Analysis Overview
SHA256
3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881f
Threat Level: Known bad
The file 3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN was found to be: Known bad.
Malicious Activity Summary
Berbew family
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 10:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 10:37
Reported
2024-11-10 10:39
Platform
win7-20240903-en
Max time kernel
117s
Max time network
117s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ibacbcgg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kdbepm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gkgoff32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hjfnnajl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kambcbhb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Klcgpkhh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ghdiokbq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Goqnae32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kmimcbja.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kdbepm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kpieengb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gaojnq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iclbpj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iocgfhhc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Inhdgdmk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Goldfelp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hdbpekam.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Inhdgdmk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jfaeme32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kmfpmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kfodfh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghdiokbq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kambcbhb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kjhcag32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kkjpggkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gecpnp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jpbcek32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kipmhc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kmkihbho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hcgmfgfd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ifolhann.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hgeelf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hqnjek32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iclbpj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jefbnacn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kidjdpie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gcedad32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gkcekfad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Llpfjomf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kenhopmf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kfodfh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kidjdpie.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jjhgbd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jfjolf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jjhgbd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kjhcag32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gaojnq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ibfmmb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iegeonpc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kekkiq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ibacbcgg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iakino32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iamfdo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gcedad32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gnfkba32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jfaeme32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kipmhc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Hqmkfaia.dll | C:\Windows\SysWOW64\Gecpnp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dfcllk32.dll | C:\Windows\SysWOW64\Hmdkjmip.exe | N/A |
| File created | C:\Windows\SysWOW64\Iclbpj32.exe | C:\Windows\SysWOW64\Iamfdo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mobafhlg.dll | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| File created | C:\Windows\SysWOW64\Kambcbhb.exe | C:\Windows\SysWOW64\Kbjbge32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kbmome32.exe | C:\Windows\SysWOW64\Klcgpkhh.exe | N/A |
| File created | C:\Windows\SysWOW64\Goldfelp.exe | C:\Windows\SysWOW64\Gecpnp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Efdmgc32.dll | C:\Windows\SysWOW64\Goldfelp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hnhgha32.exe | C:\Windows\SysWOW64\Hgnokgcc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ibfmmb32.exe | C:\Windows\SysWOW64\Igqhpj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kobgmfjh.dll | C:\Windows\SysWOW64\Iamfdo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hmdkjmip.exe | C:\Windows\SysWOW64\Hjfnnajl.exe | N/A |
| File created | C:\Windows\SysWOW64\Ccmkid32.dll | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| File created | C:\Windows\SysWOW64\Jefbnacn.exe | C:\Windows\SysWOW64\Jbhebfck.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kmimcbja.exe | C:\Windows\SysWOW64\Kkjpggkn.exe | N/A |
| File created | C:\Windows\SysWOW64\Bodilc32.dll | C:\Windows\SysWOW64\Kkjpggkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kipmhc32.exe | C:\Windows\SysWOW64\Kfaalh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gnfkba32.exe | C:\Windows\SysWOW64\Gkgoff32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hqiqjlga.exe | C:\Windows\SysWOW64\Hklhae32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pbonaedo.dll | C:\Windows\SysWOW64\Hcgmfgfd.exe | N/A |
| File created | C:\Windows\SysWOW64\Iocgfhhc.exe | C:\Windows\SysWOW64\Hmdkjmip.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Inhdgdmk.exe | C:\Windows\SysWOW64\Ikjhki32.exe | N/A |
| File created | C:\Windows\SysWOW64\Caejbmia.dll | C:\Windows\SysWOW64\Igqhpj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jjhgbd32.exe | C:\Windows\SysWOW64\Jpbcek32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jfaeme32.exe | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hgnokgcc.exe | C:\Windows\SysWOW64\Gnfkba32.exe | N/A |
| File created | C:\Windows\SysWOW64\Flpkcb32.dll | C:\Windows\SysWOW64\Hnhgha32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pbpifm32.dll | C:\Windows\SysWOW64\Iclbpj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hcgmfgfd.exe | C:\Windows\SysWOW64\Hqiqjlga.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jbclgf32.exe | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| File created | C:\Windows\SysWOW64\Gffdobll.dll | C:\Windows\SysWOW64\Kpieengb.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipafocdg.dll | C:\Windows\SysWOW64\Llpfjomf.exe | N/A |
| File created | C:\Windows\SysWOW64\Piaoqi32.dll | C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe | N/A |
| File created | C:\Windows\SysWOW64\Gecpnp32.exe | C:\Windows\SysWOW64\Gcedad32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ikjhki32.exe | C:\Windows\SysWOW64\Ibacbcgg.exe | N/A |
| File created | C:\Windows\SysWOW64\Jikhnaao.exe | C:\Windows\SysWOW64\Jjhgbd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmfpmc32.exe | C:\Windows\SysWOW64\Kjhcag32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kkjpggkn.exe | C:\Windows\SysWOW64\Kfodfh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gkgoff32.exe | C:\Windows\SysWOW64\Gaojnq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ffbpca32.dll | C:\Windows\SysWOW64\Iocgfhhc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iegeonpc.exe | C:\Windows\SysWOW64\Iakino32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jefbnacn.exe | C:\Windows\SysWOW64\Jbhebfck.exe | N/A |
| File created | C:\Windows\SysWOW64\Agioom32.dll | C:\Windows\SysWOW64\Kbmome32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ijjnkj32.dll | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| File created | C:\Windows\SysWOW64\Kpieengb.exe | C:\Windows\SysWOW64\Kmkihbho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hgeelf32.exe | C:\Windows\SysWOW64\Honnki32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghdiokbq.exe | C:\Windows\SysWOW64\Goldfelp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hklhae32.exe | C:\Windows\SysWOW64\Hdbpekam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hqnjek32.exe | C:\Windows\SysWOW64\Hgeelf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iocgfhhc.exe | C:\Windows\SysWOW64\Hmdkjmip.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iamfdo32.exe | C:\Windows\SysWOW64\Iegeonpc.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhenjmbb.exe | C:\Windows\SysWOW64\Jefbnacn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kidjdpie.exe | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kekkiq32.exe | C:\Windows\SysWOW64\Kbmome32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kfodfh32.exe | C:\Windows\SysWOW64\Kenhopmf.exe | N/A |
| File created | C:\Windows\SysWOW64\Kpgionie.exe | C:\Windows\SysWOW64\Kmimcbja.exe | N/A |
| File created | C:\Windows\SysWOW64\Kfaalh32.exe | C:\Windows\SysWOW64\Kdbepm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Llpfjomf.exe | C:\Windows\SysWOW64\Libjncnc.exe | N/A |
| File created | C:\Windows\SysWOW64\Qfomeb32.dll | C:\Windows\SysWOW64\Gcedad32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Goqnae32.exe | C:\Windows\SysWOW64\Gkcekfad.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnhgha32.exe | C:\Windows\SysWOW64\Hgnokgcc.exe | N/A |
| File created | C:\Windows\SysWOW64\Ibfmmb32.exe | C:\Windows\SysWOW64\Igqhpj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbjbge32.exe | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kfaalh32.exe | C:\Windows\SysWOW64\Kdbepm32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Lbjofi32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gaojnq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gnfkba32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jbhebfck.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Klcgpkhh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jikhnaao.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jefbnacn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kpieengb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gkgoff32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hklhae32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hcgmfgfd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hgeelf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iegeonpc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kkjpggkn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hgnokgcc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hmdkjmip.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iaimipjl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kidjdpie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kmfpmc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jpbcek32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kekkiq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kfodfh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gecpnp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ibacbcgg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kbmome32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kmkihbho.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Llpfjomf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gcedad32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Goldfelp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jjhgbd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hnhgha32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iclbpj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jbclgf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hdbpekam.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kambcbhb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kdbepm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kfaalh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kipmhc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lbjofi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hqiqjlga.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ikjhki32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kbjbge32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghdiokbq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iocgfhhc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jjjdhc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kkojbf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Libjncnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Igqhpj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iamfdo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kjhcag32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Goqnae32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iakino32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jfaeme32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Khjgel32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kenhopmf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hqnjek32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ifolhann.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kmimcbja.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gkcekfad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Honnki32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Klcgpkhh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jjjdhc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kmfpmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlekjpbi.dll" | C:\Windows\SysWOW64\Kfodfh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiomcb32.dll" | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Honnki32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iegeonpc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kkojbf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gkcekfad.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbnjifp.dll" | C:\Windows\SysWOW64\Gkgoff32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hcgmfgfd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kkjpggkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kambcbhb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kidjdpie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agioom32.dll" | C:\Windows\SysWOW64\Kbmome32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ghdiokbq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbonaedo.dll" | C:\Windows\SysWOW64\Hcgmfgfd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ifolhann.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kkjpggkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdbellh.dll" | C:\Windows\SysWOW64\Ibacbcgg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iamfdo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kekkiq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfpmb32.dll" | C:\Windows\SysWOW64\Jfjolf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll" | C:\Windows\SysWOW64\Kekkiq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll" | C:\Windows\SysWOW64\Kfaalh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jbhebfck.