Analysis Overview
SHA256
e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cb
Threat Level: Known bad
The file e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN was found to be: Known bad.
Malicious Activity Summary
Berbew
Berbew family
Adds autorun key to be loaded by Explorer.exe on startup
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 15:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 15:44
Reported
2024-11-09 15:46
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cpfmmf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cnmfdb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jondnnbk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lclicpkm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kklkcn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lbafdlod.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bqgmfkhg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Clojhf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iliebpfc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jondnnbk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ljfapjbi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pkcbnanl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Akcomepg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cgaaah32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cmpgpond.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iliebpfc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lhknaf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pkcbnanl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmbgfkje.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cbblda32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cbblda32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Knmdeioh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lbafdlod.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cpfmmf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cgaaah32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bkjdndjo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lonpma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Locjhqpa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lfhhjklc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Locjhqpa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kpgffe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kklkcn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lkjjma32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Acfmcc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Acfmcc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Adnpkjde.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eecafd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fkpjnkig.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bchfhfeh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpnkbpdd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Coacbfii.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jimbkh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Adnpkjde.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Coacbfii.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cnmfdb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ghdgfbkl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bchfhfeh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Knmdeioh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ljfapjbi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Clojhf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kcgphp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Akcomepg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lhknaf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qpbglhjq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ahebaiac.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bniajoic.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ieomef32.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Kpgffe32.exe | C:\Windows\SysWOW64\Jondnnbk.exe | N/A |
| File created | C:\Windows\SysWOW64\Nhfpnk32.dll | C:\Windows\SysWOW64\Kcgphp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lonpma32.exe | C:\Windows\SysWOW64\Knmdeioh.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfnafi32.dll | C:\Windows\SysWOW64\Akcomepg.exe | N/A |
| File created | C:\Windows\SysWOW64\Ihkhkcdl.dll | C:\Windows\SysWOW64\Bniajoic.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Clojhf32.exe | C:\Windows\SysWOW64\Cgaaah32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cnmfdb32.exe | C:\Windows\SysWOW64\Clojhf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jendoajo.dll | C:\Windows\SysWOW64\Acfmcc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Coacbfii.exe | C:\Windows\SysWOW64\Bmbgfkje.exe | N/A |
| File created | C:\Windows\SysWOW64\Cefkjiak.dll | C:\Windows\SysWOW64\Fkpjnkig.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjlkhpje.dll | C:\Windows\SysWOW64\Lfhhjklc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lbafdlod.exe | C:\Windows\SysWOW64\Locjhqpa.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckmcef32.dll | C:\Windows\SysWOW64\Pleofj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bmbgfkje.exe | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pcaibd32.dll | C:\Windows\SysWOW64\Cnmfdb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dejdjfjb.dll | C:\Windows\SysWOW64\Hpnkbpdd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lclicpkm.exe | C:\Windows\SysWOW64\Lhfefgkg.exe | N/A |
| File created | C:\Windows\SysWOW64\Locjhqpa.exe | C:\Windows\SysWOW64\Ljfapjbi.exe | N/A |
| File created | C:\Windows\SysWOW64\Cofdbf32.dll | C:\Windows\SysWOW64\Lkjjma32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kklkcn32.exe | C:\Windows\SysWOW64\Kpgffe32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Knmdeioh.exe | C:\Windows\SysWOW64\Kcgphp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Efeckm32.dll | C:\Windows\SysWOW64\Cgaaah32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kcgphp32.exe | C:\Windows\SysWOW64\Kklkcn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ljfapjbi.exe | C:\Windows\SysWOW64\Lclicpkm.exe | N/A |
| File created | C:\Windows\SysWOW64\Binbknik.dll | C:\Windows\SysWOW64\Ahebaiac.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bkjdndjo.exe | C:\Windows\SysWOW64\Adnpkjde.exe | N/A |
| File created | C:\Windows\SysWOW64\Aacinhhc.dll | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Clojhf32.exe | C:\Windows\SysWOW64\Cgaaah32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fgdnnl32.exe | C:\Windows\SysWOW64\Eecafd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fkpjnkig.exe | C:\Windows\SysWOW64\Fgdnnl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iliebpfc.exe | C:\Windows\SysWOW64\Ieomef32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kcacjhob.dll | C:\Windows\SysWOW64\Lhfefgkg.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljfapjbi.exe | C:\Windows\SysWOW64\Lclicpkm.exe | N/A |
| File created | C:\Windows\SysWOW64\Abpcooea.exe | C:\Windows\SysWOW64\Akcomepg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Adnpkjde.exe | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| File created | C:\Windows\SysWOW64\Aglfmjon.dll | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| File created | C:\Windows\SysWOW64\Bniajoic.exe | C:\Windows\SysWOW64\Bkjdndjo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eecafd32.exe | C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpnkbpdd.exe | C:\Windows\SysWOW64\Ghdgfbkl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qpbglhjq.exe | C:\Windows\SysWOW64\Pleofj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kaqnpc32.dll | C:\Windows\SysWOW64\Cpfmmf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Niebgj32.dll | C:\Windows\SysWOW64\Clojhf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fkpjnkig.exe | C:\Windows\SysWOW64\Fgdnnl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jmgnph32.dll | C:\Windows\SysWOW64\Jondnnbk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pleofj32.exe | C:\Windows\SysWOW64\Pkcbnanl.exe | N/A |
| File created | C:\Windows\SysWOW64\Acfmcc32.exe | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ahebaiac.exe | C:\Windows\SysWOW64\Acfmcc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgaaah32.exe | C:\Windows\SysWOW64\Cpfmmf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ahebaiac.exe | C:\Windows\SysWOW64\Acfmcc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmpgpond.exe | C:\Windows\SysWOW64\Cnmfdb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbdcic32.dll | C:\Windows\SysWOW64\Ghdgfbkl.exe | N/A |
| File created | C:\Windows\SysWOW64\Lfhhjklc.exe | C:\Windows\SysWOW64\Lonpma32.exe | N/A |
| File created | C:\Windows\SysWOW64\Apgagg32.exe | C:\Windows\SysWOW64\Qpbglhjq.exe | N/A |
| File created | C:\Windows\SysWOW64\Mhniklfm.dll | C:\Windows\SysWOW64\Kklkcn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Djmlem32.dll | C:\Windows\SysWOW64\Ljfapjbi.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogdjhp32.dll | C:\Windows\SysWOW64\Bmbgfkje.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghdgfbkl.exe | C:\Windows\SysWOW64\Fkpjnkig.exe | N/A |
| File created | C:\Windows\SysWOW64\Lhfefgkg.exe | C:\Windows\SysWOW64\Lfhhjklc.exe | N/A |
| File created | C:\Windows\SysWOW64\Lloeec32.dll | C:\Windows\SysWOW64\Bchfhfeh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Coacbfii.exe | C:\Windows\SysWOW64\Bmbgfkje.exe | N/A |
| File created | C:\Windows\SysWOW64\Cnmfdb32.exe | C:\Windows\SysWOW64\Clojhf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Andpoahc.dll | C:\Windows\SysWOW64\Kpgffe32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nlbjim32.dll | C:\Windows\SysWOW64\Pkcbnanl.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgaaah32.exe | C:\Windows\SysWOW64\Cpfmmf32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dpapaj32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bqgmfkhg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bchfhfeh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmbgfkje.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cpfmmf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnmfdb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmpgpond.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jimbkh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pkcbnanl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Acfmcc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Adnpkjde.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fgdnnl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hpnkbpdd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ieomef32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Locjhqpa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bkjdndjo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eecafd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lonpma32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lkjjma32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qpbglhjq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Coacbfii.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Clojhf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kklkcn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pleofj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ahebaiac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Akcomepg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bniajoic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgaaah32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fkpjnkig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lhfefgkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ljfapjbi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lbafdlod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lfhhjklc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kpgffe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jondnnbk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghdgfbkl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iliebpfc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kcgphp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Knmdeioh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lclicpkm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lhknaf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cbblda32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kpgffe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kcgphp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lfhhjklc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Akcomepg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbknik.dll" | C:\Windows\SysWOW64\Ahebaiac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cgaaah32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefkjiak.dll" | C:\Windows\SysWOW64\Fkpjnkig.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ieomef32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ljfapjbi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Acfmcc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll" | C:\Windows\SysWOW64\Cgaaah32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lhfefgkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bkjdndjo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bchfhfeh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlkhpje.dll" | C:\Windows\SysWOW64\Lfhhjklc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cmpgpond.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" | C:\Windows\SysWOW64\Cmpgpond.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fkpjnkig.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdcic32.dll" | C:\Windows\SysWOW64\Ghdgfbkl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll" | C:\Windows\SysWOW64\Cbblda32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cpfmmf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmaibil.dll" | C:\Windows\SysWOW64\Eecafd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kcgphp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaijflc.dll" | C:\Windows\SysWOW64\Fgdnnl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofpgamj.dll" | C:\Windows\SysWOW64\Ieomef32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iliebpfc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jimbkh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kpgffe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Adnpkjde.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bkjdndjo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bniajoic.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll" | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Clojhf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfeei32.dll" | C:\Windows\SysWOW64\Jimbkh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lhfefgkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbjim32.dll" | C:\Windows\SysWOW64\Pkcbnanl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cbblda32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bchfhfeh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll" | C:\Windows\SysWOW64\Bchfhfeh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hpnkbpdd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hpnkbpdd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lonpma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pleofj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ahebaiac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Clojhf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll" | C:\Windows\SysWOW64\Cnmfdb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ghdgfbkl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jondnnbk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andpoahc.dll" | C:\Windows\SysWOW64\Kpgffe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lfhhjklc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lhknaf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Adnpkjde.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bniajoic.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bmbgfkje.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lkjjma32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pleofj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Acfmcc32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe
