Malware Analysis Report

2025-01-22 16:27

Sample ID 241007-h6s19sxalb
Target f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N
SHA256 f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817
Tags
berbew gozi backdoor banker discovery isfb persistence trojan
score
10/10


Analysis Overview

Threat Level: Known bad

The file f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N was found to be: Known bad.

Malicious Activity Summary

berbew gozi backdoor banker discovery isfb persistence trojan

Adds autorun key to be loaded by Explorer.exe on startup

Berbew family

Berbew

Gozi

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-10-07 07:21

Signatures

Berbew family

berbew

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-07 07:21

Reported

2024-10-07 07:23

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eqijej32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cghggc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Enakbp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cldooj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Endhhp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dlnbeh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djmicm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhbfdjdp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eqijej32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjdfmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dlkepi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ccngld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Enakbp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Emkaol32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ebjglbml.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cghggc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfdjhndl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dlnbeh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Enfenplo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebjglbml.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fjaonpnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cjdfmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhbfdjdp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dlkepi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfdjhndl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Emkaol32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfoqmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfoqmo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djhphncm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djhphncm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dliijipn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgejac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ccngld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhdcji32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dliijipn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhdcji32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eqpgol32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejhlgaeh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejhlgaeh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejmebq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dpbheh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cldooj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fjaonpnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dpbheh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejobhppq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dbfabp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Endhhp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ekhhadmk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Enfenplo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dbfabp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djmicm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eqpgol32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ekhhadmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejmebq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejobhppq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cgejac32.exe N/A

