Analysis Overview
SHA256
dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327
Threat Level: Known bad
The file dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Berbew family
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 08:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 08:01
Reported
2024-11-07 08:03
Platform
win7-20241010-en
Max time kernel
13s
Max time network
19s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pojecajj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cegoqlof.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gifclb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Idkpganf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nbjeinje.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ccmpce32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kdklfe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kkjnnn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Njfjnpgp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Omnipjni.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Abmgjo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gkglnm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Objaha32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Abmgjo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bjkhdacm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cocphf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fjjpjgjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Phlclgfc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Accqnc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bigkel32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hgpjhn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iflmjihl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lcjlnpmo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oococb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pepcelel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Paknelgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cegoqlof.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fjhcegll.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ghdgfbkl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kkjnnn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pebpkk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qppkfhlc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cgfkmgnj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Injndk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ilnomp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jhbold32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kncaojfb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgedmb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nenkqi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qiioon32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Omnipjni.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Accqnc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aaimopli.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Alqnah32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Adnpkjde.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fgldnkkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fjjpjgjj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lfkeokjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jpdnbbah.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njfjnpgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Objaha32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ilnomp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iihiphln.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ofadnq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bgcbhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fgldnkkf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jbhcim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hjacjifm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cchbgi32.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Olfcfe32.dll | C:\Windows\SysWOW64\Iihiphln.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgoelh32.exe | C:\Windows\SysWOW64\Cocphf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hdhkdkaa.dll | C:\Windows\SysWOW64\Hjacjifm.exe | N/A |
| File created | C:\Windows\SysWOW64\Accqnc32.exe | C:\Windows\SysWOW64\Alihaioe.exe | N/A |
| File created | C:\Windows\SysWOW64\Acnenl32.dll | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Egqjelqn.dll | C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | N/A |
| File created | C:\Windows\SysWOW64\Pjdjea32.dll | C:\Windows\SysWOW64\Mmicfh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pebpkk32.exe | C:\Windows\SysWOW64\Pohhna32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qgmpibam.exe | C:\Windows\SysWOW64\Qiioon32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mmicfh32.exe | C:\Windows\SysWOW64\Mmbmeifk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cegoqlof.exe | C:\Windows\SysWOW64\Cjakccop.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jhbold32.exe | C:\Windows\SysWOW64\Jpdnbbah.exe | N/A |