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll" | C:\Windows\SysWOW64\Kpieengb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gaojnq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gaojnq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hjfnnajl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ibfmmb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Keioca32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll" | C:\Windows\SysWOW64\Jbclgf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faibdo32.dll" | C:\Windows\SysWOW64\Hklhae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll" | C:\Windows\SysWOW64\Jhenjmbb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kfaalh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efdmgc32.dll" | C:\Windows\SysWOW64\Goldfelp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iocgfhhc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kidjdpie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjnkj32.dll" | C:\Windows\SysWOW64\Kdnkdmec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hoqjqhjf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkaamgeg.dll" | C:\Windows\SysWOW64\Ibfmmb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gecpnp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllmckbg.dll" | C:\Windows\SysWOW64\Hgeelf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jfaeme32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll" | C:\Windows\SysWOW64\Kjhcag32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hklhae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hmdkjmip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdmihcc.dll" | C:\Windows\SysWOW64\Inhdgdmk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdofg32.dll" | C:\Windows\SysWOW64\Hgnokgcc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hqnjek32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqgpml32.dll" | C:\Windows\SysWOW64\Hjfnnajl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodilc32.dll" | C:\Windows\SysWOW64\Kkjpggkn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbpqjma.dll" | C:\Windows\SysWOW64\Ghdiokbq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbdnb32.dll" | C:\Windows\SysWOW64\Ikjhki32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhanebc.dll" | C:\Windows\SysWOW64\Jjjdhc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gkgoff32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kjhcag32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmofpf32.dll" | C:\Windows\SysWOW64\Kidjdpie.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijpfppe.dll" | C:\Windows\SysWOW64\Hdbpekam.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe
"C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe"
C:\Windows\SysWOW64\Gcedad32.exe
C:\Windows\system32\Gcedad32.exe
C:\Windows\SysWOW64\Gecpnp32.exe
C:\Windows\system32\Gecpnp32.exe
C:\Windows\SysWOW64\Goldfelp.exe
C:\Windows\system32\Goldfelp.exe
C:\Windows\SysWOW64\Ghdiokbq.exe
C:\Windows\system32\Ghdiokbq.exe
C:\Windows\SysWOW64\Gkcekfad.exe
C:\Windows\system32\Gkcekfad.exe
C:\Windows\SysWOW64\Goqnae32.exe
C:\Windows\system32\Goqnae32.exe
C:\Windows\SysWOW64\Gaojnq32.exe
C:\Windows\system32\Gaojnq32.exe
C:\Windows\SysWOW64\Gkgoff32.exe
C:\Windows\system32\Gkgoff32.exe
C:\Windows\SysWOW64\Gnfkba32.exe
C:\Windows\system32\Gnfkba32.exe
C:\Windows\SysWOW64\Hgnokgcc.exe
C:\Windows\system32\Hgnokgcc.exe
C:\Windows\SysWOW64\Hnhgha32.exe
C:\Windows\system32\Hnhgha32.exe
C:\Windows\SysWOW64\Hdbpekam.exe
C:\Windows\system32\Hdbpekam.exe
C:\Windows\SysWOW64\Hklhae32.exe
C:\Windows\system32\Hklhae32.exe
C:\Windows\SysWOW64\Hqiqjlga.exe
C:\Windows\system32\Hqiqjlga.exe
C:\Windows\SysWOW64\Hcgmfgfd.exe
C:\Windows\system32\Hcgmfgfd.exe
C:\Windows\SysWOW64\Honnki32.exe
C:\Windows\system32\Honnki32.exe
C:\Windows\SysWOW64\Hgeelf32.exe
C:\Windows\system32\Hgeelf32.exe
C:\Windows\SysWOW64\Hqnjek32.exe
C:\Windows\system32\Hqnjek32.exe
C:\Windows\SysWOW64\Hoqjqhjf.exe
C:\Windows\system32\Hoqjqhjf.exe
C:\Windows\SysWOW64\Hjfnnajl.exe
C:\Windows\system32\Hjfnnajl.exe
C:\Windows\SysWOW64\Hmdkjmip.exe
C:\Windows\system32\Hmdkjmip.exe
C:\Windows\SysWOW64\Iocgfhhc.exe
C:\Windows\system32\Iocgfhhc.exe
C:\Windows\SysWOW64\Ibacbcgg.exe
C:\Windows\system32\Ibacbcgg.exe
C:\Windows\SysWOW64\Ikjhki32.exe
C:\Windows\system32\Ikjhki32.exe
C:\Windows\SysWOW64\Inhdgdmk.exe
C:\Windows\system32\Inhdgdmk.exe
C:\Windows\SysWOW64\Ifolhann.exe
C:\Windows\system32\Ifolhann.exe
C:\Windows\SysWOW64\Igqhpj32.exe
C:\Windows\system32\Igqhpj32.exe
C:\Windows\SysWOW64\Ibfmmb32.exe
C:\Windows\system32\Ibfmmb32.exe
C:\Windows\SysWOW64\Iaimipjl.exe
C:\Windows\system32\Iaimipjl.exe
C:\Windows\SysWOW64\Iakino32.exe
C:\Windows\system32\Iakino32.exe
C:\Windows\SysWOW64\Iegeonpc.exe
C:\Windows\system32\Iegeonpc.exe
C:\Windows\SysWOW64\Iamfdo32.exe
C:\Windows\system32\Iamfdo32.exe
C:\Windows\SysWOW64\Iclbpj32.exe
C:\Windows\system32\Iclbpj32.exe
C:\Windows\SysWOW64\Jfjolf32.exe
C:\Windows\system32\Jfjolf32.exe
C:\Windows\SysWOW64\Jpbcek32.exe
C:\Windows\system32\Jpbcek32.exe
C:\Windows\SysWOW64\Jjhgbd32.exe
C:\Windows\system32\Jjhgbd32.exe
C:\Windows\SysWOW64\Jikhnaao.exe
C:\Windows\system32\Jikhnaao.exe
C:\Windows\SysWOW64\Jbclgf32.exe
C:\Windows\system32\Jbclgf32.exe
C:\Windows\SysWOW64\Jjjdhc32.exe
C:\Windows\system32\Jjjdhc32.exe
C:\Windows\SysWOW64\Jllqplnp.exe
C:\Windows\system32\Jllqplnp.exe
C:\Windows\SysWOW64\Jfaeme32.exe
C:\Windows\system32\Jfaeme32.exe
C:\Windows\SysWOW64\Jbhebfck.exe
C:\Windows\system32\Jbhebfck.exe
C:\Windows\SysWOW64\Jefbnacn.exe
C:\Windows\system32\Jefbnacn.exe
C:\Windows\SysWOW64\Jhenjmbb.exe
C:\Windows\system32\Jhenjmbb.exe
C:\Windows\SysWOW64\Kbjbge32.exe
C:\Windows\system32\Kbjbge32.exe
C:\Windows\SysWOW64\Kambcbhb.exe
C:\Windows\system32\Kambcbhb.exe
C:\Windows\SysWOW64\Keioca32.exe
C:\Windows\system32\Keioca32.exe
C:\Windows\SysWOW64\Kidjdpie.exe
C:\Windows\system32\Kidjdpie.exe
C:\Windows\SysWOW64\Klcgpkhh.exe
C:\Windows\system32\Klcgpkhh.exe
C:\Windows\SysWOW64\Kbmome32.exe
C:\Windows\system32\Kbmome32.exe
C:\Windows\SysWOW64\Kekkiq32.exe
C:\Windows\system32\Kekkiq32.exe
C:\Windows\SysWOW64\Kdnkdmec.exe
C:\Windows\system32\Kdnkdmec.exe
C:\Windows\SysWOW64\Khjgel32.exe
C:\Windows\system32\Khjgel32.exe
C:\Windows\SysWOW64\Kjhcag32.exe
C:\Windows\system32\Kjhcag32.exe
C:\Windows\SysWOW64\Kmfpmc32.exe
C:\Windows\system32\Kmfpmc32.exe
C:\Windows\SysWOW64\Kenhopmf.exe
C:\Windows\system32\Kenhopmf.exe
C:\Windows\SysWOW64\Kfodfh32.exe
C:\Windows\system32\Kfodfh32.exe
C:\Windows\SysWOW64\Kkjpggkn.exe
C:\Windows\system32\Kkjpggkn.exe
C:\Windows\SysWOW64\Kmimcbja.exe
C:\Windows\system32\Kmimcbja.exe
C:\Windows\SysWOW64\Kpgionie.exe
C:\Windows\system32\Kpgionie.exe
C:\Windows\SysWOW64\Kdbepm32.exe
C:\Windows\system32\Kdbepm32.exe
C:\Windows\SysWOW64\Kfaalh32.exe
C:\Windows\system32\Kfaalh32.exe
C:\Windows\SysWOW64\Kipmhc32.exe
C:\Windows\system32\Kipmhc32.exe
C:\Windows\SysWOW64\Kmkihbho.exe
C:\Windows\system32\Kmkihbho.exe
C:\Windows\SysWOW64\Kpieengb.exe
C:\Windows\system32\Kpieengb.exe
C:\Windows\SysWOW64\Kkojbf32.exe
C:\Windows\system32\Kkojbf32.exe
C:\Windows\SysWOW64\Libjncnc.exe
C:\Windows\system32\Libjncnc.exe
C:\Windows\SysWOW64\Llpfjomf.exe
C:\Windows\system32\Llpfjomf.exe
C:\Windows\SysWOW64\Lbjofi32.exe
C:\Windows\system32\Lbjofi32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 140
Network
Files
memory/2092-0-0x0000000000400000-0x000000000042F000-memory.dmp
\Windows\SysWOW64\Gcedad32.exe
| MD5 | b77497d0f4d4bb5530d5a91715cb7285 |
| SHA1 | 0fd5695f2f4636dcacf0b3955d591bc4410e8899 |
| SHA256 | f9dc8c9bd92f7cabedb826bb5e7adb588289d3754ba88067c2174a9db16267c4 |
| SHA512 | 6bf6b0dd1426edd1ccba71e2d3df1b6434c218996782df477da12b69f456a3d57057de147f66c38f5ffd8408dce4fd85ddec8f72d81edb0eb30f72268dbaa615 |
memory/2712-14-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2092-13-0x0000000000280000-0x00000000002AF000-memory.dmp
memory/2092-12-0x0000000000280000-0x00000000002AF000-memory.dmp
C:\Windows\SysWOW64\Gecpnp32.exe
| MD5 | 74faa206af9103dfc62a2514f384c8ce |
| SHA1 | 150548209feb3c4a242f9137507c4ff0fa7f7ffc |
| SHA256 | 3c0ead17b1e2ad38cb9f8bc0d630cdb1838aef5ad3677e58a47c94e6b393be47 |
| SHA512 | d8705daccff4d4a8c039a1c6d6ddba9d3dcfb91604ac8b869ef381f5e8c21318a05fb1e787379a815ed8f59a04731f276c224f82a8a0bc280d1f0bbd2d05eae1 |
memory/2712-27-0x00000000002D0000-0x00000000002FF000-memory.dmp
\Windows\SysWOW64\Goldfelp.exe
| MD5 | 0476f68cc961709a59cfc6674ff3981c |
| SHA1 | ad908d282abc8b5ac3eeaffdc43fdb3f767e6eec |
| SHA256 | c5c988abb1b5474c0309d942def17cf97d3dcbd538354178e14520f3a015c686 |
| SHA512 | 91d01f4492a9c9ad32a5caf3b4102f10c75fdc859e01ac1b3dc8d8d729b44ca66d553f7b3b6cb2eac7a319235ff736c63c50d1ba13c746872e5a82dbc3c78ead |
memory/2724-36-0x00000000002D0000-0x00000000002FF000-memory.dmp
memory/2724-34-0x0000000000400000-0x000000000042F000-memory.dmp
\Windows\SysWOW64\Ghdiokbq.exe
| MD5 | 50eb269aa1e6b03bf77d5b440c5b58f5 |
| SHA1 | c94c33f44ee28b45d61d688a29e72da2b8eb342e |
| SHA256 | f3ce1f1abe858d35a79e23ae7d49352f0e0fcc2040471c476be1d8afbae944d1 |
| SHA512 | 9d0535ac19f59892d988849547ac72cb413c18cdf0cf9315c9ddb539cef619451055e77a42d9f6076f410be560e9467816d0daa223e4b348613f28c9adef1bf4 |
memory/2648-68-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Gkcekfad.exe
| MD5 | 6727a375ae028f5434f7cbf26004d0dd |
| SHA1 | d7ad394fedc9ae625be71de12b7ee61517eac762 |
| SHA256 | 21af2283bf4b1f75369cee01975cc229893a317e1eb69cea68da9f63477476c0 |
| SHA512 | 23d523560d01eef2a42f59ce8138e6f00bf4d901a48a5f5291081d2aa0dc16be9b9b00cfde9bd17bc45849d95a37d1c4e3111211be5037bf8c1ca21fb0d53ebb |
memory/2740-60-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3000-59-0x0000000000250000-0x000000000027F000-memory.dmp
memory/2648-75-0x0000000000260000-0x000000000028F000-memory.dmp
\Windows\SysWOW64\Goqnae32.exe
| MD5 | a787d0a6da87e421ff74bc9fa548cc24 |
| SHA1 | 40fd0d81d0350a65b1870b5ac911e04ebe4898c9 |
| SHA256 | ca761384cbd9ecd66c42ebe3a2f93b4c2257f3e8791d0141962f87e49321c9eb |
| SHA512 | 627ceade0739cd8b7c2b7decbb15697b7b6bbe7598ed6d680d646e939d5ae4a5d191513208048b29ca315cb387ae87c3642344ef2b6f04a608ccd1acdae3a823 |
\Windows\SysWOW64\Gaojnq32.exe
| MD5 | 9efea6b8256886b8814c68d70a60d7de |
| SHA1 | 148eba736e173df43dde86f768b10232dd7e5171 |
| SHA256 | 508e35926aeb72f020c54d97a115052a9051ea05d04443704df4f3e95ed4c8ff |
| SHA512 | dd8a97b38139ebd63dd3c8be2c0375e033c6920e95227c4ebec38a650526825c04ebb3671a1e3bb5b6918b9134f93a084b97aad35df4f3f21b14bec48170f587 |
memory/1232-89-0x0000000001F40000-0x0000000001F6F000-memory.dmp
\Windows\SysWOW64\Gkgoff32.exe
| MD5 | 47edc1ebcd73de57dbe40266b019cf39 |
| SHA1 | 99fcc9ae7b861a89d61657c7db8e2994999037ab |
| SHA256 | 318179f042f321ebd029b33853e57f87c56c8bd067e322946da101cc37d02c5c |
| SHA512 | 5c5be13d4cf6da8dbf4c886b112f43ce037b6fdd089b74aae6caccb25793c449781cae614ef23ee0f097d24ae5bbad0608853845e2430f24b098e03c6b096121 |
memory/1296-102-0x0000000000250000-0x000000000027F000-memory.dmp
memory/1692-108-0x0000000000400000-0x000000000042F000-memory.dmp
\Windows\SysWOW64\Gnfkba32.exe
| MD5 | 8e95511cbaf0b08a74f16ae8db430358 |
| SHA1 | bc811a2ca1e67618ea4d281d282bc55056be4600 |
| SHA256 | 8d3292435b6d0b382e64d89e99ef182dccf140ef1a39c9cd2c04ef96fa04c556 |
| SHA512 | 337002f206ddc5e84c40373008dbe140e937c4a4619778af4a4362f5fd6ce42b8b17ae29f7cf98b00c6e11bdc9c316789598d02998af8845c07567838fed35e4 |
memory/2056-121-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2056-129-0x0000000000250000-0x000000000027F000-memory.dmp
\Windows\SysWOW64\Hgnokgcc.exe
| MD5 | f02440126329e5ac85a059758cbd3acf |
| SHA1 | ed5f579f43566a345ebea4a51619db55cfd56a6f |
| SHA256 | a2af0c849e5b72c7a9a8e7f694bddd3c3e675591c76ecf2ae078fa68a62fc91b |
| SHA512 | 5658039ff2a624d6d22f2687f524fa05a74086925cf6beb59d7249df5ae8ffba71553130a69009b0714fffcf414b6f84720c9981d7fc7863ee1515a53353b23a |
\Windows\SysWOW64\Hnhgha32.exe
| MD5 | d22a9e425d2148086072869eaa0b28dd |
| SHA1 | d32afd0035694417e9e14d95f590c5885ae6cb4e |
| SHA256 | 39332346fb4b85968a7b2c4055960b15a66b89214a669f9b06fbe2cbedf134b1 |
| SHA512 | 53556485f75d4ca8864102a55d69076b1d14309675acbefd67e2ae6eb69637d3a7f599a6b6cb24dae20646efcf187464f3384bb2e5aceac2eccfdbc3dbe639c6 |
memory/2020-147-0x0000000000400000-0x000000000042F000-memory.dmp
\Windows\SysWOW64\Hdbpekam.exe
| MD5 | 58eed5289e4215f1afe2b01094f30d52 |
| SHA1 | 48d112ba1fc3a72cda748f3b4b161dd2d73504a3 |
| SHA256 | f2dff69884a792839fa30257327e78840b4a37e168775a26cebbc19ddc88c8ea |
| SHA512 | 52c288f576db6785c39e2c0cf19727492b7f77ae2394758925199decedfb66228979844305b77700ce8f688ffa081cd2e5e4154ca748c91110f388b256612ce4 |
memory/2020-155-0x0000000000250000-0x000000000027F000-memory.dmp
memory/1128-161-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Hklhae32.exe
| MD5 | d851c1622739f02bef28a8c4aa347350 |
| SHA1 | 03c82ae917ad6888eadb3c481b5ce68ac21a5e1f |
| SHA256 | f8dff4af504e1f39b4e7520d26afcc1c417cd8d91f95d482d2621b7b3afe6005 |
| SHA512 | 0b6a4ba58fe5592df82ccf89fc26fddb12434da9342da170565859c0e08e2f6d54fda15b0afff5b84f71aaa7ae2ed663e510f5219b526b08dc3544694db1bb13 |
memory/316-174-0x0000000000400000-0x000000000042F000-memory.dmp
\Windows\SysWOW64\Hqiqjlga.exe
| MD5 | 039adaed827095c00e1ee4d9b6dc7a7b |
| SHA1 | a514205443573925524b8b9d7d65aad03aed3344 |
| SHA256 | 2985ac5bbdb866fe7ad122908ca9858dbebcd7dd6d7f71ed7d46a601fa4d63e2 |
| SHA512 | b007c8abdfef6bec48bba3f3d2cdb6dbfe087740a53903d33620c2cd2631310c155a9c8e131ad18c60757232d3ae8232bda885ce61230a9cb7a71cef0cd1b73c |
memory/316-186-0x0000000000250000-0x000000000027F000-memory.dmp
memory/2176-199-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Hcgmfgfd.exe
| MD5 | a6ed8df6f099f40ca67cb3bfca6e33b7 |
| SHA1 | 93132497d569103e88d119a7246ce305b6bd9c7c |
| SHA256 | 9b8f55286b0170587ee36cbe69517986e6c20b74cbefe857ade6eb336cfc2850 |
| SHA512 | a802e32768c815320dbd731487696d88ea05a1d946d101d83da60dc6a82194c9fbfc340497c814a2f5bf8d86665df7b35de173a1fe45ac6b6abe4841e3b3c2b4 |
memory/2364-201-0x0000000000400000-0x000000000042F000-memory.dmp
\Windows\SysWOW64\Honnki32.exe
| MD5 | c682a09e2fc7b362ec8ca33230724208 |
| SHA1 | 91eb8851fb0544d427a00e8edef4d544c20c8db6 |
| SHA256 | 0a4028b3732163132ad311ade31fd28f9081ddaf4308d10d4a19c385fe22a339 |
| SHA512 | 381a05ca77338c31ec3f58ef7b797e713c13f22ed8dfd669411de88102e925ec0281ed01d0f31c4fb26c1d9a0552bebead45c9fd455bf06b7207ef3264b203af |
memory/2364-214-0x0000000001F20000-0x0000000001F4F000-memory.dmp
memory/2364-209-0x0000000001F20000-0x0000000001F4F000-memory.dmp
memory/2960-226-0x0000000000400000-0x000000000042F000-memory.dmp
memory/836-225-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Hgeelf32.exe
| MD5 | 8319bcf42ae788392f033846dab86263 |
| SHA1 | 18a0f2df1d2af2b8cfbd095b44f4bb19fa295f11 |
| SHA256 | 7d56aaf31e71260551b378b8512e30cbfb87101fc7c59010b0012e4f9c9192c6 |
| SHA512 | 1acd66ab06246ad7f3137d3a71b8008f2941b78f6b958bd60fcbc26e3cbd8562c2cee6fae80bed8cd8d6018e24fba5a70e47468368fe1241dc73609f0fa0ab89 |
memory/2960-232-0x00000000002D0000-0x00000000002FF000-memory.dmp
memory/1512-236-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Hqnjek32.exe
| MD5 | fdece6c07dca7eeeac14b371ab6fa689 |
| SHA1 | 08e62a3bf1d73c0108386d093f7fc55b99c8096d |
| SHA256 | 1aae038d1a2d6f566cbeb40b1eaac05f4e7ad132fbe7631a31e23c4d8b4bfa4d |
| SHA512 | 7ae58dea90ef08a1754d985d00d02503f46a584f519c36cde991530403a8852aa95c0a2c742abed99dd5f0caa33a05ab309d02824385cbd1808d1db927b7f3b2 |
C:\Windows\SysWOW64\Hoqjqhjf.exe
| MD5 | 38cbaa8d7232d8795d3ab0d2a7df4d19 |
| SHA1 | b450bc1674203f2bd97817c82ed6fcf97e9ea075 |
| SHA256 | 9e81e6e3722e468367a3b72354cf2d04692db96c66d3001be22c37bdd10f52d1 |
| SHA512 | 512476c55090e745881e4951c93517a92da3a24ec3162f9f19275b3419b2a6920fcfbb8cc19a3ed70582fa7efcf86d41438510bdd10e26917048fd23e9514e5a |
memory/1940-245-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1636-255-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1940-254-0x00000000002F0000-0x000000000031F000-memory.dmp
C:\Windows\SysWOW64\Hjfnnajl.exe
| MD5 | 44ec76dfd34c7fe994babb28cfb43d6f |