"C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe"
C:\Windows\SysWOW64\Eecafd32.exe
C:\Windows\system32\Eecafd32.exe
C:\Windows\SysWOW64\Fgdnnl32.exe
C:\Windows\system32\Fgdnnl32.exe
C:\Windows\SysWOW64\Fkpjnkig.exe
C:\Windows\system32\Fkpjnkig.exe
C:\Windows\SysWOW64\Ghdgfbkl.exe
C:\Windows\system32\Ghdgfbkl.exe
C:\Windows\SysWOW64\Hpnkbpdd.exe
C:\Windows\system32\Hpnkbpdd.exe
C:\Windows\SysWOW64\Ieomef32.exe
C:\Windows\system32\Ieomef32.exe
C:\Windows\SysWOW64\Iliebpfc.exe
C:\Windows\system32\Iliebpfc.exe
C:\Windows\SysWOW64\Jimbkh32.exe
C:\Windows\system32\Jimbkh32.exe
C:\Windows\SysWOW64\Jondnnbk.exe
C:\Windows\system32\Jondnnbk.exe
C:\Windows\SysWOW64\Kpgffe32.exe
C:\Windows\system32\Kpgffe32.exe
C:\Windows\SysWOW64\Kklkcn32.exe
C:\Windows\system32\Kklkcn32.exe
C:\Windows\SysWOW64\Kcgphp32.exe
C:\Windows\system32\Kcgphp32.exe
C:\Windows\SysWOW64\Knmdeioh.exe
C:\Windows\system32\Knmdeioh.exe
C:\Windows\SysWOW64\Lonpma32.exe
C:\Windows\system32\Lonpma32.exe
C:\Windows\SysWOW64\Lfhhjklc.exe
C:\Windows\system32\Lfhhjklc.exe
C:\Windows\SysWOW64\Lhfefgkg.exe
C:\Windows\system32\Lhfefgkg.exe
C:\Windows\SysWOW64\Lclicpkm.exe
C:\Windows\system32\Lclicpkm.exe
C:\Windows\SysWOW64\Ljfapjbi.exe
C:\Windows\system32\Ljfapjbi.exe
C:\Windows\SysWOW64\Locjhqpa.exe
C:\Windows\system32\Locjhqpa.exe
C:\Windows\SysWOW64\Lbafdlod.exe
C:\Windows\system32\Lbafdlod.exe
C:\Windows\SysWOW64\Lhknaf32.exe
C:\Windows\system32\Lhknaf32.exe
C:\Windows\SysWOW64\Lkjjma32.exe
C:\Windows\system32\Lkjjma32.exe
C:\Windows\SysWOW64\Pkcbnanl.exe
C:\Windows\system32\Pkcbnanl.exe
C:\Windows\SysWOW64\Pleofj32.exe
C:\Windows\system32\Pleofj32.exe
C:\Windows\SysWOW64\Qpbglhjq.exe
C:\Windows\system32\Qpbglhjq.exe
C:\Windows\SysWOW64\Apgagg32.exe
C:\Windows\system32\Apgagg32.exe
C:\Windows\SysWOW64\Acfmcc32.exe
C:\Windows\system32\Acfmcc32.exe
C:\Windows\SysWOW64\Ahebaiac.exe
C:\Windows\system32\Ahebaiac.exe
C:\Windows\SysWOW64\Akcomepg.exe
C:\Windows\system32\Akcomepg.exe
C:\Windows\SysWOW64\Abpcooea.exe
C:\Windows\system32\Abpcooea.exe
C:\Windows\SysWOW64\Adnpkjde.exe
C:\Windows\system32\Adnpkjde.exe
C:\Windows\SysWOW64\Bkjdndjo.exe
C:\Windows\system32\Bkjdndjo.exe
C:\Windows\SysWOW64\Bniajoic.exe
C:\Windows\system32\Bniajoic.exe
C:\Windows\SysWOW64\Bqgmfkhg.exe
C:\Windows\system32\Bqgmfkhg.exe
C:\Windows\SysWOW64\Bchfhfeh.exe
C:\Windows\system32\Bchfhfeh.exe
C:\Windows\SysWOW64\Bfioia32.exe
C:\Windows\system32\Bfioia32.exe
C:\Windows\SysWOW64\Bmbgfkje.exe
C:\Windows\system32\Bmbgfkje.exe
C:\Windows\SysWOW64\Coacbfii.exe
C:\Windows\system32\Coacbfii.exe
C:\Windows\SysWOW64\Cbblda32.exe
C:\Windows\system32\Cbblda32.exe
C:\Windows\SysWOW64\Cpfmmf32.exe
C:\Windows\system32\Cpfmmf32.exe
C:\Windows\SysWOW64\Cgaaah32.exe
C:\Windows\system32\Cgaaah32.exe
C:\Windows\SysWOW64\Clojhf32.exe
C:\Windows\system32\Clojhf32.exe
C:\Windows\SysWOW64\Cnmfdb32.exe
C:\Windows\system32\Cnmfdb32.exe
C:\Windows\SysWOW64\Cmpgpond.exe
C:\Windows\system32\Cmpgpond.exe
C:\Windows\SysWOW64\Dpapaj32.exe
C:\Windows\system32\Dpapaj32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 144
Network
Files
memory/3008-0-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Eecafd32.exe
| MD5 | 0fdc8d38d19240c3b24764e440695927 |
| SHA1 | 4de7e9157cd45a6e8887d28a4c880b7fea42cb8f |
| SHA256 | 5ece827dfd8b862f2b2b6f22c48a2ab60cb0f6d17d986a12a03e97b3c6856d08 |
| SHA512 | e93d57910ea148b97255d303ecbe6929c621475b033df3717dcc6c9bb580216a29a284aee68d6d6e2f9f2a1324bf97cd450d7b443a03661df8597268885753d2 |
memory/3008-17-0x00000000002D0000-0x0000000000303000-memory.dmp
C:\Windows\SysWOW64\Fgdnnl32.exe
| MD5 | 482d7275a5d5a69f0e76a463fe8baf7f |
| SHA1 | 5e217d91c3199d767e2de25be520d597a4b013be |
| SHA256 | 414665a2b6bf60e862b26d9dbe6636cafba68379d44bc0e64474632be89047a0 |
| SHA512 | 6380371c317974c604df71aa23e1a0c8d9164156d349b760d259b830922f245b07267f5e630c3593d42c0bc842aae0356c51082360cf129ee139e274f9ecfdc0 |
memory/816-31-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3008-30-0x00000000002D0000-0x0000000000303000-memory.dmp
memory/816-34-0x0000000000290000-0x00000000002C3000-memory.dmp
memory/2096-33-0x0000000000400000-0x0000000000433000-memory.dmp
memory/816-32-0x0000000000290000-0x00000000002C3000-memory.dmp
\Windows\SysWOW64\Fkpjnkig.exe
| MD5 | 40b8c22717a7a843cd1e73ff0a54ffff |
| SHA1 | 3c3b1f30bac197eb8781272d44ebdb2f3048253f |
| SHA256 | 798d89e4c2cbea1afeb57b863b5264384d6642824843e9d1165f6e8524522e1f |
| SHA512 | 9398e62f9ae36f62128f1e694016400028fd1948657160c3c030ff26f0187058743f9dce8e1ec03d3f7a07b4e0e0d165b987d12a15974e5354bbab1f93f67348 |
memory/1912-49-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2096-42-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2096-41-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2820-59-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ghdgfbkl.exe
| MD5 | 010f0d2d6e6253f36797ed2239f40f05 |
| SHA1 | 0863b91a8a7fdcdd41c17d92a7394dd038000265 |
| SHA256 | ab849f96e65b7258372e6d187bb51461caf380492df516ce5561e4e83474d9a7 |
| SHA512 | bfe0c076c1550d1598317203de1ce307e9acbf1203c5193d0766acda3311ce0426f85470dc497b893c7f3602d87489554d6c8baaf5bdf90d4a9fd3caef376598 |
memory/1912-57-0x0000000000440000-0x0000000000473000-memory.dmp
memory/1912-56-0x0000000000440000-0x0000000000473000-memory.dmp
memory/2820-67-0x0000000000250000-0x0000000000283000-memory.dmp
\Windows\SysWOW64\Hpnkbpdd.exe
| MD5 | 2ae95c72ae988262ff3352547561f4fe |
| SHA1 | dcf9d0a5293af82026746472cdf76f7f16b551ee |
| SHA256 | 9fc23b6777fdf66d23c6b1ed4186dc71b492c45ca7d77bb66a5d4928f6edc4fb |
| SHA512 | 2570632ca688e9ccc516408000a1f656bc358a0f7d29c5cc807a8ee5d44fe664ad5f98950b81eed4b18bfd95be362860018571325dc3b9805acc45bdd9d290ba |
memory/2848-73-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ieomef32.exe
| MD5 | 6692043edcedcc154f742f287b5f9314 |
| SHA1 | 579031405960870a00b6658ab8eb837ffe45a4e2 |
| SHA256 | 67db99742181a4eeccc820ec8f381825b7047982155f616b6aed3c571bbdd970 |
| SHA512 | 8f61b3825c2ab522e2cd4170b93c8791cd23aa9767dad4153706cec02e3d65058240d963b124e93197e5923c796d29262714543b4c09187c99590ff2d48c8e58 |
memory/1804-87-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2848-86-0x0000000000440000-0x0000000000473000-memory.dmp
\Windows\SysWOW64\Iliebpfc.exe
| MD5 | 4729cf49041da07e766b9595f45465a6 |
| SHA1 | a5354f46d336bfb5895b9d436e22bd88069dd5d1 |
| SHA256 | bb85cab8757cdabcabce5a9c3d66f3e1d6b88140e21e434f3d21b801398863ff |
| SHA512 | 445b490fdc2ebbb798e3f43a599084a4ad50731f772268fea966f7bf7617e6b8db3579551565144a9e15263f57f653a9c3f17e39c8a67e57ab98ca866bc04eac |
memory/2628-100-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\Jimbkh32.exe
| MD5 | 21dba74cc998e2f8013470b93340e6d3 |
| SHA1 | ca962902b490c9adadd5c6694f6dec06501c716b |
| SHA256 | 7e22c7d29f6fa5744a9dd2bdb70974a7cf8bd5b7ec4b7c257b3be0d135e701a6 |
| SHA512 | 822f74610bddc36ecdd7f24f2672e5289004236046126ff3f03b6b68b252dd62d625347fb1ed169380d10d110f484e9b9984fb97e4e2d44bc6acd6d6f74ba92d |
memory/2628-108-0x00000000002D0000-0x0000000000303000-memory.dmp
memory/1712-114-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\Jondnnbk.exe
| MD5 | bc6aad0506f5116c63eac60948b5bd9d |
| SHA1 | f2c0fbb56fc327bddcc974f91950d6e378581abe |
| SHA256 | 0493d4a582f066a35c9153604efaf4f6c746f3bb6e7a8678bad9cd5df861cfa3 |
| SHA512 | 1c9e1eece5b307a7c8a364975ed779616c5ea0b87c40c372f04ff7d00b8167b5392201779f92f50a63bfd5272afac4b618222c64b9dec6ceb6cb8e97c586cfc4 |
memory/2468-129-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1712-127-0x0000000000440000-0x0000000000473000-memory.dmp
memory/1712-126-0x0000000000440000-0x0000000000473000-memory.dmp
\Windows\SysWOW64\Kpgffe32.exe
| MD5 | 9390fe35e4ff15368b10d1ff8b0ef502 |
| SHA1 | c6e0c55d462b3ea019b47d7a0140b9e69d75a39c |
| SHA256 | e712c445adca16813f877bcfcc444c3491a9518b1fc80b6b5df0470375f25376 |
| SHA512 | a1c85004e5ff23a7d59a7672a3db1e77e7d2eed9a4cc7460f884cad8d7954ca0d196a08ac0bd169771275bef9200913e2a815195e9676d4d1f16e7587897f3be |
memory/808-143-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Kklkcn32.exe
| MD5 | 85d9fe2ca79244aac59425940b3f5767 |
| SHA1 | 1d7f83002ea42377eb0898344625679f2f5dc784 |
| SHA256 | 45140c0613e3e5a304d1abcc9b8ee6ec98d54b487a29f083c3ed388b60d103e7 |
| SHA512 | 31686817a9c272b68adcfb82b79b0b97aaf721e5afd79687fd4ea4658c770bf724a456be761ca43929b8696adead01642f752af88b38e12a2df2b398ef0cce71 |
memory/2476-155-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\Kcgphp32.exe
| MD5 | decf640c03339f5eaa1fada0c683d029 |
| SHA1 | 44813d8b87c9e01e4b0865ba77ad9efe20d7efeb |
| SHA256 | 0e61bd48404ca5e19e4c79957b39ebfd92ef9c3c7e44fcffa2436e700f6ba0c6 |
| SHA512 | 0eece59a07eace99e825ea214f5863023018320f531356fb85901e8bc7481d83873db33b6081eb5d815eadc05702b9dc5e6537e3fbae1363c72563605ffd5872 |
memory/1168-168-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2448-181-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Lonpma32.exe
| MD5 | 5ffcf4e23394828dbee7e7add964fab5 |
| SHA1 | 0a2573bcf0f4d0eba72f4b63dd7c4982f6067c0f |
| SHA256 | 2ae0d2f5ca6a3fe55ea948524e4a35a50400ac5ac860efba875bcb791a9c3d4a |
| SHA512 | 40535a1522d46de50813355cb7d3fa6353c3b3fcfbdc282e6ac37359097aa8a6e67387df25cca9cd7dc76d9b3c0ca6ded204a40d932b5a27ac7e99c48d9f3010 |
C:\Windows\SysWOW64\Lfhhjklc.exe
| MD5 | c38f2c2020f840f447dabdc0ff4afbef |
| SHA1 | 037a5d164b1f1bd13ac0ed67f267a8bfb68bbb94 |
| SHA256 | 2bace8706f380c7c5151e5712bda2de8f979bde1eaa4d6fcc1a8224020271bee |
| SHA512 | 01c9080dd87d7459a79d561273222e678178dad6ca7d36dcbbdae8231f47c95fc2ef4ab0ff18499436f287e65811c9fe619319b16c054abe8a88cfdc4c80749a |
C:\Windows\SysWOW64\Lhfefgkg.exe
| MD5 | 956cd896ee61d22d6b63e1994f5ef598 |
| SHA1 | ba80e6f8c003309a4bbb188e6510a74229c68159 |
| SHA256 | ba31eb788804d232b3a4ae72a8f5e1d83b527846ae459c78d99a48c1e69ebb31 |
| SHA512 | 368225b0f65a224f4da07d932f0b508d5da792fe0608d8ae6468b2e738760e63dc6c5cb3b8e335363c1c6782113403e58a733e167360809ce09a115ec7d37536 |
memory/2136-220-0x0000000000400000-0x0000000000433000-memory.dmp
memory/284-230-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1924-249-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1772-271-0x0000000000400000-0x0000000000433000-memory.dmp
memory/956-270-0x0000000000290000-0x00000000002C3000-memory.dmp
memory/956-269-0x0000000000290000-0x00000000002C3000-memory.dmp
C:\Windows\SysWOW64\Lhknaf32.exe
| MD5 | 7f6178c242c2cfb3d457bc65d17ba18a |
| SHA1 | d3fd9d8af20579ef689a585dc4e0725384242226 |
| SHA256 | c45c09fd6e9ebbba52a051fb21f2b73d311ad9f6ef3e2660458839d48d8569e7 |
| SHA512 | 0b8d13d89b7ff94f3ddba0588eae249ea4bda249087ea838d852ed8ce2568852212f99a4cd61574efb1ce5ef7a614c0222ea73616da118b70bfb3be66106e031 |
memory/956-260-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1924-259-0x0000000000280000-0x00000000002B3000-memory.dmp
C:\Windows\SysWOW64\Lbafdlod.exe
| MD5 | c3a6ed79c1df462280c17f9537a52c4e |
| SHA1 | 4f2e83aa1ac01ba84013be26a19f0598d2e712a3 |
| SHA256 | 9e7cf521cb73a7195133603ac95694ee31de10439d1e7728d45d5e73ea1e1af8 |
| SHA512 | 33ae7e5041baee20f4665bca7bde79a33c12681fbeba9c8de77fdf7724a8dc14090fb08422e792174538b32aac24337a8ddec8269a56246358c681e885844400 |
memory/1924-255-0x0000000000280000-0x00000000002B3000-memory.dmp
memory/1868-248-0x00000000002F0000-0x0000000000323000-memory.dmp
C:\Windows\SysWOW64\Locjhqpa.exe
| MD5 | 479637fd53f2033e4b0e7ec63ff44480 |
| SHA1 | 9a76b539002c818ef874abe36358c66c6a56e34b |
| SHA256 | e0afe0025629085dc794bc054b7ab7c3abe0f8f6648bf593a819cab95bde2ec6 |
| SHA512 | 50c1d5b4e87ef1773748c7e27498b9f60af8509dc4c3e54f892c8d58768fa6b5d2f7002b81f51a038bbf0313164c7f8afc21de8ff20e2aea7da73b0f9039ecbb |
memory/1868-239-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ljfapjbi.exe
| MD5 | 01dc966e10f802d5b221e0d4eaed3647 |
| SHA1 | 471a92caea8a5b777676ab8c5c42d51bf8171c97 |
| SHA256 | 3de1c5251cc3c159a90b1bd99618a9e4543d4cec717c17facab417c29ff1bd9f |
| SHA512 | 159590f81a6b0ba77c13a0d1f578042f7a199c0485bea2868c16c532e5016cd1575733bfbee881c5f776fc21d7dce0b0fd3f2f888ef49f26d331ea8e9e688632 |
C:\Windows\SysWOW64\Lclicpkm.exe
| MD5 | cf9b5c391cd531a73f14978604421d5e |
| SHA1 | 31c200e6cc2a388a1678fae0a34d4160c7c3eeba |
| SHA256 | e5f84b74436a59e58fc8a4bf3aaa7fc8bb8683d7c1ee9b6aed78b0d618456337 |
| SHA512 | 8763423ff2a76425ecab2395189b57050a23ff8ac8894344c9f7f4425c3f6182cbedeab65fdf7ec15fa58e8a3bb027b7ad8c1402fa8ec29f12662542a9e503b0 |
memory/1704-207-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2388-194-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Knmdeioh.exe
| MD5 | 27cc267c2601bc91474e9835663d9217 |
| SHA1 | a5e5fe5354325c14baf5abe08034e42d8fbc771c |
| SHA256 | 3c06eec864fc1decec70d8820a848c249c08f3418e47a2d87b56842edda83a50 |
| SHA512 | 0290ff9a6e88a99be240fc6e7b8d27c0ad40c8c87e1ddb213261d99f232f8d87c8de91ff0276a82e3f484368febbc0a358eed38e4719b71093e94f433554f46f |
memory/1772-277-0x0000000000440000-0x0000000000473000-memory.dmp
memory/1772-281-0x0000000000440000-0x0000000000473000-memory.dmp
C:\Windows\SysWOW64\Lkjjma32.exe
| MD5 | daa138dea2bc42e89d91927878cae202 |
| SHA1 | 7382c32aa097a7855388fea7b06158fbeca678dd |
| SHA256 | d32c648e31b94a8cc559b1cebb0a01ddf4cfbfc7af2b01158a023e06138c7e60 |
| SHA512 | 14dc5e5d873445141279c91d3d941e926f9634f2fe65a4eea261b53c609477cf16e8d14868d3a1b50f5ca0516d87f79ddcc2fd7b9d0a75dcd69109ca849c18de |
memory/316-282-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Pkcbnanl.exe
| MD5 | 21ed197d1a360de97feecaeecddfc716 |
| SHA1 | 421505837c636f1bdc3ad2b377065779fac18914 |
| SHA256 | 0937e5f9a04811ea2560b65be2a181e06a469719f8565d0a9ad5ea49801dd88f |
| SHA512 | 9f313f7aea09c2879437fefb9458abdc02cb3cb0782336867b6c6a3a5bead0a6c3552a746dc31e7b75ee4f4bc0176293206ebac0f8718a9e32cf0eef3ac98f67 |
memory/2172-292-0x0000000000400000-0x0000000000433000-memory.dmp
memory/316-291-0x00000000002D0000-0x0000000000303000-memory.dmp
C:\Windows\SysWOW64\Pleofj32.exe
| MD5 | d274dc34b588b8114e56c066b02a4304 |
| SHA1 | fb3f4a896326cf9ae89cd046176c3c4e85b18ef9 |
| SHA256 | c44ff7d563fccfe6858a1da50a79e94ef75491dc6ba1cc317b835ed9a4e0437d |
| SHA512 | 58972ddbe4d4e2109efddea4f01a31d4fa08b928c50221314543a3980946b20c1cb81a6112679a8c96594377957997ed77e33c622a5d37bc68d042de9880bd7a |
memory/2172-301-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2172-303-0x0000000000250000-0x0000000000283000-memory.dmp
memory/1740-302-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2148-314-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1740-313-0x0000000000250000-0x0000000000283000-memory.dmp
memory/1740-312-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Qpbglhjq.exe
| MD5 | 11ceff3fa4d2a321c50d410360b1f69e |
| SHA1 | be44cdb215464d379ec1ff29121aaf2912ff8c52 |
| SHA256 | c1130a78901fc6fa7d6d082917f956b0287ee2fcc4e8e0fc4e58d336eceda0ba |
| SHA512 | d6b0e74e15ed4907053135c4b9cea21901b226e0eeb0ce1a567b41bf71b599d661130b69bf301b6e1b832c89f5efa4b5a0974627a410e2c4de11cad7c9ff5043 |
memory/2148-320-0x0000000000440000-0x0000000000473000-memory.dmp
C:\Windows\SysWOW64\Apgagg32.exe
| MD5 | 269eac0419f7abb3b03b00aa906cf140 |
| SHA1 | 9f378b5b1460a129af4461c20dcb089be6ffa9d1 |
| SHA256 | 495f558b9a0b135dbf126376089df68ae3b7cb95a69a0037b52cc6b079ad026e |
| SHA512 | 820611a640252e71adf41dee04f95c48b5941a36bbc7a0b4a7eeeeaa7a3d4824e30fd4718bdcd4dd7c6b3c87e4e46ea9337c7f7226a1d9a7e7065bb3a4b02bc0 |