| File created | C:\Windows\SysWOW64\Abmgjo32.exe | C:\Windows\SysWOW64\Alqnah32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cnimiblo.exe | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iihiphln.exe | C:\Windows\SysWOW64\Idkpganf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjkhdacm.exe | C:\Windows\SysWOW64\Adnpkjde.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bqeqqk32.exe | C:\Windows\SysWOW64\Bjkhdacm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kddomchg.exe | C:\Windows\SysWOW64\Kkjnnn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cpehmcmg.dll | C:\Windows\SysWOW64\Jpdnbbah.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pplaki32.exe | C:\Windows\SysWOW64\Pojecajj.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbjclbek.dll | C:\Windows\SysWOW64\Ahbekjcf.exe | N/A |
| File created | C:\Windows\SysWOW64\Eepejpil.dll | C:\Windows\SysWOW64\Cnimiblo.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhbold32.exe | C:\Windows\SysWOW64\Jpdnbbah.exe | N/A |
| File created | C:\Windows\SysWOW64\Agjobffl.exe | C:\Windows\SysWOW64\Abmgjo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ccmpce32.exe | C:\Windows\SysWOW64\Bigkel32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cefkjiak.dll | C:\Windows\SysWOW64\Gfcnegnk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pebpkk32.exe | C:\Windows\SysWOW64\Pohhna32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qqmfpqmc.dll | C:\Windows\SysWOW64\Pohhna32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pkcbnanl.exe | C:\Windows\SysWOW64\Paknelgk.exe | N/A |
| File created | C:\Windows\SysWOW64\Jpefpo32.dll | C:\Windows\SysWOW64\Qiioon32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ciihklpj.exe | C:\Windows\SysWOW64\Ccmpce32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kjoahnho.dll | C:\Windows\SysWOW64\Jbhcim32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmagpjhh.dll | C:\Windows\SysWOW64\Iflmjihl.exe | N/A |
| File created | C:\Windows\SysWOW64\Aaimopli.exe | C:\Windows\SysWOW64\Allefimb.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghdgfbkl.exe | C:\Windows\SysWOW64\Gfcnegnk.exe | N/A |
| File created | C:\Windows\SysWOW64\Klbgbj32.dll | C:\Windows\SysWOW64\Ofadnq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bigkel32.exe | C:\Windows\SysWOW64\Bgcbhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jclcfm32.dll | C:\Windows\SysWOW64\Ghdgfbkl.exe | N/A |
| File created | C:\Windows\SysWOW64\Alqnah32.exe | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hjcppidk.exe | C:\Windows\SysWOW64\Hjacjifm.exe | N/A |
| File created | C:\Windows\SysWOW64\Dekhchoj.dll | C:\Windows\SysWOW64\Gifclb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Idkpganf.exe | C:\Windows\SysWOW64\Ilnomp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Behjbjcf.dll | C:\Windows\SysWOW64\Kncaojfb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cocphf32.exe | C:\Windows\SysWOW64\Ciihklpj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gifclb32.exe | C:\Windows\SysWOW64\Ghdgfbkl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nenkqi32.exe | C:\Windows\SysWOW64\Njfjnpgp.exe | N/A |
| File created | C:\Windows\SysWOW64\Qgmpibam.exe | C:\Windows\SysWOW64\Qiioon32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ciihklpj.exe | C:\Windows\SysWOW64\Ccmpce32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Injndk32.exe | C:\Windows\SysWOW64\Iflmjihl.exe | N/A |
| File created | C:\Windows\SysWOW64\Pojecajj.exe | C:\Windows\SysWOW64\Pebpkk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Maanne32.dll | C:\Windows\SysWOW64\Aaimopli.exe | N/A |
| File created | C:\Windows\SysWOW64\Komjgdhc.dll | C:\Windows\SysWOW64\Abmgjo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aqpmpahd.dll | C:\Windows\SysWOW64\Ciihklpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfcnegnk.exe | C:\Windows\SysWOW64\Fjjpjgjj.exe | N/A |
| File created | C:\Windows\SysWOW64\Kddomchg.exe | C:\Windows\SysWOW64\Kkjnnn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Objaha32.exe | C:\Windows\SysWOW64\Omnipjni.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Alihaioe.exe | C:\Windows\SysWOW64\Qgmpibam.exe | N/A |
| File created | C:\Windows\SysWOW64\Pkjjaebl.dll | C:\Windows\SysWOW64\Fgldnkkf.exe | N/A |
| File created | C:\Windows\SysWOW64\Knbbpakg.dll | C:\Windows\SysWOW64\Kkjnnn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pohbak32.dll | C:\Windows\SysWOW64\Mmbmeifk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nbjeinje.exe | C:\Windows\SysWOW64\Mmicfh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cchbgi32.exe | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gifclb32.exe | C:\Windows\SysWOW64\Ghdgfbkl.exe | N/A |