| SHA1 | 01c2bdd5518f81c1cf92111ca186c339b161a35b |
| SHA256 | 5b787b0d98e3b2aca0cfadd05b89f3009c489de858a1f6ceaeca71dac4a2859d |
| SHA512 | 9844c3fb7bda63e1a41ff39b04769f6de593847f5fa0226eff82e5cd417ca11e426146c67da9a743713c655b19f2032f2635ee31f537b8e548d8d7ec4bb3023b |
C:\Windows\SysWOW64\Hmdkjmip.exe
| MD5 | a37363673b76c777f401782c4181e593 |
| SHA1 | eed46682ef1413cc1fd35f5460a119ec1220eec2 |
| SHA256 | c4cf14b140a3109827cd9da3015a607be9db99c90fef19e5de3ca60aeaba7324 |
| SHA512 | e0d2baba15c53bc10bfb419541487426b0c4023a6967ff7d5e2dcdd109b554731a66c77da00446b58f1c3868523406df1fe10a320299023c2167e935fcd56f99 |
memory/3036-268-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1636-264-0x0000000000250000-0x000000000027F000-memory.dmp
C:\Windows\SysWOW64\Iocgfhhc.exe
| MD5 | 3662d4a6ed71e5af72345238414ba277 |
| SHA1 | 3106295c86ebd05e2fe8632e52f0d24980fc9850 |
| SHA256 | 3d3ddbcd76016b2d430336e973cb3cb40ac0b4d589e2096fc5e472ad268577c8 |
| SHA512 | 8626d38c234375659dcd2183a4bc66da800ecfd133db1ed85437f2a10f1ecd263e2cc7e9f3aa5b91f8a7cc3bfa2e0ee09934109d8e5b1e23bee21ccd7b1f25ca |
memory/2552-274-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ibacbcgg.exe
| MD5 | c62a776c124bd56b9bd4077565165a47 |
| SHA1 | 7e96d3cf0fecf8fc370abb148a342db320ec7943 |
| SHA256 | 11bb862f330ce2533e24c3874af139cf5d1cbb785cfe70908096ffc100e5b387 |
| SHA512 | e95392d155fe5273c0fa3385e9940023c3a6f812ff193461d2935e844061d3ce31894dff030359843cf211f7ed570435df50fccc84a7941fe6849ffda72725b6 |
memory/2552-283-0x0000000001F20000-0x0000000001F4F000-memory.dmp
memory/1736-284-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ikjhki32.exe
| MD5 | 47485c737641f3af5af4b74ce2f582bf |
| SHA1 | 1afd23eb0fc05cb98618f8ddfc9c61ad01e0d11c |
| SHA256 | 7b5e200f66ebb2e1c475e0704d031b1b589fbbc7a8b4e609d86c61bb7c13c4f3 |
| SHA512 | 445a497a86e351e0878e4ee3db7c56f3df69b42664b3d5e7edc6be881e4a379f770b6c0fd92ed07c474f13e3ed1fd66fd81d6a93f05c88ff5b97550e17cf9ee9 |
memory/980-294-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1736-293-0x0000000000250000-0x000000000027F000-memory.dmp
C:\Windows\SysWOW64\Inhdgdmk.exe
| MD5 | 53f8f00ebae727984185858ac29a008c |
| SHA1 | c9af75c174f12b16b643a72cbd589f2f3920fcef |
| SHA256 | 81a0f9ed5813b902fd3f3c23b2358afb4303aaf69156c244321e0b6242b8df34 |
| SHA512 | 99682b937523dd7855ec5e2a4a276fc7a4f4c1947b03d656c161fb7f4e12d113c000b6842875f2114e2942aff04c797490dc5ffa258abcace848c94e61188765 |
memory/880-303-0x0000000000400000-0x000000000042F000-memory.dmp
memory/880-309-0x0000000000250000-0x000000000027F000-memory.dmp
memory/1800-314-0x0000000000400000-0x000000000042F000-memory.dmp
memory/880-313-0x0000000000250000-0x000000000027F000-memory.dmp
C:\Windows\SysWOW64\Ifolhann.exe
| MD5 | 03953a095bf0bd90219b1dedde3bbfc9 |
| SHA1 | 3b977d807cad5f1faefc51bf3361c1d6b4b376f9 |
| SHA256 | c6c3a2f39bbdbbfd42350e99c7c3dda788a2698ac8a68864be09952f19e90dde |
| SHA512 | 3fdbe0cf6b4fb309b218825156e04f513d310f06f00dbdc873d33614f41cb2b073cacb39bf06d40b78e29c64b630a763806b0e43a52af91bbcef855fe20baedc |
C:\Windows\SysWOW64\Igqhpj32.exe
| MD5 | 860161a5e754507d2811d1cabb54c1d7 |
| SHA1 | 92d95b2452f0b9b821e90dc60f463066e75f466d |
| SHA256 | 99e86b3c209ea6b5cf755087c4bf1267e54f7efb79184f813bcbd82285a1772c |
| SHA512 | e27b03709a4bba7ea8600142e4c715598dbb0af292db0713dd200c9f933c703dd2a78e81e2c9d2fbd289e87d929f4a334d1ff408820f4322d5c1a650cb922819 |
memory/1568-325-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1800-324-0x00000000002D0000-0x00000000002FF000-memory.dmp
memory/1800-323-0x00000000002D0000-0x00000000002FF000-memory.dmp
memory/2820-347-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2864-346-0x0000000000250000-0x000000000027F000-memory.dmp
memory/2864-345-0x0000000000250000-0x000000000027F000-memory.dmp
C:\Windows\SysWOW64\Iaimipjl.exe
| MD5 | 45db9b8587e8419496ba84a1a12f38d2 |
| SHA1 | 40ead0f74fda9bc75a79bc37fd2af688e34a3bde |
| SHA256 | 3495b04d03580b8f85856ce1b97b3f1ac700bf68a3ba4b61a664159e80a2b9c8 |
| SHA512 | 46d7d51fbfc35af0eb4cb4c0cb316ad558b29133e8a11b75bd6491430c15af0855ca78e14d57b77b3103645adabef50e8777f32d08551ea0e05624c26339668d |
memory/2864-336-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1568-335-0x00000000005C0000-0x00000000005EF000-memory.dmp
memory/1568-334-0x00000000005C0000-0x00000000005EF000-memory.dmp
C:\Windows\SysWOW64\Ibfmmb32.exe
| MD5 | 8337db57c07f6b0711881402a1ec9140 |
| SHA1 | 0848dafbae2f7351052f33d3fdaeba795be156c6 |
| SHA256 | fec8dc59d764a9a4bc66767fe920947629347eb102df34aed3a60b75c03aa074 |
| SHA512 | de9800ba2df1e8d7918b81111df9a1b8a803b135e36608815905fa0fb22c54debe58d3bc0a6cd84a3b9e7695193af6dee3079a0dc28197c5c06628bc6a85d3fa |
memory/1328-358-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2820-357-0x0000000000250000-0x000000000027F000-memory.dmp
memory/2820-356-0x0000000000250000-0x000000000027F000-memory.dmp
C:\Windows\SysWOW64\Iakino32.exe
| MD5 | ca65047fed5ce582bb9083ff70f19063 |
| SHA1 | 502b3b6e3cec2701abc67671286bc303413595d0 |
| SHA256 | 77ccbec8f0893c2a8916187e62092d2fdeef052f33317663b78fa1e95eb9044f |
| SHA512 | 2281348c2b985f1651c8660bf63ed9ca6cf1f4f17c76445e067714b28dc0a907ce395a6f72239692b0bbc2d29b213aee99a163efa237d008633f0792fc299657 |
memory/1592-369-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1328-368-0x0000000000250000-0x000000000027F000-memory.dmp
memory/1328-367-0x0000000000250000-0x000000000027F000-memory.dmp
C:\Windows\SysWOW64\Iegeonpc.exe
| MD5 | 5b3df152ceb8e29a48b969369e1b68f5 |
| SHA1 | e1c0b32eb249572f2614f1fce546e9765b140958 |
| SHA256 | 53cbcb01ae6765e0824e3ca9d700de165f53af5272e9232da687c5cdbd31f4f1 |
| SHA512 | 73cf823fc74c44ae88e29fb9cc4698da5b14d7e0741b8d487be601f5459098dd8a56f8703c2aef710facce682d78ce94536d1a1d00e14f947b9c592e3d85d69b |
memory/1592-379-0x0000000000280000-0x00000000002AF000-memory.dmp
C:\Windows\SysWOW64\Iamfdo32.exe
| MD5 | df605ffdf2bd0cf629d3454993822013 |
| SHA1 | 6e33e7eca06e529ccb75aa8b6e83ba3527337ab7 |
| SHA256 | 1145eb578e85cfa014e632d2fee93b084459fd6771670aac8bdb31e40f9c702b |
| SHA512 | c3589ae7cd14851946cdd6165f458ab852eb95a8de51fecd2a512471d58c8c0bfdebb4279184df4f625dd942e1b9621f3d2c7f44723a0cfb1f54000625f20754 |
memory/1592-377-0x0000000000280000-0x00000000002AF000-memory.dmp
memory/1920-380-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1476-391-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1920-390-0x0000000000280000-0x00000000002AF000-memory.dmp
memory/1920-389-0x0000000000280000-0x00000000002AF000-memory.dmp
C:\Windows\SysWOW64\Iclbpj32.exe
| MD5 | 5b8e27b6142e1fdfa287b3ca8e6704f6 |
| SHA1 | 918a4f9c16c1806584622ca9af619b6a0eb17983 |
| SHA256 | cfe44913ce4420741336634ea3ed6f0c1aa887d60515ed62c0c86c2ec7f62f9e |
| SHA512 | 325c34f653bd74c2324c32f4b843459cde1c4dc7ccdbde2a472f6ba169169a0b58efb2e837cced8769c83e0bb7d5dc0c564ad933be9f3e2284622553af303744 |
memory/2712-404-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2092-403-0x0000000000280000-0x00000000002AF000-memory.dmp
memory/2092-402-0x0000000000280000-0x00000000002AF000-memory.dmp
memory/1476-401-0x0000000000280000-0x00000000002AF000-memory.dmp
C:\Windows\SysWOW64\Jfjolf32.exe
| MD5 | d9c329c42c0ab8be5621f725466b4b41 |
| SHA1 | 55a699d04720a9df98a353dd0c74eb2fb4221f3d |
| SHA256 | ef1809d240ad86e97964193b35b5b0653c5167418005b2d4883d76b001468139 |
| SHA512 | 614cbd52418c6beff17a6bce5662dca1aa5a799caeb492534d7cf0f3f3bf68be0c6d2e50a45943a256b50ffa0eb7e1c8961be002b5b4a2708775496f0aaa3329 |
memory/2092-397-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Jpbcek32.exe
| MD5 | 3d419dfd7987fd3f22fc68d5e55a2f30 |
| SHA1 | 0ece5466691988700367b08169ba253c5fff47b1 |
| SHA256 | 6b48013e2d41158f406883ef546c7b8edd61195a71ec21059c3f4ffaf23f6a7b |
| SHA512 | a34098760bdf475e7d81a78908b6d7a472d01086ebad79cd12d93b8818a8af8c56c72d3ee337b62dd8653fd37e3a62139190ff69b92a2f9b0f69b6c514939ae0 |
memory/2408-419-0x0000000000250000-0x000000000027F000-memory.dmp
memory/2640-430-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1740-425-0x0000000000250000-0x000000000027F000-memory.dmp
C:\Windows\SysWOW64\Jikhnaao.exe
| MD5 | 52ff10ec7328f02d53358abb281713f5 |
| SHA1 | 608d664dc78f02294504eafbf62b3ad32d8611f2 |
| SHA256 | b3736c8182ce4a3cc754c4137f332b63c5bf6b3db93f8adc2d192c43b8779af1 |
| SHA512 | 7e8bddf9a57fc05ca43706a0bdc956fb8ecd6f18468578185dbeabb1238b7d4a0b627fb268f288433ea13a27ed9dc034eaca313a49b8a3ad0c215ebda2f130e6 |
memory/3000-437-0x0000000000250000-0x000000000027F000-memory.dmp
memory/1000-436-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3000-435-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Jjhgbd32.exe
| MD5 | a57a92c83edccf85316b42a707a8d9ad |
| SHA1 | 38b3c1b7393f06d276d64f8696d92f50985c544a |
| SHA256 | c5d8e9a5462ddd25173bec3a135cea256ea7e6a472b99e2f3a0e13882d2a48f6 |
| SHA512 | e8d742936ef8cdce1f5cfaa98bd79b70013c2ce6e15b690e2aa36578b6bbcfd35543d96547176f0be01e70adeebef258f1725e4abfcdd383ce417d9e257accb6 |
memory/1740-415-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2408-414-0x0000000000250000-0x000000000027F000-memory.dmp
memory/2408-413-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1496-449-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1000-448-0x0000000000250000-0x000000000027F000-memory.dmp
memory/2648-447-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Jbclgf32.exe
| MD5 | a157d86f440fec9ea9bd9c8899b77d55 |
| SHA1 | 7050afbf6bb26dbeffffcf8ffda0de89c93ecc67 |
| SHA256 | da866cd9a3c3e850255004857a8d73d24c203f9a511a4f0a5bc0b8f8c2ccd61f |
| SHA512 | 093826a1ca8b024c33451c5a3097f6b8a075ac5f8f22e2faeac5d23d7c231287bc0699b7163ece382c94e355f1ceca1365bafee5d677a3963d8d8ff424dc8832 |
C:\Windows\SysWOW64\Jjjdhc32.exe
| MD5 | ba7427e87e172ea0e7fff2f47398e53f |
| SHA1 | 305a2a6c76f86e103d37df4fc108d9a5d9ad54f6 |
| SHA256 | 74fdc52d90547ab319aa8c625a5e3baab3a71f75658a8974b805ae4eef76b8d4 |
| SHA512 | b8adbb89b1957dd977fa65bc39e8bf5ace0089da8c4e0994640835ba1411516741c15187aa02ff0324d0c7d7eaeb2123f7cf433e76ab4f9c138a689608356a70 |
memory/1000-443-0x0000000000250000-0x000000000027F000-memory.dmp
memory/1500-459-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1496-458-0x00000000002D0000-0x00000000002FF000-memory.dmp
memory/1232-464-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1500-469-0x0000000000280000-0x00000000002AF000-memory.dmp
C:\Windows\SysWOW64\Jllqplnp.exe
| MD5 | beebcc690bd3b0136904782d04cf64ca |
| SHA1 | cdb5e4d9802bf54964c531ad4dc305e94bb3bcc0 |
| SHA256 | 4c5e6d3c613492dd3dfc5f7da550537cae24edc92a0a9d64f59cf0ca3801e13e |
| SHA512 | dec87b430f5fe03bfb936c3fa7df3b2ec4b2591583cef3dcda5174a93e1e5dc961889a24bea0c9c4c49d995517f96ed2acd899cc17564ebebf96037d3b55965b |
memory/2368-481-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1296-480-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1764-479-0x00000000002F0000-0x000000000031F000-memory.dmp
C:\Windows\SysWOW64\Jfaeme32.exe
| MD5 | 9662dca5bb2fee02f60ea16ac2df4c9d |
| SHA1 | 05a68099ebea84ee4394a77cb42415ca8eeec726 |
| SHA256 | 266701a7608b474eefbaadd36703f16df7109a02725dabc7609e745efb1b7d7c |
| SHA512 | e52f298e180c3eae819109493dddafe2a64b4218015699410b655d5665fcac4fb336911ebf09bf69086f7841fe39b4798a9e54a56148b59d90453cd5d72c7c84 |
memory/1764-474-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1692-491-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2368-489-0x0000000000250000-0x000000000027F000-memory.dmp
C:\Windows\SysWOW64\Jbhebfck.exe
| MD5 | bb89a28a8dca1bc2f1089300393f1bcd |
| SHA1 | e3d985e4926e031ebfa591f74490e4b9e2fae20c |
| SHA256 | 1ac745b696b84608f19791961f722731ae4ffdf8380da446885a3aed6e561de9 |
| SHA512 | f01ffb667b0a873bc6e92648a3624a91de2cffadce41866c168ceea3a57273e10dc34bb47a466056e3c6e8c565d1775d7c3af2af39441317cdc9df16bb6ebe35 |
memory/2056-493-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1692-492-0x00000000001E0000-0x000000000020F000-memory.dmp
memory/1356-503-0x0000000000260000-0x000000000028F000-memory.dmp
memory/1356-502-0x0000000000260000-0x000000000028F000-memory.dmp
C:\Windows\SysWOW64\Jefbnacn.exe
| MD5 | e5bb0404b9b756f6cd7e8c0f612a6f7b |
| SHA1 | e99c5559fdea06b9a30a7bdc43a682d6c06153df |
| SHA256 | 088d239248b92e53564ecae5febfa26d6b303be68662011b5b907468b9f8c049 |
| SHA512 | d61a528aa3a09c2237654aefa2288fe03852f8db348c6383c3af6e46db1a19e6c2a760e593d93720a4bc93816e9729774f3889ebbe6b695cf05bf67580a084cd |
C:\Windows\SysWOW64\Jhenjmbb.exe
| MD5 | fb687b30c3256e08229275b7f6082cc8 |
| SHA1 | 3df77f9906ddee0df41297b7db689b5fa3293ebc |
| SHA256 | 1cb85a4990b811fe9c8143f91aa95f1ec496d6ca5cbca921082ae02ff8bd35df |
| SHA512 | 644fd04809842244887075ba41e5e4235d0b63f108798f48e2da6704d30df7c596cfdf4a84dcfc54e014be773df775848a1d882239ebf57471de3f2f8ff5046f |
C:\Windows\SysWOW64\Kbjbge32.exe
| MD5 | df939b1ad7814ba395c816de8809ba8c |
| SHA1 | 0484abf7359468faab908e91c4333c73f8725306 |
| SHA256 | 3a06abe3afb442405c110c28c98b7526648eef5afa54883d6a4be5ae6edaedfa |
| SHA512 | a413bb163868188a377e06889201cc2bd7d9491ab803bc7b6a894a87457b0e7e1aee2cda929b3aec9cbd1521ab1a25069cb1139eb48a9059472fca6cfe17a3b0 |
C:\Windows\SysWOW64\Kambcbhb.exe
| MD5 | d2db96c6bb842e67a02306d99c305191 |
| SHA1 | 3f568a0aa2a757569d327161b90cdbeaa5121b2c |
| SHA256 | bae9fb61c9457b4010ee639aae7333daa7c4ff3c5609164a235c134cc60cae23 |
| SHA512 | 9c9eab3f12016acdc9d6c26524101bdabe689d6f2bae50986a0db81ea10fa4ee5011b961e399bd33869703d0b62a997c2345261eefcb0260fedf53e1b506dce5 |
C:\Windows\SysWOW64\Keioca32.exe
| MD5 | 5d005134109454291eb1f20f28f5f7dd |
| SHA1 | 48d21828ef6b37d097979f82ad0810c5a8d0f7c1 |
| SHA256 | 10901fc1728db59360203cad19eca5614b016d0ec988fd3304c1dfc43c109e03 |
| SHA512 | d914605dc3edd60977dce4251100099adbb6623c685eb55174d82b5833f3947277cf3364598057cc04c6df7d6b04b974307f0aac23f2c97b1e1cb22e7ecc067a |
C:\Windows\SysWOW64\Kidjdpie.exe
| MD5 | ced11b4dfe05c9a3788e745a393a2454 |
| SHA1 | fa6abc503f5844467d34c9991d9b457869750211 |
| SHA256 | 5b29fb69bddfda18495de68a184c2149a570dfe41eea524d10cb62cbdc9e0378 |
| SHA512 | 06a314e0e8bb4573316eab0883d889d11359f4d63708df23ffe5924bf503b4d40b4d96e2ae22e51ef6c3e1a6b9a6c83b6c7655e254a0b6254268d7e06f8a41c2 |
C:\Windows\SysWOW64\Klcgpkhh.exe
| MD5 | 57c9394a84685606ac757ee86cfd8c41 |
| SHA1 | b9d080079271f5c956bd57c847ca8be773cb6260 |
| SHA256 | b721b2b093caca64e924be144cb818fabde78672241777c416d21c408ada619a |
| SHA512 | 5aefc992af29c0e768a5c9771219c1eeb4cb137d8970825c04e35ae5afcade522229ad77100f9ec4d54d216405c6cf2a770f5ddc07e4e3fc3a92611e06a8f5d7 |
C:\Windows\SysWOW64\Kbmome32.exe
| MD5 | 32b847722f920de6bd49b31278302ce7 |
| SHA1 | 695518db93a85a4cd8c0a04e229315035a796c7d |
| SHA256 | 3809c2c5ce8ef3a29e24bed9258d569a8118539c156827f8dd66a17f291a2155 |
| SHA512 | af680dbe76425c6e565b224709d4d9a906211cd494828fb3a4e65e4a163b38462b6b5e9a3b5fae62f2b4f684ec25be5b49e5bd14d65af7913089fd2a80a0ac57 |
C:\Windows\SysWOW64\Kdnkdmec.exe
| MD5 | 71177e3889f0989b19408b2970e62711 |
| SHA1 | aca78cdc6818fe5224a663c7d85fcdc8fcce94fe |
| SHA256 | 0874338b3dd774081ab1eb709367c6561e89430b4d9873703d74071c47cca24b |
| SHA512 | 57c20ef13ddb309e010383099b2573ec4b428b288f176f11e64948e8e9622222555fcf249a1fe21b54e22a3ce877515bf5bb2e94d8c9034cfa5e751ba7328199 |
C:\Windows\SysWOW64\Khjgel32.exe
| MD5 | 436bf0277fcb5b205efa618574044f1b |
| SHA1 | 40bd52fb38b5a195586d1e08a2677eeb093db37b |
| SHA256 | 6381ff86f90b07b19e5f64ce1680ac2fb56ab71f090b873bde40f6689f380b3d |
| SHA512 | 2d4be526f27b15e297a289c1a1b1c9cbc3201d591c0cdb60a6670e4e989cecf055eed908cd0a31dac243189846962814e2becc324596e543c9dd28604ce0353a |
C:\Windows\SysWOW64\Kekkiq32.exe
| MD5 | c1339a141844a14db34cf98794057beb |
| SHA1 | c15beff5bbd7da5cdea4bf3d247b3469ad48e1f4 |
| SHA256 | ae2f01a2d7b0393a2bdfd95843f15a3ca330af805223a0bf500d54a875eaae45 |
| SHA512 | f5459f37b351ac287275339bdc58691dc03f30113a11791b63aaa151e4c0b7075d34643be70151e8bf6b3fd52055dd3da9c91cc1dcdcfe32bf18a20d800ca63c |