memory/2244-328-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2380-334-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2244-333-0x00000000002D0000-0x0000000000303000-memory.dmp
C:\Windows\SysWOW64\Acfmcc32.exe
| MD5 | 3e9c18b630cc4bcdcb33e1bb9d6144bf |
| SHA1 | 61a13bf1920aead19eb23434e9b6497875b1f3fe |
| SHA256 | 205e4ff38a2cf70a293276fecba261378e2b6e37b2c84348844f2513ffa87f4f |
| SHA512 | a3e043459a26a1dabf88c1c978403f017576d56c636d7484ba3755f833de49245c28a1cc437abf70488f4c2a6ba40b52bcb4236c761f17375c8373c7508fc95c |
memory/2380-340-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Ahebaiac.exe
| MD5 | 150a83b19438ac9c4fd73dd977d66ece |
| SHA1 | 13f2f0ca85c8f0e8f6acabbafb4687077e7e4495 |
| SHA256 | f481d89aaece33e181034a0af138cc4c392e474e104efa1fe14dee3a0942bfc5 |
| SHA512 | 75c945b2c957364a03e6332403d04acf6c2fb3543acca2e48476a70820879f53a6a0fcc78a64e79ee2e8f5910f606a292b4ceac7c1bab2d467458de6a7cb63f8 |
memory/2380-344-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Akcomepg.exe
| MD5 | f2c40919b4bc2d77e0cd5dded07a955f |
| SHA1 | 12a83a02af19fb041ba1ecdb35f08fb41eefa873 |
| SHA256 | 07bfe91e789340ab396e5b099ca8f6c28609b471c4c7c8978f07dff521927c56 |
| SHA512 | c46a543be7ed72fe0b5d519c140c9f1f94152c86dd8f4e0bca20344b8d14ee749b3db3fc42c3d45a687eb3e5edade9c031a7c9fdf58ae65c6e4dcba8cbb24f7d |
memory/3008-350-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2792-356-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2096-355-0x0000000000250000-0x0000000000283000-memory.dmp
memory/3008-354-0x00000000002D0000-0x0000000000303000-memory.dmp
C:\Windows\SysWOW64\Abpcooea.exe
| MD5 | 3585148723f7c8ca817f9e97e5885300 |
| SHA1 | 636cbcd9f8806ecc9b786c7200a9713a06abaa92 |
| SHA256 | 6fdadba398872d92ab968b80198f5c3a32be6c50f70e10d74253c86d7e9f9e5e |
| SHA512 | 4328cc132c07127f20838863637302c45733998e0f6b910168853b4b93bbd797fc8fc11b2159f46826751f5672f44518b4964156da8ae65b89dd8b42e3af7ff2 |
memory/2096-365-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2868-370-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1912-371-0x0000000000440000-0x0000000000473000-memory.dmp
memory/2868-373-0x0000000000270000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Adnpkjde.exe
| MD5 | 84c475666bd5ecf41fec82912edb2ffd |
| SHA1 | 87490d250a08a0f58bf268669c7ef800d2a7c024 |
| SHA256 | 6e77d9a38c257c3c6ab3487d448a60d081254dbf05c3cdcfc6aa0246da1e5040 |
| SHA512 | 3e5cb0691216e389423a2cc55096b6c9707209aa78842bfc738363ac33c88645ce37d21bccfda34d705e88a589ece617d296a6207e2f51b414c08ee1ff0b7f77 |
memory/2820-377-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2848-386-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bkjdndjo.exe
| MD5 | 632476521d9a4eca96617f4dbc49ab66 |
| SHA1 | 160c600f43441beea80d6b7e4513eb2e2f1b17b9 |
| SHA256 | 9d8a5471688d5aff686d369ae5d438e3a4cdd7fad97ae7c7618800f7040e0b19 |
| SHA512 | bc2ab2a3877ee285599785af1d8f2e5ba238b7573329d7dea409e007f8d5a83844ffb8ce66649eed49717e2b03659b6159b7d4ad5d6f7d7ec1d75faa76efda81 |
memory/2908-392-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2616-398-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1804-397-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2848-395-0x0000000000440000-0x0000000000473000-memory.dmp
C:\Windows\SysWOW64\Bniajoic.exe
| MD5 | 622eec769006e4a0a9f66f9ad54af0fd |
| SHA1 | c16ac64328f20bfce63a91e18483bf88eb0aa7ae |
| SHA256 | 33d60fe12bd7b6e37c9b9e3128f427f0543b5bdc57667495dd1bdc60b165eb8d |
| SHA512 | 1d1e18a28a5695c511a58f0967c76fd8430bb94cb98eadc55125f7e46ec1d6865929a6185c860455d02291d67372746180d2b9ace713f3effa4d59e35476f931 |
C:\Windows\SysWOW64\Bqgmfkhg.exe
| MD5 | 4a1a039a53e08076215fde12d59a9088 |
| SHA1 | 91e343223023406afae9b36a228d6bb5f04561cf |
| SHA256 | 85fdd03b2592c332cfb97ddf6f64808934627f902a03eaf830cab5c99202f440 |
| SHA512 | 00097caec469df1372a5d7266589706d70613758d4753e5b55cb912ac97a23ed0e46ab3df1ac347d582fcd8d86e4910334377b39fb73b5d2d69357bb078fdcb5 |
memory/2628-407-0x0000000000400000-0x0000000000433000-memory.dmp
memory/940-412-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bchfhfeh.exe
| MD5 | 8095d7aad82abc15e7b9372dd0c16e2e |
| SHA1 | 42c4378619a8852fa1cc3e7d522ae262b4a30df0 |
| SHA256 | 8e96a51f8e4a6b2ba9ec70aa2a6ad8090b5eb4b7bba6aec0d139eff1d2412913 |
| SHA512 | f6593eafa034a7f0182c9ff2c5a730e1b1269e9c316f1bd327471001423f4a126597559de748cb3888d3ca05500351f7316734c486d940fb81ace1a95c9af6d0 |
memory/1848-419-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1712-418-0x0000000000400000-0x0000000000433000-memory.dmp
memory/940-417-0x0000000000440000-0x0000000000473000-memory.dmp
memory/1712-424-0x0000000000440000-0x0000000000473000-memory.dmp
memory/1848-426-0x00000000002D0000-0x0000000000303000-memory.dmp
C:\Windows\SysWOW64\Bfioia32.exe
| MD5 | f10da8d3cec921f47041cb87f381e83b |
| SHA1 | c60387ebea1b3ccb27ffbf96c6d6a1854ba42d59 |
| SHA256 | 4546dbe38a09a064088cdb9cac99364bb0ed8b504d739ed436c17cb24e7771ad |
| SHA512 | 121c5a5fc536e00c402bf5a2d2adbdb90c0ecddf29492aa17053b39e09eb463d990513717c0b25a1f84637c6a135a99b1cc84fc0c1bd8c61924afa4aa13dc511 |
memory/2468-431-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1712-430-0x0000000000440000-0x0000000000473000-memory.dmp
C:\Windows\SysWOW64\Bmbgfkje.exe
| MD5 | 19d7d61ab125e114c65e6348f67799c4 |
| SHA1 | c3309cc378bb64b7a482fcc098f75d34611260c7 |
| SHA256 | 118efa532ef3c4b51a85a5ede6e619cd76f4c9931147685ec8833a0d080f5595 |
| SHA512 | 7e333a482d82d6a4475b4813a8c1f4a0a9514fa5a5b9349d21b7dd41f4d28401c031786f19b6b85985f54cc6d8be81593d65cf48280a117778327f4aaa8a1bdc |
memory/1596-443-0x0000000000400000-0x0000000000433000-memory.dmp
memory/808-442-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2468-441-0x0000000000260000-0x0000000000293000-memory.dmp
memory/1956-440-0x0000000000250000-0x0000000000283000-memory.dmp
memory/1596-449-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Coacbfii.exe
| MD5 | ef6f96fc40c24b86f8ad8902c6d72ba3 |
| SHA1 | b6a614f5d40210308bb356543f841694b19318c0 |
| SHA256 | 81224311dc7b438d78d70064a00915696ae0a1dd83fea1ad5ebe7d1aa9260130 |
| SHA512 | de4fb4fbdf567a25269a47220026742738ee70879b63075683e21355988f1192a2841214b3369203bdd96f7282fbf7a8106242bcdb316c036893c222d07cd04a |
memory/2260-460-0x0000000000250000-0x0000000000283000-memory.dmp
C:\Windows\SysWOW64\Cbblda32.exe
| MD5 | 7b84ec50580e8c61340ceff0c2b586b7 |
| SHA1 | 07880892ec3a4b0a1c3da39dd1233ed59d0f56e0 |
| SHA256 | 44da0b70b69a7b379543dc1640446a9972af4bdc5ad91599090d7f7c5d76545a |
| SHA512 | ff2abfe84166e78ced1bd597518451449042e1346f72054ffb72b8a273f8e6d39c1b11c782dc9ec8f92f4fbbc58e632c8f086ef06977585e7ec53a0123b74545 |
memory/1168-465-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2260-464-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2260-459-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2476-458-0x0000000000400000-0x0000000000433000-memory.dmp
memory/572-471-0x00000000005D0000-0x0000000000603000-memory.dmp
C:\Windows\SysWOW64\Cpfmmf32.exe
| MD5 | a1649293337b22c11f4788be665ec02b |
| SHA1 | ac9ec408df5ae70f2f889c4edf2f51c359b89419 |
| SHA256 | 462063dcd908b8fce0347bb4deafad63010bbe2218597c13f815a505a9c6ce54 |
| SHA512 | c724d630c1fd81d1f42920a60b8fa789de74fd6f4302c1414ee9fa695aae9139cad9fd70175b5cf65cacdab8584773397d008cb1bdd067cc032468fc747f07cf |
memory/2448-475-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1480-480-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Cgaaah32.exe
| MD5 | 69ff62a1e0ea4a85904f5cb57bb93b57 |
| SHA1 | 61ec6c68276c9a961750ea8a15c2f29356ba6f4b |
| SHA256 | 20b9e051a9c07305416468d415e157f054b6183ee7d5524ac0736b5df84c5c59 |
| SHA512 | 98f9ebe19e719a1576a2cf805e8e450ff33b12e46065a18f1593eaf206aa45ae5b6b499f9d0a0945724ee2a5cfb83da345c54fb13413aff2a663cd277eff719c |
memory/2388-486-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1480-485-0x0000000000440000-0x0000000000473000-memory.dmp
C:\Windows\SysWOW64\Clojhf32.exe
| MD5 | 0bfd93d38cfb52835c2671c16035add9 |
| SHA1 | 10d701a1286f8bfd6c42d8884c543e684035d489 |
| SHA256 | a150a0a4e0109480ed0b4b96b74cb4f721fe4b149f3b5d83111d4b506e9ec4d3 |
| SHA512 | b64c6ce2d8f823ab94f6dcf89be80fbd476edf71248ea51ce426618310062ac66d42aa79125ff0e408d77855cc36ef2fbd8fd43cf94275d217ca3d71b32dce65 |
memory/1704-503-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Cnmfdb32.exe
| MD5 | f205d7e193e34f9cdac4c4941f3b8e21 |
| SHA1 | cbf1e4da90146ca28d775e2a93dc9e0ab1c60689 |
| SHA256 | b412f0a3597b1ef3767fcf626b84380f1193c44a8411f867a566b7de396949be |
| SHA512 | cb000676bf1f29aa7b0f2948b1e3eaacc9d32b499ea8fc786b62e8fc883b30da819fa3d391d86356c14a2b317260817d471cead4e4507af2723d055c77836b16 |
C:\Windows\SysWOW64\Cmpgpond.exe
| MD5 | 7585a80da377fdb3271a8d9d2002bdfc |
| SHA1 | e090d497fb5bb77562d509792a7f823f58b16fd7 |
| SHA256 | cfb7a47785d462e30be937cad8c6351de725048425ddb8e9cc90c41548e269fb |
| SHA512 | a277429c99f5f1bce6f77996a5bf56009d4c27a6178888da5fd881294ada9574d549737cf079098584db05983ef62318d0379922740cfcb9b970fca619e48ce8 |
C:\Windows\SysWOW64\Dpapaj32.exe
| MD5 | 398fcd29167d0f43e5eb43b13d57565f |
| SHA1 | af6eaec2a836cbce9d52bb33601902ed85af03ef |
| SHA256 | 1907738b1ea35eb30c8fccd1de7be0ef9f21b565197cdf9419fe89d0e0a0b24a |
| SHA512 | 006f1fcec674b6c86db0a097c49c725a2b282db3e029c7b7328b2116a9360bb413b4a06b0bf0ebde28734ae28efed1a1b7daa0fb8d75c3607d3e94fb5a6a86df |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 15:44
Reported
2024-11-09 15:46
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mnnkgl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jgeghp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ldipha32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bdpaeehj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dkceokii.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lqmmmmph.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jgkdbacp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lcggio32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gmojkj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jcfggkac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pccahbmn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ahofoogd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mahnhhod.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pahpfc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jleijb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Knenkbio.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ljceqb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Agdcpkll.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mnnkgl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gigaka32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jgkdbacp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pkegpb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aefjii32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hoobdp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mgnlkfal.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpabni32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Inlihl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Albpkc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmohno32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Glgcbf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qjfmkk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Okgaijaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Olanmgig.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aolblopj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnoddcef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fijkdmhn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lcimdh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pdmdnadc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kdigadjo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mjokgg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bebjdgmj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Clchbqoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fpdcag32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kgipcogp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hbhboolf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nfaemp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bkphhgfc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Boeebnhp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ebimgcfi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Glgcbf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mmfkhmdi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kmaopfjm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aogiap32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gmojkj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mmhgmmbf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mjlhgaqp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Alqjpi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Idfaefkd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mccfdmmo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mccfdmmo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hlbcnd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Amcehdod.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Akamff32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kdmqmc32.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Bdbnjdfg.exe | C:\Windows\SysWOW64\Boeebnhp.exe | N/A |
| File created | C:\Windows\SysWOW64\Hiaafn32.dll | C:\Windows\SysWOW64\Gemkelcd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Klcekpdo.exe | C:\Windows\SysWOW64\Keimof32.exe | N/A |
| File created | C:\Windows\SysWOW64\Efeichoo.dll | C:\Windows\SysWOW64\Cimmggfl.exe | N/A |
| File created | C:\Windows\SysWOW64\Gologg32.dll | C:\Windows\SysWOW64\Ikdcmpnl.exe | N/A |
| File created | C:\Windows\SysWOW64\Hehkga32.dll | C:\Windows\SysWOW64\Nabfjpak.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gncchb32.exe | C:\Windows\SysWOW64\Gnqfcbnj.exe | N/A |
| File created | C:\Windows\SysWOW64\Jenmcggo.exe | C:\Windows\SysWOW64\Jleijb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Chfegk32.exe | C:\Windows\SysWOW64\Ckbemgcp.exe | N/A |
| File created | C:\Windows\SysWOW64\Jofill32.dll | C:\Windows\SysWOW64\Flqdlnde.exe | N/A |
| File created | C:\Windows\SysWOW64\Fgaemg32.dll | C:\Windows\SysWOW64\Kgninn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cndeii32.exe | C:\Windows\SysWOW64\Clchbqoo.exe | N/A |
| File created | C:\Windows\SysWOW64\Pagbaglh.exe | C:\Windows\SysWOW64\Pfandnla.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pdmdnadc.exe | C:\Windows\SysWOW64\Phfcipoo.exe | N/A |
| File created | C:\Windows\SysWOW64\Fihnomjp.exe | C:\Windows\SysWOW64\Enbjad32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fboqkn32.dll | C:\Windows\SysWOW64\Lnangaoa.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdbeojmh.dll | C:\Windows\SysWOW64\Moipoh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nknobkje.exe | C:\Windows\SysWOW64\Mjellmbp.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmpkadnm.exe | C:\Windows\SysWOW64\Lcggio32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aogiap32.exe | C:\Windows\SysWOW64\Qhmqdemc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aefjii32.exe | C:\Windows\SysWOW64\Aolblopj.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdgged32.exe | C:\Windows\SysWOW64\Bnmoijje.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Boenhgdd.exe | C:\Windows\SysWOW64\Baannc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eiieicml.exe | C:\Windows\SysWOW64\Emphocjj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jklinohd.exe | C:\Windows\SysWOW64\Jpfepf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ncdmbe32.dll | C:\Windows\SysWOW64\Mmpdhboj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ncnofeof.exe | C:\Windows\SysWOW64\Nnafno32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mgnlkfal.exe | C:\Windows\SysWOW64\Mmhgmmbf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Boihcf32.exe | C:\Windows\SysWOW64\Bphgeo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cacckp32.exe | C:\Windows\SysWOW64\Ckjknfnh.exe | N/A |