| File created | C:\Windows\SysWOW64\Adnpkjde.exe | C:\Windows\SysWOW64\Agjobffl.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dpapaj32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fgldnkkf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lklgbadb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lgchgb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Alqnah32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnimiblo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Abmgjo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bqeqqk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hjcppidk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jikeeh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ofadnq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Allefimb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Opihgfop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oococb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pohhna32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pojecajj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hjacjifm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iflmjihl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lfkeokjp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mgedmb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ahbekjcf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjkhdacm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgcbhd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cchbgi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hgpjhn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Knmdeioh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qgmpibam.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Accqnc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kncaojfb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cocphf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Phlclgfc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ciihklpj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghdgfbkl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gbadjg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jpdnbbah.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jbhcim32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Alihaioe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bkjdndjo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Injndk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kpdjaecc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nbjeinje.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qppkfhlc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lcjlnpmo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Adnpkjde.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjakccop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fjhcegll.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gkglnm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jhbold32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kdklfe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ccmpce32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pepcelel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qiioon32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Agjobffl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pplaki32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nenkqi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bceibfgj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gifclb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kddomchg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Paknelgk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Idkpganf.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kdklfe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ofadnq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cgfkmgnj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hjcppidk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfcfe32.dll" | C:\Windows\SysWOW64\Iihiphln.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbakl32.dll" | C:\Windows\SysWOW64\Pepcelel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bigkel32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmjlg32.dll" | C:\Windows\SysWOW64\Injndk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoblpdnf.dll" | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Alqnah32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Agjobffl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ahbekjcf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll" | C:\Windows\SysWOW64\Abmgjo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bjkhdacm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lfkeokjp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nbjeinje.