C:\Windows\SysWOW64\Kjhcag32.exe
| MD5 | a5fabaee4e8bd965a821df10288b677f |
| SHA1 | 0e8a38df39d37902a7ef119163e88a28432baec3 |
| SHA256 | 05fd7492621e4637e3aeaaf8e4963070c8a3f0314e448b703316fc452554ee08 |
| SHA512 | 74d999654ea6261f4b37eed7dc71d44d960bf47cd5eae66cee0a3cbd91015c838e3ba1f117240d46c0326239c7456627ea686377974ef880e88e033cbb7e8ecb |
C:\Windows\SysWOW64\Kmfpmc32.exe
| MD5 | 79a66df2cc75434c392f27a502e76168 |
| SHA1 | 8f32fbe1bfc8ee078228e95d0df71f199f7f6ee8 |
| SHA256 | 882e477a067d5c1407c5edf1535686a70378bcebc1d7c3aba440bfc2328970a7 |
| SHA512 | 598d301ed3c1271755d3a5cc5405b881ef09596c641efad91a050f01ffc96b434aead02d61db4eab5d5e617f44fd70155c77a07b575c82a42897ab20c3d2594e |
C:\Windows\SysWOW64\Kenhopmf.exe
| MD5 | ee867b803e0b34b3178a0fde711a0e57 |
| SHA1 | 3b62b41bb499c8788ea2e23581dafc2f50b14ce5 |
| SHA256 | d6c9f760427d552e7c9710fc5c937d6c23b5ac14f85cb804d2b8b8025fbf07a0 |
| SHA512 | b463d329f055c00414a73afb46724ca1a13ff8c5e1cb84708911b2d32df87bb3752a5b0eb6d1be0f478dfb2dd76b1fb4c680c5abf0ac841974cc7f2ed8e09692 |
C:\Windows\SysWOW64\Kfodfh32.exe
| MD5 | 76e556f982301e707161e68c1f1d1591 |
| SHA1 | 5a45594e433c5f9c8ef5cc9f2c500fde5a864c92 |
| SHA256 | 2c735fa716cd726a73f38f06a898768284723e3df922a86eb731f98e87c8e415 |
| SHA512 | 82f794c8fc41d88272341032a671272fb3707703b6b03e208477bfbaf7600ccc4fcd724f33359a7dbe08fe124b0a57001403727b160e05340d9fa4cc0dbceed8 |
C:\Windows\SysWOW64\Kkjpggkn.exe
| MD5 | 086fd1bd9bdf306812a62af26f92ce48 |
| SHA1 | 1504119c5ec54dd0c52f97cad5bd09457011d26c |
| SHA256 | 99e0621c26d4a2326931dbb8c79a1b541153b8dd47101eb201c8a34eb4d9ae62 |
| SHA512 | 1b75cbe99d6379b230ca1dff401a0aed93b8056f0fdae8d65cc042b247f0bd904224f3a3800c357f42853620d4d5640f7da9ac2567012e4204fdd940b54d3bf0 |
C:\Windows\SysWOW64\Kmimcbja.exe
| MD5 | a138929085589243c5bd28fc12bef570 |
| SHA1 | 7b20dc56c531dbe82d108126b42bbc5ef0f14fc3 |
| SHA256 | 693e7dc592555052f9331d2888d7a6e25e3dfaec2d8ddd9f13161a65699d1efd |
| SHA512 | be78664451b4be6beb79a288b33bcef2c00a6661f3da1759adff3e55496e9c37308bf009fd967708dc7d20ccdf97facae3a580bfcc44eb11fe7609a3b22de29b |
C:\Windows\SysWOW64\Kpgionie.exe
| MD5 | fc1e309ded03c095acf619450af7ae50 |
| SHA1 | 3bd1a9b094fecafb48d94de8ce7bbb929f49b39d |
| SHA256 | 15704ba52c852dbc35f2ffb31f7b4756ba471238943ea6a6f3c0f7eba9a63415 |
| SHA512 | 2a1f0e4cf3b392ff731d88adb276b10799e3b0ed99a57534e8a9c69098221ade3796a919fa4c14225a0fa92215d42fea7111379430c4d3aef28a0c2784142dc7 |
C:\Windows\SysWOW64\Kdbepm32.exe
| MD5 | f3fc47b9b4c3d798206a305ca6336a07 |
| SHA1 | df35c7669ee54a948282a7ee59429c9c5600fba9 |
| SHA256 | 99ded7a739c146731c2feda35b8b3da0df6613b178615e768a1e9167bfc6517a |
| SHA512 | b61ed2522862ddcf864f40569e2a2e7bd844e5793219f2bd86b88a2b7317fb31d9e0fc130729262e46db1fba5dcb902aca711e36b60b5b859fe94fa77d52921b |
C:\Windows\SysWOW64\Kfaalh32.exe
| MD5 | 0dd435306fadcb66b1b6a579aa85139a |
| SHA1 | c26da9a42e598ed8ddfbf3acf8dbe18749095ea4 |
| SHA256 | af371a2fbb8091ef23cdfe4541855f67c5b2e542ade9c8521bd4ca794ddd3e33 |
| SHA512 | 0788061287ffd016e56f60677811da7e27ab78824d89c62086db826e1951a56f96e75ad7a5d93cb025e5dd81ec604d3032784c6006e0d88ee21be0428be6a210 |
C:\Windows\SysWOW64\Kipmhc32.exe
| MD5 | d9b977896525a241a09ce99af08aeafd |
| SHA1 | f93aae6b9d11378420f254a6268b7800984f4582 |
| SHA256 | 62b53621d50f72a9d1451e7d9af99a0a0be6e3e7984ea8828f5a2a3feac41d9c |
| SHA512 | da52faef9436c495a70cf9a251125349b0374db94a43400a37193fdd1cbec6f3b3fc91dfb2ca924267f49f6895061a214933678e3297396ffaa65779cd22ba1c |
C:\Windows\SysWOW64\Kpieengb.exe
| MD5 | b3138153c4f403e9b1281b84306eb600 |
| SHA1 | c01315747a3778cb8ca17ee02ec06fed967817b1 |
| SHA256 | b3404a24bfc14b9b7273850c3f95ac00e10faec696be55734cf81ed2bff8fa7a |
| SHA512 | 1c77bce4e06c31de093ce0dad4298751b90e2192ebd9499daee674a3c1bf9dd8f38238c18dfa081060eb6da78402babbffe1d2d72451435fc167b156cecd886c |
C:\Windows\SysWOW64\Kmkihbho.exe
| MD5 | b762051ae2e8da38a381b2e8bddb31e4 |
| SHA1 | 1b61b5b85e65188beee246e534ef31b98a31e11e |
| SHA256 | fdaaa1d071cab14caa52d32d606551abe34b9f4a34a15037bfe02099ffd00ca0 |
| SHA512 | 64632bda5476d059896e22c0e978f9c83aa3cd00e5799c96cd19634fa879d9d2c32e51df35744af56ca7034f7c08fa9ea4e1a001e4f233346613e33b574494ff |
C:\Windows\SysWOW64\Kkojbf32.exe
| MD5 | a65ac9c11b2b0be2d8e040c1f8e7087a |
| SHA1 | 4cec8f75718ba4767029e2de745b673b06ab27a9 |
| SHA256 | 7249c0d9f66cf07e42b33d80b32d595f2d150c38d020ee86802e89d3e6d1d02f |
| SHA512 | a9f9943a6d7d7d86d819f1474143833e1dd561d91e0ec25e274756e7a730c6f4151c914e2dfe91970e5d89ca28a0fe4e0b2ac8f51dd020310c4320750cc0cef1 |
C:\Windows\SysWOW64\Libjncnc.exe
| MD5 | 007f4bd18196680a058c02852481f35a |
| SHA1 | 76cf9535f8b14e22ce98feeeee90505c818a6104 |
| SHA256 | 4439c64101b67ca15a6b023def0524d01990046bbb893700b516e50042e881fc |
| SHA512 | a27366d9df013ca28ed31168edf4ca3f4bce13aae3dc4353e9f8962dee83b1cfee454474f054d3da648944caf59e96ddab421547903444ec9cc08e1d2fe6d921 |
C:\Windows\SysWOW64\Llpfjomf.exe
| MD5 | 1538d0fc00f4fbb7cc4c023e4006f123 |
| SHA1 | d47c22664b6a74288ed3d8bec763588d551d3193 |
| SHA256 | f08e1556fc7de55eb5fc6377a6c0ba29e38953f2effd061bc7061208c664e31d |
| SHA512 | 289efea3a309a1f01dbe88d01f12ba9f2dfa84eca4ae944545c6e651a88c6dab94ccb86d7df2efef5c0092f71ea2b81cbf24fcb502993202362d2e2d0d9f5bfd |
C:\Windows\SysWOW64\Lbjofi32.exe
| MD5 | 6e167cada7ae6d51d166228bc9cfdef7 |
| SHA1 | 9b9a6a7fd631675bbf753bb27ed4392acf25c9bd |
| SHA256 | 4b2f870b01f0771ef44a00acc98d3d90e00c05fdf78e30f473a1c44a04d0cc35 |
| SHA512 | 4e485a9396ac38d4ad8c1f3a5cb8c2c2bbc06edba1d6380e6fe1238cbd515a399c1de323c4001fda773ad0b12f424c0e1dd19365682c67effbed1400acaf8c6d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 10:37
Reported
2024-11-10 10:39
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Digehphc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kngkqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qpeahb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hhaggp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jbojlfdp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jeocna32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ddgplado.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hoclopne.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nfcabp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Enmjlojd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ebifmm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Feenjgfq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nmhijd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gbchdp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Caojpaij.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pfepdg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pfepdg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nmdgikhi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iikmbh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ifomll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ondljl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ppnenlka.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hedafk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lnjgfb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lmdnbn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pfoann32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bdmmeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hlppno32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ickglm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fpgpgfmh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iefgbh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kpanan32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aagkhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ehpadhll.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fganqbgg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gaebef32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Doaneiop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lpjjmg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lckboblp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jhkbdmbg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fealin32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lfgipd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fnbcgn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nblolm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ebdcld32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gehbjm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Loighj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ekajec32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ojqcnhkl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fmmmfj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pfiddm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pcpnhl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pcpnhl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Deqcbpld.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Figgdg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Likhem32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Llnnmhfe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mhanngbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nhhdnf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Klahfp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iipfmggc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kofkbk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dhikci32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nqaiecjd.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Ibaeen32.exe | C:\Windows\SysWOW64\Hlglidlo.exe | N/A |
| File created | C:\Windows\SysWOW64\Mnknop32.dll | C:\Windows\SysWOW64\Jadgnb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Galdglpd.dll | C:\Windows\SysWOW64\Glgcbf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmpockdl.dll | C:\Windows\SysWOW64\Adcjop32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mljmhflh.exe | C:\Windows\SysWOW64\Mcaipa32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Omfekbdh.exe | C:\Windows\SysWOW64\Ojhiogdd.exe | N/A |
| File created | C:\Windows\SysWOW64\Ibqnkh32.exe | C:\Windows\SysWOW64\Ilfennic.exe | N/A |
| File created | C:\Windows\SysWOW64\Nbphglbe.exe | C:\Windows\SysWOW64\Nhhdnf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dnbjkgmg.dll | C:\Windows\SysWOW64\Jcanll32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfiedd32.dll | C:\Windows\SysWOW64\Klhnfo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jpbhgp32.dll | C:\Windows\SysWOW64\Ebifmm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Halhfe32.exe | C:\Windows\SysWOW64\Hnnljj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmmqhl32.exe | C:\Windows\SysWOW64\Mgphpe32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nfqnbjfi.exe | C:\Windows\SysWOW64\Nmhijd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jjpode32.exe | C:\Windows\SysWOW64\Jcfggkac.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdmmeo32.exe | C:\Windows\SysWOW64\Apaadpng.exe | N/A |
| File created | C:\Windows\SysWOW64\Qdhlclpe.dll | C:\Windows\SysWOW64\Kiphjo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Llqjbhdc.exe | C:\Windows\SysWOW64\Legben32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nqaiecjd.exe | C:\Windows\SysWOW64\Nbphglbe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oiagde32.exe | C:\Windows\SysWOW64\Nfqnbjfi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kpmdfonj.exe | C:\Windows\SysWOW64\Klahfp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iocedcbl.dll | C:\Windows\SysWOW64\Akdilipp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Edbiniff.exe | C:\Windows\SysWOW64\Eoepebho.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkaclqkk.exe | C:\Windows\SysWOW64\Ggfglb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lcnfohmi.exe | C:\Windows\SysWOW64\Lmdnbn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pnifekmd.exe | C:\Windows\SysWOW64\Ppgegd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bpfkpp32.exe | C:\Windows\SysWOW64\Bhkfkmmg.exe | N/A |
| File created | C:\Windows\SysWOW64\Jadgnb32.exe | C:\Windows\SysWOW64\Jpbjfjci.exe | N/A |
| File created | C:\Windows\SysWOW64\Fgmdec32.exe | C:\Windows\SysWOW64\Fdnhih32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Glhimp32.exe | C:\Windows\SysWOW64\Gnblnlhl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hlppno32.exe | C:\Windows\SysWOW64\Hajkqfoe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lcclncbh.exe | C:\Windows\SysWOW64\Lpepbgbd.exe | N/A |
| File created | C:\Windows\SysWOW64\Fhhfif32.dll | C:\Windows\SysWOW64\Jljbeali.exe | N/A |
| File created | C:\Windows\SysWOW64\Klhnfo32.exe | C:\Windows\SysWOW64\Kjjbjd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mnegbp32.exe | C:\Windows\SysWOW64\Mjjkaabc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aagkhd32.exe | C:\Windows\SysWOW64\Adcjop32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gblbca32.exe | C:\Windows\SysWOW64\Glbjggof.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Iipfmggc.exe | C:\Windows\SysWOW64\Ibfnqmpf.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnbeeiji.exe | C:\Windows\SysWOW64\Haodle32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pjoppf32.exe | C:\Windows\SysWOW64\Pcegclgp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dkahilkl.exe | C:\Windows\SysWOW64\Ddgplado.exe | N/A |
| File created | C:\Windows\SysWOW64\Aajhndkb.exe | C:\Windows\SysWOW64\Ahaceo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ifaohg32.dll | C:\Windows\SysWOW64\Apaadpng.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmncdk32.dll | C:\Windows\SysWOW64\Bklomh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ddgplado.exe | C:\Windows\SysWOW64\Dokgdkeh.exe | N/A |
| File created | C:\Windows\SysWOW64\Plmell32.dll | C:\Windows\SysWOW64\Gaebef32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nhhdnf32.exe | C:\Windows\SysWOW64\Nhegig32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fiodpl32.exe | C:\Windows\SysWOW64\Fpgpgfmh.exe | N/A |
| File created | C:\Windows\SysWOW64\Hpnoncim.exe | C:\Windows\SysWOW64\Hidgai32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qfoaecol.dll | C:\Windows\SysWOW64\Cgifbhid.exe | N/A |
| File created | C:\Windows\SysWOW64\Ekonpckp.exe | C:\Windows\SysWOW64\Ehpadhll.exe | N/A |
| File created | C:\Windows\SysWOW64\Qjfmkk32.exe | C:\Windows\SysWOW64\Qhhpop32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lckggdbo.dll | C:\Windows\SysWOW64\Ipgkjlmg.exe | N/A |
| File created | C:\Windows\SysWOW64\Lphdhn32.dll | C:\Windows\SysWOW64\Jpegkj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kolabf32.exe | C:\Windows\SysWOW64\Klndfj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kfbdfl32.dll | C:\Windows\SysWOW64\Eeelnp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Enpmld32.exe | C:\Windows\SysWOW64\Emoadlfo.exe | N/A |
| File created | C:\Windows\SysWOW64\Glgcbf32.exe | C:\Windows\SysWOW64\Gihgfk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Obqhpfck.dll | C:\Windows\SysWOW64\Mqkiok32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hidgai32.exe | C:\Windows\SysWOW64\Hffken32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jljbeali.exe | C:\Windows\SysWOW64\Jilfifme.exe | N/A |
| File created | C:\Windows\SysWOW64\Lfebfnqn.dll | C:\Windows\SysWOW64\Gojiiafp.exe | N/A |