Berbew

backdoor berbew

Gozi

banker trojan gozi

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgejac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgejac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjdfmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjdfmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cghggc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cghggc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cldooj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cldooj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccngld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccngld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djhphncm.exe N/A
N/A N/A C:\Windows\SysWOW64\Djhphncm.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpbheh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpbheh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfoqmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfoqmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dliijipn.exe N/A
N/A N/A C:\Windows\SysWOW64\Dliijipn.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbfabp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbfabp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djmicm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djmicm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlkepi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlkepi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfdjhndl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfdjhndl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhbfdjdp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhbfdjdp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlnbeh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlnbeh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhdcji32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhdcji32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enakbp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enakbp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqpgol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqpgol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejhlgaeh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejhlgaeh.exe N/A
N/A N/A C:\Windows\SysWOW64\Endhhp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Endhhp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekhhadmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekhhadmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Enfenplo.exe N/A
N/A N/A C:\Windows\SysWOW64\Enfenplo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejmebq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejmebq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emkaol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emkaol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejobhppq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejobhppq.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqijej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqijej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebjglbml.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebjglbml.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjaonpnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjaonpnn.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Ejmebq32.exe C:\Windows\SysWOW64\Enfenplo.exe N/A
File created C:\Windows\SysWOW64\Emkaol32.exe C:\Windows\SysWOW64\Ejmebq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfdjhndl.exe C:\Windows\SysWOW64\Dlkepi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Enakbp32.exe C:\Windows\SysWOW64\Dhdcji32.exe N/A
File created C:\Windows\SysWOW64\Hhijaf32.dll C:\Windows\SysWOW64\Enakbp32.exe N/A
File created C:\Windows\SysWOW64\Aabagnfc.dll C:\Windows\SysWOW64\Ejhlgaeh.exe N/A
File opened for modification C:\Windows\SysWOW64\Ebjglbml.exe C:\Windows\SysWOW64\Eqijej32.exe N/A
File created C:\Windows\SysWOW64\Cgejac32.exe C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
File created C:\Windows\SysWOW64\Dlnbeh32.exe C:\Windows\SysWOW64\Dhbfdjdp.exe N/A
File created C:\Windows\SysWOW64\Dhdcji32.exe C:\Windows\SysWOW64\Dlnbeh32.exe N/A
File created C:\Windows\SysWOW64\Eqpgol32.exe C:\Windows\SysWOW64\Enakbp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgejac32.exe C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
File opened for modification C:\Windows\SysWOW64\Cghggc32.exe C:\Windows\SysWOW64\Cjdfmo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dbfabp32.exe C:\Windows\SysWOW64\Dliijipn.exe N/A
File created C:\Windows\SysWOW64\Dhbfdjdp.exe C:\Windows\SysWOW64\Dfdjhndl.exe N/A
File created C:\Windows\SysWOW64\Ecdjal32.dll C:\Windows\SysWOW64\Dliijipn.exe N/A
File created C:\Windows\SysWOW64\Kncphpjl.dll C:\Windows\SysWOW64\Dlnbeh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfoqmo32.exe C:\Windows\SysWOW64\Dpbheh32.exe N/A
File created C:\Windows\SysWOW64\Djmicm32.exe C:\Windows\SysWOW64\Dbfabp32.exe N/A
File created C:\Windows\SysWOW64\Dhhlgc32.dll C:\Windows\SysWOW64\Eqpgol32.exe N/A
File created C:\Windows\SysWOW64\Akigbbni.dll C:\Windows\SysWOW64\Cldooj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dpbheh32.exe C:\Windows\SysWOW64\Djhphncm.exe N/A
File created C:\Windows\SysWOW64\Joliff32.dll C:\Windows\SysWOW64\Djhphncm.exe N/A
File created C:\Windows\SysWOW64\Dfoqmo32.exe C:\Windows\SysWOW64\Dpbheh32.exe N/A
File created C:\Windows\SysWOW64\Mghohc32.dll C:\Windows\SysWOW64\Cgejac32.exe N/A
File created C:\Windows\SysWOW64\Mcfidhng.dll C:\Windows\SysWOW64\Dpbheh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djmicm32.exe C:\Windows\SysWOW64\Dbfabp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eqijej32.exe C:\Windows\SysWOW64\Ejobhppq.exe N/A
File created C:\Windows\SysWOW64\Dpbheh32.exe C:\Windows\SysWOW64\Djhphncm.exe N/A
File created C:\Windows\SysWOW64\Nnfbei32.dll C:\Windows\SysWOW64\Dhbfdjdp.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhdcji32.exe C:\Windows\SysWOW64\Dlnbeh32.exe N/A
File created C:\Windows\SysWOW64\Enfenplo.exe C:\Windows\SysWOW64\Ekhhadmk.exe N/A
File created C:\Windows\SysWOW64\Hdjlnm32.dll C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjdfmo32.exe C:\Windows\SysWOW64\Cgejac32.exe N/A
File created C:\Windows\SysWOW64\Cldooj32.exe C:\Windows\SysWOW64\Cghggc32.exe N/A
File created C:\Windows\SysWOW64\Jaegglem.dll C:\Windows\SysWOW64\Ccngld32.exe N/A
File opened for modification C:\Windows\SysWOW64\Emkaol32.exe C:\Windows\SysWOW64\Ejmebq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ejobhppq.exe C:\Windows\SysWOW64\Emkaol32.exe N/A
File created C:\Windows\SysWOW64\Fkckeh32.exe C:\Windows\SysWOW64\Fjaonpnn.exe N/A
File created C:\Windows\SysWOW64\Lchkpi32.dll C:\Windows\SysWOW64\Ekhhadmk.exe N/A
File opened for modification C:\Windows\SysWOW64\Dliijipn.exe C:\Windows\SysWOW64\Dfoqmo32.exe N/A
File created C:\Windows\SysWOW64\Dlkepi32.exe C:\Windows\SysWOW64\Djmicm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eqpgol32.exe C:\Windows\SysWOW64\Enakbp32.exe N/A
File created C:\Windows\SysWOW64\Ejhlgaeh.exe C:\Windows\SysWOW64\Eqpgol32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dlnbeh32.exe C:\Windows\SysWOW64\Dhbfdjdp.exe N/A
File created C:\Windows\SysWOW64\Enakbp32.exe C:\Windows\SysWOW64\Dhdcji32.exe N/A
File opened for modification C:\Windows\SysWOW64\Endhhp32.exe C:\Windows\SysWOW64\Ejhlgaeh.exe N/A
File created C:\Windows\SysWOW64\Ekgednng.dll C:\Windows\SysWOW64\Emkaol32.exe N/A
File created C:\Windows\SysWOW64\Dliijipn.exe C:\Windows\SysWOW64\Dfoqmo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dlkepi32.exe C:\Windows\SysWOW64\Djmicm32.exe N/A
File created C:\Windows\SysWOW64\Jdjfho32.dll C:\Windows\SysWOW64\Dlkepi32.exe N/A
File created C:\Windows\SysWOW64\Oghiae32.dll C:\Windows\SysWOW64\Dfdjhndl.exe N/A
File opened for modification C:\Windows\SysWOW64\Fkckeh32.exe C:\Windows\SysWOW64\Fjaonpnn.exe N/A
File created C:\Windows\SysWOW64\Epjomppp.dll C:\Windows\SysWOW64\Dfoqmo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ejhlgaeh.exe C:\Windows\SysWOW64\Eqpgol32.exe N/A
File created C:\Windows\SysWOW64\Eqijej32.exe C:\Windows\SysWOW64\Ejobhppq.exe N/A
File opened for modification C:\Windows\SysWOW64\Fjaonpnn.exe C:\Windows\SysWOW64\Ebjglbml.exe N/A
File created C:\Windows\SysWOW64\Ebjglbml.exe C:\Windows\SysWOW64\Eqijej32.exe N/A
File created C:\Windows\SysWOW64\Fjaonpnn.exe C:\Windows\SysWOW64\Ebjglbml.exe N/A
File opened for modification C:\Windows\SysWOW64\Cldooj32.exe C:\Windows\SysWOW64\Cghggc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ccngld32.exe C:\Windows\SysWOW64\Cldooj32.exe N/A
File created C:\Windows\SysWOW64\Dbfabp32.exe C:\Windows\SysWOW64\Dliijipn.exe N/A
File created C:\Windows\SysWOW64\Amfidj32.dll C:\Windows\SysWOW64\Endhhp32.exe N/A
File created C:\Windows\SysWOW64\Cjdfmo32.exe C:\Windows\SysWOW64\Cgejac32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Fkckeh32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfoqmo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ejmebq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhdcji32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Enakbp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ejobhppq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fjaonpnn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgejac32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjdfmo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cldooj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dlnbeh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ejhlgaeh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Enfenplo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cghggc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djhphncm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eqpgol32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Emkaol32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpbheh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dbfabp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djmicm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ekhhadmk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ebjglbml.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fkckeh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfdjhndl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ccngld32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dliijipn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dlkepi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhbfdjdp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Endhhp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eqijej32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ejobhppq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnghjbjl.dll" C:\Windows\SysWOW64\Cjdfmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaegglem.dll" C:\Windows\SysWOW64\Ccngld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhijaf32.dll" C:\Windows\SysWOW64\Enakbp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eqpgol32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ejmebq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Djmicm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfdjhndl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ekhhadmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchkpi32.dll" C:\Windows\SysWOW64\Ekhhadmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmkof32.dll" C:\Windows\SysWOW64\Ejobhppq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkmmi32.dll" C:\Windows\SysWOW64\Eqijej32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cldooj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Djhphncm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dbfabp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhbfdjdp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhbfdjdp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Endhhp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehfcmhd.dll" C:\Windows\SysWOW64\Cghggc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfoqmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjfho32.dll" C:\Windows\SysWOW64\Dlkepi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dlkepi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ebjglbml.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjomppp.dll" C:\Windows\SysWOW64\Dfoqmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghiae32.dll" C:\Windows\SysWOW64\Dfdjhndl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncphpjl.dll" C:\Windows\SysWOW64\Dlnbeh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Enfenplo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Emkaol32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjdfmo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ccngld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joliff32.dll" C:\Windows\SysWOW64\Djhphncm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhdcji32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Enakbp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fjaonpnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll" C:\Windows\SysWOW64\Emkaol32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eqpgol32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aabagnfc.dll" C:\Windows\SysWOW64\Ejhlgaeh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ejhlgaeh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ekhhadmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Illjbiak.dll" C:\Windows\SysWOW64\Enfenplo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ejmebq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djhphncm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dlnbeh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Endhhp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Emkaol32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ejobhppq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cghggc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecdjal32.dll" C:\Windows\SysWOW64\Dliijipn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lednakhd.dll" C:\Windows\SysWOW64\Dhdcji32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifab32.dll" C:\Windows\SysWOW64\Dbfabp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ccngld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll" C:\Windows\SysWOW64\Dhbfdjdp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Enakbp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhlgc32.dll" C:\Windows\SysWOW64\Eqpgol32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cjdfmo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dfoqmo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dliijipn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgllco32.dll" C:\Windows\SysWOW64\Ejmebq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eqijej32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe C:\Windows\SysWOW64\Cgejac32.exe
PID 2552 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Cgejac32.exe C:\Windows\SysWOW64\Cjdfmo32.exe
PID 2720 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Cjdfmo32.exe C:\Windows\SysWOW64\Cghggc32.exe
PID 2464 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Cghggc32.exe C:\Windows\SysWOW64\Cldooj32.exe
PID 2820 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Cldooj32.exe C:\Windows\SysWOW64\Ccngld32.exe
PID 2456 wrote to memory of 1900 N/A C:\Windows\SysWOW64\Ccngld32.exe C:\Windows\SysWOW64\Djhphncm.exe
PID 1900 wrote to memory of 264 N/A C:\Windows\SysWOW64\Djhphncm.exe C:\Windows\SysWOW64\Dpbheh32.exe
PID 264 wrote to memory of 1404 N/A C:\Windows\SysWOW64\Dpbheh32.exe C:\Windows\SysWOW64\Dfoqmo32.exe
PID 1404 wrote to memory of 2908 N/A C:\Windows\SysWOW64\Dfoqmo32.exe C:\Windows\SysWOW64\Dliijipn.exe
PID 2908 wrote to memory of 2976 N/A C:\Windows\SysWOW64\Dliijipn.exe C:\Windows\SysWOW64\Dbfabp32.exe
PID 2976 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Dbfabp32.exe C:\Windows\SysWOW64\Djmicm32.exe
PID 2020 wrote to memory of 2340 N/A C:\Windows\SysWOW64\Djmicm32.exe C:\Windows\SysWOW64\Dlkepi32.exe
PID 2340 wrote to memory of 1724 N/A C:\Windows\SysWOW64\Dlkepi32.exe C:\Windows\SysWOW64\Dfdjhndl.exe
PID 1724 wrote to memory of 1456 N/A C:\Windows\SysWOW64\Dfdjhndl.exe C:\Windows\SysWOW64\Dhbfdjdp.exe
PID 1456 wrote to memory of 1752 N/A C:\Windows\SysWOW64\Dhbfdjdp.exe C:\Windows\SysWOW64\Dlnbeh32.exe
PID 1752 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Dlnbeh32.exe C:\Windows\SysWOW64\Dhdcji32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe

"C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe"

C:\Windows\SysWOW64\Cgejac32.exe

C:\Windows\system32\Cgejac32.exe

C:\Windows\SysWOW64\Cjdfmo32.exe

C:\Windows\system32\Cjdfmo32.exe

C:\Windows\SysWOW64\Cghggc32.exe

C:\Windows\system32\Cghggc32.exe

C:\Windows\SysWOW64\Cldooj32.exe

C:\Windows\system32\Cldooj32.exe

C:\Windows\SysWOW64\Ccngld32.exe

C:\Windows\system32\Ccngld32.exe

C:\Windows\SysWOW64\Djhphncm.exe

C:\Windows\system32\Djhphncm.exe

C:\Windows\SysWOW64\Dpbheh32.exe

C:\Windows\system32\Dpbheh32.exe

C:\Windows\SysWOW64\Dfoqmo32.exe

C:\Windows\system32\Dfoqmo32.exe

C:\Windows\SysWOW64\Dliijipn.exe

C:\Windows\system32\Dliijipn.exe

C:\Windows\SysWOW64\Dbfabp32.exe

C:\Windows\system32\Dbfabp32.exe

C:\Windows\SysWOW64\Djmicm32.exe

C:\Windows\system32\Djmicm32.exe

C:\Windows\SysWOW64\Dlkepi32.exe

C:\Windows\system32\Dlkepi32.exe

C:\Windows\SysWOW64\Dfdjhndl.exe

C:\Windows\system32\Dfdjhndl.exe

C:\Windows\SysWOW64\Dhbfdjdp.exe

C:\Windows\system32\Dhbfdjdp.exe

C:\Windows\SysWOW64\Dlnbeh32.exe

C:\Windows\system32\Dlnbeh32.exe

C:\Windows\SysWOW64\Dhdcji32.exe

C:\Windows\system32\Dhdcji32.exe

C:\Windows\SysWOW64\Enakbp32.exe

C:\Windows\system32\Enakbp32.exe

C:\Windows\SysWOW64\Eqpgol32.exe

C:\Windows\system32\Eqpgol32.exe

C:\Windows\SysWOW64\Ejhlgaeh.exe

C:\Windows\system32\Ejhlgaeh.exe

C:\Windows\SysWOW64\Endhhp32.exe

C:\Windows\system32\Endhhp32.exe

C:\Windows\SysWOW64\Ekhhadmk.exe

C:\Windows\system32\Ekhhadmk.exe

C:\Windows\SysWOW64\Enfenplo.exe

C:\Windows\system32\Enfenplo.exe

C:\Windows\SysWOW64\Ejmebq32.exe

C:\Windows\system32\Ejmebq32.exe

C:\Windows\SysWOW64\Emkaol32.exe

C:\Windows\system32\Emkaol32.exe

C:\Windows\SysWOW64\Ejobhppq.exe

C:\Windows\system32\Ejobhppq.exe

C:\Windows\SysWOW64\Eqijej32.exe

C:\Windows\system32\Eqijej32.exe

C:\Windows\SysWOW64\Ebjglbml.exe

C:\Windows\system32\Ebjglbml.exe

C:\Windows\SysWOW64\Fjaonpnn.exe

C:\Windows\system32\Fjaonpnn.exe

C:\Windows\SysWOW64\Fkckeh32.exe

C:\Windows\system32\Fkckeh32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 140

Network

N/A

Files

\Windows\SysWOW64\Cgejac32.exe

MD5 b33d707eee5f65f024b10b25ee468c49
SHA1 37357390c53d9a728277615569bef8899a7e6944
SHA256 e201755091d02b30b2d6f56c1cad86bd6f02a693c60a2da96c050018f260a1b0
SHA512 8ff8a20b89912f9ee5a9a855bf4ab6f687b1342fdbfeb0ea17e6b1cf5aa1123ef8c650c7b92b70d417841ef419d6a4d697bc64bec5c92d91acdf46b5726d201a

\Windows\SysWOW64\Cjdfmo32.exe

MD5 a192190a5d922f94b68e2f8944a2fe61
SHA1 5d19335b4856b89896a94385eabe0fab73d2e7e8
SHA256 cfc64c84d14ae4e91abf5e2154d13a911c10b8934fc38edfa88e3d99af0b5d71
SHA512 1687e3034c675af6bb52a3c5b9483bd58bc338b5686330c9bbb6e9e5a1c84f382d5d711b285401db48d4ae50351d1d7a3a8f632927e3f93b298c810d43496356

\Windows\SysWOW64\Cghggc32.exe

MD5 7f16c292cef178cced15a87047030ae5
SHA1 94377f8916931efb5a13cd0c6f9465ab7ef5d64e
SHA256 160694d6f5d123bdca722ef812ebb2372a989b3c3b50576752c5d79e6823ab14
SHA512 7137d7f920b77ef2cce5de3ee83110d1dbe896b0afc9f6972b6ec42563000d3f9c8bfd659263e36df2b953bcc7e0c1ff97dedfbf103e08bdd631665f2835f6b4

\Windows\SysWOW64\Cldooj32.exe

MD5 7bb92cd263ec6820dcbcfb8149306b83
SHA1 04c91c095f361538a1ab60da9840a8866d0a242b
SHA256 6ddb9edee3fd9ecbecd6a884f9eaa901ab91506b680d28e5afd14c3b755941d3
SHA512 f45bbb8b3392f8c18dd16211d78d3730f62d526630c3fd159844581dd224d41945595523a57c77ba3ec1262c637edcc5382ce17703d73d7cb79d49eeaba89c9e

\Windows\SysWOW64\Ccngld32.exe

MD5 40d8a26dd7e8118a899fa92651f53795
SHA1 6cedbf9ab3d8beaa8f7f40d6bfb86488e8d2fe22
SHA256 345022a6778f5ed95f84c0a937829d055ad4b08ea7d552c24e09d6b008646000
SHA512 b285cdd2559827269d8323929564e675f83c1eca204f3b44b2a67439c005a35fd8e4106b013876231d8d69a19b88db2ba7b3c3c1b150d942b2931e6bfa3ccb08

\Windows\SysWOW64\Djhphncm.exe

MD5 fad96ee791382cd7444e299b944ffcf3
SHA1 0ecbb48e029e1ab8e88bb278e1dccf2120e930c9
SHA256 50c710f9024479ea83e85a838215e632b9ba71ded00af00682a70a517dfb7f77
SHA512 3a054500ee609667bc934449126e1912c42368fc75f8fee40c8d0942de315fd901e18f3249d775a63a74ca4ec1ae06f425ccbec4d67f531a96e6593b1ac343b8

\Windows\SysWOW64\Dpbheh32.exe

MD5 49c6b0ce35f890029b360687a48667d3
SHA1 14db3367a7fe2c4cd95b91d9ee0b6e1c4b166416
SHA256 b347aff69c5dd1d04667f4459a958c86159d61e94bf3ae996e8092612ffadf01
SHA512 a7bf5a2a7f1ec7665f9f882e24d5ac4c6fa0d537e17f1a62b06e23ffa6262889ad92882f382aac15caa5477cc3b6214308fa68ca703e6c69c1d28384ddfdc783

C:\Windows\SysWOW64\Dfoqmo32.exe

MD5 64817d8d830e775a170189243b9cef14
SHA1 a8452fdf84f35ca0f10cbbe564dd67e2afc9a97d
SHA256 33d30cae363514c4e9ad49bae1a7958c4d33d69201340fcf5d85c268bc5cab45
SHA512 99ad669663a858aac5b0c789207a716b50d46894f1c0cdb355a4f9bf603a804f342266a90553f6b7a6e844bce63aad6a05fd38049e1cea3e52cbb9dc12d1f8a0