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qgmpibam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Accqnc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gfcnegnk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gbadjg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hneebcff.dll" | C:\Windows\SysWOW64\Jikeeh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gfcnegnk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hfjpdjjo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lcjlnpmo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Njfjnpgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nenkqi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdonf32.dll" | C:\Windows\SysWOW64\Kpdjaecc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjkhdacm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cjakccop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjoahnho.dll" | C:\Windows\SysWOW64\Jbhcim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kpdjaecc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Opihgfop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Injndk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kpdjaecc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pohhna32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll" | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fjhcegll.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jikeeh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll" | C:\Windows\SysWOW64\Ccmpce32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aaimopli.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gkglnm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hjcppidk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Lklgbadb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Alihaioe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fgldnkkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gkglnm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pkcbnanl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cgfkmgnj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll" | C:\Windows\SysWOW64\Alihaioe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bkjdndjo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cnkjnb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Idkpganf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knbbpakg.dll" | C:\Windows\SysWOW64\Kkjnnn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljoegei.dll" | C:\Windows\SysWOW64\Lklgbadb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Paknelgk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hjacjifm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obecdjcn.dll" | C:\Windows\SysWOW64\Oococb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cnimiblo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcnfppba.dll" | C:\Windows\SysWOW64\Nenkqi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Adnpkjde.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe
"C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe"
C:\Windows\SysWOW64\Fjhcegll.exe
C:\Windows\system32\Fjhcegll.exe
C:\Windows\SysWOW64\Fgldnkkf.exe
C:\Windows\system32\Fgldnkkf.exe
C:\Windows\SysWOW64\Fjjpjgjj.exe
C:\Windows\system32\Fjjpjgjj.exe
C:\Windows\SysWOW64\Gfcnegnk.exe
C:\Windows\system32\Gfcnegnk.exe
C:\Windows\SysWOW64\Ghdgfbkl.exe
C:\Windows\system32\Ghdgfbkl.exe
C:\Windows\SysWOW64\Gifclb32.exe
C:\Windows\system32\Gifclb32.exe
C:\Windows\SysWOW64\Gkglnm32.exe
C:\Windows\system32\Gkglnm32.exe
C:\Windows\SysWOW64\Gbadjg32.exe
C:\Windows\system32\Gbadjg32.exe
C:\Windows\SysWOW64\Hgpjhn32.exe
C:\Windows\system32\Hgpjhn32.exe
C:\Windows\SysWOW64\Hjacjifm.exe
C:\Windows\system32\Hjacjifm.exe
C:\Windows\SysWOW64\Hjcppidk.exe
C:\Windows\system32\Hjcppidk.exe
C:\Windows\SysWOW64\Hfjpdjjo.exe
C:\Windows\system32\Hfjpdjjo.exe
C:\Windows\SysWOW64\Iflmjihl.exe
C:\Windows\system32\Iflmjihl.exe
C:\Windows\SysWOW64\Injndk32.exe
C:\Windows\system32\Injndk32.exe
C:\Windows\SysWOW64\Ilnomp32.exe
C:\Windows\system32\Ilnomp32.exe
C:\Windows\SysWOW64\Idkpganf.exe
C:\Windows\system32\Idkpganf.exe
C:\Windows\SysWOW64\Iihiphln.exe
C:\Windows\system32\Iihiphln.exe
C:\Windows\SysWOW64\Jikeeh32.exe
C:\Windows\system32\Jikeeh32.exe
C:\Windows\SysWOW64\Jpdnbbah.exe
C:\Windows\system32\Jpdnbbah.exe
C:\Windows\SysWOW64\Jhbold32.exe
C:\Windows\system32\Jhbold32.exe
C:\Windows\SysWOW64\Jbhcim32.exe
C:\Windows\system32\Jbhcim32.exe
C:\Windows\SysWOW64\Kdklfe32.exe
C:\Windows\system32\Kdklfe32.exe
C:\Windows\SysWOW64\Kncaojfb.exe
C:\Windows\system32\Kncaojfb.exe
C:\Windows\SysWOW64\Kpdjaecc.exe
C:\Windows\system32\Kpdjaecc.exe
C:\Windows\SysWOW64\Kkjnnn32.exe
C:\Windows\system32\Kkjnnn32.exe
C:\Windows\SysWOW64\Kddomchg.exe
C:\Windows\system32\Kddomchg.exe
C:\Windows\SysWOW64\Knmdeioh.exe
C:\Windows\system32\Knmdeioh.exe
C:\Windows\SysWOW64\Lcjlnpmo.exe
C:\Windows\system32\Lcjlnpmo.exe
C:\Windows\SysWOW64\Lfkeokjp.exe
C:\Windows\system32\Lfkeokjp.exe
C:\Windows\SysWOW64\Lklgbadb.exe
C:\Windows\system32\Lklgbadb.exe
C:\Windows\SysWOW64\Lgchgb32.exe
C:\Windows\system32\Lgchgb32.exe
C:\Windows\SysWOW64\Mgedmb32.exe
C:\Windows\system32\Mgedmb32.exe
C:\Windows\SysWOW64\Mmbmeifk.exe
C:\Windows\system32\Mmbmeifk.exe
C:\Windows\SysWOW64\Mmicfh32.exe