| File created | C:\Windows\SysWOW64\Hdhedh32.exe | C:\Windows\SysWOW64\Hgdejd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aogiap32.exe | C:\Windows\SysWOW64\Qhmqdemc.exe | N/A |
| File created | C:\Windows\SysWOW64\Aamknj32.exe | C:\Windows\SysWOW64\Aefjii32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdcebook.dll | C:\Windows\SysWOW64\Albpkc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Enigke32.exe | C:\Windows\SysWOW64\Emhkdmlg.exe | N/A |
| File created | C:\Windows\SysWOW64\Jencdebl.dll | C:\Windows\SysWOW64\Ljhnlb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nfaemp32.exe | C:\Windows\SysWOW64\Npgmpf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bphgeo32.exe | C:\Windows\SysWOW64\Bogkmgba.exe | N/A |
| File created | C:\Windows\SysWOW64\Jleijb32.exe | C:\Windows\SysWOW64\Jekqmhia.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjbmjjno.dll | C:\Windows\SysWOW64\Klahfp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dddjmo32.dll | C:\Windows\SysWOW64\Phfcipoo.exe | N/A |
| File created | C:\Windows\SysWOW64\Bghgmioe.dll | C:\Windows\SysWOW64\Cogddd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Agdcpkll.exe | C:\Windows\SysWOW64\Aoioli32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qcanijap.dll | C:\Windows\SysWOW64\Akamff32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ccbadp32.exe | C:\Windows\SysWOW64\Cimmggfl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ipmbjgpi.exe | C:\Windows\SysWOW64\Ikpjbq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Clchbqoo.exe | C:\Windows\SysWOW64\Cfipef32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iinjhh32.exe | C:\Windows\SysWOW64\Imgicgca.exe | N/A |
| File created | C:\Windows\SysWOW64\Dafipibl.dll | C:\Windows\SysWOW64\Jklinohd.exe | N/A |
| File created | C:\Windows\SysWOW64\Ejljgqdp.dll | C:\Windows\SysWOW64\Jqknkedi.exe | N/A |
| File created | C:\Windows\SysWOW64\Lajlbmed.dll | C:\Windows\SysWOW64\Kjjiej32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mnpabe32.exe | C:\Windows\SysWOW64\Mkadfj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pagbaglh.exe | C:\Windows\SysWOW64\Pfandnla.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bkphhgfc.exe | C:\Windows\SysWOW64\Bdfpkm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Emphocjj.exe | C:\Windows\SysWOW64\Efafgifc.exe | N/A |
| File created | C:\Windows\SysWOW64\Jdodkebj.exe | C:\Windows\SysWOW64\Jlhljhbg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jjlmclqa.exe | C:\Windows\SysWOW64\Jdodkebj.exe | N/A |
| File created | C:\Windows\SysWOW64\Dnpdegjp.exe | C:\Windows\SysWOW64\Dmohno32.exe | N/A |
| File created | C:\Windows\SysWOW64\Migmpjdh.dll | C:\Windows\SysWOW64\Iidphgcn.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljhpog32.dll | C:\Windows\SysWOW64\Nnfgcd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cfbcke32.exe | C:\Windows\SysWOW64\Cohkokgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eoideh32.exe | C:\Windows\SysWOW64\Enigke32.exe | N/A |
| File created | C:\Windows\SysWOW64\Phganm32.exe | C:\Windows\SysWOW64\Pahpfc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Idfaefkd.exe | C:\Windows\SysWOW64\Inlihl32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dkqaoe32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gikdkj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iinjhh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Klahfp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kjlopc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nahgoe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Flqdlnde.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Enigke32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hpofii32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Efblbbqd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chfegk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ofmdio32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pccahbmn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ebimgcfi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Emoadlfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nqbpojnp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nabfjpak.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fihnomjp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hpqldc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ilqoobdd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kncaec32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ipmbjgpi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kdmqmc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kdbjhbbd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Njhgbp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pdhkcb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Offnhpfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oghghb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Inlihl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfnbgc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fmkqpkla.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oakbehfe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bdfpkm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Injmcmej.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mcecjmkl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Boeebnhp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Olanmgig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mmhgmmbf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kmkbfeab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mmpdhboj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aefjii32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chnbbqpn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cohkokgj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hlhccj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iggjga32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jgeghp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nqmfdj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Imgicgca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jjpode32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kpanan32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pagbaglh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hblkjo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jenmcggo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bnfihkqm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pdmdnadc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gfokoelp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lmpkadnm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ncabfkqo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qaqegecm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Enbjad32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fpkibf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jleijb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Clchbqoo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dijbno32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mgnlkfal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmocfo32.dll" | C:\Windows\SysWOW64\Pdmdnadc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Emphocjj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Enigke32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmhce32.dll" | C:\Windows\SysWOW64\Enigke32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jcfggkac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoaeldi.dll" | C:\Windows\SysWOW64\Bphgeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cnfkdb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ccbadp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dfdpad32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cdmfllhn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoaedogc.dll" | C:\Windows\SysWOW64\Pkegpb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bkgeainn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kdmqmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cndeii32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjjfon32.dll" | C:\Windows\SysWOW64\Kmkbfeab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmioggn.dll" | C:\Windows\SysWOW64\Fihnomjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodolnaf.dll" | C:\Windows\SysWOW64\Fflohaij.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fbelcblk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dafppp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Llflea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jpfepf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhfgeigk.dll" | C:\Windows\SysWOW64\Olanmgig.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aekddhcb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bkgeainn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll" | C:\Windows\SysWOW64\Dpkmal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hlbcnd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaagdbfm.dll" | C:\Windows\SysWOW64\Ocohmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamebb32.dll" | C:\Windows\SysWOW64\Ckjknfnh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Chnlgjlb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leifdf32.dll" | C:\Windows\SysWOW64\Aolblopj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Amcehdod.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lenicahg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pefabkej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bdgged32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobhcgin.dll" | C:\Windows\SysWOW64\Lacdmh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kdbjhbbd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ocaebc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chkolm32.dll" | C:\Windows\SysWOW64\Mmnhcb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefjbddd.dll" | C:\Windows\SysWOW64\Jenmcggo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdflmg32.dll" | C:\Windows\SysWOW64\Pddhbipj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaafn32.dll" | C:\Windows\SysWOW64\Gemkelcd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ibfnqmpf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hlhccj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kgninn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qhmqdemc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jekqmhia.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mmnhcb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Omegjomb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Oplfkeob.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cmjemflb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleeje32.dll" | C:\Windows\SysWOW64\Lmpkadnm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Backpf32.dll" | C:\Windows\SysWOW64\Hloqml32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bnfihkqm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdjljdk.dll" | C:\Windows\SysWOW64\Lckiihok.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbiipkjk.dll" | C:\Windows\SysWOW64\Mmkkmc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kjlopc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihcbd32.dll" | C:\Windows\SysWOW64\Oplfkeob.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghdief32.dll" | C:\Windows\SysWOW64\Lcnmin32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abklmb32.dll" | C:\Windows\SysWOW64\Chnbbqpn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Glgcbf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ibfnqmpf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmock32.dll" | C:\Windows\SysWOW64\Jpfepf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbgbpn32.dll" | C:\Windows\SysWOW64\Mcecjmkl.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe
"C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe"
C:\Windows\SysWOW64\Llflea32.exe
C:\Windows\system32\Llflea32.exe
C:\Windows\SysWOW64\Lacdmh32.exe
C:\Windows\system32\Lacdmh32.exe
C:\Windows\SysWOW64\Mahnhhod.exe
C:\Windows\system32\Mahnhhod.exe
C:\Windows\SysWOW64\Mnnkgl32.exe
C:\Windows\system32\Mnnkgl32.exe
C:\Windows\SysWOW64\Mjellmbp.exe
C:\Windows\system32\Mjellmbp.exe
C:\Windows\SysWOW64\Nknobkje.exe
C:\Windows\system32\Nknobkje.exe
C:\Windows\SysWOW64\Nahgoe32.exe
C:\Windows\system32\Nahgoe32.exe
C:\Windows\SysWOW64\Okchnk32.exe
C:\Windows\system32\Okchnk32.exe
C:\Windows\SysWOW64\Okgaijaj.exe
C:\Windows\system32\Okgaijaj.exe
C:\Windows\SysWOW64\Oaajed32.exe
C:\Windows\system32\Oaajed32.exe
C:\Windows\SysWOW64\Oklkdi32.exe
C:\Windows\system32\Oklkdi32.exe
C:\Windows\SysWOW64\Pllgnl32.exe
C:\Windows\system32\Pllgnl32.exe
C:\Windows\SysWOW64\Pahpfc32.exe
C:\Windows\system32\Pahpfc32.exe
C:\Windows\SysWOW64\Phganm32.exe
C:\Windows\system32\Phganm32.exe
C:\Windows\SysWOW64\Qhlkilba.exe
C:\Windows\system32\Qhlkilba.exe
C:\Windows\SysWOW64\Qaflgago.exe
C:\Windows\system32\Qaflgago.exe
C:\Windows\SysWOW64\Akoqpg32.exe
C:\Windows\system32\Akoqpg32.exe
C:\Windows\SysWOW64\Akamff32.exe
C:\Windows\system32\Akamff32.exe
C:\Windows\SysWOW64\Alqjpi32.exe
C:\Windows\system32\Alqjpi32.exe
C:\Windows\SysWOW64\Bcddcbab.exe
C:\Windows\system32\Bcddcbab.exe
C:\Windows\SysWOW64\Bblnindg.exe
C:\Windows\system32\Bblnindg.exe
C:\Windows\SysWOW64\Cmcolgbj.exe
C:\Windows\system32\Cmcolgbj.exe
C:\Windows\SysWOW64\Cimmggfl.exe
C:\Windows\system32\Cimmggfl.exe
C:\Windows\SysWOW64\Ccbadp32.exe
C:\Windows\system32\Ccbadp32.exe
C:\Windows\SysWOW64\Cmjemflb.exe
C:\Windows\system32\Cmjemflb.exe
C:\Windows\SysWOW64\Dckdjomg.exe
C:\Windows\system32\Dckdjomg.exe
C:\Windows\SysWOW64\Dihlbf32.exe
C:\Windows\system32\Dihlbf32.exe
C:\Windows\SysWOW64\Efafgifc.exe
C:\Windows\system32\Efafgifc.exe
C:\Windows\SysWOW64\Emphocjj.exe
C:\Windows\system32\Emphocjj.exe
C:\Windows\SysWOW64\Eiieicml.exe
C:\Windows\system32\Eiieicml.exe
C:\Windows\SysWOW64\Fpbmfn32.exe
C:\Windows\system32\Fpbmfn32.exe
C:\Windows\SysWOW64\Fbhpch32.exe
C:\Windows\system32\Fbhpch32.exe
C:\Windows\SysWOW64\Flqdlnde.exe
C:\Windows\system32\Flqdlnde.exe
C:\Windows\SysWOW64\Gbmingjo.exe
C:\Windows\system32\Gbmingjo.exe
C:\Windows\SysWOW64\Gigaka32.exe
C:\Windows\system32\Gigaka32.exe
C:\Windows\SysWOW64\Gmdjapgb.exe
C:\Windows\system32\Gmdjapgb.exe
C:\Windows\SysWOW64\Gkhkjd32.exe
C:\Windows\system32\Gkhkjd32.exe
C:\Windows\SysWOW64\Gfokoelp.exe
C:\Windows\system32\Gfokoelp.exe
C:\Windows\SysWOW64\Gphphj32.exe
C:\Windows\system32\Gphphj32.exe
C:\Windows\SysWOW64\Hloqml32.exe
C:\Windows\system32\Hloqml32.exe
C:\Windows\SysWOW64\Hgdejd32.exe
C:\Windows\system32\Hgdejd32.exe
C:\Windows\SysWOW64\Hdhedh32.exe
C:\Windows\system32\Hdhedh32.exe
C:\Windows\SysWOW64\Hpofii32.exe
C:\Windows\system32\Hpofii32.exe
C:\Windows\SysWOW64\Hginecde.exe
C:\Windows\system32\Hginecde.exe
C:\Windows\SysWOW64\Hpabni32.exe
C:\Windows\system32\Hpabni32.exe
C:\Windows\SysWOW64\Hlhccj32.exe
C:\Windows\system32\Hlhccj32.exe
C:\Windows\SysWOW64\Hgmgqc32.exe
C:\Windows\system32\Hgmgqc32.exe
C:\Windows\SysWOW64\Ingpmmgm.exe
C:\Windows\system32\Ingpmmgm.exe
C:\Windows\SysWOW64\Icdheded.exe
C:\Windows\system32\Icdheded.exe
C:\Windows\SysWOW64\Injmcmej.exe
C:\Windows\system32\Injmcmej.exe
C:\Windows\SysWOW64\Icfekc32.exe
C:\Windows\system32\Icfekc32.exe
C:\Windows\SysWOW64\Inlihl32.exe
C:\Windows\system32\Inlihl32.exe
C:\Windows\SysWOW64\Idfaefkd.exe
C:\Windows\system32\Idfaefkd.exe
C:\Windows\SysWOW64\Ikpjbq32.exe
C:\Windows\system32\Ikpjbq32.exe
C:\Windows\SysWOW64\Ipmbjgpi.exe