\Windows\SysWOW64\Dliijipn.exe

MD5 20f3fd9f048f8a53a96cbd7b280e812d
SHA1 a436bc7c231b11941dc7e924452366347fa5b5ff
SHA256 824d222564650067f456c016db40996329dd3bf91615486831f239d5342c722d
SHA512 902ebdc34401563020c930559da67aa63c21622e19f7b5f29aae0a5916f6fd42f557674f62cf3929f0dc6518cbc177b41d32ce78c28f2221106ec8b33fce018d

\Windows\SysWOW64\Dbfabp32.exe

MD5 8d288d2315246dbe95643bb1e3d3435e
SHA1 0f85b9dfcb2695489933d5bb24f6fb3ec918d7e2
SHA256 c3bab760d2f7087296c702e8a822bb91374e6adc521f16a9e39eeba6af225371
SHA512 33e4e3a3838b47b7b074b796bf82cd69d8eb1c00dd0eedab413bb899f1254308d31d16720238dd87b078e105415543a02c77c1b66690b696b56fcebbb74fce88

\Windows\SysWOW64\Djmicm32.exe

MD5 a2603b441211b4d479338b7f5b0de362
SHA1 3d8f50825e4e10dcf8d1f465f9d7454391fef85c
SHA256 8aa30b1f55dd67e9f051271d085377aa2b7a474038d4254be6cbf6a207ead7ba
SHA512 a3546ec161a5b1ede15e79c75291e2ac463b8cfaf8b5c5661e8e9ce81357dda6c45ad086d864f4a0e43e98d7058504a0e72f0fc23c29a2d11d7a87203d0f0fa5

C:\Windows\SysWOW64\Dlkepi32.exe

MD5 7f59166b7dbc5bdc484f8bcad41d57ee
SHA1 d0beb6156b1c57318771f5b1994528f057b46a6b
SHA256 5b6e0a435b967b2c1c4835cce7f82301c4396da8e868e43c76f7f7352da01d95
SHA512 7bfd234e05580cad3f0b58886c065d95fb62044ad5d0e0e4a4c7057c9a031781d2b780a80a39261dfc8566b27a8f0a7320ba47b2b22e078b8c420de87fcbf8d8

\Windows\SysWOW64\Dfdjhndl.exe

MD5 138eb685b92331139522f83d3b304750
SHA1 189dee5f4ea1f1a635e8e70a41af0c737959b75c
SHA256 4c582da6bc650e64b225e0a051fba851fc4befb6bc99b2c1a1847d3384cb6d3a
SHA512 4d95220ea6d564a2f055a3ddbe72a5826d86aee60e512a41821f47106aa6557f10a59e8443ae1c2e4fa1e270ccef58f7b49962fb2e8e0e9b35aac9f858d149f0

\Windows\SysWOW64\Dhbfdjdp.exe

MD5 d7fd9aa96361d5480c75613e4d1bdbde
SHA1 6884db8648072c49b40fd2facf611fe47042ae17
SHA256 d3d3dfd8f69abb9026f3aa642a3f5891dcc44fe54b7042f072b9069cc222bfc0
SHA512 bec0dbf45c5ea6675019bf859978f9153295f3f2f6ab96400cb87c20709b7b5fee069dc835030cec998fd6d0709ef8e917308a248945ca7470fdbbdbf53e350e

\Windows\SysWOW64\Dlnbeh32.exe

MD5 e42dcb446b05c540d285b7c804028b7d
SHA1 805e358ec28f3d7b48e15ef8861ce8dcd7b9f3af
SHA256 934f3a29d8a452f05cda6b01f5f2d2f666f795ef426f9e11b78798e9e55b6615
SHA512 3cf2d20685fca6602f14dff2bf4e3a75f71d78e63872f99bd87a910eaca7d566a23637e8507c1e27eaa3f004639ecc3471e9fa1daa169dcc9d570ff3fa97d2d2

\Windows\SysWOW64\Dhdcji32.exe

MD5 c4158fe9918e4fd5420332deed43535a
SHA1 1b0a607f75de0caf072ed8378d6e4df9d5de91bd
SHA256 0c2b2c3045b31cd08401385fd101cea6f52e1e85aab4a378778ee17ca48d1155
SHA512 74f8dcbf2fc31dbfe15f40b427b44f537435885282af44f11e0743a11783673b72a764eb12624e6abd70d7fe003adf093dfeefc57f4f1d85c5b74369a2410b41

C:\Windows\SysWOW64\Enakbp32.exe

MD5 51809ce37655d28ec2f4b76f14f4eab5
SHA1 ec78ffd564e6820025c6783fb934a893aea68a00
SHA256 d26ae8801516940f877e2365366abf5a7902d556e90112d9a7c02f4a7c4bdd6d
SHA512 49752f73c9b9c422b0c8be4949c8c5e16e261202b4d5d500b93dde448043206a6c99c1248b33082a514a6d21cab6161174ea25d7e6da01954ddceb11c9eff474

C:\Windows\SysWOW64\Eqpgol32.exe

MD5 52f89dc295839fcc1ee246924dff7f0f
SHA1 d804ea748f627573e8dfc1716475fe79a6515698
SHA256 b9114fe8b10ae226c89355571a17c44d4d1852e9e459e4150bd441e598cdf15d
SHA512 57279ab09f3bde932c2ad7b403c6e3d0fc6f4e514c4bc403ef694f75d7a6e224a187967e11d1f412a271132e4c1e838370c5f79fa5400a0945ffdcd6c8e9f1af

C:\Windows\SysWOW64\Ejhlgaeh.exe

MD5 1659d67911b2244961134d2858e4580e
SHA1 3d7244c09c85e33c54009b0d26bf8b4ce265f2ac
SHA256 a7a9b19fd6cb6d385dde155ffa69a767b6d4c2a028318aaf9a1b6a8fad38214d
SHA512 e91364824b9375da652a351d3fbee2c3aed3b098517a7624264c98d80279f252fb36ffbdf8ef6249a1288b5ab3e71c1416da7e79203cd15e20cb3ae6dc2dad2a

C:\Windows\SysWOW64\Endhhp32.exe

MD5 c53d3d1aef3c1d128140cb24b70fbf46
SHA1 3f25984c91525ce68004441b41dd1caa15e9e2f5
SHA256 1d4230f8a6119187b47d522aa481077cb73770189565ff6d3b702a5d1a0bea8b
SHA512 01a484db8d38e9a01a9d357ecd230a5e79e617d56b12ab5480851a77006a0d9ed36dd5330ada52880edb5f26c77094a3292b8932c8e14f210aa78045c12c0018

C:\Windows\SysWOW64\Ekhhadmk.exe

MD5 b4a0c9457eaf04e1b8f9d814e4ac56ba
SHA1 676e36d5332cde93881487c8917b953ccd5dc49c
SHA256 6e753282d0e9dec2ebb266ebbcb3778c1e661e6625ba0751173869e40696c08d
SHA512 571b4ffed0e0b6ac0299f0a6e7160cfa6c4cb042acf2db9137dcdec16c2485453ffde3163a1da2bcfde2f3e45a21ed3a4b9c5eeb9c6db2e185478303f2501288