C:\Windows\system32\Mmicfh32.exe
C:\Windows\SysWOW64\Nbjeinje.exe
C:\Windows\system32\Nbjeinje.exe
C:\Windows\SysWOW64\Njfjnpgp.exe
C:\Windows\system32\Njfjnpgp.exe
C:\Windows\SysWOW64\Nenkqi32.exe
C:\Windows\system32\Nenkqi32.exe
C:\Windows\SysWOW64\Ofadnq32.exe
C:\Windows\system32\Ofadnq32.exe
C:\Windows\SysWOW64\Opihgfop.exe
C:\Windows\system32\Opihgfop.exe
C:\Windows\SysWOW64\Omnipjni.exe
C:\Windows\system32\Omnipjni.exe
C:\Windows\SysWOW64\Objaha32.exe
C:\Windows\system32\Objaha32.exe
C:\Windows\SysWOW64\Oococb32.exe
C:\Windows\system32\Oococb32.exe
C:\Windows\SysWOW64\Phlclgfc.exe
C:\Windows\system32\Phlclgfc.exe
C:\Windows\SysWOW64\Pepcelel.exe
C:\Windows\system32\Pepcelel.exe
C:\Windows\SysWOW64\Pohhna32.exe
C:\Windows\system32\Pohhna32.exe
C:\Windows\SysWOW64\Pebpkk32.exe
C:\Windows\system32\Pebpkk32.exe
C:\Windows\SysWOW64\Pojecajj.exe
C:\Windows\system32\Pojecajj.exe
C:\Windows\SysWOW64\Pplaki32.exe
C:\Windows\system32\Pplaki32.exe
C:\Windows\SysWOW64\Paknelgk.exe
C:\Windows\system32\Paknelgk.exe
C:\Windows\SysWOW64\Pkcbnanl.exe
C:\Windows\system32\Pkcbnanl.exe
C:\Windows\SysWOW64\Qppkfhlc.exe
C:\Windows\system32\Qppkfhlc.exe
C:\Windows\SysWOW64\Qiioon32.exe
C:\Windows\system32\Qiioon32.exe
C:\Windows\SysWOW64\Qgmpibam.exe
C:\Windows\system32\Qgmpibam.exe
C:\Windows\SysWOW64\Alihaioe.exe
C:\Windows\system32\Alihaioe.exe
C:\Windows\SysWOW64\Accqnc32.exe
C:\Windows\system32\Accqnc32.exe
C:\Windows\SysWOW64\Allefimb.exe
C:\Windows\system32\Allefimb.exe
C:\Windows\SysWOW64\Aaimopli.exe
C:\Windows\system32\Aaimopli.exe
C:\Windows\SysWOW64\Ahbekjcf.exe
C:\Windows\system32\Ahbekjcf.exe
C:\Windows\SysWOW64\Aakjdo32.exe
C:\Windows\system32\Aakjdo32.exe
C:\Windows\SysWOW64\Alqnah32.exe
C:\Windows\system32\Alqnah32.exe
C:\Windows\SysWOW64\Abmgjo32.exe
C:\Windows\system32\Abmgjo32.exe
C:\Windows\SysWOW64\Agjobffl.exe
C:\Windows\system32\Agjobffl.exe
C:\Windows\SysWOW64\Adnpkjde.exe
C:\Windows\system32\Adnpkjde.exe
C:\Windows\SysWOW64\Bjkhdacm.exe
C:\Windows\system32\Bjkhdacm.exe
C:\Windows\SysWOW64\Bqeqqk32.exe
C:\Windows\system32\Bqeqqk32.exe
C:\Windows\SysWOW64\Bkjdndjo.exe
C:\Windows\system32\Bkjdndjo.exe
C:\Windows\SysWOW64\Bceibfgj.exe
C:\Windows\system32\Bceibfgj.exe
C:\Windows\SysWOW64\Bnknoogp.exe
C:\Windows\system32\Bnknoogp.exe
C:\Windows\SysWOW64\Bgcbhd32.exe
C:\Windows\system32\Bgcbhd32.exe
C:\Windows\SysWOW64\Bigkel32.exe
C:\Windows\system32\Bigkel32.exe
C:\Windows\SysWOW64\Ccmpce32.exe
C:\Windows\system32\Ccmpce32.exe
C:\Windows\SysWOW64\Ciihklpj.exe
C:\Windows\system32\Ciihklpj.exe
C:\Windows\SysWOW64\Cocphf32.exe
C:\Windows\system32\Cocphf32.exe
C:\Windows\SysWOW64\Cgoelh32.exe
C:\Windows\system32\Cgoelh32.exe
C:\Windows\SysWOW64\Cnimiblo.exe
C:\Windows\system32\Cnimiblo.exe
C:\Windows\SysWOW64\Cinafkkd.exe
C:\Windows\system32\Cinafkkd.exe
C:\Windows\SysWOW64\Cnkjnb32.exe
C:\Windows\system32\Cnkjnb32.exe
C:\Windows\SysWOW64\Cchbgi32.exe
C:\Windows\system32\Cchbgi32.exe
C:\Windows\SysWOW64\Cjakccop.exe
C:\Windows\system32\Cjakccop.exe
C:\Windows\SysWOW64\Cegoqlof.exe
C:\Windows\system32\Cegoqlof.exe
C:\Windows\SysWOW64\Cgfkmgnj.exe
C:\Windows\system32\Cgfkmgnj.exe
C:\Windows\SysWOW64\Dpapaj32.exe
C:\Windows\system32\Dpapaj32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 144
Network
Files
\Windows\SysWOW64\Fjhcegll.exe
| MD5 | 4548b026a39fb55971664433b5dc2d3d |
| SHA1 | 939d335b1e4fd11ed1d555c648a2befe8e25db44 |
| SHA256 | 82fbe3ab7d5a49f9dff0278d6317731df6cbd57fc5a82302ae880c6e8f3925d8 |
| SHA512 | 3dc64ab6374b744f0b048418ca307c74a42ddaa5cb9e71a11ae61647e2fdc871475a6e7ed95189c03af49b8b03ca0f5999e4c4a453ad9b9fa0fdb80a96e7481e |
C:\Windows\SysWOW64\Fgldnkkf.exe
| MD5 | bde89b0690f435581c5301b5d04cb0fe |
| SHA1 | 8c14081742e888be2bff354accc43c779175cdb4 |
| SHA256 | fe2aed1c7bec5b2486d03fe6071e4270558f3f2d57397f1750c933b0d5ba6a57 |
| SHA512 | 2fadf6cbb2137a40a27a9309c5ef9feb963d3f3c97a2e20c513d03c10622f1cd2d6417445e690c482da82b0578b1524a2541130e2a14cddab9555a63b2994b43 |
\Windows\SysWOW64\Fjjpjgjj.exe
| MD5 | 3d308a75cc6952b343fa81e19c4da8c4 |
| SHA1 | 8c62637cac25ac907a755cbc7228bb61be84cab9 |
| SHA256 | 37553c31f58d94cd24ab88e07e9d731948d8e51e959423905ff1ddd10581d6ef |
| SHA512 | bc180fbf9a42acca0dd96e8cf0442566f4e9d03f3405f3402d616a418d54b1d8a4df1ea033456d494639e655ee717a5c3480d2eff8680534729086ccc63f8369 |
\Windows\SysWOW64\Gfcnegnk.exe
| MD5 | 06e057a9566389202f090304706932a4 |
| SHA1 | ed78568087ff0408f9d8c31eb8806bee9ab8543d |
| SHA256 | ce019ca09b2fdad1d45ec79995294364062ab4b110685cf76ba929e74a63ae8c |
| SHA512 | 16b7a5cd7f063efb61568d41a3be951f6e1130d5cf132e2fd3e8d930f9c7ef3f82b38de9a4610d97bf39431b1b3b38a56ecb0cef11562614732efd91ea5bca81 |
\Windows\SysWOW64\Ghdgfbkl.exe
| MD5 | 347962b4860b12c6929a5706ce470fb6 |
| SHA1 | a005115d3b8138261707bc84936e92a624e693f1 |
| SHA256 | 73ace806ce823472277df84c23e27095375e069f43387572083722684ed6a6f9 |
| SHA512 | be13f1aaa1e133d2c80fb5df2ba0f8e0eb1f2a8ba4b4366f17186287ac8c40c11d037ff97a49a720b7489583786c8dbd53af3d888f2e4d4eba02134c59feb236 |