C:\Windows\system32\Ipmbjgpi.exe
C:\Windows\SysWOW64\Iggjga32.exe
C:\Windows\system32\Iggjga32.exe
C:\Windows\SysWOW64\Ipoopgnf.exe
C:\Windows\system32\Ipoopgnf.exe
C:\Windows\SysWOW64\Ikdcmpnl.exe
C:\Windows\system32\Ikdcmpnl.exe
C:\Windows\SysWOW64\Jlfpdh32.exe
C:\Windows\system32\Jlfpdh32.exe
C:\Windows\SysWOW64\Jgkdbacp.exe
C:\Windows\system32\Jgkdbacp.exe
C:\Windows\SysWOW64\Jlhljhbg.exe
C:\Windows\system32\Jlhljhbg.exe
C:\Windows\SysWOW64\Jdodkebj.exe
C:\Windows\system32\Jdodkebj.exe
C:\Windows\SysWOW64\Jjlmclqa.exe
C:\Windows\system32\Jjlmclqa.exe
C:\Windows\SysWOW64\Jpfepf32.exe
C:\Windows\system32\Jpfepf32.exe
C:\Windows\SysWOW64\Jklinohd.exe
C:\Windows\system32\Jklinohd.exe
C:\Windows\SysWOW64\Jlmfeg32.exe
C:\Windows\system32\Jlmfeg32.exe
C:\Windows\SysWOW64\Jcgnbaeo.exe
C:\Windows\system32\Jcgnbaeo.exe
C:\Windows\SysWOW64\Jqknkedi.exe
C:\Windows\system32\Jqknkedi.exe
C:\Windows\SysWOW64\Jgeghp32.exe
C:\Windows\system32\Jgeghp32.exe
C:\Windows\SysWOW64\Kmaopfjm.exe
C:\Windows\system32\Kmaopfjm.exe
C:\Windows\SysWOW64\Kdigadjo.exe
C:\Windows\system32\Kdigadjo.exe
C:\Windows\SysWOW64\Kkconn32.exe
C:\Windows\system32\Kkconn32.exe
C:\Windows\SysWOW64\Kmdlffhj.exe
C:\Windows\system32\Kmdlffhj.exe
C:\Windows\SysWOW64\Kgipcogp.exe
C:\Windows\system32\Kgipcogp.exe
C:\Windows\SysWOW64\Kdmqmc32.exe
C:\Windows\system32\Kdmqmc32.exe
C:\Windows\SysWOW64\Kjjiej32.exe
C:\Windows\system32\Kjjiej32.exe
C:\Windows\SysWOW64\Kgninn32.exe
C:\Windows\system32\Kgninn32.exe
C:\Windows\SysWOW64\Kmkbfeab.exe
C:\Windows\system32\Kmkbfeab.exe
C:\Windows\SysWOW64\Kdbjhbbd.exe
C:\Windows\system32\Kdbjhbbd.exe
C:\Windows\SysWOW64\Lklbdm32.exe
C:\Windows\system32\Lklbdm32.exe
C:\Windows\SysWOW64\Lmmolepp.exe
C:\Windows\system32\Lmmolepp.exe
C:\Windows\SysWOW64\Lcggio32.exe
C:\Windows\system32\Lcggio32.exe
C:\Windows\SysWOW64\Lmpkadnm.exe
C:\Windows\system32\Lmpkadnm.exe
C:\Windows\SysWOW64\Ljclki32.exe
C:\Windows\system32\Ljclki32.exe
C:\Windows\SysWOW64\Ldipha32.exe
C:\Windows\system32\Ldipha32.exe
C:\Windows\SysWOW64\Ljfhqh32.exe
C:\Windows\system32\Ljfhqh32.exe
C:\Windows\SysWOW64\Lcnmin32.exe
C:\Windows\system32\Lcnmin32.exe
C:\Windows\SysWOW64\Lndagg32.exe
C:\Windows\system32\Lndagg32.exe
C:\Windows\SysWOW64\Lenicahg.exe
C:\Windows\system32\Lenicahg.exe
C:\Windows\SysWOW64\Mminhceb.exe
C:\Windows\system32\Mminhceb.exe
C:\Windows\SysWOW64\Mccfdmmo.exe
C:\Windows\system32\Mccfdmmo.exe
C:\Windows\SysWOW64\Mmkkmc32.exe
C:\Windows\system32\Mmkkmc32.exe
C:\Windows\SysWOW64\Mcecjmkl.exe
C:\Windows\system32\Mcecjmkl.exe
C:\Windows\SysWOW64\Mjokgg32.exe
C:\Windows\system32\Mjokgg32.exe
C:\Windows\SysWOW64\Mmnhcb32.exe
C:\Windows\system32\Mmnhcb32.exe
C:\Windows\SysWOW64\Mchppmij.exe
C:\Windows\system32\Mchppmij.exe
C:\Windows\SysWOW64\Mmpdhboj.exe
C:\Windows\system32\Mmpdhboj.exe
C:\Windows\SysWOW64\Mkadfj32.exe
C:\Windows\system32\Mkadfj32.exe
C:\Windows\SysWOW64\Mnpabe32.exe
C:\Windows\system32\Mnpabe32.exe
C:\Windows\SysWOW64\Nclikl32.exe
C:\Windows\system32\Nclikl32.exe
C:\Windows\SysWOW64\Nlfnaicd.exe
C:\Windows\system32\Nlfnaicd.exe
C:\Windows\SysWOW64\Nabfjpak.exe
C:\Windows\system32\Nabfjpak.exe
C:\Windows\SysWOW64\Ncabfkqo.exe
C:\Windows\system32\Ncabfkqo.exe
C:\Windows\SysWOW64\Nnfgcd32.exe
C:\Windows\system32\Nnfgcd32.exe
C:\Windows\SysWOW64\Nhokljge.exe
C:\Windows\system32\Nhokljge.exe
C:\Windows\SysWOW64\Nnicid32.exe
C:\Windows\system32\Nnicid32.exe
C:\Windows\SysWOW64\Njpdnedf.exe
C:\Windows\system32\Njpdnedf.exe
C:\Windows\SysWOW64\Najmjokc.exe
C:\Windows\system32\Najmjokc.exe
C:\Windows\SysWOW64\Onnmdcjm.exe
C:\Windows\system32\Onnmdcjm.exe
C:\Windows\SysWOW64\Odjeljhd.exe
C:\Windows\system32\Odjeljhd.exe
C:\Windows\SysWOW64\Olanmgig.exe
C:\Windows\system32\Olanmgig.exe
C:\Windows\SysWOW64\Odmbaj32.exe
C:\Windows\system32\Odmbaj32.exe
C:\Windows\SysWOW64\Oldjcg32.exe
C:\Windows\system32\Oldjcg32.exe
C:\Windows\SysWOW64\Omegjomb.exe
C:\Windows\system32\Omegjomb.exe
C:\Windows\SysWOW64\Ojigdcll.exe
C:\Windows\system32\Ojigdcll.exe
C:\Windows\SysWOW64\Oeokal32.exe
C:\Windows\system32\Oeokal32.exe
C:\Windows\SysWOW64\Omjpeo32.exe
C:\Windows\system32\Omjpeo32.exe
C:\Windows\SysWOW64\Pddhbipj.exe
C:\Windows\system32\Pddhbipj.exe
C:\Windows\SysWOW64\Poimpapp.exe
C:\Windows\system32\Poimpapp.exe
C:\Windows\SysWOW64\Phaahggp.exe
C:\Windows\system32\Phaahggp.exe
C:\Windows\SysWOW64\Poliea32.exe
C:\Windows\system32\Poliea32.exe
C:\Windows\SysWOW64\Pefabkej.exe
C:\Windows\system32\Pefabkej.exe
C:\Windows\SysWOW64\Pdkoch32.exe
C:\Windows\system32\Pdkoch32.exe
C:\Windows\SysWOW64\Pkegpb32.exe
C:\Windows\system32\Pkegpb32.exe
C:\Windows\SysWOW64\Paoollik.exe
C:\Windows\system32\Paoollik.exe
C:\Windows\SysWOW64\Pldcjeia.exe
C:\Windows\system32\Pldcjeia.exe
C:\Windows\SysWOW64\Qmepam32.exe
C:\Windows\system32\Qmepam32.exe
C:\Windows\SysWOW64\Qemhbj32.exe
C:\Windows\system32\Qemhbj32.exe
C:\Windows\SysWOW64\Qmhlgmmm.exe
C:\Windows\system32\Qmhlgmmm.exe
C:\Windows\SysWOW64\Qhmqdemc.exe
C:\Windows\system32\Qhmqdemc.exe
C:\Windows\SysWOW64\Aogiap32.exe
C:\Windows\system32\Aogiap32.exe
C:\Windows\SysWOW64\Aeaanjkl.exe
C:\Windows\system32\Aeaanjkl.exe
C:\Windows\SysWOW64\Aknifq32.exe
C:\Windows\system32\Aknifq32.exe
C:\Windows\SysWOW64\Aahbbkaq.exe
C:\Windows\system32\Aahbbkaq.exe
C:\Windows\SysWOW64\Aolblopj.exe
C:\Windows\system32\Aolblopj.exe
C:\Windows\SysWOW64\Aefjii32.exe
C:\Windows\system32\Aefjii32.exe
C:\Windows\SysWOW64\Aamknj32.exe
C:\Windows\system32\Aamknj32.exe
C:\Windows\SysWOW64\Albpkc32.exe
C:\Windows\system32\Albpkc32.exe
C:\Windows\SysWOW64\Aekddhcb.exe
C:\Windows\system32\Aekddhcb.exe
C:\Windows\SysWOW64\Bnfihkqm.exe
C:\Windows\system32\Bnfihkqm.exe
C:\Windows\SysWOW64\Bdpaeehj.exe
C:\Windows\system32\Bdpaeehj.exe
C:\Windows\SysWOW64\Boeebnhp.exe
C:\Windows\system32\Boeebnhp.exe
C:\Windows\SysWOW64\Bdbnjdfg.exe
C:\Windows\system32\Bdbnjdfg.exe
C:\Windows\SysWOW64\Bohbhmfm.exe
C:\Windows\system32\Bohbhmfm.exe
C:\Windows\SysWOW64\Bebjdgmj.exe
C:\Windows\system32\Bebjdgmj.exe
C:\Windows\SysWOW64\Bllbaa32.exe
C:\Windows\system32\Bllbaa32.exe
C:\Windows\SysWOW64\Bnmoijje.exe
C:\Windows\system32\Bnmoijje.exe
C:\Windows\SysWOW64\Bdgged32.exe
C:\Windows\system32\Bdgged32.exe
C:\Windows\SysWOW64\Bnoknihb.exe
C:\Windows\system32\Bnoknihb.exe
C:\Windows\SysWOW64\Bheplb32.exe
C:\Windows\system32\Bheplb32.exe
C:\Windows\SysWOW64\Cfipef32.exe
C:\Windows\system32\Cfipef32.exe
C:\Windows\SysWOW64\Clchbqoo.exe
C:\Windows\system32\Clchbqoo.exe
C:\Windows\SysWOW64\Cndeii32.exe
C:\Windows\system32\Cndeii32.exe
C:\Windows\SysWOW64\Cdnmfclj.exe
C:\Windows\system32\Cdnmfclj.exe
C:\Windows\SysWOW64\Cocacl32.exe
C:\Windows\system32\Cocacl32.exe
C:\Windows\SysWOW64\Cdpjlb32.exe
C:\Windows\system32\Cdpjlb32.exe
C:\Windows\SysWOW64\Cnindhpg.exe
C:\Windows\system32\Cnindhpg.exe
C:\Windows\SysWOW64\Chnbbqpn.exe
C:\Windows\system32\Chnbbqpn.exe
C:\Windows\SysWOW64\Cohkokgj.exe
C:\Windows\system32\Cohkokgj.exe
C:\Windows\SysWOW64\Cfbcke32.exe
C:\Windows\system32\Cfbcke32.exe
C:\Windows\SysWOW64\Dokgdkeh.exe
C:\Windows\system32\Dokgdkeh.exe
C:\Windows\SysWOW64\Dfdpad32.exe
C:\Windows\system32\Dfdpad32.exe
C:\Windows\SysWOW64\Dmohno32.exe
C:\Windows\system32\Dmohno32.exe
C:\Windows\SysWOW64\Dnpdegjp.exe
C:\Windows\system32\Dnpdegjp.exe
C:\Windows\SysWOW64\Dkceokii.exe
C:\Windows\system32\Dkceokii.exe
C:\Windows\SysWOW64\Dfiildio.exe
C:\Windows\system32\Dfiildio.exe
C:\Windows\SysWOW64\Dbpjaeoc.exe
C:\Windows\system32\Dbpjaeoc.exe
C:\Windows\SysWOW64\Dijbno32.exe
C:\Windows\system32\Dijbno32.exe
C:\Windows\SysWOW64\Dfnbgc32.exe
C:\Windows\system32\Dfnbgc32.exe
C:\Windows\SysWOW64\Emhkdmlg.exe
C:\Windows\system32\Emhkdmlg.exe
C:\Windows\SysWOW64\Enigke32.exe
C:\Windows\system32\Enigke32.exe
C:\Windows\SysWOW64\Eoideh32.exe
C:\Windows\system32\Eoideh32.exe
C:\Windows\SysWOW64\Efblbbqd.exe
C:\Windows\system32\Efblbbqd.exe
C:\Windows\SysWOW64\Ebimgcfi.exe
C:\Windows\system32\Ebimgcfi.exe
C:\Windows\SysWOW64\Eehicoel.exe
C:\Windows\system32\Eehicoel.exe
C:\Windows\SysWOW64\Emoadlfo.exe
C:\Windows\system32\Emoadlfo.exe
C:\Windows\SysWOW64\Efgemb32.exe
C:\Windows\system32\Efgemb32.exe
C:\Windows\SysWOW64\Enbjad32.exe
C:\Windows\system32\Enbjad32.exe
C:\Windows\SysWOW64\Fihnomjp.exe
C:\Windows\system32\Fihnomjp.exe
C:\Windows\SysWOW64\Fflohaij.exe
C:\Windows\system32\Fflohaij.exe
C:\Windows\SysWOW64\Fijkdmhn.exe
C:\Windows\system32\Fijkdmhn.exe
C:\Windows\SysWOW64\Fpdcag32.exe
C:\Windows\system32\Fpdcag32.exe
C:\Windows\SysWOW64\Ffnknafg.exe
C:\Windows\system32\Ffnknafg.exe
C:\Windows\SysWOW64\Fbelcblk.exe
C:\Windows\system32\Fbelcblk.exe
C:\Windows\SysWOW64\Fechomko.exe
C:\Windows\system32\Fechomko.exe
C:\Windows\SysWOW64\Fmkqpkla.exe
C:\Windows\system32\Fmkqpkla.exe
C:\Windows\SysWOW64\Fpkibf32.exe
C:\Windows\system32\Fpkibf32.exe
C:\Windows\SysWOW64\Gehbjm32.exe
C:\Windows\system32\Gehbjm32.exe
C:\Windows\SysWOW64\Gmojkj32.exe
C:\Windows\system32\Gmojkj32.exe
C:\Windows\SysWOW64\Gnqfcbnj.exe
C:\Windows\system32\Gnqfcbnj.exe
C:\Windows\SysWOW64\Gncchb32.exe
C:\Windows\system32\Gncchb32.exe
C:\Windows\SysWOW64\Gemkelcd.exe
C:\Windows\system32\Gemkelcd.exe
C:\Windows\SysWOW64\Glgcbf32.exe
C:\Windows\system32\Glgcbf32.exe
C:\Windows\SysWOW64\Gbalopbn.exe
C:\Windows\system32\Gbalopbn.exe
C:\Windows\SysWOW64\Gikdkj32.exe
C:\Windows\system32\Gikdkj32.exe
C:\Windows\SysWOW64\Gpelhd32.exe
C:\Windows\system32\Gpelhd32.exe
C:\Windows\SysWOW64\Gmimai32.exe
C:\Windows\system32\Gmimai32.exe
C:\Windows\SysWOW64\Gojiiafp.exe
C:\Windows\system32\Gojiiafp.exe
C:\Windows\SysWOW64\Hpiecd32.exe
C:\Windows\system32\Hpiecd32.exe
C:\Windows\SysWOW64\Hbhboolf.exe
C:\Windows\system32\Hbhboolf.exe
C:\Windows\SysWOW64\Hoobdp32.exe
C:\Windows\system32\Hoobdp32.exe
C:\Windows\SysWOW64\Hehkajig.exe
C:\Windows\system32\Hehkajig.exe
C:\Windows\SysWOW64\Hlbcnd32.exe
C:\Windows\system32\Hlbcnd32.exe
C:\Windows\SysWOW64\Hblkjo32.exe
C:\Windows\system32\Hblkjo32.exe
C:\Windows\SysWOW64\Hpqldc32.exe
C:\Windows\system32\Hpqldc32.exe
C:\Windows\SysWOW64\Hfjdqmng.exe
C:\Windows\system32\Hfjdqmng.exe
C:\Windows\SysWOW64\Hmdlmg32.exe
C:\Windows\system32\Hmdlmg32.exe
C:\Windows\SysWOW64\Imgicgca.exe
C:\Windows\system32\Imgicgca.exe
C:\Windows\SysWOW64\Iinjhh32.exe
C:\Windows\system32\Iinjhh32.exe
C:\Windows\SysWOW64\Ipgbdbqb.exe
C:\Windows\system32\Ipgbdbqb.exe
C:\Windows\SysWOW64\Ibfnqmpf.exe
C:\Windows\system32\Ibfnqmpf.exe
C:\Windows\SysWOW64\Iipfmggc.exe
C:\Windows\system32\Iipfmggc.exe
C:\Windows\SysWOW64\Iefgbh32.exe
C:\Windows\system32\Iefgbh32.exe
C:\Windows\SysWOW64\Ilqoobdd.exe
C:\Windows\system32\Ilqoobdd.exe
C:\Windows\SysWOW64\Ickglm32.exe
C:\Windows\system32\Ickglm32.exe
C:\Windows\SysWOW64\Iidphgcn.exe
C:\Windows\system32\Iidphgcn.exe
C:\Windows\SysWOW64\Jekqmhia.exe
C:\Windows\system32\Jekqmhia.exe
C:\Windows\SysWOW64\Jleijb32.exe
C:\Windows\system32\Jleijb32.exe
C:\Windows\SysWOW64\Jenmcggo.exe
C:\Windows\system32\Jenmcggo.exe
C:\Windows\SysWOW64\Jlgepanl.exe
C:\Windows\system32\Jlgepanl.exe
C:\Windows\SysWOW64\Jilfifme.exe
C:\Windows\system32\Jilfifme.exe
C:\Windows\SysWOW64\Jpenfp32.exe
C:\Windows\system32\Jpenfp32.exe
C:\Windows\SysWOW64\Jllokajf.exe
C:\Windows\system32\Jllokajf.exe
C:\Windows\SysWOW64\Jcfggkac.exe
C:\Windows\system32\Jcfggkac.exe
C:\Windows\SysWOW64\Jjpode32.exe
C:\Windows\system32\Jjpode32.exe
C:\Windows\SysWOW64\Komhll32.exe
C:\Windows\system32\Komhll32.exe
C:\Windows\SysWOW64\Klahfp32.exe
C:\Windows\system32\Klahfp32.exe
C:\Windows\SysWOW64\Koodbl32.exe
C:\Windows\system32\Koodbl32.exe
C:\Windows\SysWOW64\Keimof32.exe
C:\Windows\system32\Keimof32.exe
C:\Windows\SysWOW64\Klcekpdo.exe
C:\Windows\system32\Klcekpdo.exe
C:\Windows\SysWOW64\Kncaec32.exe
C:\Windows\system32\Kncaec32.exe
C:\Windows\SysWOW64\Kpanan32.exe
C:\Windows\system32\Kpanan32.exe
C:\Windows\SysWOW64\Kgkfnh32.exe
C:\Windows\system32\Kgkfnh32.exe
C:\Windows\SysWOW64\Knenkbio.exe
C:\Windows\system32\Knenkbio.exe
C:\Windows\SysWOW64\Kjlopc32.exe
C:\Windows\system32\Kjlopc32.exe
C:\Windows\SysWOW64\Lgpoihnl.exe
C:\Windows\system32\Lgpoihnl.exe
C:\Windows\SysWOW64\Lnjgfb32.exe
C:\Windows\system32\Lnjgfb32.exe
C:\Windows\SysWOW64\Ljqhkckn.exe
C:\Windows\system32\Ljqhkckn.exe
C:\Windows\SysWOW64\Lqkqhm32.exe
C:\Windows\system32\Lqkqhm32.exe
C:\Windows\SysWOW64\Lcimdh32.exe
C:\Windows\system32\Lcimdh32.exe
C:\Windows\SysWOW64\Ljceqb32.exe
C:\Windows\system32\Ljceqb32.exe
C:\Windows\SysWOW64\Lqmmmmph.exe
C:\Windows\system32\Lqmmmmph.exe
C:\Windows\SysWOW64\Lckiihok.exe
C:\Windows\system32\Lckiihok.exe
C:\Windows\SysWOW64\Lnangaoa.exe
C:\Windows\system32\Lnangaoa.exe
C:\Windows\SysWOW64\Ljhnlb32.exe
C:\Windows\system32\Ljhnlb32.exe
C:\Windows\SysWOW64\Mmfkhmdi.exe
C:\Windows\system32\Mmfkhmdi.exe
C:\Windows\SysWOW64\Modgdicm.exe
C:\Windows\system32\Modgdicm.exe
C:\Windows\SysWOW64\Mmhgmmbf.exe
C:\Windows\system32\Mmhgmmbf.exe
C:\Windows\SysWOW64\Mgnlkfal.exe
C:\Windows\system32\Mgnlkfal.exe
C:\Windows\SysWOW64\Mjlhgaqp.exe
C:\Windows\system32\Mjlhgaqp.exe
C:\Windows\SysWOW64\Moipoh32.exe
C:\Windows\system32\Moipoh32.exe
C:\Windows\SysWOW64\Mqimikfj.exe
C:\Windows\system32\Mqimikfj.exe
C:\Windows\SysWOW64\Mcgiefen.exe
C:\Windows\system32\Mcgiefen.exe
C:\Windows\SysWOW64\Mjaabq32.exe
C:\Windows\system32\Mjaabq32.exe
C:\Windows\SysWOW64\Mqkiok32.exe
C:\Windows\system32\Mqkiok32.exe
C:\Windows\SysWOW64\Nqmfdj32.exe
C:\Windows\system32\Nqmfdj32.exe
C:\Windows\SysWOW64\Nnafno32.exe
C:\Windows\system32\Nnafno32.exe
C:\Windows\SysWOW64\Ncnofeof.exe
C:\Windows\system32\Ncnofeof.exe
C:\Windows\SysWOW64\Njhgbp32.exe
C:\Windows\system32\Njhgbp32.exe
C:\Windows\SysWOW64\Nqbpojnp.exe
C:\Windows\system32\Nqbpojnp.exe
C:\Windows\SysWOW64\Ncqlkemc.exe
C:\Windows\system32\Ncqlkemc.exe
C:\Windows\SysWOW64\Nnfpinmi.exe
C:\Windows\system32\Nnfpinmi.exe
C:\Windows\SysWOW64\Npgmpf32.exe
C:\Windows\system32\Npgmpf32.exe
C:\Windows\SysWOW64\Nfaemp32.exe
C:\Windows\system32\Nfaemp32.exe
C:\Windows\SysWOW64\Ngqagcag.exe
C:\Windows\system32\Ngqagcag.exe
C:\Windows\SysWOW64\Omnjojpo.exe
C:\Windows\system32\Omnjojpo.exe
C:\Windows\SysWOW64\Oplfkeob.exe
C:\Windows\system32\Oplfkeob.exe
C:\Windows\SysWOW64\Offnhpfo.exe
C:\Windows\system32\Offnhpfo.exe
C:\Windows\SysWOW64\Oakbehfe.exe
C:\Windows\system32\Oakbehfe.exe
C:\Windows\SysWOW64\Onocomdo.exe
C:\Windows\system32\Onocomdo.exe
C:\Windows\SysWOW64\Oghghb32.exe
C:\Windows\system32\Oghghb32.exe
C:\Windows\SysWOW64\Ocohmc32.exe
C:\Windows\system32\Ocohmc32.exe
C:\Windows\SysWOW64\Ofmdio32.exe
C:\Windows\system32\Ofmdio32.exe
C:\Windows\SysWOW64\Ocaebc32.exe
C:\Windows\system32\Ocaebc32.exe
C:\Windows\SysWOW64\Pfoann32.exe
C:\Windows\system32\Pfoann32.exe
C:\Windows\SysWOW64\Pmiikh32.exe
C:\Windows\system32\Pmiikh32.exe
C:\Windows\SysWOW64\Pccahbmn.exe
C:\Windows\system32\Pccahbmn.exe
C:\Windows\SysWOW64\Pfandnla.exe
C:\Windows\system32\Pfandnla.exe
C:\Windows\SysWOW64\Pagbaglh.exe
C:\Windows\system32\Pagbaglh.exe
C:\Windows\SysWOW64\Pjpfjl32.exe
C:\Windows\system32\Pjpfjl32.exe
C:\Windows\SysWOW64\Pdhkcb32.exe
C:\Windows\system32\Pdhkcb32.exe
C:\Windows\SysWOW64\Pjbcplpe.exe
C:\Windows\system32\Pjbcplpe.exe
C:\Windows\SysWOW64\Palklf32.exe
C:\Windows\system32\Palklf32.exe
C:\Windows\SysWOW64\Phfcipoo.exe
C:\Windows\system32\Phfcipoo.exe
C:\Windows\SysWOW64\Pdmdnadc.exe
C:\Windows\system32\Pdmdnadc.exe
C:\Windows\SysWOW64\Qjfmkk32.exe
C:\Windows\system32\Qjfmkk32.exe
C:\Windows\SysWOW64\Qaqegecm.exe
C:\Windows\system32\Qaqegecm.exe
C:\Windows\SysWOW64\Qhjmdp32.exe
C:\Windows\system32\Qhjmdp32.exe
C:\Windows\SysWOW64\Qdaniq32.exe
C:\Windows\system32\Qdaniq32.exe
C:\Windows\SysWOW64\Afpjel32.exe
C:\Windows\system32\Afpjel32.exe
C:\Windows\SysWOW64\Ahofoogd.exe
C:\Windows\system32\Ahofoogd.exe
C:\Windows\SysWOW64\Aoioli32.exe
C:\Windows\system32\Aoioli32.exe
C:\Windows\SysWOW64\Agdcpkll.exe
C:\Windows\system32\Agdcpkll.exe
C:\Windows\SysWOW64\Adhdjpjf.exe
C:\Windows\system32\Adhdjpjf.exe
C:\Windows\SysWOW64\Amcehdod.exe