| File created | C:\Windows\SysWOW64\Qdaniq32.exe | C:\Windows\SysWOW64\Qpeahb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lcdciiec.exe | C:\Windows\SysWOW64\Loighj32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Pififb32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gehbjm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Egaejeej.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Filapfbo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmadco32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iinjhh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kfpcoefj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gegkpf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nhegig32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hibjli32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nflkbanj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aagkhd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Apaadpng.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fdnhih32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ggfglb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jeapcq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lojmcdgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hekgfj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jilfifme.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lcnfohmi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qpeahb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eoepebho.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fqgedh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jadgnb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nqaiecjd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ojhiogdd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mhanngbl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fneggdhg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gbchdp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iikmbh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jgkmgk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Npiiffqe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Klndfj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Klggli32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Padnaq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dnbakghm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lfbped32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nqbpojnp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qhhpop32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lpjjmg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Omfekbdh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jjpode32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hecjke32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jaonbc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eklajcmc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ilnlom32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pafkgphl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ekdnei32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gmafajfi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Enkmfolf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jikoopij.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lchfib32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Glbjggof.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dkhgod32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fndpmndl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hoclopne.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pfoann32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cpmapodj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Halhfe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pbekii32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hedafk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jniood32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Klahfp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kngkqbgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Moipoh32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmolo32.dll" | C:\Windows\SysWOW64\Lmdnbn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nfcabp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pnifekmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hedafk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Likhem32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eklikcef.dll" | C:\Windows\SysWOW64\Gbalopbn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lgbloglj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hlkfbocp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbcikkp.dll" | C:\Windows\SysWOW64\Mjggal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pbekii32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiboaq32.dll" | C:\Windows\SysWOW64\Dmadco32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Iinjhh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ppgegd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Enkdaepb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hffken32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfebfnqn.dll" | C:\Windows\SysWOW64\Gojiiafp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fbdehlip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gmimai32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lokdnjkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hpnoncim.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ibaeen32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecgicmp.dll" | C:\Windows\SysWOW64\Fnkfmm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpdeo32.dll" | C:\Windows\SysWOW64\Gkaclqkk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kolabf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lcclncbh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgljk32.dll" | C:\Windows\SysWOW64\Pcpnhl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lfgipd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll" | C:\Windows\SysWOW64\Akkffkhk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ehlhih32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldjcoje.dll" | C:\Windows\SysWOW64\Fnbcgn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gaebef32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fiodpl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfipab32.dll" | C:\Windows\SysWOW64\Ebdcld32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdkcj32.dll" | C:\Windows\SysWOW64\Lckboblp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iheocj32.dll" | C:\Windows\SysWOW64\Pbekii32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dhgonidg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmpaf32.dll" | C:\Windows\SysWOW64\Obnehj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cikamapb.dll" | C:\Windows\SysWOW64\Hekgfj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnpek32.dll" | C:\Windows\SysWOW64\Lpgmhg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mjggal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nblolm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkncfepb.dll" | C:\Windows\SysWOW64\Mcpcdg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jadgnb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gbiockdj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fijkdmhn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fnkfmm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dodjjimm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pcpnhl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhjedb.dll" | C:\Windows\SysWOW64\Hmkigh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Glbjggof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll" | C:\Windows\SysWOW64\Pmpolgoi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmijpchc.dll" | C:\Windows\SysWOW64\Ahaceo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhmgagf.dll" | C:\Windows\SysWOW64\Eoepebho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Filapfbo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknofqcc.dll" | C:\Windows\SysWOW64\Piocecgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dnbakghm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jgpfbjlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Feqeog32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Feenjgfq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mljmhflh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmjob32.dll" | C:\Windows\SysWOW64\Lcnfohmi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ibfnqmpf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mjcngpjh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cpmapodj.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe
"C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe"
C:\Windows\SysWOW64\Dokgdkeh.exe
C:\Windows\system32\Dokgdkeh.exe
C:\Windows\SysWOW64\Ddgplado.exe
C:\Windows\system32\Ddgplado.exe
C:\Windows\SysWOW64\Dkahilkl.exe
C:\Windows\system32\Dkahilkl.exe
C:\Windows\SysWOW64\Dfglfdkb.exe
C:\Windows\system32\Dfglfdkb.exe
C:\Windows\SysWOW64\Dmadco32.exe
C:\Windows\system32\Dmadco32.exe
C:\Windows\SysWOW64\Dnbakghm.exe
C:\Windows\system32\Dnbakghm.exe
C:\Windows\SysWOW64\Digehphc.exe
C:\Windows\system32\Digehphc.exe
C:\Windows\SysWOW64\Doaneiop.exe
C:\Windows\system32\Doaneiop.exe
C:\Windows\SysWOW64\Ddnfmqng.exe
C:\Windows\system32\Ddnfmqng.exe
C:\Windows\SysWOW64\Dodjjimm.exe
C:\Windows\system32\Dodjjimm.exe
C:\Windows\SysWOW64\Deqcbpld.exe
C:\Windows\system32\Deqcbpld.exe
C:\Windows\SysWOW64\Ekkkoj32.exe
C:\Windows\system32\Ekkkoj32.exe
C:\Windows\SysWOW64\Ebdcld32.exe
C:\Windows\system32\Ebdcld32.exe
C:\Windows\SysWOW64\Ekmhejao.exe
C:\Windows\system32\Ekmhejao.exe
C:\Windows\SysWOW64\Enkdaepb.exe
C:\Windows\system32\Enkdaepb.exe
C:\Windows\SysWOW64\Eeelnp32.exe
C:\Windows\system32\Eeelnp32.exe
C:\Windows\SysWOW64\Eokqkh32.exe
C:\Windows\system32\Eokqkh32.exe
C:\Windows\SysWOW64\Ebimgcfi.exe
C:\Windows\system32\Ebimgcfi.exe
C:\Windows\SysWOW64\Emoadlfo.exe
C:\Windows\system32\Emoadlfo.exe
C:\Windows\SysWOW64\Enpmld32.exe
C:\Windows\system32\Enpmld32.exe
C:\Windows\SysWOW64\Eifaim32.exe
C:\Windows\system32\Eifaim32.exe
C:\Windows\SysWOW64\Ekdnei32.exe
C:\Windows\system32\Ekdnei32.exe
C:\Windows\SysWOW64\Enbjad32.exe
C:\Windows\system32\Enbjad32.exe
C:\Windows\SysWOW64\Fihnomjp.exe
C:\Windows\system32\Fihnomjp.exe
C:\Windows\SysWOW64\Flfkkhid.exe
C:\Windows\system32\Flfkkhid.exe
C:\Windows\SysWOW64\Fneggdhg.exe
C:\Windows\system32\Fneggdhg.exe
C:\Windows\SysWOW64\Fijkdmhn.exe
C:\Windows\system32\Fijkdmhn.exe
C:\Windows\SysWOW64\Fligqhga.exe
C:\Windows\system32\Fligqhga.exe
C:\Windows\SysWOW64\Fbbpmb32.exe
C:\Windows\system32\Fbbpmb32.exe
C:\Windows\SysWOW64\Fealin32.exe
C:\Windows\system32\Fealin32.exe
C:\Windows\SysWOW64\Fpgpgfmh.exe
C:\Windows\system32\Fpgpgfmh.exe
C:\Windows\SysWOW64\Fiodpl32.exe
C:\Windows\system32\Fiodpl32.exe
C:\Windows\SysWOW64\Fnlmhc32.exe
C:\Windows\system32\Fnlmhc32.exe
C:\Windows\SysWOW64\Fefedmil.exe
C:\Windows\system32\Fefedmil.exe
C:\Windows\SysWOW64\Fmmmfj32.exe
C:\Windows\system32\Fmmmfj32.exe
C:\Windows\SysWOW64\Fnnjmbpm.exe
C:\Windows\system32\Fnnjmbpm.exe
C:\Windows\SysWOW64\Gehbjm32.exe
C:\Windows\system32\Gehbjm32.exe
C:\Windows\SysWOW64\Glbjggof.exe
C:\Windows\system32\Glbjggof.exe
C:\Windows\SysWOW64\Gblbca32.exe
C:\Windows\system32\Gblbca32.exe
C:\Windows\SysWOW64\Gejopl32.exe
C:\Windows\system32\Gejopl32.exe
C:\Windows\SysWOW64\Gmafajfi.exe
C:\Windows\system32\Gmafajfi.exe
C:\Windows\SysWOW64\Gfjkjo32.exe
C:\Windows\system32\Gfjkjo32.exe
C:\Windows\SysWOW64\Gihgfk32.exe
C:\Windows\system32\Gihgfk32.exe
C:\Windows\SysWOW64\Glgcbf32.exe
C:\Windows\system32\Glgcbf32.exe
C:\Windows\SysWOW64\Gbalopbn.exe
C:\Windows\system32\Gbalopbn.exe
C:\Windows\SysWOW64\Gikdkj32.exe
C:\Windows\system32\Gikdkj32.exe
C:\Windows\SysWOW64\Glipgf32.exe
C:\Windows\system32\Glipgf32.exe
C:\Windows\SysWOW64\Gbchdp32.exe
C:\Windows\system32\Gbchdp32.exe
C:\Windows\SysWOW64\Gmimai32.exe
C:\Windows\system32\Gmimai32.exe
C:\Windows\SysWOW64\Gojiiafp.exe
C:\Windows\system32\Gojiiafp.exe
C:\Windows\SysWOW64\Hedafk32.exe
C:\Windows\system32\Hedafk32.exe
C:\Windows\SysWOW64\Hmkigh32.exe
C:\Windows\system32\Hmkigh32.exe
C:\Windows\SysWOW64\Holfoqcm.exe
C:\Windows\system32\Holfoqcm.exe
C:\Windows\SysWOW64\Hfcnpn32.exe
C:\Windows\system32\Hfcnpn32.exe
C:\Windows\SysWOW64\Hibjli32.exe
C:\Windows\system32\Hibjli32.exe
C:\Windows\SysWOW64\Hplbickp.exe
C:\Windows\system32\Hplbickp.exe
C:\Windows\SysWOW64\Hffken32.exe
C:\Windows\system32\Hffken32.exe
C:\Windows\SysWOW64\Hidgai32.exe
C:\Windows\system32\Hidgai32.exe
C:\Windows\SysWOW64\Hpnoncim.exe
C:\Windows\system32\Hpnoncim.exe
C:\Windows\SysWOW64\Hblkjo32.exe
C:\Windows\system32\Hblkjo32.exe
C:\Windows\SysWOW64\Hekgfj32.exe
C:\Windows\system32\Hekgfj32.exe
C:\Windows\SysWOW64\Hlepcdoa.exe
C:\Windows\system32\Hlepcdoa.exe
C:\Windows\SysWOW64\Hoclopne.exe
C:\Windows\system32\Hoclopne.exe
C:\Windows\SysWOW64\Hiipmhmk.exe
C:\Windows\system32\Hiipmhmk.exe
C:\Windows\SysWOW64\Hlglidlo.exe
C:\Windows\system32\Hlglidlo.exe
C:\Windows\SysWOW64\Ibaeen32.exe
C:\Windows\system32\Ibaeen32.exe
C:\Windows\SysWOW64\Iikmbh32.exe
C:\Windows\system32\Iikmbh32.exe
C:\Windows\SysWOW64\Iliinc32.exe
C:\Windows\system32\Iliinc32.exe
C:\Windows\SysWOW64\Ifomll32.exe
C:\Windows\system32\Ifomll32.exe
C:\Windows\SysWOW64\Iinjhh32.exe
C:\Windows\system32\Iinjhh32.exe
C:\Windows\SysWOW64\Illfdc32.exe
C:\Windows\system32\Illfdc32.exe
C:\Windows\SysWOW64\Ibfnqmpf.exe
C:\Windows\system32\Ibfnqmpf.exe
C:\Windows\SysWOW64\Iipfmggc.exe
C:\Windows\system32\Iipfmggc.exe
C:\Windows\SysWOW64\Iefgbh32.exe
C:\Windows\system32\Iefgbh32.exe
C:\Windows\SysWOW64\Ickglm32.exe
C:\Windows\system32\Ickglm32.exe
C:\Windows\SysWOW64\Ilcldb32.exe
C:\Windows\system32\Ilcldb32.exe
C:\Windows\SysWOW64\Joahqn32.exe
C:\Windows\system32\Joahqn32.exe
C:\Windows\SysWOW64\Jmbhoeid.exe
C:\Windows\system32\Jmbhoeid.exe
C:\Windows\SysWOW64\Jocefm32.exe
C:\Windows\system32\Jocefm32.exe
C:\Windows\SysWOW64\Jgkmgk32.exe
C:\Windows\system32\Jgkmgk32.exe
C:\Windows\SysWOW64\Jlgepanl.exe
C:\Windows\system32\Jlgepanl.exe
C:\Windows\SysWOW64\Jcanll32.exe
C:\Windows\system32\Jcanll32.exe
C:\Windows\SysWOW64\Jilfifme.exe
C:\Windows\system32\Jilfifme.exe
C:\Windows\SysWOW64\Jljbeali.exe
C:\Windows\system32\Jljbeali.exe
C:\Windows\SysWOW64\Jgpfbjlo.exe
C:\Windows\system32\Jgpfbjlo.exe
C:\Windows\SysWOW64\Jniood32.exe
C:\Windows\system32\Jniood32.exe
C:\Windows\SysWOW64\Jcfggkac.exe
C:\Windows\system32\Jcfggkac.exe
C:\Windows\SysWOW64\Jjpode32.exe
C:\Windows\system32\Jjpode32.exe
C:\Windows\SysWOW64\Komhll32.exe
C:\Windows\system32\Komhll32.exe
C:\Windows\SysWOW64\Kjblje32.exe
C:\Windows\system32\Kjblje32.exe
C:\Windows\SysWOW64\Klahfp32.exe
C:\Windows\system32\Klahfp32.exe
C:\Windows\SysWOW64\Kpmdfonj.exe
C:\Windows\system32\Kpmdfonj.exe
C:\Windows\SysWOW64\Koaagkcb.exe
C:\Windows\system32\Koaagkcb.exe
C:\Windows\SysWOW64\Kpanan32.exe
C:\Windows\system32\Kpanan32.exe
C:\Windows\SysWOW64\Kgkfnh32.exe
C:\Windows\system32\Kgkfnh32.exe
C:\Windows\SysWOW64\Kjjbjd32.exe
C:\Windows\system32\Kjjbjd32.exe
C:\Windows\SysWOW64\Klhnfo32.exe
C:\Windows\system32\Klhnfo32.exe
C:\Windows\SysWOW64\Kofkbk32.exe
C:\Windows\system32\Kofkbk32.exe
C:\Windows\SysWOW64\Kfpcoefj.exe
C:\Windows\system32\Kfpcoefj.exe
C:\Windows\SysWOW64\Kngkqbgl.exe
C:\Windows\system32\Kngkqbgl.exe
C:\Windows\SysWOW64\Loighj32.exe
C:\Windows\system32\Loighj32.exe
C:\Windows\SysWOW64\Lcdciiec.exe
C:\Windows\system32\Lcdciiec.exe
C:\Windows\SysWOW64\Lfbped32.exe
C:\Windows\system32\Lfbped32.exe
C:\Windows\SysWOW64\Lnjgfb32.exe
C:\Windows\system32\Lnjgfb32.exe
C:\Windows\SysWOW64\Lokdnjkg.exe
C:\Windows\system32\Lokdnjkg.exe
C:\Windows\SysWOW64\Lgbloglj.exe
C:\Windows\system32\Lgbloglj.exe
C:\Windows\SysWOW64\Lfeljd32.exe
C:\Windows\system32\Lfeljd32.exe
C:\Windows\SysWOW64\Llodgnja.exe
C:\Windows\system32\Llodgnja.exe
C:\Windows\SysWOW64\Lfgipd32.exe