\Windows\SysWOW64\Gifclb32.exe
| MD5 | c922bbf68ca67380f7f485ec27af975c |
| SHA1 | 26d8f0fd84b702afc6a4a35d2a01a60d320b6e8b |
| SHA256 | e9665eec5edb8a06f611542d90c9ce1e564ed06f61b82c34f3f46c367e7e4b87 |
| SHA512 | a46a9e075f11d8cbc6442f84138fc1e6e02dbd4bd3387b6e58a21008802bd401cf1ae37654c5a60eaf26c3662bc71e042eeb6f3e72487aaf5272a1ef67e0d352 |
\Windows\SysWOW64\Gkglnm32.exe
| MD5 | cb7aa1842289a726b2fdd0f2bb5ef375 |
| SHA1 | 4284a0c4c79daf62fa314faef610be910e3ef4d4 |
| SHA256 | 3db7bca9989fe285075fe485d4400bf26ee5d7eee7e729519c76ea7483649a5c |
| SHA512 | ffe2bedb1f62cd532353bf555e516e737f45f22799fb02f947bf1fc0e9141c3827b51936545ce2d76a348e14fa07a01c182904c7f443fdab7980432778655d84 |
\Windows\SysWOW64\Gbadjg32.exe
| MD5 | b90150936424a465ffb428082d92e73d |
| SHA1 | 387cab7b69029b3397e07e1407a47499e977eb8b |
| SHA256 | a8d8530972c0e1d85a0304c847bd8b060cb10d8392bfedd9ba6594906a5057ff |
| SHA512 | d4bae5fa69d07985a09638b1deb7c981d55a46e176e4d5b8e56000e0ca99e12a2ba62498927713e694eb3e83294b19fb34296f9c21b9da6719ec242cd096d647 |
\Windows\SysWOW64\Hgpjhn32.exe
| MD5 | a7e1192112f7e8c933b3f3de3cae03c8 |
| SHA1 | 6ab19a4ae4ff40374307bbfb91fab8d4afee8b4b |
| SHA256 | 726504da036af709d9a94617af3c2b915016caf26fe44c0e6bff5a5608f24752 |
| SHA512 | 84112e184545c1a1100e3a05c889d286c116dcefd034d28cfe8f66c52fbb37ba8d44b67cbc107bb9940189bdf6585c93e1060d4a429d42029f97d5bf408031ab |
\Windows\SysWOW64\Hjacjifm.exe
| MD5 | 9ef904a1920ac518ac3aeb4e9b4fd5a6 |
| SHA1 | 2a71758b24be3a5be063bb7d2a4697ef79d1ddc7 |
| SHA256 | 881944ca27d3c12d65d58e3f2476c242796fbdf660e3f0be3e59737be1eff8b4 |
| SHA512 | 2c12d5c1e81ad728ec23577add1d8cf50c5e4b99630c3a3218f9abcaf0ebe71063adb0f7358de63088627e1e5c20f4379c4daabcf27f6ef6ee00d12abf2b6eb7 |
\Windows\SysWOW64\Hjcppidk.exe
| MD5 | 9e15a43f34a46287146a56a777053e61 |
| SHA1 | 9e7b952e18fa7a2ae44f433f8586c496051d70dc |
| SHA256 | 23da91fad5065c7f6f5ceab5a763fbd15a1dbc5e803722d894a45a60793b95dd |
| SHA512 | 8538f82d8b4a60e408f04333f5c0f37adeb6ba0897b5a5409798df6834f569d529145049ca9a77906ce5491d0f0746d4e3ff7c82b091461bdfc38044cb627350 |
\Windows\SysWOW64\Hfjpdjjo.exe
| MD5 | 1ca47b513b74dd170aca65336e455355 |
| SHA1 | 45dcb961749e5e916fbeb7ccc6a49aed392de7ba |
| SHA256 | c9434471e38e97365cab64c62fc36ec7427e8c7f5004b073b44dff6ea881815d |
| SHA512 | d0ef6fc6810199b3ef3e1de87e37cf63fcc3e133d118ad41ceef10f9df67a8401830b3b2ffb3203a13c0643b0bc16de3c23e70ff58e314fc03788df736c9338d |
\Windows\SysWOW64\Iflmjihl.exe
| MD5 | fda0e7bbbdafc9841f95efd7c4c26439 |
| SHA1 | 7e1a25faeee4b087eade1428b28892e5765d2348 |
| SHA256 | fb59ee1faa0c302663419deb5d49d03b3dea9502715a0426bcdcaa7416acfadc |
| SHA512 | bf23231ef73b4189aa2a1c0627a0757da9459f4f829e38bca1a13f70ade461824a195199970593a652486d3639b2d3e2e882f6e733048407fbd4e8f429b8dc84 |
C:\Windows\SysWOW64\Ilnomp32.exe
| MD5 | 4fc0f71fc432fc182a0162f5983ed5b8 |
| SHA1 | 54d6e183ce84eb06f561e56040e50e8abc63b7db |
| SHA256 | f747fe4637cc1eb60988acc4a2e2e440fcd9215fdb2e3c4bf4ee58f08b439682 |
| SHA512 | 636673694a4a52826141066017372a571444859e5746e909e5bdf6ecc06959da6920ca93f79c84a28fbed2e7b67ab931c376ee52082b3e5fb952bf177c93450b |
C:\Windows\SysWOW64\Injndk32.exe
| MD5 | fd9f2cf68e1f57f41c7efbd9253df6f8 |
| SHA1 | 37e7eaa2075c84725546679a58e38136a75487d7 |
| SHA256 | f2f62f0e57a45db391a9d9d8ca374effdb6285148fcc304f471cfbda7c10f24f |
| SHA512 | 5e77ba90e70e93b58bae1a8767b518a83a5ae82ec44a8a25be107c6393e96f9d99ac5bdaafa85750748e77ff6b9809af87bd0eff7b5d2b1865331267b71589f3 |
\Windows\SysWOW64\Idkpganf.exe
| MD5 | ba2850b2e1ba5c76d3dd07bd2a2e10e2 |
| SHA1 | 105770f30c75efe47799c1a4dd69d131ebd48a7e |
| SHA256 | 11b71085714ea88a2992bd833e5d83f9685cbddca643fe976cb5611a5cd5d05c |
| SHA512 | c6438ba25a8c156c9a338c1883ef8ef9d869a26b12537248e14fda98fa8310cecc56fce892db065a4e31945718aa795522c9d663a7d4d4a631cde957eb77781a |
C:\Windows\SysWOW64\Iihiphln.exe
| MD5 | 6901537827b869ad60b301c609d16033 |
| SHA1 | eb00ed7cc716a084f59ea1f3abf6495dd3a5300d |
| SHA256 | a628b0191a82dfa1493d62d044c9b51f022d840767ef701a791389d59ef04118 |
| SHA512 | 5adf17b8519a10c380823ea8ea7d18e859c6b3bc61590516098bb611d5ea6ee8e765e8b24dcfeac4f69450fa1b715436a4056041eb415396ec96c1de6eeb92a5 |
C:\Windows\SysWOW64\Jikeeh32.exe
| MD5 | 14f3097512376a8153f93e35d5d0d556 |
| SHA1 | 77a64e50a3fc47b0e09a8537ab928732df23f5cb |
| SHA256 | 767ef0c75506aeb9b368fffa8a09289d59b24913ad0aa0133a1a350c451f4124 |
| SHA512 | 1d147571e874b3df6a37c7acb2879cf8f488c5de84754fc01ce71b16c7cec3a83eba9fe5b7aabe604147684edfc74c0e9392b6619dd8bd36450632f027b91684 |
C:\Windows\SysWOW64\Jpdnbbah.exe
| MD5 | 7803006eedddd5dad3cea049688524d7 |
| SHA1 | 833107093823706d8b3b753f3faa78b7357373b0 |
| SHA256 | fd97d62a5502d4f6b66298f81312ead501dd3b9140bcbb706563f69d964267c0 |
| SHA512 | 9d9939820a03783c0528de32beef202b8b48482e79aa42364eed9b90e83b6d7733d5f794c65eb67d85c86fef84717c76fbe06eedfb780d1db99cb46b18530ffb |
C:\Windows\SysWOW64\Jhbold32.exe
| MD5 | 35ac0c7732a23422f000a4d145cbd57b |