C:\Windows\system32\Amcehdod.exe
C:\Windows\SysWOW64\Bdmmeo32.exe
C:\Windows\system32\Bdmmeo32.exe
C:\Windows\SysWOW64\Bkgeainn.exe
C:\Windows\system32\Bkgeainn.exe
C:\Windows\SysWOW64\Baannc32.exe
C:\Windows\system32\Baannc32.exe
C:\Windows\SysWOW64\Boenhgdd.exe
C:\Windows\system32\Boenhgdd.exe
C:\Windows\SysWOW64\Bgpcliao.exe
C:\Windows\system32\Bgpcliao.exe
C:\Windows\SysWOW64\Bogkmgba.exe
C:\Windows\system32\Bogkmgba.exe
C:\Windows\SysWOW64\Bphgeo32.exe
C:\Windows\system32\Bphgeo32.exe
C:\Windows\SysWOW64\Boihcf32.exe
C:\Windows\system32\Boihcf32.exe
C:\Windows\SysWOW64\Bdfpkm32.exe
C:\Windows\system32\Bdfpkm32.exe
C:\Windows\SysWOW64\Bkphhgfc.exe
C:\Windows\system32\Bkphhgfc.exe
C:\Windows\SysWOW64\Bnoddcef.exe
C:\Windows\system32\Bnoddcef.exe
C:\Windows\SysWOW64\Cdimqm32.exe
C:\Windows\system32\Cdimqm32.exe
C:\Windows\SysWOW64\Ckbemgcp.exe
C:\Windows\system32\Ckbemgcp.exe
C:\Windows\SysWOW64\Chfegk32.exe
C:\Windows\system32\Chfegk32.exe
C:\Windows\SysWOW64\Coqncejg.exe
C:\Windows\system32\Coqncejg.exe
C:\Windows\SysWOW64\Cdmfllhn.exe
C:\Windows\system32\Cdmfllhn.exe
C:\Windows\SysWOW64\Ckgohf32.exe
C:\Windows\system32\Ckgohf32.exe
C:\Windows\SysWOW64\Cnfkdb32.exe
C:\Windows\system32\Cnfkdb32.exe
C:\Windows\SysWOW64\Cdpcal32.exe
C:\Windows\system32\Cdpcal32.exe
C:\Windows\SysWOW64\Ckjknfnh.exe
C:\Windows\system32\Ckjknfnh.exe
C:\Windows\SysWOW64\Cacckp32.exe
C:\Windows\system32\Cacckp32.exe
C:\Windows\SysWOW64\Chnlgjlb.exe
C:\Windows\system32\Chnlgjlb.exe
C:\Windows\SysWOW64\Cogddd32.exe
C:\Windows\system32\Cogddd32.exe
C:\Windows\SysWOW64\Dafppp32.exe
C:\Windows\system32\Dafppp32.exe
C:\Windows\SysWOW64\Dgcihgaj.exe
C:\Windows\system32\Dgcihgaj.exe
C:\Windows\SysWOW64\Dpkmal32.exe
C:\Windows\system32\Dpkmal32.exe
C:\Windows\SysWOW64\Dkqaoe32.exe
C:\Windows\system32\Dkqaoe32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 9208 -ip 9208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9208 -s 400
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/4812-0-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4812-1-0x0000000000431000-0x0000000000432000-memory.dmp
C:\Windows\SysWOW64\Llflea32.exe
| MD5 | db6a77fb84325b4b66f75fdfa08e6220 |
| SHA1 | 41e1e99d628c1ce17a5dc296d5b55de739950947 |
| SHA256 | affb03f46fc0eb380ee782f7f23a58e10859ebd78d56a20911e0413c7a9e74d4 |
| SHA512 | 57413b94128ccea204290eafbdd1fd361a3aa36e64d7c2251e8eeb81d1cfd88290b1e9cbf04cf47954aec64b4d5a789b92e3f89bf28369db5e03dbd939257246 |
memory/3672-9-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Lacdmh32.exe
| MD5 | 9e4e5d86d49e90c84ce253793cab638f |
| SHA1 | 1a304dc905ad0befd1a8d7662ba4ddc1a9e6dc7a |
| SHA256 | e9c4b338b35f854a64d2020fe70a3e953ce7903d67a8e96939c1d9513db914dc |
| SHA512 | ba8d9757dcd466ee69e3699ac191b3e1e5a854389c95e5a59f6085d49d130c979865dde4434e371bea71177fe14b8ea23a5e5ea2a6c6b336ec153d61258e6947 |
memory/2640-16-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Mahnhhod.exe
| MD5 | c487a2fa5d5ecc399e084e84846b082b |
| SHA1 | abb5bc9a2eba1513f28d92ace094bf8a524b278a |
| SHA256 | 49933b2ff9dcda00208acb0f9b27faa233bae6f32c952d4d4b97853fa97d3f2e |
| SHA512 | 337eaeac8fa150217fe2661b27063f0bd7efe90ac25f2a636eaf34df446352f77e455500f39d887095a2f05e03883f221ada0f9c71c88c726f71c347ced08c5b |
memory/2544-24-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Mnnkgl32.exe
| MD5 | 01bf03de436c6038236e35ed64a77a13 |
| SHA1 | b9e5d5b8b1ce014aab04674081e5b963b82c8be7 |
| SHA256 | 2b8a79f207e061c53dd9a910141b5ce0ca9defab733e7ec0fa0ed2ed88322301 |
| SHA512 | 86836f43f3e807743c9f216957059a4aa223286a545bd70d34ed5124daae1f00865c5c4026d6157b41aed00bffa0c538a8c1b3c9739d47d7817ee0eee164b791 |
memory/3060-33-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Mjellmbp.exe
| MD5 | 1ae5cfbdf07b353f6e549fa308437008 |
| SHA1 | 122d77ca3423e7cee1fc1fa1a47054b057a01be7 |
| SHA256 | eeed1c4ec79a2ec702c640d31f93036dfaa658277831be7e4c52d2d7f3ce15f5 |
| SHA512 | 6cf6c211324a142644823970f6f346b0f14c8032bbd7a3776cbe5fb9517614818ced66351fa243c6831ba54496f4bc843c1dcc5ee01871f24a4ae935276da5b9 |
memory/1848-40-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Nknobkje.exe
| MD5 | 287268a0436b01c182176064cd482101 |
| SHA1 | 3b38a46f1a12a93218aeb48a81beab883218e436 |
| SHA256 | 06fae4c14f80aa2c1ed7afe860ad602ee14f44d2901b15039bef09985e5320d4 |
| SHA512 | 95816feab72378881d330a63d1a35a11a1a33bae9e814bc7974e58460623f33631065519c1db24f63bf27e1ed0d315f9cf56babea597e16b5878eb6e26b18b15 |
memory/752-53-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Nahgoe32.exe
| MD5 | 847a7d90dc415ee3f89fdeee4f92f71f |
| SHA1 | 513bd215b8820a760baed5601d9381075b923293 |
| SHA256 | a54e59cdc9430edd44446beba896ee34d7f3a0c5e1198ea84a91f65a9233d2bf |
| SHA512 | 6dd820983bc906bbc0ff19a93066ab9330a82eb59b866500d492735083d5aec2cc768d11feac0c88f7acd177fa44ad84bdc2558a5188cff2340b124f7f71dc88 |
memory/3644-57-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Okchnk32.exe
| MD5 | 85c668b61938b542604088b73c5c9ae1 |
| SHA1 | 3de80498fbe10de689179d3e6255d184ecc7b7a4 |
| SHA256 | 0eb14a71fe42e895ce150113576fe6fc41355b5e77fd1caa63ed2b9dc5e39835 |
| SHA512 | b0f3919c9a33fc253dc760ca3dd2727c30e3065af54368441ea3644fbc1c1507bc3c3a1540a58ef840e24218cf5f227ded68137154e857eafd6ae0fa6f20f95c |
memory/4916-64-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Okgaijaj.exe
| MD5 | fbac5e62fdcf705f2d08e4d36fd38cdb |
| SHA1 | c1d3a23435694f9153619f8fe978fc177500d6a1 |
| SHA256 | 9446555a4da999a19c5eb4ab8ce500a1fe875b0de6017f8e4ec13e1b3ac1235a |
| SHA512 | d29db5ce6fa14b296ce19427237224098d6f510ce2405b3de5956c637e567784a9d52d6c8924d420ad497aa6789ea95095bec2ef140e4724058095382d1a05ef |
memory/312-73-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Oaajed32.exe
| MD5 | 83d1914a3b89f39f9a235fe6a456a53a |
| SHA1 | 19377d10a932341938a7ffbb7d358d459c5c4aa7 |
| SHA256 | d60b243ad9c2755dda9002177ce2f4b52547f46273e781dc340b4855a6cf9b0b |
| SHA512 | 9b094c1d77525805659944c755568a40b334b2ae1bb8c6614746f505fd2280b108784dac8647ceb4998427031a5bf1adf2a6654e414379bf8040e166094478fd |
memory/1216-80-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Oklkdi32.exe
| MD5 | 153d29b7a68dfcc255045fd7fbc00fc5 |
| SHA1 | fb79c7d96faf3dded080997e6f4905a971a17357 |
| SHA256 | 6b4766909d647055494d4b1b32e3381c8291288098667e959a38df58f4e65f6d |
| SHA512 | 964c6e90b52844d97b0b4b652ee1ff07b49efbe04d9aa491a2ffe5baf50b24abab501df070f9895d128a281092cce0e9557fb41a288d93282948690abd4086df |
memory/5060-89-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Pllgnl32.exe
| MD5 | 36c9befa186eb2d5b0fc20a7afea669f |
| SHA1 | d86e03ba3ac8208603be709fe1a3a87f3f1e3545 |
| SHA256 | a1e59b6b2c78364e97c96070a6ec8d5b684359bdd966197be21ad696003b12f5 |
| SHA512 | be7ba557542f243e92b9e73d4130b1526473ed889c8122477718b62636b08c31e2f075e4f2573d6994cc70f676f75a7820475f82a9d2542040a67b6a5b1e1e6b |
memory/220-101-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Pahpfc32.exe
| MD5 | 6c9715ef6ecad352aee0330fc9e40124 |
| SHA1 | c2dac21abf9cf5226596f0851a625492a71db7f9 |
| SHA256 | 64e53bfce73f61def3b73e03d71f2fb749dc76e4d207d1a2daadf6ee97ecb8f3 |
| SHA512 | c0369c5d5293ad65d25f4db69b0a99e64fc4b10621380651b18f474177c01184c3e5566b8c78eb2a484931bcfbfee46a4111bda0d57524cd2abd55ff03e0685f |
memory/1524-105-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Phganm32.exe
| MD5 | 7a1cc3a6bbc142d8ffa92363e7695ec9 |
| SHA1 | 8ca49a3c398244bd0b18f20ef29ec73d6214bfd4 |
| SHA256 | 3c796d93e6859d1499d74450af9fcdb2f69ac6764c22a35a897fdd0a09f598c9 |
| SHA512 | 18f195809e45a3c4e963682ab92f62c2f314703772d4957ebe73ae42547396704ff374cebe215697700831c7db555924c9df8e4248079f2d2a75857b49567558 |
memory/4652-113-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Qhlkilba.exe
| MD5 | e8a658901d2b6f3fa8b656e8b8253a33 |
| SHA1 | 7c1f66cbc41be1d66a78ef3dc2bd4b74ddc721ce |
| SHA256 | 264967448ff53464a67b03b45cb565e9ec0e74337db9b3133c2b01a85c826075 |
| SHA512 | 3d072f1f64c7f59e225f07389f9125f6833677528505672ffe3e6b832c82d29afef1712984c213898b10cf06ad3cef14ff44c90ae11ab0fc8a06d9c20a69888c |
memory/1340-120-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Qaflgago.exe
| MD5 | e649f4ac16754cf6f87a0e0d8ce5269a |
| SHA1 | b0480d704b1bce3e045d1a0575ccb74e24aea4c1 |
| SHA256 | e111a168358e46723e8f79ce061db54fbdb931f36f9745e212c9e26947a2ba0c |
| SHA512 | 7ee0d19c6b05e9f55b9a3fff1b2ea88da1d7a88cd7bcec9162355c64c634b482451d1a7b0c9dcc0e661f0677593f64013b4b8ffabd729d51a00a5108dd977548 |
memory/4472-128-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Akoqpg32.exe
| MD5 | 71ad7349c80d1eccc14e518efae0a10c |
| SHA1 | 22f6a06804fa602333f24403f9644f329c714db0 |
| SHA256 | bcb0ea85b1cde71d71839f39e3b581f0a384dfa664f2c60daf148463b03c9e19 |
| SHA512 | a820bce4eb97920ac2ec37bfbc716d182f218c6675360e749ee84554cfab6539eef3fe24226ea8280854f82719dab648a78ff10251e8eb0870c66b9c16b4b95d |
memory/4588-136-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Akamff32.exe
| MD5 | 1072716113099847d8af7ceef2276a8f |
| SHA1 | efb1bcbce28709147a0bacc453fec82121b108ee |
| SHA256 | 5a0ba6d6d974ea2393aab0abbb0465c5e7a7220ab676a50ae249ed1c23a8b4aa |
| SHA512 | 22343043ec7c49f6a0c1cb1c4f1d73eb07cd15f3fbb7658460c117e8cfa3c3663106e51964c2bc7679a6afaaed7b6be3b7c9e65604d5acdd0b507e7c1794b88e |
memory/2952-145-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Alqjpi32.exe
| MD5 | d2c579cb6df26ebd09045bb6cdfa27e4 |
| SHA1 | 68f19e810326449a67ccec7f07303146f37fc09a |
| SHA256 | ab7dc1cca4067bf5a45362645722ed991a26a3473ff509385ea17fb77d5c2385 |
| SHA512 | fd6719503cd5b978e8f124472e527acf326f2dca7421782ad2627280c9e51bcf30db25bf616752547192268b687a82acd84c64a06878b7fd0044834ba776c916 |
memory/2524-153-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4952-160-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bcddcbab.exe
| MD5 | 284e0aaecc8948165031297bc06a2c53 |
| SHA1 | 0e364024ff852dd541e987cd4224ec2b39fb9794 |
| SHA256 | a1bd7f07e18a1dd4ed363f15c5d17d935b8019cd0f97a5844e00cb2e517bb34d |
| SHA512 | 95deffbcb57288873204fd52a7deafce3651592e9ec9cee39a65062826fbedb028abf667cfdd9d6a6948af1118da1598fb3447fe8efa3b4857d614a36040f3fb |
C:\Windows\SysWOW64\Bblnindg.exe
| MD5 | 06bbfe3e1f0e7146744210c0846e4ebb |
| SHA1 | cefc9f2a12e0c460b11c26d80c1508a1608b3472 |
| SHA256 | c79b4e15334c20c102ddab75408d0da27d897abedfb02f706cfe18e0715ba49c |
| SHA512 | 762dc765fda6eb692d72f57f2cade47c3c3f8c3ec6535c00f76c67feb62934572eae604729c169bbbc5188501e0fc707f89decc83a6639c84986a10b9cb0e558 |
memory/756-168-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Cmcolgbj.exe
| MD5 | 812e8696844f57d82865bee9b41f7bfd |
| SHA1 | 17dfd1ad8f25c02a9f0a22485b9736491e677800 |
| SHA256 | aeaf62556cf28140f0c7cbca1c16ea88781ff24175ad0ee324c3f9ac66763730 |
| SHA512 | bc7040c15ba330b6ce356696f5dde451d6ceb889fa8059382598ad2adb3e1d931ecb19e85a86e44b35ff71fd41ca0c007c6307b755405be6115d235bfd6d1fa2 |
memory/1572-177-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Cimmggfl.exe
| MD5 | 56691832a2a010a849855d86dc34c7d4 |
| SHA1 | afabe92efc5c5ee0619248af803f89da6eed87e4 |
| SHA256 | 9358a39dedcc31e5ba9babac815a1992385fa0de0a3da88c82797d235b0ffcd7 |
| SHA512 | dd2cd2b17b996af64d4fb25247994a92d8561c93391dd96fefa0d3941745599b49bed92b0fcee4d8186868df7b671313c0161b632a4ebe5cbf008d9156e3e20e |
memory/2648-184-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3756-193-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ccbadp32.exe
| MD5 | dc5982c6167114e793e3a18ae2ff0de2 |
| SHA1 | fb424e7ca733684e4469f8a75495b730fcc947da |
| SHA256 | 37ee6f5ac56033400a6166f60a5794796887d95b37175d6d6d52aa6224e9d386 |
| SHA512 | 047494ace68ffb171c7c146360474186512c978a465ec572447e5cfb779c4f8af40ae3e642fd384236fb41ea833e6457c4d2b0656440ac81b2a45232a113b633 |
C:\Windows\SysWOW64\Cmjemflb.exe
| MD5 | 5de69376de11968ea18860542c92ef6c |
| SHA1 | a773b34ed48bfc5c1c57b759ffeb1e3d2dd6b9bf |
| SHA256 | 4bfc86199734d99cee603f4a83fb93306fd1bbae7a673706e1042b4d7d88909a |
| SHA512 | c0ac499733fc2134ee8075e83078e29ca65f2e0158d9c70bfdd3c70d18d4041387e350f4ccca47f92ac60c581fb54025e7609de7f667bda32d01966f2769339b |
memory/1944-201-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Dckdjomg.exe
| MD5 | 7a8e7a3072a44385ec336a22b3912897 |
| SHA1 | 6e924c2ab5c2f55a4951fdf9aafe691ba43597ef |
| SHA256 | 366fa31ef643ad3026e86e61155d1df34a875b1a09ac893b9384fd8f615aeb8b |
| SHA512 | 336c1eaa48e26b22d357b46b2026ecc16435b8fe1b3bec87423aac974e075f964a7723543f1f34cf9e47ad972bb346ca8a040ee6d94a252b7a882e9331d46cd2 |
memory/2752-208-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Dihlbf32.exe
| MD5 | bf1e5c836dd0a3ba36a01284912682b5 |
| SHA1 | ad26e447b48886a996cd0d81f9e25ff7495c604e |
| SHA256 | abd3a3c9d8c9f618e50aedb7af40cff511f4db313c2f1d7cf39fd39c4ad5606e |
| SHA512 | 66da6982af0475357da5cc6ac0dad419b5372f98e8fea7c7d9b7a7e8428ad46eff6acdc79a8c7a92c3b77bd8827d54ccae2b12b18419905748df807b833deb7e |
memory/4336-217-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Efafgifc.exe
| MD5 | c0daa3f24828b6d51e3149051ff79320 |
| SHA1 | 9af917b3994f0dd3b259a81676427ca523f081f0 |
| SHA256 | 484ecd2fe82f0ea48e5cf1a0202c90031199af9d0b4df23419b48ef73a7328c2 |
| SHA512 | 2b6cfe6516bd84dfaa60d14ff7e8966d3b9784f8527144996ed1ef6d76435883bfd062b9fbb83988e51ded1a733768c5f703970f92d1301074215472fad7bff8 |
memory/3304-224-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Emphocjj.exe
| MD5 | 1e228d2101f3d516bc19a6d2584a8040 |
| SHA1 | 5ef78618e8c51b8ba4d02e4355d9ac2630cfd410 |
| SHA256 | 7c7e542505a4bda06e446aebb0364d9a97a6936353a576df4a089d12ea1d7116 |
| SHA512 | 8c829a8c866834982d9782e709ba77ba6bccc59cb6f96ca9643b6567e52d504dc083c25058e144579050d65909eae2d18d0bd393c2cb7ff99d34b93c46e6c611 |
memory/468-232-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Eiieicml.exe
| MD5 | 3f87122be8f84cf84ecc89d8881630e7 |
| SHA1 | 42a20fb527d8701460937bc0704a6857541c9a55 |
| SHA256 | a69eb62a3339685e6a5ff34c00e1beed79e3ca1fb04f82880bbe337f591c423f |
| SHA512 | bbb42511ff3fe0d647237ef44351d249807a706f2b808a0e7a4d6c6d07f59a24e481484669b4a211c66ca551f45c4a166c117a8d5770b0a2be4aa96cb736bbbd |
memory/2320-241-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Fpbmfn32.exe
| MD5 | aaf5e1887ed765908f2de28c0a7df370 |
| SHA1 | 0f4d3c65f1163e6096a3412600b6e9bd91012054 |
| SHA256 | a8dd1ad9d861df74e0b93eb096899c310d8619336f5a22a3fb83f582b91cd0ec |
| SHA512 | 427cc5da287b70ffc365f5f27f63a42103ed9fb3e01a9f8b05db5b3fabe7c753da137630857acf291df832baacfc3c5c121532fbd50e44cf084d94406cebfa20 |
memory/2892-249-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Fbhpch32.exe
| MD5 | 217197b47fc9f16c1601c1fd79d1879f |
| SHA1 | e14ce057936d53f258ae26b6b3b4e00a0c374394 |
| SHA256 | ca31578e16300959494077f50ecdfad171b4894595b000a316742723e4b714c8 |
| SHA512 | d25a9ae0e78d3f5db1f38c8ffcaabec606c00938936f6cad08c16243eaed03dc23e78e737f10d17cb2e72860980975ab1db86eccf818b364c9805a21496a287d |
memory/5052-256-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1120-263-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1780-269-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Gigaka32.exe
| MD5 | e8c86ba7946d2cfe2ba4b05b2abd6281 |
| SHA1 | d07bfe1ef276cd0f467b096e5a135bf6e9b12419 |
| SHA256 | 41783003fc33a6605f7db24afc355c226403c3b242df2fb4b226bd8be0e0211a |
| SHA512 | 62263c2f9863bf30a817f6014cbec18e445d1758014aff3b03b47aa84635875e99f272e232717d855d3e7de297acebe09b4282d33332255e0f7b575048be34a5 |
memory/396-275-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Gmdjapgb.exe
| MD5 | fded890382d47902ad58d1a1830b29a3 |
| SHA1 | d89ebb75aedfa86cfd9b12a478c056c675d48d3d |
| SHA256 | f9d8333c013a2114ad35e40b605a59ca9fc977f4b739adb30fddb5e357954a8b |
| SHA512 | 361a1db36042936b243d34bb44359de26ad9e5284c1835200ea1dd4f3052bead9153fe6955bdaff88df7d74b58ac4da1352e7895d61765457160e6531cc50671 |
memory/1980-281-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1468-287-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3056-293-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Gphphj32.exe
