Analysis Overview
SHA256
381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258
Threat Level: Known bad
The file 381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Berbew family
Berbew
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 09:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 09:52
Reported
2024-11-10 09:54
Platform
win7-20240903-en
Max time kernel
29s
Max time network
17s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kbkameaf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lphhenhc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mieeibkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mapjmehi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mmihhelk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nigome32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kfmjgeaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mmldme32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jfknbe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lgjfkk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lgjfkk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mpmapm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgalqkbk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mmldme32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ngdifkpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbkameaf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lpjdjmfp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mencccop.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Naimccpo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kmjojo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Knklagmb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lgmcqkkh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lphhenhc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kkolkk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lndohedg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Migbnb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mencccop.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jfknbe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Knklagmb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kegqdqbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mpmapm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mffimglk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Migbnb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Modkfi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mbpgggol.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kfmjgeaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nenobfak.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kegqdqbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mapjmehi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ngdifkpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kkolkk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mhhfdo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Modkfi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mkmhaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Naimccpo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jjdmmdnh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lghjel32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Liplnc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mieeibkn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mbpgggol.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mmihhelk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nenobfak.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kmjojo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lghjel32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ndhipoob.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nlcnda32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nigome32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lpjdjmfp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ndjfeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Liplnc32.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\Modkfi32.exe | C:\Windows\SysWOW64\Migbnb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mmldme32.exe | C:\Windows\SysWOW64\Mkmhaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Giegfm32.dll | C:\Windows\SysWOW64\Kbbngf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbkameaf.exe | C:\Windows\SysWOW64\Kegqdqbl.exe | N/A |
| File created | C:\Windows\SysWOW64\Lghjel32.exe | C:\Windows\SysWOW64\Kbkameaf.exe | N/A |
| File created | C:\Windows\SysWOW64\Lgmcqkkh.exe | C:\Windows\SysWOW64\Lndohedg.exe | N/A |
| File created | C:\Windows\SysWOW64\Liplnc32.exe | C:\Windows\SysWOW64\Lphhenhc.exe | N/A |
| File created | C:\Windows\SysWOW64\Mpmapm32.exe | C:\Windows\SysWOW64\Lpjdjmfp.exe | N/A |
| File created | C:\Windows\SysWOW64\Mkmhaj32.exe | C:\Windows\SysWOW64\Mgalqkbk.exe | N/A |
| File created | C:\Windows\SysWOW64\Egnhob32.dll | C:\Windows\SysWOW64\Naimccpo.exe | N/A |
| File created | C:\Windows\SysWOW64\Ihlfca32.dll | C:\Windows\SysWOW64\Kkolkk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmihhelk.exe | C:\Windows\SysWOW64\Mencccop.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ndjfeo32.exe | C:\Windows\SysWOW64\Nlcnda32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mpmapm32.exe | C:\Windows\SysWOW64\Lpjdjmfp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lndohedg.exe | C:\Windows\SysWOW64\Lgjfkk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mieeibkn.exe | C:\Windows\SysWOW64\Mffimglk.exe | N/A |
| File created | C:\Windows\SysWOW64\Modkfi32.exe | C:\Windows\SysWOW64\Migbnb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmldme32.exe | C:\Windows\SysWOW64\Mkmhaj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nigome32.exe | C:\Windows\SysWOW64\Ndjfeo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kegqdqbl.exe | C:\Windows\SysWOW64\Kkolkk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nigome32.exe | C:\Windows\SysWOW64\Ndjfeo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eeieql32.dll | C:\Windows\SysWOW64\Knklagmb.exe | N/A |
| File created | C:\Windows\SysWOW64\Migbnb32.exe | C:\Windows\SysWOW64\Mapjmehi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Migbnb32.exe | C:\Windows\SysWOW64\Mapjmehi.exe | N/A |
| File created | C:\Windows\SysWOW64\Nlhgoqhh.exe | C:\Windows\SysWOW64\Nenobfak.exe | N/A |
| File created | C:\Windows\SysWOW64\Lpjdjmfp.exe | C:\Windows\SysWOW64\Liplnc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbbngf32.exe | C:\Windows\SysWOW64\Jfknbe32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nafmbhpm.dll | C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe | N/A |
| File created | C:\Windows\SysWOW64\Gnddig32.dll | C:\Windows\SysWOW64\Lgmcqkkh.exe | N/A |
| File created | C:\Windows\SysWOW64\Naimccpo.exe | C:\Windows\SysWOW64\Ngdifkpi.exe | N/A |
| File created | C:\Windows\SysWOW64\Mehjml32.dll | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
| File created | C:\Windows\SysWOW64\Hoaebk32.dll | C:\Windows\SysWOW64\Kegqdqbl.exe | N/A |
| File created | C:\Windows\SysWOW64\Mencccop.exe | C:\Windows\SysWOW64\Mbpgggol.exe | N/A |
| File created | C:\Windows\SysWOW64\Nlcnda32.exe | C:\Windows\SysWOW64\Ndhipoob.exe | N/A |
| File created | C:\Windows\SysWOW64\Mapjmehi.exe | C:\Windows\SysWOW64\Mhhfdo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lamajm32.dll | C:\Windows\SysWOW64\Nenobfak.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ndhipoob.exe | C:\Windows\SysWOW64\Naimccpo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nenobfak.exe | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
| File created | C:\Windows\SysWOW64\Qaqkcf32.dll | C:\Windows\SysWOW64\Mgalqkbk.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogjgkqaa.dll | C:\Windows\SysWOW64\Ndhipoob.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmdcie32.dll | C:\Windows\SysWOW64\Lghjel32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fdilgioe.dll | C:\Windows\SysWOW64\Lndohedg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mbpgggol.exe | C:\Windows\SysWOW64\Modkfi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nlhgoqhh.exe | C:\Windows\SysWOW64\Nenobfak.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kbbngf32.exe | C:\Windows\SysWOW64\Jfknbe32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Knklagmb.exe | C:\Windows\SysWOW64\Kmjojo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Liplnc32.exe | C:\Windows\SysWOW64\Lphhenhc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mkmhaj32.exe | C:\Windows\SysWOW64\Mgalqkbk.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgmgbeon.dll | C:\Windows\SysWOW64\Mkmhaj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lgjfkk32.exe | C:\Windows\SysWOW64\Lghjel32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fbpljhnf.dll | C:\Windows\SysWOW64\Mmldme32.exe | N/A |
| File created | C:\Windows\SysWOW64\Npagjpcd.exe | C:\Windows\SysWOW64\Nigome32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lgjfkk32.exe | C:\Windows\SysWOW64\Lghjel32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hebpjd32.dll | C:\Windows\SysWOW64\Jjdmmdnh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lgmcqkkh.exe | C:\Windows\SysWOW64\Lndohedg.exe | N/A |
| File created | C:\Windows\SysWOW64\Nenobfak.exe | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
| File created | C:\Windows\SysWOW64\Jfknbe32.exe | C:\Windows\SysWOW64\Jjdmmdnh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Npagjpcd.exe | C:\Windows\SysWOW64\Nigome32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oqaedifk.dll | C:\Windows\SysWOW64\Ndjfeo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eppddhlj.dll | C:\Windows\SysWOW64\Ngdifkpi.exe | N/A |
| File created | C:\Windows\SysWOW64\Mahqjm32.dll | C:\Windows\SysWOW64\Nigome32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kbkameaf.exe | C:\Windows\SysWOW64\Kegqdqbl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mmihhelk.exe | C:\Windows\SysWOW64\Mencccop.exe | N/A |
| File created | C:\Windows\SysWOW64\Nkeghkck.dll | C:\Windows\SysWOW64\Mencccop.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Nlhgoqhh.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lpjdjmfp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mhhfdo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mmldme32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nlcnda32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ndjfeo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kmjojo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lghjel32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lndohedg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ndhipoob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Knklagmb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kegqdqbl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lphhenhc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nlhgoqhh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jfknbe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lgjfkk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mmihhelk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kfmjgeaj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mpmapm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Modkfi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mieeibkn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mgalqkbk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kbbngf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kkolkk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Liplnc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ngdifkpi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Naimccpo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jjdmmdnh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mffimglk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mbpgggol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mapjmehi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mencccop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nigome32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kbkameaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lgmcqkkh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nenobfak.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Migbnb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mkmhaj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kbbngf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Liplnc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mhhfdo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mapjmehi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Knklagmb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kfmjgeaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kkolkk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lndohedg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Liplnc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kmjojo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mhhfdo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpahiebe.dll" | C:\Windows\SysWOW64\Modkfi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Naimccpo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nigome32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mffimglk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfmdf32.dll" | C:\Windows\SysWOW64\Mhhfdo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jjdmmdnh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kkolkk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mencccop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Naimccpo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Modkfi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Npagjpcd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kmjojo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnddig32.dll" | C:\Windows\SysWOW64\Lgmcqkkh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mieeibkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ndjfeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfhfnim.dll" | C:\Windows\SysWOW64\Kmjojo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpcnkg32.dll" | C:\Windows\SysWOW64\Kbkameaf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mapjmehi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eppddhlj.dll" | C:\Windows\SysWOW64\Ngdifkpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jfknbe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfca32.dll" | C:\Windows\SysWOW64\Kkolkk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll" | C:\Windows\SysWOW64\Mmldme32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nlcnda32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jjdmmdnh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kbkameaf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lghjel32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lpjdjmfp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeghkck.dll" | C:\Windows\SysWOW64\Mencccop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmgbeon.dll" | C:\Windows\SysWOW64\Mkmhaj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kbbngf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mgalqkbk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll" | C:\Windows\SysWOW64\Ndjfeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kegqdqbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lpjdjmfp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Migbnb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mkmhaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mmihhelk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilgioe.dll" | C:\Windows\SysWOW64\Lndohedg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahaplc.dll" | C:\Windows\SysWOW64\Lpjdjmfp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Migbnb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mmihhelk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebpjd32.dll" | C:\Windows\SysWOW64\Jjdmmdnh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mbpgggol.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mmldme32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll" | C:\Windows\SysWOW64\Naimccpo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lphhenhc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mffimglk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafmbhpm.dll" | C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeieql32.dll" | C:\Windows\SysWOW64\Knklagmb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe | "C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe" |
| C:\Windows\SysWOW64\Jjdmmdnh.exe | C:\Windows\system32\Jjdmmdnh.exe |
| C:\Windows\SysWOW64\Jfknbe32.exe | C:\Windows\system32\Jfknbe32.exe |
| C:\Windows\SysWOW64\Kbbngf32.exe | C:\Windows\system32\Kbbngf32.exe |
| C:\Windows\SysWOW64\Kfmjgeaj.exe | C:\Windows\system32\Kfmjgeaj.exe |
| C:\Windows\SysWOW64\Kmjojo32.exe | C:\Windows\system32\Kmjojo32.exe |
| C:\Windows\SysWOW64\Knklagmb.exe | C:\Windows\system32\Knklagmb.exe |
| C:\Windows\SysWOW64\Kkolkk32.exe | C:\Windows\system32\Kkolkk32.exe |
| C:\Windows\SysWOW64\Kegqdqbl.exe | C:\Windows\system32\Kegqdqbl.exe |
| C:\Windows\SysWOW64\Kbkameaf.exe | C:\Windows\system32\Kbkameaf.exe |
| C:\Windows\SysWOW64\Lghjel32.exe | C:\Windows\system32\Lghjel32.exe |
| C:\Windows\SysWOW64\Lgjfkk32.exe | C:\Windows\system32\Lgjfkk32.exe |
| C:\Windows\SysWOW64\Lndohedg.exe | C:\Windows\system32\Lndohedg.exe |
| C:\Windows\SysWOW64\Lgmcqkkh.exe | C:\Windows\system32\Lgmcqkkh.exe |
| C:\Windows\SysWOW64\Lphhenhc.exe | C:\Windows\system32\Lphhenhc.exe |
| C:\Windows\SysWOW64\Liplnc32.exe | C:\Windows\system32\Liplnc32.exe |
| C:\Windows\SysWOW64\Lpjdjmfp.exe | C:\Windows\system32\Lpjdjmfp.exe |
| C:\Windows\SysWOW64\Mpmapm32.exe | C:\Windows\system32\Mpmapm32.exe |
| C:\Windows\SysWOW64\Mffimglk.exe | C:\Windows\system32\Mffimglk.exe |
| C:\Windows\SysWOW64\Mieeibkn.exe | C:\Windows\system32\Mieeibkn.exe |
| C:\Windows\SysWOW64\Mhhfdo32.exe | C:\Windows\system32\Mhhfdo32.exe |
| C:\Windows\SysWOW64\Mapjmehi.exe | C:\Windows\system32\Mapjmehi.exe |
| C:\Windows\SysWOW64\Migbnb32.exe | C:\Windows\system32\Migbnb32.exe |
| C:\Windows\SysWOW64\Modkfi32.exe | C:\Windows\system32\Modkfi32.exe |
| C:\Windows\SysWOW64\Mbpgggol.exe | C:\Windows\system32\Mbpgggol.exe |
| C:\Windows\SysWOW64\Mencccop.exe | C:\Windows\system32\Mencccop.exe |
| C:\Windows\SysWOW64\Mmihhelk.exe | C:\Windows\system32\Mmihhelk.exe |
| C:\Windows\SysWOW64\Mgalqkbk.exe | C:\Windows\system32\Mgalqkbk.exe |
| C:\Windows\SysWOW64\Mkmhaj32.exe | C:\Windows\system32\Mkmhaj32.exe |
| C:\Windows\SysWOW64\Mmldme32.exe | C:\Windows\system32\Mmldme32.exe |
| C:\Windows\SysWOW64\Ngdifkpi.exe | C:\Windows\system32\Ngdifkpi.exe |
| C:\Windows\SysWOW64\Naimccpo.exe | C:\Windows\system32\Naimccpo.exe |
| C:\Windows\SysWOW64\Ndhipoob.exe | C:\Windows\system32\Ndhipoob.exe |
| C:\Windows\SysWOW64\Nlcnda32.exe | C:\Windows\system32\Nlcnda32.exe |
| C:\Windows\SysWOW64\Ndjfeo32.exe | C:\Windows\system32\Ndjfeo32.exe |
| C:\Windows\SysWOW64\Nigome32.exe | C:\Windows\system32\Nigome32.exe |
| C:\Windows\SysWOW64\Npagjpcd.exe | C:\Windows\system32\Npagjpcd.exe |
| C:\Windows\SysWOW64\Nenobfak.exe | C:\Windows\system32\Nenobfak.exe |
| C:\Windows\SysWOW64\Nlhgoqhh.exe | C:\Windows\system32\Nlhgoqhh.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 140 |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 09:52
Reported
2024-11-10 09:54
Platform
win10v2004-20241007-en
Max time kernel
109s
Max time network
110s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fjohde32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kdmqmc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lcggio32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aagkhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cnaaib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fjjnifbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Clchbqoo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cnkkjh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jljbeali.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ikdcmpnl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lklbdm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lfbped32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mmmqhl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Chfegk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lqpamb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Odoogi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ffqhcq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mcpcdg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dokgdkeh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qmgelf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hblkjo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jphkkpbp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dpdaepai.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfiildio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Phajna32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nmigoagp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Adkgje32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hibjli32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bacjdbch.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gdlfhj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nghekkmn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dkahilkl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dbnmke32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jcanll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qoelkp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmlkhofd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Glipgf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lnoaaaad.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mjlhgaqp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bdmmeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cnaaib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ldgccb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Panhbfep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dcpmen32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Emdajb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kqfngd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Onmfimga.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pdfehh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ojomcopk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iloidijb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nghekkmn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aggpfkjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kjjiej32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aoalgn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ipjoja32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eppqqn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gljgbllj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pkpmdbfd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Palbgl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddgibkpc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mcecjmkl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hibafp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mgclpkac.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Nqbpojnp.exe | C:\Windows\SysWOW64\Nmdgikhi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pmlfqh32.exe | C:\Windows\SysWOW64\Pnfiplog.exe | N/A |
| File created | C:\Windows\SysWOW64\Qjiipk32.exe | C:\Windows\SysWOW64\Qdoacabq.exe | N/A |
| File created | C:\Windows\SysWOW64\Efeifngp.dll | C:\Windows\SysWOW64\Eifhdd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Njmhhefi.exe | C:\Windows\SysWOW64\Nlkgmh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iomoenej.exe | C:\Windows\SysWOW64\Ipjoja32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kckqbj32.exe | C:\Windows\SysWOW64\Klahfp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Minqeaad.dll | C:\Windows\SysWOW64\Lokdnjkg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bahdob32.exe | C:\Windows\SysWOW64\Bgbpaipl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fcniglmb.exe | C:\Windows\SysWOW64\Elgaeolp.exe | N/A |
| File created | C:\Windows\SysWOW64\Jlmcka32.dll | C:\Windows\SysWOW64\Hlcjhkdp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aoalgn32.exe | C:\Windows\SysWOW64\Albpkc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qdbdcg32.exe | C:\Windows\SysWOW64\Qachgk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Emmdom32.exe | C:\Windows\SysWOW64\Efblbbqd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gidnkkpc.exe | C:\Windows\SysWOW64\Fmmmfj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mfchlbfd.exe | C:\Windows\SysWOW64\Mcelpggq.exe | N/A |
| File created | C:\Windows\SysWOW64\Hkdjfb32.exe | C:\Windows\SysWOW64\Hcmbee32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jebiel32.dll | C:\Windows\SysWOW64\Nmigoagp.exe | N/A |
| File created | C:\Windows\SysWOW64\Mhpbkngk.dll | C:\Windows\SysWOW64\Nmnqjp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fqehjpfj.dll | C:\Windows\SysWOW64\Eofgpikj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Llmhaold.exe | C:\Windows\SysWOW64\Lfbped32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Emphocjj.exe | C:\Windows\SysWOW64\Eidlnd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhdnigno.dll | C:\Windows\SysWOW64\Ilccoh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jkiocibf.dll | C:\Windows\SysWOW64\Ldgccb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lnnlhc32.dll | C:\Windows\SysWOW64\Giinpa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lfojmmbg.dll | C:\Windows\SysWOW64\Peahgl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qklmpalf.exe | C:\Windows\SysWOW64\Qdbdcg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmfeidbe.exe | C:\Windows\SysWOW64\Dikihe32.exe | N/A |
| File created | C:\Windows\SysWOW64\Enabbk32.dll | C:\Windows\SysWOW64\Efccmidp.exe | N/A |
| File created | C:\Windows\SysWOW64\Fpejlmcf.exe | C:\Windows\SysWOW64\Fmfnpa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmbmkpie.exe | C:\Windows\SysWOW64\Gjdaodja.exe | N/A |
| File created | C:\Windows\SysWOW64\Iogkekkb.dll | C:\Windows\SysWOW64\Cfnjpfcl.exe | N/A |
| File created | C:\Windows\SysWOW64\Figmglee.dll | C:\Windows\SysWOW64\Ocjoadei.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hibjli32.exe | C:\Windows\SysWOW64\Hfcnpn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Okehmlqi.dll | C:\Windows\SysWOW64\Mnmmboed.exe | N/A |
| File created | C:\Windows\SysWOW64\Hlhccj32.exe | C:\Windows\SysWOW64\Hkfglb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hdjgko32.dll | C:\Windows\SysWOW64\Jgeghp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ojgjndno.exe | C:\Windows\SysWOW64\Ohhnbhok.exe | N/A |
| File created | C:\Windows\SysWOW64\Iehjdl32.dll | C:\Windows\SysWOW64\Lcggio32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hblkjo32.exe | C:\Windows\SysWOW64\Hlbcnd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cncnob32.exe | C:\Windows\SysWOW64\Ckebcg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cbpajgmf.exe | C:\Windows\SysWOW64\Clchbqoo.exe | N/A |
| File created | C:\Windows\SysWOW64\Nmiadaea.dll | C:\Windows\SysWOW64\Nmdgikhi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nnfpinmi.exe | C:\Windows\SysWOW64\Nglhld32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dpnkdq32.exe | C:\Windows\SysWOW64\Coknoaic.exe | N/A |
| File created | C:\Windows\SysWOW64\Gphphj32.exe | C:\Windows\SysWOW64\Gmiclo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ngjbaj32.exe | C:\Windows\SysWOW64\Nelfeo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aeaanjkl.exe | C:\Windows\SysWOW64\Qklmpalf.exe | N/A |
| File created | C:\Windows\SysWOW64\Gjdaodja.exe | C:\Windows\SysWOW64\Gbmingjo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lgepom32.exe | C:\Windows\SysWOW64\Ldgccb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ljclki32.exe | C:\Windows\SysWOW64\Lgepom32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Omjpeo32.exe | C:\Windows\SysWOW64\Olicnfco.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdecba32.dll | C:\Windows\SysWOW64\Dheibpje.exe | N/A |
| File created | C:\Windows\SysWOW64\Hlfpph32.dll | C:\Windows\SysWOW64\Bdojjo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ikfhji32.dll | C:\Windows\SysWOW64\Fllkqn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hcmbee32.exe | C:\Windows\SysWOW64\Hlcjhkdp.exe | N/A |
| File created | C:\Windows\SysWOW64\Gedapeof.dll | C:\Windows\SysWOW64\Kmaopfjm.exe | N/A |
| File created | C:\Windows\SysWOW64\Jleijb32.exe | C:\Windows\SysWOW64\Jmbhoeid.exe | N/A |
| File created | C:\Windows\SysWOW64\Lgbloglj.exe | C:\Windows\SysWOW64\Lokdnjkg.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfjkjgbh.dll | C:\Windows\SysWOW64\Eidlnd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lciibdmj.dll | C:\Windows\SysWOW64\Hoclopne.exe | N/A |
| File created | C:\Windows\SysWOW64\Iedjmioj.exe | C:\Windows\SysWOW64\Igajal32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Djelgied.exe | C:\Windows\SysWOW64\Dbndfl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eiobceef.exe | C:\Windows\SysWOW64\Ejlbhh32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dkqaoe32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mglfplgk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kglmio32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cleegp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pjdpelnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ljfhqh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdlqqcnl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Clchbqoo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oalipoiq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qoelkp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Klfaapbl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pdhkcb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qmgelf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bacjdbch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ebjcajjd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nmnqjp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmlkhofd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nelfeo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lqbncb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nmigoagp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dkahilkl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fjohde32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hlhccj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chlflabp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jinboekc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lljklo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fipkjb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mfchlbfd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nmdgikhi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qdoacabq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fmmmfj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aajohjon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ljclki32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fcniglmb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pmoiqneg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mjjkaabc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bdmmeo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dpbdopck.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fdepgkgj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lknojl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lmpkadnm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Poimpapp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Adkgje32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dflfac32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lcnfohmi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Emdajb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mmnhcb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ncabfkqo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pkpmdbfd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnindhpg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hloqml32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bkjiao32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gjdaodja.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gpcfmkff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gljgbllj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ikdcmpnl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kmaopfjm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hipmfjee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ipjoja32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Djelgied.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Omjpeo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dcpmen32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cpmapodj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nmgjia32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hcpojd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhafkok.dll" | C:\Windows\SysWOW64\Nqbpojnp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkljb32.dll" | C:\Windows\SysWOW64\Lmpkadnm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Plbfdekd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dbkqfe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gejopl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hblkjo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ingpmmgm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bnfihkqm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cfbcke32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Klahfp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cnaaib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bkgeainn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemlnm32.dll" | C:\Windows\SysWOW64\Ggahedjn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnagk32.dll" | C:\Windows\SysWOW64\Kqfngd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lcnmin32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdflmg32.dll" | C:\Windows\SysWOW64\Phodcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pdhbmh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jljbeali.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ljeafb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mmmqhl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Eiaoid32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gljgbllj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Igdnabjh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbibld32.dll" | C:\Windows\SysWOW64\Chlflabp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Emjgim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bgbpaipl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nmigoagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ohfami32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aahbbkaq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofdmmgd.dll" | C:\Windows\SysWOW64\Bhpfqcln.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dngjff32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fllkqn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fbfcmhpg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cbpajgmf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfonlkp.dll" | C:\Windows\SysWOW64\Jcoaglhk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mmnhcb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nlfnaicd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpbkngk.dll" | C:\Windows\SysWOW64\Nmnqjp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhffdban.dll" | C:\Windows\SysWOW64\Eplgeokq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gdobnj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Igbalblk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iigkob32.dll" | C:\Windows\SysWOW64\Lggldm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ljfhqh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpoeg32.dll" | C:\Windows\SysWOW64\Alkijdci.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhejb32.dll" | C:\Windows\SysWOW64\Gbalopbn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lnldla32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bdfpkm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll" | C:\Windows\SysWOW64\Cpmapodj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okehmlqi.dll" | C:\Windows\SysWOW64\Mnmmboed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgmgn32.dll" | C:\Windows\SysWOW64\Phajna32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajpfn32.dll" | C:\Windows\SysWOW64\Hkfglb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabdjc32.dll" | C:\Windows\SysWOW64\Jcgnbaeo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mchppmij.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfklem32.dll" | C:\Windows\SysWOW64\Adkgje32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddgibkpc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aagkhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Giinpa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hdehni32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nmnqjp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Digehphc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qmgelf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqqpnlk.dll" | C:\Windows\SysWOW64\Cdnmfclj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nklinjmj.dll" | C:\Windows\SysWOW64\Dfiildio.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jphkkpbp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe
"C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe"
C:\Windows\SysWOW64\Coknoaic.exe
C:\Windows\system32\Coknoaic.exe
C:\Windows\SysWOW64\Dpnkdq32.exe
C:\Windows\system32\Dpnkdq32.exe
C:\Windows\SysWOW64\Djcoai32.exe
C:\Windows\system32\Djcoai32.exe
C:\Windows\SysWOW64\Dmalne32.exe
C:\Windows\system32\Dmalne32.exe
C:\Windows\SysWOW64\Dpphjp32.exe
C:\Windows\system32\Dpphjp32.exe
C:\Windows\SysWOW64\Dbndfl32.exe
C:\Windows\system32\Dbndfl32.exe
C:\Windows\SysWOW64\Djelgied.exe
C:\Windows\system32\Djelgied.exe
C:\Windows\SysWOW64\Dmdhcddh.exe
C:\Windows\system32\Dmdhcddh.exe
C:\Windows\SysWOW64\Dpbdopck.exe
C:\Windows\system32\Dpbdopck.exe
C:\Windows\SysWOW64\Dbqqkkbo.exe
C:\Windows\system32\Dbqqkkbo.exe
C:\Windows\SysWOW64\Dflmlj32.exe
C:\Windows\system32\Dflmlj32.exe
C:\Windows\SysWOW64\Dikihe32.exe
C:\Windows\system32\Dikihe32.exe
C:\Windows\SysWOW64\Dmfeidbe.exe
C:\Windows\system32\Dmfeidbe.exe
C:\Windows\SysWOW64\Dpdaepai.exe
C:\Windows\system32\Dpdaepai.exe
C:\Windows\SysWOW64\Dcpmen32.exe
C:\Windows\system32\Dcpmen32.exe
C:\Windows\SysWOW64\Dimenegi.exe
C:\Windows\system32\Dimenegi.exe
C:\Windows\SysWOW64\Dlkbjqgm.exe
C:\Windows\system32\Dlkbjqgm.exe
C:\Windows\SysWOW64\Dpgnjo32.exe
C:\Windows\system32\Dpgnjo32.exe
C:\Windows\SysWOW64\Ebejfk32.exe
C:\Windows\system32\Ebejfk32.exe
C:\Windows\SysWOW64\Ejlbhh32.exe
C:\Windows\system32\Ejlbhh32.exe
C:\Windows\SysWOW64\Eiobceef.exe
C:\Windows\system32\Eiobceef.exe
C:\Windows\SysWOW64\Elnoopdj.exe
C:\Windows\system32\Elnoopdj.exe
C:\Windows\SysWOW64\Ecefqnel.exe
C:\Windows\system32\Ecefqnel.exe
C:\Windows\SysWOW64\Efccmidp.exe
C:\Windows\system32\Efccmidp.exe
C:\Windows\SysWOW64\Eiaoid32.exe
C:\Windows\system32\Eiaoid32.exe
C:\Windows\SysWOW64\Emmkiclm.exe
C:\Windows\system32\Emmkiclm.exe
C:\Windows\SysWOW64\Eplgeokq.exe
C:\Windows\system32\Eplgeokq.exe
C:\Windows\SysWOW64\Ebjcajjd.exe
C:\Windows\system32\Ebjcajjd.exe
C:\Windows\SysWOW64\Efepbi32.exe
C:\Windows\system32\Efepbi32.exe
C:\Windows\SysWOW64\Eidlnd32.exe
C:\Windows\system32\Eidlnd32.exe
C:\Windows\SysWOW64\Emphocjj.exe
C:\Windows\system32\Emphocjj.exe
C:\Windows\SysWOW64\Epndknin.exe
C:\Windows\system32\Epndknin.exe
C:\Windows\SysWOW64\Eblpgjha.exe
C:\Windows\system32\Eblpgjha.exe
C:\Windows\SysWOW64\Efhlhh32.exe
C:\Windows\system32\Efhlhh32.exe
C:\Windows\SysWOW64\Eifhdd32.exe
C:\Windows\system32\Eifhdd32.exe
C:\Windows\SysWOW64\Eleepoob.exe
C:\Windows\system32\Eleepoob.exe
C:\Windows\SysWOW64\Eppqqn32.exe
C:\Windows\system32\Eppqqn32.exe
C:\Windows\SysWOW64\Ebommi32.exe
C:\Windows\system32\Ebommi32.exe
C:\Windows\SysWOW64\Ejfeng32.exe
C:\Windows\system32\Ejfeng32.exe
C:\Windows\SysWOW64\Emdajb32.exe
C:\Windows\system32\Emdajb32.exe
C:\Windows\SysWOW64\Elgaeolp.exe
C:\Windows\system32\Elgaeolp.exe
C:\Windows\SysWOW64\Fcniglmb.exe
C:\Windows\system32\Fcniglmb.exe
C:\Windows\SysWOW64\Ffmfchle.exe
C:\Windows\system32\Ffmfchle.exe
C:\Windows\SysWOW64\Fmfnpa32.exe
C:\Windows\system32\Fmfnpa32.exe
C:\Windows\SysWOW64\Fpejlmcf.exe
C:\Windows\system32\Fpejlmcf.exe
C:\Windows\SysWOW64\Fjjnifbl.exe
C:\Windows\system32\Fjjnifbl.exe
C:\Windows\SysWOW64\Fllkqn32.exe
C:\Windows\system32\Fllkqn32.exe
C:\Windows\SysWOW64\Fbfcmhpg.exe
C:\Windows\system32\Fbfcmhpg.exe
C:\Windows\SysWOW64\Fipkjb32.exe
C:\Windows\system32\Fipkjb32.exe
C:\Windows\SysWOW64\Fdepgkgj.exe
C:\Windows\system32\Fdepgkgj.exe
C:\Windows\SysWOW64\Fjohde32.exe
C:\Windows\system32\Fjohde32.exe
C:\Windows\SysWOW64\Flqdlnde.exe
C:\Windows\system32\Flqdlnde.exe
C:\Windows\SysWOW64\Fbjmhh32.exe
C:\Windows\system32\Fbjmhh32.exe
C:\Windows\SysWOW64\Fideeaco.exe
C:\Windows\system32\Fideeaco.exe
C:\Windows\SysWOW64\Gpnmbl32.exe
C:\Windows\system32\Gpnmbl32.exe
C:\Windows\SysWOW64\Gbmingjo.exe
C:\Windows\system32\Gbmingjo.exe
C:\Windows\SysWOW64\Gjdaodja.exe
C:\Windows\system32\Gjdaodja.exe
C:\Windows\SysWOW64\Gmbmkpie.exe
C:\Windows\system32\Gmbmkpie.exe
C:\Windows\SysWOW64\Glengm32.exe
C:\Windows\system32\Glengm32.exe
C:\Windows\SysWOW64\Gdlfhj32.exe
C:\Windows\system32\Gdlfhj32.exe
C:\Windows\SysWOW64\Gfkbde32.exe
C:\Windows\system32\Gfkbde32.exe
C:\Windows\SysWOW64\Giinpa32.exe
C:\Windows\system32\Giinpa32.exe
C:\Windows\SysWOW64\Gpcfmkff.exe
C:\Windows\system32\Gpcfmkff.exe
C:\Windows\SysWOW64\Gdobnj32.exe
C:\Windows\system32\Gdobnj32.exe
C:\Windows\SysWOW64\Gfmojenc.exe
C:\Windows\system32\Gfmojenc.exe
C:\Windows\SysWOW64\Gikkfqmf.exe
C:\Windows\system32\Gikkfqmf.exe
C:\Windows\SysWOW64\Gljgbllj.exe
C:\Windows\system32\Gljgbllj.exe
C:\Windows\SysWOW64\Gpecbk32.exe
C:\Windows\system32\Gpecbk32.exe
C:\Windows\SysWOW64\Gbdoof32.exe
C:\Windows\system32\Gbdoof32.exe
C:\Windows\SysWOW64\Gkkgpc32.exe
C:\Windows\system32\Gkkgpc32.exe
C:\Windows\SysWOW64\Gmiclo32.exe
C:\Windows\system32\Gmiclo32.exe
C:\Windows\SysWOW64\Gphphj32.exe
C:\Windows\system32\Gphphj32.exe
C:\Windows\SysWOW64\Gdcliikj.exe
C:\Windows\system32\Gdcliikj.exe
C:\Windows\SysWOW64\Ggahedjn.exe
C:\Windows\system32\Ggahedjn.exe
C:\Windows\SysWOW64\Gipdap32.exe
C:\Windows\system32\Gipdap32.exe
C:\Windows\SysWOW64\Hloqml32.exe
C:\Windows\system32\Hloqml32.exe
C:\Windows\SysWOW64\Hdehni32.exe
C:\Windows\system32\Hdehni32.exe
C:\Windows\SysWOW64\Hgdejd32.exe
C:\Windows\system32\Hgdejd32.exe
C:\Windows\SysWOW64\Hibafp32.exe
C:\Windows\system32\Hibafp32.exe
C:\Windows\SysWOW64\Hlambk32.exe
C:\Windows\system32\Hlambk32.exe
C:\Windows\SysWOW64\Hdhedh32.exe
C:\Windows\system32\Hdhedh32.exe
C:\Windows\SysWOW64\Hgfapd32.exe
C:\Windows\system32\Hgfapd32.exe
C:\Windows\SysWOW64\Hienlpel.exe
C:\Windows\system32\Hienlpel.exe
C:\Windows\SysWOW64\Hlcjhkdp.exe
C:\Windows\system32\Hlcjhkdp.exe
C:\Windows\SysWOW64\Hcmbee32.exe
C:\Windows\system32\Hcmbee32.exe
C:\Windows\SysWOW64\Hkdjfb32.exe
C:\Windows\system32\Hkdjfb32.exe
C:\Windows\SysWOW64\Hmbfbn32.exe
C:\Windows\system32\Hmbfbn32.exe
C:\Windows\SysWOW64\Hpabni32.exe
C:\Windows\system32\Hpabni32.exe
C:\Windows\SysWOW64\Hcpojd32.exe
C:\Windows\system32\Hcpojd32.exe
C:\Windows\SysWOW64\Hkfglb32.exe
C:\Windows\system32\Hkfglb32.exe
C:\Windows\SysWOW64\Hlhccj32.exe
C:\Windows\system32\Hlhccj32.exe
C:\Windows\SysWOW64\Hdokdg32.exe
C:\Windows\system32\Hdokdg32.exe
C:\Windows\SysWOW64\Hgmgqc32.exe
C:\Windows\system32\Hgmgqc32.exe
C:\Windows\SysWOW64\Ingpmmgm.exe
C:\Windows\system32\Ingpmmgm.exe
C:\Windows\SysWOW64\Ipflihfq.exe
C:\Windows\system32\Ipflihfq.exe
C:\Windows\SysWOW64\Icdheded.exe
C:\Windows\system32\Icdheded.exe
C:\Windows\SysWOW64\Ikkpgafg.exe
C:\Windows\system32\Ikkpgafg.exe
C:\Windows\SysWOW64\Injmcmej.exe
C:\Windows\system32\Injmcmej.exe
C:\Windows\SysWOW64\Idcepgmg.exe
C:\Windows\system32\Idcepgmg.exe
C:\Windows\SysWOW64\Igbalblk.exe
C:\Windows\system32\Igbalblk.exe
C:\Windows\SysWOW64\Ijqmhnko.exe
C:\Windows\system32\Ijqmhnko.exe
C:\Windows\SysWOW64\Iloidijb.exe
C:\Windows\system32\Iloidijb.exe
C:\Windows\SysWOW64\Idfaefkd.exe
C:\Windows\system32\Idfaefkd.exe
C:\Windows\SysWOW64\Igdnabjh.exe
C:\Windows\system32\Igdnabjh.exe
C:\Windows\SysWOW64\Ijcjmmil.exe
C:\Windows\system32\Ijcjmmil.exe
C:\Windows\SysWOW64\Ilafiihp.exe
C:\Windows\system32\Ilafiihp.exe
C:\Windows\SysWOW64\Idhnkf32.exe
C:\Windows\system32\Idhnkf32.exe
C:\Windows\SysWOW64\Iggjga32.exe
C:\Windows\system32\Iggjga32.exe
C:\Windows\SysWOW64\Ijegcm32.exe
C:\Windows\system32\Ijegcm32.exe
C:\Windows\SysWOW64\Ilccoh32.exe
C:\Windows\system32\Ilccoh32.exe
C:\Windows\SysWOW64\Icnklbmj.exe
C:\Windows\system32\Icnklbmj.exe
C:\Windows\SysWOW64\Ikdcmpnl.exe
C:\Windows\system32\Ikdcmpnl.exe
C:\Windows\SysWOW64\Jncoikmp.exe
C:\Windows\system32\Jncoikmp.exe
C:\Windows\SysWOW64\Jpaleglc.exe
C:\Windows\system32\Jpaleglc.exe
C:\Windows\SysWOW64\Jcgnbaeo.exe
C:\Windows\system32\Jcgnbaeo.exe
C:\Windows\SysWOW64\Jjafok32.exe
C:\Windows\system32\Jjafok32.exe
C:\Windows\SysWOW64\Jqknkedi.exe
C:\Windows\system32\Jqknkedi.exe
C:\Windows\SysWOW64\Jgeghp32.exe
C:\Windows\system32\Jgeghp32.exe
C:\Windows\SysWOW64\Kmaopfjm.exe
C:\Windows\system32\Kmaopfjm.exe
C:\Windows\SysWOW64\Kdigadjo.exe
C:\Windows\system32\Kdigadjo.exe
C:\Windows\SysWOW64\Kggcnoic.exe
C:\Windows\system32\Kggcnoic.exe
C:\Windows\SysWOW64\Knalji32.exe
C:\Windows\system32\Knalji32.exe
C:\Windows\SysWOW64\Kkeldnpi.exe
C:\Windows\system32\Kkeldnpi.exe
C:\Windows\SysWOW64\Kjhloj32.exe
C:\Windows\system32\Kjhloj32.exe
C:\Windows\SysWOW64\Kdmqmc32.exe
C:\Windows\system32\Kdmqmc32.exe
C:\Windows\SysWOW64\Kglmio32.exe
C:\Windows\system32\Kglmio32.exe
C:\Windows\SysWOW64\Kjjiej32.exe
C:\Windows\system32\Kjjiej32.exe
C:\Windows\SysWOW64\Kmieae32.exe
C:\Windows\system32\Kmieae32.exe
C:\Windows\SysWOW64\Kcbnnpka.exe
C:\Windows\system32\Kcbnnpka.exe
C:\Windows\SysWOW64\Knhakh32.exe
C:\Windows\system32\Knhakh32.exe
C:\Windows\SysWOW64\Kqfngd32.exe
C:\Windows\system32\Kqfngd32.exe
C:\Windows\SysWOW64\Kcejco32.exe
C:\Windows\system32\Kcejco32.exe
C:\Windows\SysWOW64\Lklbdm32.exe
C:\Windows\system32\Lklbdm32.exe
C:\Windows\SysWOW64\Lnjnqh32.exe
C:\Windows\system32\Lnjnqh32.exe
C:\Windows\SysWOW64\Lcggio32.exe
C:\Windows\system32\Lcggio32.exe
C:\Windows\SysWOW64\Lknojl32.exe
C:\Windows\system32\Lknojl32.exe
C:\Windows\SysWOW64\Ljaoeini.exe
C:\Windows\system32\Ljaoeini.exe
C:\Windows\SysWOW64\Lmpkadnm.exe
C:\Windows\system32\Lmpkadnm.exe
C:\Windows\SysWOW64\Ldgccb32.exe
C:\Windows\system32\Ldgccb32.exe
C:\Windows\SysWOW64\Lgepom32.exe
C:\Windows\system32\Lgepom32.exe
C:\Windows\SysWOW64\Ljclki32.exe
C:\Windows\system32\Ljclki32.exe
C:\Windows\SysWOW64\Lmbhgd32.exe
C:\Windows\system32\Lmbhgd32.exe
C:\Windows\SysWOW64\Ldipha32.exe
C:\Windows\system32\Ldipha32.exe
C:\Windows\SysWOW64\Lggldm32.exe
C:\Windows\system32\Lggldm32.exe
C:\Windows\SysWOW64\Ljfhqh32.exe
C:\Windows\system32\Ljfhqh32.exe
C:\Windows\SysWOW64\Lmdemd32.exe
C:\Windows\system32\Lmdemd32.exe
C:\Windows\SysWOW64\Lqpamb32.exe
C:\Windows\system32\Lqpamb32.exe
C:\Windows\SysWOW64\Lcnmin32.exe
C:\Windows\system32\Lcnmin32.exe
C:\Windows\SysWOW64\Lndagg32.exe
C:\Windows\system32\Lndagg32.exe
C:\Windows\SysWOW64\Lqbncb32.exe
C:\Windows\system32\Lqbncb32.exe
C:\Windows\SysWOW64\Mglfplgk.exe
C:\Windows\system32\Mglfplgk.exe
C:\Windows\SysWOW64\Mjkblhfo.exe
C:\Windows\system32\Mjkblhfo.exe
C:\Windows\SysWOW64\Mminhceb.exe
C:\Windows\system32\Mminhceb.exe
C:\Windows\SysWOW64\Madjhb32.exe
C:\Windows\system32\Madjhb32.exe
C:\Windows\SysWOW64\Mgobel32.exe
C:\Windows\system32\Mgobel32.exe
C:\Windows\SysWOW64\Mjmoag32.exe
C:\Windows\system32\Mjmoag32.exe
C:\Windows\SysWOW64\Mmkkmc32.exe
C:\Windows\system32\Mmkkmc32.exe
C:\Windows\SysWOW64\Mcecjmkl.exe
C:\Windows\system32\Mcecjmkl.exe
C:\Windows\SysWOW64\Mkmkkjko.exe
C:\Windows\system32\Mkmkkjko.exe
C:\Windows\SysWOW64\Mmnhcb32.exe
C:\Windows\system32\Mmnhcb32.exe
C:\Windows\SysWOW64\Mchppmij.exe
C:\Windows\system32\Mchppmij.exe
C:\Windows\SysWOW64\Mgclpkac.exe
C:\Windows\system32\Mgclpkac.exe
C:\Windows\SysWOW64\Mnmdme32.exe
C:\Windows\system32\Mnmdme32.exe
C:\Windows\SysWOW64\Malpia32.exe
C:\Windows\system32\Malpia32.exe
C:\Windows\SysWOW64\Mcjmel32.exe
C:\Windows\system32\Mcjmel32.exe
C:\Windows\SysWOW64\Mkadfj32.exe
C:\Windows\system32\Mkadfj32.exe
C:\Windows\SysWOW64\Mnpabe32.exe
C:\Windows\system32\Mnpabe32.exe
C:\Windows\SysWOW64\Manmoq32.exe
C:\Windows\system32\Manmoq32.exe
C:\Windows\SysWOW64\Meiioonj.exe
C:\Windows\system32\Meiioonj.exe
C:\Windows\SysWOW64\Nghekkmn.exe
C:\Windows\system32\Nghekkmn.exe
C:\Windows\SysWOW64\Nlcalieg.exe
C:\Windows\system32\Nlcalieg.exe
C:\Windows\SysWOW64\Njfagf32.exe
C:\Windows\system32\Njfagf32.exe
C:\Windows\SysWOW64\Nmenca32.exe
C:\Windows\system32\Nmenca32.exe
C:\Windows\SysWOW64\Nelfeo32.exe
C:\Windows\system32\Nelfeo32.exe
C:\Windows\SysWOW64\Ngjbaj32.exe
C:\Windows\system32\Ngjbaj32.exe
C:\Windows\SysWOW64\Nlfnaicd.exe
C:\Windows\system32\Nlfnaicd.exe
C:\Windows\SysWOW64\Nndjndbh.exe
C:\Windows\system32\Nndjndbh.exe
C:\Windows\SysWOW64\Nmgjia32.exe
C:\Windows\system32\Nmgjia32.exe
C:\Windows\SysWOW64\Ncabfkqo.exe
C:\Windows\system32\Ncabfkqo.exe
C:\Windows\SysWOW64\Nhmofj32.exe
C:\Windows\system32\Nhmofj32.exe
C:\Windows\SysWOW64\Njkkbehl.exe
C:\Windows\system32\Njkkbehl.exe
C:\Windows\SysWOW64\Nmigoagp.exe
C:\Windows\system32\Nmigoagp.exe
C:\Windows\SysWOW64\Neqopnhb.exe
C:\Windows\system32\Neqopnhb.exe
C:\Windows\SysWOW64\Nccokk32.exe
C:\Windows\system32\Nccokk32.exe
C:\Windows\SysWOW64\Nlkgmh32.exe
C:\Windows\system32\Nlkgmh32.exe
C:\Windows\SysWOW64\Njmhhefi.exe
C:\Windows\system32\Njmhhefi.exe
C:\Windows\SysWOW64\Nmlddqem.exe
C:\Windows\system32\Nmlddqem.exe
C:\Windows\SysWOW64\Neclenfo.exe
C:\Windows\system32\Neclenfo.exe
C:\Windows\SysWOW64\Nhahaiec.exe
C:\Windows\system32\Nhahaiec.exe
C:\Windows\SysWOW64\Njpdnedf.exe
C:\Windows\system32\Njpdnedf.exe
C:\Windows\SysWOW64\Nmnqjp32.exe
C:\Windows\system32\Nmnqjp32.exe
C:\Windows\SysWOW64\Oeehkn32.exe
C:\Windows\system32\Oeehkn32.exe
C:\Windows\SysWOW64\Oloahhki.exe
C:\Windows\system32\Oloahhki.exe
C:\Windows\SysWOW64\Oalipoiq.exe
C:\Windows\system32\Oalipoiq.exe
C:\Windows\SysWOW64\Ohfami32.exe
C:\Windows\system32\Ohfami32.exe
C:\Windows\SysWOW64\Ojdnid32.exe
C:\Windows\system32\Ojdnid32.exe
C:\Windows\SysWOW64\Omcjep32.exe
C:\Windows\system32\Omcjep32.exe
C:\Windows\SysWOW64\Oejbfmpg.exe
C:\Windows\system32\Oejbfmpg.exe
C:\Windows\SysWOW64\Ohhnbhok.exe
C:\Windows\system32\Ohhnbhok.exe
C:\Windows\SysWOW64\Ojgjndno.exe
C:\Windows\system32\Ojgjndno.exe
C:\Windows\SysWOW64\Omegjomb.exe
C:\Windows\system32\Omegjomb.exe
C:\Windows\SysWOW64\Odoogi32.exe
C:\Windows\system32\Odoogi32.exe
C:\Windows\SysWOW64\Olfghg32.exe
C:\Windows\system32\Olfghg32.exe
C:\Windows\SysWOW64\Oodcdb32.exe
C:\Windows\system32\Oodcdb32.exe
C:\Windows\SysWOW64\Oacoqnci.exe
C:\Windows\system32\Oacoqnci.exe
C:\Windows\SysWOW64\Odalmibl.exe
C:\Windows\system32\Odalmibl.exe
C:\Windows\SysWOW64\Olicnfco.exe
C:\Windows\system32\Olicnfco.exe
C:\Windows\SysWOW64\Omjpeo32.exe
C:\Windows\system32\Omjpeo32.exe
C:\Windows\SysWOW64\Peahgl32.exe
C:\Windows\system32\Peahgl32.exe
C:\Windows\SysWOW64\Phodcg32.exe
C:\Windows\system32\Phodcg32.exe
C:\Windows\SysWOW64\Poimpapp.exe
C:\Windows\system32\Poimpapp.exe
C:\Windows\SysWOW64\Pahilmoc.exe
C:\Windows\system32\Pahilmoc.exe
C:\Windows\SysWOW64\Pdfehh32.exe
C:\Windows\system32\Pdfehh32.exe
C:\Windows\SysWOW64\Pkpmdbfd.exe
C:\Windows\system32\Pkpmdbfd.exe
C:\Windows\SysWOW64\Pmoiqneg.exe
C:\Windows\system32\Pmoiqneg.exe
C:\Windows\SysWOW64\Pdhbmh32.exe
C:\Windows\system32\Pdhbmh32.exe
C:\Windows\SysWOW64\Plpjoe32.exe
C:\Windows\system32\Plpjoe32.exe
C:\Windows\SysWOW64\Ponfka32.exe
C:\Windows\system32\Ponfka32.exe
C:\Windows\SysWOW64\Palbgl32.exe
C:\Windows\system32\Palbgl32.exe
C:\Windows\SysWOW64\Pdkoch32.exe
C:\Windows\system32\Pdkoch32.exe
C:\Windows\SysWOW64\Plbfdekd.exe
C:\Windows\system32\Plbfdekd.exe
C:\Windows\SysWOW64\Pmcclm32.exe
C:\Windows\system32\Pmcclm32.exe
C:\Windows\SysWOW64\Pejkmk32.exe
C:\Windows\system32\Pejkmk32.exe
C:\Windows\SysWOW64\Pldcjeia.exe
C:\Windows\system32\Pldcjeia.exe
C:\Windows\SysWOW64\Pocpfphe.exe
C:\Windows\system32\Pocpfphe.exe
C:\Windows\SysWOW64\Qaalblgi.exe
C:\Windows\system32\Qaalblgi.exe
C:\Windows\SysWOW64\Qdphngfl.exe
C:\Windows\system32\Qdphngfl.exe
C:\Windows\SysWOW64\Qlgpod32.exe
C:\Windows\system32\Qlgpod32.exe
C:\Windows\SysWOW64\Qoelkp32.exe
C:\Windows\system32\Qoelkp32.exe
C:\Windows\SysWOW64\Qachgk32.exe
C:\Windows\system32\Qachgk32.exe
C:\Windows\SysWOW64\Qdbdcg32.exe
C:\Windows\system32\Qdbdcg32.exe
C:\Windows\SysWOW64\Qklmpalf.exe
C:\Windows\system32\Qklmpalf.exe
C:\Windows\SysWOW64\Aeaanjkl.exe
C:\Windows\system32\Aeaanjkl.exe
C:\Windows\SysWOW64\Alkijdci.exe
C:\Windows\system32\Alkijdci.exe
C:\Windows\SysWOW64\Aahbbkaq.exe
C:\Windows\system32\Aahbbkaq.exe
C:\Windows\SysWOW64\Adfnofpd.exe
C:\Windows\system32\Adfnofpd.exe
C:\Windows\SysWOW64\Alnfpcag.exe
C:\Windows\system32\Alnfpcag.exe
C:\Windows\SysWOW64\Aajohjon.exe
C:\Windows\system32\Aajohjon.exe
C:\Windows\SysWOW64\Adikdfna.exe
C:\Windows\system32\Adikdfna.exe
C:\Windows\SysWOW64\Akccap32.exe
C:\Windows\system32\Akccap32.exe
C:\Windows\SysWOW64\Anaomkdb.exe
C:\Windows\system32\Anaomkdb.exe
C:\Windows\SysWOW64\Adkgje32.exe
C:\Windows\system32\Adkgje32.exe
C:\Windows\SysWOW64\Albpkc32.exe
C:\Windows\system32\Albpkc32.exe
C:\Windows\SysWOW64\Aoalgn32.exe
C:\Windows\system32\Aoalgn32.exe
C:\Windows\SysWOW64\Aaohcj32.exe
C:\Windows\system32\Aaohcj32.exe
C:\Windows\SysWOW64\Ahippdbe.exe
C:\Windows\system32\Ahippdbe.exe
C:\Windows\SysWOW64\Akglloai.exe
C:\Windows\system32\Akglloai.exe
C:\Windows\SysWOW64\Bnfihkqm.exe
C:\Windows\system32\Bnfihkqm.exe
C:\Windows\SysWOW64\Blgifbil.exe
C:\Windows\system32\Blgifbil.exe
C:\Windows\SysWOW64\Bkjiao32.exe
C:\Windows\system32\Bkjiao32.exe
C:\Windows\SysWOW64\Bdbnjdfg.exe
C:\Windows\system32\Bdbnjdfg.exe
C:\Windows\SysWOW64\Bohbhmfm.exe
C:\Windows\system32\Bohbhmfm.exe
C:\Windows\SysWOW64\Bhpfqcln.exe
C:\Windows\system32\Bhpfqcln.exe
C:\Windows\SysWOW64\Bedgjgkg.exe
C:\Windows\system32\Bedgjgkg.exe
C:\Windows\SysWOW64\Bakgoh32.exe
C:\Windows\system32\Bakgoh32.exe
C:\Windows\SysWOW64\Blqllqqa.exe
C:\Windows\system32\Blqllqqa.exe
C:\Windows\SysWOW64\Coohhlpe.exe
C:\Windows\system32\Coohhlpe.exe
C:\Windows\SysWOW64\Cdlqqcnl.exe
C:\Windows\system32\Cdlqqcnl.exe
C:\Windows\SysWOW64\Clchbqoo.exe
C:\Windows\system32\Clchbqoo.exe
C:\Windows\SysWOW64\Cbpajgmf.exe
C:\Windows\system32\Cbpajgmf.exe
C:\Windows\SysWOW64\Cdnmfclj.exe
C:\Windows\system32\Cdnmfclj.exe
C:\Windows\SysWOW64\Cleegp32.exe
C:\Windows\system32\Cleegp32.exe
C:\Windows\SysWOW64\Cfnjpfcl.exe
C:\Windows\system32\Cfnjpfcl.exe
C:\Windows\SysWOW64\Chlflabp.exe
C:\Windows\system32\Chlflabp.exe
C:\Windows\SysWOW64\Cnindhpg.exe
C:\Windows\system32\Cnindhpg.exe
C:\Windows\SysWOW64\Ckmonl32.exe
C:\Windows\system32\Ckmonl32.exe
C:\Windows\SysWOW64\Cnkkjh32.exe
C:\Windows\system32\Cnkkjh32.exe
C:\Windows\SysWOW64\Cfbcke32.exe
C:\Windows\system32\Cfbcke32.exe
C:\Windows\SysWOW64\Dmlkhofd.exe
C:\Windows\system32\Dmlkhofd.exe
C:\Windows\SysWOW64\Dokgdkeh.exe
C:\Windows\system32\Dokgdkeh.exe
C:\Windows\SysWOW64\Dfdpad32.exe
C:\Windows\system32\Dfdpad32.exe
C:\Windows\SysWOW64\Dhclmp32.exe
C:\Windows\system32\Dhclmp32.exe
C:\Windows\SysWOW64\Dkahilkl.exe
C:\Windows\system32\Dkahilkl.exe
C:\Windows\SysWOW64\Domdjj32.exe
C:\Windows\system32\Domdjj32.exe
C:\Windows\SysWOW64\Dbkqfe32.exe
C:\Windows\system32\Dbkqfe32.exe
C:\Windows\SysWOW64\Dheibpje.exe
C:\Windows\system32\Dheibpje.exe
C:\Windows\SysWOW64\Dkceokii.exe
C:\Windows\system32\Dkceokii.exe
C:\Windows\SysWOW64\Dooaoj32.exe
C:\Windows\system32\Dooaoj32.exe
C:\Windows\SysWOW64\Dbnmke32.exe
C:\Windows\system32\Dbnmke32.exe
C:\Windows\SysWOW64\Dfiildio.exe
C:\Windows\system32\Dfiildio.exe
C:\Windows\SysWOW64\Digehphc.exe
C:\Windows\system32\Digehphc.exe
C:\Windows\SysWOW64\Dkfadkgf.exe
C:\Windows\system32\Dkfadkgf.exe
C:\Windows\SysWOW64\Dndnpf32.exe
C:\Windows\system32\Dndnpf32.exe
C:\Windows\SysWOW64\Dflfac32.exe
C:\Windows\system32\Dflfac32.exe
C:\Windows\SysWOW64\Dijbno32.exe
C:\Windows\system32\Dijbno32.exe
C:\Windows\SysWOW64\Dngjff32.exe
C:\Windows\system32\Dngjff32.exe
C:\Windows\SysWOW64\Eiloco32.exe
C:\Windows\system32\Eiloco32.exe
C:\Windows\SysWOW64\Eofgpikj.exe
C:\Windows\system32\Eofgpikj.exe
C:\Windows\SysWOW64\Efpomccg.exe
C:\Windows\system32\Efpomccg.exe
C:\Windows\SysWOW64\Emjgim32.exe
C:\Windows\system32\Emjgim32.exe
C:\Windows\SysWOW64\Eoideh32.exe
C:\Windows\system32\Eoideh32.exe
C:\Windows\SysWOW64\Enkdaepb.exe
C:\Windows\system32\Enkdaepb.exe
C:\Windows\SysWOW64\Efblbbqd.exe
C:\Windows\system32\Efblbbqd.exe
C:\Windows\SysWOW64\Emmdom32.exe
C:\Windows\system32\Emmdom32.exe
C:\Windows\SysWOW64\Ebimgcfi.exe
C:\Windows\system32\Ebimgcfi.exe
C:\Windows\SysWOW64\Eehicoel.exe
C:\Windows\system32\Eehicoel.exe
C:\Windows\SysWOW64\Ekaapi32.exe
C:\Windows\system32\Ekaapi32.exe
C:\Windows\SysWOW64\Efgemb32.exe
C:\Windows\system32\Efgemb32.exe
C:\Windows\SysWOW64\Eifaim32.exe
C:\Windows\system32\Eifaim32.exe
C:\Windows\SysWOW64\Enbjad32.exe
C:\Windows\system32\Enbjad32.exe
C:\Windows\SysWOW64\Felbnn32.exe
C:\Windows\system32\Felbnn32.exe
C:\Windows\SysWOW64\Fbpchb32.exe
C:\Windows\system32\Fbpchb32.exe
C:\Windows\SysWOW64\Fligqhga.exe
C:\Windows\system32\Fligqhga.exe
C:\Windows\SysWOW64\Flkdfh32.exe
C:\Windows\system32\Flkdfh32.exe
C:\Windows\SysWOW64\Ffqhcq32.exe
C:\Windows\system32\Ffqhcq32.exe
C:\Windows\SysWOW64\Flmqlg32.exe
C:\Windows\system32\Flmqlg32.exe
C:\Windows\SysWOW64\Fnlmhc32.exe
C:\Windows\system32\Fnlmhc32.exe
C:\Windows\SysWOW64\Fefedmil.exe
C:\Windows\system32\Fefedmil.exe
C:\Windows\SysWOW64\Fmmmfj32.exe
C:\Windows\system32\Fmmmfj32.exe
C:\Windows\SysWOW64\Gidnkkpc.exe
C:\Windows\system32\Gidnkkpc.exe
C:\Windows\SysWOW64\Gejopl32.exe
C:\Windows\system32\Gejopl32.exe
C:\Windows\SysWOW64\Gbnoiqdq.exe
C:\Windows\system32\Gbnoiqdq.exe
C:\Windows\SysWOW64\Gmdcfidg.exe
C:\Windows\system32\Gmdcfidg.exe
C:\Windows\SysWOW64\Gbalopbn.exe
C:\Windows\system32\Gbalopbn.exe
C:\Windows\SysWOW64\Glipgf32.exe
C:\Windows\system32\Glipgf32.exe
C:\Windows\SysWOW64\Gfodeohd.exe
C:\Windows\system32\Gfodeohd.exe
C:\Windows\SysWOW64\Gpgind32.exe
C:\Windows\system32\Gpgind32.exe
C:\Windows\SysWOW64\Hipmfjee.exe
C:\Windows\system32\Hipmfjee.exe
C:\Windows\SysWOW64\Hfcnpn32.exe
C:\Windows\system32\Hfcnpn32.exe
C:\Windows\SysWOW64\Hibjli32.exe
C:\Windows\system32\Hibjli32.exe
C:\Windows\SysWOW64\Hlbcnd32.exe
C:\Windows\system32\Hlbcnd32.exe
C:\Windows\SysWOW64\Hblkjo32.exe
C:\Windows\system32\Hblkjo32.exe
C:\Windows\SysWOW64\Hpqldc32.exe
C:\Windows\system32\Hpqldc32.exe
C:\Windows\SysWOW64\Hoclopne.exe
C:\Windows\system32\Hoclopne.exe
C:\Windows\SysWOW64\Ibaeen32.exe
C:\Windows\system32\Ibaeen32.exe
C:\Windows\SysWOW64\Iikmbh32.exe
C:\Windows\system32\Iikmbh32.exe
C:\Windows\SysWOW64\Ibcaknbi.exe
C:\Windows\system32\Ibcaknbi.exe
C:\Windows\SysWOW64\Iinjhh32.exe
C:\Windows\system32\Iinjhh32.exe
C:\Windows\SysWOW64\Ipgbdbqb.exe
C:\Windows\system32\Ipgbdbqb.exe
C:\Windows\SysWOW64\Igajal32.exe
C:\Windows\system32\Igajal32.exe
C:\Windows\SysWOW64\Iedjmioj.exe
C:\Windows\system32\Iedjmioj.exe
C:\Windows\SysWOW64\Ipjoja32.exe
C:\Windows\system32\Ipjoja32.exe
C:\Windows\SysWOW64\Iomoenej.exe
C:\Windows\system32\Iomoenej.exe
C:\Windows\SysWOW64\Imnocf32.exe
C:\Windows\system32\Imnocf32.exe
C:\Windows\SysWOW64\Ipoheakj.exe
C:\Windows\system32\Ipoheakj.exe
C:\Windows\SysWOW64\Jmbhoeid.exe
C:\Windows\system32\Jmbhoeid.exe
C:\Windows\SysWOW64\Jleijb32.exe
C:\Windows\system32\Jleijb32.exe
C:\Windows\SysWOW64\Jocefm32.exe
C:\Windows\system32\Jocefm32.exe
C:\Windows\SysWOW64\Jcoaglhk.exe
C:\Windows\system32\Jcoaglhk.exe
C:\Windows\SysWOW64\Jcanll32.exe
C:\Windows\system32\Jcanll32.exe
C:\Windows\SysWOW64\Jljbeali.exe
C:\Windows\system32\Jljbeali.exe
C:\Windows\SysWOW64\Jcdjbk32.exe
C:\Windows\system32\Jcdjbk32.exe
C:\Windows\SysWOW64\Jgpfbjlo.exe
C:\Windows\system32\Jgpfbjlo.exe
C:\Windows\SysWOW64\Jinboekc.exe
C:\Windows\system32\Jinboekc.exe
C:\Windows\SysWOW64\Jphkkpbp.exe
C:\Windows\system32\Jphkkpbp.exe
C:\Windows\SysWOW64\Jgbchj32.exe
C:\Windows\system32\Jgbchj32.exe
C:\Windows\SysWOW64\Kgdpni32.exe
C:\Windows\system32\Kgdpni32.exe
C:\Windows\SysWOW64\Klahfp32.exe
C:\Windows\system32\Klahfp32.exe
C:\Windows\SysWOW64\Kckqbj32.exe
C:\Windows\system32\Kckqbj32.exe
C:\Windows\SysWOW64\Koaagkcb.exe
C:\Windows\system32\Koaagkcb.exe
C:\Windows\SysWOW64\Klfaapbl.exe
C:\Windows\system32\Klfaapbl.exe
C:\Windows\SysWOW64\Kofkbk32.exe
C:\Windows\system32\Kofkbk32.exe
C:\Windows\SysWOW64\Lljklo32.exe
C:\Windows\system32\Lljklo32.exe
C:\Windows\SysWOW64\Lfbped32.exe
C:\Windows\system32\Lfbped32.exe
C:\Windows\SysWOW64\Llmhaold.exe
C:\Windows\system32\Llmhaold.exe
C:\Windows\SysWOW64\Lokdnjkg.exe
C:\Windows\system32\Lokdnjkg.exe
C:\Windows\SysWOW64\Lgbloglj.exe
C:\Windows\system32\Lgbloglj.exe
C:\Windows\SysWOW64\Ljqhkckn.exe
C:\Windows\system32\Ljqhkckn.exe
C:\Windows\SysWOW64\Lnldla32.exe
C:\Windows\system32\Lnldla32.exe
C:\Windows\SysWOW64\Lomqcjie.exe
C:\Windows\system32\Lomqcjie.exe
C:\Windows\SysWOW64\Lfgipd32.exe
C:\Windows\system32\Lfgipd32.exe
C:\Windows\SysWOW64\Lnoaaaad.exe
C:\Windows\system32\Lnoaaaad.exe
C:\Windows\SysWOW64\Lqmmmmph.exe
C:\Windows\system32\Lqmmmmph.exe
C:\Windows\SysWOW64\Ljeafb32.exe
C:\Windows\system32\Ljeafb32.exe
C:\Windows\SysWOW64\Lcnfohmi.exe
C:\Windows\system32\Lcnfohmi.exe
C:\Windows\SysWOW64\Mcpcdg32.exe
C:\Windows\system32\Mcpcdg32.exe
C:\Windows\SysWOW64\Mjjkaabc.exe
C:\Windows\system32\Mjjkaabc.exe
C:\Windows\SysWOW64\Mnegbp32.exe
C:\Windows\system32\Mnegbp32.exe
C:\Windows\SysWOW64\Mjlhgaqp.exe
C:\Windows\system32\Mjlhgaqp.exe
C:\Windows\SysWOW64\Mcelpggq.exe
C:\Windows\system32\Mcelpggq.exe
C:\Windows\SysWOW64\Mfchlbfd.exe
C:\Windows\system32\Mfchlbfd.exe
C:\Windows\SysWOW64\Mmmqhl32.exe
C:\Windows\system32\Mmmqhl32.exe
C:\Windows\SysWOW64\Mokmdh32.exe
C:\Windows\system32\Mokmdh32.exe
C:\Windows\SysWOW64\Mgbefe32.exe
C:\Windows\system32\Mgbefe32.exe
C:\Windows\SysWOW64\Mnmmboed.exe
C:\Windows\system32\Mnmmboed.exe
C:\Windows\SysWOW64\Monjjgkb.exe
C:\Windows\system32\Monjjgkb.exe
C:\Windows\SysWOW64\Nmbjcljl.exe
C:\Windows\system32\Nmbjcljl.exe
C:\Windows\SysWOW64\Nopfpgip.exe
C:\Windows\system32\Nopfpgip.exe
C:\Windows\SysWOW64\Nmdgikhi.exe
C:\Windows\system32\Nmdgikhi.exe
C:\Windows\SysWOW64\Nqbpojnp.exe
C:\Windows\system32\Nqbpojnp.exe
C:\Windows\SysWOW64\Nglhld32.exe
C:\Windows\system32\Nglhld32.exe
C:\Windows\SysWOW64\Nnfpinmi.exe
C:\Windows\system32\Nnfpinmi.exe
C:\Windows\SysWOW64\Ngndaccj.exe
C:\Windows\system32\Ngndaccj.exe
C:\Windows\SysWOW64\Ojomcopk.exe
C:\Windows\system32\Ojomcopk.exe
C:\Windows\SysWOW64\Offnhpfo.exe
C:\Windows\system32\Offnhpfo.exe
C:\Windows\SysWOW64\Onmfimga.exe
C:\Windows\system32\Onmfimga.exe
C:\Windows\SysWOW64\Ocjoadei.exe
C:\Windows\system32\Ocjoadei.exe
C:\Windows\SysWOW64\Onocomdo.exe
C:\Windows\system32\Onocomdo.exe
C:\Windows\SysWOW64\Ofkgcobj.exe
C:\Windows\system32\Ofkgcobj.exe
C:\Windows\SysWOW64\Ogjdmbil.exe
C:\Windows\system32\Ogjdmbil.exe
C:\Windows\SysWOW64\Pnfiplog.exe
C:\Windows\system32\Pnfiplog.exe
C:\Windows\SysWOW64\Pmlfqh32.exe
C:\Windows\system32\Pmlfqh32.exe
C:\Windows\SysWOW64\Phajna32.exe
C:\Windows\system32\Phajna32.exe
C:\Windows\SysWOW64\Pdhkcb32.exe
C:\Windows\system32\Pdhkcb32.exe
C:\Windows\SysWOW64\Pjdpelnc.exe
C:\Windows\system32\Pjdpelnc.exe
C:\Windows\SysWOW64\Panhbfep.exe
C:\Windows\system32\Panhbfep.exe
C:\Windows\SysWOW64\Qdoacabq.exe
C:\Windows\system32\Qdoacabq.exe
C:\Windows\SysWOW64\Qjiipk32.exe
C:\Windows\system32\Qjiipk32.exe
C:\Windows\SysWOW64\Qmgelf32.exe
C:\Windows\system32\Qmgelf32.exe
C:\Windows\SysWOW64\Qpeahb32.exe
C:\Windows\system32\Qpeahb32.exe
C:\Windows\SysWOW64\Ahmjjoig.exe
C:\Windows\system32\Ahmjjoig.exe
C:\Windows\SysWOW64\Adcjop32.exe
C:\Windows\system32\Adcjop32.exe
C:\Windows\SysWOW64\Aagkhd32.exe
C:\Windows\system32\Aagkhd32.exe
C:\Windows\SysWOW64\Amnlme32.exe
C:\Windows\system32\Amnlme32.exe
C:\Windows\SysWOW64\Aggpfkjj.exe
C:\Windows\system32\Aggpfkjj.exe
C:\Windows\SysWOW64\Agimkk32.exe
C:\Windows\system32\Agimkk32.exe
C:\Windows\SysWOW64\Amcehdod.exe
C:\Windows\system32\Amcehdod.exe
C:\Windows\SysWOW64\Bdmmeo32.exe
C:\Windows\system32\Bdmmeo32.exe
C:\Windows\SysWOW64\Bkgeainn.exe
C:\Windows\system32\Bkgeainn.exe
C:\Windows\SysWOW64\Bdojjo32.exe
C:\Windows\system32\Bdojjo32.exe
C:\Windows\SysWOW64\Bgnffj32.exe
C:\Windows\system32\Bgnffj32.exe
C:\Windows\SysWOW64\Bacjdbch.exe
C:\Windows\system32\Bacjdbch.exe
C:\Windows\SysWOW64\Bgpcliao.exe
C:\Windows\system32\Bgpcliao.exe
C:\Windows\SysWOW64\Bogkmgba.exe
C:\Windows\system32\Bogkmgba.exe
C:\Windows\SysWOW64\Bgbpaipl.exe
C:\Windows\system32\Bgbpaipl.exe
C:\Windows\SysWOW64\Bahdob32.exe
C:\Windows\system32\Bahdob32.exe
C:\Windows\SysWOW64\Bdfpkm32.exe
C:\Windows\system32\Bdfpkm32.exe
C:\Windows\SysWOW64\Bgelgi32.exe
C:\Windows\system32\Bgelgi32.exe
C:\Windows\SysWOW64\Cpmapodj.exe
C:\Windows\system32\Cpmapodj.exe
C:\Windows\SysWOW64\Cnaaib32.exe
C:\Windows\system32\Cnaaib32.exe
C:\Windows\SysWOW64\Chfegk32.exe
C:\Windows\system32\Chfegk32.exe
C:\Windows\SysWOW64\Ckebcg32.exe
C:\Windows\system32\Ckebcg32.exe
C:\Windows\SysWOW64\Cncnob32.exe
C:\Windows\system32\Cncnob32.exe
C:\Windows\SysWOW64\Chiblk32.exe
C:\Windows\system32\Chiblk32.exe
C:\Windows\SysWOW64\Cdpcal32.exe
C:\Windows\system32\Cdpcal32.exe
C:\Windows\SysWOW64\Coegoe32.exe
C:\Windows\system32\Coegoe32.exe
C:\Windows\SysWOW64\Cacckp32.exe
C:\Windows\system32\Cacckp32.exe
C:\Windows\SysWOW64\Cgqlcg32.exe
C:\Windows\system32\Cgqlcg32.exe
C:\Windows\SysWOW64\Cklhcfle.exe
C:\Windows\system32\Cklhcfle.exe
C:\Windows\SysWOW64\Dddllkbf.exe
C:\Windows\system32\Dddllkbf.exe
C:\Windows\SysWOW64\Ddgibkpc.exe
C:\Windows\system32\Ddgibkpc.exe
C:\Windows\SysWOW64\Dkqaoe32.exe
C:\Windows\system32\Dkqaoe32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 11068 -ip 11068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 11068 -s 400
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
memory/4464-0-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Coknoaic.exe
| MD5 | 5964f553e056b92afb37bd828b4a5617 |
| SHA1 | 1808fd8bd9136668e33169805710b3e0d21a2fed |
| SHA256 | f5acc1e39ca4d8095b0a592a95355cd0360afc7e2b7595b68063a0ed6a490bdd |
| SHA512 | b41ed4de05b2f5a5bde8785299d6da7d1ff9c433805ceee0499537762545d860d143b81688a067e5a6be9505796bfe0b48225d773e3c7dfc23d25275594dc897 |
memory/4940-8-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Dpnkdq32.exe
| MD5 | 22dfcf44cc6dc43424ffb2a5b235fb9b |
| SHA1 | 02475e559042686e2c619760a19fe044ad6a64ce |
| SHA256 | cc63d30e6b573caba40662cbbef4ac189e376ae69fad7043c48f433e5fb6cdb0 |
| SHA512 | e8d3c4f146062d8402f37403fa06899814ac0bca1b9796825d1f46b35d54026036a9ce576a8b1e46ff81ce7230a1c1e3e0e196b2a7fdadf49b2171986c01acdf |
memory/864-15-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Djcoai32.exe
| MD5 | 8b09c1a4f6893083b28acaab09ee7efb |
| SHA1 | 0283edccfa0cecbb80ba7320066ed0708fa20f7a |
| SHA256 | b01984d170e85ade5999a6118b76db056b1972157976e9383ea2bf7af5eed069 |
| SHA512 | 06afec7d7a2c735b427d2a9c9d66b1c3c13deb2ca32a276ae4c4db931792aa7f362c01951cb8891c820628c4d544b367bd39a1d119188e176fcb3d7c57ff156c |
memory/4504-28-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Dpphjp32.exe
| MD5 | e06be9320c21f3fd681f8de488cd3bb0 |
| SHA1 | 0f6ef2effe05757d8fd232249efc46f563a1a131 |
| SHA256 | f00526523b729a7d95b5f09b4caf5eb9f328dda0985f96d680a863567996b954 |
| SHA512 | 8151cb22a6f3e081d0a73a005c4ff75503c1116c744751a95f353aab5a8c1050f1777be50305bec69ee53e9a3f143ed5322db9cb896379f80fa8693723c72309 |
C:\Windows\SysWOW64\Dbndfl32.exe
| MD5 | a94dfbd81af26723534ba7631c1f66a7 |
| SHA1 | bc4848ea9a03006cfe48b8c26a8f2b63e6e7bf18 |
| SHA256 | 9b84ea56cfac05de5894e5b94e4c67c12433c9276beb5f204696090095d266f3 |
| SHA512 | 0199b6051aabc3f35eba32ce8e8ba9ae25be44b0ab3b226107690244725549f5f11aa60ea8620ed77c9d501ad534667931892463809b0b3f33261f7c9ef5e5e5 |
C:\Windows\SysWOW64\Djelgied.exe
| MD5 | 82336b6cd90daab448ea94412157d070 |
| SHA1 | 9c378d2195f74bc5e846c96de2edb8b932551496 |
| SHA256 | 9d6898c77005648d2e76f43e582aa935e700707f9357c6c898b6c358c8d8ce72 |
| SHA512 | b53aa29539e399b97e9b78ef19c7fe0b14de4fa7b3b037f99fef1b0da0c64e51530f16637fcb8139c07026acc5e7dface191a2210fd6401dd7abb18d5cceeb4b |
C:\Windows\SysWOW64\Dmdhcddh.exe
| MD5 | 5ad60ce9f9c72672a6bb9fefab6f1ae2 |
| SHA1 | 26624666684b28b22840999a82e327bed55fb383 |
| SHA256 | f68a4770c1a0d74737e9c04a09216df81e6b5215de7c4e61b6de37fe942e2588 |
| SHA512 | 2d8b947cbe8b91c755076978f026befffba077dc6d89640e62f3cded27007c7b44a24c3cda4b6820e1296bb823df08ce5cdb5ffadde8195670d7e91cc5fe2a3f |
C:\Windows\SysWOW64\Dcpmen32.exe
| MD5 | 84dc0d1497797e35a84ac3df9b1e75ca |
| SHA1 | 43154d3d5cda52293379eb2ac5ec656844489b3a |
| SHA256 | f54ba0d329d0daabd1be98ffc24b259d5959b0e8f5cd7d1ad346c376a7e3f407 |
| SHA512 | 0289bf70b19aba4769dc7e8ba4657c5877b2cd3b75065e59f6dc5a299e9e47b88f9a54387c0bccb2152c62561853ad4db06f1bc6d72aa08a006fc9aaadc421ea |
C:\Windows\SysWOW64\Dlkbjqgm.exe
| MD5 | 77e59734f0f260ab8a130b5eb1d86a0b |
| SHA1 | 95227c07e508d1558f28ccc72239f8586d8efde4 |
| SHA256 | 1184bdfb2b19a42209e8a04de31542990677846be480cd81077266fa1c470364 |
| SHA512 | bd36578e8406a32d505aa194f100698d9a47224df56065bcf1a1248fbb45d2115da20505efc69578afbfed1ed051bd5ede509ff7eb14167f5b29108f563d59be |
C:\Windows\SysWOW64\Eplgeokq.exe
| MD5 | 54e586b8b60a793c37bb3c7580ba8f58 |
| SHA1 | 807fcd1ee795566efce387d717e51aadcb3e6720 |
| SHA256 | afad206a91007261022eb79fd229ec19b37e21e700826a78cbf47a06e490bfb2 |
| SHA512 | ee3c1eb06c80d51c79b080cfa339b8d514b5d5c6f09af13635e2f1c8a2b8210d6fa6d188e95cb153ad5e135d54672aaac55d984a45a369ae7506e2097b5eeb13 |
C:\Windows\SysWOW64\Epndknin.exe
| MD5 | 75a4f6c14912b87e47474b0b302d3dac |
| SHA1 | 1011a319db02e716141ee38187a66131a6a4218a |
| SHA256 | ce45b5e37d80537c88e931b986e82ac1da4938caca58423134503c74923d49aa |
| SHA512 | 456782d20461e6143333c77ed6f5db5f64a6e90cf83563867b3cf1207a81d621c0ded29db88c36da29bbbf6d64deba56d0ae115c6906c07ed92052492f38ac31 |
memory/1684-351-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2108-465-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5952-601-0x0000000000400000-0x000000000042F000-memory.dmp
memory/6072-619-0x0000000000400000-0x000000000042F000-memory.dmp
memory/6032-613-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5992-607-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5908-595-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5868-589-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4532-588-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5828-582-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5788-576-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5740-570-0x0000000000400000-0x000000000042F000-memory.dmp
memory/864-568-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5700-563-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4940-562-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5656-556-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5616-550-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4464-549-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5576-543-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5536-537-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5496-531-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5464-525-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5416-514-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5376-513-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5336-507-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5296-501-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5256-495-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5216-489-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5176-483-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5136-477-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3560-471-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3472-459-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1196-453-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1552-447-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2396-441-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4116-435-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1292-429-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4836-423-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2696-417-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2904-411-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4516-405-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2996-399-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2784-393-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3836-392-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5064-381-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4272-375-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3948-369-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4796-362-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4920-357-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2440-350-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2000-339-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3396-333-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3636-327-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4952-321-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4484-315-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1356-309-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4792-303-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1872-296-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1556-291-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4364-285-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4968-279-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2832-272-0x0000000000400000-0x000000000042F000-memory.dmp
memory/628-267-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4604-261-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3744-253-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Emphocjj.exe
| MD5 | aaa219be1179f54d1d2528452e9237dc |
| SHA1 | 3e1c33772a270d7ce5b1acbe7c919723fa7eb6ae |
| SHA256 | 02e1acead2806a89b3f09276a652701dfbfa5a2a2e0599e07beaf24b5aae1c13 |
| SHA512 | 8011bc5324145f4f2a04b8256234e2c1b25fe90879db1b744b06a83d490d1dde60bb44728db2bd338bf94c7ac4332efa336d881d3d33c4aba41ac9ef0056bb51 |
memory/4328-244-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Eidlnd32.exe
| MD5 | 556df0c08250b78f35c73e60e1e41f8d |
| SHA1 | 5780c4f69f3e9e4d5cb065d4e122b8b9e72a0e3f |
| SHA256 | b57dbdf7ab49e441cb0db4c7e3b2197ef0191fca3cbb54a0ef0319cff075d498 |
| SHA512 | 68ca57bb7a1c77c519bfd9859db8826cc825b73a2f54296cc7e78091a8bb3c441f3b135465306793c7af19d37c0387e7ff0d65012750955353f025dce80a433c |
memory/2388-236-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Efepbi32.exe
| MD5 | 5d054970f5fc7dea3225adc26bf18c12 |
| SHA1 | 3f9eedf4fe027ac4ab092d472535d2aab2b283e7 |
| SHA256 | 8aef5abb3169cf1e05b7b5aec3a7f480760aeb09a40d8dfef109f8ff762b2a56 |
| SHA512 | ffb4534a1e1a673759e8527df44592f0972b8fdbf5cc0ca34824561b227c556c9286e51832bdf0e8c942b97206b765e011c53426641b4fe20b4f79843e30349e |
memory/2680-229-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ebjcajjd.exe
| MD5 | 8fcc5e651a676b01674063b0e135cc8a |
| SHA1 | d8b2a2fd9d4c7f0765d9927a75b02c49ccbfbed8 |
| SHA256 | 044018438bb5781781ef7b0fa24e8e1fe02bc8cb939051bd1f6b23b2b0d1e638 |
| SHA512 | bb1e2a230d2d63ff770b460eb40cd5036daefd18262f0783c4d2704400358f91cd6d03b7673bb4701028adce5f091a7eaa9e89aab29a15addb7c2258800d2667 |
memory/4228-221-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3112-213-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Emmkiclm.exe
| MD5 | c67335f5a5479c82336b4452f95b902a |
| SHA1 | 76d542c1d595d7172181afdc9834b6b2c2012d59 |
| SHA256 | b730473307eea3673ab6f3cec95b044825d5360b3b6cfa6cd6c62b3e3f2afa0f |
| SHA512 | 1ea9579e9a4683378183ebc8181a62c99519dd935690892363c67851bc2e4b571b828cfe110a192698b6733d33416142f30e1792a68bc8f89118faf8fdc1c342 |
memory/1524-204-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Eiaoid32.exe
| MD5 | 7493cd5ba25f52b0350d452810745797 |
| SHA1 | 91e806e4329c1d3efcb6b86867b88da0553e0e4b |
| SHA256 | 0dbbff42b4d84b470b13ec88bbe51ed2f225b66a7cbc8f547037ff42b72a27eb |
| SHA512 | 342f2849441b2ff4a9f0aa696c213cc85cd8ee9dfea559522cae997c627be3d5b488e57ab9f5d43a7ad6dad9920b4aadec380c4c56715a153d6572f33b85f274 |
memory/1076-197-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Efccmidp.exe
| MD5 | f328ed107e6fd3d62d5458f581df7456 |
| SHA1 | 0707e3e783b079621be7e43531f6518835c1fe21 |
| SHA256 | a78eae1d37e867f10fc77b20a7df755260512d7f6c2b06cc23b14d873f05d771 |
| SHA512 | 6fc80e82a09ab0aa6fbced28fef8bca1e78a46b2781d7b01b9229bcbb7a6064ad17db0363d3092df8edb9c13f451de265c853f70e6af0800dc64d7bdbc3ff0a1 |
memory/1696-188-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ecefqnel.exe
| MD5 | 78fb26e9537e182c1208edd67448ec90 |
| SHA1 | b14ca063aafd0e30d8bf6e57033b41a01e973567 |
| SHA256 | 47882bbf92c2ec7b13a6b1a2b03f1a5b033d219cb2ec96a947d9d4071099948b |
| SHA512 | 486a2b7db318cf46278f18cdf923dd5c9e0a8da3613b6c0cf659f9c18caec1baca2bcefda2ad8b986b349ef654c08699e09e7da34720dd08ba46743a6300a4f6 |
memory/216-180-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Elnoopdj.exe
| MD5 | 7bc99f59bfae2bf6c87a8f34598f20bc |
| SHA1 | 0891f17350add7c32055979667b8c9c434f9c0f4 |
| SHA256 | 2f391605bf0232d5151073996453197a2d191ff776bc7482ceaa19175cdabab5 |
| SHA512 | f49c02f4959d31316ee026b6a308341404707338d635160eaa6a0b169ec2863f02149c73d9e84bdeffc14b00948168e34281dbee1d8530e79880c2f0a609be52 |
memory/3048-173-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Eiobceef.exe
| MD5 | 180e99c3d7225882a62fb772c3db21ab |
| SHA1 | 04a041d03c2ea0e81c4f3599f60895b8ed12b421 |
| SHA256 | 5b097f4a3d333cb2d52122f20cdea7e1da9fcbce9caef67eb8af85207d07c7ee |
| SHA512 | 9fdb3e8393c5a4d11fa4dfa150aacb28e579a62a7d21b8d1e4ba0b956ae630277ce90ec462808fe8926d70accf714dc67325d6c66b2ad54bfb217559ab24ff62 |
memory/1064-164-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ejlbhh32.exe
| MD5 | 00c8569f7599785c5a5a8031fd8197b9 |
| SHA1 | b97df50ac6996c37fcf2fa30d4a5146e11c233ee |
| SHA256 | d1ff9b75f79c49f7aa669d75c28ba1e0bb3bf473c5e03b37a050f87297ee315a |
| SHA512 | 49b800a9bdca6f446c8bff52bb0a56ce2cca1e5348fac2083accd6dc13d9343f6f55a347a1f8d71592afae5bd6bda52bc1f91a96bcb2efab62d621fdd0f1a5c1 |
memory/2628-157-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ebejfk32.exe
| MD5 | b0987ac977949cfe0dc3a59db0f935a5 |
| SHA1 | 758777966ace66f3662fcbb09ab25395e3bbe6cc |
| SHA256 | e89d9d9dcb01144fd30c4cd46e230b4afaa09fe5ab59dfebaf254b4192fcef88 |
| SHA512 | 1350f153e941c090d5c764218c17f1f36e63ccf771aa99a0bdcd8057249c99288286729e167b13d206b4f3e08210cd21c96d3f9c5007568b1cfce39dc41497ea |
memory/4108-148-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Dpgnjo32.exe
| MD5 | 9cf40cd548fe5fb6ec44629f0408a72f |
| SHA1 | b4be5e9bfb5d9a6fea9a8f473c92986badfa7103 |
| SHA256 | 36923a0963532877feca8e2cb45abd17b5e614b6706b22f0b7de6bb993ef9c08 |
| SHA512 | 1cfb0c035e400730a2247e1f7a7ccfbf6a005ae5bcbe0a7d054cbbe6189bcc2b847b0517d80414b3626115241407fe9971cc4efff87f859ad0f356ec1d03dc04 |
memory/4664-141-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3588-133-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Dimenegi.exe
| MD5 | 365b270cce5d85280022a748151018c0 |
| SHA1 | f5ac541effdcbb1714983097249e006be2f1f3fb |
| SHA256 | c221284b170b4a28040d408e53349512bb9560779b27abb94e7ccb4aca003d90 |
| SHA512 | 16f6a4a7327cbffaffa9c3f6abecd42b92798f684af3cb76aef169b07f42ec76636cc2eb93772e9d120fccb0a8f05c942edab520755a8d3a02b845346dc1b581 |
memory/2504-125-0x0000000000400000-0x000000000042F000-memory.dmp
memory/60-116-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Dpdaepai.exe
| MD5 | 4be03f4b2d3316d75c1ac1b8bb7f6a5c |
| SHA1 | b8fe196429ac1e767ec17627789e7fc519c87454 |
| SHA256 | 3aa4f55cf190524f8fe1d11c02766cf52cfd964e9a2310b8c5f94bc8189a75cf |
| SHA512 | 56beaacb1b8c9ae4096a4d3d63c7a998e0fc65c8d74c04dd29175da5d781497a2ba3bb3ab16acaf4f13351615d881832ada4f5656801abad6cfaf3e5f9068dc3 |
memory/4280-109-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Dmfeidbe.exe
| MD5 | 63bbf12a68c6255cbacaadfaa7fe6102 |
| SHA1 | 1521fa6e150faa1d8066b68fe80998d912cf4986 |
| SHA256 | 28f1a86c6698ca98363ebd59db9ef50b43784b6a56d678af957d019b51f76d5b |
| SHA512 | 3a768e1bf662da324422670043d15e360ed61445c1e8b2931022dd90da0b2c30d448b65ebfdb9a4e87ea7517f6ec3219419512dcf1775c542d4ae299d1051077 |
memory/4216-101-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Dikihe32.exe
| MD5 | 991bf396e1c0ff8bc9a4a6442f758406 |
| SHA1 | 5ef2026e7882310963c133984d911dc52674456a |
| SHA256 | e639580a3f35ede51e3ed54a4ed4bb1eaa7bcbaa5a0ee267cc774a77081dccbd |
| SHA512 | 2505da8b877245f2dca7c4c6173359117e2dc02482159b85b36147d1e3d50b9c44c6e974b4437dced31e9074452aa4a3cfb7cca511999ac250abafac3c884f5c |
memory/1324-92-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Dflmlj32.exe
| MD5 | e3d32033cf6954bcffdbe3ce04138961 |
| SHA1 | 24a5f2c789f8074430252bbe51d38ac8ae69dbb4 |
| SHA256 | 1817e353b005cabb1643f0b0bc66c1998d8a9866ba933406bcfaec7a9e6b098d |
| SHA512 | 6fcef19b271b9ef45a0604f8d2f26ba78e8f0cc30c8fb9f27977d4a541539b47b602817dc27b93155efcd6a89260035fecfae00c6c47f2a271432baf5e21ee59 |
memory/2352-84-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Dbqqkkbo.exe
| MD5 | fe69fa9a03f2221bb03b27154bd8d42c |
| SHA1 | 154c7cac1c4b792bf2bbe7b8c920c9d194727528 |
| SHA256 | 52d7a4ef292aa26c549af148a2019ee7d661376ec5cefd66fff31955f8dc77f3 |
| SHA512 | 95e79b854c8560e31f5d4dd69a4b534a4c4e50253c3800f85adfa3e46ff9fb2f1facef5d2c735246d86979953512e4a3478abef6fa9a9ae25784a85b5149b767 |
memory/2572-77-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Dpbdopck.exe
| MD5 | b5f62a4f3b811a47ca0f26d70bf101d4 |
| SHA1 | 0ec36e7a2f4a6adeefdca9d1e35b8a642caf94ae |
| SHA256 | 9009df6de82586b47a0c4a324978d18693c890da13220d7748393bb4b5888a6e |
| SHA512 | cb3713beb12cb7efb0ec2be75c74d14221326d3423ff29c67038c0d5cfa2d124022e034a24c2997c09e6e47c42655635bc22a0abbde00351f5cf38691d6c8506 |
memory/3868-68-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4320-60-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4532-59-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4084-54-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Dmalne32.exe
| MD5 | 26c6d1d227fdbb447b5a4f4c52641f46 |
| SHA1 | be4b507278352289d5754dad097acb874bde4cb5 |
| SHA256 | 16f70f4e56911f5c3c2fb8bef6121e45cd5f1ad12893364f2d98116703a2d873 |
| SHA512 | 82c33e7b8ad7e91c209080a3d0a2a2e640dfe4feeae76a02165cd463f174295d2faa7bde77ba5115c848fcabaac631930e85a99f3a83ed673aa5c916b854a76f |
memory/2556-37-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Jgeghp32.exe
| MD5 | 66e279db673454853af13e406fcf06c5 |
| SHA1 | 954445fc376dcb31deb2a45e4fbac03fd9b5ebe7 |
| SHA256 | e768666d50834e37d5f21873b74dc0ac1f21de73ff7ac3b2472b58a5febbce8c |
| SHA512 | 6f66afefb8bfe4e759abb29a5a30a3788ff319e35ff14d8096a000928f52a7cf93bd68fc5bf8fa9f679f64955e9577629cdb938e4769105992307b12529b52ef |
C:\Windows\SysWOW64\Knalji32.exe
| MD5 | d11b5ecd9730f3196d4f50dad03b04b7 |
| SHA1 | d98bf84b601414e986e59f0ce1df965f6198be97 |
| SHA256 | c49bf679dfc393caffe3448be8dae4db5917b3188a65ea9b785c3d4055c63ec3 |
| SHA512 | 03840c9228ffc8c921ea441c544b34a5bacfa5987cf46ee32961d220f36d864d88dd7dbb15c79c182c640da22469ea7d3f10e00419f4470c2b7fd86e975e9408 |
C:\Windows\SysWOW64\Kjhloj32.exe
| MD5 | 0bfe6f74285781a8535ff3e470f3325b |
| SHA1 | ba1335c98082e5d1b8d2245246fb7ad0e679573f |
| SHA256 | 8823bdc0394a3b53ec0e6197a6c89ed02fb2137551ab59c279ab680d73091e27 |
| SHA512 | 0f7be19fefa02edbbc07236e0a91e06d90fd991e20359975b5fdc8166e5811fd5eb74ee2886957f5e7b17c547868bd0d7afca4f73f91aaf1fa4459dfcc575c4b |
C:\Windows\SysWOW64\Kcejco32.exe
| MD5 | a8214ea3f201e22cca0ae7a257aae367 |
| SHA1 | d4a68604db70ea9c969daec15a074e319b9f9b3e |
| SHA256 | ee51f1ab973a5b266247e72b1532a3d5715cefa2e87915f27c1c56e835def096 |
| SHA512 | dd4a8dc602b9650dd560a55f785c88e2e475078eb2e9bfc8de700141212eab79b9e62d66fc19dc196643048bc769bebe855bf2d84509bf0e8c99760f1eae37d1 |
C:\Windows\SysWOW64\Lnjnqh32.exe
| MD5 | a09a5bb7af10533af46a51ce7ad0921a |
| SHA1 | f14b89a1464a65a9d4c37f1c9ef2c5d722aff042 |
| SHA256 | e4789f9d27d51bd7cbee41d5ddc53481738d9e4dc7b9e9c44f25e73125893cc4 |
| SHA512 | 50de3f6f14f90138e54c4633184619c591086e22b60541237e3c89bd5bd96ce0468745240b57b3c5c34bfb3cbe85ea012edc5ae378b0413be0b0f5370844d695 |
C:\Windows\SysWOW64\Lmbhgd32.exe
| MD5 | 55232a85588a92f1adf601d7c1dbe867 |
| SHA1 | 0c43caa72d512a619149d3a9df03a7527bcec1e2 |
| SHA256 | 51151eef7596ff5a3e693945986ac99071a68206e1b40055d75a6453cd0be7ae |
| SHA512 | 22278b650a11d7d40e6aa634e745b0bc60e45e78e750cd572332bfea25b154ca575cfe86e0e9d37b10847b877fbe3815695d4a1c7ea1ae6e647d562e8242c74b |
C:\Windows\SysWOW64\Lqbncb32.exe
| MD5 | c4bbc193d6d50feab7f476604f4c35c1 |
| SHA1 | af6761086afdaf648cd2bf5a83344e1074f6bc44 |
| SHA256 | ba9e83a52c8a650ab835c9ca43e9057260b5898b9d01b3e335cadaaaa9278d10 |
| SHA512 | 5af77c764952b8efab8dd78526619752ad9b28a69d0adefcac57b43d0dac01f93ef8df185fd090b41110f555495ed88aa833952ab68c9bf4bc1b8cbb8ad281f2 |
C:\Windows\SysWOW64\Mmkkmc32.exe
| MD5 | 75638797bad284b7a5e7a39efdf23522 |
| SHA1 | dcb1c3fcfdb566de7310802b0dc1765d61fbb328 |
| SHA256 | 22ab404f92db1e8f4549e174387be1334c8b47ae2dcbd656045609de008ac3f5 |
| SHA512 | 7d767f804c46fa1a0fe4654acd653ac64f172dd706d7283bf79d24c9ad3d41e080e68bf6ed4997d25f261932e543c02df9ea9bd2b8b61b3f045a7ae76a18a7e3 |
C:\Windows\SysWOW64\Mmnhcb32.exe
| MD5 | bd950b3e1d5b0833b7715ea41f5813f0 |
| SHA1 | e3ca0eeaf049795f7ceebc1159a8b55c04940ed5 |
| SHA256 | fc19dd44df2adde2ed4e465dd2d5f4f23ee0401a2d95855f28747c733568602d |
| SHA512 | 10859894c95c68cbd726ee545939f638a03f8ff584c21f7a081537632577bf60c97728b6a889f0c7006da1f580895ea2198b60fac00f99e296f764f611fb54b9 |
C:\Windows\SysWOW64\Nmgjia32.exe
| MD5 | 56e6202ad562077ed25d4c59465193be |
| SHA1 | 5ec721253d007382098a64d27f569b35189defaf |
| SHA256 | 3fefcd19c4ce7b6ff69732818d2e45952476ae8653ec2c8c8cb6a6fb96519882 |
| SHA512 | ed42089b934d01758b4d076ebc4d0a4c9c72cffec9fd2ddd6850b184edff02796c3342a2eedb77589e795fba584117d740ce9251c69ce981f9960a3b3b4a84c2 |
C:\Windows\SysWOW64\Oeehkn32.exe
| MD5 | 6b5d2264763e5db434ab6682163825b0 |
| SHA1 | 21296854c29816fe08d4bd028432db4e86930023 |
| SHA256 | 5bcce2f7d0d20ca1bd9dbedcb3efb43ba06a5d4b28e2cd33546e0aeb291921ca |
| SHA512 | 91b7a26cb7623a627ce132ca2e681ba15e0e55ead3bcc5660cac34f1151eaa63eda308b984e3e084b31104a759efc5413e42917dc619ea4fcb851ac72f706555 |
C:\Windows\SysWOW64\Oalipoiq.exe
| MD5 | 8a6e9cf2d222a6a99f2b2353f52e74b0 |
| SHA1 | a0bcf2e8ff565d154a057de488120d459fb18d9b |
| SHA256 | 931bd48d33db22160183a5513ed992822941f5ef2787709f6176f1e435d37695 |
| SHA512 | 92bd262fd2373a747858f21d15b84a4fa226d41193dfac762096c4822795f0753f5921d1a1a5f656a4604977ef72326111331e88639dda2aae277e7cd930969d |
C:\Windows\SysWOW64\Qoelkp32.exe
| MD5 | 47f8c7bf3789316d454ad8166bf7201c |
| SHA1 | 057c6f1c8aebb008226ff6cf1463ffab600edcda |
| SHA256 | 302edf2eddc5d9f461c13492e5f0b9aee69f3e8205de43d683878097b471b246 |
| SHA512 | 16eb59331a9abd4d5c6a4fc110cea0a210fc3f6ba07d8e0f4b2a6ea04a52a433199783175bc1dca39a77a31e40c9b3bc33595a0ffd9ec18b04eedf7f49ab5a30 |
C:\Windows\SysWOW64\Aeaanjkl.exe
| MD5 | 04ca96989a4b33c8c0fa05933e7949e8 |
| SHA1 | 44d7d7b53b76b5c2a9e9844c09c66ffebd86a4fb |
| SHA256 | f4e2efe29936b1a7113544071d220f92867334b8d063e5f788fc321caea6d8f1 |
| SHA512 | 5d414f76d422d7280bdb69d2861094cf6f48dcf74a76cb27b019573adcca8e72d345e9504915cea79b23b9b2c2c4941e557289b0407db0c823a9af6485265f2b |
C:\Windows\SysWOW64\Alkijdci.exe (captured as a zero-byte file: the four digests below are the hashes of empty input and identify nothing)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\SysWOW64\Adikdfna.exe
| MD5 | 13201bea25dd88c712ec371cbf0a1abb |
| SHA1 | b455dc1dddb38b0f6eac617dbc6b0d18e2fae8b1 |
| SHA256 | f9d8283a3da7cb578dc9823a753d5489f1e3148ca89c2d51393d921feea41f39 |
| SHA512 | ec7f64680082723ba9a92c6c81a7273677dac4e16fd11ba5011764d97102aa6e750dcec3c73465a9839132d129eef96c89445b32ef44aa9166c90f485b65c546 |
C:\Windows\SysWOW64\Aoalgn32.exe
| MD5 | 61bbdfc56eeb60c63c7ec7825e0759ae |
| SHA1 | 0a500473c0dff3892f384bbf684f0778241af375 |
| SHA256 | de496e138963192f2fdd295c26a856f8fbc1e499e796c8b8427a6ea1000b6862 |
| SHA512 | 3bb55dc6a65c6e08e9c05ffa43af9796cbc0bf0e5bf1d5a12c65f3a3ef708afc9b2084f6320311caf59c36500dab39579cb3fe4431fe97a4c54e6e6a2d145500 |
C:\Windows\SysWOW64\Bkjiao32.exe
| MD5 | 612192fac817b65e29099b588ba95938 |
| SHA1 | 1a9cccbcae5616997eed94829ecea4586283504b |
| SHA256 | 0c9ce8188ae66491e3a69da2ddbeadbd629f0c763033837ec5cab2d2ffc746a1 |
| SHA512 | 813f206c4ffb11f78930d29b966acc026fb4d927d61d2ec39a6f85a74a7a592c612915e45b24cb7fbe7a9d6b1537aa584890a977518b6fd6136a7de43ca25253 |
C:\Windows\SysWOW64\Bhpfqcln.exe
| MD5 | 9b14d9f472a43b9ce7b61dfa30703121 |
| SHA1 | 0f2ebed16ae22e34b5b78facf13390b2432711a4 |
| SHA256 | c6477453008048b3d9c3878fced3a535550b7c2b3fe56a42ec8bc359f1c502dd |
| SHA512 | 6e453a60ef9f449fafe6256bbfe5271f6c8a91a12ded0be18f2d0be4f5365dc9c53a9dcc11a0f2e84177b15ffe39bc880bf1d8e06686217a3404b2097b067db0 |
C:\Windows\SysWOW64\Coohhlpe.exe
| MD5 | f6c93179a040a1fe9c8c1e628faf426b |
| SHA1 | beb7a0a529a056bfe480acb892ec082a411bf4dd |
| SHA256 | 8358d2ea3823100f8724c78564df1c84949becae3a1c6cb4e851fa2438f26b7d |
| SHA512 | eea430c831d6ed34f7a0b8b52fd836f2f5523b84a182aad1e837a356f4d1634a0387a56b7f2c75dfc6e4cb0ec590992957c4f5bfb26fea42657aa9f4e6237873 |
C:\Windows\SysWOW64\Cleegp32.exe
| MD5 | 44ee041941969b9a4acc11929d49ef0d |
| SHA1 | a29ec9df71cc3ec928daa8cc266ea1f390007298 |
| SHA256 | 8762ab353eb3fcd63c13886ce15f51644e85001e38ef676341e3cbe9779220f1 |
| SHA512 | 15e12020c870b48c76810453756ac0b7d5d1ec99ee8d4f8ab43b3034cbb0b08f6e4ea369664a1616fda5381b38f3b303931032e703e55bdc572e18627b6042e9 |
C:\Windows\SysWOW64\Dokgdkeh.exe
| MD5 | 005db371b882c31e883dfeb088bbd23c |
| SHA1 | fff94e171434e5a1a28d40cc9b7aff689decfd1c |
| SHA256 | f47be2c8c2200a2b8724eb6c0c4a7b3f68d0eb6450bc6902feb2b5e28bf19092 |
| SHA512 | 3b9035f9556e756e0435216473f94215d0b8ed8ddcd08da51d10436a338c46ab54a21cfe72f73171600071032d03436d1aeb8c2bc9de6963fea445d0468b3467 |
C:\Windows\SysWOW64\Efpomccg.exe
| MD5 | 3c7783ccfcdb0807e024677fd72d734c |
| SHA1 | 4e812773ff60f1ec41a1a5f63c7102b24d8e7469 |
| SHA256 | cb81ad212dd1d0c221af02880bbb0505e93799b5dda5aed16bd366bdaee22cde |
| SHA512 | 893791381ed8b2b1deb35c75c97a6082600b656532efd99851b457216b951bbc370f96c52e33ae64c8252fa88660e2b5ad04f5b8b48af07e7f6a85ecdb3cfac3 |
C:\Windows\SysWOW64\Fnlmhc32.exe
| MD5 | 3bd1f9134f0767e25319f23420f14324 |
| SHA1 | a4fc9d811e15d478ee28b8f561f431614d28f336 |
| SHA256 | 120eeb9927981f2ce500c3ff9759f37f5f5e766156f475d7909d08c497f3666a |
| SHA512 | eacc6fd5c84d3f7299dbcb18ca414508f4698743b720857443addcfc4fd60d2315cb5de3f759ed5d3b967bbb8ca9b718876429d5d01afb6d49f76737c5b9246b |
C:\Windows\SysWOW64\Fmmmfj32.exe
| MD5 | abd3a8c4b4e77e414560c50fddc50485 |
| SHA1 | 8c5dba4b5fc7d810e7a62f13e79f0f14d168838a |
| SHA256 | a72c4574552552690cf2a4715c08998b72738731b6876aa1ad36855254747698 |
| SHA512 | 9d9b713501859d3398774e63bb6995195cba581c4eff0fab6d06995a4deb113175ab97f7609d049ccbd2e19c8453f413090d8f7da606c1df97bca5c9abe05a57 |
C:\Windows\SysWOW64\Gbalopbn.exe
| MD5 | 1ce9a8f3a7c1b17bebc27137421c22ca |
| SHA1 | 7e11e2bbc92066c15cc542dc80f93abe4bb86659 |
| SHA256 | cbfbb0c2ec8a0e09431559e6d6e767dc5aa47f3448a42bd1c08349d39952ac4a |
| SHA512 | 8a29873b72dbf5d42cc6123935251f019b0c173cd44a2b479ed004b6f8439bca30ce6672137d4a7f41385de5bfbbc6214b3369020057105c97113f965465d43f |
C:\Windows\SysWOW64\Gfodeohd.exe
| MD5 | 482c7647d81950f2764c8709953ac207 |
| SHA1 | 74d6a894bef256894f37a9cd5b1a18b1c9be73c8 |
| SHA256 | 643b582b0c2117e2ad70092995be55730f6778b880c4820b3e5d5b5db2839749 |
| SHA512 | 67d9d5241404c98582e4dc7e5b97e6daac22d1a3139367af5344b329e3018ab81b313d2cc1d558916521253e85eda554e894c1c73064e5f5071ddfa73493e8df |
C:\Windows\SysWOW64\Hibjli32.exe
| MD5 | 0fea01252637a6305b731cfec084e2a3 |
| SHA1 | 5436218fccd915b259481c2e119d1a9ecbe2a97d |
| SHA256 | d25e30ea4f8a6724e27dcf104bb1097eeae2bc54093da654fc3412b24045cfa2 |
| SHA512 | ee652dc9e2d273fbe0dc8a730e2ff9673c0ff38897bd9f69c6e8335c839156394ac53ce53f90a7eb17f0e15dacebbe8fa6f857fbd439cae31a049458d2f1df7e |
C:\Windows\SysWOW64\Ibcaknbi.exe
| MD5 | 4e43c2a6bae03cdd6bff2c131e7ae424 |
| SHA1 | adef0b7a192e77ee6bd05b751aaca8ccc4b3f21a |
| SHA256 | 9c4c96ad9659ef814d27477bb08fc5a81e01268495773454e7264f1fcfd47b47 |
| SHA512 | 166e9868e1f6b98f8cdbc95df97902691aadd5f9b595ebc1593b3b8dedc628fae321f064104b8e1b8ff9a8af7e22ac76f4c6ac0b91afcf57218334b31819d498 |
C:\Windows\SysWOW64\Iomoenej.exe
| MD5 | db24141353dbd93c12e1afd779138d3b |
| SHA1 | 1c806c09b30a1e86b2173d2ddf07efc27dcc371a |
| SHA256 | 2ea0ea38f733f1f622afc408205c8352835fc7eba5b29502602d9eef1ad26745 |
| SHA512 | 82eac99134d4042dc35e933ef11c31926782ba5f1cf842ecd248b3baeef81dd697b96a2ba28837376a6da88804ac4d87697fa7238c4eb67f6db9b8837fe76bb9 |
C:\Windows\SysWOW64\Jgbchj32.exe
| MD5 | a13976e5022a614e4edff9bcf51c43ca |
| SHA1 | 088796f6e8c46384e93432576adc650fce882687 |
| SHA256 | 458c91e5e5eb0f3aca4083a366f0ba22e3302c2b2f790a6486de2a104ed23b0c |
| SHA512 | 80471ab51dc9781b61b4beac62a04023125ff0e9204358dfac9a335140669fc77971a2aec3c414faef4cf11f7880123edac5ff0d8cbfc8dcc41242611f7a93a1 |
C:\Windows\SysWOW64\Lljklo32.exe
| MD5 | cbcbdb724bc23606face0221435b9ffd |
| SHA1 | 096517acc345401f887fcd046037c20da96c4fdf |
| SHA256 | 54ea1f92f58afe7c97f7865523e80735953862e8cbab58ffa576e69eca388ffa |
| SHA512 | e6026f7458525b6b6010326ab5d4001c0956f1af65172307975c9313554b8af6db3c36209b23d177269ce100239b293b9be3e25fe9e5a3d4ca55b3965f4fc083 |
C:\Windows\SysWOW64\Lgbloglj.exe
| MD5 | 9e0709a1af93f80033656f5e5b5a8104 |
| SHA1 | 2bc5a87330d722c6f0fea5b4ae7d4953d312a237 |
| SHA256 | 1fba67afe3f41fb46f3b7d9394b7b9b170c359f17aebc8c8f21725c63ab82cec |
| SHA512 | 5921f208f0500681106cbfbab4ae0860f6d0bdd62138e0ef94285e4053db1ae8beb05c4d343e4abb3ff384b5ef6a83f5b3ef45c23b72f525e288f3376a6ea97a |
C:\Windows\SysWOW64\Lqmmmmph.exe
| MD5 | 2c3f9e7b47da5e180299984227dd52f3 |
| SHA1 | 34ad8bd6cd32418726eee8e91bc787b8245d3e3b |
| SHA256 | 82ac6f8a72d4e8a60cfd18ac8710011fb624b6796ecde5b046ab7fa58890f400 |
| SHA512 | 3ec05c3ce081f5fc6196559f22265e42636b5ed38af5ab743e7bbe29094c74f47221e2484b14a212f2ae65e3381c561fbfc3f041c79ec06c88916cfcce1fbb3d |
C:\Windows\SysWOW64\Mnegbp32.exe
| MD5 | 2944b285a40cbbcb58b3567f8c76339e |
| SHA1 | 9d78047f70e2d7734edd99d83d8c360dc8f2dc63 |
| SHA256 | 3fdd7a5a2f1b66f110c19f512be4b7498350b6021663feaf49498cf4318610d2 |
| SHA512 | ce4100dd213bdcaef3d3f2700b33b81f7dfd8a470e08b8da39fa12c64a5f1e942b26c3aad7c4fa7253a49a03614ef2112e3b9a9907d713dc7f479dd4b46a3573 |
C:\Windows\SysWOW64\Monjjgkb.exe
| MD5 | 84021072b17ba54e9334ddcc9d9e6eba |
| SHA1 | ef0aca34a715e032dd20b229cc3c97e3315e829c |
| SHA256 | 2854c99d5d5f172167b87cdb80925073dc85903924224cf6d2d32cf03f043d6f |
| SHA512 | 47d54fb18dbc0313928d136c5f0585e56e6f0953e76b89ed95dc6b8c37367a9ee3229b1ff47717b4031861582f95f57db5eb8bde788e82f1eb18f0d67b2d549c |
C:\Windows\SysWOW64\Nnfpinmi.exe
| MD5 | 6692093787cd5a1e633db553c92e9c05 |
| SHA1 | ee35f36e3d202606270a8944690a8d843cd90f34 |
| SHA256 | b41b79875136a0037c3548eb34993785a58973ae374f34b54729ede32adb4666 |
| SHA512 | 8294dab7733ff054b126833a0ff5d1f202abc4c143c74e1d015c27e2a697a7a526131edd5c0e0b65e4df6db6d3732f763affefe01bb5c72ad35a41f81e4c4467 |
C:\Windows\SysWOW64\Ojomcopk.exe
| MD5 | 396621498d546fa8051a19f3b383f9a5 |
| SHA1 | a9cbbe06602dbe0d4b3b9e3a5ab6db8dfcfbefae |
| SHA256 | 93515ec85276d8c71b0151037c67a164fe37b4133f20a01f7c10c18e7534734d |
| SHA512 | df57f9ffea2523613d4687e3d99c97da052c2f6ad649ca91ac5d2efc9483f15bf76a88a4bd00aff091e6bf1b600b7a3d62e9d0f3f4cdf952e675cd6f20bc5517 |
C:\Windows\SysWOW64\Pnfiplog.exe
| MD5 | 809a7783daa4b79778e9be2bd85fd843 |
| SHA1 | 2a903f2335dc5cef1b8756079f3b5101fe40ae06 |
| SHA256 | 9c68688afe081f45d9242301b782d7a11c0af813933c5762c5760a6f5c293164 |
| SHA512 | bedbd1424a5f1d0d8a2d1d19bb7433bff2cb4e33f639a89ba6cef156e1f48f5694d078b388f9f87882ac63d3717fe2d9710a7e5ba1fc3019b3372574093be886 |
C:\Windows\SysWOW64\Pdhkcb32.exe
| MD5 | f42d61948c4f9a51f0b8348901a036a4 |
| SHA1 | 2cb3e606d7716925c2ea1313e5f7203a1d1616db |
| SHA256 | 19466df36c81b857bb55a0338d72e3dddadd51e61875d491ccaf0c47d8d4489a |
| SHA512 | 13c19c28904389cc929e6b51a87ca73ecd9a2000f8d63931aa2b6f10a5bc1fa925ddd470f00095b06070caf5ed028f690f849e6c1854d6a6ed0e5ada695095e7 |
C:\Windows\SysWOW64\Panhbfep.exe
| MD5 | d46c0ae72bf1b8623962b14694766a6f |
| SHA1 | 8569cc34a0e0001a19dfb6cf7ca1a49e2d90f368 |
| SHA256 | af762290fb02eab3839b2119d17c2c026313b55d559720c8b5d31ff2aceb2e9f |
| SHA512 | 68b2ceaa81be56df7391488e2a9c76b153d67e7de6189bf885cc501b9a0b651782db1419dc0b78687817f6495c3dac5d1040f69a50f6b051e3e2b6e5303d3cb5 |
C:\Windows\SysWOW64\Amnlme32.exe
| MD5 | 5e8937ce187bdcf62d51c91d520724a8 |
| SHA1 | f465dfc1cc46ce1d5a8184fad197fe4adc07f382 |
| SHA256 | e9e97c2e56b32699f52ffb7f5a6c3c068e8c05f640a745c24555ae627e897e76 |
| SHA512 | 525f41163efba9588177d4cd83e647d14ccce10befef8244a65dd597fd2825b5052fc88eced67c7bc085dceb95d5e18cd3a948f5880befaeed4a7b4d7fca688c |
C:\Windows\SysWOW64\Agimkk32.exe
| MD5 | 89a97929fa77805dd139caa4515a665a |
| SHA1 | 8cee9006b4b49fc14ef9a6a5d37ecf57ef704cef |
| SHA256 | 0c352428faa30924ee38ed40baba438d15f53e6840fb7055272af0dbe6881bb6 |
| SHA512 | 24b2f8ab5e93d743ddb9a3a1a359a762a258fac56d2b53dff9fe346dd074be03068a430cd5b2ac4a9b3661f3bd28c46c15c2c9289d119beb5e655837f7fbda77 |
C:\Windows\SysWOW64\Bacjdbch.exe
| MD5 | 1bbc57aca45a37b13a591eab255ffe54 |
| SHA1 | 33e999cd92d1153b6bf200da94a96fb219c31565 |
| SHA256 | 57de726fd9f1ddb7c45e7d007b69ea13d5d45fef3d1f8f97ca3d1de8d1fbdd4b |
| SHA512 | 07c26e3e6ae8607d00ccb0ca4511d9e8a6e436817ab4685c159b5e0f6e704c59a79760e1c42f53099396aa8fc11897fce0bd52bd6121946a5b8c628814b9e4dc |
C:\Windows\SysWOW64\Chiblk32.exe
| MD5 | ac353ee95af59f83f6face03624eea8a |
| SHA1 | 348a6e3e63dee78a230d8db4b6c6ee2457e06089 |
| SHA256 | 887667f3aca248dc07ab1de1d033205e57857e1b35a745a2d188db8860037eec |
| SHA512 | 6af7ef9a2316023ba71c78e16bd6bb7ab6c00f7c21997714d8afe5b56c40180cc0454662adbc5fd4d37363a848191b985235fe6e7e2c648f5c9b74cfead7ac78 |
C:\Windows\SysWOW64\Cgqlcg32.exe
| MD5 | 8ec6b1fab449cfe07a2b39d537b2246f |
| SHA1 | 6ffeeedd4f6d1b8434bd99afb0bbc8eba51270fe |
| SHA256 | 1290f0f4afe64362e3738af19e99c5bd9440eed3032a4fa892dd8df765e2f0ca |
| SHA512 | 1942e0dad60f0e12cc80ac501d900710b2d0d8de14d16389a6ebe45f80cda71d7a2d928c227df5aea971ec8e65f5e996ef4abbe63eb7f3a0e1e7d89ccf3eaaec |
C:\Windows\SysWOW64\Ddgibkpc.exe
| MD5 | 4f20e0d0787bed92f226d08c044a7b50 |
| SHA1 | fbef23653eccac6aa32e2dc4a6dceb8be51bfc82 |
| SHA256 | 4d05dcfd5748631f1fb0cec415843d16ac5f5024517303825eb6c8c95960ccdb |
| SHA512 | b9c983b4a26ba68dabeee12d45a90de3ef063d740d12f8ef9d340139157431148142d31e6acee4ac2299a7796ef0bf07991862de6b1864996e94767737d05598 |
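The Network table above records reverse (PTR) lookups, and the Files list records one hash set per dropped copy, each copy with its own digests. The script below is an added example, not part of the sandbox output, that parses this report's plain-text layout: it turns each in-addr.arpa name back into the IPv4 address that was looked up, collects the dropped-file hashes, and discards the Alkijdci.exe entry whose digests are those of a zero-byte file. The SAMPLE excerpt is constructed from rows copied from the report; the network table carries no originating-process column, so which of these lookups were issued by the sample rather than by background OS traffic cannot be decided from it.

```python
"""Indicator extraction for the Network and Files sections of this report.

Added example; not part of the original sandbox output. It reads the report's
own plain-text layout (a dropped-file path followed by "| MD5 | ... |" rows,
and "| Country | Destination | Domain | Proto |" rows for network traffic).
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt: a few rows copied from the report above.
SAMPLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
Files
memory/4464-0-0x0000000000400000-0x000000000042F000-memory.dmp
C:\\Windows\\SysWOW64\\Coknoaic.exe
| MD5 | 5964f553e056b92afb37bd828b4a5617 |
| SHA1 | 1808fd8bd9136668e33169805710b3e0d21a2fed |
| SHA256 | f5acc1e39ca4d8095b0a592a95355cd0360afc7e2b7595b68063a0ed6a490bdd |
| SHA512 | b41ed4de05b2f5a5bde8785299d6da7d1ff9c433805ceee0499537762545d860d143b81688a067e5a6be9505796bfe0b48225d773e3c7dfc23d25275594dc897 |
C:\\Windows\\SysWOW64\\Alkijdci.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
"""

# Digest lengths (hex chars) used to reject truncated or mangled rows.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Digests of zero bytes of input, computed rather than hard-coded.
EMPTY_DIGESTS = {alg: hashlib.new(alg, b"").hexdigest() for alg in HEX_LEN}

PTR_RE = re.compile(r"((?:\d{1,3}\.){4})in-addr\.arpa\.?$", re.IGNORECASE)
WINPATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class DroppedFile:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)

    def is_empty(self) -> bool:
        """True when any recorded digest is the digest of empty input."""
        return any(self.hashes.get(alg) == d for alg, d in EMPTY_DIGESTS.items())


def ptr_to_ip(name: str) -> Optional[str]:
    """'172.214.232.199.in-addr.arpa' -> '199.232.214.172'; None if not an IPv4 PTR name."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    if any(int(o) > 255 for o in octets):
        return None
    return ".".join(reversed(octets))  # PTR labels are the address octets reversed


def parse_report(text: str) -> Tuple[List[str], List[DroppedFile]]:
    """Return (IPs that were reverse-looked-up, dropped files with their hashes)."""
    ips: List[str] = []
    files: List[DroppedFile] = []
    current: Optional[DroppedFile] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) == 4 and cells[0] != "Country":      # network row
                ip = ptr_to_ip(cells[2])
                if ip:
                    ips.append(ip)
            elif len(cells) == 2 and current is not None:        # hash row under a path
                alg, digest = cells[0].lower(), cells[1].lower()
                if alg in HEX_LEN and re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[alg], digest):
                    current.hashes[alg] = digest
        elif WINPATH_RE.match(line):                              # a path opens a file entry
            current = DroppedFile(line)
            files.append(current)
        else:                                                     # memory dumps, headers
            current = None
    return ips, files


def usable_sha256(files: List[DroppedFile]) -> List[str]:
    """Distinct SHA256 values worth blocking; empty-file captures are dropped."""
    return sorted({f.hashes["sha256"] for f in files
                   if "sha256" in f.hashes and not f.is_empty()})


if __name__ == "__main__":
    ips, files = parse_report(SAMPLE)
    print("reverse-resolved IPs:", ips)
    for f in files:
        print(("EMPTY  " if f.is_empty() else "hash   ") + f.path, f.hashes.get("sha256"))
    print("usable SHA256 IOCs:", usable_sha256(files))
```

Because every dropped copy listed here carries a different digest, the hash list alone has limited hunting value; the stable features visible in this section are the drop location (random eight-letter .exe names under SysWOW64) and the identical 0x400000-0x42F000 image mapping in every memory dump.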