| SHA1 | 49c6cb3c40d1f79a41cbf4b9ce09b498c53cd64f |
| SHA256 | 1eed4329cc22ec97088c204885b975e7811332a448dffc7858fff3adefb16ce6 |
| SHA512 | 204ed74a5c6fc22192a59f209e1688ca64f901f1dd3f4ebf07ce1b8fd3bbc708e9a632602aafe548a71cc8e5965961083251a751edf9051ca57b32f320ab4f16 |
C:\Windows\SysWOW64\Jbhcim32.exe
| MD5 | fb594a087bafedc228c7b8c253aa6e45 |
| SHA1 | b26f22317301ac12bbf6f318c0bc8935d85b8bef |
| SHA256 | 75be8c49ec47704ebe82409eea201d9921feb5e5aad4431d0f436cb47827690b |
| SHA512 | 3a9eaec64e862d7b4efad722a355bfeb505bb0acf978a21ac07d319e74f3a9f15f6c8ccf63b2f85f4af89ce8721b9bb6b63b3de77fa72ff32cda903d97ee4521 |
C:\Windows\SysWOW64\Kdklfe32.exe
| MD5 | ac87c08af5baaa011b4736bd8848e9c6 |
| SHA1 | 432ce73b61a7965ae2e4fe3961ac3d28065473af |
| SHA256 | 9bf85ff2ea98b9adafb6ebd7389b3e2a9be571568df133bdbc9719187f4fc518 |
| SHA512 | f1a3845a272dd1968b8aa3c79141c4b1670baf6a6b1c0267903e4e8bc834f4b187b9f4e5a866a806912fc88d202e676df96b670c2f215fbb2e27fa7b4211d4fa |
C:\Windows\SysWOW64\Kncaojfb.exe
| MD5 | 252dba6cfb6e5133fb6510bdd0f756e1 |
| SHA1 | 28c4f9014008e2a4604d7fce7891c86bd2fa069e |
| SHA256 | e4322bd1d946daa1a79dd49ad809f719a48cb316fde5887aff596f36877c2b0c |
| SHA512 | b91b67518bb6f876a42cdc0c164788145043d08562207954c7b0990bd0d2e0ea76e66d17c34fbde40fcb795aa0e55a93c2ca15f0decd48aaa9704028f6fa33bb |
C:\Windows\SysWOW64\Kpdjaecc.exe
| MD5 | d1c3049bb648867a56d4f2406e72c89c |
| SHA1 | d1c7b7a6f4ce856b659a528a9ec4a30fc4cac213 |
| SHA256 | be7366f85dff2ca4a3dda4df04ac172824405f3804b65f79601f0be6659b50b5 |
| SHA512 | e484d1462e83f3901debf7ddd87ca7cafb3625777cff72f6a883a9aae9980f0ee871ad8038f49ab111fb78953637c0dc54acc051c7610d4fe1efc465912d4c1e |
C:\Windows\SysWOW64\Kkjnnn32.exe
| MD5 | 3535d7b6349faca583c750c0934a33f5 |
| SHA1 | bb7d1a165d7243cd162966a3ba56a09345a6f641 |
| SHA256 | 055b79dd32a0b47898e13117a441fd2b2c0be880ed1b8513db04710979445cff |
| SHA512 | edcc8d79b7dd903d0fd72e6d0d30a88f8912bea93ab3980f8ce41078562c5d39b47aec489827a44336efa1167931de2428851bb026a2723c62dcc65fd592a6b0 |
C:\Windows\SysWOW64\Kddomchg.exe
| MD5 | 833ea5fd7c2a63867040edc75413041a |
| SHA1 | 28663761f913eb0ec038897eaae84d24a02654d3 |
| SHA256 | 06bad6451f202fe9acbe61930196bc4e09792ba20a0ae1e6dffc809c1c4b8307 |
| SHA512 | c175edfc4ae9548bb4f434f420f2381b67b36ea9c93b665f53619c24d6db25bbca4e1cdc01d565d853f181268d4f8431e5a795cd834ee7d7bcb6cf5f1f9c22b7 |
C:\Windows\SysWOW64\Knmdeioh.exe
| MD5 | d4781632db0246961788ed6b5dc0c6f5 |
| SHA1 | a914b5045138516fb89bc574ebacd986e51acf90 |
| SHA256 | 2b902cc40e91626b105ec059e6edba963c9a2c252f5c8230e0182b6505fa100f |
| SHA512 | c3205e34dd425fac88c369f5ed95a70968c7d552289770fc3716bf8d51242552f1b3b9af08506db7977218266f7c2d22c0299c0d08edecb74c3bb7f82a9298ed |
C:\Windows\SysWOW64\Lcjlnpmo.exe
| MD5 | 1e1fd7d3e0733b87e595e48417683f65 |
| SHA1 | 197780abfa50db4346f6fed0609107eb9655195f |
| SHA256 | 779790603916af619120c2b2a8cc16598a1a8475d9cccf1302b788ba53df406e |
| SHA512 | 791a34023b9226f94487e976702a2a00420c4cb53ff5b0c7bb8e28b86e5b4609da862fb8fd152f9af14a0b2469916e2ed78f433cae2af031edb1a131f01420db |
C:\Windows\SysWOW64\Lfkeokjp.exe
| MD5 | 9fb6afb8e2d144f1355e15f7fe7f1a17 |
| SHA1 | fd66b715d22c7b33de13e72061fe7b7fd8d505a0 |
| SHA256 | ff509a73487c5b267dfca42d88e43cc46025aa525ade8b449e24dc46dc3da4ed |
| SHA512 | b3620a09530928848fbace8edecaa828aa3e6c17acbf9f20c73d046d93b14375e620c4fd1a708477922ace7ba7d2775aad15ed8ef7c51f87490f0f905cee8a7c |
C:\Windows\SysWOW64\Lklgbadb.exe
| MD5 | 354fd5dc15f79db4ad8afefaed1bb4f1 |
| SHA1 | cd51145598410ffebdb17199c8d2e62aa39cc08a |
| SHA256 | d4b0bc3440a6d7b9e7527f6ee86f2c0b25c43789d296bf31e140f723b049b09f |
| SHA512 | 4f26cefc67c30f3a76044be79af2cb74aae3903ef2ebe1024a1fbb38437c7850875c6eca3c3870f875d14dbf39e0c3f1cb71fbd90bd12636c304244f4995acd1 |
C:\Windows\SysWOW64\Lgchgb32.exe
| MD5 | b75e5ad3d464e0c36dc98a654eda9e90 |
| SHA1 | f3ce9602880b9091379cd67b88bcc4e5efbab8f9 |
| SHA256 | 48d90030710be215150799b4f92886a8264296c5261f46cd4cf9018c5d653e77 |
| SHA512 | a5babd26d9f58220d7b3caae64ed0576292443b1e5cd192e32828681bcf5b066a6d8f6b3425e401cfaf424f67c3cdc4ef23ac09bdee687e70ed3b9145c0b4658 |
C:\Windows\SysWOW64\Mmbmeifk.exe
| MD5 | 4ede4eee1f38468dc8b13312d5850b9c |
| SHA1 | 21bd28b4b6e90e847e9599b07d1bb528ee8fa385 |
| SHA256 | 2b7d5b92152a08a91a7dac82daae71c3f1b518069a9438e63f9a572af4213f5a |
| SHA512 | aa74a9eb68d7502a224e0123fc3ad54a926f86ad25e3e807831e5aec75127796f434e23ab630b4a4c7af4a7e18d855ba2267bbaa55d66ba6a892338be1b6b32e |
C:\Windows\SysWOW64\Mgedmb32.exe
| MD5 | b6b567ae45bc764401f9bc6000ce676c |
| SHA1 | 610b47bcb84f79265388e2e84ce059113428fdd9 |
| SHA256 | eb4d8f1bc91baaa4251590fe80c6d04591ff6c58bdf8afae40f1829384712df8 |
| SHA512 | 0009889c5b82a2e7d6aa088edc98486c617e201db9295eece1dadd220de5d7da3153177c3ca6f2b3492f17506af81976183d6bdd09c051d78b13ab6750af43cd |
C:\Windows\SysWOW64\Mmicfh32.exe
| MD5 | b4a79a8176d7c0a6aa2c6409368046a7 |
| SHA1 | 8ee1eb5b13b2565fc3fedbb95d1ae26c916851fe |
| SHA256 | 1c1fc137d32a0040b4303ad4055b957f4f69b4142f5ca3cc719eed36226337cc |