C:\Windows\SysWOW64\Enfenplo.exe

MD5 ccc4d4bb5d2ebe72c1db234530024350
SHA1 dc76159a470afb1a2d09ed40cb207ebeeb0950f8
SHA256 49e1eefb9307bbb1c3506a141bf24683a1bdfef0db883d679959307e9a2924a6
SHA512 12c432ec47b94b22309723773642cba808e7ec295ceb0adabb8fe655d3572e48a5784096a168526fa4e43244d65235737b3b6085d1036fb1c2548de3d96c37cc

C:\Windows\SysWOW64\Ejmebq32.exe

MD5 ce6f27dbcbb0a48cf936badea548f33c
SHA1 02a55d87e92e965e73426ff835430931ed6a504a
SHA256 3dd282f70d588e1098408beb5a44afa0101afadc3b36df0e469a17ef906ec19c
SHA512 5209b35fa3a8faa30bd2a5eb25b462292bb9f5b9993b9f3f83905023da7cc21e20312fd7b82900b648c0de311957c20afa8095aa4021959e6661c0cce66e5e34

C:\Windows\SysWOW64\Emkaol32.exe

MD5 61114b6aff63304bb6b6695711dcacfa
SHA1 6f103e80c5f373bde19260461b0d170c267b1950
SHA256 8b6eb84cfa41fc2231ada4e7a0d7de96e7c844f3bdec08c0ebade7363ed95f25
SHA512 3906d432ee632aacdaabd3524642048fc1f04aa2c3a56717c2b49180b4150f0be91fc28c37d470c598a3b6d4d4772b79c038bb97b924acc97d4fefb2ecd52f1e

C:\Windows\SysWOW64\Ejobhppq.exe

MD5 5b53725ef1d550d9434d21c9dd01087f
SHA1 d9ee949716d818547625ec6b85e24afef72fe0f5
SHA256 a6603c9ab1214b6501b593333e5e50a1f11c088abfa72c1fdadfa2934887d7dc
SHA512 0a7e90b8fce0ee99d9d256a60b9d71ad56ef437d46df6481bfa78ba559995f025ed1ab6a03ef61891548d55c3bcad3b54c27477544e90a7eed737245bafd53a6

C:\Windows\SysWOW64\Eqijej32.exe

MD5 de86084bcc4572de1152226902b4dbb1
SHA1 44465da3ed7e23b0de821b9be122dbe8ce0890c5
SHA256 cbaa10f7173c046699c379099340c46718efed7d1342e5c5d8bd0e8e363805c4
SHA512 97e1f3cfbdec0e82940e571a3c00750476b9ce4eaa2a36433ecb5bae72eb40f85b2dc442ab43924d8ed29f935d53a097820e3f86cfa5c99697868a18fe18e1bd

C:\Windows\SysWOW64\Ebjglbml.exe

MD5 7c92cde500b121e7c6fb6c2590678834
SHA1 86114a0f71a601275eead26c892e0417641ad890
SHA256 749f45bd293ad07dd7b91f3fd06822adb032508051d8bf4525aa619691c4656e
SHA512 9d79cc366568e02b3e3ae9b2ed418a7415d2ced558027e3dd8970fba88b2ff716ef955d8a9214bcfe636ec5fa7557c40c0b8a65d7e5eb2b42c3fc93e9edacca4

C:\Windows\SysWOW64\Fjaonpnn.exe

MD5 81c6ece686f5ab315e98dcaa36975b0f
SHA1 86580e3facb1e1d13fd3a1fece88f6b9eeae2221
SHA256 773328a8cffbf8dc3820715e0750defc8f1fbfdebdd58ea3515adf151aa33c4c
SHA512 dfb91fea32e71d27337b13fba1271bcfdbbe38005f0ed8bebc4e4838191b7a9fc1cf9c09ffb5e623119d39ba24505acc0405ee75fa66c2606b3f057c23f73f39

C:\Windows\SysWOW64\Fkckeh32.exe

MD5 755e50025ee50b5cfd65b6870accb541
SHA1 180c254154ee54aea0be52341e171a3a4393989c
SHA256 2d0917b83ce887b671a73443dcb100aeb9630fa90c1f3e5a7c7e30e08fe7801b
SHA512 f2dae174639c20e4d2768fae6c633c4c6fafa6523b791bb7b0040957ceb73cb65f4884dd880c11912ba2819efe62cf6a8e42766f9486be893e8464c603c6ab34

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-07 07:21

Reported

2024-10-07 07:23

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cildom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dphiaffa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cildom32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bbhildae.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cibain32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ckdkhq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpfmlghd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmladm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdeiqgkj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdeiqgkj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkkaiphj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bbhildae.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdmoafdb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgklmacf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cgklmacf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdolgfbp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpfmlghd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgfbbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cgfbbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdmoafdb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdolgfbp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkkaiphj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dphiaffa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Calfpk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bmladm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cibain32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Calfpk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ckdkhq32.exe N/A