| MD5 | 49a58afa0e6741329d4cf44ae6ad98e8 |
| SHA1 | 34cccd8eb386f3f9775b21f4e86b4efc3e031b57 |
| SHA256 | 85233086ef0ac972e743ab048e36b31f8ea5d31eaceec3a552d9bb538eadb6e3 |
| SHA512 | e41d302c01645cc00fe0adce11bf4826cd4e717d687fc13d9a6c12606a729a9fbd6e4cbb9de7f07a5f5cb34dbabdefa5cab22e201a38c88de403b336509b016f |
memory/2340-299-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1956-305-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Hgdejd32.exe
| MD5 | 121e0c185b249d48fc8775f47607c272 |
| SHA1 | 928ef59bd696ef8e5e92399a01e4b7e40b64798f |
| SHA256 | 36915ca98b0edf6da497633c23acc017e8cb063e52aa53b429813f4696a2a80e |
| SHA512 | 966961018c9a03ba5a9cfd7ae7c475da6b649bffc5d51861a2cbf5baa85515c05a8684d1c80be1e934c7deb7634fd5e627f5a4bfb9d74ef96cca7e55cf62dbc6 |
memory/2156-311-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Hdhedh32.exe
| MD5 | e9227653eb0b5b4d0d652902bf50eab0 |
| SHA1 | cb42ea0a30300d1058a6cc7ac0995d4ab0be5303 |
| SHA256 | 014aa9c8e44ea9eef6f5c41e9f5e9e5b3313bef2d3dae69a38e86262927f071e |
| SHA512 | f72f47dbb3da14f094957fb2e0bd05a6e978378fa15c82d470e3fe023f85e6f3e1d9ad96531af08ca5a6bccf53f4cd4038c66ba309f43dbed3739332f0cc3e57 |
memory/5048-317-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4760-323-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3988-329-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Hpabni32.exe
| MD5 | 181a1aa1ffcf87611bfe870ec1e29254 |
| SHA1 | 49f2459a3b741ca6b257b9460dd75c10e6bb3a6e |
| SHA256 | 6500685364995e22fc808613c4a7b5ca3da9c84acab3a106e3a7b98f54a00759 |
| SHA512 | 75cbcf71144f38da341553b969812e5698ca14f98c8b4281e772e593bf13e8c61e9f060bc5d67e21ae6b22750c7c42b5b5ae084b0f0b26b2e9246f1a51a4a922 |
memory/1040-335-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Hlhccj32.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/208-341-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2404-347-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3732-353-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1756-359-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1984-365-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3388-371-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1632-377-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4380-383-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4488-389-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3980-395-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4800-401-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1672-407-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3456-413-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3592-419-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4004-425-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2368-431-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1456-437-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1656-443-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3196-449-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4328-455-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3804-461-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Jcgnbaeo.exe
| MD5 | 2cc5916d613d293402839145e6228499 |
| SHA1 | 54f35c02fb4222023ebca90c0ae0c3560b31f7fa |
| SHA256 | 40fd06755326d067a2e62ca8a2915e400d6d784acc37c8a102a1d9b6421ea64a |
| SHA512 | 24d4c918c221005151e67c5ccc7dd8400ce8a8b4f4b46edce8c1fc9319c3b5b651cd53c4bf9d61fe86c3661d619e9ce684b3282f714b2ce00c0c2663689832c1 |
memory/3572-467-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4872-473-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4528-479-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1476-489-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1816-491-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2456-497-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4888-503-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Kgipcogp.exe
| MD5 | 641dfae1dd35ae8ec9d400e256829000 |
| SHA1 | 47d682b3982112a8a50595239700c79835731d72 |
| SHA256 | d9a5fc431c6b473eda560273eb2fe3d07ed4ffef7695a0dc4ba6cab1eed6622f |
| SHA512 | 4c80a90765da27494eb2b6249e0d2226a4b7d88d0ef0fbd58a9bb15d1526472111b4683d0b84c736835bb9e8ec33b31725804273fb2d537efbdfaae0053cc179 |
memory/5028-509-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4348-515-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Kjjiej32.exe
| MD5 | f70ca5502173a72042c4e9ab46216c81 |
| SHA1 | ff87a276af013f5db897dd9d3c630d504fa25b7f |
| SHA256 | 50386e80e022231235437c1bb389e75897d11d3ba157513e72e284c03d442806 |
| SHA512 | 3bf47eca606d92e80d5a7ba73f194ffe3bdca20036d4b6375a0fd3b9f3aa9a64f8cdd06b9760f371aba8a8e2f3929fd0f5462cd58903b2833d57dc36e522a41b |
memory/1496-521-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3820-527-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4160-533-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5012-540-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4812-539-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4512-546-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4948-557-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3672-552-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1528-560-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2640-559-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Lmpkadnm.exe
| MD5 | 207ecf1f073eda689cd7a33013fb1ba0 |
| SHA1 | 73325cb37f6b089d93ef556edb17d4c2e55b1b4d |
| SHA256 | 829b70a6511d3e6920827bbebf38e6a8af216d091222a9f6fa6ab0f88594ffde |
| SHA512 | 052d7b577e081a0d7233dab416e9aa6365465997cc444123fb4d68b907f779932c490360efb755fd51d6a4f84f6fff4d42153f4c625b7f3e7765a4c4e4a56c91 |
memory/2544-566-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3560-571-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3060-574-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2948-575-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ldipha32.exe
| MD5 | 5a48164f2407a48a4c1194fbe70dc09c |
| SHA1 | c9791cc05d1567b866a807065fbbd9b082d96682 |
| SHA256 | 0eaa9ffcf0b4c0c8a550ecb4d5524ccd41627ec330c1f49424919cc0fd56e8e3 |
| SHA512 | 8f0ab60275b298b237267e7a4725fe4509afe85ee55bcdc9a30c8da4c12e0d7414ee3d3bf041fe6ad4b43215a2b77897f6b9cfc6982cd8e61fb3806518a2b590 |
memory/1848-581-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4764-582-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4680-589-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1648-597-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3644-596-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Lenicahg.exe
| MD5 | 9658338864c643f1af3f6f1ee7794b78 |
| SHA1 | 65b066e7caf78b307503ecf1ec581a87007ed0c2 |
| SHA256 | 93412212dcc8e5bb17cc1da2e69002c8cb4f27ad3ba4f727569765ed1544ffcd |
| SHA512 | 40e03f6b2e6ec1bc570e2b8138f55f6c1b537d913f5b336cf0a8c8b9876ce55068584cbab8501dabc508c91b71c12bc6feaf83eb25cf0739b5df51dbefafe744 |
C:\Windows\SysWOW64\Mccfdmmo.exe
| MD5 | fc2bb89944751b88dadbfadf607c803e |
| SHA1 | ca6eba70e5a6325f63233540bc03b61b30067c14 |
| SHA256 | 16e76b6772005ed37157802f0ebdabf45ce0782078bd8a36364228419d5865e3 |
| SHA512 | 0c98fdb55a30ad56c7f45ff027a388ff81d8170a01ab9dfc31626ba9c40754f9c4606c6ed79fb0116eb7d693568fce7a586731582ae595b5ffc50d130eab2f21 |
C:\Windows\SysWOW64\Mchppmij.exe
| MD5 | 535d7b01ad45bd97942c5e66b26af2af |
| SHA1 | 923bce2576221dd1f397c3ad63f404b25098fda1 |
| SHA256 | 42d2eff665a4c3f054f43ee0b0f80642b5f4cdf5aec3852e9ff5050116701818 |
| SHA512 | 58e4c15303a3bb81886bc0caa6256af9ce295cbff3561d2d6215844a9d7e410dac2aa9060c6dc79da6fe00a3aba2270a794a4f1828aa2a5e1fc9ffb7212ddbbb |
C:\Windows\SysWOW64\Nclikl32.exe
| MD5 | 38f6950d02af57ecb268b791da84ef87 |
| SHA1 | 1530720a3e09bb5bb9aa3065ba97cf41f4f3b124 |
| SHA256 | a164004573c67116bd05c3be07dbccdfedbcfe595f7819875fd4068e9e3267bf |
| SHA512 | a013ef1306d30973189b7fb862d9122b93d480d783e2f778b2bf962fffe83e088f7df3e892ded728e6b96331996d475dac93d56e02cb2271c0c2041c3534ecc0 |
C:\Windows\SysWOW64\Nnfgcd32.exe
| MD5 | c6d20c0cb9bb0d47a2a2313372b5f96e |
| SHA1 | c1ce72b6e25865855ee39d8a6a2018d5f9647b8c |
| SHA256 | b251758c85f349eefd248bba6c14a0366fbadaff8fe501928440215c50d7653d |
| SHA512 | eb3dc18e1f30f4cb9db2b0273534dd613dd53e96bf16bd9d77edf29a2e5e2637766343291c20d852909f9d7e5e9d986ece5a2a0a5d2c4abcba414600848bf337 |
C:\Windows\SysWOW64\Nnicid32.exe
| MD5 | 7fdca4df9ef81f49f6089fef6982aad0 |
| SHA1 | be319c953bc05a8e2aa9c260a8c9afa70b103f7a |
| SHA256 | b7de423e78d65a182af04f5bcb5ec1d0e70c9730e5b4c12459e415ce87b90cfe |
| SHA512 | 6019e9795863364b4a6361487f4128734672e6dd75a2f8362cabaf4858dab6b122eef23c6ed0af40d8b6a4e862c8b05e7b4f9d211dc984d74f88dee600845e79 |
C:\Windows\SysWOW64\Najmjokc.exe
| MD5 | 396ee3b73049ae63e692503c82bff477 |
| SHA1 | 3970b865a8c376b7060a6ef9dffddbce8c691a13 |
| SHA256 | d5c8daf24a5b9219dc59c6859f127ce7d48665ca5b8da19b404178ba99c9c12b |
| SHA512 | eb18af07aee15040fe62f9b7ea8e220e25773914a01b3feb019def859bdaf72b33d8500e31595bf6843fe5b00440a0958e0a1298ed553cb4539119bf8d6bf723 |
C:\Windows\SysWOW64\Odjeljhd.exe
| MD5 | 6ea98b622f494c75ac64aa9c7b059ee7 |
| SHA1 | a555c8422a2c77134dd6b044390407821f4b8564 |
| SHA256 | b2403d28a5ece1ba083a91fb3787617a772dbd68f37ede14aa2af492cdf0d277 |
| SHA512 | 5a62cf062bb7f50bbc6b9fd0e4cf1dea825be6dd3b4ac93612e373470ba2556c7f366edddad4fc151810cabe66ba97984bb7d07f21bb753ae5ce9684e9ba616a |
C:\Windows\SysWOW64\Omegjomb.exe
| MD5 | 4d8e3859749cecb54a5b05e806115c61 |
| SHA1 | 05303e174b4ab6b2119033454144c32fd89b0fa2 |
| SHA256 | c176985b1ac3ae149787982e234b5f601dc50ec0222c266e097060b7d2303e24 |
| SHA512 | dc251ab606e92e1126ff422451bbf0ab656cf52e17ce0f66ab6825a9ed7b799d13e464ab5fdf70dfcc81db407756c9eeb3c66d4d322e71fd78040bac27c6b705 |
C:\Windows\SysWOW64\Oeokal32.exe
| MD5 | b32ab180317b7455174578352afcdc31 |
| SHA1 | 82e3671481eafc87122ec9a921233d4572d22cbc |
| SHA256 | 5c9a5fc7fcc6449008958dae03840fd073b819cd0264c12a2e004dbef51a2281 |
| SHA512 | 3f6d3199d7b27df36000a56d96c1e46ee68e8f6947a3be3c83432dd564adf27efada34458e604684f12e3d5cc5a50c90e11f3f91cf2f5c25756071edb6ae6b0f |
C:\Windows\SysWOW64\Pddhbipj.exe
| MD5 | b0b1d225f0056df663b4d368b0aca8a4 |
| SHA1 | 16b21f3430203f75500d5d9100ded57f369f127f |
| SHA256 | 24d2fec9bbaf760d7fc2336d965ad8ad4eeba4b8b444b94c1bcdca0a70372586 |
| SHA512 | 1978b7952fcb9df8013d8e2254fef527c6bc78eeb332350bb7b4cbb14b67147cd0dfeb79fa6cef6858a6f5bcc525ff834f6d039ad873302b6a5c6ec9f468d969 |
C:\Windows\SysWOW64\Paoollik.exe
| MD5 | a445001b8dcaace14b4da42371bc99cc |
| SHA1 | 7d9205b0acc7984e227860e35aa767259ef2d216 |
| SHA256 | ef148f434ac8a0416f67a261d3c78938ddfd9f66f16e233457aaecec7a7febbf |
| SHA512 | af3453a0a414fef5a6b8b0fb2a9ec3de1b5b4600e3a747facb4a1f5f121cfae97cf99dd733019402aa920184625e951e1f16596e69c4e3c25766c1a602f98468 |
C:\Windows\SysWOW64\Qemhbj32.exe
| MD5 | 8979b37eaba29b238493e1a8f45b067b |
| SHA1 | 87286bc3a3c8370197364344593f0b4cca61e008 |
| SHA256 | 05343cd27a72d458782969230af350a930ae7cd71678b94de8cabb762b4d64c5 |
| SHA512 | 726057ed8f3c58ca47c101dff49aee5703d54057ab05e322f8fc06c788783552bf4dac2f7316fc8af5e092bd633188fe8f740f6c7009782791488218ed713cfa |
C:\Windows\SysWOW64\Aahbbkaq.exe
| MD5 | 161fac8fa0d7905708a346a548a023af |
| SHA1 | ce93c32f6e1115f2bf30ef3d7183aac40f4e8d3f |
| SHA256 | 77b328edad21ae8e864436bd76c3a3b396982cddb570d175aaa1e3276b8fc564 |
| SHA512 | ce3d6cb8c629098734e24c7df9d63179fcd379a280611b3dcfdda5f75371b4fd1abe6fdce94bbad0b7baf52c310efc26c0247447e1bb72eb0dce0acd92f57e4c |
C:\Windows\SysWOW64\Aefjii32.exe
| MD5 | c660aebf094b2d0cb153f68f42f26607 |
| SHA1 | 5d5356508d337ac488c941d51721ea93f50ec9f3 |
| SHA256 | 3dee9c5eca8d9bad866a538e10361855c8ff4255f2a40f241bd789c48e2420f3 |
| SHA512 | dc0ba56ce625381fbc4fd79e73c92fba6b7c578e77f0c27cd0845cb4518c06175e546569df3225c2a47ee0f52c628c2926a315f7ca27ad00fbbce9b93b322955 |
C:\Windows\SysWOW64\Albpkc32.exe
| MD5 | 3de5e37570c8a505b6257645a36d664c |
| SHA1 | bd77b5300d33f9f6e6cd04ac58249afdca7827d6 |
| SHA256 | 27b091d0289f0f6b5f1cce3081363fc0d709a5fe3dbaa5bd6357043b975429a0 |
| SHA512 | 3c6e00e2fbd74d0abb51d899ffb1359eebc5f55cf85f652e846a45cb9732c158458f46124de1573a60051faea0de202e8e56367e9a34bd77a052d4b76178cb3d |
C:\Windows\SysWOW64\Aekddhcb.exe
| MD5 | 13dd90a3d7c8be73ced2e97a49be9aa8 |
| SHA1 | 5563af1da61ab8e95f8a07b0fa184673c5f05a19 |
| SHA256 | d9e9f487a7a8db2a92fb8df83c2e2958f768219f0072ca2ae3e201622cf7c0d6 |
| SHA512 | e5440352d629d6e3a27fac9a7c77e56f354ee5fdd73270fb1ef661066788d46bddb3c40b29c14061472e3d2055ef5aeead19eca7e55a6e1236d5fe734271db4a |
C:\Windows\SysWOW64\Bdpaeehj.exe
| MD5 | 3a9033ac92c2724509293bf5f5b283f5 |
| SHA1 | 943b9c499476d44422651f0f725617a21b92ac45 |
| SHA256 | 7336bf6eefc8fdef14fa48d68f77187132cc3a2a743c919729cb63b2d8c16392 |
| SHA512 | bd5fd546963f43962a9ab1ffd4c0f5b47f541463be50c0cbcc9bc7806bd35e891cb3e0afbee2d45373c90afce2d26071c2d1379a2a0c0c6542b150eb3e09b967 |
C:\Windows\SysWOW64\Bebjdgmj.exe
| MD5 | 4974e85cc1b83b2cad4860d5b7313a58 |
| SHA1 | c0ed7e07854edad605e7de987d587ae0005dcae6 |
| SHA256 | e589e7a974e4355943d6c670fb6cdc1cd11d1ecc23a96d02526ac9559957aab0 |
| SHA512 | 3916bd85721128a0f2b4ebab4d626ca306721842bcd127db8d67f2887017f9628b52fe55bf1d06857d06cf0c770b438db9119d4f7c64d409222fa27cb687d593 |
C:\Windows\SysWOW64\Bdgged32.exe
| MD5 | 33b4d0135d07c593ead1d7d950c55746 |
| SHA1 | 2ea07fc7bda9cd8cf9a244ea2de3898d013a6299 |
| SHA256 | 940f630488c02e12afa900a5de670e878f97e07b0e51c26c84702ddad0367589 |
| SHA512 | 9b33901de4f2c9469667690c0c2bd4d3f8ca15b582cf8e13fb5e20583d925497aa381901eb8ea8801b4073b974dd2bf5d6af88fae03d1cbc64a72fdebcec4416 |
C:\Windows\SysWOW64\Bheplb32.exe
| MD5 | 3aca9b36d36efd247bac2243894848ad |
| SHA1 | 12617692a5ed2411b39f2d3d9a4fb467f1300b66 |
| SHA256 | 0774bd1d8c4169c1158db3d23ca21dbd3794f3672993e50615c51a0e0369fbd0 |
| SHA512 | 592cfc9f66f31215ae3813018db12424156135d5130d3c4595c05fcdd837360d60132510be3146638c860ff365512d0fbc0c064cd3d79a2cbcbc6f588a9e0b0b |
C:\Windows\SysWOW64\Cdpjlb32.exe
| MD5 | 8e25ffd0513579f2c3bb1bfed33b7928 |
| SHA1 | 5ee20a85eb53141c594b2ce18e2f2cb5bab7cbd6 |
| SHA256 | 182ed48f59cb79fabe12d60b91907ef85ebff69bf64aff478c5abc09cdd5fc9d |
| SHA512 | 4d38359dfb0d1056a5d8d2d473d9ef66361b49b8e5a1caa49ee5bd0f460128d5e13e5c9831af23db59633ff64d46778588943fceb592cba33c2dc288de95e18e |
C:\Windows\SysWOW64\Cfbcke32.exe
| MD5 | 39037a1fd96f0bc490cc012ad568800a |
| SHA1 | cab8ea06c7af1e04096772051d6aea0f81d767ae |
| SHA256 | c5adbd5269a3817b962f1532bb79204ed7422a1f677cc660911e66e39ae488ab |
| SHA512 | 6e59f90d2b588b9c4fab192356a05037bec815f30e069c583946175d205064c11196a7ff6f54a2d49348d1b3d7f7184803c6d634bb79a505f1bbfc780a24b785 |
C:\Windows\SysWOW64\Dnpdegjp.exe
| MD5 | 3cdcc9c41999e0cf3b14af5600e1acc1 |
| SHA1 | 1a1699400fadc6bd0d5ea7e0b25d6b8758d0c628 |
| SHA256 | 0bfe00b495a6a34a72d623165df92db4446a8712e4fde2686857a1b6e090a4ba |
| SHA512 | ab7377f42add3ba641841de7dc51bf69abaf55f4738961c4aa440d6e9d9e45399e15962a566c7b017bd9583282c7d93af0af2a847835976b13668e1c50a7da31 |
C:\Windows\SysWOW64\Dfiildio.exe
| MD5 | d8880b760da5deb92d44ab9f40d7b33a |
| SHA1 | fabd80fee53110d6a400efbfcb22132aa26617ea |
| SHA256 | 709a7caf62d5ea8cbcea306f49a31a3462f39550e7431b497470f9846d900461 |
| SHA512 | 9df7700f225b24210c41e754541f32284f914f1d4c832589bad7241f7aff9ec95285f140d34f7fddbd7a2077141bb35004014ce2c87df42b2237c061c993e559 |
C:\Windows\SysWOW64\Dijbno32.exe
| MD5 | 10abb36eb9450423edb53077c8257aac |
| SHA1 | 428a36c531392873b09fa3024e4ca59ab2c70571 |
| SHA256 | 6a5e1d746a553be24437d96fe83463a075880976251871d39bd91e8563808e30 |
| SHA512 | 570168284a0235a0c14bcc553505a24b0e633f755452540f58afc20e50a8742faa6e7ec9db42999fef4422a2fd48f25731fe764985d79b9b34c46d9c1da92618 |
C:\Windows\SysWOW64\Enigke32.exe
| MD5 | 39ea8187505f0383cc91c7834597395d |
| SHA1 | 36ac58bc7d77ae00716b4ec6f0f4b34623e9e45c |
| SHA256 | 26d2d8004385e25dd91a5f5ddb1eb6d13b11d58ea7e9448a14239baa32651489 |