C:\Windows\system32\Lfgipd32.exe
C:\Windows\SysWOW64\Lopmii32.exe
C:\Windows\system32\Lopmii32.exe
C:\Windows\SysWOW64\Lmdnbn32.exe
C:\Windows\system32\Lmdnbn32.exe
C:\Windows\SysWOW64\Lcnfohmi.exe
C:\Windows\system32\Lcnfohmi.exe
C:\Windows\SysWOW64\Lncjlq32.exe
C:\Windows\system32\Lncjlq32.exe
C:\Windows\SysWOW64\Mcpcdg32.exe
C:\Windows\system32\Mcpcdg32.exe
C:\Windows\SysWOW64\Mjjkaabc.exe
C:\Windows\system32\Mjjkaabc.exe
C:\Windows\SysWOW64\Mnegbp32.exe
C:\Windows\system32\Mnegbp32.exe
C:\Windows\SysWOW64\Mjlhgaqp.exe
C:\Windows\system32\Mjlhgaqp.exe
C:\Windows\SysWOW64\Mmkdcm32.exe
C:\Windows\system32\Mmkdcm32.exe
C:\Windows\SysWOW64\Moipoh32.exe
C:\Windows\system32\Moipoh32.exe
C:\Windows\SysWOW64\Mgphpe32.exe
C:\Windows\system32\Mgphpe32.exe
C:\Windows\SysWOW64\Mmmqhl32.exe
C:\Windows\system32\Mmmqhl32.exe
C:\Windows\SysWOW64\Mcgiefen.exe
C:\Windows\system32\Mcgiefen.exe
C:\Windows\SysWOW64\Mnmmboed.exe
C:\Windows\system32\Mnmmboed.exe
C:\Windows\SysWOW64\Mqkiok32.exe
C:\Windows\system32\Mqkiok32.exe
C:\Windows\SysWOW64\Mjcngpjh.exe
C:\Windows\system32\Mjcngpjh.exe
C:\Windows\SysWOW64\Nfjola32.exe
C:\Windows\system32\Nfjola32.exe
C:\Windows\SysWOW64\Nmdgikhi.exe
C:\Windows\system32\Nmdgikhi.exe
C:\Windows\SysWOW64\Nflkbanj.exe
C:\Windows\system32\Nflkbanj.exe
C:\Windows\SysWOW64\Nqbpojnp.exe
C:\Windows\system32\Nqbpojnp.exe
C:\Windows\SysWOW64\Npepkf32.exe
C:\Windows\system32\Npepkf32.exe
C:\Windows\SysWOW64\Nnfpinmi.exe
C:\Windows\system32\Nnfpinmi.exe
C:\Windows\SysWOW64\Ncchae32.exe
C:\Windows\system32\Ncchae32.exe
C:\Windows\SysWOW64\Npiiffqe.exe
C:\Windows\system32\Npiiffqe.exe
C:\Windows\SysWOW64\Nfcabp32.exe
C:\Windows\system32\Nfcabp32.exe
C:\Windows\SysWOW64\Omnjojpo.exe
C:\Windows\system32\Omnjojpo.exe
C:\Windows\SysWOW64\Ocgbld32.exe
C:\Windows\system32\Ocgbld32.exe
C:\Windows\SysWOW64\Ombcji32.exe
C:\Windows\system32\Ombcji32.exe
C:\Windows\SysWOW64\Ojfcdnjc.exe
C:\Windows\system32\Ojfcdnjc.exe
C:\Windows\SysWOW64\Ocohmc32.exe
C:\Windows\system32\Ocohmc32.exe
C:\Windows\SysWOW64\Ondljl32.exe
C:\Windows\system32\Ondljl32.exe
C:\Windows\SysWOW64\Pfoann32.exe
C:\Windows\system32\Pfoann32.exe
C:\Windows\SysWOW64\Ppgegd32.exe
C:\Windows\system32\Ppgegd32.exe
C:\Windows\SysWOW64\Pnifekmd.exe
C:\Windows\system32\Pnifekmd.exe
C:\Windows\SysWOW64\Pjpfjl32.exe
C:\Windows\system32\Pjpfjl32.exe
C:\Windows\SysWOW64\Pmpolgoi.exe
C:\Windows\system32\Pmpolgoi.exe
C:\Windows\SysWOW64\Phfcipoo.exe
C:\Windows\system32\Phfcipoo.exe
C:\Windows\SysWOW64\Pfiddm32.exe
C:\Windows\system32\Pfiddm32.exe
C:\Windows\SysWOW64\Pnplfj32.exe
C:\Windows\system32\Pnplfj32.exe
C:\Windows\SysWOW64\Panhbfep.exe
C:\Windows\system32\Panhbfep.exe
C:\Windows\SysWOW64\Qhhpop32.exe
C:\Windows\system32\Qhhpop32.exe
C:\Windows\SysWOW64\Qjfmkk32.exe
C:\Windows\system32\Qjfmkk32.exe
C:\Windows\SysWOW64\Qobhkjdi.exe
C:\Windows\system32\Qobhkjdi.exe
C:\Windows\SysWOW64\Qdoacabq.exe
C:\Windows\system32\Qdoacabq.exe
C:\Windows\SysWOW64\Qjiipk32.exe
C:\Windows\system32\Qjiipk32.exe
C:\Windows\SysWOW64\Qpeahb32.exe
C:\Windows\system32\Qpeahb32.exe
C:\Windows\SysWOW64\Qdaniq32.exe
C:\Windows\system32\Qdaniq32.exe
C:\Windows\SysWOW64\Akkffkhk.exe
C:\Windows\system32\Akkffkhk.exe
C:\Windows\SysWOW64\Adcjop32.exe
C:\Windows\system32\Adcjop32.exe
C:\Windows\SysWOW64\Aagkhd32.exe
C:\Windows\system32\Aagkhd32.exe
C:\Windows\SysWOW64\Ahaceo32.exe
C:\Windows\system32\Ahaceo32.exe
C:\Windows\SysWOW64\Aajhndkb.exe
C:\Windows\system32\Aajhndkb.exe
C:\Windows\SysWOW64\Apmhiq32.exe
C:\Windows\system32\Apmhiq32.exe
C:\Windows\SysWOW64\Aggpfkjj.exe
C:\Windows\system32\Aggpfkjj.exe
C:\Windows\SysWOW64\Aonhghjl.exe
C:\Windows\system32\Aonhghjl.exe
C:\Windows\SysWOW64\Akdilipp.exe
C:\Windows\system32\Akdilipp.exe
C:\Windows\SysWOW64\Apaadpng.exe
C:\Windows\system32\Apaadpng.exe
C:\Windows\SysWOW64\Bdmmeo32.exe
C:\Windows\system32\Bdmmeo32.exe
C:\Windows\SysWOW64\Bobabg32.exe
C:\Windows\system32\Bobabg32.exe
C:\Windows\SysWOW64\Bhkfkmmg.exe
C:\Windows\system32\Bhkfkmmg.exe
C:\Windows\SysWOW64\Bpfkpp32.exe
C:\Windows\system32\Bpfkpp32.exe
C:\Windows\SysWOW64\Bhmbqm32.exe
C:\Windows\system32\Bhmbqm32.exe
C:\Windows\SysWOW64\Bklomh32.exe
C:\Windows\system32\Bklomh32.exe
C:\Windows\SysWOW64\Bhpofl32.exe
C:\Windows\system32\Bhpofl32.exe
C:\Windows\SysWOW64\Bahdob32.exe
C:\Windows\system32\Bahdob32.exe
C:\Windows\SysWOW64\Cpmapodj.exe
C:\Windows\system32\Cpmapodj.exe
C:\Windows\SysWOW64\Cgifbhid.exe
C:\Windows\system32\Cgifbhid.exe
C:\Windows\SysWOW64\Caojpaij.exe
C:\Windows\system32\Caojpaij.exe
C:\Windows\SysWOW64\Chkobkod.exe
C:\Windows\system32\Chkobkod.exe
C:\Windows\SysWOW64\Chnlgjlb.exe
C:\Windows\system32\Chnlgjlb.exe
C:\Windows\SysWOW64\Dddllkbf.exe
C:\Windows\system32\Dddllkbf.exe
C:\Windows\SysWOW64\Dnmaea32.exe
C:\Windows\system32\Dnmaea32.exe
C:\Windows\SysWOW64\Dhbebj32.exe
C:\Windows\system32\Dhbebj32.exe
C:\Windows\SysWOW64\Dkcndeen.exe
C:\Windows\system32\Dkcndeen.exe
C:\Windows\SysWOW64\Dhgonidg.exe
C:\Windows\system32\Dhgonidg.exe
C:\Windows\SysWOW64\Dhikci32.exe
C:\Windows\system32\Dhikci32.exe
C:\Windows\SysWOW64\Dkhgod32.exe
C:\Windows\system32\Dkhgod32.exe
C:\Windows\SysWOW64\Ehlhih32.exe
C:\Windows\system32\Ehlhih32.exe
C:\Windows\SysWOW64\Eoepebho.exe
C:\Windows\system32\Eoepebho.exe
C:\Windows\SysWOW64\Edbiniff.exe
C:\Windows\system32\Edbiniff.exe
C:\Windows\SysWOW64\Egaejeej.exe
C:\Windows\system32\Egaejeej.exe
C:\Windows\SysWOW64\Eklajcmc.exe
C:\Windows\system32\Eklajcmc.exe
C:\Windows\SysWOW64\Enkmfolf.exe
C:\Windows\system32\Enkmfolf.exe
C:\Windows\SysWOW64\Ehpadhll.exe
C:\Windows\system32\Ehpadhll.exe
C:\Windows\SysWOW64\Ekonpckp.exe
C:\Windows\system32\Ekonpckp.exe
C:\Windows\SysWOW64\Enmjlojd.exe
C:\Windows\system32\Enmjlojd.exe
C:\Windows\SysWOW64\Ebifmm32.exe
C:\Windows\system32\Ebifmm32.exe
C:\Windows\SysWOW64\Egened32.exe
C:\Windows\system32\Egened32.exe
C:\Windows\SysWOW64\Ekajec32.exe
C:\Windows\system32\Ekajec32.exe
C:\Windows\SysWOW64\Enpfan32.exe
C:\Windows\system32\Enpfan32.exe
C:\Windows\SysWOW64\Edionhpn.exe
C:\Windows\system32\Edionhpn.exe
C:\Windows\SysWOW64\Eghkjdoa.exe
C:\Windows\system32\Eghkjdoa.exe
C:\Windows\SysWOW64\Fnbcgn32.exe
C:\Windows\system32\Fnbcgn32.exe
C:\Windows\SysWOW64\Fqppci32.exe
C:\Windows\system32\Fqppci32.exe
C:\Windows\SysWOW64\Figgdg32.exe
C:\Windows\system32\Figgdg32.exe
C:\Windows\SysWOW64\Fndpmndl.exe
C:\Windows\system32\Fndpmndl.exe
C:\Windows\SysWOW64\Fdnhih32.exe
C:\Windows\system32\Fdnhih32.exe
C:\Windows\SysWOW64\Fgmdec32.exe
C:\Windows\system32\Fgmdec32.exe
C:\Windows\SysWOW64\Feqeog32.exe
C:\Windows\system32\Feqeog32.exe
C:\Windows\SysWOW64\Filapfbo.exe
C:\Windows\system32\Filapfbo.exe
C:\Windows\SysWOW64\Fkjmlaac.exe
C:\Windows\system32\Fkjmlaac.exe
C:\Windows\SysWOW64\Fbdehlip.exe
C:\Windows\system32\Fbdehlip.exe
C:\Windows\SysWOW64\Fqgedh32.exe
C:\Windows\system32\Fqgedh32.exe
C:\Windows\SysWOW64\Finnef32.exe
C:\Windows\system32\Finnef32.exe
C:\Windows\SysWOW64\Fganqbgg.exe
C:\Windows\system32\Fganqbgg.exe
C:\Windows\SysWOW64\Fkmjaa32.exe
C:\Windows\system32\Fkmjaa32.exe
C:\Windows\SysWOW64\Fnkfmm32.exe
C:\Windows\system32\Fnkfmm32.exe
C:\Windows\SysWOW64\Feenjgfq.exe
C:\Windows\system32\Feenjgfq.exe
C:\Windows\SysWOW64\Gokbgpeg.exe
C:\Windows\system32\Gokbgpeg.exe
C:\Windows\SysWOW64\Gbiockdj.exe
C:\Windows\system32\Gbiockdj.exe
C:\Windows\SysWOW64\Gegkpf32.exe
C:\Windows\system32\Gegkpf32.exe
C:\Windows\SysWOW64\Ggfglb32.exe
C:\Windows\system32\Ggfglb32.exe
C:\Windows\SysWOW64\Gkaclqkk.exe
C:\Windows\system32\Gkaclqkk.exe
C:\Windows\SysWOW64\Gnpphljo.exe
C:\Windows\system32\Gnpphljo.exe
C:\Windows\SysWOW64\Giecfejd.exe
C:\Windows\system32\Giecfejd.exe
C:\Windows\SysWOW64\Gnblnlhl.exe
C:\Windows\system32\Gnblnlhl.exe
C:\Windows\SysWOW64\Glhimp32.exe
C:\Windows\system32\Glhimp32.exe
C:\Windows\SysWOW64\Gaebef32.exe
C:\Windows\system32\Gaebef32.exe
C:\Windows\SysWOW64\Hlkfbocp.exe
C:\Windows\system32\Hlkfbocp.exe
C:\Windows\SysWOW64\Hbenoi32.exe
C:\Windows\system32\Hbenoi32.exe
C:\Windows\SysWOW64\Hecjke32.exe
C:\Windows\system32\Hecjke32.exe
C:\Windows\SysWOW64\Hhaggp32.exe
C:\Windows\system32\Hhaggp32.exe
C:\Windows\SysWOW64\Hajkqfoe.exe
C:\Windows\system32\Hajkqfoe.exe
C:\Windows\SysWOW64\Hlppno32.exe
C:\Windows\system32\Hlppno32.exe
C:\Windows\SysWOW64\Hnnljj32.exe
C:\Windows\system32\Hnnljj32.exe
C:\Windows\SysWOW64\Halhfe32.exe
C:\Windows\system32\Halhfe32.exe
C:\Windows\SysWOW64\Hehdfdek.exe
C:\Windows\system32\Hehdfdek.exe
C:\Windows\SysWOW64\Haodle32.exe
C:\Windows\system32\Haodle32.exe
C:\Windows\SysWOW64\Hnbeeiji.exe
C:\Windows\system32\Hnbeeiji.exe
C:\Windows\SysWOW64\Ilfennic.exe
C:\Windows\system32\Ilfennic.exe
C:\Windows\SysWOW64\Ibqnkh32.exe
C:\Windows\system32\Ibqnkh32.exe
C:\Windows\SysWOW64\Iogopi32.exe
C:\Windows\system32\Iogopi32.exe
C:\Windows\SysWOW64\Ipgkjlmg.exe
C:\Windows\system32\Ipgkjlmg.exe
C:\Windows\SysWOW64\Ilnlom32.exe
C:\Windows\system32\Ilnlom32.exe
C:\Windows\SysWOW64\Ilphdlqh.exe
C:\Windows\system32\Ilphdlqh.exe
C:\Windows\SysWOW64\Iehmmb32.exe
C:\Windows\system32\Iehmmb32.exe
C:\Windows\SysWOW64\Jaonbc32.exe
C:\Windows\system32\Jaonbc32.exe
C:\Windows\SysWOW64\Jbojlfdp.exe
C:\Windows\system32\Jbojlfdp.exe
C:\Windows\SysWOW64\Jhkbdmbg.exe
C:\Windows\system32\Jhkbdmbg.exe
C:\Windows\SysWOW64\Jpbjfjci.exe
C:\Windows\system32\Jpbjfjci.exe
C:\Windows\SysWOW64\Jadgnb32.exe
C:\Windows\system32\Jadgnb32.exe
C:\Windows\SysWOW64\Jeocna32.exe
C:\Windows\system32\Jeocna32.exe
C:\Windows\SysWOW64\Jikoopij.exe
C:\Windows\system32\Jikoopij.exe
C:\Windows\SysWOW64\Jpegkj32.exe
C:\Windows\system32\Jpegkj32.exe
C:\Windows\SysWOW64\Jbccge32.exe
C:\Windows\system32\Jbccge32.exe
C:\Windows\SysWOW64\Jeapcq32.exe
C:\Windows\system32\Jeapcq32.exe
C:\Windows\SysWOW64\Kiphjo32.exe
C:\Windows\system32\Kiphjo32.exe
C:\Windows\SysWOW64\Klndfj32.exe
C:\Windows\system32\Klndfj32.exe
C:\Windows\SysWOW64\Kolabf32.exe
C:\Windows\system32\Kolabf32.exe
C:\Windows\SysWOW64\Kplmliko.exe
C:\Windows\system32\Kplmliko.exe
C:\Windows\SysWOW64\Kpnjah32.exe
C:\Windows\system32\Kpnjah32.exe
C:\Windows\SysWOW64\Kifojnol.exe
C:\Windows\system32\Kifojnol.exe
C:\Windows\SysWOW64\Klekfinp.exe
C:\Windows\system32\Klekfinp.exe
C:\Windows\SysWOW64\Klggli32.exe
C:\Windows\system32\Klggli32.exe
C:\Windows\SysWOW64\Likhem32.exe
C:\Windows\system32\Likhem32.exe
C:\Windows\SysWOW64\Lpepbgbd.exe
C:\Windows\system32\Lpepbgbd.exe
C:\Windows\SysWOW64\Lcclncbh.exe
C:\Windows\system32\Lcclncbh.exe
C:\Windows\SysWOW64\Lebijnak.exe
C:\Windows\system32\Lebijnak.exe
C:\Windows\SysWOW64\Lindkm32.exe
C:\Windows\system32\Lindkm32.exe
C:\Windows\SysWOW64\Lpgmhg32.exe
C:\Windows\system32\Lpgmhg32.exe
C:\Windows\SysWOW64\Lojmcdgl.exe
C:\Windows\system32\Lojmcdgl.exe
C:\Windows\SysWOW64\Ledepn32.exe
C:\Windows\system32\Ledepn32.exe
C:\Windows\SysWOW64\Llnnmhfe.exe
C:\Windows\system32\Llnnmhfe.exe
C:\Windows\SysWOW64\Lpjjmg32.exe
C:\Windows\system32\Lpjjmg32.exe
C:\Windows\SysWOW64\Lchfib32.exe
C:\Windows\system32\Lchfib32.exe
C:\Windows\SysWOW64\Legben32.exe
C:\Windows\system32\Legben32.exe
C:\Windows\SysWOW64\Llqjbhdc.exe
C:\Windows\system32\Llqjbhdc.exe
C:\Windows\SysWOW64\Lckboblp.exe
C:\Windows\system32\Lckboblp.exe
C:\Windows\SysWOW64\Lhgkgijg.exe
C:\Windows\system32\Lhgkgijg.exe
C:\Windows\SysWOW64\Loacdc32.exe
C:\Windows\system32\Loacdc32.exe
C:\Windows\SysWOW64\Lcmodajm.exe
C:\Windows\system32\Lcmodajm.exe
C:\Windows\SysWOW64\Mjggal32.exe
C:\Windows\system32\Mjggal32.exe
C:\Windows\SysWOW64\Mledmg32.exe
C:\Windows\system32\Mledmg32.exe
C:\Windows\SysWOW64\Mablfnne.exe
C:\Windows\system32\Mablfnne.exe
C:\Windows\SysWOW64\Mhldbh32.exe
C:\Windows\system32\Mhldbh32.exe
C:\Windows\SysWOW64\Mpclce32.exe
C:\Windows\system32\Mpclce32.exe
C:\Windows\SysWOW64\Mcaipa32.exe
C:\Windows\system32\Mcaipa32.exe
C:\Windows\SysWOW64\Mljmhflh.exe
C:\Windows\system32\Mljmhflh.exe
C:\Windows\SysWOW64\Mcdeeq32.exe
C:\Windows\system32\Mcdeeq32.exe
C:\Windows\SysWOW64\Mfbaalbi.exe
C:\Windows\system32\Mfbaalbi.exe
C:\Windows\SysWOW64\Mhanngbl.exe
C:\Windows\system32\Mhanngbl.exe
C:\Windows\SysWOW64\Mbibfm32.exe
C:\Windows\system32\Mbibfm32.exe
C:\Windows\SysWOW64\Nblolm32.exe
C:\Windows\system32\Nblolm32.exe
C:\Windows\SysWOW64\Nhegig32.exe
C:\Windows\system32\Nhegig32.exe
C:\Windows\SysWOW64\Nhhdnf32.exe
C:\Windows\system32\Nhhdnf32.exe
C:\Windows\SysWOW64\Nbphglbe.exe
C:\Windows\system32\Nbphglbe.exe
C:\Windows\SysWOW64\Nqaiecjd.exe
C:\Windows\system32\Nqaiecjd.exe
C:\Windows\SysWOW64\Nmhijd32.exe
C:\Windows\system32\Nmhijd32.exe
C:\Windows\SysWOW64\Nfqnbjfi.exe
C:\Windows\system32\Nfqnbjfi.exe
C:\Windows\SysWOW64\Oiagde32.exe
C:\Windows\system32\Oiagde32.exe
C:\Windows\SysWOW64\Ojqcnhkl.exe
C:\Windows\system32\Ojqcnhkl.exe
C:\Windows\SysWOW64\Oqmhqapg.exe
C:\Windows\system32\Oqmhqapg.exe
C:\Windows\SysWOW64\Obnehj32.exe
C:\Windows\system32\Obnehj32.exe
C:\Windows\SysWOW64\Ojemig32.exe
C:\Windows\system32\Ojemig32.exe
C:\Windows\SysWOW64\Opbean32.exe
C:\Windows\system32\Opbean32.exe
C:\Windows\SysWOW64\Ojhiogdd.exe
C:\Windows\system32\Ojhiogdd.exe
C:\Windows\SysWOW64\Omfekbdh.exe
C:\Windows\system32\Omfekbdh.exe
C:\Windows\SysWOW64\Pcpnhl32.exe
C:\Windows\system32\Pcpnhl32.exe
C:\Windows\SysWOW64\Padnaq32.exe
C:\Windows\system32\Padnaq32.exe
C:\Windows\SysWOW64\Pbekii32.exe
C:\Windows\system32\Pbekii32.exe
C:\Windows\SysWOW64\Piocecgj.exe
C:\Windows\system32\Piocecgj.exe
C:\Windows\SysWOW64\Pafkgphl.exe
C:\Windows\system32\Pafkgphl.exe
C:\Windows\SysWOW64\Pcegclgp.exe
C:\Windows\system32\Pcegclgp.exe
C:\Windows\SysWOW64\Pjoppf32.exe
C:\Windows\system32\Pjoppf32.exe
C:\Windows\SysWOW64\Pcgdhkem.exe
C:\Windows\system32\Pcgdhkem.exe
C:\Windows\SysWOW64\Pfepdg32.exe
C:\Windows\system32\Pfepdg32.exe
C:\Windows\SysWOW64\Ppnenlka.exe
C:\Windows\system32\Ppnenlka.exe
C:\Windows\SysWOW64\Pblajhje.exe
C:\Windows\system32\Pblajhje.exe
C:\Windows\SysWOW64\Pififb32.exe
C:\Windows\system32\Pififb32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 8964 -ip 8964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8964 -s 400
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/4908-0-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Dokgdkeh.exe
| MD5 | 24aaa9fb0b4110ed9520a3cd5eb57f35 |
| SHA1 | 469d41b62379c643ca68cca2ee5b079bb67222df |
| SHA256 | 2cf293bb800a3167c34792a8ceeb0907c1dd89d78c56defc7c68ac2cb64dd723 |
| SHA512 | ca58cd462b8fb64daad22d19cc46e66042ce76332e3fea3f3dccc1225e103a9ac8d0025382fd577a1c397d9421e616f49c7b5df2c87da03dfbff806fd4190fd6 |
memory/4852-7-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ddgplado.exe
| MD5 | 1d0f297013ba160f3c0659ad8edaaf54 |
| SHA1 | 7633eb86529a3537583ff91cddf1d083d97567b4 |
| SHA256 | fd9bf0ce707c62a7a796807ea72fb5e86c0daaa497be294b40898a974ee5ec49 |
| SHA512 | 46b09aeaa476f9a542c1e48237b2cd8991c9105f0e13f8bfeeef9f8af9c484f347b0e658132a521f2031b149431039dd7d33acf11026e145de509d2bdc5a41a3 |
memory/2272-15-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Dkahilkl.exe
| MD5 | f044adfbc00aad01e579c2317e9570a3 |
| SHA1 | a6ddf91037001e05e1aa2b412c588f2380e7f0da |
| SHA256 | 876a1606cf2ebfe18836343aef2c96bb0a78edc4591c1cc53e924403de1c43b2 |
| SHA512 | 7bd931b6dfdb6455b6c4df4fb24c46c1fc7c0a54b4ffa927197b967e847e08fd1af51214760a711bc9177d77edaa66759d5406791a00599a8abf3ac76822de2d |
memory/1384-23-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Dfglfdkb.exe
| MD5 | 0c27396e9614e5b3b5d6821bf89278be |
| SHA1 | ca656bb1456998f7d8730f707acd2131828da600 |
| SHA256 | c6acc16a6def64441b09d44b1db7a40f4f50743e0cf49a5a75555b49f6ff80f7 |
| SHA512 | ec50074d90b1c4f8bac98afd3aa7ed8e2efc48320828a440c14801a36ce82b6eba3655dbb641fbf2e52190049c717d691d7fa146d78f10cc08ce5a4784a69893 |
memory/3484-31-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Dmadco32.exe
| MD5 | c223e9d5a6a544e0a9e316f1887d36a0 |