Berbew

backdoor berbew

Gozi

banker trojan gozi

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Nepmal32.dll C:\Windows\SysWOW64\Cdmoafdb.exe N/A
File created C:\Windows\SysWOW64\Lncmdghm.dll C:\Windows\SysWOW64\Cdolgfbp.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkkaiphj.exe C:\Windows\SysWOW64\Cpfmlghd.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmladm32.exe C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
File created C:\Windows\SysWOW64\Bcominjm.dll C:\Windows\SysWOW64\Bdeiqgkj.exe N/A
File created C:\Windows\SysWOW64\Calfpk32.exe C:\Windows\SysWOW64\Cgfbbb32.exe N/A
File created C:\Windows\SysWOW64\Daqfhf32.dll C:\Windows\SysWOW64\Ckdkhq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgklmacf.exe C:\Windows\SysWOW64\Cdmoafdb.exe N/A
File opened for modification C:\Windows\SysWOW64\Dphiaffa.exe C:\Windows\SysWOW64\Dkkaiphj.exe N/A
File created C:\Windows\SysWOW64\Amoppdld.dll C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
File created C:\Windows\SysWOW64\Bdeiqgkj.exe C:\Windows\SysWOW64\Bmladm32.exe N/A
File created C:\Windows\SysWOW64\Cibain32.exe C:\Windows\SysWOW64\Bbhildae.exe N/A
File opened for modification C:\Windows\SysWOW64\Cibain32.exe C:\Windows\SysWOW64\Bbhildae.exe N/A
File created C:\Windows\SysWOW64\Cdolgfbp.exe C:\Windows\SysWOW64\Cgklmacf.exe N/A
File created C:\Windows\SysWOW64\Lljoca32.dll C:\Windows\SysWOW64\Cildom32.exe N/A
File created C:\Windows\SysWOW64\Dphiaffa.exe C:\Windows\SysWOW64\Dkkaiphj.exe N/A
File opened for modification C:\Windows\SysWOW64\Bbhildae.exe C:\Windows\SysWOW64\Bdeiqgkj.exe N/A
File created C:\Windows\SysWOW64\Anbgamkp.dll C:\Windows\SysWOW64\Bbhildae.exe N/A
File created C:\Windows\SysWOW64\Eafbac32.dll C:\Windows\SysWOW64\Cgfbbb32.exe N/A
File created C:\Windows\SysWOW64\Cgklmacf.exe C:\Windows\SysWOW64\Cdmoafdb.exe N/A
File created C:\Windows\SysWOW64\Cildom32.exe C:\Windows\SysWOW64\Cdolgfbp.exe N/A
File created C:\Windows\SysWOW64\Bcidlo32.dll C:\Windows\SysWOW64\Cibain32.exe N/A
File created C:\Windows\SysWOW64\Ckdkhq32.exe C:\Windows\SysWOW64\Calfpk32.exe N/A
File created C:\Windows\SysWOW64\Dooaccfg.dll C:\Windows\SysWOW64\Calfpk32.exe N/A
File created C:\Windows\SysWOW64\Icpjna32.dll C:\Windows\SysWOW64\Cgklmacf.exe N/A
File created C:\Windows\SysWOW64\Qahlom32.dll C:\Windows\SysWOW64\Dphiaffa.exe N/A
File created C:\Windows\SysWOW64\Pjcfndog.dll C:\Windows\SysWOW64\Bmladm32.exe N/A
File created C:\Windows\SysWOW64\Bbhildae.exe C:\Windows\SysWOW64\Bdeiqgkj.exe N/A
File opened for modification C:\Windows\SysWOW64\Calfpk32.exe C:\Windows\SysWOW64\Cgfbbb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdmoafdb.exe C:\Windows\SysWOW64\Ckdkhq32.exe N/A
File created C:\Windows\SysWOW64\Dkkaiphj.exe C:\Windows\SysWOW64\Cpfmlghd.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgfbbb32.exe C:\Windows\SysWOW64\Cibain32.exe N/A
File created C:\Windows\SysWOW64\Cdmoafdb.exe C:\Windows\SysWOW64\Ckdkhq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdolgfbp.exe C:\Windows\SysWOW64\Cgklmacf.exe N/A
File created C:\Windows\SysWOW64\Bigpblgh.dll C:\Windows\SysWOW64\Cpfmlghd.exe N/A
File opened for modification C:\Windows\SysWOW64\Diqnjl32.exe C:\Windows\SysWOW64\Dphiaffa.exe N/A
File created C:\Windows\SysWOW64\Bkodbfgo.dll C:\Windows\SysWOW64\Dkkaiphj.exe N/A
File created C:\Windows\SysWOW64\Bmladm32.exe C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdeiqgkj.exe C:\Windows\SysWOW64\Bmladm32.exe N/A
File created C:\Windows\SysWOW64\Cgfbbb32.exe C:\Windows\SysWOW64\Cibain32.exe N/A
File created C:\Windows\SysWOW64\Cpfmlghd.exe C:\Windows\SysWOW64\Cildom32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cpfmlghd.exe C:\Windows\SysWOW64\Cildom32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ckdkhq32.exe C:\Windows\SysWOW64\Calfpk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cildom32.exe C:\Windows\SysWOW64\Cdolgfbp.exe N/A
File created C:\Windows\SysWOW64\Diqnjl32.exe C:\Windows\SysWOW64\Dphiaffa.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Diqnjl32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Calfpk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cibain32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bbhildae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgfbbb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cildom32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkkaiphj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmladm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckdkhq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdmoafdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgklmacf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdolgfbp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Diqnjl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpfmlghd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dphiaffa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdeiqgkj.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Calfpk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ckdkhq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdolgfbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkkaiphj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cibain32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgfbbb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cdmoafdb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll" C:\Windows\SysWOW64\Cdolgfbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cildom32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dkkaiphj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcfndog.dll" C:\Windows\SysWOW64\Bmladm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Calfpk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daqfhf32.dll" C:\Windows\SysWOW64\Ckdkhq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepmal32.dll" C:\Windows\SysWOW64\Cdmoafdb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoppdld.dll" C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcominjm.dll" C:\Windows\SysWOW64\Bdeiqgkj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll" C:\Windows\SysWOW64\Cgfbbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcidlo32.dll" C:\Windows\SysWOW64\Cibain32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cgklmacf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpjna32.dll" C:\Windows\SysWOW64\Cgklmacf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll" C:\Windows\SysWOW64\Dphiaffa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cpfmlghd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cpfmlghd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dphiaffa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmladm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cildom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdmoafdb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cdolgfbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll" C:\Windows\SysWOW64\Cpfmlghd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dphiaffa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bbhildae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cgfbbb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ckdkhq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgklmacf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lljoca32.dll" C:\Windows\SysWOW64\Cildom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll" C:\Windows\SysWOW64\Dkkaiphj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmladm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdeiqgkj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbgamkp.dll" C:\Windows\SysWOW64\Bbhildae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dooaccfg.dll" C:\Windows\SysWOW64\Calfpk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bdeiqgkj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bbhildae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cibain32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3668 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe C:\Windows\SysWOW64\Bmladm32.exe
PID 3668 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe C:\Windows\SysWOW64\Bmladm32.exe
PID 3668 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe C:\Windows\SysWOW64\Bmladm32.exe
PID 3448 wrote to memory of 2200 N/A C:\Windows\SysWOW64\Bmladm32.exe C:\Windows\SysWOW64\Bdeiqgkj.exe
PID 3448 wrote to memory of 2200 N/A C:\Windows\SysWOW64\Bmladm32.exe C:\Windows\SysWOW64\Bdeiqgkj.exe
PID 3448 wrote to memory of 2200 N/A C:\Windows\SysWOW64\Bmladm32.exe C:\Windows\SysWOW64\Bdeiqgkj.exe
PID 2200 wrote to memory of 340 N/A C:\Windows\SysWOW64\Bdeiqgkj.exe C:\Windows\SysWOW64\Bbhildae.exe
PID 2200 wrote to memory of 340 N/A C:\Windows\SysWOW64\Bdeiqgkj.exe C:\Windows\SysWOW64\Bbhildae.exe
PID 2200 wrote to memory of 340 N/A C:\Windows\SysWOW64\Bdeiqgkj.exe C:\Windows\SysWOW64\Bbhildae.exe
PID 340 wrote to memory of 632 N/A C:\Windows\SysWOW64\Bbhildae.exe C:\Windows\SysWOW64\Cibain32.exe
PID 340 wrote to memory of 632 N/A C:\Windows\SysWOW64\Bbhildae.exe C:\Windows\SysWOW64\Cibain32.exe
PID 340 wrote to memory of 632 N/A C:\Windows\SysWOW64\Bbhildae.exe C:\Windows\SysWOW64\Cibain32.exe
PID 632 wrote to memory of 1152 N/A C:\Windows\SysWOW64\Cibain32.exe C:\Windows\SysWOW64\Cgfbbb32.exe
PID 632 wrote to memory of 1152 N/A C:\Windows\SysWOW64\Cibain32.exe C:\Windows\SysWOW64\Cgfbbb32.exe
PID 632 wrote to memory of 1152 N/A C:\Windows\SysWOW64\Cibain32.exe C:\Windows\SysWOW64\Cgfbbb32.exe
PID 1152 wrote to memory of 3504 N/A C:\Windows\SysWOW64\Cgfbbb32.exe C:\Windows\SysWOW64\Calfpk32.exe
PID 1152 wrote to memory of 3504 N/A C:\Windows\SysWOW64\Cgfbbb32.exe C:\Windows\SysWOW64\Calfpk32.exe
PID 1152 wrote to memory of 3504 N/A C:\Windows\SysWOW64\Cgfbbb32.exe C:\Windows\SysWOW64\Calfpk32.exe
PID 3504 wrote to memory of 3744 N/A C:\Windows\SysWOW64\Calfpk32.exe C:\Windows\SysWOW64\Ckdkhq32.exe
PID 3504 wrote to memory of 3744 N/A C:\Windows\SysWOW64\Calfpk32.exe C:\Windows\SysWOW64\Ckdkhq32.exe
PID 3504 wrote to memory of 3744 N/A C:\Windows\SysWOW64\Calfpk32.exe C:\Windows\SysWOW64\Ckdkhq32.exe
PID 3744 wrote to memory of 4656 N/A C:\Windows\SysWOW64\Ckdkhq32.exe C:\Windows\SysWOW64\Cdmoafdb.exe
PID 3744 wrote to memory of 4656 N/A C:\Windows\SysWOW64\Ckdkhq32.exe C:\Windows\SysWOW64\Cdmoafdb.exe
PID 3744 wrote to memory of 4656 N/A C:\Windows\SysWOW64\Ckdkhq32.exe C:\Windows\SysWOW64\Cdmoafdb.exe
PID 4656 wrote to memory of 4272 N/A C:\Windows\SysWOW64\Cdmoafdb.exe C:\Windows\SysWOW64\Cgklmacf.exe
PID 4656 wrote to memory of 4272 N/A C:\Windows\SysWOW64\Cdmoafdb.exe C:\Windows\SysWOW64\Cgklmacf.exe
PID 4656 wrote to memory of 4272 N/A C:\Windows\SysWOW64\Cdmoafdb.exe C:\Windows\SysWOW64\Cgklmacf.exe
PID 4272 wrote to memory of 4948 N/A C:\Windows\SysWOW64\Cgklmacf.exe C:\Windows\SysWOW64\Cdolgfbp.exe
PID 4272 wrote to memory of 4948 N/A C:\Windows\SysWOW64\Cgklmacf.exe C:\Windows\SysWOW64\Cdolgfbp.exe
PID 4272 wrote to memory of 4948 N/A C:\Windows\SysWOW64\Cgklmacf.exe C:\Windows\SysWOW64\Cdolgfbp.exe
PID 4948 wrote to memory of 752 N/A C:\Windows\SysWOW64\Cdolgfbp.exe C:\Windows\SysWOW64\Cildom32.exe
PID 4948 wrote to memory of 752 N/A C:\Windows\SysWOW64\Cdolgfbp.exe C:\Windows\SysWOW64\Cildom32.exe
PID 4948 wrote to memory of 752 N/A C:\Windows\SysWOW64\Cdolgfbp.exe C:\Windows\SysWOW64\Cildom32.exe
PID 752 wrote to memory of 4376 N/A C:\Windows\SysWOW64\Cildom32.exe C:\Windows\SysWOW64\Cpfmlghd.exe
PID 752 wrote to memory of 4376 N/A C:\Windows\SysWOW64\Cildom32.exe C:\Windows\SysWOW64\Cpfmlghd.exe
PID 752 wrote to memory of 4376 N/A C:\Windows\SysWOW64\Cildom32.exe C:\Windows\SysWOW64\Cpfmlghd.exe
PID 4376 wrote to memory of 1768 N/A C:\Windows\SysWOW64\Cpfmlghd.exe C:\Windows\SysWOW64\Dkkaiphj.exe
PID 4376 wrote to memory of 1768 N/A C:\Windows\SysWOW64\Cpfmlghd.exe C:\Windows\SysWOW64\Dkkaiphj.exe
PID 4376 wrote to memory of 1768 N/A C:\Windows\SysWOW64\Cpfmlghd.exe C:\Windows\SysWOW64\Dkkaiphj.exe
PID 1768 wrote to memory of 4848 N/A C:\Windows\SysWOW64\Dkkaiphj.exe C:\Windows\SysWOW64\Dphiaffa.exe
PID 1768 wrote to memory of 4848 N/A C:\Windows\SysWOW64\Dkkaiphj.exe C:\Windows\SysWOW64\Dphiaffa.exe
PID 1768 wrote to memory of 4848 N/A C:\Windows\SysWOW64\Dkkaiphj.exe C:\Windows\SysWOW64\Dphiaffa.exe
PID 4848 wrote to memory of 812 N/A C:\Windows\SysWOW64\Dphiaffa.exe C:\Windows\SysWOW64\Diqnjl32.exe
PID 4848 wrote to memory of 812 N/A C:\Windows\SysWOW64\Dphiaffa.exe C:\Windows\SysWOW64\Diqnjl32.exe
PID 4848 wrote to memory of 812 N/A C:\Windows\SysWOW64\Dphiaffa.exe C:\Windows\SysWOW64\Diqnjl32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe

"C:\Users\Admin\AppData\Local\Temp\f58a281f5705a42aaf56e0316b2dbe7e05034926b90087fb0b6cc7f8f5402817N.exe"

C:\Windows\SysWOW64\Bmladm32.exe

C:\Windows\system32\Bmladm32.exe

C:\Windows\SysWOW64\Bdeiqgkj.exe

C:\Windows\system32\Bdeiqgkj.exe

C:\Windows\SysWOW64\Bbhildae.exe

C:\Windows\system32\Bbhildae.exe

C:\Windows\SysWOW64\Cibain32.exe

C:\Windows\system32\Cibain32.exe

C:\Windows\SysWOW64\Cgfbbb32.exe

C:\Windows\system32\Cgfbbb32.exe

C:\Windows\SysWOW64\Calfpk32.exe

C:\Windows\system32\Calfpk32.exe

C:\Windows\SysWOW64\Ckdkhq32.exe

C:\Windows\system32\Ckdkhq32.exe

C:\Windows\SysWOW64\Cdmoafdb.exe

C:\Windows\system32\Cdmoafdb.exe

C:\Windows\SysWOW64\Cgklmacf.exe

C:\Windows\system32\Cgklmacf.exe

C:\Windows\SysWOW64\Cdolgfbp.exe

C:\Windows\system32\Cdolgfbp.exe

C:\Windows\SysWOW64\Cildom32.exe

C:\Windows\system32\Cildom32.exe

C:\Windows\SysWOW64\Cpfmlghd.exe

C:\Windows\system32\Cpfmlghd.exe

C:\Windows\SysWOW64\Dkkaiphj.exe

C:\Windows\system32\Dkkaiphj.exe

C:\Windows\SysWOW64\Dphiaffa.exe

C:\Windows\system32\Dphiaffa.exe

C:\Windows\SysWOW64\Diqnjl32.exe

C:\Windows\system32\Diqnjl32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 812 -ip 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1436,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4388 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/3668-0-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3668-1-0x0000000000432000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bmladm32.exe

MD5 ff48e282c566195f3db6c73110c35038
SHA1 c72ef0414248c92be02c72e6ac04c1a24799ee3f
SHA256 42287f0163f46fd6c68f0891ecb2d651475364a4c61e87c0b7c4e062eb76971d
SHA512 9eb16d9dfed64847619f6cc8121a3bb057f2d9d83ac9d5c2f1aa36731150659bfa4acbdf46be381eb82a41f888f61595bf090c73dc159bd4d412102f721a2f5c

memory/3448-8-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bdeiqgkj.exe

MD5 c75f19d15a3740eb8a4a788245d42c0e
SHA1 bd4d18bf65ab6717b8614dc8c4cc029ab0bfb3cc
SHA256 c6b500456298fd6e136b345c39079c816a5498c2191155183fcef0b62259e347
SHA512 59360c5c711e8a6dac28bbc8f49c771d107f7f8a48abfe619097f2a6655d6fb26f23b73b57dd188eddbac6f2a7bc709a3242f175aa7b4e0f9e67acfdd1291ac8