| SHA512 | 0fe2da837a28e3e0c4f533a223c539bdda64d2f51c0cb10467d8e7591a1be0d62af6e5967cc5639c75a45fe092b8dd83acf0391106999d449a38b493b42aa139 |
C:\Windows\SysWOW64\Efblbbqd.exe
| MD5 | fee254069f4bc4b87250eb3df54d6d65 |
| SHA1 | 006246a8ea4e121825d51b0b5763f46cbdaf2605 |
| SHA256 | 06d221e3796218e945d26272b62e33245ff0ec8e130bf8ec108350f7beb8e4ba |
| SHA512 | 5f2d097f2ca816b086e2b214c6bf225562abeff524a991f058caeb747d232d0a09b32c9e43c4947f9c1b9285da79a7eca9da744733846cdea18d8f98d379e717 |
C:\Windows\SysWOW64\Efgemb32.exe
| MD5 | 25707e2883276b484951975c2fb28bea |
| SHA1 | 9ff9c4fd4d8c75a7ef00fdb1d2e502c02bd38f72 |
| SHA256 | d04f76aec9268c1efcc445c3c1c848e8867fb0b7eb18aeaaf6e6bf8888718a11 |
| SHA512 | 8c45ddf1f9accd3cb7d49e82ba72c19861e503bfa34d7b949f4371a3d729de1e3a20b58d50017c0db53034a56bdcacfcfa6d6efac16aa215a25dfb888003b690 |
C:\Windows\SysWOW64\Fihnomjp.exe
| MD5 | 15f998383fe2dc4fea1edeea7afa3fad |
| SHA1 | 920a28aa8505b3f670b108e2529f23c3b9d3e7c8 |
| SHA256 | f25ff6ffe894a2b8b151e24e8922cc3a92217603ee687310386722856234b84e |
| SHA512 | 1feae274ecedd836441d50d0c2f38a5b01d4d232ae82a25c85550d887a3e48a96666021dad20eded067602fd091522d21a5b9592b4e82516de05ccc62c68738b |
C:\Windows\SysWOW64\Ffnknafg.exe
| MD5 | 17232e849059a3d1f4abe2e1c671484f |
| SHA1 | fba17052822ac4b7faf65fd1fa535bfe4a9c47b9 |
| SHA256 | e91f18af775dec87ee0b47e6426f48781e3ec6e8b833a358d42b455c18e12529 |
| SHA512 | d10d501751af24f8507435ba5f9475d799754bd76a65b5b55473c30621aada0849df4229c6910d269455ef21e9a119fccdcc88f69c6be969881b3ef4bee69aa6 |
C:\Windows\SysWOW64\Fmkqpkla.exe
| MD5 | adf45d194f590ce2a3e1a3adc08722b1 |
| SHA1 | 1eea575231a353674cb1c121f93db05efcda7aba |
| SHA256 | 85ae03702a82ef0d0b170438be0610bca0fa3e2c60ec06565f98883dde1634f4 |
| SHA512 | f0df7ff89396550f45eef74d614c122fa60a7dcc43ce20887d00c72176807f7d48da0c5dd8d0da9f3950f0e53c1e1576fd63c24667f4392379edda821c54f20f |
C:\Windows\SysWOW64\Gnqfcbnj.exe
| MD5 | 45d27cbacd5398ac42f64756e361b448 |
| SHA1 | 742378cfc81d44472673bcb8c3d3b44794a53942 |
| SHA256 | 70906fa8b6edabd898309bd0870fa07ccc3897ab4529bd3287c8d62bd7fb3d14 |
| SHA512 | ed1164696df9453dbfa7934b340a4a00500611b7404eaefd6c8e90d8a7f7857ae5b09f3b734d80243158f720a3dc566a9c645a384589647f49e847e8e548a810 |
C:\Windows\SysWOW64\Gpelhd32.exe
| MD5 | 3869314ba7ccff9d06d6e8b02b11bd58 |
| SHA1 | a4d17a3a5994aff160ab9941541bf70dfba7a24d |
| SHA256 | 6b6a66c2daac0689a6ca7cc16978c8f5ed6df361210a961fb651aaaa9160d05f |
| SHA512 | 41f40a14b56d45d3b0187aafa9a24f5d43d38b681f79e35ad125f413c88588059f48685e547f38d10a0d367359758db4d62c4fdcf0324e69e3dad6f9ae075e12 |
C:\Windows\SysWOW64\Gojiiafp.exe
| MD5 | b433b46f433845a47e1989c3d9584842 |
| SHA1 | 8262cf5918325fee6c16e59a185f9905e9724421 |
| SHA256 | 2672548071fbccd9da84fe605a58dc84ec6328f39a7b425b62e85e0ff5c5981b |
| SHA512 | 56c720b975eb006ffbb517162646b09beccbf0a05b2ad8b73b104900500edf4e9cde7e2324f8f57d89cfc846d517e4a3b8738fd760aa84157be009af4a135df6 |
C:\Windows\SysWOW64\Hbhboolf.exe
| MD5 | 065aab9dcfe6b88051bf15e362cbbcfe |
| SHA1 | 3d60762e16904b84a748d13262d8c5d44fab2001 |
| SHA256 | 207e808d357e8393f59963a9b4cd96bdb8a98d454fbad9163f549450c297ad90 |
| SHA512 | 27cff16ac7528c161f05d3ce1d6ad8786851d786d745d9196a10f12975cde36c1f22a2c75212f659d1d41c12868bdd05b66dae27581060b218b004cbdf807417 |
C:\Windows\SysWOW64\Hblkjo32.exe
| MD5 | 5ab8fffca587fe3cf3d292accc64d2db |
| SHA1 | 92f2df420d38f71f6b5196eff8adfb884ff599f0 |
| SHA256 | 1b601ecc7fa34967468ff7c9720c22aa8e4e81fce505baf3d979e858767d1e5e |
| SHA512 | 12b3d0ab51d461cadcb7f410e66222c6c408a5756c12048c4e1bdbd870db36bbabc4f5d32abc8de5cca58785f6427a8a46f5dc0396d461cdf6658eb5e395478b |
C:\Windows\SysWOW64\Hmdlmg32.exe
| MD5 | 1616840668d496feee4d144ef381c989 |
| SHA1 | c656fb9042a183bbc087394913af56d44a4fbdc5 |
| SHA256 | 75f75072d8fa3045ac891247d4a73eaad881833b849a0f4fa1af62286993597a |
| SHA512 | 1027715cefdc30e962cdb8a542190de3f226b10c7fc924580a259740187277d3d1be5c1e0815ab76376246d93fba0b1525b020365639d39026112241a8ac93c2 |
C:\Windows\SysWOW64\Imgicgca.exe
| MD5 | 9ccf9da557ad878ea25259a0c41eebc3 |
| SHA1 | 15be3482ce1cd24f6b580257239c2bd4e7aa6933 |
| SHA256 | cc272aca0ccc8cc235cd4baf5f528ea78bf2710a1e979e4609b10483ae0d1c04 |
| SHA512 | 2d4501ba43e21e3df8bd156dc183b231b2b34ce630226cc61fb24656e4d41114d35c60cad12d71f1bb7ffec94d7e3342cefed2bdc1994ffbd88e87068445647b |
C:\Windows\SysWOW64\Iipfmggc.exe
| MD5 | 1c4d5bcba33b9c563ae26689f504505e |
| SHA1 | 887dc3b683f0e774c21de10ea18be796cc98f0a9 |
| SHA256 | 78b7c357dbdba4375af117c527e923e82b8161216db0e6ee4cf22a596ad284b3 |
| SHA512 | 5570597246f398b16be612cf8260a796794272a878d2c2bd53d0c9e3305ec3ca77ee5b649fedbf05262670c0d00e6649b6d5447aeddb01bf8c640b1481f70b8a |
C:\Windows\SysWOW64\Iidphgcn.exe
| MD5 | 8e050b888c485fff2ce60bb95a19a91b |
| SHA1 | e15d596df46aa4f6ce0db335210adbd4395d4659 |
| SHA256 | 0d766c1019162354043b2990f3a2f4a93e94dd7fa4a65a668138bfc3c5109e42 |
| SHA512 | aa7a9e25cded8568e1dc30ece17b709e7e9939f00f04984c41159e2813a66f19e7c1c3629e3e6f32f91a0bddca4a9e5de07e117d8c6bbaa081856beee9a61f0e |
C:\Windows\SysWOW64\Jleijb32.exe
| MD5 | 8e7dcc23e5edfd54fca1271ff7791e7f |
| SHA1 | 29d5c099999fe9f98cb70de76a7ed32a9cefcc27 |
| SHA256 | 8a06343b5a5bf26c868b2612570a80bc2b9e6033933df64fc11767fd2bef7a7a |
| SHA512 | 994ae850d508d1bc3a69136e66a5134d9e3ce3b612b5b0cb6c50331aa1ea1a47edd37ec59eb0b1fdfc995310300bf448260132233b46acd64e39ed1b23d5a95b |
C:\Windows\SysWOW64\Jlgepanl.exe
| MD5 | 3ced29c8b19867ba68503346fa73d94d |
| SHA1 | 9a033c1655d7c5104433c5e027311d9abaa2b24e |
| SHA256 | bd9465d28b534fb5f7734ed06327d2dcd64177ebb3f0f41d062d596831117019 |
| SHA512 | 242446d20e67cb569e93395d61571d3b7d1681681440235e72c752c8b744b2f994b6855327bfc2162c602c63fa04bc63377d52d5cd75c01d59f344d299b169b9 |
C:\Windows\SysWOW64\Jpenfp32.exe
| MD5 | cde10f2026a9b5e72a1f738127c021ee |
| SHA1 | cf2a774df19a7fe0e9fceb19804d01b004f1a612 |
| SHA256 | d53bd1684237820af119ff8e02842ef2c280c4dac79a31628771e9ae04556db8 |
| SHA512 | 3882db7c8ffbb78d38d6d61a92d7a478f64bdb31df499439789c4e73b873703e3c5423858a0ecb2dbb707926a173364c78792a488e57111d8cbecb351ded56f2 |
C:\Windows\SysWOW64\Komhll32.exe
| MD5 | f56b1cea3ee6c6ab4f553210d479a5b5 |
| SHA1 | 20c438d0b46ddd15a59b680c6a581bca6207351b |
| SHA256 | 174fa1abc1ebddbfdc2653514aeb994b1058b22b1412d1b30e16517ca6e2383b |
| SHA512 | df9b73cdfead0a6bd828f77d18b061fccace868e1ed4fc7e0ec9d181fa2ff5e01c1b6d74048de2cc5d6398c97d325add370e0350e088954075bae673b1a6ebb6 |
C:\Windows\SysWOW64\Klcekpdo.exe
| MD5 | 18d3f5de4e4c4fd3ead6757883da82bc |
| SHA1 | f6140d2e1f7f5a2de86bce1e546b62de6f11a461 |
| SHA256 | 72e2da61acf6198371be776e56b89bc4a8c6ce243f31e7564f32c759dfb81946 |
| SHA512 | 437a8a15f80a57eb7452f57d059bc607ca25b9540e4260238813a71524120d6b62e5d1916df65295f0c871fd604f49614c54a987dcf606422cf4643b4d934e64 |
C:\Windows\SysWOW64\Knenkbio.exe
| MD5 | ca33211cd5ccf86a6c4d6099a0d79b37 |
| SHA1 | 45383c361bcce38bcc36770e61feab5cecb9ef3b |
| SHA256 | 6e62cefc10dfc45c4176a031560fd2245090c37f5ec02819d98d72d1e5ff317b |
| SHA512 | 4e0065066bb2e2bd3795211dccf516a5b2b2a4803f9ba561d5623839187c3a0dfbe296171d3b41566545fb1b0aa61beaf907aaf7ca973322f69f064c93c18ef9 |
C:\Windows\SysWOW64\Kjlopc32.exe
| MD5 | 71037a9194117d000985e7075a9e2e6d |
| SHA1 | af0a4f44e2d26b2c0b631edf4f2064025ddc0394 |
| SHA256 | bba195fefd16c7233e68e99e6c819d172f8c2edd50534838fd4ff1305976e732 |
| SHA512 | a4311c3e4bc475f96f8d5256073267d7c8c6413d5c2f2e4a724dc757f504507797b4842a3874c3c8f658c0536d7cc9f7e2d3195b228727da7e17c6e27403adee |
C:\Windows\SysWOW64\Lnjgfb32.exe
| MD5 | 45bb68684c82fb3f9977c1762378a4b7 |
| SHA1 | 2db640ade862d4285a5959c07e7bc8f166e593ac |
| SHA256 | d485433f4e83f065cf9eda13c07b4c87a55818d84dab054a7ea4dc34da6e5a45 |
| SHA512 | c668589853d2afefdefeb7a652bbde4907a9a495b9e90dbd53fc09fdb2ab5591c034d0f1fbc57b4035e61ced34760b38e34022042ddff8eb38e59f120fb18849 |
C:\Windows\SysWOW64\Lnangaoa.exe
| MD5 | e1b9a53e83ed8ec8f4110234dc391bab |
| SHA1 | de187950bdf5874a5cb51e4bcd0f626d5400339f |
| SHA256 | a5bc592767b8b5e2deeea2114c6e7a4e33416fa15511508d47a389f0071d38f2 |
| SHA512 | c24b7d079835affd25b70a35f053e0b8c841e599511a920a629138777f5324d302a995fb7a092b875d97b1ff7740b9c3b7e46c9326c66f1f1833fdf212c4817b |
C:\Windows\SysWOW64\Modgdicm.exe
| MD5 | 0e3d0ff15df52d8842e377ae254edd27 |
| SHA1 | 93d722644b8d299c000399fa118e4071a28ebc59 |
| SHA256 | c009823d98d2a609f35062986d5a66438e6c57b1e6c814b0d46cb2ec879d35b3 |
| SHA512 | be3d0cdaf5a56276c7b82a19c5d510227dc845ac34162e571c67a09859739a28f0e4bcbb917806647c1c68b26813f39c68d0b0c134ea2ebaba24646e7ec1ce51 |
C:\Windows\SysWOW64\Moipoh32.exe
| MD5 | 1bd0ce90bdca7635fc416fdabd6d7bbb |
| SHA1 | 46453fb3a17d8aa5e1a46f8fa1a17a55271a74de |
| SHA256 | acd4134cb0e512039a33780bcc74c0f7cbc11ff1bc64414704b5268b7e4dcf6f |
| SHA512 | 22ef1fa744a3f09c549f0931f67fc48ff493982fc4327fdb7b89d8377f7a2aaf03625de5d88ac604b1ab298122cb623ed2c2da9059a8229a589fa5fbb4dd2054 |
C:\Windows\SysWOW64\Mqkiok32.exe
| MD5 | 25a46198e018712f8742606378c48299 |
| SHA1 | 585134123a69e5b7a08a8d0f60234b14c1e3aaa0 |
| SHA256 | 3778890a9072b9205163d3788e99bbcf9b6dfd96dd5aadcf6ebb95a1854668e3 |
| SHA512 | b7d345b53216461c87d0d4261349de4c90fae3d43a362b5be102187bab805a8a0574762282f1adb85098e374734cc507ed1ae6d5eb14518b93b00d3201d59ebb |
C:\Windows\SysWOW64\Nqmfdj32.exe
| MD5 | a1a61c376a238ab1401c681961866785 |
| SHA1 | 3d97d2edb1acadd0c462b78bfded0d247a1ef90b |
| SHA256 | 477b8c07d14ad47670264bb0d30bc53f91a37f715c0a206755920ce306ff03ed |
| SHA512 | f462a8c39981ec0c7b9d15189ae94c74d53529b5494aa675f86e2e3cb0ea7dde868b0e8e85c10f4515f251bc81b446e68650348b1fd9a69db415ff3d76860df8 |
C:\Windows\SysWOW64\Nnfpinmi.exe
| MD5 | bab881359077487355f74225682c01ec |
| SHA1 | 3ecee7716eb9e610bda443ae963139218c3016da |
| SHA256 | 306418f95626be9109542ffbec0c85cb04ed2721112ebcad378f2a07b36967ee |
| SHA512 | dc61c96a308ea3b9b3dfedba2e9f2f89854276bfce4ee37d7904198b008fa78280348b6c6cde3cebeb92b52c316de876eb36d74f8d4f775c160c6e9dcc2eca8e |
C:\Windows\SysWOW64\Nfaemp32.exe
| MD5 | f31ddbb78d60e94d287959ce50f74ea2 |
| SHA1 | 8c189f4cbb1ef94affa6716df2cc60e059bc0a4d |
| SHA256 | 360d4ddd2b4447cf008148c651c22cf10330dcea9652224ad69be23e536928eb |
| SHA512 | 32362d37de9bc9ded967deb29b4685b57dc94ec0c720d1ba53b0b433c9efeef1e917b4423b72cf8dca5d1c69fafc63af1ee481eb38102379a36d7b1c8ef87ff4 |
C:\Windows\SysWOW64\Oakbehfe.exe
| MD5 | af9b5e98e3d5da4cef31b34781f03cbe |
| SHA1 | 998f58e20eba6f101cbc1b41f36a8b5934612474 |
| SHA256 | 013b2dbed26d5dd46914b83923fb325d5b903e17d1846c3f8928927812f28ff1 |
| SHA512 | f08229b9ad856efce6fbfb01108ae85315610edabdd193393cc165b2fc79a2032453f0cc06d4cad446149935dbeda3437deef86fc7c7eb3ffe72cf232edf0f1e |
C:\Windows\SysWOW64\Oghghb32.exe
| MD5 | 75ee040a21cbca8b2dad54a61ac2b640 |
| SHA1 | feb496bfefcdd537f9d6f23aa4f8320675aa9f54 |
| SHA256 | f50c012ec300d5aef11d03e245a8d6f6a2f6338f8db35c39eeb433b13ee07cd8 |
| SHA512 | 199a605e810f7e4c1dee077756054a277795b6c10889ea776aa8a0d4d5a7e3a777052bc059cd8d213fd0fd31353d24a086343a38ee0f633bea417710f2ae2764 |
C:\Windows\SysWOW64\Ofmdio32.exe
| MD5 | f2243c197976696e80edc54adec0306a |
| SHA1 | 279610e5fcbfa3cc7a4e03c2945b99fdbe6449ea |
| SHA256 | ef5caaafc7eaf1718d786a288b5e583b0a32d48b20cd0cc0e52f92e40d3fb9b8 |
| SHA512 | 66f4b6f3e5afaded6ee7d53c8525e7bc40ed4a58cc2cebf5b93077ef144837cd3f45c950cc651de4d39aba1d031dc2763b9c7e44fe164d9fa8589373c9fbf95e |
C:\Windows\SysWOW64\Pagbaglh.exe
| MD5 | 888f90dd80c08673d80d5d01a9d55b6d |
| SHA1 | 838f8db8f3f3475c54213d0403f41aa67a0805ef |
| SHA256 | 89a6f66df9842c7fd8a6117488ffc6aeeb68aac1f4b6580b026c486615e49be6 |
| SHA512 | 047e3b7b18c0c490e156b3f80086d0d55d42e43b343b0ac82326d1ae51df36c089fa2a22878a8edcbfd9d99a4f6a0520d7ce0dc07299206c2536e5055b5fcc0b |
C:\Windows\SysWOW64\Pjpfjl32.exe
| MD5 | 232d4b445e54833a0714ec17e8c0e84e |
| SHA1 | 97eadabadb1997d0a22e8ded34f819d8b5d13801 |
| SHA256 | 5b9d474e704b5739c44cd3942c5b5a35d736001d23efcedb8c686445196cbb89 |
| SHA512 | 928e280fab992a32677198494d0bcfdf70342abe6f69dfbe733a4caf1d783def4379c8d7b1ec2fddfb3672e57b6aaefc2bb358f963010dbd33b18bfe8de70c01 |
C:\Windows\SysWOW64\Phfcipoo.exe
| MD5 | 680226a96f4831574465a8c145c2954c |
| SHA1 | 1455f2776b3237c43628325a3d7d902071e7267b |
| SHA256 | 7d90529f295879aaa73397a28a5bb86a312e1ffab5fec8c2f687f892d38a7e21 |
| SHA512 | 335f4948ed2a5b8c94b9be493f3871c4498b52b46b3cb453717dee7e2915fe7c0be69444ca23f5dd59bd588f7c8a4270a29f25ea884fba3d88e1652abf24b53e |
C:\Windows\SysWOW64\Qhjmdp32.exe
| MD5 | a9c33f6fab58d06d5764bec6f9c7461e |
| SHA1 | 7b2063ef21549b358465e4ea30cf4f946d6431b9 |
| SHA256 | 567b3af8ee70d42b1f9f402ff908096f382b5202413b86ea6dae7c4c18a4a1f0 |
| SHA512 | b31591106242d323f98e74b5df289a4b10edfdcc34d06f8045160c2ff92e73f7367f2a9e07eca1b4758d0e2c15e535e4d85c523e4531ccce11df0a180b70cc6a |
C:\Windows\SysWOW64\Afpjel32.exe
| MD5 | 41d793a52ddf2f06c84f968ecb60dc67 |
| SHA1 | 7d7a0e521c1c6ce8e09fa599dabca79049f1889f |
| SHA256 | e54310d14da3315b2e86ea5a4c949d1e5a8294ddb67baf80324be57cc59d9648 |
| SHA512 | e508bb3baead4f814d818eeda3b6ff20cc6800c36e92b74802f806b1822f2e59d8255f3bfc56d98a751a4220c86aae35b2a451cb28e48654ecf43ba2e5ad6ac6 |
C:\Windows\SysWOW64\Aoioli32.exe
| MD5 | 6d09b117157afa69836091a8224add59 |
| SHA1 | 9059d37ecf375143fd1b6af6417020d4fe3402bf |
| SHA256 | e14b503e1168db335e58934a46847bdba055ecbf9fc9bc4c3cf6746c87d8d9b9 |
| SHA512 | ebd2919e02f83fccee7e50d02319eea0ac6d22f04840a22209dda1a5873f0f9b9a660cea9e2056382de241c35edf3ebac4ff14a1bc4c1f11fcc3df7cf2fc00e6 |
C:\Windows\SysWOW64\Agdcpkll.exe
| MD5 | f817ede8a0bebccf2d1125532d6973cd |
| SHA1 | ac8241ab3c38a244113e28b4cb7a5dcf308c72ab |
| SHA256 | b3b0d7087f034659e725e6f64763e020dcee7979e7937811f9effe99387065d4 |
| SHA512 | 48836002e87cfaedbb6f79cd55a8ab0c43b6f82b7c0107de2fbe36b4527f2d816b9dd63529e3fc56a6d6494980a36576fe08f3a61bd4245b7f77db1f797f7628 |
C:\Windows\SysWOW64\Baannc32.exe
| MD5 | aab176a635a1b730758fe7e7236a2dc8 |
| SHA1 | 6794a8effb4fa0970d49c87e008db9c681940e6a |
| SHA256 | 79aeb267f11f9d3b8dcc1d2a19dbe44c7604994371508e665cbf2384e6789724 |
| SHA512 | 3bdef1371bab44929e22aa1bf8c6e620bb2cd0b4a15d268fb6af4d0447a3c3593ba36386d65fe5c16a37f40ffef415e56c1994afbd0c82bcfd5802add43f1b2f |
C:\Windows\SysWOW64\Boenhgdd.exe
| MD5 | b4b6021a9f9c33c6efd7adc16a687948 |
| SHA1 | 18cce2e7cb9364cc2ab9e041d1555c126b1b967b |
| SHA256 | d6a6f895de440de67e25336bb65c72209ad01268188028c5fa3ac0e1e2a94675 |
| SHA512 | abf5e40fac52c08c9f75cac37397d443a1bb052e7983c87e3e4573bb66ee719429385c92b56504ffd1efd1ce641bbc6ab083468b9035e56d50e6628bc81f28d8 |
C:\Windows\SysWOW64\Bphgeo32.exe
| MD5 | 86b97821b88c233b64b490fc618652d2 |
| SHA1 | 389c032d943aa676bf32d1b1d1311c5a1bddff98 |
| SHA256 | b5e60abbf9d67afb5bfe59194cf88b3e59adcedb134edd073bec65b3579831b8 |
| SHA512 | b1f4f0d4c0e2ffc112835034cf51d4e735eb833b7fc3333680ac2c25f5fb9a98634febd0dc899654e7207d7397c7510e986a4808782e1ac678e75f684a6d594a |
C:\Windows\SysWOW64\Ckbemgcp.exe
| MD5 | 536a019588a9448b86395d8ce6de659b |
| SHA1 | a1163ad2bc894b1745fdee5b0d01e1a0fc47afd2 |
| SHA256 | 86811d8b4f4edd760bd716264969c550d17e1932416f46d528d1aa12c427d3cb |
| SHA512 | 6248cda95609d608d8e8a3e567febdbb671c11abee32a92c8225add46513be8e157ca0b4912e1eb661ea0810d2e804cca2033a302539355273076885bab61ef5 |
C:\Windows\SysWOW64\Dgcihgaj.exe
| MD5 | ee3c0b929051bf6fd7f84a83db181095 |
| SHA1 | 5285776e4644563b83760c7c0fbe720fb4671e1e |
| SHA256 | 75c8e3f1c7ca6e5b0e161f345a95db39135bd23e81f1c5ac393f3e6c8145b597 |
| SHA512 | ba1115f93f19f09521fb49f0bc8ea9e8181690d6f8eee5f167aa897e5b8711ac2ad4c7126e0ea6c2603c0b474f4cccbccf5de5d896423a2efb6e57e77aa5ab08 |
C:\Windows\SysWOW64\Dkqaoe32.exe
| MD5 | 3673967332850f685b70fbdb654c1e65 |
| SHA1 | 49b1c918ab8e0d32e244622f01af1428ff479e0c |
| SHA256 | a56053abee4ea4c875b85dd3c4735a5ff5ec101aafdee485be2be45cd4f7b59b |
| SHA512 | 6689ec89e451e302b23de07663f69b96361845bee0ff1f6f80372f62a0c28d467d2ac4a6b3274d8a2d54d3ab3bdadb49d8c47852a864a9afd4df7846a8ffd2ff |