| SHA1 | f7aa1c4800e601b2abb1f0fb5ec5223d9bc5472a |
| SHA256 | 3584bc5cf3e2f62569c4c58d998dc1c751736325a5122be93e27fe46e5c68fb9 |
| SHA512 | 4652ddeeacb99640963f116a0fdb6b4ba46d1ed33773e7b400f1797554a19ad7714c0fa68d01a218b3d43bbe2a5e13cd65f768e0365e2ee3a28405b5eaac9c7a |
memory/2932-39-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Dnbakghm.exe
| MD5 | 5d52f02595dfea1287ea10ca22410577 |
| SHA1 | 6cc00b05f375c6e737e577944e471532f6607744 |
| SHA256 | 500819f18f15d64078c53d01856c926abf8fc9dd1bba316675f3a88d01e2bd37 |
| SHA512 | df2c9c8bc74247a9cd4d3d794be091c7b8837ffb3fb7eddb7593a4957e69475c4b587b5b841b44003864ac32ab30c3635fc8dd52e08fd7d81d1c76ad5e48b389 |
memory/3940-47-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Digehphc.exe
| MD5 | 9d4661dd29313e9a2ced44a03bccbf9f |
| SHA1 | a9e6fd780b6713c6f8bc7a21874fca75455484fe |
| SHA256 | 7e076dcf8d7efca3d074588065fb5debbae885ec36c7514a5e1a463aae2a6375 |
| SHA512 | d634cb2f57b5713e57a6473d43777e5d12004029a4e7e6af18e2283689fd60c9ea638f129194edba74a6894283ea69aab87a74f386a4e913e746292b1231d450 |
memory/4324-55-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Doaneiop.exe
| MD5 | e9cc9c047cb26b5317145fb4aa5a0fca |
| SHA1 | 940696c16b7a01838c91f21d229c837c8b07523b |
| SHA256 | 2361b23397f778fcbd2bd3e191c49b038a8459bf4a11c5ecb903573d03c4ae63 |
| SHA512 | 910ff18f4fddbd932444aa8ef34f18bc7f017b56d96bfc6e03054a7c27fd8bd6582500587b0e1b0a3a76ee6a70fc86e1a998342a178ef9c2ca3c088f28302e9f |
memory/2532-63-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ddnfmqng.exe
| MD5 | 39af695fe90276ad7e7a522c0a579fec |
| SHA1 | 3569b94eabf1e5eb65f41be8c137cebcb12f07b1 |
| SHA256 | 2ee37fc90c22c91d94c80bdb4a6ea0ba2c8ea6a5504012322b7b5c455d9e9333 |
| SHA512 | e6a77706dd7257d0a748f977899ffd3cbf5c972ae7fd67e0cc6078ca64a17526b62c1eb54d7398ce14bef28a4c6f6bc90183bcd0861a324325a118606dcfe8cf |
memory/4848-71-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Dodjjimm.exe
| MD5 | 15749e9d789cc61a9d5a055b4bac6523 |
| SHA1 | 3b5a934bb22ce969fdd7f97c91cc216b4fd171a2 |
| SHA256 | 468a1bc70319181ca4c1ad8e19145cfdffe0002f0b12a507c55f4da583a7d66f |
| SHA512 | fd0b0c0269a463c54f009e8bdbebb9f3821146259d7e28b606eb3dc8a6e73d9e53d31d0c499f53b457d369f6d1aa4d2b4a37d425771162ff2268211a8e5cfa2a |
memory/4148-79-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Deqcbpld.exe
| MD5 | 80d6057d59e07d69262327cec0ca25c2 |
| SHA1 | 5c8c462a2e934333a208765ea2aa93790d3b15aa |
| SHA256 | 651a3b005c62c62aded37a9f2ffb67538948a022e281dac2415de6f332fcb07e |
| SHA512 | eb62e226f750c4501847d68340edc16e4d2828466bb77f07c4631e28b53f14666b22ea631efb35c4f19bdfc1e9c42e02743c58542f899e165650b75a89040847 |
memory/2108-87-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ekkkoj32.exe
| MD5 | dd5275ccd78a1641cf8cee90c54085ae |
| SHA1 | b7e1f80003cafc536f63a2f38d8d75e4bfd1915a |
| SHA256 | e34180ec8c7b3dbbdfa17911ac1b04e54f8f07be5a10ce124c00f5f42986fef2 |
| SHA512 | 5ea7f218da0bd7bcd8ef7bfa9ffd9df6cebbb82525fe7f71f17aa9775ec9f2d6257aa9b95a625a6d8e4fdb1e7852bc3cf12c121d62626c7008d4704b234922ab |
memory/1956-95-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ebdcld32.exe
| MD5 | 65e5c19122648e6f4378d1aa92bae063 |
| SHA1 | 08e31e6c4362f706bf67c36ab02a1090dd14b93f |
| SHA256 | e09b4604fa84ea6274cfa9dde084b415fe60b6de7a1b8b0fc37e3e976a1ea8b9 |
| SHA512 | 319fabc49ec015262905e1678d4ca80457a8978a1d4984a8c2ca8ff1407520eb9fbf681e8c3f71f413a2a3f8f7ff03b6288bc81f044ac408f160bdebdc6178d3 |
memory/844-103-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ekmhejao.exe
| MD5 | 57e252e45c23bc6e0403aaf980538dc5 |
| SHA1 | 1f425db790143c1a58d48bf49ab4a39535592c72 |
| SHA256 | fd75b0c42f12e814086187949b9a646cad5101c8a382335fdb8c7d152f08dcfd |
| SHA512 | 85de555228673465a04f9d2cb0b7034e28bd5ae212f90b8ed3c8214141c474bfd4cacfc58e636abfeb44bc2efb2b5b79360d49b64d6256f6ce3369de5c01ae24 |
memory/3316-111-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4416-119-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Enkdaepb.exe
| MD5 | 113d1f5a557283171848ccc405fbf666 |
| SHA1 | b9e7457068877dc1fb414c9660da242f5e1dc2f1 |
| SHA256 | c3c2163dca6a4fe78b00804818803d9f3a261e9ecb6036131e1720ddf6264950 |
| SHA512 | 87dd53ad18caa80ac323d254fc20081da3368d7231c98955d6725d1d5ba61be0a626a48159f03e58c07a56ab0ed5acf57ad9afcd70ba73bf203f0fc18d7763d8 |
C:\Windows\SysWOW64\Eeelnp32.exe
| MD5 | 25681094b8bb96af39a0d34eceb2a0f1 |
| SHA1 | e079b75f4e95a7ce979b2b36ed2db33c3015ecf1 |
| SHA256 | d351bce45bad25d0a9b066822f39c95fbc48c838c94dce2a2b374bdfb52f2150 |
| SHA512 | 3ad564c2f66c5cb1e8e5f98f4fd1a2fe253466e0af13bf7c8c7313cb7415be7bd3e0f8176b198043569d28540855f223cda87a0883ce50b843adf50fa8e9873f |
memory/5112-127-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Eokqkh32.exe
| MD5 | a1a91df8b6a95821f6d046d96153adfa |
| SHA1 | 83130e37af403581bc719e7da6113b903a3e6f5d |
| SHA256 | a0b52182c1c172fc9d99aac20ffb2a1ae88dc167392a6040369fefb897659ed2 |
| SHA512 | f56a568649b745d2bea82701d7db53724137bf6d2afd5ce8067f8bfe0c5cc36cec3d852386cbe5befa7f6c65460cd999cd15744055996a4e64d692ef0eb1cafa |
memory/928-136-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4712-144-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ebimgcfi.exe
| MD5 | 4c044b0ef30dbc8ba247ebe5f9b4994c |
| SHA1 | 07acf49017f0bf4c7daedb860a1f708849663dd5 |
| SHA256 | 5115023eb1ad362abe782570401cce49fb5de3f05b93bde803ba606e48677008 |
| SHA512 | 7f5bcb467bd911f03a7fd8bf9859c62026d4c65023477814e4baa418be434dfa1f72ec7c272048627a972b8eca4dd309ca32898f56f66a29fce1be3805028925 |
C:\Windows\SysWOW64\Emoadlfo.exe
| MD5 | e1d3530fa45566ef49ae16434b29ab06 |
| SHA1 | 4192f45a9aeda285a3e041140c98075148341b69 |
| SHA256 | 752d076a9e578cccc0c4f1dc52078d442483034a0e5cd178029bc6d98c52cf80 |
| SHA512 | fc524804f2e7c037cc4f23ab4b0a2bbc00bed0123ade887bbe75908c261454a128db0468fb6652ff15369f3ed70f26a66cc408f53677cad14a414d0f4ded73f7 |
memory/1116-151-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Enpmld32.exe
| MD5 | 3b29f360cdfc7fc1e33b5944744a8342 |
| SHA1 | 9e3508594bcb5dcae53b58ee3d882e0acb832893 |
| SHA256 | b6ccf16f040918a51e5f96da7a57fad5f1df4614dac592ff72040ab01a6d240f |
| SHA512 | 8b23867b3fb3146dcd586b4d10aa82ad57b8c60fa5511df7c715d1c002215aa5a4c4205d21e2953adfe0c9f2763ca59c44e0fdd433b5a9e0d621ad151b37c088 |
memory/3004-159-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Eifaim32.exe
| MD5 | 2b98cb3304609e47920a2e32ad750917 |
| SHA1 | 9a39415bfb7c60b1b18fb698d48da088ee27c3bf |
| SHA256 | faaed9f6a4bc3e4635e20056d36dfd3369e33ba940483338dbf1757a88820a3a |
| SHA512 | 1d0796ed1e31c3d1091b2d603bc2636b2a70b14bd6c3fe51170cf5024967e2d0bd5fc8ffd20b2303e5c10e155c09a08610fce40dae4e5cb617078d55506b439c |
memory/1896-168-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ekdnei32.exe
| MD5 | 880d83ced1a1dee47bee649e63fa897f |
| SHA1 | 355f00c59d27b7acaac9d8146ce41bd4ff477645 |
| SHA256 | 483ff68f7a4c49a94123be9eda0029f95bd9700027c9c4bc817dbc66579a9414 |
| SHA512 | 6dcefc14f065d2c1d8629d5ff1d48cd2b3e5b25dc726f4e1e87797bc689a214ae4b616788e2bbc1d4ad3592fe3dcfc4e6bedfb3d7892ad12350dc38e7e2d5223 |
memory/2404-180-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2008-184-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Enbjad32.exe
| MD5 | 184fd8b2f709aecb123ff533abc0f61e |
| SHA1 | 9e2a6f10afc999c642fac4442c0c86b97308d2b0 |
| SHA256 | 2b09ff9b8a14e854f26473204a0affc1bd2378264376916e8bc946b1ca88d393 |
| SHA512 | 5598ba4a3ab50ef83dfe069b4ea8f727ddaa43ed4e3f7d02da0ed346a93f33e2583a07d38eef742ba4c21ffd13c07fdcd6345817f2205f2c2f931081b3c88ab7 |
C:\Windows\SysWOW64\Fihnomjp.exe
| MD5 | 82bb1137b3980583316fa1254602cfda |
| SHA1 | d2c24760b96efd4913bef24850723272c85bef1e |
| SHA256 | efb6a5159aa5495cdeebb3ff72866c8fd32a9675c393261042c48c01530b2ed2 |
| SHA512 | 8d1db79ea2a22dc35c5da0b8fefc48e5d6fd9bdee96b493ab927eaf61bdc1f69d865e86d0b510953accec58f4d1ed60516d2ec624c98ea715834a86c92993bc9 |
C:\Windows\SysWOW64\Flfkkhid.exe
| MD5 | 0cf84b77868b878b95f47d1f80875130 |
| SHA1 | f14b77f17a43ed197c29b2ef8ce5db829bb58841 |
| SHA256 | 6f53ad9e56a67f715d505bdc9adf53e8e97c38a28ab186adcd92c19172063c45 |
| SHA512 | 9d81f3ced687242c4166e8fe425caeb5905840e3cdeac44bb17531b52a240a722cd656ef5df4349456982c20346f33b46be94a09915d76da52a968e01280a418 |
memory/748-204-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Fneggdhg.exe
| MD5 | c149eca1717be38d98b702fc4626d5e8 |
| SHA1 | 48e3d4efcd1287f629e7db1f55ed0971541fee4f |
| SHA256 | 6ff232d317169e883b3aaa1ea9e281c5bd6df432508afb5a83346ef342a16dcb |
| SHA512 | 36f64b879631306aceaae59b9ec417272e4d3f094cf9fd440edf832c593e61ddc5f26f6d5fc171d5d0749e3ee564c0b7e6a6cd29c85acc030fc8afa12f17b465 |
memory/1904-196-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4088-207-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Fijkdmhn.exe
| MD5 | d62a7afb5703dc5660dfca27f08ff418 |
| SHA1 | 2e9271928b36fd1261bb4e3955714fc6af7eeb6b |
| SHA256 | ce9b33bfd2796ba48ef832651effbd0e88bd458227ee63da9ed4d06bdbd45087 |
| SHA512 | 53876db574f22722d594bf95a496336cfb6d65c03eb32532cdcae789f7907e1aa45236d3ba58e0e82821e2404c8944073ab68dba007994d5efe9025baad8284b |
memory/1840-220-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1140-224-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Fligqhga.exe
| MD5 | dcb5e1b004284b8d87659b3d9d9f8e6d |
| SHA1 | 54589c321c3920edd0bda7432c4ae990a2327f10 |
| SHA256 | 7527905c8771df421aeb7e51a7f7afed46ad14d0dd49411422c10028b24d398a |
| SHA512 | 832f4ea7a85fb0833beb5a527caec665fe5b64e69412727d443b8fd5ea63fcfc1c1efe535083afe39713c67ca096adad29e941efb5728c96d858f50e8cdacdae |
C:\Windows\SysWOW64\Fbbpmb32.exe
| MD5 | ea03aca7d8f8ee86b3a27f674e0573e1 |
| SHA1 | 49b9021b4a649a509f90b944bc0d705fa6aace57 |
| SHA256 | 294d19bfc3a0e4f555df43538a317b009aac2bf05446acb3e2a505419cf23eeb |
| SHA512 | 5ac4573a5a72bd6c52c8d888cf5f36416f50e69adefb58ac8bfc0dd3d8e49ae6ae7a9288b8882ece6e9c0cf4cc5c8e68aaf02ed1d780a69134925d1af67e246f |
memory/2492-236-0x0000000000400000-0x000000000042F000-memory.dmp
memory/400-239-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Fealin32.exe
| MD5 | 9585e6666bf9b6f9e945baf32c71f620 |
| SHA1 | 5e4c84e26aacef1fb5a4b0c417bd3944d4d99bf9 |
| SHA256 | 438f1a5adb9370b63d6f5a6949f94fa1bbb50e6faef4374d6358fa0d8439c2f1 |
| SHA512 | f7d8059970a5b129241679eda32f8775a8856530d5c3d654c4d44dddff87da3c9d00654a59c2f8e3e9b9361bf8c21cd1fa1d88b3642e182d32515f23beb687e9 |
C:\Windows\SysWOW64\Fpgpgfmh.exe
| MD5 | f8324a4b0bbe0a69457d30d0e9d114db |
| SHA1 | 29095e3a034c293c76d6d15b377613f1418c7314 |
| SHA256 | b1b0567f4ed90291bc939555c7192eb789b976f6a04cfbb8d46be91d9dbb8985 |
| SHA512 | 96da30079327db054eb70659d02b5423ef385c971218b519f9287b154e3a6f8521756538883210ab6bc96b13c1662c02c9f1455373e75baeed4548020539cea2 |
memory/852-247-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Fiodpl32.exe
| MD5 | 0f475dfc06b7a27640c6e1fde25e9544 |
| SHA1 | dc587dbd4197f467cc295c640520ab1d553fd1fe |
| SHA256 | 67ca08463ef8c3d71723876b8b7028f5bb260561a6efb511d43586aa0d6f9dea |
| SHA512 | b66033b8cd15a3ba75b4c56122cd12848a0a02ddcb2a553714fa730ab810a4fc36a30d9c40d1a65014ac44ff9dcad9609ed69913f0ca634f7ba1bcbff892bc95 |
memory/4520-255-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4964-262-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2320-268-0x0000000000400000-0x000000000042F000-memory.dmp
memory/464-274-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3508-280-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4176-286-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4804-292-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3848-298-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4156-304-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1908-310-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2760-316-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1912-322-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4756-328-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5080-334-0x0000000000400000-0x000000000042F000-memory.dmp
memory/316-340-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5104-346-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3144-352-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1496-358-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1752-364-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4040-370-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1920-376-0x0000000000400000-0x000000000042F000-memory.dmp
memory/644-382-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4784-388-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4164-394-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1188-400-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2368-406-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4856-412-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2156-418-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4388-424-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3972-430-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3668-439-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4128-442-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2224-448-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4464-454-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2348-460-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4092-466-0x0000000000400000-0x000000000042F000-memory.dmp
memory/220-472-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2284-478-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2316-488-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2948-490-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5008-496-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Iipfmggc.exe
| MD5 | 0c6c0a9334bc0a11be5d9ca8f50f88a8 |
| SHA1 | 5f8f9256976057db37db5655a8f47ef44d2b5ac6 |
| SHA256 | e4ec613cbe9f8e21d3bb3bed9eff55ba8b651dfe8ad0cd2c359f24b0e666dc0e |
| SHA512 | 60b26ec36cecb04bc525dd7f8c63b1cba1318ba66a0fe6fb74697377839cd6b2714a0fcfb28a9c43b1c47b8a975d21249fe148a2bb34d33f547b9381671f32dd |
memory/2972-502-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2468-508-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3956-514-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Ilcldb32.exe
| MD5 | 885be907f6717999aeafb83e905dbcdc |
| SHA1 | 7cba8934cf288d439455b9dc353d16855c22090f |
| SHA256 | 0c13182d9f6dca24c5d997d6a3d0b00cd006247d0fe951f97187c50f347b674b |
| SHA512 | 839c992eb4ca91a489507f4f85f241f8783c6445ed8b0a7cfbe0205e02ef7e7a8db03a1fcbf886cee703786a6ca909bfbe892886c9c4c7db0e68b5f1fce5c533 |
memory/984-520-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4344-526-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Jmbhoeid.exe
| MD5 | 2631a08fceb0c69b5736d886a7c3e3dc |
| SHA1 | c7e847e254f826e7636e6d86b4a4a470509eb67c |
| SHA256 | 4056ab8baa8ff7fc5443d589ec091f8f9cbfa9d0fe519e3247fbf17b13ea2b4c |
| SHA512 | 9fd1f8521420b1cfa94525cebba2015c3755a92854669e5bfbbc35455c30ea7ec35d35b5ef034ea5c51afa12dc15a82c4be3ce0736cca1b781c60be74695ab03 |
memory/3500-532-0x0000000000400000-0x000000000042F000-memory.dmp
memory/452-538-0x0000000000400000-0x000000000042F000-memory.dmp
memory/804-545-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4908-544-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4012-552-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4852-551-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2272-558-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2400-559-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1384-565-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4504-566-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4588-573-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3484-572-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2932-579-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5036-580-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4204-587-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3940-586-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4324-593-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4752-594-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Windows\SysWOW64\Komhll32.exe