memory/2200-17-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bbhildae.exe

MD5 411c7d174ad32c807f80a6e720603f10
SHA1 3da9fe4d02e390d4ec88943dc66ff3ecb1d77bc1
SHA256 48ba92cd2a58d8da2cdd8ddbd13539ae5f6fb9946114c7af1fce762615c9ba77
SHA512 368020c2b4b499f5bce359f04d9d867d62c1424e2f468cab9439536a2f23ebc3e331276839ccdf95c62ea673cc590a89dc3b0c81772ed6d4eaaac6beb6dd89e6

memory/340-25-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cibain32.exe

MD5 d155553922a8e58e161c567588140971
SHA1 43c12390480bbd5bce3e548b0ffad9670032a56a
SHA256 6a9923a561160a61f1fc26cbd2c6e98bc47654e8e04a83e5f49c3a6cd26c689a
SHA512 d6af6550c6747bab3ce34e98a00a1b351cd0ec3667ef5331ee2f64070f93bff3f7617af290e924313cb00ce8e58b674334f4b0c6fa50db7602b879d7f32f53be

memory/632-37-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cgfbbb32.exe

MD5 5dfc7f134b91b1cd054b92cf67c752c8
SHA1 9608b520fd0cc617c9f17a7f00276ef9396fe3b0
SHA256 7fa1c8359ea1baf0d7091a3544d5f1c54a38cb7408889751645eb29c530eb8dc
SHA512 90ac2d48a7f785597f4e690e2e2daf75c10807d09070ae3a8c1b72311a2825a7940f55f76e2e40903dc373e8eeecf96b4b27047674ea4a68e622ca219287dc03

memory/1152-40-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3504-48-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Calfpk32.exe

MD5 118d706c9e8c1857a5f105c34aa5ef9a
SHA1 483700699b576777743e32ba92bff2a16120e057
SHA256 b7aa0a76d0b2a561f4ba3601a35581945f8e877727d357762eb75fb99407d49b
SHA512 3da1805e61aaf2b602eb60b058b5ec0c24d18b849e65c4255eb52337eac84568a72b4e29404a0b2c31e5057eee906c933a438f9a9d27ad1fe0395a8bdb2a4894

C:\Windows\SysWOW64\Ckdkhq32.exe

MD5 af834898890e797f1ff4b7c7ef9228c4
SHA1 85f7025250da04c18960fc9d09a9147bfcd99d4b
SHA256 46b5896689fe727abbe2a1345b8d6d78fde73e23bb61f5ad1d7a76402c60bf9b
SHA512 7b1042516905408f5d9e546db26fd245576b4e8f3927a828fd5ad1d29a3fa74e752798fce10e6e1f3726bc78a084f37e28a5674862fc0f18baa4ff19f6882830

memory/3744-56-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cdmoafdb.exe

MD5 dfae94ea89bacb309bd9e7e93ecdcbd3
SHA1 dfa14d0708c0c5ce51e5019ecf8004c6ce1ae932
SHA256 052f2038158f786c0864adaeaa68edd2050bfdab473f56d30700cf68698755f5
SHA512 076417f777b82f9b1ac5b50f19d1b83f6b59aeb55bc6001c7ceb112d785604638f158ce16b1a44a072714d9fdb43df87e87f4ece04612c7b5fd0ddea9d0d66ab

memory/4656-65-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cgklmacf.exe

MD5 0d209215b522a41b385e778146241e1d
SHA1 7292dd736f8caa8e7b90d3cb1502851c830df57a
SHA256 63b5e4569b079fbc0f6a14594118c14b1784448bbee8b5c76136139e9dae1024
SHA512 789b2e2ad81ceae0db855bfddb6d32dc9d0c4dfb3661d5e5313ad14f3dcb530b97fccd4a14b62bd95ddeef5cc6e81ca62ce3dce38430d85601706918d38c00b8

memory/4272-73-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cdolgfbp.exe

MD5 8cb4c92a6c2b92f18b6d8e5b79120887
SHA1 beefd0670ffe5357336964320e0ea734e967869c
SHA256 9d9e214611b0c8a514bb73d21020233ea2261526112d016b6a23d333f5534cf0
SHA512 0df9159c593767b4a5a2b75c0d60b87d67af0aed936f5b5c5eb648f5ffeee0f1d96b38ce8ff7710fdf68550190dca8396b1b0e6e6441e4e3928af7a7b4456cec

memory/4948-80-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cildom32.exe

MD5 211ea342329d72e9f26a6285da007d65
SHA1 3765f2cfa56d9fca79645d3c60891f4ffa000550
SHA256 7e9d32f34110cc91f02af73ad25b0319c52ffa818d8ffa9aee276684dcb48e06
SHA512 5a4e2827e587ce9049f35f548fccef8553121ad4f32d3435e5eacb171b393020fc2df557ca5f8773fa21fa8594e001cfbf2bda500c3f7a3f23af9cc9cbc35634

memory/752-89-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cpfmlghd.exe

MD5 17794684ac10c0cbcae0c5e63da944db
SHA1 e065efcb643105f84e5d7eebe5668cdf9d609414
SHA256 8d5757e5d541bd3bba4d1e5d6fcc1a111c369cc0abadc58855c6ca550b3c2baa
SHA512 2b4a4225a6c046bebc25259912b273191fc6a24f22b842039b0e0c4adf8e6ced485b931b9130c18572d5de3915cc4937f345690c057e817faa52aa35a223e675

memory/4376-97-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dkkaiphj.exe

MD5 6621689022f678701fa6963f54857ecd
SHA1 0068b010ed4ac0216ee9a7b61aa069aa53ea9898
SHA256 0d6551c17a41a7a297101ce2566b670d4f979f7220309f56d8597449fe252360
SHA512 fa7331b29948659eb053968514d0d7ad209f4cfe040840bb72a2b72ad52c4683d1bccc7d2e38ea326d36f6b915dc99eab072e52fd5446202bd65f798489546aa

memory/1768-104-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dphiaffa.exe

MD5 be3ffe7671f481046dadd6be59c9c41e
SHA1 51f0e852bce5c8b56a67e24fd6a9519aeb0a0520
SHA256 393748a3b897f1c14d76f1b96274bfc64d8d7451ab36e85a49e0859a9b28c2a6
SHA512 8769bff5d13531d02ffb02618af5ebbeada5ca4a0bfb2fde09915f55627df21df6ca60c2da90a6e8c237cf242ce851c29b420f5ab33181143cfdf540e41df0d3

memory/4848-112-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Diqnjl32.exe

MD5 b35bb56989d6db5d83c96aba11bb72f9
SHA1 4ed5d19ab48e4be0182967887348726e2e5252ea
SHA256 124ca1a04309df6fb0c1960e57a4b242d1782c44385d51e7cfe192e0850e6853
SHA512 d6e7a8419b6a6c8d1438ad270845ae09901db5424064f3bfeee953f1b924277a0b7715adf227fbdc4482423fd2dd14a01c05b27bb74fdafd77f1965b83729b86

memory/812-121-0x0000000000400000-0x0000000000453000-memory.dmp

memory/812-124-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1768-127-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4376-131-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3504-141-0x0000000000400000-0x0000000000453000-memory.dmp

memory/632-145-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3668-153-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3448-151-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2200-149-0x0000000000400000-0x0000000000453000-memory.dmp

memory/340-147-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1152-143-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3744-139-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4656-137-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4272-135-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4948-133-0x0000000000400000-0x0000000000453000-memory.dmp

memory/752-130-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4848-125-0x0000000000400000-0x0000000000453000-memory.dmp