cba2306285292f8d65ca7a6aae75a7da01f68146c3027af |
| SHA512 | bb7ecc90c721248bff9b8acc80fb46cecd24c223566966a30f8002cd829b562ae4dbba20b9e4a3483e15cdbf8cc821c84b2b8246e633e59332e17b2554f8ca3d |
memory/2932-179-0x0000000000250000-0x000000000028F000-memory.dmp
memory/2932-178-0x0000000000250000-0x000000000028F000-memory.dmp
C:\Windows\SysWOW64\Keioca32.exe
| MD5 | adb710cfbaeb124ed2071abdc83c060d |
| SHA1 | 34032627f26b73218effd890d5262c1365939a20 |
| SHA256 | 52533e7b2c20e12de4a4914c45b982c9262a79737b0c69cf6e011d452ecac770 |
| SHA512 | 52bf812b0b8a57320d179d077e0fe1ffb63342b3ea0e1506484aad0b4c1b3379b775c39827e5fee2d1b11b96d6692cec58a080de6d01ab69431bcfdec8558c92 |
memory/2932-169-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2620-164-0x0000000000250000-0x000000000028F000-memory.dmp
C:\Windows\SysWOW64\Jnofgg32.exe
| MD5 | d0fcf82fd1945fc48fc00209074a7b20 |
| SHA1 | dd3329490f7a94d0a392b78706ab886e7d1b94e6 |
| SHA256 | 1211e9cd701605deb587a7c4041df87744becb3d3255c43c2df6141ebb2335c5 |
| SHA512 | e6b86bb3fbed9d8ffe9612317cba46b289165b0786c34cb87b7fc600fccd9e2ec4a739b532e3df979bc71f3f7557910bd2a8b64ab42d5ed0cbdc5cd5365c10df |
memory/2824-150-0x0000000000330000-0x000000000036F000-memory.dmp
C:\Windows\SysWOW64\Jhenjmbb.exe
| MD5 | 51e565ef54320e4bc66bb1289f53ce18 |
| SHA1 | b3d238378962d9b2344bcc64831348d839af3819 |
| SHA256 | f63d4d06a5affc1a8104af71b6064cbc62fe88a0b5adc8b11e596477e1d07857 |
| SHA512 | a9638c4bb71a34a2039ae8af0d9f192269befac9bf0bb2dc74c0bc1190bf20629ca3008ab6021462cf64efa68fe363d4cede05b284a413a7b03c11e4575e9599 |
memory/2052-139-0x0000000000250000-0x000000000028F000-memory.dmp
C:\Windows\SysWOW64\Jfcabd32.exe
| MD5 | 8285dbb155d844f9ecf7bac1427de000 |
| SHA1 | 40938b7409244b3be920086151dea73486d4715f |
| SHA256 | d9ca62b9b96648eba89f13bd37aae8abd92f4333d270ffe25ec0d5f0c4f82c1a |
| SHA512 | 2d5e848e933d75a30e18cc720ab7cd48f0417cf46890eeabe1cbe3d93c0d91e652b0a5a088af777f0591dc0d3a714739f070ea6b363c6171f14a6f551bb216e0 |
memory/3056-125-0x0000000000250000-0x000000000028F000-memory.dmp
C:\Windows\SysWOW64\Jpjifjdg.exe
| MD5 | 465691b6c4b680d8c72d51c381a09989 |
| SHA1 | fd9f3da357707a17fcda1dc132c79d340a7680f9 |
| SHA256 | 16bc869b6e653942e0772135d0d5c938f1560aea64f96abff3af2995cb1cca32 |
| SHA512 | 423db92c5b4c14df2e73d7dabe186cc6b36985d37d4664ddcdad96b4cc78aec25727c354c4379ea8d60d30da4757e29b1f52390192d49cd0d320e8df5a0b323e |
memory/2440-111-0x0000000000440000-0x000000000047F000-memory.dmp
C:\Windows\SysWOW64\Jipaip32.exe
| MD5 | 4a018d725a330c396449eb18e23277c5 |
| SHA1 | 7ad4222cfaeff40da4a9b979c9c69547103011ea |
| SHA256 | fb16e6b23db1c49ba1bc0889770a778fa3171d52e9e05c4fbad00fca999c7f90 |
| SHA512 | 097c6174c7fc9b796722a00a1476aef4e5a82ac19e859a54f8ee782715d148f30e6e35d8c5ec33686db11e9cc9981ec206dbb30ffc7bb71e1f2fa4e1a81da0f1 |
memory/2440-95-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1776-94-0x0000000000250000-0x000000000028F000-memory.dmp
C:\Windows\SysWOW64\Jbfilffm.exe
| MD5 | 8716ee7716309a0c0e0427c83826a480 |
| SHA1 | 449160263efb63dd184949694063d6a2f583d717 |
| SHA256 | ef52f4163b9b176b6ee28de85986f923e29cab8266c26742d71225226f989ed6 |
| SHA512 | 280877230abadec40d21148a62386c0b01e845e9e1f962020c556fee9995344ffb19459674c7fa1a5b0d148ba8f6743263019c3ed9315c5d4547273209d8498f |
C:\Windows\SysWOW64\Jllqplnp.exe
| MD5 | 1a5803752d62b77c30618f9e2174affe |
| SHA1 | 52299255e3ef72f7707b6afd38d814e841dcbbeb |
| SHA256 | 6c1a65cb4fa01d2debfefcee5dd796468f447a90eeead70fbc0a4ff6873fb9ee |
| SHA512 | 5416b8723f4a588881328809c5017fd12a39513d32ab51f613d1f8b238f94d0c3f9fc301f816675c4e502ef4dc76bce58c7c53e80bf81d0f929bb1faf0c147c0 |
memory/2596-68-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2720-67-0x0000000000440000-0x000000000047F000-memory.dmp
C:\Windows\SysWOW64\Jjjdhc32.exe
| MD5 | 493c2ed7cc133e9a58585d2b21bcd972 |
| SHA1 | f3f0b2f70e15723695421a2ac08a2796a6682967 |
| SHA256 | 12c18817f0be0c4e2937d973cddc6cd9e1ff27bce8e2607185fabbe86aa6b41c |
| SHA512 | 17e943fe5061a7f58b4cd7388d6faec113673cb2ddcfa3cbe45076b6b12275275d7b27da04f4f79feea2800fbeb0dda59da5116b745f2a7e6dc4c9bc0eec67c1 |
C:\Windows\SysWOW64\Jbclgf32.exe
| MD5 | 51b95a834fa64cd7d0a158c7239dd4ea |
| SHA1 | 799e9c78bdb50021fe17ce893ec319ffe855f9ef |
| SHA256 | 61075458009c401d4acd830edb64da5f5a149229234cc5fce52251ba00912690 |
| SHA512 | 7b2f21e1f110607efa6c98621dfc8e1f97fed760fb7b70100764b451cc55d0a9bc0fad6867d211df7d4ef12e7c34639f8fd9b8f062fb0d4b39c1e47b329b4124 |
memory/2724-45-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2188-13-0x0000000000440000-0x000000000047F000-memory.dmp
memory/2188-12-0x0000000000440000-0x000000000047F000-memory.dmp
memory/2720-356-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2376-355-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2188-354-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2596-353-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3056-352-0x0000000000400000-0x000000000043F000-memory.dmp
memory/484-351-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2440-350-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1776-349-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2052-348-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2620-347-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2468-346-0x0000000000400000-0x000000000043F000-memory.dmp
memory/848-345-0x0000000000400000-0x000000000043F000-memory.dmp
memory/796-344-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2104-343-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2304-342-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1664-341-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2520-340-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1480-339-0x0000000000400000-0x000000000043F000-memory.dmp
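The Files listing above is flat: each dropped binary's path is followed by its four hash rows, and per-PID memory dump ranges are interleaved in event order (the PID and a sequence number are encoded in the dump name). The Python below is an added example, not part of the sandbox output or of any vendor tool; it parses that layout into records, validates hash lengths so a truncated row cannot become a bad indicator, and summarises the dumped regions per PID. The sample text is a constructed excerpt copied from the listing above; the function names are mine.

```python
"""Parse the sandbox 'Files' section (dropped-file hashes interleaved with memory dumps).

Added example, not part of the sandbox report. Turns the flat listing into
records you can feed to a blocklist or compare across generations of the chain.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the Files section of behavioral1.
SAMPLE = r"""
memory/2188-0-0x0000000000400000-0x000000000043F000-memory.dmp
\Windows\SysWOW64\Jgjkfi32.exe
| MD5 | ed2f8e62c46228749a45086266100062 |
| SHA1 | 4d39896697547a482f71aa4aa5d6348ce2cba307 |
| SHA256 | ddbe2a8c86ae6e3a30b90bac934a3dd9aaec97903aba08e9e101022795088e1c |
| SHA512 | ab70198f46ef1df7c5d5d1edded3d152ad48372bff31a4ce55348d4e929582268c39e3d700203c4338bd79ff9c06e7e508fc8623b5beeb4628341622838d128f |
memory/2376-14-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Jikhnaao.exe
| MD5 | e495583774bd14c6e4e74ad384dfabd8 |
| SHA1 | af766670f5247eca215aacac558017b5f64275d4 |
| SHA256 | 377ec12481f13faa6b3b437e872ddc58055705d8354beb093c7efb3acaf97842 |
| SHA512 | 4751a09e91ca86537213b64c1796e2f352c08a5173f8dc2c8e9cf46468c93cdb5b131130126925ffa75ca8dd52f7cc1349bf781d2dbf191ab744b82b786a8921 |
memory/2776-32-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2188-13-0x0000000000440000-0x000000000047F000-memory.dmp
memory/2188-12-0x0000000000440000-0x000000000047F000-memory.dmp
memory/2860-337-0x0000000000250000-0x000000000028F000-memory.dmp
"""

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(?P<alg>MD5|SHA1|SHA256|SHA512)\s*\|\s*(?P<hex>[0-9A-Fa-f]+)\s*\|$")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}   # hex digits


def parse_files_section(text):
    """Return (file records, {pid: [(start, end), ...]}).

    Any line that is neither a memory-dump name nor a hash row starts a new
    file record; the hash rows that follow belong to it.
    """
    files, dumps, current = [], defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            dumps[int(m["pid"])].append((int(m["start"], 16), int(m["end"], 16)))
            current = None          # a hash row after a dump line would be malformed
            continue
        h = HASH_RE.match(line)
        if h:
            if current is None:
                raise ValueError(f"hash row with no preceding file path: {line}")
            alg, digest = h["alg"].lower(), h["hex"].lower()
            if len(digest) != HASH_LEN[alg]:
                raise ValueError(f"{alg} for {current['path']} has {len(digest)} hex digits")
            current[alg] = digest
            continue
        current = {"path": line}
        files.append(current)
    return files, dumps


def hash_list(files, alg="sha256"):
    """Distinct digests of one algorithm, ready for a blocklist or a retro-hunt query."""
    return sorted({f[alg] for f in files if alg in f})


def region_sizes(dumps):
    """Per PID, the distinct (base, size) pairs that were dumped (duplicate dumps collapsed)."""
    return {pid: sorted({(s, e - s) for s, e in regs}) for pid, regs in dumps.items()}


def image_sizes_at(dumps, base=0x400000):
    """Sizes of every dumped region mapped at `base`; a single value means every
    dumped process had an image of the same size at the default 32-bit image base."""
    return {e - s for regs in dumps.values() for s, e in regs if s == base}


if __name__ == "__main__":
    files, dumps = parse_files_section(SAMPLE)
    print("sha256 blocklist:", hash_list(files))
    print("image sizes at 0x400000:", [hex(x) for x in image_sizes_at(dumps)])
    for pid, regs in sorted(region_sizes(dumps).items()):
        print(pid, [(hex(b), hex(sz)) for b, sz in regs])
```

Run over the whole listing, `hash_list` gives one blocklist per algorithm and `region_sizes` makes the pattern in the dump names explicit: every process was dumped at 0x400000 with the same 0x3F000 size, and several PIDs also have a second 0x3F000 region at 0x440000 or 0x250000. Those second regions are the natural place to start when diffing a parent's memory against the file it dropped next, given the WriteProcessMemory signature on this report; the parser only surfaces them, it does not establish what they contain.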
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 07:46
Reported
2024-11-07 07:48
Platform
win10v2004-20241007-en
Max time kernel
91s
Max time network
92s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iikhfg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pnonbk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hkikkeeo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lpqiemge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mmlpoqpg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fhqcam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hkmefd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jehokgge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fojlngce.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ifgbnlmj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Imdgqfbd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lgokmgjm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Miifeq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kedoge32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lbjlfi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ojaelm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ojaelm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pqmjog32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ceqnmpfo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdfkolkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ikpaldog.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pjeoglgc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pcncpbmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Belebq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ndcdmikd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pfhfan32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hecmijim.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Imoneg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pgllfp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ngpccdlj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nfgmjqop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pfhfan32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bffkij32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmgjgcgo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Npmagine.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pgioqq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lmppcbjd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmoahijl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nckndeni.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pdpmpdbd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fhgjblfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Likjcbkc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ceqnmpfo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nnlhfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Afhohlbj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hiefcj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgddhf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pjeoglgc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Glhonj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gfembo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mnebeogl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ocbddc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Flnlhk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ildkgc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ncdgcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pdmpje32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Npfkgjdn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ncianepl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qmmnjfnl.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Hopnqdan.exe | C:\Windows\SysWOW64\Hiefcj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Odkjng32.exe | C:\Windows\SysWOW64\Olcbmj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lnlden32.dll | C:\Windows\SysWOW64\Pgllfp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bcebhoii.exe | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Belebq32.exe | C:\Windows\SysWOW64\Bmemac32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oijgnaaa.dll | C:\Windows\SysWOW64\Fckajehi.exe | N/A |
| File created | C:\Windows\SysWOW64\Mgddhf32.exe | C:\Windows\SysWOW64\Mdehlk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pncgmkmj.exe | C:\Windows\SysWOW64\Pgioqq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Acjclpcf.exe | C:\Windows\SysWOW64\Ampkof32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmngqdpj.exe | C:\Windows\SysWOW64\Bfdodjhm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bfkedibe.exe | C:\Windows\SysWOW64\Beihma32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eheqhpfp.dll | C:\Windows\SysWOW64\Iefioj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aminee32.exe | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fpdaoioe.dll | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ildkgc32.exe | C:\Windows\SysWOW64\Iifokh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nnlhfn32.exe | C:\Windows\SysWOW64\Ngbpidjh.exe | N/A |
| File created | C:\Windows\SysWOW64\Nckndeni.exe | C:\Windows\SysWOW64\Npmagine.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oqfdnhfk.exe | C:\Windows\SysWOW64\Onhhamgg.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpoddikd.dll | C:\Windows\SysWOW64\Acnlgp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fhjfhl32.exe | C:\Windows\SysWOW64\Ffkjlp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iccbgbmg.dll | C:\Windows\SysWOW64\Ifgbnlmj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jmmjgejj.exe | C:\Windows\SysWOW64\Jefbfgig.exe | N/A |
| File created | C:\Windows\SysWOW64\Djkahqga.dll | C:\Windows\SysWOW64\Klgqcqkl.exe | N/A |
| File created | C:\Windows\SysWOW64\Mdjagjco.exe | C:\Windows\SysWOW64\Mpoefk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ofqpqo32.exe | C:\Windows\SysWOW64\Ocbddc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ojaelm32.exe | C:\Windows\SysWOW64\Ogbipa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kgngca32.dll | C:\Windows\SysWOW64\Qfcfml32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fohoigfh.exe | C:\Windows\SysWOW64\Edbklofb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cegdnopg.exe | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| File created | C:\Windows\SysWOW64\Hhqeiena.dll | C:\Windows\SysWOW64\Bcjlcn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oomibind.dll | C:\Windows\SysWOW64\Pmdkch32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lbkdpj32.dll | C:\Windows\SysWOW64\Gdcdbl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gnchkk32.dll | C:\Windows\SysWOW64\Iemppiab.exe | N/A |
| File created | C:\Windows\SysWOW64\Likjcbkc.exe | C:\Windows\SysWOW64\Lpcfkm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Miemjaci.exe | C:\Windows\SysWOW64\Mckemg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qjkmdp32.dll | C:\Windows\SysWOW64\Ncdgcf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dobfld32.exe | C:\Windows\SysWOW64\Ddmaok32.exe | N/A |
| File created | C:\Windows\SysWOW64\Flnlhk32.exe | C:\Windows\SysWOW64\Fojlngce.exe | N/A |
| File created | C:\Windows\SysWOW64\Nffbangm.dll | C:\Windows\SysWOW64\Jplfcpin.exe | N/A |
| File created | C:\Windows\SysWOW64\Nfgmjqop.exe | C:\Windows\SysWOW64\Ncianepl.exe | N/A |
| File created | C:\Windows\SysWOW64\Qgqeappe.exe | C:\Windows\SysWOW64\Qceiaa32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fkffog32.exe | C:\Windows\SysWOW64\Fhgjblfq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lmppcbjd.exe | C:\Windows\SysWOW64\Leihbeib.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbmgladp.dll | C:\Windows\SysWOW64\Ngpccdlj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pcncpbmd.exe | C:\Windows\SysWOW64\Pmdkch32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Acjclpcf.exe | C:\Windows\SysWOW64\Ampkof32.exe | N/A |
| File created | C:\Windows\SysWOW64\Agoabn32.exe | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Agjbpg32.dll | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ildkgc32.exe | C:\Windows\SysWOW64\Iifokh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Klimip32.exe | C:\Windows\SysWOW64\Klgqcqkl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Npjebj32.exe | C:\Windows\SysWOW64\Nnlhfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Imoneg32.exe | C:\Windows\SysWOW64\Iehfdi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gdcdbl32.exe | C:\Windows\SysWOW64\Gcagkdba.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hbgmcnhf.exe | C:\Windows\SysWOW64\Hkmefd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ibcmom32.exe | C:\Windows\SysWOW64\Ilidbbgl.exe | N/A |
| File created | C:\Windows\SysWOW64\Knkffk32.dll | C:\Windows\SysWOW64\Flnlhk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mfadpi32.dll | C:\Windows\SysWOW64\Iifokh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Coffpf32.dll | C:\Windows\SysWOW64\Ndcdmikd.exe | N/A |
| File created | C:\Windows\SysWOW64\Llmglb32.dll | C:\Windows\SysWOW64\Opdghh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cffdpghg.exe | C:\Windows\SysWOW64\Ceehho32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dddhpjof.exe | C:\Windows\SysWOW64\Daekdooc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fkciihgg.exe | C:\Windows\SysWOW64\Ffgqqaip.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogibpb32.dll | C:\Windows\SysWOW64\Likjcbkc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mgkjhe32.exe | C:\Windows\SysWOW64\Mcpnhfhf.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Klimip32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ngbpidjh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Anogiicl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Onhhamgg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmngqdpj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gbgdlq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Imdgqfbd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jfoiokfb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jmknaell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ncdgcf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pfhfan32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qceiaa32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lmdina32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mmbfpp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ofqpqo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qgcbgo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aminee32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hkikkeeo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ogkcpbam.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pjeoglgc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Odkjng32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Opakbi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gkaejf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ilghlc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lpcfkm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mmlpoqpg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Opdghh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fckajehi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gcfqfc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Olcbmj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pcncpbmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bcebhoii.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iefioj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Miifeq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ampkof32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Beeoaapl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Glhonj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ikpaldog.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iifokh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iikhfg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jlkagbej.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fhgjblfq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gdeqhl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Himldi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Klqcioba.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fojlngce.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nphhmj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qqfmde32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfpgffpm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pnfdcjkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Olmeci32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pdfjifjo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pgllfp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fohoigfh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fhjfhl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jlbgha32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Leihbeib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nfgmjqop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aqppkd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jbhfjljd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qmmnjfnl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gdeqhl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adecfl32.dll" | C:\Windows\SysWOW64\Icifbang.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ildkgc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ibnccmbo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flakmgga.dll" | C:\Windows\SysWOW64\Ibcmom32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingapb32.dll" | C:\Windows\SysWOW64\Jlbgha32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll" | C:\Windows\SysWOW64\Ojgbfocc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll" | C:\Windows\SysWOW64\Aqncedbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll" | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ceqnmpfo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fohoigfh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihoofe32.dll" | C:\Windows\SysWOW64\Imdgqfbd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ibqpimpl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mgddhf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll" | C:\Windows\SysWOW64\Ogifjcdp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Afhohlbj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll" | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hmfkoh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll" | C:\Windows\SysWOW64\Odkjng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ibnccmbo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jlbgha32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lbjlfi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll" | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll" | C:\Windows\SysWOW64\Pgioqq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fhqcam32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jlkagbej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lmiciaaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lphoelqn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll" | C:\Windows\SysWOW64\Npmagine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ogkcpbam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pjeoglgc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Agoabn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Beeoaapl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll" | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naoncahj.dll" | C:\Windows\SysWOW64\Hkikkeeo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hkmefd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ikpaldog.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ilidbbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jholncde.dll" | C:\Windows\SysWOW64\Mckemg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nnjlpo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll" | C:\Windows\SysWOW64\Nnjlpo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll" | C:\Windows\SysWOW64\Onhhamgg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll" | C:\Windows\SysWOW64\Oqfdnhfk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Afmhck32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bcjlcn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffbangm.dll" | C:\Windows\SysWOW64\Jplfcpin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Njefqo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Opdghh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pgllfp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gkaejf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll" | C:\Windows\SysWOW64\Nnneknob.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ojoign32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll" | C:\Windows\SysWOW64\Qgqeappe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Afmhck32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll" | C:\Windows\SysWOW64\Ngbpidjh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ocdqjceo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ampkof32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cmnpgb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lmdina32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe
"C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe"
C:\Windows\SysWOW64\Eadopc32.exe
C:\Windows\system32\Eadopc32.exe
C:\Windows\SysWOW64\Edbklofb.exe
C:\Windows\system32\Edbklofb.exe
C:\Windows\SysWOW64\Fohoigfh.exe
C:\Windows\system32\Fohoigfh.exe
C:\Windows\SysWOW64\Fhqcam32.exe
C:\Windows\system32\Fhqcam32.exe
C:\Windows\SysWOW64\Fojlngce.exe
C:\Windows\system32\Fojlngce.exe
C:\Windows\SysWOW64\Flnlhk32.exe
C:\Windows\system32\Flnlhk32.exe
C:\Windows\SysWOW64\Ffgqqaip.exe
C:\Windows\system32\Ffgqqaip.exe
C:\Windows\SysWOW64\Fkciihgg.exe
C:\Windows\system32\Fkciihgg.exe
C:\Windows\SysWOW64\Fckajehi.exe
C:\Windows\system32\Fckajehi.exe
C:\Windows\SysWOW64\Fhgjblfq.exe
C:\Windows\system32\Fhgjblfq.exe
C:\Windows\SysWOW64\Fkffog32.exe
C:\Windows\system32\Fkffog32.exe
C:\Windows\SysWOW64\Ffkjlp32.exe
C:\Windows\system32\Ffkjlp32.exe
C:\Windows\SysWOW64\Fhjfhl32.exe
C:\Windows\system32\Fhjfhl32.exe
C:\Windows\SysWOW64\Gbbkaako.exe
C:\Windows\system32\Gbbkaako.exe
C:\Windows\SysWOW64\Glhonj32.exe
C:\Windows\system32\Glhonj32.exe
C:\Windows\SysWOW64\Gcagkdba.exe
C:\Windows\system32\Gcagkdba.exe
C:\Windows\SysWOW64\Gdcdbl32.exe
C:\Windows\system32\Gdcdbl32.exe
C:\Windows\SysWOW64\Gbgdlq32.exe
C:\Windows\system32\Gbgdlq32.exe
C:\Windows\SysWOW64\Gfbploob.exe
C:\Windows\system32\Gfbploob.exe
C:\Windows\SysWOW64\Gdeqhl32.exe
C:\Windows\system32\Gdeqhl32.exe
C:\Windows\SysWOW64\Gcfqfc32.exe
C:\Windows\system32\Gcfqfc32.exe
C:\Windows\SysWOW64\Gfembo32.exe
C:\Windows\system32\Gfembo32.exe
C:\Windows\SysWOW64\Gkaejf32.exe
C:\Windows\system32\Gkaejf32.exe
C:\Windows\SysWOW64\Gblngpbd.exe
C:\Windows\system32\Gblngpbd.exe
C:\Windows\SysWOW64\Hiefcj32.exe
C:\Windows\system32\Hiefcj32.exe
C:\Windows\SysWOW64\Hopnqdan.exe
C:\Windows\system32\Hopnqdan.exe
C:\Windows\SysWOW64\Hckjacjg.exe
C:\Windows\system32\Hckjacjg.exe
C:\Windows\SysWOW64\Hbpgbo32.exe
C:\Windows\system32\Hbpgbo32.exe
C:\Windows\SysWOW64\Hmfkoh32.exe
C:\Windows\system32\Hmfkoh32.exe
C:\Windows\SysWOW64\Hkikkeeo.exe
C:\Windows\system32\Hkikkeeo.exe
C:\Windows\SysWOW64\Himldi32.exe
C:\Windows\system32\Himldi32.exe
C:\Windows\SysWOW64\Hkkhqd32.exe
C:\Windows\system32\Hkkhqd32.exe
C:\Windows\SysWOW64\Hecmijim.exe
C:\Windows\system32\Hecmijim.exe
C:\Windows\SysWOW64\Hkmefd32.exe
C:\Windows\system32\Hkmefd32.exe
C:\Windows\SysWOW64\Hbgmcnhf.exe
C:\Windows\system32\Hbgmcnhf.exe
C:\Windows\SysWOW64\Iefioj32.exe
C:\Windows\system32\Iefioj32.exe
C:\Windows\SysWOW64\Ikpaldog.exe
C:\Windows\system32\Ikpaldog.exe
C:\Windows\SysWOW64\Icgjmapi.exe
C:\Windows\system32\Icgjmapi.exe
C:\Windows\SysWOW64\Iehfdi32.exe
C:\Windows\system32\Iehfdi32.exe
C:\Windows\SysWOW64\Imoneg32.exe
C:\Windows\system32\Imoneg32.exe
C:\Windows\SysWOW64\Icifbang.exe
C:\Windows\system32\Icifbang.exe
C:\Windows\SysWOW64\Ifgbnlmj.exe
C:\Windows\system32\Ifgbnlmj.exe
C:\Windows\SysWOW64\Iifokh32.exe
C:\Windows\system32\Iifokh32.exe
C:\Windows\SysWOW64\Ildkgc32.exe
C:\Windows\system32\Ildkgc32.exe
C:\Windows\SysWOW64\Ibnccmbo.exe
C:\Windows\system32\Ibnccmbo.exe
C:\Windows\SysWOW64\Iemppiab.exe
C:\Windows\system32\Iemppiab.exe
C:\Windows\SysWOW64\Imdgqfbd.exe
C:\Windows\system32\Imdgqfbd.exe
C:\Windows\SysWOW64\Ilghlc32.exe
C:\Windows\system32\Ilghlc32.exe
C:\Windows\SysWOW64\Ibqpimpl.exe
C:\Windows\system32\Ibqpimpl.exe
C:\Windows\SysWOW64\Iikhfg32.exe
C:\Windows\system32\Iikhfg32.exe
C:\Windows\SysWOW64\Ilidbbgl.exe
C:\Windows\system32\Ilidbbgl.exe
C:\Windows\SysWOW64\Ibcmom32.exe
C:\Windows\system32\Ibcmom32.exe
C:\Windows\SysWOW64\Jfoiokfb.exe
C:\Windows\system32\Jfoiokfb.exe
C:\Windows\SysWOW64\Jimekgff.exe
C:\Windows\system32\Jimekgff.exe
C:\Windows\SysWOW64\Jlkagbej.exe
C:\Windows\system32\Jlkagbej.exe
C:\Windows\SysWOW64\Jfaedkdp.exe
C:\Windows\system32\Jfaedkdp.exe
C:\Windows\SysWOW64\Jmknaell.exe
C:\Windows\system32\Jmknaell.exe
C:\Windows\SysWOW64\Jbhfjljd.exe
C:\Windows\system32\Jbhfjljd.exe
C:\Windows\SysWOW64\Jefbfgig.exe
C:\Windows\system32\Jefbfgig.exe
C:\Windows\SysWOW64\Jmmjgejj.exe
C:\Windows\system32\Jmmjgejj.exe
C:\Windows\SysWOW64\Jplfcpin.exe
C:\Windows\system32\Jplfcpin.exe
C:\Windows\SysWOW64\Jehokgge.exe
C:\Windows\system32\Jehokgge.exe
C:\Windows\SysWOW64\Jlbgha32.exe
C:\Windows\system32\Jlbgha32.exe
C:\Windows\SysWOW64\Jcioiood.exe
C:\Windows\system32\Jcioiood.exe
C:\Windows\SysWOW64\Jifhaenk.exe
C:\Windows\system32\Jifhaenk.exe
C:\Windows\SysWOW64\Jcllonma.exe
C:\Windows\system32\Jcllonma.exe
C:\Windows\SysWOW64\Klgqcqkl.exe
C:\Windows\system32\Klgqcqkl.exe
C:\Windows\SysWOW64\Klimip32.exe
C:\Windows\system32\Klimip32.exe
C:\Windows\SysWOW64\Klljnp32.exe
C:\Windows\system32\Klljnp32.exe
C:\Windows\SysWOW64\Kedoge32.exe
C:\Windows\system32\Kedoge32.exe
C:\Windows\SysWOW64\Kmkfhc32.exe
C:\Windows\system32\Kmkfhc32.exe
C:\Windows\SysWOW64\Kfckahdj.exe
C:\Windows\system32\Kfckahdj.exe
C:\Windows\SysWOW64\Klqcioba.exe
C:\Windows\system32\Klqcioba.exe
C:\Windows\SysWOW64\Lbjlfi32.exe
C:\Windows\system32\Lbjlfi32.exe
C:\Windows\SysWOW64\Leihbeib.exe
C:\Windows\system32\Leihbeib.exe
C:\Windows\SysWOW64\Lmppcbjd.exe
C:\Windows\system32\Lmppcbjd.exe
C:\Windows\SysWOW64\Lbmhlihl.exe
C:\Windows\system32\Lbmhlihl.exe
C:\Windows\SysWOW64\Lekehdgp.exe
C:\Windows\system32\Lekehdgp.exe
C:\Windows\SysWOW64\Lmbmibhb.exe
C:\Windows\system32\Lmbmibhb.exe
C:\Windows\SysWOW64\Lpqiemge.exe
C:\Windows\system32\Lpqiemge.exe
C:\Windows\SysWOW64\Lboeaifi.exe
C:\Windows\system32\Lboeaifi.exe
C:\Windows\SysWOW64\Lenamdem.exe
C:\Windows\system32\Lenamdem.exe
C:\Windows\SysWOW64\Lmdina32.exe
C:\Windows\system32\Lmdina32.exe
C:\Windows\SysWOW64\Lpcfkm32.exe
C:\Windows\system32\Lpcfkm32.exe
C:\Windows\SysWOW64\Likjcbkc.exe
C:\Windows\system32\Likjcbkc.exe
C:\Windows\SysWOW64\Lljfpnjg.exe
C:\Windows\system32\Lljfpnjg.exe
C:\Windows\SysWOW64\Lgokmgjm.exe
C:\Windows\system32\Lgokmgjm.exe
C:\Windows\SysWOW64\Lmiciaaj.exe
C:\Windows\system32\Lmiciaaj.exe
C:\Windows\SysWOW64\Lphoelqn.exe
C:\Windows\system32\Lphoelqn.exe
C:\Windows\SysWOW64\Mdckfk32.exe
C:\Windows\system32\Mdckfk32.exe
C:\Windows\SysWOW64\Mgagbf32.exe
C:\Windows\system32\Mgagbf32.exe
C:\Windows\SysWOW64\Medgncoe.exe
C:\Windows\system32\Medgncoe.exe
C:\Windows\SysWOW64\Mmlpoqpg.exe
C:\Windows\system32\Mmlpoqpg.exe
C:\Windows\SysWOW64\Mpjlklok.exe
C:\Windows\system32\Mpjlklok.exe
C:\Windows\SysWOW64\Mdehlk32.exe
C:\Windows\system32\Mdehlk32.exe
C:\Windows\SysWOW64\Mgddhf32.exe
C:\Windows\system32\Mgddhf32.exe
C:\Windows\SysWOW64\Mlampmdo.exe
C:\Windows\system32\Mlampmdo.exe
C:\Windows\SysWOW64\Mckemg32.exe
C:\Windows\system32\Mckemg32.exe
C:\Windows\SysWOW64\Miemjaci.exe
C:\Windows\system32\Miemjaci.exe
C:\Windows\SysWOW64\Mpoefk32.exe
C:\Windows\system32\Mpoefk32.exe
C:\Windows\SysWOW64\Mdjagjco.exe
C:\Windows\system32\Mdjagjco.exe
C:\Windows\SysWOW64\Mmbfpp32.exe
C:\Windows\system32\Mmbfpp32.exe
C:\Windows\SysWOW64\Mpablkhc.exe
C:\Windows\system32\Mpablkhc.exe
C:\Windows\SysWOW64\Mcpnhfhf.exe
C:\Windows\system32\Mcpnhfhf.exe
C:\Windows\SysWOW64\Mgkjhe32.exe
C:\Windows\system32\Mgkjhe32.exe
C:\Windows\SysWOW64\Miifeq32.exe
C:\Windows\system32\Miifeq32.exe
C:\Windows\SysWOW64\Mnebeogl.exe
C:\Windows\system32\Mnebeogl.exe
C:\Windows\SysWOW64\Ndokbi32.exe
C:\Windows\system32\Ndokbi32.exe
C:\Windows\SysWOW64\Ngmgne32.exe
C:\Windows\system32\Ngmgne32.exe
C:\Windows\SysWOW64\Nngokoej.exe
C:\Windows\system32\Nngokoej.exe
C:\Windows\SysWOW64\Npfkgjdn.exe
C:\Windows\system32\Npfkgjdn.exe
C:\Windows\SysWOW64\Ncdgcf32.exe
C:\Windows\system32\Ncdgcf32.exe
C:\Windows\SysWOW64\Ngpccdlj.exe
C:\Windows\system32\Ngpccdlj.exe
C:\Windows\SysWOW64\Nnjlpo32.exe
C:\Windows\system32\Nnjlpo32.exe
C:\Windows\SysWOW64\Nphhmj32.exe
C:\Windows\system32\Nphhmj32.exe
C:\Windows\SysWOW64\Ndcdmikd.exe
C:\Windows\system32\Ndcdmikd.exe
C:\Windows\SysWOW64\Ngbpidjh.exe
C:\Windows\system32\Ngbpidjh.exe
C:\Windows\SysWOW64\Nnlhfn32.exe
C:\Windows\system32\Nnlhfn32.exe
C:\Windows\SysWOW64\Npjebj32.exe
C:\Windows\system32\Npjebj32.exe
C:\Windows\SysWOW64\Ncianepl.exe
C:\Windows\system32\Ncianepl.exe
C:\Windows\SysWOW64\Nfgmjqop.exe
C:\Windows\system32\Nfgmjqop.exe
C:\Windows\SysWOW64\Nnneknob.exe
C:\Windows\system32\Nnneknob.exe
C:\Windows\SysWOW64\Npmagine.exe
C:\Windows\system32\Npmagine.exe
C:\Windows\SysWOW64\Nckndeni.exe
C:\Windows\system32\Nckndeni.exe
C:\Windows\SysWOW64\Nggjdc32.exe
C:\Windows\system32\Nggjdc32.exe
C:\Windows\SysWOW64\Njefqo32.exe
C:\Windows\system32\Njefqo32.exe
C:\Windows\SysWOW64\Olcbmj32.exe
C:\Windows\system32\Olcbmj32.exe
C:\Windows\SysWOW64\Odkjng32.exe
C:\Windows\system32\Odkjng32.exe
C:\Windows\SysWOW64\Ogifjcdp.exe
C:\Windows\system32\Ogifjcdp.exe
C:\Windows\SysWOW64\Ojgbfocc.exe
C:\Windows\system32\Ojgbfocc.exe
C:\Windows\SysWOW64\Opakbi32.exe
C:\Windows\system32\Opakbi32.exe
C:\Windows\SysWOW64\Ogkcpbam.exe
C:\Windows\system32\Ogkcpbam.exe
C:\Windows\SysWOW64\Oneklm32.exe
C:\Windows\system32\Oneklm32.exe
C:\Windows\SysWOW64\Opdghh32.exe
C:\Windows\system32\Opdghh32.exe
C:\Windows\SysWOW64\Ocbddc32.exe
C:\Windows\system32\Ocbddc32.exe
C:\Windows\SysWOW64\Ofqpqo32.exe
C:\Windows\system32\Ofqpqo32.exe
C:\Windows\SysWOW64\Onhhamgg.exe
C:\Windows\system32\Onhhamgg.exe
C:\Windows\SysWOW64\Oqfdnhfk.exe
C:\Windows\system32\Oqfdnhfk.exe
C:\Windows\SysWOW64\Ocdqjceo.exe
C:\Windows\system32\Ocdqjceo.exe
C:\Windows\SysWOW64\Ojoign32.exe
C:\Windows\system32\Ojoign32.exe
C:\Windows\SysWOW64\Olmeci32.exe
C:\Windows\system32\Olmeci32.exe
C:\Windows\SysWOW64\Ocgmpccl.exe
C:\Windows\system32\Ocgmpccl.exe
C:\Windows\SysWOW64\Ogbipa32.exe
C:\Windows\system32\Ogbipa32.exe
C:\Windows\SysWOW64\Ojaelm32.exe
C:\Windows\system32\Ojaelm32.exe
C:\Windows\SysWOW64\Pmoahijl.exe
C:\Windows\system32\Pmoahijl.exe
C:\Windows\SysWOW64\Pdfjifjo.exe
C:\Windows\system32\Pdfjifjo.exe
C:\Windows\SysWOW64\Pfhfan32.exe
C:\Windows\system32\Pfhfan32.exe
C:\Windows\SysWOW64\Pnonbk32.exe
C:\Windows\system32\Pnonbk32.exe
C:\Windows\SysWOW64\Pqmjog32.exe
C:\Windows\system32\Pqmjog32.exe
C:\Windows\SysWOW64\Pggbkagp.exe
C:\Windows\system32\Pggbkagp.exe
C:\Windows\SysWOW64\Pjeoglgc.exe
C:\Windows\system32\Pjeoglgc.exe
C:\Windows\SysWOW64\Pmdkch32.exe
C:\Windows\system32\Pmdkch32.exe
C:\Windows\SysWOW64\Pcncpbmd.exe
C:\Windows\system32\Pcncpbmd.exe
C:\Windows\SysWOW64\Pgioqq32.exe
C:\Windows\system32\Pgioqq32.exe
C:\Windows\SysWOW64\Pncgmkmj.exe
C:\Windows\system32\Pncgmkmj.exe
C:\Windows\SysWOW64\Pdmpje32.exe
C:\Windows\system32\Pdmpje32.exe
C:\Windows\SysWOW64\Pgllfp32.exe
C:\Windows\system32\Pgllfp32.exe
C:\Windows\SysWOW64\Pnfdcjkg.exe
C:\Windows\system32\Pnfdcjkg.exe
C:\Windows\SysWOW64\Pdpmpdbd.exe
C:\Windows\system32\Pdpmpdbd.exe
C:\Windows\SysWOW64\Qnhahj32.exe
C:\Windows\system32\Qnhahj32.exe
C:\Windows\SysWOW64\Qqfmde32.exe
C:\Windows\system32\Qqfmde32.exe
C:\Windows\SysWOW64\Qceiaa32.exe
C:\Windows\system32\Qceiaa32.exe
C:\Windows\SysWOW64\Qgqeappe.exe
C:\Windows\system32\Qgqeappe.exe
C:\Windows\SysWOW64\Qfcfml32.exe
C:\Windows\system32\Qfcfml32.exe
C:\Windows\SysWOW64\Qmmnjfnl.exe
C:\Windows\system32\Qmmnjfnl.exe
C:\Windows\SysWOW64\Qqijje32.exe
C:\Windows\system32\Qqijje32.exe
C:\Windows\SysWOW64\Qgcbgo32.exe
C:\Windows\system32\Qgcbgo32.exe
C:\Windows\SysWOW64\Ajanck32.exe
C:\Windows\system32\Ajanck32.exe
C:\Windows\SysWOW64\Ampkof32.exe
C:\Windows\system32\Ampkof32.exe
C:\Windows\SysWOW64\Acjclpcf.exe
C:\Windows\system32\Acjclpcf.exe
C:\Windows\SysWOW64\Afhohlbj.exe
C:\Windows\system32\Afhohlbj.exe
C:\Windows\SysWOW64\Anogiicl.exe
C:\Windows\system32\Anogiicl.exe
C:\Windows\SysWOW64\Aqncedbp.exe
C:\Windows\system32\Aqncedbp.exe
C:\Windows\SysWOW64\Afjlnk32.exe
C:\Windows\system32\Afjlnk32.exe
C:\Windows\SysWOW64\Ajfhnjhq.exe
C:\Windows\system32\Ajfhnjhq.exe
C:\Windows\SysWOW64\Aqppkd32.exe
C:\Windows\system32\Aqppkd32.exe
C:\Windows\SysWOW64\Acnlgp32.exe
C:\Windows\system32\Acnlgp32.exe
C:\Windows\SysWOW64\Afmhck32.exe
C:\Windows\system32\Afmhck32.exe
C:\Windows\SysWOW64\Andqdh32.exe
C:\Windows\system32\Andqdh32.exe
C:\Windows\SysWOW64\Aabmqd32.exe
C:\Windows\system32\Aabmqd32.exe
C:\Windows\SysWOW64\Acqimo32.exe
C:\Windows\system32\Acqimo32.exe
C:\Windows\SysWOW64\Ajkaii32.exe
C:\Windows\system32\Ajkaii32.exe
C:\Windows\SysWOW64\Aminee32.exe
C:\Windows\system32\Aminee32.exe
C:\Windows\SysWOW64\Aepefb32.exe
C:\Windows\system32\Aepefb32.exe
C:\Windows\SysWOW64\Agoabn32.exe
C:\Windows\system32\Agoabn32.exe
C:\Windows\SysWOW64\Bjmnoi32.exe
C:\Windows\system32\Bjmnoi32.exe
C:\Windows\SysWOW64\Bebblb32.exe
C:\Windows\system32\Bebblb32.exe
C:\Windows\SysWOW64\Bcebhoii.exe
C:\Windows\system32\Bcebhoii.exe
C:\Windows\SysWOW64\Bfdodjhm.exe
C:\Windows\system32\Bfdodjhm.exe
C:\Windows\SysWOW64\Bmngqdpj.exe
C:\Windows\system32\Bmngqdpj.exe
C:\Windows\SysWOW64\Beeoaapl.exe
C:\Windows\system32\Beeoaapl.exe
C:\Windows\SysWOW64\Bffkij32.exe
C:\Windows\system32\Bffkij32.exe
C:\Windows\SysWOW64\Bjagjhnc.exe
C:\Windows\system32\Bjagjhnc.exe
C:\Windows\SysWOW64\Balpgb32.exe
C:\Windows\system32\Balpgb32.exe
C:\Windows\SysWOW64\Bcjlcn32.exe
C:\Windows\system32\Bcjlcn32.exe
C:\Windows\SysWOW64\Bjddphlq.exe
C:\Windows\system32\Bjddphlq.exe
C:\Windows\SysWOW64\Bmbplc32.exe
C:\Windows\system32\Bmbplc32.exe
C:\Windows\SysWOW64\Beihma32.exe
C:\Windows\system32\Beihma32.exe
C:\Windows\SysWOW64\Bfkedibe.exe
C:\Windows\system32\Bfkedibe.exe
C:\Windows\SysWOW64\Bmemac32.exe
C:\Windows\system32\Bmemac32.exe
C:\Windows\SysWOW64\Belebq32.exe
C:\Windows\system32\Belebq32.exe
C:\Windows\SysWOW64\Chjaol32.exe
C:\Windows\system32\Chjaol32.exe
C:\Windows\SysWOW64\Cndikf32.exe
C:\Windows\system32\Cndikf32.exe
C:\Windows\SysWOW64\Cmgjgcgo.exe
C:\Windows\system32\Cmgjgcgo.exe
C:\Windows\SysWOW64\Cdabcm32.exe
C:\Windows\system32\Cdabcm32.exe
C:\Windows\SysWOW64\Cfpnph32.exe
C:\Windows\system32\Cfpnph32.exe
C:\Windows\SysWOW64\Cnffqf32.exe
C:\Windows\system32\Cnffqf32.exe
C:\Windows\SysWOW64\Ceqnmpfo.exe
C:\Windows\system32\Ceqnmpfo.exe
C:\Windows\SysWOW64\Chokikeb.exe
C:\Windows\system32\Chokikeb.exe
C:\Windows\SysWOW64\Cfbkeh32.exe
C:\Windows\system32\Cfbkeh32.exe
C:\Windows\SysWOW64\Cagobalc.exe
C:\Windows\system32\Cagobalc.exe
C:\Windows\SysWOW64\Cdfkolkf.exe
C:\Windows\system32\Cdfkolkf.exe
C:\Windows\SysWOW64\Cjpckf32.exe
C:\Windows\system32\Cjpckf32.exe
C:\Windows\SysWOW64\Cmnpgb32.exe
C:\Windows\system32\Cmnpgb32.exe
C:\Windows\SysWOW64\Ceehho32.exe
C:\Windows\system32\Ceehho32.exe
C:\Windows\SysWOW64\Cffdpghg.exe
C:\Windows\system32\Cffdpghg.exe
C:\Windows\SysWOW64\Cnnlaehj.exe
C:\Windows\system32\Cnnlaehj.exe
C:\Windows\SysWOW64\Calhnpgn.exe
C:\Windows\system32\Calhnpgn.exe
C:\Windows\SysWOW64\Cegdnopg.exe
C:\Windows\system32\Cegdnopg.exe
C:\Windows\SysWOW64\Dfiafg32.exe
C:\Windows\system32\Dfiafg32.exe
C:\Windows\SysWOW64\Dopigd32.exe
C:\Windows\system32\Dopigd32.exe
C:\Windows\SysWOW64\Danecp32.exe
C:\Windows\system32\Danecp32.exe
C:\Windows\SysWOW64\Ddmaok32.exe
C:\Windows\system32\Ddmaok32.exe
C:\Windows\SysWOW64\Dobfld32.exe
C:\Windows\system32\Dobfld32.exe
C:\Windows\SysWOW64\Dmefhako.exe
C:\Windows\system32\Dmefhako.exe
C:\Windows\SysWOW64\Ddonekbl.exe
C:\Windows\system32\Ddonekbl.exe
C:\Windows\SysWOW64\Dfnjafap.exe
C:\Windows\system32\Dfnjafap.exe
C:\Windows\SysWOW64\Dodbbdbb.exe
C:\Windows\system32\Dodbbdbb.exe
C:\Windows\SysWOW64\Daconoae.exe
C:\Windows\system32\Daconoae.exe
C:\Windows\SysWOW64\Dhmgki32.exe
C:\Windows\system32\Dhmgki32.exe
C:\Windows\SysWOW64\Dfpgffpm.exe
C:\Windows\system32\Dfpgffpm.exe
C:\Windows\SysWOW64\Daekdooc.exe
C:\Windows\system32\Daekdooc.exe
C:\Windows\SysWOW64\Dddhpjof.exe
C:\Windows\system32\Dddhpjof.exe
C:\Windows\SysWOW64\Dknpmdfc.exe
C:\Windows\system32\Dknpmdfc.exe
C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 7196 -ip 7196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7196 -s 396
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
Files
memory/3392-0-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3392-1-0x0000000000431000-0x0000000000432000-memory.dmp
C:\Windows\SysWOW64\Eadopc32.exe
| MD5 | 6f68b2a8067e77974a19449803cee807 |
| SHA1 | a06bfbf3ff41f20484ff854eb690d48792134da6 |
| SHA256 | 9cb13a39666539b432c0c63f7a5f48d27de8f29e5c3b60a3e53a5c0e7053a9ea |
| SHA512 | 5492431917dcbc0dd7a01424a5b8e088924949a0a4db52c69aea7403c2735402855e8505383ab1f50410aeec057962a6cbefb3dbbec145ca53b34e816ea8e8fa |
memory/1144-9-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Edbklofb.exe
| MD5 | 676be99b208fba1e8301a96001368a08 |
| SHA1 | bd162562f0235ff7e587c6395fd33dc146c53e6e |
| SHA256 | 95958191114570269bdd0c4d0d9991b400dd2c679d64065c3072a3c4fd51415f |
| SHA512 | e10640ffb3565e4575d69dcfa968520564b9c0b7ead87feda1c13cafeec28e2a9634fc3a778ef38628dc82cafaee1691c1e2200ca3cf875101d7bb8c6220d9ae |
memory/3480-17-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4876-24-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Fohoigfh.exe
| MD5 | 3f82126e7256572919bd6f754cfe560e |
| SHA1 | 0ee2a41c884ae15389481b64b57362076b1faf68 |
| SHA256 | ef3eef3ece666cb7bc21ae8a40d61771deb289d398bb3044a709a97f36d0130b |
| SHA512 | 3be60849e1668063bda0288acb893367b33a9eb1620294ad691baa09c5488f6340c8638d83096f6384f51d354043d1f7c15989c625f8434785878ecf41822f5e |
memory/3500-32-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Fhqcam32.exe
| MD5 | 8d2fa03e544f3ac81ded574273819b8e |
| SHA1 | ff12df5135066f3080a5bba82bca9dfeaf094df7 |
| SHA256 | a51525fa09f4ae5aaa1adcf822acb9949996e8e219a37370aa12a766d60a3b6d |
| SHA512 | 915fd89cdd31cffc8efdeb6f175fd94d92dbe9b85003e0fd1e2f511b45d727ada5620467ed466cd113cf7d45ef6dc17235e2d3360c0f70ec90e9943ff5dbdf11 |
memory/1972-41-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Fojlngce.exe
| MD5 | a43b1cbefaa5b80de730260bc408c612 |
| SHA1 | 41c3bace33dce97cf780cab19e94c8ec2f3223fe |
| SHA256 | 3b9c49249adb239c2bf8702934abaee5bac4ef54a4054a6bc0cd595b5309c9bf |
| SHA512 | 8591c76ff5d57bca2046cd3415176446022bcfc5f81fe8879c2b87e7948603eb8f22a6aeaa328e6ea396522c787b7ea18ef1bdfaff15056fcffb969275709990 |
C:\Windows\SysWOW64\Flnlhk32.exe
| MD5 | aa2e74df596738f506aaa59c959abe52 |
| SHA1 | 1f7bbc178142e5201eb59765e2eb9d82aebaeffa |
| SHA256 | 0d27411cea19d8128ce5d85d276c777ca3d5cfae64531279820d4ed9d458fd16 |
| SHA512 | cc9860ab4cefa9d0461280133d6e87696f02983af51ce38316afd76961ea798f38956c1a04b66fd002dd14f8245c67de8c20976284aef553e2d28f9c9d307eda |
memory/3516-49-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Ffgqqaip.exe
| MD5 | f8c5716975c5fcb6a60633f70f792e47 |
| SHA1 | 3e3c19d41005b906f9ca0b87c09c491a40480430 |
| SHA256 | f8032128f31cee79cd60926a1505ac1586f1c99fdd62bd00d74fc8a14cc93fb9 |
| SHA512 | 666745f093080c4dfb80a1680e925bd39f6850f51b61a308c41dbd9cf82cb3ea9d1b5c847e4d20e37b47de0a5f9762a711e7e89a7cdc7b42aecce47dcb6ddab8 |
memory/4204-56-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Fkciihgg.exe
| MD5 | e27a7c91d92beaebf1a7ce8cf9f500a8 |
| SHA1 | 7b7053b61642ab173cc091fe5271b022e266cc47 |
| SHA256 | 97f144c9d0a72b9c8c4525bc604118c9091aa035add6dd6369b08daa7be4659b |
| SHA512 | b1f24cfc953913132369802986d2fc6af5251c9d604ea015709b1f8aa870bcda832c071d275a831e4e7e6d31ffae5007502572aeed33c0e3f6822cd365d04e67 |
C:\Windows\SysWOW64\Fkciihgg.exe
| MD5 | df8655adbdbd15198257fa93ed7fb066 |
| SHA1 | 9c7fd85816a1fcbe3d377e1a5b332f5fdac1f73d |
| SHA256 | 98ad03ee495c72d47b7c7d45f7314b8066fd13319ab45e2a1a3934d26161d9d2 |
| SHA512 | 57307860f5a7fbf7d5ad3a2ced218b10eb15eb1b4fc72bf5dd9a5446bff29c6456a1b45fc54a05c3642517da51d8197ae9b89a24cb7f22c9bd6f86be0ca2c2ec |
memory/4912-65-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Fckajehi.exe
| MD5 | 1b0b50f63ed5405cba87b8b65d6f1f47 |
| SHA1 | 10c73b25075571384c1ac0aef65da382a62ec166 |
| SHA256 | daa82f724fa7f83e17591f0e7b63e90fa3ea23b1016c4dfbe7fef19d4ac24017 |
| SHA512 | 4051dc9743920e2a293a66b07999b0e8b6d4ab6510748e842c0e0b2791e6fa04d4982cc8fc203a9aea977cc562e1896cc1091c4a012431d0c6ac004afc0d4e78 |
memory/4992-72-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Fhgjblfq.exe
| MD5 | 33a90afc899c4c19386b659d71a9cdc6 |
| SHA1 | 1d8e12fa5868a66202ba554e9be517665522e3ec |
| SHA256 | 3bf845a4d0b15caab12248babf396424fa7687817439de384011df953d436fe8 |
| SHA512 | 5a1f48dd0422fcb896cb8dfbecf13b641ca705a6f5476f15a02f7f416916ae32d2fe37089d31ec3bcf27797bbc4e600367bece7b8ddaf79eaa0e886a963b32ad |
memory/3460-81-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Fkffog32.exe
| MD5 | 62bb07eb0ee3f748b82fd200722b49f9 |
| SHA1 | 6835bd57dd625f0b23cb611c7c62ff1b5655c7e7 |
| SHA256 | f7e89ca64a0370821e447c1e76e026801227556687d371deb4235fa03e4f38cc |
| SHA512 | 6a2a21a515b793c365f02b9ff2d566f22182bb17ef771acd83a30bbba0248cb8c43bc6fd0690f921ff30c5202f36b747c396a3dbe2f7f60bd2f7fffd6436730d |
memory/4700-88-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Ffkjlp32.exe
| MD5 | fe0178f2ca8b305ea69b26f34fe54a6c |
| SHA1 | ff9ad02840a1d37ccbed729b41315b29c024bda4 |
| SHA256 | 8f51bfe69db5d904d4e31171e700a4c513b90fd07f0fd51d0b83ae5d28f3cda6 |
| SHA512 | 8a6d40675c3afc5bb737839e2b0f676506571e2786aad4bf3c83bbcf25193ce3e311590c833c246001deb5972c84530fa103d4c040ba76be8afd9e0d2794516c |
memory/4516-99-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Fhjfhl32.exe
| MD5 | 156911e102ce9f46679caa9ffa860a1f |
| SHA1 | 03f9bb3afbf8df88b30bbfc54085865a1fd9df7a |
| SHA256 | 0e6944e37731ed6b2a6ef826adf7718192234ff39591e3076d92900f69e9e35b |
| SHA512 | 2fc9b52ff7d4730286227538f25363436612b9d9f371c64b4cf004842d0de61cb4c781c45087b41b04a97fc55016bbefa89e246ceac87bebbee78d43c741cf88 |
memory/2464-104-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Gbbkaako.exe
| MD5 | 873f28dfffe3e8b2a0ddf8781b8d7b95 |
| SHA1 | 7e8e09f7ff742bc582fc35a82732a2043aefb612 |
| SHA256 | 0707a0ac01fde30b4baf1f5c9e1f34fa6afe2c494bbc4af6dd21297d566383dc |
| SHA512 | 7b2c0bbc498e2babf659ae24eff8b10bb0dd45a44842c98c1d4abee9920a615a2fdbad17ebfecba52f713ebd43ff757dc29bb73b5b317b866ae19122b6b5cbaf |
memory/2184-113-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Glhonj32.exe
| MD5 | a581581db78092e2b5bafc58a8fe031d |
| SHA1 | 1d5debbe0206291e330246887ec03c50612c3239 |
| SHA256 | c19b38c03b91f0fdf557081c8e765da54f55123f5b2e9f0e5cfc10adc378d0df |
| SHA512 | b26ccedda05f1243de311599bd416d041bf4422a8faf50277048bda53ead8077707d10ff7ccc536f16ecef3f18fcb2fc5bcea1a49f9dda4b200baa8c8622c56f |
memory/1820-121-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Gcagkdba.exe
| MD5 | bd3b22a4b3e2666d811f4884d3b13ade |
| SHA1 | f2f107d7af1d74e4d0c2fdbc06fa9fc4fa689446 |
| SHA256 | df8fd630c6c8397bf0099ca37e56e7f9861ac0901508fb318fe749cce69011ba |
| SHA512 | 60b912f04ac1a54c967aa79b580a88ceb1c541288b9c4c4d5c1d17d965521bc91fea78e1f475b8a663d49da27cf88cf618bbb3be1ac244812ed12ce72c7ac54b |
memory/4176-128-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Gdcdbl32.exe
| MD5 | a0df73ba2352361ee47d69911c92a777 |
| SHA1 | 8020be7f87131dbbec9590058f2e9ccd37e5a221 |
| SHA256 | 0c4dfcb662db4721be851fcb5ad9f46f94593f23b54f8bdfe3ee193cb097a125 |
| SHA512 | 09c9075ef0172e10117b51f8d6266ddb15f2036ad0b3f1fd6e792a3ba3c3e59a7b4c92bc3b42a89c820bda58b204326587472f98ee24d66fb9c83ad156869dbb |
memory/3576-137-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Gbgdlq32.exe
| MD5 | 7ff836a8ee8778c55db3a42489cd52f7 |
| SHA1 | 9331ca9502722f6797ccf9df911bf6012d03838d |
| SHA256 | c874c967fd5368550643594deb4893b83558b8d3f948a84cc2a54921c19a33fb |
| SHA512 | 794a12c8b78b17ede6a159cb7827dd853a75495185e9184e5bf27be85a38182d9b1e4c07bac57d4ac65d66b1234c5d2e32e3783c5d099fcc4336ca77ba9f0b76 |
memory/3380-144-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Gfbploob.exe
| MD5 | dd8e6e8c09fe9446c76b064591cc0d53 |
| SHA1 | dfdbf30bb84bfe77c358513ad8c19e5c8174f2ae |
| SHA256 | 0b923203e4db7cfcc36b9fd91f5e31436b936b9eafad54929642c5dd1588615b |
| SHA512 | 9aac19e323c22a65a7778f5c43458623a5a7f74e3fed2035caadeaae766db23656366e4409cee479e578ea18552c0cdbaa6163f78f1d4c2cae18dec0f863d9ad |
memory/1448-153-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Gdeqhl32.exe
| MD5 | bb2b4f6e109903df2e721c913cea6d0e |
| SHA1 | 95adb5218020f853c9304ccc81391557b98ff3bb |
| SHA256 | 0acbcb1fbda76c6a853db242249a058387f0145519482347568870fe6d486f6b |
| SHA512 | c57fa7282a85cda5c728f17249d4f003ed50c229b2f1ae27dd30d0de802d735edbc57b308b1a112257f080dcb8424324a27d17672b280b2012458cc8c82b3999 |
memory/2020-161-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Gcfqfc32.exe
| MD5 | 071944288f56e871b3df28b88e3a8367 |
| SHA1 | cd1bbdd9f88e76ae804a23a129867ee6789edeec |
| SHA256 | 2b8ffa94314e73a7ac85832da8af58658fa05dea063f55e09227076691df471e |
| SHA512 | c600ceca540c1dc88a575f04d35e4f129c46369c8d6b8c78cd072a93aec68661271e5689af76edf1970ca1cddd112d65d9d0a5d92d8f136e2706358cf1797b9a |
memory/2956-174-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Gfembo32.exe
| MD5 | 2fdc8dac3860441799689783cd61ebbb |
| SHA1 | 2ac275b9d65d02ac8758dc4d14ff1bb5b9550dfa |
| SHA256 | 3b6b7a355d0c669ec0d137754a9359488ad76167895df46b6af4191dece47823 |
| SHA512 | ab7a9158eb9f3fb1593287b72ecc8bf112675b68d25a714fde2d16b7b31a2080a51eb822150cb09b09a83be1181658a8160a7e45224a4858873d8d1028ed5012 |
C:\Windows\SysWOW64\Gkaejf32.exe
| MD5 | 5a6e64138c7e348a3705d9f39cebaa59 |
| SHA1 | d484d12113802c8b9a8cd1e92caf65bdf99807bb |
| SHA256 | 17c137c83d807f4bf59e86e83231ccd80c73058da7459f0b5b3f68df9a85cdfb |
| SHA512 | 5cbb5a8573ef2014a85f900dd4ba0dcec8da38fac889640683e6976152b84c6a46d18652f7ca08245a4d4e7e77842888f4446b7b8379ec7a23316a81fa44cefe |
memory/4540-184-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4768-181-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Gblngpbd.exe
| MD5 | f7e7116386e2c8c0502f11e581547698 |
| SHA1 | 244f71bdd3c5c5ab3f32e84b7f0b6f3a62c232fe |
| SHA256 | 5cd8a921ec37922bc7f772911ce396105b0baf891c22af7c09a843a1cb097920 |
| SHA512 | c5cafe34221f71b4b897a2c36b82aa4f36717d9824535323dd02f54690e2aa22abd457a22abeffaf8d7254dbc1920dcf424cd69524dc376ba9e3a765963aca02 |
memory/1860-193-0x0000000000400000-0x000000000043F000-memory.dmp
memory/892-200-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Hiefcj32.exe
| MD5 | 7e3e4adbbc0dd69d2961fa090dab0ecc |
| SHA1 | df296ec700e2ee50d23488c8e0edef9cb0041a40 |
| SHA256 | 8186cef5fcadc663c1819d3fe76ca846022706dc7901ffb51f7b6a0bcd815453 |
| SHA512 | 7668a3309408c143390acf68a6cdc8081c495d5cd994d4e5fd9e99ae26374f9ee64a700472256789d7dfe0b1835644c0e92d6cfe3d09cf172692272eb097df37 |
C:\Windows\SysWOW64\Hopnqdan.exe
| MD5 | d5cefa70ca47eec400a5609d97c91a2c |
| SHA1 | a1b38cc1f19552c3c08ab9ea296343a2153ce6bc |
| SHA256 | 58b17da854aeb32f547ea7ab1aee1a65c94a8d65a6c7670ce9e96f7e35f9de20 |
| SHA512 | bfc5b545ff91587191ee122f0c68025e246b752f3de47621e3e678fb3bf5d24fc14421b3e307fc9223450b36af7608a33970636b84ac872edf24596055c0ef6b |
memory/1096-213-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Hckjacjg.exe
| MD5 | 1d877ea1e13a684d5a833de5384703e4 |
| SHA1 | 40a75d7e0c6b3e41361d1f78d1ab921d1764fdb5 |
| SHA256 | 544f174aec04ef0d613e770b71df81ede3845b25d7bf174650ff02c2e158896e |
| SHA512 | a0ef368892f3be890d6771033345bcbfc72e05c2a85ed019e019d45e77cff1d57b2fc56899c47a8ab74a19afd6ffbcf0048ca76caaacfdd6561b65681c885592 |
memory/1432-217-0x0000000000400000-0x000000000043F000-memory.dmp
memory/552-224-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Hbpgbo32.exe
| MD5 | 990e7bd7a01180797b1a0df3c5c7b939 |
| SHA1 | 3917f7c712bc990d8cd46b5bfb20816d8a0b51d1 |
| SHA256 | db2739219d00dd5dea7a7a30fe905e8360bd1c1e4179b589fa490ea65d6e6969 |
| SHA512 | 688c94b1771f89faa4f09f1c3930239d521842ca91088e5c7dfa9023b17f13e3e88af68fb408009e3fec0e2c1984be2a2bc7604fcd1ef611c48d0a1b42e79a7e |
C:\Windows\SysWOW64\Hmfkoh32.exe
| MD5 | 7bcebfeb175aac463c6f95a7e661d884 |
| SHA1 | 8b43b9a1a8015c500a4b2f88d91b39006898ac12 |
| SHA256 | 0dbdc81f7e1f0080099242487c050561732bfda014d2057313141ba8ffb04f98 |
| SHA512 | fba8a903daa25657d150e9a5cc11f13881c06e1fc8ce900991956cd80448da6e08ecd802ec285098c7ec163336975cd66a4ac96d36f518eefd16f2e2649f5e9b |
memory/4980-233-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Hkikkeeo.exe
| MD5 | 3133d7acae1baf5f506f23310a7f3069 |
| SHA1 | 07f9ccf0b68e72d129a527c2db185eb08582ce72 |
| SHA256 | 1cc5378f1ef8ffd5a11994fa1261123f81f0f2b3cf6c00ff64ef9e761637df35 |
| SHA512 | 7175be2a285ff47360555249735abc4443d6c7dde18f42e05b78001669ee44a621942d3374efa2d6e7903603cba44425a4eec3451a9cc4aebd35e363c2923e02 |
memory/4592-240-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Himldi32.exe
| MD5 | 035d3c2d1fd256452cde5a9e527491d0 |
| SHA1 | d21b61468fd1af58b5bef8e052acaaabdcc41e4d |
| SHA256 | 05293551f51106d3e626bb5499c6d85632db7ade9c35c8e14df31dab09721b69 |
| SHA512 | 73882cf8b5af1126f0725932b12011df6e076d954c905ecfa093426367a703d013864cb06e17e0bd020f76c312fd4d6975f59cf8c5e3d4dc82f9b0616cffe0a4 |
memory/1008-248-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Hkkhqd32.exe
| MD5 | f23e56a3c838ae65dff60df8b7147869 |
| SHA1 | 71f23701f909485a9e8cb127734c0c094087d552 |
| SHA256 | 0ca563a8575bfadeb5d8d3340984d418075f5cf2d53dd70ccb06fd56704c4cd6 |
| SHA512 | 905a65e2e9eb16545ce2cc0e732da6bf39c53773bbe908eda5703bc7dd5f66a7dcb988ddbc5506c25f87370830df3244274b2865262588364767e1da0d14f910 |
memory/3832-257-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Hecmijim.exe
| MD5 | 9a567c3d1a8763e414c891a37648166f |
| SHA1 | 39531d5761b852b92df37027ae7df13253d77631 |
| SHA256 | 26dbeff3293058748834078ecf5ed2a991ac6df9cda2ad1df03b6442abde11ee |
| SHA512 | 49f03e5783a4553fad9ad87e4d42d5b69d62c1ba034431255fc3962bb902f92c3969759f414a3adf71ab524e10936683d04c61090aae172abae8fd93d37690ea |
memory/1572-263-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4988-269-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2712-275-0x0000000000400000-0x000000000043F000-memory.dmp
memory/8-281-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1788-287-0x0000000000400000-0x000000000043F000-memory.dmp
memory/428-293-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2400-299-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4784-305-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1172-311-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1844-317-0x0000000000400000-0x000000000043F000-memory.dmp
memory/876-323-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3944-329-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3772-335-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4764-341-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3512-347-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Ilghlc32.exe
| MD5 | faeb7039f8f3a7d85bc91aaf930f7436 |
| SHA1 | 9fbd83c37f59e4d362f7457f13ddbf7d57dc42a0 |
| SHA256 | 887efb1ab2b5242b3675a77addea01c52a6251522490b543b3ca524c40075506 |
| SHA512 | 6da8cc607ff82f0b8a092e44c061daec63cc753ba12328792a2719a51300547715f5c982e43b1dc58d94656add5e1b3254fdfb03fabf7fd3f7ee20b04d253df6 |
memory/3304-353-0x0000000000400000-0x000000000043F000-memory.dmp
memory/380-359-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4548-365-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2996-371-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1320-378-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Jfoiokfb.exe
| MD5 | b791e579788e6e8d854ec0ade7910dcd |
| SHA1 | c89bb7002788c40d451287860407fce8ca216d18 |
| SHA256 | 6f15d3d493ac427bc658c4c9b0b9acb5b5d6621f7f813592b0c49efdc52fb4a5 |
| SHA512 | 43c01ca33472889200e58635da63f6b7cdde18524d9d33dd8e24255bde7ecf5eb559b8bcf0802caba2c2e59805b54a6aa37e87530e96bb22b92582e412946a0c |
memory/2032-387-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4740-389-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Jlkagbej.exe
| MD5 | 2a9b6171b1536ae3381c1cbf5b2c4367 |
| SHA1 | 571cdeeeb6c85d13e393328f8968e0ea662ffa31 |
| SHA256 | 1c024db875a74c9c2c1d358c01615e7ae43ef6d5672921733742c55ec27f4581 |
| SHA512 | 2e83e5c688c9b39e14f816de34279b86e650682878dea128bc09c8897e97f0c981d55ecea4f055a5aeb6ce8a1fe78bb7edb1c6dab434e222af80bdaa18136803 |
memory/1608-395-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4720-401-0x0000000000400000-0x000000000043F000-memory.dmp
memory/5004-407-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2920-413-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4804-419-0x0000000000400000-0x000000000043F000-memory.dmp
memory/768-425-0x0000000000400000-0x000000000043F000-memory.dmp
memory/5052-431-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Jehokgge.exe
| MD5 | cd66f37b9868db618d5581204daf07bd |
| SHA1 | 08012e1d6088bd52106065623ca6c8a7a22d27c8 |
| SHA256 | b6658b514617a527b817edaa6c2e7f6eb1bfa73c270825c4b9ec21ff3e7e45c8 |
| SHA512 | e556f90fd0c34c389e2bb579a63a3e1d975c8fc9d88de998801d856dbc5bcac6c90901501a795e3861ed50065cdc78b30fcdd3ad439e655ed4145ccc1d97a3de |
memory/2644-437-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1668-443-0x0000000000400000-0x000000000043F000-memory.dmp
memory/5116-449-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4800-455-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2880-461-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2168-467-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1344-473-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Klljnp32.exe
| MD5 | 7d9eb30d68ed847de0d019340d255034 |
| SHA1 | 94eb17f1d71245463621044872b99baa3062d781 |
| SHA256 | c2f1063d674a0665da903cc4da801c82651affba56071d28985f64f9d93e41ff |
| SHA512 | b28a02bd3c68be4902ba0064f6bf881e095d4b33d98a9c53737451f205a28877810bcfe62dd76e4a52d0ca0362fe8eb21d494c216868d405967c4353b89e6244 |
memory/4760-479-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4380-485-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Kmkfhc32.exe
| MD5 | 0bfe8f190636ddcd231f135a82a5977c |
| SHA1 | eb6702ece56b9c9258f6700b15aa4faba798922f |
| SHA256 | 529cf10c8d8eb9c600e62431ea26e789415593de56f5d7b49c75eee86d8b082b |
| SHA512 | f5d88cbe398abefe2d0386eabeb255b721d49a7b1393eccab9c991649a01b6dc82db90ee1cc5c28bfbd72967a0de9d98efa34ed3d4b5289d8ead3edfb9cc46f3 |
memory/756-491-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2108-497-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2984-503-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Lbjlfi32.exe
| MD5 | dbac07c51afd3d91a24216847fb680d4 |
| SHA1 | 1a42e2ae30b90652e844dc8f4e3857362aa15108 |
| SHA256 | 0a4bc5c4ce8ab8387443f94320bbebeea4db353d6ed60fedfcb1ecb5975d698c |
| SHA512 | efcc3264f53810d8a46b6fbcd5608c467e4cf33538a08bbfa0e4916a4c286449500a2576d640b34ff45eea621f6ca082b7c291897b7f4880f4f58746f272fdff |
memory/532-509-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1620-515-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Lmppcbjd.exe
| MD5 | 30d60edf503bef263db31c6ebbcedd9d |
| SHA1 | 392f9a48859a01e159531b18d256a0ac8103145f |
| SHA256 | d6dd001790c90c09456624fcfe84474756476b12e4ad5c2c30a07b88b30680b9 |
| SHA512 | a9a87600d4c7c1d2c19b1c82e4c1e062a669538d3db4b0b3b4520ef4c9aa3c26cb87a39b182c461fe96291aa893ae617dcf15627408f4ccf168c1b3b67ccaede |
memory/2544-521-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Lbmhlihl.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4324-527-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3424-533-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3392-539-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3536-540-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2788-546-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1144-552-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3704-553-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1032-562-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3480-559-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4876-566-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3644-567-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3500-573-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3984-575-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1972-580-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1336-585-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4408-588-0x0000000000400000-0x000000000043F000-memory.dmp
memory/3516-587-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4204-594-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\SysWOW64\Mlampmdo.exe
| MD5 | 6b74f408371402b13738026203e65e35 |
| SHA1 | 6448477206de1083c8d30a673669859c2f244229 |
| SHA256 | af420c2c679ac888bd09b93f94d02a6cfae2645f65f69f49bda4929cca375bd0 |
| SHA512 | dd69358795e44ab3ee68f931728821623cfefc690b85ca48862f4582e4cd62587f8308ed7db819aafda8ff80477ec183fa564e117498ecae8e4aad3535e8b6dd |
C:\Windows\SysWOW64\Mmbfpp32.exe
C:\Windows\SysWOW64\Ndokbi32.exe
C:\Windows\SysWOW64\Nngokoej.exe
C:\Windows\SysWOW64\Ngbpidjh.exe
C:\Windows\SysWOW64\Npjebj32.exe
C:\Windows\SysWOW64\Nfgmjqop.exe
C:\Windows\SysWOW64\Odkjng32.exe
C:\Windows\SysWOW64\Ogkcpbam.exe
C:\Windows\SysWOW64\Ocdqjceo.exe
C:\Windows\SysWOW64\Pdfjifjo.exe
C:\Windows\SysWOW64\Pqmjog32.exe
C:\Windows\SysWOW64\Pncgmkmj.exe
C:\Windows\SysWOW64\Pgllfp32.exe
C:\Windows\SysWOW64\Qgcbgo32.exe
C:\Windows\SysWOW64\Ampkof32.exe
C:\Windows\SysWOW64\Afhohlbj.exe
C:\Windows\SysWOW64\Aqncedbp.exe
C:\Windows\SysWOW64\Aqppkd32.exe
C:\Windows\SysWOW64\Aabmqd32.exe
C:\Windows\SysWOW64\Ajkaii32.exe
C:\Windows\SysWOW64\Bjmnoi32.exe
C:\Windows\SysWOW64\Bfdodjhm.exe
C:\Windows\SysWOW64\Balpgb32.exe
C:\Windows\SysWOW64\Bjddphlq.exe
C:\Windows\SysWOW64\Bfkedibe.exe
C:\Windows\SysWOW64\Belebq32.exe
C:\Windows\SysWOW64\Cmgjgcgo.exe
C:\Windows\SysWOW64\Cnffqf32.exe
C:\Windows\SysWOW64\Cfbkeh32.exe
C:\Windows\SysWOW64\Cagobalc.exe
C:\Windows\SysWOW64\Dfiafg32.exe
C:\Windows\SysWOW64\Ddmaok32.exe
C:\Windows\SysWOW64\Dfnjafap.exe
C:\Windows\SysWOW64\Dfpgffpm.exe
C:\Windows\SysWOW64\Dddhpjof.exe
C:\Windows\SysWOW64\Dmllipeg.exe