| MD5 | 59c822594e8616fcbfeada3cf46f1ea0 |
| SHA1 | 64359599f659a74f9ce24f905fcaa10c4ffe006f |
| SHA256 | 55b7c4dbc75e36a70b27a396c5bbc88cc1f4196c5e05ce013b7d92e68c3809ad |
| SHA512 | c9ab20490a3e366f50791b1b76791e87d30d9d5ee87e3f30b917a0bc7e818f117d44586ed5a88670fa878d9a36ec95015f8cc9410d87ab0f4ea90a780b465541 |
C:\Windows\SysWOW64\Lfbped32.exe
| MD5 | 6924d57734c34aba169a78028e7d99e0 |
| SHA1 | 13537b66a14f67a9b99276a61eb0f2d14afbdd45 |
| SHA256 | d5d36bfe1eb83a4505798ef6402f820c08b2626fc4d50665a56e98d80117d9d1 |
| SHA512 | 260c6c95196ae34f48627acd03491cda37f9f02cc3a1a492077331ef09167c5def072a4028d602fc0d2ca4dbfa5b2ed24f50a2db38235bfa9c026b8b154146e5 |
C:\Windows\SysWOW64\Llodgnja.exe
| MD5 | 90374bf59c21c453b549903ebd1c2ed6 |
| SHA1 | fb370807c6a7f73cf06bc0292943a4836f671f60 |
| SHA256 | a919f51d19eab7ed4f1ab3bb610b41d627c294d0f1b3e1df545d9e7d6c437d74 |
| SHA512 | 7d670ca9bf6c72f84e8ea46f8f5ad27bd45c070a5bdef4090999cd71bd20249b56b17ba737931a35c2aae51f35439ceaeba7500ce4faa43d062d4e2381a5f9f7 |
C:\Windows\SysWOW64\Lcnfohmi.exe
| MD5 | 9405fedf94c998f534714db48d9f330d |
| SHA1 | 9a4bf00ae60e73ccbebcf7d35bf0c09dfc80ea4f |
| SHA256 | 53a5434112aee970fa28deee736d5efb04a023bf9554e073bdc73ba2f33765e6 |
| SHA512 | 2baf41899a16124feaad7e0a6a5c9518541e50f72e90a575d60df84559a495c0279c2c968c98d9083f451756182b12969b61a82cf57965abbe7a5d3b25009be5 |
C:\Windows\SysWOW64\Mnegbp32.exe
| MD5 | 814c4de2003ea5f222583e26785666dc |
| SHA1 | 4ba72f502c9e4b9f5b2ea5f2abdf89194b3e319c |
| SHA256 | 2867bad32f59420095bd7651b8bf636325c8c32817015e70e3b71b36ae5ac9c4 |
| SHA512 | b84f05b017ec04d53d55c93489b776ee1f4ff96e39dda67f092f13d2a56c5ed4e59a5863e250af3b8d1ff9a062015bd85d6b55edaa2f509bf6d9adbc78ab1b17 |
C:\Windows\SysWOW64\Mmkdcm32.exe
| MD5 | a8353f100606c558c06393319181374a |
| SHA1 | 760fd2fc7ec8cc996177b0c4c928a128fe1f1e40 |
| SHA256 | cc2474a98b237fe04ed2361dc6a2a7c25a39522795ee3911ff7f3040c12868f9 |
| SHA512 | f8459e68816a6cc78e9c74d5768520d39e2af6462ef313db80b867ca3eccc207b6e694e38759829a582bf699e82750589f4a89f179c62f88d5a5e67b6fc85d57 |
C:\Windows\SysWOW64\Mcgiefen.exe
| MD5 | 4fd467e3790d6a36ff36caf17171ebbb |
| SHA1 | 16b35df5f2535c4bc2a9b731deea9c0887fd4b1a |
| SHA256 | 51c66eb0e5f74cd9b81fd5706865176a2896bdff2a54bfea7fd40153733e0e52 |
| SHA512 | db685ec73931f02083f95636e85fed7f5018d7050a3827c5cb56b89d28b472717b9e008229a7a5eba91bfd8d529cec679fde3bbe6a5967403cd67baa8a86ed17 |
C:\Windows\SysWOW64\Mjcngpjh.exe
| MD5 | d0338577b9f34814085f2b13b43dc8e8 |
| SHA1 | 03fd5bcac2a0bbe8e4f2d67ca4169d60e6ec2fda |
| SHA256 | 3dc6160285a42145dd644254dd73e76e601cd426dd5015865dc7ec10985ce39d |
| SHA512 | 8acbce52a77f24984cb1726856d4225c91ef96aada77875bdb7b63b1f7205d17750eedd5e3d952f5f9621c6fc1977e2d2d8d6c30c5d201618dd6e1137677efd3 |
C:\Windows\SysWOW64\Ocgbld32.exe
| MD5 | b193bc421e5c07d735dab1cb07e72bf8 |
| SHA1 | 58d0b6a43492210aeef14ccc32cd85c587d0ecbc |
| SHA256 | 03e8448b4ad8ad0b336b2ed96e25bae8bb2dc50908d5ba8cfcb34d067903b2a3 |
| SHA512 | 58c438b8f9a1bf11497eb892158eaf20340adaad3678202e944760438d2786c958d16d37f71917180cf5bfb075fac4f73f7f8724ec100a7f725271eca36e32ae |
C:\Windows\SysWOW64\Ondljl32.exe
| MD5 | e2330e07b115258b6520346547b396d5 |
| SHA1 | 06cca66348ec5a4f600bdd8d5e3c31b09f80107d |
| SHA256 | 1c8181c2dedf1d9c448199731bb877ef3050226f584cb6733a06a459b9f6bb91 |
| SHA512 | 7c928f665ea630083299db494864c047997644d79feb82b25e2d57f5a85cce910a3090c171fcd05ba2b496f33219bf802907795513f39af10794cbcde16baa0e |
C:\Windows\SysWOW64\Qdoacabq.exe
| MD5 | 849ff43eec6e68eacfa4727f58fd40a4 |
| SHA1 | 11eee87f248ef757d222bd8dc29fae33d6c6bcbb |
| SHA256 | 8b3ff3d5e791ae79642fad0016560bcea98ecc842d1e0aab1b040c006a1cf75b |
| SHA512 | 69a08785fc04fe0a4c10c8f4582d5e646cf6d5e2a27c266b5764728a3fe5ab98a2c87f67e984902796c01b516328594f684b16f780602d6c018db40f8581e996 |
C:\Windows\SysWOW64\Akkffkhk.exe
| MD5 | 30e575ce8f69bdb1a7a14dce74aa226a |
| SHA1 | 52e79344e3b77e099e4b48d4b3125395719332c6 |
| SHA256 | cd4f8abbe39bfcaf2eac70e3cbeb0ac066257092faee5b291cc0fecfbafee7e9 |
| SHA512 | ab8ed688754f8baa2f286a3f2e73bd9f7f1027e149b626961b9cf6cc62e25f81b0a680dad8dc41ecb74b9e82b2ec85d1af4f1260644d9c7c35e9ffdcf3d4f4a0 |
C:\Windows\SysWOW64\Ahaceo32.exe
| MD5 | 7731eb83066e3350da9047608511e70f |
| SHA1 | 284fc26d72af88893cf97a972b2f35882762dc94 |
| SHA256 | d97c0f21a750dcdab9bf4f8ed8435407a0f9cee7ad1d9075c1e526fee29f1bd5 |
| SHA512 | 9b54f66191f634bfadb091709e970714edef532ebea6d239232131334c3d84e15a5c35f82b68df7d2a19bce820bf07baf45ef014cd593349b1d9e9fd716e9c32 |
C:\Windows\SysWOW64\Aggpfkjj.exe
| MD5 | 6514472b2af4631937cf7e5243e6dafd |
| SHA1 | 14279cf15c5d914cd3685b44b6195fc5af787912 |
| SHA256 | ab5391ce25af97ea2dae6fe823ae1b53d30dc4e543ec5e413c9eee0b8d76f6c2 |
| SHA512 | 6216beaf82458bc09508c696b563b613571227cb83c0c3b13d793503263e6bc7d627ce7883623e81b3faf309dc365577b0f0d8dcddcc184f25307d0cac2c592e |
C:\Windows\SysWOW64\Akdilipp.exe
| MD5 | 3ab7a2073a95a9b32fe6221385378fa0 |
| SHA1 | d2dba69881c92ccb98ea98f0ed2060a171b62124 |
| SHA256 | deb0fe6e3e2e063f5b1a2d2964ef4d34b4a3a7ab51ce8c3846031812b0f6065a |
| SHA512 | 4edefb871a571a3fca74dbe1eeffaacdcff8cc47c60fe30633297f9109df4dd172026db9437e38adfb9fb9384653c7404a5db54e09dfbd6d37ffe645c4439b3e |
C:\Windows\SysWOW64\Bobabg32.exe
| MD5 | 694d54ef00481e1309e5f8449f69de00 |
| SHA1 | 045fd8a5bd3ff64ff7714b6c498b418cdc53bbac |
| SHA256 | befdd8f888049f824f53c502b7f9f4d366f77d1342b0ec81a0ffe1e02666c114 |
| SHA512 | 9b2441f76aa6779a4f71112cef59e8af590f8c4a589ec3ac47ca9f3042cc49da8d8d905b455bb6516c0669dc50553ce19a5875242c4e089ecf2ab6521f745718 |
C:\Windows\SysWOW64\Bklomh32.exe
| MD5 | 7680232e07befdb8904642b8769e923e |
| SHA1 | 0699896a276d0e0ba0610e0587ab1c081bd49ded |
| SHA256 | d8b5663b314d08f6526aff787cb951cd53280171efad1499a53ea0a09b25833a |
| SHA512 | de23e5e4ec5bd8dbc99b66f7125d6ab89c23d7fb997db6387c98dd35ee352953a5c493012d6fd5f592e630efa61420d4d65384c6fcecb3bcef3aeb9abe7b5e49 |
C:\Windows\SysWOW64\Cgifbhid.exe
| MD5 | dbcf27f16dfa1ed0f10a909853a07210 |
| SHA1 | 617fdf08221a3eed221240058a1492f480c0c8c6 |
| SHA256 | de63fc101237025309aa987a797c4b87d6f3344353dc89a4a37169c1e21cc77d |
| SHA512 | 4b94169cc3e58430c0e0265bbef306629846a61373c11dfde14bbebd6e1c396ae1f9baa6ecf8d8c1a89dfb9170d0e4f35313ba0cb1934ded2131891c964daf46 |
C:\Windows\SysWOW64\Chkobkod.exe
| MD5 | f8bcc1c0c0d73cd47f0fad579786253d |
| SHA1 | 29a617e51fcc1f1331bd408523d7b8258acefae4 |
| SHA256 | 704fc27d7a6ddd79e0f6f0da7575264130714a3dc13d5783cb3f3d2ec3295b77 |
| SHA512 | ad5c850d65110e6d0ce70dcc97190b18062392994492861707d6469d59131d484035262acaa4f74595c2bff5ae175abed74142a07388f883bfbbcf318b8baf79 |
C:\Windows\SysWOW64\Dhbebj32.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\SysWOW64\Dhikci32.exe
| MD5 | f95d6e3de6b9744b9a06261389864bfd |
| SHA1 | d40e20e4ba07c9fbc38dc4880635061bc8a428ac |
| SHA256 | faaf6da8a2c45fa57f456955af924b22a44198e7fa33df52d722a4e7c57cbe08 |
| SHA512 | 7e5892d58f9efcd8abd00c921808c77eb22c5f579857c7cb0f4647ef02bd2739b21bd2950a4e09906758a9fa175593a25852227562c22001c60f1840d94c3609 |
C:\Windows\SysWOW64\Eoepebho.exe
| MD5 | 2a8ea2c137d5ecb31587fcb08e3a002f |
| SHA1 | fe4aa22f29a148ce9a94d9584ecb6e927716940c |
| SHA256 | ed2ce9585ac005db6ace69a7dd912fb816c65158ba2b615ebdeeaeff1fdd5d17 |
| SHA512 | 2cca8c15b0e8c65fa416c14fafc20538cac81dec26a5175bea1c0a36a68ff4beb0bfbd27289fecab23545f6bcec32142f88138aaaf3ea402a5a51fc331ee3a29 |
C:\Windows\SysWOW64\Gbiockdj.exe
| MD5 | e04a7f66b5281babe403b74ea05dca33 |
| SHA1 | d23c2d4ca23ab2df59605f773af68c5ebd66305e |
| SHA256 | 286c9178a7ef01ea619c1b6c6e8245ac590a4257aeb3cc530fc71dba42ce3335 |
| SHA512 | af857aec27fce5523461b3dc5a061b38762b53da7a3d94e9cac50835a283b433d9b29e659305697e1ebab5109f896f08dd483e60e59b23d45245a0f2b1988e71 |
C:\Windows\SysWOW64\Gnpphljo.exe
| MD5 | 6e79fcdf51be06580c9f524d5baca2de |
| SHA1 | ab64349b3426e5d49558c0943d0f4b408df31d26 |
| SHA256 | de525b7ff99505ec509853728c331619f13fd17438623dd5484bf656ef2dd426 |
| SHA512 | ec886d9d5f461b669949a51cc367ac3c1353296ac3621f68ca479e227c36920145780b46d33e448446734de4bf60ea47109ef8c77cd5d6a7e112787a0eb5e075 |
C:\Windows\SysWOW64\Glhimp32.exe
| MD5 | de28251952e861a5edc4978edc68b267 |
| SHA1 | c4963bd2f0c1cdfb038a05fcdb3d18c5834782f2 |
| SHA256 | 86b617bb9b02a7566dd47f25e730562ff3f3fb5103310e6f8087cf27f9601e3f |
| SHA512 | ef7cea795fd74eb3a6575fd704ee8e530116028d39879c7f189f9ba8f342766eb92607febe7b5c8164863cd2fd90943b76163219a2f6deda5eb331d23c968b8a |
C:\Windows\SysWOW64\Hlkfbocp.exe
| MD5 | d96549f533519242af86d1f3d772d89c |
| SHA1 | 17c658ff620b6ef3e1e8b2f1669bb4641aa030f0 |
| SHA256 | 636f6ce6d509f513cfa65aeb0457771859d78c684889aa6e5609e09962d05fc4 |
| SHA512 | 42430cbff32a559220a5a522c32248e41ab403ab7283dd73cfbf79326782f3a92734143bba4fd7754907b102043d07ef8960d02914db7d13b30c750e2798f24a |
C:\Windows\SysWOW64\Hecjke32.exe
| MD5 | 908923603dd084664254a5de9a1c17ff |
| SHA1 | 3c43c523689c501b0b667ec065be99ac0a1d3c56 |
| SHA256 | 769e85880f20249a695f9836ed5ad504c797700363764e32b88f1f592e681f43 |
| SHA512 | 34e78e9c353a255b4adbcc34b98e8cd0e2baaebb2a000a7b56ebfcf673bd49c07310e1034f69a3f2e6704cd13dad0f3cc23945af091457ab80e1510eecaa4cfa |
C:\Windows\SysWOW64\Hajkqfoe.exe
| MD5 | cb1221d765f7ef4312677770b4f80b1e |
| SHA1 | 6645e4cd167f4381207938dc0ce4f8782a2b7b6f |
| SHA256 | 15f66b9f3897293baa48e74c92ceaa28657b666268b81dc45aa19804106e9554 |
| SHA512 | 1397b471e026991d397e21e0483deaf1b4b9abeac67a3a67bac41e1d7b592e007e437224aac93c6ac6effac09100982391a6e3207e922ee711e0ef64593c7e3a |
C:\Windows\SysWOW64\Hnnljj32.exe
| MD5 | 8a5dd308194c419bd3e32c4a302c447e |
| SHA1 | 7a4b3a8cecad617a5f9664fd66574c548804f037 |
| SHA256 | 41c6e19eaf7cd593a3570d2ec4e6a4cc47f0d0a0b47104e7bcac3cf19a34faac |
| SHA512 | 111618e01b945dc2489cb759c12608426f24b7eac0bb97ca4040aca2079660a37e8e28bc05ada4fff5371cbe35a33a0e0239f5598a8679202cd1b7f791236be7 |
C:\Windows\SysWOW64\Iogopi32.exe
| MD5 | 01419bb206fc812c7183fad0d255e36e |
| SHA1 | 766dc91f055380e29aed09582f9c55ee16d0eaf1 |
| SHA256 | f217a39698585f3daad4286b67246a71d795cdf492acef9ede02b3c4b0020269 |
| SHA512 | 38433dccca0121586f949a9bc51ce1373a05665ae6a16be3f894af15f3638d0c6b27310f10739ba6be7aa8324b6ec1c12b3ccc7a6a04dfc36f3da44f13619ba2 |
C:\Windows\SysWOW64\Ilnlom32.exe
| MD5 | 61cc0e215b9259911522c1e69ca15b46 |
| SHA1 | 5b5a5873cbac01fedd006b948595750ba538aac4 |
| SHA256 | aa6a1d25c1e564468fe7221bfe0aa1b1ac7ee5adf04587043f13790446fc5ac6 |
| SHA512 | 8d4fa9c27c8865263e381ae84d27a3f39d88c8aa29317b7979664ce00979875483267d3b188688528a2950c583a7ccc4385387f350d1f47dfb55f235269f93d7 |
C:\Windows\SysWOW64\Iehmmb32.exe
| MD5 | c77e803789c59d13125c0e0d91092f64 |
| SHA1 | 1b8554df9aff2095fa55858e393c31a0e18f62f8 |
| SHA256 | 048c3f1d8cf75c15258a4101f110845356f1bc4ab717af77b58f9e107ec06487 |
| SHA512 | 28aa9036fd944c82eb5f818cffd9950494486339dcb9f25c5b5f37cc9a8e649037c37fefcd4bceef10b8eabea0f33a5a01bfe7fd7351bd3d67df47160bc2772f |
C:\Windows\SysWOW64\Jeapcq32.exe
| MD5 | 85c4d6b6727bd77e8859ecb3a1f1a5e8 |
| SHA1 | 298637045e769bd0fb7662710b8692240455aa97 |
| SHA256 | 0e60e045661d46a1e151ca697dc6a9063046bf3baeb2b867a2bdb7f502a3ca1c |
| SHA512 | ab59798436fe742daf3a9422d2090d029482f3b8ac18b93222e00671d10b6b8e732c59671c56273efd63aae491ef30b4f6c9efbf1fedf80fff3bf419b660cb5f |
C:\Windows\SysWOW64\Kolabf32.exe
| MD5 | 1dc985c56037a17f8eee716b135fb126 |
| SHA1 | 2049a788ba3903843844390de86a228429806f68 |
| SHA256 | c329dda46576b9957bf7775943985499e0bbf6b7ca9fe8f9cd642856a2b738e6 |
| SHA512 | 023f5ffca20b2d1a711b0e58fd007d497a235c6912b56bbc4639b137755332a709b52beca21ca37399c866354b1b91ab8bee4ad3c633c707173413e0b95f2602 |
C:\Windows\SysWOW64\Kpnjah32.exe
| MD5 | 8db1eca3380bec1d776b3d7f2d257a30 |
| SHA1 | 1cedbfe240e3e1b2e68ef11a36b18048e0a10e70 |
| SHA256 | 815747f7f5e62240f0f2cd6966e453e78825bf8db039ead9a0344f14851e5cb7 |
| SHA512 | 888403f87c66569f70636d3592acf888dec12c5a445d289fbc6ca61d167c2b30282c07488de97d9af1d3a450895f41ad46e7b2a7e012884394794485616cbae9 |
C:\Windows\SysWOW64\Lckboblp.exe
| MD5 | 13ec7d91d9a1e0c37405302bc513b3e3 |
| SHA1 | e1be407e0b6ad34afcce68aea43c67419a5d2326 |
| SHA256 | 77529bc0438a2569857e682f8ed4ca3897a1cb92d9840c3371b9ee742c7ab40a |
| SHA512 | cc976abfa09977f51b0ed6749a0fb5a26df7fddec345b5aa9035c65065fdd4a0f57b1ac624c7a08759e03572dce5d765cc0927af928a34c37449c3bf0eaab4c1 |
C:\Windows\SysWOW64\Mjggal32.exe
| MD5 | 9b0fe2fba0e9677d6c3f2ff96504a464 |
| SHA1 | 0c99a34051b30e6d889bcca892db8b6b36a7a0ea |
| SHA256 | d68802aadef3f408077fa7fd07174afda54506b931449d4de33b4881780170d8 |
| SHA512 | eba2b3ed768125fa89f9d542581132434e588f0bcada775b70f7437470d404d8eebc604b29a4c69374837960ebaf1fcd2b2b6fc9586d61497671124619459217 |
C:\Windows\SysWOW64\Nhhdnf32.exe
| MD5 | 55e98d952bca70cf08ea45e5711abede |
| SHA1 | 08e9a0f3342878d0f7aa8ac3403536c9f14365fc |
| SHA256 | 09054c1ee4da55918bad01d4ada2899f9c59c0fa7df82318a5fd1762531fd6d2 |
| SHA512 | f3b1e629904eac1c4817a2cd2b4c17ecad08d300566cdecfd1e9bfdfcc71e604c0e628f4773ce2ae6adc67664ddbc7cc1c74472f6968cb1fbcb01b6fe9455e5c |
C:\Windows\SysWOW64\Oiagde32.exe
| MD5 | 0c3a7acc1b3da1ed50f6de116da73e68 |
| SHA1 | 78caaf0dfd4428b6160bd648c02a2e5b42e63205 |
| SHA256 | 6056ba49cd5ebc9ecc29ef83945e3041d632f22393800d7a19590f1a6314ed05 |
| SHA512 | 8781108f7603e436ee42454bcaf30fd1971e6615c195b57d83f30c245a8bcc2aedeb59be81c50b428e39cbd56bd5bb294fca0e1df61815a30a1df1607b42fad1 |
C:\Windows\SysWOW64\Ojqcnhkl.exe
| MD5 | 334b32981f78b408ca17983fc92fad2e |
| SHA1 | 306d953aa687a3481e3f6d394a4848239b4d1cfb |
| SHA256 | 4ff6d1a07b09c25640c21d5c542ccf38a2f1fe3a283fda6ec001a666dceb7fcd |
| SHA512 | 37f7425c2dd4e47b9e007e995f65d46616bff55d8d916829914291162da4afe1d977164a187cdcbbe37792c8bbb557cdcd6c5baa477c8231083cca3121b339f1 |
C:\Windows\SysWOW64\Ojhiogdd.exe
| MD5 | 12d37c3bda8bd67fe137379f8b301381 |
| SHA1 | 26b5f9420815fc8c115493d83ff295f1ee83f962 |
| SHA256 | 8ddbd12e5e302119ae72c4cc187397c2cea3f27e1c56026a343e432ef421d0d3 |
| SHA512 | 3ee577a8cff074d4be0ebc12a7defb8e572d596a499cda5dcd8f7d1b8e5f7cf1002f5c8295a45605c598fce6b249d9ed0ea10a8c5886e7768b3bcb69758e22b5 |
C:\Windows\SysWOW64\Padnaq32.exe
| MD5 | 438da3aba5bd7c95f4a616579523d7cd |
| SHA1 | 186c7d22865df7869420973ff25c6b2b8b7f770a |
| SHA256 | 917d32fd1cf6371a956205b88234ade8890aefa1e6363a846d0bae817e5833f9 |
| SHA512 | e89bda123641b5de0ce1b961255de527a382647d68a122fb62b992b15ae16410eca18f8915d29f7ca7402a8dcc182b90b192f72b5d46f60120b0ef62b5d7001c |
C:\Windows\SysWOW64\Pjoppf32.exe
| MD5 | 1bc46ce7071767be24bc19f9d87abd79 |
| SHA1 | 7dafec8fcbef32f470dcc5ed91478540215c0ad4 |
| SHA256 | 3e4014f2e216421bc24aa0a072666c08616c029676e743787a07aced277cd37f |
| SHA512 | 82333f4e220baa4c80da0060d41ae8bf4acb28376ad2d74435c1cf34abf88fee918796c41292f86dd74ce5da91ce0f540a4b223cac5175322922afb6d6899d32 |
C:\Windows\SysWOW64\Ppnenlka.exe
| MD5 | 6c4501affe71b39cb6da8503f9ca364e |
| SHA1 | 879557260fd5ad1123a7573cf2de08be89aa977c |
| SHA256 | 46351cebb16031b55b80d89d0bfde13b3ebc4fff63473b1fd2da4c2c6ce65e3d |
| SHA512 | f98b7a190d9c92e2f54bb95bdb25e01f60d17afe4cc02920b1d09b41a061b23fe22afefc1fad125ec23b8ec5edd3fdc681ee26d36efe4e07081ca6ac85961c33 |
C:\Windows\SysWOW64\Pififb32.exe
| MD5 | a3a515045d7a373d09e588df51d73697 |
| SHA1 | eca5a9708e83861d92872b84dee515cdcf7d0ce6 |
| SHA256 | d15d9720d607486e606cfdcc4e80d52a7c510663dd8b0331ab44cdc2cffa8864 |
| SHA512 | a5a9a58a35ac8771bc1e2497a087be64d6c532dc14bcbabdd67525a67b718f338350369de9e1a1ec728b18b9236819560b712ad272064ebfd94fbb3931108cce |