Analysis Overview
SHA256
f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817
Threat Level: Known bad
The file f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Berbew family
Berbew
Gozi
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-07 07:21
Signatures
Berbew family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-07 07:21
Reported
2024-10-07 07:23
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eqijej32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cghggc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Enakbp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cldooj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Endhhp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dlnbeh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Djmicm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhbfdjdp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eqijej32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cjdfmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dlkepi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ccngld32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Enakbp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Emkaol32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ebjglbml.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cghggc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dfdjhndl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dlnbeh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Enfenplo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ebjglbml.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fjaonpnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cjdfmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dhbfdjdp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dlkepi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfdjhndl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Emkaol32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfoqmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dfoqmo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Djhphncm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Djhphncm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dliijipn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cgejac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ccngld32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dhdcji32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dliijipn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhdcji32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eqpgol32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ejhlgaeh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ejhlgaeh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ejmebq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dpbheh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cldooj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fjaonpnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dpbheh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ejobhppq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dbfabp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Endhhp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ekhhadmk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Enfenplo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dbfabp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Djmicm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eqpgol32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ekhhadmk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ejmebq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ejobhppq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cgejac32.exe | N/A |
Berbew
Gozi
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Ejmebq32.exe | C:\Windows\SysWOW64\Enfenplo.exe | N/A |
| File created | C:\Windows\SysWOW64\Emkaol32.exe | C:\Windows\SysWOW64\Ejmebq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dfdjhndl.exe | C:\Windows\SysWOW64\Dlkepi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Enakbp32.exe | C:\Windows\SysWOW64\Dhdcji32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hhijaf32.dll | C:\Windows\SysWOW64\Enakbp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aabagnfc.dll | C:\Windows\SysWOW64\Ejhlgaeh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ebjglbml.exe | C:\Windows\SysWOW64\Eqijej32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgejac32.exe | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| File created | C:\Windows\SysWOW64\Dlnbeh32.exe | C:\Windows\SysWOW64\Dhbfdjdp.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhdcji32.exe | C:\Windows\SysWOW64\Dlnbeh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eqpgol32.exe | C:\Windows\SysWOW64\Enakbp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgejac32.exe | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cghggc32.exe | C:\Windows\SysWOW64\Cjdfmo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dbfabp32.exe | C:\Windows\SysWOW64\Dliijipn.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhbfdjdp.exe | C:\Windows\SysWOW64\Dfdjhndl.exe | N/A |
| File created | C:\Windows\SysWOW64\Ecdjal32.dll | C:\Windows\SysWOW64\Dliijipn.exe | N/A |
| File created | C:\Windows\SysWOW64\Kncphpjl.dll | C:\Windows\SysWOW64\Dlnbeh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dfoqmo32.exe | C:\Windows\SysWOW64\Dpbheh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Djmicm32.exe | C:\Windows\SysWOW64\Dbfabp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhhlgc32.dll | C:\Windows\SysWOW64\Eqpgol32.exe | N/A |
| File created | C:\Windows\SysWOW64\Akigbbni.dll | C:\Windows\SysWOW64\Cldooj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dpbheh32.exe | C:\Windows\SysWOW64\Djhphncm.exe | N/A |
| File created | C:\Windows\SysWOW64\Joliff32.dll | C:\Windows\SysWOW64\Djhphncm.exe | N/A |
| File created | C:\Windows\SysWOW64\Dfoqmo32.exe | C:\Windows\SysWOW64\Dpbheh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mghohc32.dll | C:\Windows\SysWOW64\Cgejac32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mcfidhng.dll | C:\Windows\SysWOW64\Dpbheh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Djmicm32.exe | C:\Windows\SysWOW64\Dbfabp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eqijej32.exe | C:\Windows\SysWOW64\Ejobhppq.exe | N/A |
| File created | C:\Windows\SysWOW64\Dpbheh32.exe | C:\Windows\SysWOW64\Djhphncm.exe | N/A |
| File created | C:\Windows\SysWOW64\Nnfbei32.dll | C:\Windows\SysWOW64\Dhbfdjdp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dhdcji32.exe | C:\Windows\SysWOW64\Dlnbeh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Enfenplo.exe | C:\Windows\SysWOW64\Ekhhadmk.exe | N/A |
| File created | C:\Windows\SysWOW64\Hdjlnm32.dll | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cjdfmo32.exe | C:\Windows\SysWOW64\Cgejac32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cldooj32.exe | C:\Windows\SysWOW64\Cghggc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jaegglem.dll | C:\Windows\SysWOW64\Ccngld32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Emkaol32.exe | C:\Windows\SysWOW64\Ejmebq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ejobhppq.exe | C:\Windows\SysWOW64\Emkaol32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fkckeh32.exe | C:\Windows\SysWOW64\Fjaonpnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Lchkpi32.dll | C:\Windows\SysWOW64\Ekhhadmk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dliijipn.exe | C:\Windows\SysWOW64\Dfoqmo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dlkepi32.exe | C:\Windows\SysWOW64\Djmicm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eqpgol32.exe | C:\Windows\SysWOW64\Enakbp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ejhlgaeh.exe | C:\Windows\SysWOW64\Eqpgol32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dlnbeh32.exe | C:\Windows\SysWOW64\Dhbfdjdp.exe | N/A |
| File created | C:\Windows\SysWOW64\Enakbp32.exe | C:\Windows\SysWOW64\Dhdcji32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Endhhp32.exe | C:\Windows\SysWOW64\Ejhlgaeh.exe | N/A |
| File created | C:\Windows\SysWOW64\Ekgednng.dll | C:\Windows\SysWOW64\Emkaol32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dliijipn.exe | C:\Windows\SysWOW64\Dfoqmo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dlkepi32.exe | C:\Windows\SysWOW64\Djmicm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jdjfho32.dll | C:\Windows\SysWOW64\Dlkepi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oghiae32.dll | C:\Windows\SysWOW64\Dfdjhndl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fkckeh32.exe | C:\Windows\SysWOW64\Fjaonpnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Epjomppp.dll | C:\Windows\SysWOW64\Dfoqmo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ejhlgaeh.exe | C:\Windows\SysWOW64\Eqpgol32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eqijej32.exe | C:\Windows\SysWOW64\Ejobhppq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fjaonpnn.exe | C:\Windows\SysWOW64\Ebjglbml.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebjglbml.exe | C:\Windows\SysWOW64\Eqijej32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fjaonpnn.exe | C:\Windows\SysWOW64\Ebjglbml.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cldooj32.exe | C:\Windows\SysWOW64\Cghggc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ccngld32.exe | C:\Windows\SysWOW64\Cldooj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dbfabp32.exe | C:\Windows\SysWOW64\Dliijipn.exe | N/A |
| File created | C:\Windows\SysWOW64\Amfidj32.dll | C:\Windows\SysWOW64\Endhhp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cjdfmo32.exe | C:\Windows\SysWOW64\Cgejac32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Fkckeh32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfoqmo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ejmebq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhdcji32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Enakbp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ejobhppq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fjaonpnn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgejac32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjdfmo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cldooj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dlnbeh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ejhlgaeh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Enfenplo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cghggc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Djhphncm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eqpgol32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Emkaol32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dpbheh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dbfabp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Djmicm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ekhhadmk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ebjglbml.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fkckeh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfdjhndl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ccngld32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dliijipn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dlkepi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhbfdjdp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Endhhp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eqijej32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ejobhppq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnghjbjl.dll" | C:\Windows\SysWOW64\Cjdfmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaegglem.dll" | C:\Windows\SysWOW64\Ccngld32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhijaf32.dll" | C:\Windows\SysWOW64\Enakbp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Eqpgol32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ejmebq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Djmicm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dfdjhndl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ekhhadmk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchkpi32.dll" | C:\Windows\SysWOW64\Ekhhadmk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmkof32.dll" | C:\Windows\SysWOW64\Ejobhppq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkmmi32.dll" | C:\Windows\SysWOW64\Eqijej32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cldooj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Djhphncm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dbfabp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dhbfdjdp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dhbfdjdp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Endhhp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehfcmhd.dll" | C:\Windows\SysWOW64\Cghggc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dfoqmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjfho32.dll" | C:\Windows\SysWOW64\Dlkepi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dlkepi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ebjglbml.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjomppp.dll" | C:\Windows\SysWOW64\Dfoqmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghiae32.dll" | C:\Windows\SysWOW64\Dfdjhndl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncphpjl.dll" | C:\Windows\SysWOW64\Dlnbeh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Enfenplo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Emkaol32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cjdfmo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ccngld32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joliff32.dll" | C:\Windows\SysWOW64\Djhphncm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dhdcji32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Enakbp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fjaonpnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll" | C:\Windows\SysWOW64\Emkaol32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Eqpgol32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aabagnfc.dll" | C:\Windows\SysWOW64\Ejhlgaeh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ejhlgaeh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ekhhadmk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illjbiak.dll" | C:\Windows\SysWOW64\Enfenplo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ejmebq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Djhphncm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dlnbeh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Endhhp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Emkaol32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ejobhppq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cghggc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdjal32.dll" | C:\Windows\SysWOW64\Dliijipn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lednakhd.dll" | C:\Windows\SysWOW64\Dhdcji32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifab32.dll" | C:\Windows\SysWOW64\Dbfabp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ccngld32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll" | C:\Windows\SysWOW64\Dhbfdjdp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Enakbp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhlgc32.dll" | C:\Windows\SysWOW64\Eqpgol32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cjdfmo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dfoqmo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dliijipn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgllco32.dll" | C:\Windows\SysWOW64\Ejmebq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Eqijej32.exe | N/A |
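Read together with the ShellServiceObjectDelayLoad rows for this detonation, the CLSID rows above describe one persistence chain: the SSODL value "Web Event Logger" names the CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and the default value of InProcServer32 under that CLSID names the DLL that Explorer loads in-process at shell startup. Each dropped stage rewrites that default value to its own DLL, so the table alone does not say which DLL ends up loaded; the last writer does. Note also that every path sits under Wow6432Node, the 32-bit registry view, so a hunt on a 64-bit host should enumerate both the native and the WOW64 view. The script below is an added example, not part of this report or of the sandbox's tooling; it joins the two row types into name -> CLSID -> DLL triples. The pipe-separated row format (constructed from the tables on this page) and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: registry rows copied from the behavioral tables of
# this report, as "Description | Indicator | Process", one row per line.
SAMPLE_ROWS = r"""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cildom32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fjaonpnn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll" | C:\Windows\SysWOW64\Emkaol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aabagnfc.dll" | C:\Windows\SysWOW64\Ejhlgaeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ejhlgaeh.exe
"""

# An SSODL entry: <name> = "{CLSID}" directly under ShellServiceObjectDelayLoad.
SSODL_RE = re.compile(
    r'ShellServiceObjectDelayLoad\\(?P<name>[^\\=]+?)\s*=\s*"(?P<clsid>\{[0-9A-F-]+\})"',
    re.I)
# Anything under CLSID\{...}\InProcServer32. The value assignment is optional so
# that "Key created" rows are attributed to their writing process as well.
INPROC_RE = re.compile(
    r'CLSID\\(?P<clsid>\{[0-9A-F-]+\})\\InProcServer32'
    r'(?:\\(?P<value>[^=]*?)\s*=\s*"(?P<data>[^"]*)")?\s*$',
    re.I)


def parse_rows(text):
    """Split report rows into SSODL entries and per-CLSID InProcServer32 state."""
    ssodl = {}                                   # SSODL value name -> CLSID
    inproc = defaultdict(lambda: {"dlls": [], "threading": set(), "writers": set()})
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 3:
            continue
        _desc, indicator, proc = parts[:3]
        m = SSODL_RE.search(indicator)
        if m:
            ssodl[m["name"].strip()] = m["clsid"].upper()
            continue
        m = INPROC_RE.search(indicator)
        if not m:
            continue
        entry = inproc[m["clsid"].upper()]
        entry["writers"].add(proc)
        if m["value"] is None:                   # "Key created" row, no data
            continue
        value, data = m["value"].strip(), m["data"]
        if value == "":                          # default value = DLL path
            # The report escapes backslashes in string data; undo that.
            entry["dlls"].append(data.replace("\\\\", "\\"))
        elif value.lower() == "threadingmodel":
            entry["threading"].add(data)
    return ssodl, inproc


def resolve_persistence(ssodl, inproc):
    """Join each SSODL entry to the DLL(s) registered under its CLSID."""
    chain = []
    for name, clsid in ssodl.items():
        entry = inproc.get(clsid)
        chain.append({
            "ssodl_name": name,
            "clsid": clsid,
            # Every DLL ever written to the default value; on a live host only the
            # last write survives, so each one is a candidate to look for on disk.
            "dlls": list(entry["dlls"]) if entry else [],
            "writers": sorted(entry["writers"]) if entry else [],
        })
    return chain


if __name__ == "__main__":
    ssodl, inproc = parse_rows(SAMPLE_ROWS)
    for item in resolve_persistence(ssodl, inproc):
        print(f'SSODL "{item["ssodl_name"]}" -> {item["clsid"]}')
        for dll in item["dlls"]:
            print(f"    loads in-process: {dll}")
        print(f"    written by: {', '.join(item['writers'])}")
```

On a live host the same join is done by reading HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (and its Wow6432Node twin), then HKCR\CLSID\{...}\InProcServer32 for each CLSID it names, and checking whether the resulting DLL is signed and lives where a shell extension normally would; Autoruns lists SSODL entries in the same resolved form.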
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
"C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe"
C:\Windows\SysWOW64\Cgejac32.exe
C:\Windows\system32\Cgejac32.exe
C:\Windows\SysWOW64\Cjdfmo32.exe
C:\Windows\system32\Cjdfmo32.exe
C:\Windows\SysWOW64\Cghggc32.exe
C:\Windows\system32\Cghggc32.exe
C:\Windows\SysWOW64\Cldooj32.exe
C:\Windows\system32\Cldooj32.exe
C:\Windows\SysWOW64\Ccngld32.exe
C:\Windows\system32\Ccngld32.exe
C:\Windows\SysWOW64\Djhphncm.exe
C:\Windows\system32\Djhphncm.exe
C:\Windows\SysWOW64\Dpbheh32.exe
C:\Windows\system32\Dpbheh32.exe
C:\Windows\SysWOW64\Dfoqmo32.exe
C:\Windows\system32\Dfoqmo32.exe
C:\Windows\SysWOW64\Dliijipn.exe
C:\Windows\system32\Dliijipn.exe
C:\Windows\SysWOW64\Dbfabp32.exe
C:\Windows\system32\Dbfabp32.exe
C:\Windows\SysWOW64\Djmicm32.exe
C:\Windows\system32\Djmicm32.exe
C:\Windows\SysWOW64\Dlkepi32.exe
C:\Windows\system32\Dlkepi32.exe
C:\Windows\SysWOW64\Dfdjhndl.exe
C:\Windows\system32\Dfdjhndl.exe
C:\Windows\SysWOW64\Dhbfdjdp.exe
C:\Windows\system32\Dhbfdjdp.exe
C:\Windows\SysWOW64\Dlnbeh32.exe
C:\Windows\system32\Dlnbeh32.exe
C:\Windows\SysWOW64\Dhdcji32.exe
C:\Windows\system32\Dhdcji32.exe
C:\Windows\SysWOW64\Enakbp32.exe
C:\Windows\system32\Enakbp32.exe
C:\Windows\SysWOW64\Eqpgol32.exe
C:\Windows\system32\Eqpgol32.exe
C:\Windows\SysWOW64\Ejhlgaeh.exe
C:\Windows\system32\Ejhlgaeh.exe
C:\Windows\SysWOW64\Endhhp32.exe
C:\Windows\system32\Endhhp32.exe
C:\Windows\SysWOW64\Ekhhadmk.exe
C:\Windows\system32\Ekhhadmk.exe
C:\Windows\SysWOW64\Enfenplo.exe
C:\Windows\system32\Enfenplo.exe
C:\Windows\SysWOW64\Ejmebq32.exe
C:\Windows\system32\Ejmebq32.exe
C:\Windows\SysWOW64\Emkaol32.exe
C:\Windows\system32\Emkaol32.exe
C:\Windows\SysWOW64\Ejobhppq.exe
C:\Windows\system32\Ejobhppq.exe
C:\Windows\SysWOW64\Eqijej32.exe
C:\Windows\system32\Eqijej32.exe
C:\Windows\SysWOW64\Ebjglbml.exe
C:\Windows\system32\Ebjglbml.exe
C:\Windows\SysWOW64\Fjaonpnn.exe
C:\Windows\system32\Fjaonpnn.exe
C:\Windows\SysWOW64\Fkckeh32.exe
C:\Windows\system32\Fkckeh32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 140
Network
Files
memory/2080-0-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Cgejac32.exe
| MD5 | b33d707eee5f65f024b10b25ee468c49 |
| SHA1 | 37357390c53d9a728277615569bef8899a7e6944 |
| SHA256 | e201755091d02b30b2d6f56c1cad86bd6f02a693c60a2da96c050018f260a1b0 |
| SHA512 | 8ff8a20b89912f9ee5a9a855bf4ab6f687b1342fdbfeb0ea17e6b1cf5aa1123ef8c650c7b92b70d417841ef419d6a4d697bc64bec5c92d91acdf46b5726d201a |
memory/2080-16-0x0000000001FC0000-0x0000000002013000-memory.dmp
memory/2552-18-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Cjdfmo32.exe
| MD5 | a192190a5d922f94b68e2f8944a2fe61 |
| SHA1 | 5d19335b4856b89896a94385eabe0fab73d2e7e8 |
| SHA256 | cfc64c84d14ae4e91abf5e2154d13a911c10b8934fc38edfa88e3d99af0b5d71 |
| SHA512 | 1687e3034c675af6bb52a3c5b9483bd58bc338b5686330c9bbb6e9e5a1c84f382d5d711b285401db48d4ae50351d1d7a3a8f632927e3f93b298c810d43496356 |
memory/2720-26-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Cghggc32.exe
| MD5 | 7f16c292cef178cced15a87047030ae5 |
| SHA1 | 94377f8916931efb5a13cd0c6f9465ab7ef5d64e |
| SHA256 | 160694d6f5d123bdca722ef812ebb2372a989b3c3b50576752c5d79e6823ab14 |
| SHA512 | 7137d7f920b77ef2cce5de3ee83110d1dbe896b0afc9f6972b6ec42563000d3f9c8bfd659263e36df2b953bcc7e0c1ff97dedfbf103e08bdd631665f2835f6b4 |
memory/2720-34-0x00000000002D0000-0x0000000000323000-memory.dmp
\Windows\SysWOW64\Cldooj32.exe
| MD5 | 7bb92cd263ec6820dcbcfb8149306b83 |
| SHA1 | 04c91c095f361538a1ab60da9840a8866d0a242b |
| SHA256 | 6ddb9edee3fd9ecbecd6a884f9eaa901ab91506b680d28e5afd14c3b755941d3 |
| SHA512 | f45bbb8b3392f8c18dd16211d78d3730f62d526630c3fd159844581dd224d41945595523a57c77ba3ec1262c637edcc5382ce17703d73d7cb79d49eeaba89c9e |
memory/2820-52-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2820-60-0x0000000000310000-0x0000000000363000-memory.dmp
\Windows\SysWOW64\Ccngld32.exe
| MD5 | 40d8a26dd7e8118a899fa92651f53795 |
| SHA1 | 6cedbf9ab3d8beaa8f7f40d6bfb86488e8d2fe22 |
| SHA256 | 345022a6778f5ed95f84c0a937829d055ad4b08ea7d552c24e09d6b008646000 |
| SHA512 | b285cdd2559827269d8323929564e675f83c1eca204f3b44b2a67439c005a35fd8e4106b013876231d8d69a19b88db2ba7b3c3c1b150d942b2931e6bfa3ccb08 |
\Windows\SysWOW64\Djhphncm.exe
| MD5 | fad96ee791382cd7444e299b944ffcf3 |
| SHA1 | 0ecbb48e029e1ab8e88bb278e1dccf2120e930c9 |
| SHA256 | 50c710f9024479ea83e85a838215e632b9ba71ded00af00682a70a517dfb7f77 |
| SHA512 | 3a054500ee609667bc934449126e1912c42368fc75f8fee40c8d0942de315fd901e18f3249d775a63a74ca4ec1ae06f425ccbec4d67f531a96e6593b1ac343b8 |
memory/2456-78-0x0000000000250000-0x00000000002A3000-memory.dmp
\Windows\SysWOW64\Dpbheh32.exe
| MD5 | 49c6b0ce35f890029b360687a48667d3 |
| SHA1 | 14db3367a7fe2c4cd95b91d9ee0b6e1c4b166416 |
| SHA256 | b347aff69c5dd1d04667f4459a958c86159d61e94bf3ae996e8092612ffadf01 |
| SHA512 | a7bf5a2a7f1ec7665f9f882e24d5ac4c6fa0d537e17f1a62b06e23ffa6262889ad92882f382aac15caa5477cc3b6214308fa68ca703e6c69c1d28384ddfdc783 |
memory/1900-90-0x0000000000460000-0x00000000004B3000-memory.dmp
C:\Windows\SysWOW64\Dfoqmo32.exe
| MD5 | 64817d8d830e775a170189243b9cef14 |
| SHA1 | a8452fdf84f35ca0f10cbbe564dd67e2afc9a97d |
| SHA256 | 33d30cae363514c4e9ad49bae1a7958c4d33d69201340fcf5d85c268bc5cab45 |
| SHA512 | 99ad669663a858aac5b0c789207a716b50d46894f1c0cdb355a4f9bf603a804f342266a90553f6b7a6e844bce63aad6a05fd38049e1cea3e52cbb9dc12d1f8a0 |
memory/1404-104-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Dliijipn.exe
| MD5 | 20f3fd9f048f8a53a96cbd7b280e812d |
| SHA1 | a436bc7c231b11941dc7e924452366347fa5b5ff |
| SHA256 | 824d222564650067f456c016db40996329dd3bf91615486831f239d5342c722d |
| SHA512 | 902ebdc34401563020c930559da67aa63c21622e19f7b5f29aae0a5916f6fd42f557674f62cf3929f0dc6518cbc177b41d32ce78c28f2221106ec8b33fce018d |
memory/1404-112-0x0000000000250000-0x00000000002A3000-memory.dmp
\Windows\SysWOW64\Dbfabp32.exe
| MD5 | 8d288d2315246dbe95643bb1e3d3435e |
| SHA1 | 0f85b9dfcb2695489933d5bb24f6fb3ec918d7e2 |
| SHA256 | c3bab760d2f7087296c702e8a822bb91374e6adc521f16a9e39eeba6af225371 |
| SHA512 | 33e4e3a3838b47b7b074b796bf82cd69d8eb1c00dd0eedab413bb899f1254308d31d16720238dd87b078e105415543a02c77c1b66690b696b56fcebbb74fce88 |
memory/2976-130-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Djmicm32.exe
| MD5 | a2603b441211b4d479338b7f5b0de362 |
| SHA1 | 3d8f50825e4e10dcf8d1f465f9d7454391fef85c |
| SHA256 | 8aa30b1f55dd67e9f051271d085377aa2b7a474038d4254be6cbf6a207ead7ba |
| SHA512 | a3546ec161a5b1ede15e79c75291e2ac463b8cfaf8b5c5661e8e9ce81357dda6c45ad086d864f4a0e43e98d7058504a0e72f0fc23c29a2d11d7a87203d0f0fa5 |
memory/2340-155-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Dlkepi32.exe
| MD5 | 7f59166b7dbc5bdc484f8bcad41d57ee |
| SHA1 | d0beb6156b1c57318771f5b1994528f057b46a6b |
| SHA256 | 5b6e0a435b967b2c1c4835cce7f82301c4396da8e868e43c76f7f7352da01d95 |
| SHA512 | 7bfd234e05580cad3f0b58886c065d95fb62044ad5d0e0e4a4c7057c9a031781d2b780a80a39261dfc8566b27a8f0a7320ba47b2b22e078b8c420de87fcbf8d8 |
\Windows\SysWOW64\Dfdjhndl.exe
| MD5 | 138eb685b92331139522f83d3b304750 |
| SHA1 | 189dee5f4ea1f1a635e8e70a41af0c737959b75c |
| SHA256 | 4c582da6bc650e64b225e0a051fba851fc4befb6bc99b2c1a1847d3384cb6d3a |
| SHA512 | 4d95220ea6d564a2f055a3ddbe72a5826d86aee60e512a41821f47106aa6557f10a59e8443ae1c2e4fa1e270ccef58f7b49962fb2e8e0e9b35aac9f858d149f0 |
memory/2340-163-0x00000000004D0000-0x0000000000523000-memory.dmp
\Windows\SysWOW64\Dhbfdjdp.exe
| MD5 | d7fd9aa96361d5480c75613e4d1bdbde |
| SHA1 | 6884db8648072c49b40fd2facf611fe47042ae17 |
| SHA256 | d3d3dfd8f69abb9026f3aa642a3f5891dcc44fe54b7042f072b9069cc222bfc0 |
| SHA512 | bec0dbf45c5ea6675019bf859978f9153295f3f2f6ab96400cb87c20709b7b5fee069dc835030cec998fd6d0709ef8e917308a248945ca7470fdbbdbf53e350e |
memory/1456-181-0x0000000000400000-0x0000000000453000-memory.dmp
\Windows\SysWOW64\Dlnbeh32.exe
| MD5 | e42dcb446b05c540d285b7c804028b7d |
| SHA1 | 805e358ec28f3d7b48e15ef8861ce8dcd7b9f3af |
| SHA256 | 934f3a29d8a452f05cda6b01f5f2d2f666f795ef426f9e11b78798e9e55b6615 |
| SHA512 | 3cf2d20685fca6602f14dff2bf4e3a75f71d78e63872f99bd87a910eaca7d566a23637e8507c1e27eaa3f004639ecc3471e9fa1daa169dcc9d570ff3fa97d2d2 |
memory/1456-189-0x0000000000290000-0x00000000002E3000-memory.dmp
memory/1456-194-0x0000000000290000-0x00000000002E3000-memory.dmp
\Windows\SysWOW64\Dhdcji32.exe
| MD5 | c4158fe9918e4fd5420332deed43535a |
| SHA1 | 1b0a607f75de0caf072ed8378d6e4df9d5de91bd |
| SHA256 | 0c2b2c3045b31cd08401385fd101cea6f52e1e85aab4a378778ee17ca48d1155 |
| SHA512 | 74f8dcbf2fc31dbfe15f40b427b44f537435885282af44f11e0743a11783673b72a764eb12624e6abd70d7fe003adf093dfeefc57f4f1d85c5b74369a2410b41 |
memory/2104-210-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1752-208-0x0000000000310000-0x0000000000363000-memory.dmp
memory/1752-207-0x0000000000310000-0x0000000000363000-memory.dmp
C:\Windows\SysWOW64\Enakbp32.exe
| MD5 | 51809ce37655d28ec2f4b76f14f4eab5 |
| SHA1 | ec78ffd564e6820025c6783fb934a893aea68a00 |
| SHA256 | d26ae8801516940f877e2365366abf5a7902d556e90112d9a7c02f4a7c4bdd6d |
| SHA512 | 49752f73c9b9c422b0c8be4949c8c5e16e261202b4d5d500b93dde448043206a6c99c1248b33082a514a6d21cab6161174ea25d7e6da01954ddceb11c9eff474 |
memory/2104-220-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/2440-221-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Eqpgol32.exe
| MD5 | 52f89dc295839fcc1ee246924dff7f0f |
| SHA1 | d804ea748f627573e8dfc1716475fe79a6515698 |
| SHA256 | b9114fe8b10ae226c89355571a17c44d4d1852e9e459e4150bd441e598cdf15d |
| SHA512 | 57279ab09f3bde932c2ad7b403c6e3d0fc6f4e514c4bc403ef694f75d7a6e224a187967e11d1f412a271132e4c1e838370c5f79fa5400a0945ffdcd6c8e9f1af |
memory/3028-232-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2440-231-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/2440-230-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Ejhlgaeh.exe
| MD5 | 1659d67911b2244961134d2858e4580e |
| SHA1 | 3d7244c09c85e33c54009b0d26bf8b4ce265f2ac |
| SHA256 | a7a9b19fd6cb6d385dde155ffa69a767b6d4c2a028318aaf9a1b6a8fad38214d |
| SHA512 | e91364824b9375da652a351d3fbee2c3aed3b098517a7624264c98d80279f252fb36ffbdf8ef6249a1288b5ab3e71c1416da7e79203cd15e20cb3ae6dc2dad2a |
memory/3028-242-0x00000000002E0000-0x0000000000333000-memory.dmp
memory/3028-241-0x00000000002E0000-0x0000000000333000-memory.dmp
memory/1168-253-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2872-252-0x0000000002010000-0x0000000002063000-memory.dmp
memory/2872-251-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Endhhp32.exe
| MD5 | c53d3d1aef3c1d128140cb24b70fbf46 |
| SHA1 | 3f25984c91525ce68004441b41dd1caa15e9e2f5 |
| SHA256 | 1d4230f8a6119187b47d522aa481077cb73770189565ff6d3b702a5d1a0bea8b |
| SHA512 | 01a484db8d38e9a01a9d357ecd230a5e79e617d56b12ab5480851a77006a0d9ed36dd5330ada52880edb5f26c77094a3292b8932c8e14f210aa78045c12c0018 |
C:\Windows\SysWOW64\Ekhhadmk.exe
| MD5 | b4a0c9457eaf04e1b8f9d814e4ac56ba |
| SHA1 | 676e36d5332cde93881487c8917b953ccd5dc49c |
| SHA256 | 6e753282d0e9dec2ebb266ebbcb3778c1e661e6625ba0751173869e40696c08d |
| SHA512 | 571b4ffed0e0b6ac0299f0a6e7160cfa6c4cb042acf2db9137dcdec16c2485453ffde3163a1da2bcfde2f3e45a21ed3a4b9c5eeb9c6db2e185478303f2501288 |
memory/1168-262-0x00000000002D0000-0x0000000000323000-memory.dmp
memory/1168-263-0x00000000002D0000-0x0000000000323000-memory.dmp
memory/1952-269-0x00000000002F0000-0x0000000000343000-memory.dmp
C:\Windows\SysWOW64\Enfenplo.exe
| MD5 | ccc4d4bb5d2ebe72c1db234530024350 |
| SHA1 | dc76159a470afb1a2d09ed40cb207ebeeb0950f8 |
| SHA256 | 49e1eefb9307bbb1c3506a141bf24683a1bdfef0db883d679959307e9a2924a6 |
| SHA512 | 12c432ec47b94b22309723773642cba808e7ec295ceb0adabb8fe655d3572e48a5784096a168526fa4e43244d65235737b3b6085d1036fb1c2548de3d96c37cc |
memory/2816-274-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1952-273-0x00000000002F0000-0x0000000000343000-memory.dmp
memory/2816-280-0x00000000004D0000-0x0000000000523000-memory.dmp
C:\Windows\SysWOW64\Ejmebq32.exe
| MD5 | ce6f27dbcbb0a48cf936badea548f33c |
| SHA1 | 02a55d87e92e965e73426ff835430931ed6a504a |
| SHA256 | 3dd282f70d588e1098408beb5a44afa0101afadc3b36df0e469a17ef906ec19c |
| SHA512 | 5209b35fa3a8faa30bd2a5eb25b462292bb9f5b9993b9f3f83905023da7cc21e20312fd7b82900b648c0de311957c20afa8095aa4021959e6661c0cce66e5e34 |
memory/2816-284-0x00000000004D0000-0x0000000000523000-memory.dmp
memory/2364-289-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1964-295-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Emkaol32.exe
| MD5 | 61114b6aff63304bb6b6695711dcacfa |
| SHA1 | 6f103e80c5f373bde19260461b0d170c267b1950 |
| SHA256 | 8b6eb84cfa41fc2231ada4e7a0d7de96e7c844f3bdec08c0ebade7363ed95f25 |
| SHA512 | 3906d432ee632aacdaabd3524642048fc1f04aa2c3a56717c2b49180b4150f0be91fc28c37d470c598a3b6d4d4772b79c038bb97b924acc97d4fefb2ecd52f1e |
memory/2364-291-0x00000000002E0000-0x0000000000333000-memory.dmp
memory/1964-304-0x0000000000310000-0x0000000000363000-memory.dmp
memory/1892-306-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1964-305-0x0000000000310000-0x0000000000363000-memory.dmp
C:\Windows\SysWOW64\Ejobhppq.exe
| MD5 | 5b53725ef1d550d9434d21c9dd01087f |
| SHA1 | d9ee949716d818547625ec6b85e24afef72fe0f5 |
| SHA256 | a6603c9ab1214b6501b593333e5e50a1f11c088abfa72c1fdadfa2934887d7dc |
| SHA512 | 0a7e90b8fce0ee99d9d256a60b9d71ad56ef437d46df6481bfa78ba559995f025ed1ab6a03ef61891548d55c3bcad3b54c27477544e90a7eed737245bafd53a6 |
memory/1892-316-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Eqijej32.exe
| MD5 | de86084bcc4572de1152226902b4dbb1 |
| SHA1 | 44465da3ed7e23b0de821b9be122dbe8ce0890c5 |
| SHA256 | cbaa10f7173c046699c379099340c46718efed7d1342e5c5d8bd0e8e363805c4 |
| SHA512 | 97e1f3cfbdec0e82940e571a3c00750476b9ce4eaa2a36433ecb5bae72eb40f85b2dc442ab43924d8ed29f935d53a097820e3f86cfa5c99697868a18fe18e1bd |
memory/1892-315-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/1344-317-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1344-327-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/2680-328-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1344-326-0x0000000000250000-0x00000000002A3000-memory.dmp
C:\Windows\SysWOW64\Ebjglbml.exe
| MD5 | 7c92cde500b121e7c6fb6c2590678834 |
| SHA1 | 86114a0f71a601275eead26c892e0417641ad890 |
| SHA256 | 749f45bd293ad07dd7b91f3fd06822adb032508051d8bf4525aa619691c4656e |
| SHA512 | 9d79cc366568e02b3e3ae9b2ed418a7415d2ced558027e3dd8970fba88b2ff716ef955d8a9214bcfe636ec5fa7557c40c0b8a65d7e5eb2b42c3fc93e9edacca4 |
C:\Windows\SysWOW64\Fjaonpnn.exe
| MD5 | 81c6ece686f5ab315e98dcaa36975b0f |
| SHA1 | 86580e3facb1e1d13fd3a1fece88f6b9eeae2221 |
| SHA256 | 773328a8cffbf8dc3820715e0750defc8f1fbfdebdd58ea3515adf151aa33c4c |
| SHA512 | dfb91fea32e71d27337b13fba1271bcfdbbe38005f0ed8bebc4e4838191b7a9fc1cf9c09ffb5e623119d39ba24505acc0405ee75fa66c2606b3f057c23f73f39 |
memory/2680-343-0x0000000000340000-0x0000000000393000-memory.dmp
memory/2608-342-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2680-341-0x0000000000340000-0x0000000000393000-memory.dmp
C:\Windows\SysWOW64\Fkckeh32.exe
| MD5 | 755e50025ee50b5cfd65b6870accb541 |
| SHA1 | 180c254154ee54aea0be52341e171a3a4393989c |
| SHA256 | 2d0917b83ce887b671a73443dcb100aeb9630fa90c1f3e5a7c7e30e08fe7801b |
| SHA512 | f2dae174639c20e4d2768fae6c633c4c6fafa6523b791bb7b0040957ceb73cb65f4884dd880c11912ba2819efe62cf6a8e42766f9486be893e8464c603c6ab34 |
memory/2584-350-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2608-349-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/2608-348-0x0000000000250000-0x00000000002A3000-memory.dmp
memory/2080-351-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2584-354-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2364-366-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2872-379-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2680-359-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2872-377-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2104-376-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3028-375-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2440-374-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3028-373-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2440-372-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1168-371-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2080-403-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1952-370-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1752-393-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2720-409-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1900-411-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1404-408-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2720-407-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1404-406-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2080-405-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2552-404-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2456-401-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2820-400-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2464-399-0x0000000000400000-0x0000000000453000-memory.dmp
memory/264-395-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2908-391-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2976-390-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2908-389-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2976-388-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2020-387-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2340-386-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2020-385-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1724-383-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1456-382-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2104-378-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2816-367-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1964-363-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1892-362-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1344-358-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2608-355-0x0000000000400000-0x0000000000453000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-07 07:21
Reported
2024-10-07 07:23
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dphiaffa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bbhildae.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cibain32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ckdkhq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cpfmlghd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmladm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bdeiqgkj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bdeiqgkj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dkkaiphj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bbhildae.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdmoafdb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cgklmacf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cgklmacf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdolgfbp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cpfmlghd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdmoafdb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdolgfbp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dkkaiphj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dphiaffa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Calfpk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bmladm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cibain32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Calfpk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ckdkhq32.exe | N/A |
Berbew
Gozi
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Bmladm32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Bdeiqgkj.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Bbhildae.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cibain32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Calfpk32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ckdkhq32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cdmoafdb.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cgklmacf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cdolgfbp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cpfmlghd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Dkkaiphj.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Dphiaffa.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Diqnjl32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Nepmal32.dll | C:\Windows\SysWOW64\Cdmoafdb.exe | N/A |
| File created | C:\Windows\SysWOW64\Lncmdghm.dll | C:\Windows\SysWOW64\Cdolgfbp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dkkaiphj.exe | C:\Windows\SysWOW64\Cpfmlghd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bmladm32.exe | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| File created | C:\Windows\SysWOW64\Bcominjm.dll | C:\Windows\SysWOW64\Bdeiqgkj.exe | N/A |
| File created | C:\Windows\SysWOW64\Calfpk32.exe | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Daqfhf32.dll | C:\Windows\SysWOW64\Ckdkhq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgklmacf.exe | C:\Windows\SysWOW64\Cdmoafdb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dphiaffa.exe | C:\Windows\SysWOW64\Dkkaiphj.exe | N/A |
| File created | C:\Windows\SysWOW64\Amoppdld.dll | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdeiqgkj.exe | C:\Windows\SysWOW64\Bmladm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cibain32.exe | C:\Windows\SysWOW64\Bbhildae.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cibain32.exe | C:\Windows\SysWOW64\Bbhildae.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdolgfbp.exe | C:\Windows\SysWOW64\Cgklmacf.exe | N/A |
| File created | C:\Windows\SysWOW64\Lljoca32.dll | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dphiaffa.exe | C:\Windows\SysWOW64\Dkkaiphj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bbhildae.exe | C:\Windows\SysWOW64\Bdeiqgkj.exe | N/A |
| File created | C:\Windows\SysWOW64\Anbgamkp.dll | C:\Windows\SysWOW64\Bbhildae.exe | N/A |
| File created | C:\Windows\SysWOW64\Eafbac32.dll | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgklmacf.exe | C:\Windows\SysWOW64\Cdmoafdb.exe | N/A |
| File created | C:\Windows\SysWOW64\Cildom32.exe | C:\Windows\SysWOW64\Cdolgfbp.exe | N/A |
| File created | C:\Windows\SysWOW64\Bcidlo32.dll | C:\Windows\SysWOW64\Cibain32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckdkhq32.exe | C:\Windows\SysWOW64\Calfpk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dooaccfg.dll | C:\Windows\SysWOW64\Calfpk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Icpjna32.dll | C:\Windows\SysWOW64\Cgklmacf.exe | N/A |
| File created | C:\Windows\SysWOW64\Qahlom32.dll | C:\Windows\SysWOW64\Dphiaffa.exe | N/A |
| File created | C:\Windows\SysWOW64\Pjcfndog.dll | C:\Windows\SysWOW64\Bmladm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbhildae.exe | C:\Windows\SysWOW64\Bdeiqgkj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Calfpk32.exe | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cdmoafdb.exe | C:\Windows\SysWOW64\Ckdkhq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dkkaiphj.exe | C:\Windows\SysWOW64\Cpfmlghd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgfbbb32.exe | C:\Windows\SysWOW64\Cibain32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdmoafdb.exe | C:\Windows\SysWOW64\Ckdkhq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cdolgfbp.exe | C:\Windows\SysWOW64\Cgklmacf.exe | N/A |
| File created | C:\Windows\SysWOW64\Bigpblgh.dll | C:\Windows\SysWOW64\Cpfmlghd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Diqnjl32.exe | C:\Windows\SysWOW64\Dphiaffa.exe | N/A |
| File created | C:\Windows\SysWOW64\Bkodbfgo.dll | C:\Windows\SysWOW64\Dkkaiphj.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmladm32.exe | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bdeiqgkj.exe | C:\Windows\SysWOW64\Bmladm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgfbbb32.exe | C:\Windows\SysWOW64\Cibain32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cpfmlghd.exe | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cpfmlghd.exe | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ckdkhq32.exe | C:\Windows\SysWOW64\Calfpk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cildom32.exe | C:\Windows\SysWOW64\Cdolgfbp.exe | N/A |
| File created | C:\Windows\SysWOW64\Diqnjl32.exe | C:\Windows\SysWOW64\Dphiaffa.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Diqnjl32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Calfpk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cibain32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bbhildae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dkkaiphj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmladm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ckdkhq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdmoafdb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgklmacf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdolgfbp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Diqnjl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cpfmlghd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dphiaffa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bdeiqgkj.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Calfpk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ckdkhq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cdolgfbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dkkaiphj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cibain32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cdmoafdb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll" | C:\Windows\SysWOW64\Cdolgfbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dkkaiphj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcfndog.dll" | C:\Windows\SysWOW64\Bmladm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Calfpk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daqfhf32.dll" | C:\Windows\SysWOW64\Ckdkhq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepmal32.dll" | C:\Windows\SysWOW64\Cdmoafdb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoppdld.dll" | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcominjm.dll" | C:\Windows\SysWOW64\Bdeiqgkj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll" | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcidlo32.dll" | C:\Windows\SysWOW64\Cibain32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cgklmacf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpjna32.dll" | C:\Windows\SysWOW64\Cgklmacf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll" | C:\Windows\SysWOW64\Dphiaffa.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cpfmlghd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cpfmlghd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dphiaffa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bmladm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cdmoafdb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cdolgfbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll" | C:\Windows\SysWOW64\Cpfmlghd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dphiaffa.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bbhildae.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cgfbbb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ckdkhq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cgklmacf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lljoca32.dll" | C:\Windows\SysWOW64\Cildom32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll" | C:\Windows\SysWOW64\Dkkaiphj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bmladm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bdeiqgkj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbgamkp.dll" | C:\Windows\SysWOW64\Bbhildae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dooaccfg.dll" | C:\Windows\SysWOW64\Calfpk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bdeiqgkj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bbhildae.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cibain32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe
"C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe"
C:\Windows\SysWOW64\Bmladm32.exe
C:\Windows\system32\Bmladm32.exe
C:\Windows\SysWOW64\Bdeiqgkj.exe
C:\Windows\system32\Bdeiqgkj.exe
C:\Windows\SysWOW64\Bbhildae.exe
C:\Windows\system32\Bbhildae.exe
C:\Windows\SysWOW64\Cibain32.exe
C:\Windows\system32\Cibain32.exe
C:\Windows\SysWOW64\Cgfbbb32.exe
C:\Windows\system32\Cgfbbb32.exe
C:\Windows\SysWOW64\Calfpk32.exe
C:\Windows\system32\Calfpk32.exe
C:\Windows\SysWOW64\Ckdkhq32.exe
C:\Windows\system32\Ckdkhq32.exe
C:\Windows\SysWOW64\Cdmoafdb.exe
C:\Windows\system32\Cdmoafdb.exe
C:\Windows\SysWOW64\Cgklmacf.exe
C:\Windows\system32\Cgklmacf.exe
C:\Windows\SysWOW64\Cdolgfbp.exe
C:\Windows\system32\Cdolgfbp.exe
C:\Windows\SysWOW64\Cildom32.exe
C:\Windows\system32\Cildom32.exe
C:\Windows\SysWOW64\Cpfmlghd.exe
C:\Windows\system32\Cpfmlghd.exe
C:\Windows\SysWOW64\Dkkaiphj.exe
C:\Windows\system32\Dkkaiphj.exe
C:\Windows\SysWOW64\Dphiaffa.exe
C:\Windows\system32\Dphiaffa.exe
C:\Windows\SysWOW64\Diqnjl32.exe
C:\Windows\system32\Diqnjl32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 812 -ip 812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 400
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1436,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4388 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/3668-0-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3668-1-0x0000000000432000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bmladm32.exe
| MD5 | ff48e282c566195f3db6c73110c35038 |
| SHA1 | c72ef0414248c92be02c72e6ac04c1a24799ee3f |
| SHA256 | 42287f0163f46fd6c68f0891ecb2d651475364a4c61e87c0b7c4e062eb76971d |
| SHA512 | 9eb16d9dfed64847619f6cc8121a3bb057f2d9d83ac9d5c2f1aa36731150659bfa4acbdf46be381eb82a41f888f61595bf090c73dc159bd4d412102f721a2f5c |
memory/3448-8-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Bdeiqgkj.exe
| MD5 | c75f19d15a3740eb8a4a788245d42c0e |
| SHA1 | bd4d18bf65ab6717b8614dc8c4cc029ab0bfb3cc |
| SHA256 | c6b500456298fd6e136b345c39079c816a5498c2191155183fcef0b62259e347 |
| SHA512 | 59360c5c711e8a6dac28bbc8f49c771d107f7f8a48abfe619097f2a6655d6fb26f23b73b57dd188eddbac6f2a7bc709a3242f175aa7b4e0f9e67acfdd1291ac8 |
memory/2200-17-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Bbhildae.exe
| MD5 | 411c7d174ad32c807f80a6e720603f10 |
| SHA1 | 3da9fe4d02e390d4ec88943dc66ff3ecb1d77bc1 |
| SHA256 | 48ba92cd2a58d8da2cdd8ddbd13539ae5f6fb9946114c7af1fce762615c9ba77 |
| SHA512 | 368020c2b4b499f5bce359f04d9d867d62c1424e2f468cab9439536a2f23ebc3e331276839ccdf95c62ea673cc590a89dc3b0c81772ed6d4eaaac6beb6dd89e6 |
memory/340-25-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Cibain32.exe
| MD5 | d155553922a8e58e161c567588140971 |
| SHA1 | 43c12390480bbd5bce3e548b0ffad9670032a56a |
| SHA256 | 6a9923a561160a61f1fc26cbd2c6e98bc47654e8e04a83e5f49c3a6cd26c689a |
| SHA512 | d6af6550c6747bab3ce34e98a00a1b351cd0ec3667ef5331ee2f64070f93bff3f7617af290e924313cb00ce8e58b674334f4b0c6fa50db7602b879d7f32f53be |
memory/632-37-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Cgfbbb32.exe
| MD5 | 5dfc7f134b91b1cd054b92cf67c752c8 |
| SHA1 | 9608b520fd0cc617c9f17a7f00276ef9396fe3b0 |
| SHA256 | 7fa1c8359ea1baf0d7091a3544d5f1c54a38cb7408889751645eb29c530eb8dc |
| SHA512 | 90ac2d48a7f785597f4e690e2e2daf75c10807d09070ae3a8c1b72311a2825a7940f55f76e2e40903dc373e8eeecf96b4b27047674ea4a68e622ca219287dc03 |
memory/1152-40-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3504-48-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Calfpk32.exe
| MD5 | 118d706c9e8c1857a5f105c34aa5ef9a |
| SHA1 | 483700699b576777743e32ba92bff2a16120e057 |
| SHA256 | b7aa0a76d0b2a561f4ba3601a35581945f8e877727d357762eb75fb99407d49b |
| SHA512 | 3da1805e61aaf2b602eb60b058b5ec0c24d18b849e65c4255eb52337eac84568a72b4e29404a0b2c31e5057eee906c933a438f9a9d27ad1fe0395a8bdb2a4894 |
C:\Windows\SysWOW64\Ckdkhq32.exe
| MD5 | af834898890e797f1ff4b7c7ef9228c4 |
| SHA1 | 85f7025250da04c18960fc9d09a9147bfcd99d4b |
| SHA256 | 46b5896689fe727abbe2a1345b8d6d78fde73e23bb61f5ad1d7a76402c60bf9b |
| SHA512 | 7b1042516905408f5d9e546db26fd245576b4e8f3927a828fd5ad1d29a3fa74e752798fce10e6e1f3726bc78a084f37e28a5674862fc0f18baa4ff19f6882830 |
memory/3744-56-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Cdmoafdb.exe
| MD5 | dfae94ea89bacb309bd9e7e93ecdcbd3 |
| SHA1 | dfa14d0708c0c5ce51e5019ecf8004c6ce1ae932 |
| SHA256 | 052f2038158f786c0864adaeaa68edd2050bfdab473f56d30700cf68698755f5 |
| SHA512 | 076417f777b82f9b1ac5b50f19d1b83f6b59aeb55bc6001c7ceb112d785604638f158ce16b1a44a072714d9fdb43df87e87f4ece04612c7b5fd0ddea9d0d66ab |
memory/4656-65-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Cgklmacf.exe
| MD5 | 0d209215b522a41b385e778146241e1d |
| SHA1 | 7292dd736f8caa8e7b90d3cb1502851c830df57a |
| SHA256 | 63b5e4569b079fbc0f6a14594118c14b1784448bbee8b5c76136139e9dae1024 |
| SHA512 | 789b2e2ad81ceae0db855bfddb6d32dc9d0c4dfb3661d5e5313ad14f3dcb530b97fccd4a14b62bd95ddeef5cc6e81ca62ce3dce38430d85601706918d38c00b8 |
memory/4272-73-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Cdolgfbp.exe
| MD5 | 8cb4c92a6c2b92f18b6d8e5b79120887 |
| SHA1 | beefd0670ffe5357336964320e0ea734e967869c |
| SHA256 | 9d9e214611b0c8a514bb73d21020233ea2261526112d016b6a23d333f5534cf0 |
| SHA512 | 0df9159c593767b4a5a2b75c0d60b87d67af0aed936f5b5c5eb648f5ffeee0f1d96b38ce8ff7710fdf68550190dca8396b1b0e6e6441e4e3928af7a7b4456cec |
memory/4948-80-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Cildom32.exe
| MD5 | 211ea342329d72e9f26a6285da007d65 |
| SHA1 | 3765f2cfa56d9fca79645d3c60891f4ffa000550 |
| SHA256 | 7e9d32f34110cc91f02af73ad25b0319c52ffa818d8ffa9aee276684dcb48e06 |
| SHA512 | 5a4e2827e587ce9049f35f548fccef8553121ad4f32d3435e5eacb171b393020fc2df557ca5f8773fa21fa8594e001cfbf2bda500c3f7a3f23af9cc9cbc35634 |
memory/752-89-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Cpfmlghd.exe
| MD5 | 17794684ac10c0cbcae0c5e63da944db |
| SHA1 | e065efcb643105f84e5d7eebe5668cdf9d609414 |
| SHA256 | 8d5757e5d541bd3bba4d1e5d6fcc1a111c369cc0abadc58855c6ca550b3c2baa |
| SHA512 | 2b4a4225a6c046bebc25259912b273191fc6a24f22b842039b0e0c4adf8e6ced485b931b9130c18572d5de3915cc4937f345690c057e817faa52aa35a223e675 |
memory/4376-97-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Dkkaiphj.exe
| MD5 | 6621689022f678701fa6963f54857ecd |
| SHA1 | 0068b010ed4ac0216ee9a7b61aa069aa53ea9898 |
| SHA256 | 0d6551c17a41a7a297101ce2566b670d4f979f7220309f56d8597449fe252360 |
| SHA512 | fa7331b29948659eb053968514d0d7ad209f4cfe040840bb72a2b72ad52c4683d1bccc7d2e38ea326d36f6b915dc99eab072e52fd5446202bd65f798489546aa |
memory/1768-104-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Dphiaffa.exe
| MD5 | be3ffe7671f481046dadd6be59c9c41e |
| SHA1 | 51f0e852bce5c8b56a67e24fd6a9519aeb0a0520 |
| SHA256 | 393748a3b897f1c14d76f1b96274bfc64d8d7451ab36e85a49e0859a9b28c2a6 |
| SHA512 | 8769bff5d13531d02ffb02618af5ebbeada5ca4a0bfb2fde09915f55627df21df6ca60c2da90a6e8c237cf242ce851c29b420f5ab33181143cfdf540e41df0d3 |
memory/4848-112-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Windows\SysWOW64\Diqnjl32.exe
| MD5 | b35bb56989d6db5d83c96aba11bb72f9 |
| SHA1 | 4ed5d19ab48e4be0182967887348726e2e5252ea |
| SHA256 | 124ca1a04309df6fb0c1960e57a4b242d1782c44385d51e7cfe192e0850e6853 |
| SHA512 | d6e7a8419b6a6c8d1438ad270845ae09901db5424064f3bfeee953f1b924277a0b7715adf227fbdc4482423fd2dd14a01c05b27bb74fdafd77f1965b83729b86 |
memory/812-121-0x0000000000400000-0x0000000000453000-memory.dmp
memory/812-124-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1768-127-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4376-131-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3504-141-0x0000000000400000-0x0000000000453000-memory.dmp
memory/632-145-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3668-153-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3448-151-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2200-149-0x0000000000400000-0x0000000000453000-memory.dmp
memory/340-147-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1152-143-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3744-139-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4656-137-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4272-135-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4948-133-0x0000000000400000-0x0000000000453000-memory.dmp
memory/752-130-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4848-125-0x0000000000400000-0x0000000000453000-memory.dmp