Analysis Overview
SHA256
2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6e
Threat Level: Known bad
The file 2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Berbew family
Gozi
Berbew
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Program crash
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-02 05:36
Signatures
Berbew family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-02 05:36
Reported
2024-10-02 05:38
Platform
win7-20240729-en
Max time kernel
16s
Max time network
17s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oegdcj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oegdcj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Olalpdbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Olalpdbc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\Oegdcj32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Olalpdbc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ockdmn32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Oegdcj32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Oegdcj32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Olalpdbc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Olalpdbc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Oegdcj32.exe | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oegdcj32.exe | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| File created | C:\Windows\SysWOW64\Olalpdbc.exe | C:\Windows\SysWOW64\Oegdcj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Khhaomjd.dll | C:\Windows\SysWOW64\Olalpdbc.exe | N/A |
| File created | C:\Windows\SysWOW64\Lncacf32.dll | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Olalpdbc.exe | C:\Windows\SysWOW64\Oegdcj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lkdjamga.dll | C:\Windows\SysWOW64\Oegdcj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ockdmn32.exe | C:\Windows\SysWOW64\Olalpdbc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ockdmn32.exe | C:\Windows\SysWOW64\Olalpdbc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oegdcj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Olalpdbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ockdmn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncacf32.dll" | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Oegdcj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkdjamga.dll" | C:\Windows\SysWOW64\Oegdcj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Olalpdbc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Olalpdbc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oegdcj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhaomjd.dll" | C:\Windows\SysWOW64\Olalpdbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe
"C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe"
C:\Windows\SysWOW64\Oegdcj32.exe
C:\Windows\system32\Oegdcj32.exe
C:\Windows\SysWOW64\Olalpdbc.exe
C:\Windows\system32\Olalpdbc.exe
C:\Windows\SysWOW64\Ockdmn32.exe
C:\Windows\system32\Ockdmn32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 140
Network
Files
memory/2308-4-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Oegdcj32.exe
| Hash | Value |
| --- | --- |
| MD5 | d1c23bc8515abe135d13740c8d6f32ea |
| SHA1 | d4b42458d1f2f8baf3fccac92e3c45cd4025302f |
| SHA256 | d2d5589c8acbe345c95c6c42952b4e6858bac8633782f9868f311b6672ed7fe7 |
| SHA512 | f34e416c63cbb427ce0f5b45cfc75c1ae04109cd37c4f928921970ed30e112a8982d9e94e61c2f9c8382f856e3564e59c791394c7a6fa2df5391b947fae5125b |
memory/1724-13-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2308-12-0x0000000000460000-0x00000000004B3000-memory.dmp
memory/2348-31-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Ockdmn32.exe
| Hash | Value |
| --- | --- |
| MD5 | fe492eacdd1115681cb1b6eb86a04c61 |
| SHA1 | e8378112facaa0ce6d4cf6700c724999cabdda83 |
| SHA256 | d3fe3f90e48f2d7a4446bee95aebf21271f234cdf825c6f8a8c9e02a74b3c9ef |
| SHA512 | 8a4bb03e49ad8f0465e3521412a684597a37d6ca92555fd1b7b0620aab0b7c86b76de5e729ec28ecc0e5876ef9bbcd8986fd9fc3f7181d2cabad6b753c52e13e |
memory/3060-40-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2348-39-0x00000000002F0000-0x0000000000343000-memory.dmp
C:\Windows\SysWOW64\Olalpdbc.exe
| Hash | Value |
| --- | --- |
| MD5 | 74ecd263a56d3ce7aa75e367787d35e8 |
| SHA1 | 2f7bf15ff9e3845f5c87281930c1514b2eb47f53 |
| SHA256 | 592fecb3d661f4eca5f4421176cf4a225cdc3f97aea5030073e7f06ef2fe1488 |
| SHA512 | 946aef3134162ab07012d766758650d2e3e5e7478c819c94b88393daf4ab7504aa19db4ef2b6b60beab4a897c6ce14069689662f85b02551e3f7c4d7a6829a2d |
memory/3060-52-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2308-51-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2348-49-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1724-48-0x0000000000400000-0x0000000000453000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-02 05:36
Reported
2024-10-02 05:38
Platform
win10v2004-20240802-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajanck32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cnkplejl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cnkplejl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ceehho32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Daekdooc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bganhm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Beihma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ceqnmpfo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qgqeappe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjmnoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Beihma32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ddjejl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aqncedbp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bganhm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bmngqdpj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aqkgpedc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ageolo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ceqnmpfo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdfkolkf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qfcfml32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajfhnjhq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddmaok32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ajfhnjhq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Amgapeea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bmkjkd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmngqdpj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qjoankoi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qcgffqei.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ajanck32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmkjkd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
Berbew
Gozi
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Ajanck32.exe | C:\Windows\SysWOW64\Qcgffqei.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aminee32.exe | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fqjamcpe.dll | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| File created | C:\Windows\SysWOW64\Nnjaqjfh.dll | C:\Windows\SysWOW64\Beihma32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmcfdb32.dll | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ehfnmfki.dll | C:\Windows\SysWOW64\Ajanck32.exe | N/A |
| File created | C:\Windows\SysWOW64\Amgapeea.exe | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ajkaii32.exe | C:\Windows\SysWOW64\Amgapeea.exe | N/A |
| File created | C:\Windows\SysWOW64\Phiifkjp.dll | C:\Windows\SysWOW64\Bmkjkd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbejge32.dll | C:\Windows\SysWOW64\Bmngqdpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Aepefb32.exe | C:\Windows\SysWOW64\Aminee32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bebblb32.exe | C:\Windows\SysWOW64\Bmkjkd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bchomn32.exe | C:\Windows\SysWOW64\Bmngqdpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebdijfii.dll | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Delnin32.exe | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| File created | C:\Windows\SysWOW64\Chcddk32.exe | C:\Windows\SysWOW64\Ceehho32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fpdaoioe.dll | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| File created | C:\Windows\SysWOW64\Ibaabn32.dll | C:\Windows\SysWOW64\Ageolo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ldfgeigq.dll | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Naeheh32.dll | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Djgjlelk.exe | C:\Windows\SysWOW64\Ddmaok32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qjoankoi.exe | C:\Windows\SysWOW64\Qfcfml32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdfkolkf.exe | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ddjejl32.exe | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| File created | C:\Windows\SysWOW64\Aqkgpedc.exe | C:\Windows\SysWOW64\Ajanck32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmkjkd32.exe | C:\Windows\SysWOW64\Bjmnoi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cndikf32.exe | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| File created | C:\Windows\SysWOW64\Jjjald32.dll | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ddmaok32.exe | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dobfld32.exe | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| File created | C:\Windows\SysWOW64\Qcgffqei.exe | C:\Windows\SysWOW64\Qjoankoi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjmnoi32.exe | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bmpcfdmg.exe | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfkedibe.exe | C:\Windows\SysWOW64\Beihma32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cnicfe32.exe | C:\Windows\SysWOW64\Ceqnmpfo.exe | N/A |
| File created | C:\Windows\SysWOW64\Beeppfin.dll | C:\Windows\SysWOW64\Ddmaok32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dobfld32.exe | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| File created | C:\Windows\SysWOW64\Akmfnc32.dll | C:\Windows\SysWOW64\Bjmnoi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bgehcmmm.exe | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| File created | C:\Windows\SysWOW64\Jekpanpa.dll | C:\Windows\SysWOW64\Cnkplejl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Calhnpgn.exe | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dopigd32.exe | C:\Windows\SysWOW64\Ddjejl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qfcfml32.exe | C:\Windows\SysWOW64\Qgqeappe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjokdipf.exe | C:\Windows\SysWOW64\Bganhm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Flgehc32.dll | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cnnlaehj.exe | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Daconoae.exe | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| File created | C:\Windows\SysWOW64\Efmolq32.dll | C:\Windows\SysWOW64\Aqkgpedc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ambgef32.exe | C:\Windows\SysWOW64\Ageolo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cndikf32.exe | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfpnph32.exe | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ambgef32.exe | C:\Windows\SysWOW64\Ageolo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cnkplejl.exe | C:\Windows\SysWOW64\Cdfkolkf.exe | N/A |
| File created | C:\Windows\SysWOW64\Alcidkmm.dll | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bmkjkd32.exe | C:\Windows\SysWOW64\Bjmnoi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qopkop32.dll | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qgqeappe.exe | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| File created | C:\Windows\SysWOW64\Qciaajej.dll | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| File created | C:\Windows\SysWOW64\Gokgpogl.dll | C:\Windows\SysWOW64\Qgqeappe.exe | N/A |
| File created | C:\Windows\SysWOW64\Aqncedbp.exe | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfddbh32.dll | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajkaii32.exe | C:\Windows\SysWOW64\Amgapeea.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjokdipf.exe | C:\Windows\SysWOW64\Bganhm32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdfkolkf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmllipeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qcgffqei.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajanck32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aqkgpedc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajfhnjhq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amgapeea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmngqdpj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgehcmmm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddjejl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ageolo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnkplejl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aqncedbp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aminee32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmkjkd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Beihma32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ceehho32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qfcfml32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qjoankoi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bganhm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qgqeappe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddmaok32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ceqnmpfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjmnoi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Daekdooc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qfcfml32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll" | C:\Windows\SysWOW64\Ceqnmpfo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddmaok32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll" | C:\Windows\SysWOW64\Aqncedbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll" | C:\Windows\SysWOW64\Aminee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ddmaok32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll" | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qgqeappe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qcgffqei.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll" | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qgqeappe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ceqnmpfo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Daekdooc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ageolo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll" | C:\Windows\SysWOW64\Bmkjkd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll" | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll" | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll" | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ajanck32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aqncedbp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll" | C:\Windows\SysWOW64\Bjmnoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll" | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll" | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll" | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll" | C:\Windows\SysWOW64\Qgqeappe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll" | C:\Windows\SysWOW64\Cdfkolkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll" | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll" | C:\Windows\SysWOW64\Qcgffqei.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Amgapeea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll" | C:\Windows\SysWOW64\Beihma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ceqnmpfo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aminee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cnkplejl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll" | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cdfkolkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll" | C:\Windows\SysWOW64\Cnkplejl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll" | C:\Windows\SysWOW64\Ceehho32.exe | N/A |
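Every row in the table above targets the same CLSID: the InProcServer32 default value is rewritten again and again with a fresh DLL under SysWow64, each time by one of the dropped executables, while ThreadingModel stays "Apartment". The script below is an added example (not part of the sandbox report or of the sample) that reconstructs that binding from the rows themselves, so an analyst can lift the CLSID and the full set of server DLL paths as indicators without reading ninety lines by hand. It uses six rows copied from the table as constructed input; the naming heuristic (one capital letter, then seven lowercase letters or five lowercase letters plus "32") is an observation about this run, not a published family signature, and is labelled as an assumption in the code.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: six rows copied from the "Modifies registry class" table
# of this report (a raw string, so the sandbox's doubled backslashes survive).
SAMPLE_ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qfcfml32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll" | C:\Windows\SysWOW64\Ceqnmpfo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll" | C:\Windows\SysWOW64\Aqncedbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll" | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
"""

ROW_RE = re.compile(r'^\|\s*(.+?)\s*\|\s*(.+?)\s*\|\s*(.+?)\s*\|\s*(.+?)\s*\|$')
SETVAL_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]*) = "(?P<value>.*)"$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
# Naming shape shared by every dropped file in this run: one capital letter,
# then seven lowercase letters or five lowercase letters plus "32".  Heuristic
# only (assumption): capitalised system names such as Netapi32.dll also match.
GENERATED_NAME_RE = re.compile(r'^[A-Z](?:[a-z]{7}|[a-z]{5}32)\.(?:exe|dll)$')


@dataclass
class RegEvent:
    op: str
    key: str
    name: Optional[str]      # None for "Key created"; "" for the (Default) value
    value: Optional[str]
    process: str


@dataclass
class ComServerBinding:
    clsid: str
    dll_paths: set = field(default_factory=set)
    threading_models: set = field(default_factory=set)
    writers: set = field(default_factory=set)


def parse_rows(text: str) -> list:
    """Turn sandbox table rows into RegEvent records."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        op, indicator, process, _target = m.groups()
        if op.startswith("Set value"):
            sv = SETVAL_RE.match(indicator)
            if sv is None:
                continue
            # The sandbox prints backslashes inside string values doubled; fold them.
            value = sv["value"].replace("\\\\", "\\")
            events.append(RegEvent(op, sv["key"], sv["name"], value, process))
        else:
            events.append(RegEvent(op, indicator, None, None, process))
    return events


def build_bindings(events) -> dict:
    """Group InProcServer32 writes by CLSID: which DLLs were bound, and by whom."""
    bindings = {}
    for ev in events:
        m = CLSID_RE.search(ev.key)
        if m is None or not ev.key.upper().endswith("\\INPROCSERVER32"):
            continue
        clsid = m.group(0).upper()
        b = bindings.setdefault(clsid, ComServerBinding(clsid))
        b.writers.add(ev.process)
        if ev.name == "":                       # (Default) = path of the COM server DLL
            b.dll_paths.add(ev.value)
        elif ev.name and ev.name.lower() == "threadingmodel":
            b.threading_models.add(ev.value)
    return bindings


def looks_generated(path: str) -> bool:
    return GENERATED_NAME_RE.match(path.rsplit("\\", 1)[-1]) is not None


def assess(b: ComServerBinding) -> list:
    """Reasons to treat a CLSID binding as a planted or hijacked COM server."""
    reasons = []
    if len(b.dll_paths) > 1:
        reasons.append(f"{len(b.dll_paths)} different DLLs bound to {b.clsid} in one run")
    for p in sorted(b.dll_paths):
        if "\\syswow64\\" in p.lower() and looks_generated(p):
            reasons.append(f"server DLL in SysWOW64 with generated name: {p}")
    generated_writers = sorted(w for w in b.writers if looks_generated(w))
    if generated_writers:
        reasons.append(f"written by {len(generated_writers)} process(es) with generated names")
    return reasons


if __name__ == "__main__":
    for clsid, b in build_bindings(parse_rows(SAMPLE_ROWS)).items():
        print(clsid, sorted(b.dll_paths), sorted(b.threading_models))
        for r in assess(b):
            print("  -", r)
```

Two things matter when turning this into a hunt. First, the name heuristic is a secondary score only: legitimate names such as Netapi32.dll or Comctl32.dll fit the same shape, so the strong signal is an InProcServer32 default value being rewritten by an unsigned executable that itself lives in SysWOW64, not the spelling of the file name. Second, on a live host the equivalent check is simply `reg query "HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32"` followed by a signature check of whatever DLL the default value names.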
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe | "C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe" |
| C:\Windows\SysWOW64\Qgqeappe.exe | C:\Windows\system32\Qgqeappe.exe |
| C:\Windows\SysWOW64\Qfcfml32.exe | C:\Windows\system32\Qfcfml32.exe |
| C:\Windows\SysWOW64\Qjoankoi.exe | C:\Windows\system32\Qjoankoi.exe |
| C:\Windows\SysWOW64\Qcgffqei.exe | C:\Windows\system32\Qcgffqei.exe |
| C:\Windows\SysWOW64\Ajanck32.exe | C:\Windows\system32\Ajanck32.exe |
| C:\Windows\SysWOW64\Aqkgpedc.exe | C:\Windows\system32\Aqkgpedc.exe |
| C:\Windows\SysWOW64\Ageolo32.exe | C:\Windows\system32\Ageolo32.exe |
| C:\Windows\SysWOW64\Ambgef32.exe | C:\Windows\system32\Ambgef32.exe |
| C:\Windows\SysWOW64\Aqncedbp.exe | C:\Windows\system32\Aqncedbp.exe |
| C:\Windows\SysWOW64\Ajfhnjhq.exe | C:\Windows\system32\Ajfhnjhq.exe |
| C:\Windows\SysWOW64\Aeklkchg.exe | C:\Windows\system32\Aeklkchg.exe |
| C:\Windows\SysWOW64\Amgapeea.exe | C:\Windows\system32\Amgapeea.exe |
| C:\Windows\SysWOW64\Ajkaii32.exe | C:\Windows\system32\Ajkaii32.exe |
| C:\Windows\SysWOW64\Aminee32.exe | C:\Windows\system32\Aminee32.exe |
| C:\Windows\SysWOW64\Aepefb32.exe | C:\Windows\system32\Aepefb32.exe |
| C:\Windows\SysWOW64\Bjmnoi32.exe | C:\Windows\system32\Bjmnoi32.exe |
| C:\Windows\SysWOW64\Bmkjkd32.exe | C:\Windows\system32\Bmkjkd32.exe |
| C:\Windows\SysWOW64\Bebblb32.exe | C:\Windows\system32\Bebblb32.exe |
| C:\Windows\SysWOW64\Bganhm32.exe | C:\Windows\system32\Bganhm32.exe |
| C:\Windows\SysWOW64\Bjokdipf.exe | C:\Windows\system32\Bjokdipf.exe |
| C:\Windows\SysWOW64\Bmngqdpj.exe | C:\Windows\system32\Bmngqdpj.exe |
| C:\Windows\SysWOW64\Bchomn32.exe | C:\Windows\system32\Bchomn32.exe |
| C:\Windows\SysWOW64\Bmpcfdmg.exe | C:\Windows\system32\Bmpcfdmg.exe |
| C:\Windows\SysWOW64\Bgehcmmm.exe | C:\Windows\system32\Bgehcmmm.exe |
| C:\Windows\SysWOW64\Beihma32.exe | C:\Windows\system32\Beihma32.exe |
| C:\Windows\SysWOW64\Bfkedibe.exe | C:\Windows\system32\Bfkedibe.exe |
| C:\Windows\SysWOW64\Bcoenmao.exe | C:\Windows\system32\Bcoenmao.exe |
| C:\Windows\SysWOW64\Cndikf32.exe | C:\Windows\system32\Cndikf32.exe |
| C:\Windows\SysWOW64\Cfpnph32.exe | C:\Windows\system32\Cfpnph32.exe |
| C:\Windows\SysWOW64\Ceqnmpfo.exe | C:\Windows\system32\Ceqnmpfo.exe |
| C:\Windows\SysWOW64\Cnicfe32.exe | C:\Windows\system32\Cnicfe32.exe |
| C:\Windows\SysWOW64\Cdfkolkf.exe | C:\Windows\system32\Cdfkolkf.exe |
| C:\Windows\SysWOW64\Cnkplejl.exe | C:\Windows\system32\Cnkplejl.exe |
| C:\Windows\SysWOW64\Ceehho32.exe | C:\Windows\system32\Ceehho32.exe |
| C:\Windows\SysWOW64\Chcddk32.exe | C:\Windows\system32\Chcddk32.exe |
| C:\Windows\SysWOW64\Cnnlaehj.exe | C:\Windows\system32\Cnnlaehj.exe |
| C:\Windows\SysWOW64\Calhnpgn.exe | C:\Windows\system32\Calhnpgn.exe |
| C:\Windows\SysWOW64\Ddjejl32.exe | C:\Windows\system32\Ddjejl32.exe |
| C:\Windows\SysWOW64\Dopigd32.exe | C:\Windows\system32\Dopigd32.exe |
| C:\Windows\SysWOW64\Ddmaok32.exe | C:\Windows\system32\Ddmaok32.exe |
| C:\Windows\SysWOW64\Djgjlelk.exe | C:\Windows\system32\Djgjlelk.exe |
| C:\Windows\SysWOW64\Dobfld32.exe | C:\Windows\system32\Dobfld32.exe |
| C:\Windows\SysWOW64\Delnin32.exe | C:\Windows\system32\Delnin32.exe |
| C:\Windows\SysWOW64\Ddonekbl.exe | C:\Windows\system32\Ddonekbl.exe |
| C:\Windows\SysWOW64\Dfnjafap.exe | C:\Windows\system32\Dfnjafap.exe |
| C:\Windows\SysWOW64\Daconoae.exe | C:\Windows\system32\Daconoae.exe |
| C:\Windows\SysWOW64\Dhmgki32.exe | C:\Windows\system32\Dhmgki32.exe |
| C:\Windows\SysWOW64\Daekdooc.exe | C:\Windows\system32\Daekdooc.exe |
| C:\Windows\SysWOW64\Dhocqigp.exe | C:\Windows\system32\Dhocqigp.exe |
| C:\Windows\SysWOW64\Dmllipeg.exe | C:\Windows\system32\Dmllipeg.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 908 -ip 908 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 396 |
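Two details in the process list above are easy to miss and matter for detection. Every dropped executable is recorded with an image path under SysWOW64 while its command line says system32: the 32-bit parent asked for system32 and file-system redirection sent it to SysWOW64, so a rule that matches only on the command line never sees the real location. And the run ends with two WerFault.exe invocations whose `-p 908` argument names the process that crashed. The script below is an added example (not part of the report or the sample) that reads a few of the path/command-line pairs as constructed input, flags SysWOW64 images whose names fit the generated shape seen throughout this run, and pulls the crashed PID out of the WerFault command lines. The report does not state parent-child relationships, so the code does not infer any; the naming pattern is an assumption drawn from this run only.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: a few image-path / command-line pairs taken from the
# "Processes" list of this report, in the order the sandbox printed them.
SAMPLE_PROCESSES = r"""
C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe
"C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe"
C:\Windows\SysWOW64\Qgqeappe.exe
C:\Windows\system32\Qgqeappe.exe
C:\Windows\SysWOW64\Qfcfml32.exe
C:\Windows\system32\Qfcfml32.exe
C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 908 -ip 908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 396
"""

# Assumption: the 8-character generated names observed in this run
# (capital letter + seven lowercase, or + five lowercase and "32").
GENERATED_NAME_RE = re.compile(r'^[A-Z](?:[a-z]{7}|[a-z]{5}32)\.exe$')
# "-p <pid>" only; the guard keeps "-pss" and "-ip" from matching.
WERFAULT_PID_RE = re.compile(r'(?:^|\s)-p\s+(\d+)\b')


@dataclass
class Proc:
    image: str      # executable path as the sandbox resolved it
    cmdline: str    # command line as the parent supplied it


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_pairs(text: str) -> list:
    """Pair consecutive non-empty lines as (image, command line)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return [Proc(lines[i], lines[i + 1]) for i in range(0, len(lines) - 1, 2)]


def wow64_redirected(p: Proc) -> bool:
    """Image resolved to SysWOW64 although the command line names system32."""
    return "\\syswow64\\" in p.image.lower() and "\\system32\\" in p.cmdline.lower()


def werfault_target_pid(p: Proc) -> Optional[int]:
    """PID handed to WerFault.exe via -p, or None for any other process."""
    if basename(p.image).lower() != "werfault.exe":
        return None
    m = WERFAULT_PID_RE.search(p.cmdline)
    return int(m.group(1)) if m else None


def triage(procs) -> tuple:
    """(processes worth pulling from disk, PIDs that WerFault reported crashing)."""
    flagged = [p for p in procs
               if "\\syswow64\\" in p.image.lower()
               and GENERATED_NAME_RE.match(basename(p.image))]
    crashed = set()
    for p in procs:
        pid = werfault_target_pid(p)
        if pid is not None:
            crashed.add(pid)
    return flagged, sorted(crashed)


if __name__ == "__main__":
    procs = parse_pairs(SAMPLE_PROCESSES)
    flagged, crashed = triage(procs)
    for p in flagged:
        print("collect:", p.image, "(redirected)" if wow64_redirected(p) else "")
    print("crashed PIDs:", crashed)
```

When writing the equivalent rule for Sysmon or an EDR, key on the image path field rather than the command line for the SysWOW64 check, and treat a WerFault.exe child whose `-p` PID belongs to one of the flagged images as the end of the chain rather than as noise.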
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/3184-0-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3184-1-0x0000000000432000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Qgqeappe.exe
| MD5 | 7bb950fe2c90627795cf0e51daae955c |
| SHA1 | d8c48c7228cf87778daf8f1727c5a2f3c756ca23 |
| SHA256 | 3e85342260a7dc53fe5c7be8ebcddb0d25979812a32146ef00c6ffce40b669a9 |
| SHA512 | b9f19b8438fb1d440aed2e759a9e1ff274853ebda0e7fc89cd114c7a5c68c66b0ab22967363db40fa722bfce184d750119193fc570b4b3355c800db38dc0a1b5 |
memory/4324-12-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Qfcfml32.exe
| MD5 | 5cb8d0b283abc38c88f158a633fabe89 |
| SHA1 | fa8c7c88fa5deab7edfcfba5a4925ff420facc89 |
| SHA256 | fb53de27cd98396e1cd5a70ad85cde3fc8558db7403139f19bda10ccca40e83a |
| SHA512 | 4044de697552b50fd14798e686c36774f19714feea6085f9fbe03b1c3ea45b9bad02dd0026b714a4ec07c2a2510913335be0f3ebee23b7eba562a93be861e310 |
memory/4952-21-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Qjoankoi.exe
| MD5 | a202233a0a6e3e69f047b0aa9db6b9ee |
| SHA1 | 83c42729e9ae22bbc7d2c56686fe363fa11b8847 |
| SHA256 | b8f58088d8fea182f42f60302787c337689618a0fa3c6e6c6edfb28dc1a7b67b |
| SHA512 | 533d2c77497f1732c8fc7d30fc96f9861ec47bfecafef3b7e09e7c4ecf19fa64aae452f1c98104d55f0c320066a015258361d2d7983ea9fe1ef09f7220bc930a |
memory/3504-24-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Qcgffqei.exe
| MD5 | ddd131fe0a4d86075dd6825020c58b12 |
| SHA1 | 15baae72fed8152a8decc0f06b0a5b39ca785cc3 |
| SHA256 | 2eaa32b7249e0b484c047fd542059e2dd9dbbf288f09d2e9f6667739572a2265 |
| SHA512 | 11de47807b9b590e8317361cb49366fb9fe5fb631c36229200660a74d7a82c6eea3f5b4b2d42bb3c2af96bc2a6f1848966de72a3530f72e313852aed34844818 |
memory/1284-32-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ajanck32.exe
| MD5 | 9f4a2a39e84aba62fb729963ff8639a8 |
| SHA1 | 25493640d8d3291a02e1a29d3332adf5f507c914 |
| SHA256 | 94295c8f5f9457d22af5650e38fce83ff1c9fe466abe8cc7d8410c3f28bd717b |
| SHA512 | 874a2b90cb7676dcfc7330236956dece7b3942fa2b70a340bf8271769acdb08fd5d9ca4743deeb6f572982795d059ff845b980bdf305127971719987376c3ba9 |
memory/1004-41-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Aqkgpedc.exe
| MD5 | a712e9157bfc726576f53eaba490e5f5 |
| SHA1 | d857a49472b8d7c4b5ff4436b969b613ea67e186 |
| SHA256 | db5a050e4fcbea31e3a5c37ed2cfd74ce79a9fe1a83c13e5dc074c4ce27bbf9a |
| SHA512 | 0fddcc66cb1113d64432281beb4198858b90285fdbc7644de3d5b3a9bc72774e3808d8fef803d85759786ae0bf06672f1ae2e2d78607f3824e6ae1ab54911c4b |
memory/4228-48-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ageolo32.exe
| MD5 | 441484cb0ee8b4b0504d602fbec9d192 |
| SHA1 | e969a6307a75c95b033c45a70784646dcb254ca5 |
| SHA256 | ebd8d25580b7dbb530a57977783ce8781da3db83410aecba6bab09c67bbf79d7 |
| SHA512 | b6d96e5a5aef0360c238376ca7a185b838547cbfe1502ae4cbade512da6e8dd4401f69677efbe4376729885387e770ced38e8bb514ee7c2cfc9a3fc58baf0192 |
memory/3972-56-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ambgef32.exe
| MD5 | e5aa8c227d43191d4bc1727db50a6a31 |
| SHA1 | d380564125a1298224c815ad96e1cb67eb602bf4 |
| SHA256 | abec439d29a7efe1d570eade21a6df41f35edb8bb66f42896f8fc3f3b55fe893 |
| SHA512 | 771261e21cfb212180f2cdec4fb083e444a0678681f282e384c81b3443a562f95d58f8d9b9f94e6713ec2ae5a25d98d59a0d97c21967fbb89ad7a612602b3187 |
memory/116-69-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Aqncedbp.exe
| MD5 | 2517ed4542ae8621e67ce8cae676c7a1 |
| SHA1 | 8f095ac8875682f2dbde83edb73c79c5827d9df5 |
| SHA256 | 6b01768b9ca1b5a0902c39cba52c16851223baf84c198aa28e65467eabee6de8 |
| SHA512 | 84d8a0f98a77fc12f57d159812fd66ac32bf38143f771ecf632ec6aefe453d5328dc683a539f952d6e15b0d3e8a469ebc8ce6b91224178266b91a48c5a4da8b0 |
memory/540-72-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ajfhnjhq.exe
| MD5 | d80387ca9f3b69edb6badd07ec1ac90e |
| SHA1 | fdc2e2722c2786c7e3b610f3d1de0c8a25676973 |
| SHA256 | d6f9ceb56c0c50f424feb82a75c8ae2ba67d223638e7f21df66d2f179e12b777 |
| SHA512 | 83327d90261c48789556d272783754d011608aa68b8943afbbbbfd21924725eb4a24011d02946fac1b84c47c90044590263d201eefeac1a3f1c689c542ef2dc4 |
memory/1568-80-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Aeklkchg.exe
| MD5 | b70dbb34da1b41d1abb1f2a2d852dfd1 |
| SHA1 | e7f9fa01f8aaaeb75954d949e67d73735ba11143 |
| SHA256 | aae78f2fb4937ecb812092bcc74f5055c6649a93986fe6c80ad0bcc91570b86b |
| SHA512 | c4bd62ab052a574da47bc2feec0891bb0f4cb59d5c9a623e7a5cbaf86894a5de4a3fb672cb799b6135d0a4d2f51fc4ec4e6b19bb35ba44efda24a166e7d50648 |
memory/3208-88-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Amgapeea.exe
| MD5 | 6b0bb9fc6400c1418d1f9a5d852b874a |
| SHA1 | 9a0ce2e3df27b05b2ba2cf22b7d7b0d8006a6bce |
| SHA256 | 3f5d88851948e6042cde82da55c004a3e1977991a6c04c44c9345a9173972e9f |
| SHA512 | 59dd81bc454cb41dca2e1f91835ebb19f5cf3bd70e14f63184c22bba266e1819b4ec65e1096f96e47478f9374fa721514f275025c2e471e7b4de3f0cb03c54da |
memory/4716-96-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Ajkaii32.exe
| MD5 | b000e4290d541c5abd4fe319e0a01af0 |
| SHA1 | dd2f57fca37656ef0ae3414729f788ff07fa618c |
| SHA256 | f9299b261e98f77d260b50d20011eaa133b2e2397b39fb27421a37445baf451f |
| SHA512 | 8fe8c43d42f9b4c93f64943540f9f5743ce1eac3fe8b642ae56098f78346a99351128fa7f1ee9d6dd5da1c3c9997de6eff615ed5ddde32dbea166d12d3351d37 |
memory/4996-104-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Aminee32.exe
| MD5 | b67527c33bcb7d4344489cbad10d487f |
| SHA1 | 1bc8d15228bb03043a918f78faa8dc85dc1905dc |
| SHA256 | d5c4ccfe1abf2e064bf6f0313cf59d08203ed1e6f906b710b2f225e7e39cc87c |
| SHA512 | 312b2d1964385b435e8d31ed0c24dbf6ec76f7bfc706b0bfa58c2c1b4e74ec8f09e11f8d53744cd1a58cc1099878ac66960d559b751379f10c6500407cc497a2 |
memory/4056-112-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Aepefb32.exe
| MD5 | a8f3bffc0ca8817e485937f22720a35f |
| SHA1 | d31759099e0e293b273ec030366c8803c3c3dab4 |
| SHA256 | 3b69dba5ebe8dde15cf07b7bb7e8ee16cd5d0f18c71f070b81dfb2c2877ef7f0 |
| SHA512 | 4511f2e79620a60ff8c774b9ecb8ab8ba0b230c0a009d3b7fe1a6783356ed7ff469b52278ba5a518f58088dfb0da1a15794759c4e3a2f0873cfe7e28e3f6c45f |
memory/2024-121-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Bjmnoi32.exe
| MD5 | a0cc0f84c7dab09d81e0e67e7020bd6f |
| SHA1 | db4088cde5c0f6bb64a08cedfa1a62e163125732 |
| SHA256 | 36f60500b2df8affe2d51c93bc3985c14e9f5697b4757d84ca0156dd327c0879 |
| SHA512 | ab8c5faae93260cd3d92dca9ef73de8921009769c1d4467c22e51b13476f6d4cd01dbf0d5376ad2b3306b3f6395161fd75b32055bf4ab709cbea816c867a1dc4 |
memory/1300-128-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Bmkjkd32.exe
| MD5 | d2e662ee07976f5b412335b23e940770 |
| SHA1 | 47c50e7f540d1cfd6644c3c3af2df760a0915c34 |
| SHA256 | b82c15d7394ec97c93e2c9ef806bb7ef1276e9ef7f04919d6ae0e5de39d97e13 |
| SHA512 | 89ff15e0ee8a247ac7a22cfb37760e59819c112f2143bb21fb99e842cd204856789eb32824b37dbaf3b906d4e6145b5cadcb2bddf9f10eb9dcb28acd9b8cf927 |
memory/4912-137-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Bebblb32.exe
| MD5 | c27d646550cd7a821124d4539f94c5c8 |
| SHA1 | 4e05a40caa1e39d5b9891fdd1c2a4c60ed2bf3be |
| SHA256 | 53d42e1a4b286edf925202a4b3d8ddc0602affde1666bf422df1033d6bd72315 |
| SHA512 | 4c3c871a45bf4d667ff9c997230e29b862ccd56ab2e784cde30c0171904e5bfa513de1a235e3897f5f25e758b0a830fcc49eca2882bd6f66f752e316ef39bb72 |
C:\Windows\SysWOW64\Bganhm32.exe
| MD5 | 1201c841de2afc7ffb03d5d4f6815b2d |
| SHA1 | 75c6a1163f2579a1e35a7637494c12095bbb05c1 |
| SHA256 | 8c39a492490c8b03b8a9c00f600eeceaa149b86ad331a4207b7bde7a094eab41 |
| SHA512 | 8830afeea4ad603d10c2c7f8ffce91c548ea5850d82ce3676d6b8c5378a7184f92fd948aff6012ce55665369402d444f1c03146268886550a9329da7efcc6775 |
memory/1560-145-0x0000000000400000-0x0000000000453000-memory.dmp
memory/5108-157-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Bjokdipf.exe
| MD5 | 1af4a8a87af5ab2019e27d3dd5a2f260 |
| SHA1 | 9b15ecb88f0d1a3a17b80a6279cf1a657e708d49 |
| SHA256 | ebc9868fd0ebc31eed094c7e92d691c228b7badec8ffbd3834a3a7d187ce6e07 |
| SHA512 | a71d68929b2e3ac9159ef061028ef2decb15a1a1391b1c56a233d22c8749686ffaa3ca1c38e3ae9fec2b4fa1c313151cc8f3f0c880febda4c5a3fcd26c91d664 |
memory/5032-165-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Bmngqdpj.exe
| MD5 | a0380572849826bbc73e41b6519d5fd2 |
| SHA1 | 2993842e167a020984322cfb9d4521d332f6b2a7 |
| SHA256 | 38906b6d599606ab0afb8b97dd9d85d6973f753b4bb294b3326e8b8211584767 |
| SHA512 | a66edd2d6a493fa70b97f0b9d84ee380e3b4df5669cdb02a8fe10bbd2f15d6150570c2b4158b9d04369cb8e34b9fb67fdd72a006fb5967e0c1fe2f68f0aa1810 |
memory/1820-173-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Bchomn32.exe
| MD5 | 477cc991faaf064f5698f25fe81145dd |
| SHA1 | ac08008da8854764f22a741de56e5188cfca0491 |
| SHA256 | a51da9887bfdc99a7fb77de38a88344f01ec06d81b915b74bf8459ec527d5515 |
| SHA512 | b9e36b1635558170f586f5ca2f536c99965ff28127165ed50a0d7ab4d86d167626c638349a865fb54e167e5babcd5c33597cc9d301c879daddee7b1e5d38f865 |
memory/4556-176-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4564-184-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Bmpcfdmg.exe
| MD5 | 38508d6daf090bdf6b29cc8f35bdcb24 |
| SHA1 | eab2c11dbb211e5aaf8f074c1963ea31fbd48188 |
| SHA256 | ac1741eccce9da233de7dd59681de9e5f91dd71ae2b14271c1d308a3c3f206d4 |
| SHA512 | cffddc1b67c85e274e384ebb7a26bf33e95cab0d3ea47477bba6fca5d33a76a6572fe3ad6b9e3e6d5e1a1ae32c4f2ffd4012aa94f674dc012fa486b4cb3f562e |
C:\Windows\SysWOW64\Bgehcmmm.exe
| MD5 | 8cf26e9bdf6ec2d5bddf4a99b9d04b7e |
| SHA1 | f804facd5e2bc7b2cec25faf6ab470f3ba7e884f |
| SHA256 | 4b87ae186fedcc8d93a8b6cfb506cc5aba8cff9148b9c63d642f6b12262e6aff |
| SHA512 | 79bda881a06bb87fdce7727eb003118dce1e85a834b694e2407d00914e0b5c19cd42dd518c899361f8c2a76565c24b6a009c4280e351782b68b0a5f47ba2b42b |
memory/3556-192-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Beihma32.exe
| MD5 | 4a4ede0ce2aecb2d2b227b9103de43e5 |
| SHA1 | 14510c9b45d6131c5799641b2fa731c54e6beb1f |
| SHA256 | caeaa96c47bbfc9fa43e716788ca950e6bd9ef213f9fecbc383f867c358b6b96 |
| SHA512 | 777ec412d4e207d5393235d8b2456d25f2d5da578e1b6cd7bd0860877e3b0a6baa9b6d30947744935b4a8cd1288443d13c72e8c1abcd2e848ebb3466c2da8b92 |
memory/4720-200-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Bfkedibe.exe
| MD5 | b586c856269c6254d45aa08cc1f6081b |
| SHA1 | ad22540ab4da9e111a69483c46e616c12368408e |
| SHA256 | e23f0023e617ad5e6cf153494bee52331abdf79171bc52ce3d87f49a31daa024 |
| SHA512 | e293525b7beddd3f8f5f787d65ff84c22af583d3a7394bb5c3fd557d43b2df5d2a459e81ac5c401a6c2daa4a8508429f31617a6a587bb5a1b13f547601add23d |
memory/756-208-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Bcoenmao.exe
| MD5 | a2ddfcd04cbfe626f396f5b66428d93e |
| SHA1 | bbded3c0c58c80e2a3b495cacbd3f0263492f36a |
| SHA256 | 89393f5ad42a786f6610f3ddedf1e301012a9b9f8da64e851d9ca5cf56403537 |
| SHA512 | 5fe322d9507fa6afeb2368f66ca59aaf0fd00a2dbe141e230b676c37729733b42ae3bd0cac1fff7b92391748598103529ab5394159ec3090fc5ce19f297ca052 |
C:\Windows\SysWOW64\Bcoenmao.exe
| MD5 | 8f6114e3e699fc5a2d99a3aee871e4e3 |
| SHA1 | 5a3447ad41f6c0b097a5f15d942a1f951615c457 |
| SHA256 | 3e86251da8d6e45f53e2479571771009802a5580c29b603811d01463d0239717 |
| SHA512 | 4fb48614115eb777ca6b880eadb6072c0a405cdd1dc81d38a80b9aa2114ad46debf24afbefce2bebdf261f6b754179d4f9ec395182190db61e733a6838f08e16 |
memory/2312-217-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Cndikf32.exe
C:\Windows\SysWOW64\Cfpnph32.exe
C:\Windows\SysWOW64\Ceqnmpfo.exe
C:\Windows\SysWOW64\Cnicfe32.exe
C:\Windows\SysWOW64\Cdfkolkf.exe
C:\Windows\SysWOW64\Ceehho32.exe
C:\Windows\SysWOW64\Ddmaok32.exe
C:\Windows\SysWOW64\Delnin32.exe
C:\Windows\SysWOW64\Dfnjafap.exe
C:\Windows\SysWOW64\Dmllipeg.exe