| SHA512 | 1299b69c460f0cdfa0ee7640bd84f897b10ecce463ff24787c7bee01c46aacd3abae6b0c705083400c341722358a7ac50dc3b034d3d717127bce7c67f0561348 |
C:\Windows\SysWOW64\Nbjeinje.exe
| MD5 | f9d37cf053d5f86388eb2859481ceb7a |
| SHA1 | 25071986c8ad1a042f42d67801516fc939ca72c1 |
| SHA256 | ddced9c79ea6d878e7e503345372315987f4161082460aa66bc3022dde4b762e |
| SHA512 | 76f50acf15245e7d6138e6015a06ef4782cdc4cc22df53874e2e02e2c8a5a575426f2c465750e81611f5caca7dc98ef18eebffe4c43957067735888bfab8602e |
C:\Windows\SysWOW64\Njfjnpgp.exe
| MD5 | 7b53b996a78c0dd77ceb7354f03f27d5 |
| SHA1 | de39c4ab64a199c8761ee049e253b680b574fe53 |
| SHA256 | bb720a71f595424bd895d91f4792be8155ce6856c6b6f1ce35f8a663444a55be |
| SHA512 | 366f16b470ad03c3fdbb8a64fafc0c679b1f5312b8f76a3448823a378b8a2dfbc7f3966ee9e1e680477226b33929b924eb9080765e5fb7c55d4bfbf65f8676ac |
C:\Windows\SysWOW64\Nenkqi32.exe
| MD5 | 362e1666b8e759ae26327c8449903021 |
| SHA1 | ad56006692d72bb9dcc5b86f5a71cfada1a1a1ff |
| SHA256 | 6e4260d6da5f7e5408dc0e3670863b4d9c97a1c0abacd3c92b670d8ca4883369 |
| SHA512 | eb04874ab66eea4b32d59da1000b56e4cdddb0f7f5d809e9e4775be07596131447c0e167546c8161fb18cdfcc17de89d134a6baffacb6eeb5e4e6ee9f4e371da |
C:\Windows\SysWOW64\Ofadnq32.exe
| MD5 | 3be9f0d6e5253e64dc7a1c88a25b6bee |
| SHA1 | 96b8f5e6234f6c5c87c1cb691438abef9b21ee01 |
| SHA256 | ece0f88447d1777cbd2a0609852ccfbf35543dd992984b4dfc1a649e33fd4ee5 |
| SHA512 | 82ff9f58b028c033836b06a0929de0eb0cf3699cd99b1b2d4af8933ede5383b856b745a0d112b1e5a91b976eb1c54bbc8c9338411564133c49c90169985fb3a2 |
memory/2812-454-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2012-459-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2964-477-0x0000000000250000-0x0000000000290000-memory.dmp
C:\Windows\SysWOW64\Omnipjni.exe
| MD5 | 7ce2daa80341613edf1e88dbf141def2 |
| SHA1 | ca5e4ee368632a7fddd5da2c7401309dd488c108 |
| SHA256 | b3bde361d48b7115c8aec0cffa190bea2f5350873aa8d81e066d37c85402000b |
| SHA512 | 3610e137948594b652138d1dd9de147dd416179b43ba12f47ad70776f2073155ac32a864bdb713ff640f24e80ffca7a25ed37b9a3516f7c6f753cd1d4b114605 |
memory/2748-479-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2964-470-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1960-478-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2012-465-0x0000000000220000-0x0000000000260000-memory.dmp
memory/2964-476-0x0000000000250000-0x0000000000290000-memory.dmp
C:\Windows\SysWOW64\Objaha32.exe
| MD5 | 40744e7aff44730fe510a3579beddbc2 |
| SHA1 | efe60b6149f5b02106bbbfd21d8ad4c60a458c5a |
| SHA256 | 60758fc805f6fa4c7fe321afb4348979455df103c1872738249ca877cbf0b3f4 |
| SHA512 | c431c36771dbe4b7cb4ee16f6f591d21b383b21d81026908941c0e74a4a9490deccf3a78e1e47bc716ce81239ae714452e8681f182ff8c82528e25b6be665e45 |
memory/1276-472-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2012-464-0x0000000000220000-0x0000000000260000-memory.dmp
C:\Windows\SysWOW64\Opihgfop.exe
| MD5 | ddf1300f5e6cb695e57a2370933e145a |
| SHA1 | cc6c9f6290b5cefcfc28de9828d4e48bbb60d575 |
| SHA256 | eb21210d4190717fd38eb60a42095cea46b2d7d8818e970b311353f73f273c0e |
| SHA512 | f771ce936b3fdee63501724553f2cf78a1cfd91bed5815f3be147021e85bf154bc445b5bfa3386778a1e69abd42d81454e51a648583e5ed6651a62581b12e752 |
C:\Windows\SysWOW64\Oococb32.exe
| MD5 | 62daec2573510aa0dca721579b99cdc2 |
| SHA1 | aa5b7614c2e7541a0fda0ede3ca14da101f6519c |
| SHA256 | 90503d5dbb0a8063cb6841132e6b43f4b4eb31201dba339db6551e4cdeed85f6 |
| SHA512 | e2746f09fd4e58df74184af088442bf5c9f04a97a45b71e6e4b2966cf6026deb2eca6ba051f1d10030543503dbae9babe65f99e5c5ce293db4e346c7956bad4f |
C:\Windows\SysWOW64\Phlclgfc.exe
| MD5 | f8339e53d89915e40efe82e5db35ab04 |
| SHA1 | 4c286787e17fea6f8c3bae158d95312f8bfa114e |
| SHA256 | 6833a16e24854300452385c17c59961099dee7565c73b37c700ce408dc6430e2 |
| SHA512 | 9ba3cae44c730c727b63049fa4655a823b5076fca5a0df40172fd77f530f61c88df8fceff1c4886e7c82ac86bd85a2a26129e6eb534f495ebc478a217c665c7a |
C:\Windows\SysWOW64\Pepcelel.exe
| MD5 | 045973510843d1191a9c1de985e50418 |
| SHA1 | 131f453f4cd9abaea29460381f225faa46c9d109 |
| SHA256 | dc934a0372e98d016fb49028eb69afec32fa55f5d7bb84790e755e36b7ee6626 |
| SHA512 | f1e08cdeca170d078732c070d77b4e97fdc11324f6e75f45ab8949256fe334562b735686c5313e9addfa77bdb9919f684b73da4530378daf8eea1c150b3d5b06 |
C:\Windows\SysWOW64\Pohhna32.exe
| MD5 | 66036320241c1f44f0a6af76bead0569 |
| SHA1 | b8b475bc7d5654052acc78e78ad39b7ead10bdbf |
| SHA256 | ff51193cc91f6e21c24ef27ad04b9e8278a8737319b3f94deca82a38fe4175ea |
| SHA512 | d8bf675961cda9d3177ededb3dbf118d93aff1e65e4e521602fb93565baacb1014dd8f644a31e04375840c5df2daa8cf906c115b81a8c60363ddf886465d052b |
C:\Windows\SysWOW64\Pebpkk32.exe
| MD5 | 0008c8d0f74f67933f1ce89b86793c02 |
| SHA1 | b15a5e49d2cdab4f18a08b24cf97a5978873c351 |
| SHA256 | df2b128e438697bc2d7993e0d0881256abe7dad933fe8d0962216277f07350db |
| SHA512 | 6671a830195898643fec65b210851272794e2bb2193ccedc16e651cfbd67ed4bcfb5b3cd8183fb978682ea296328f7216dfd0c2879f1abebfaa8c8bc4adeacac |
C:\Windows\SysWOW64\Pojecajj.exe
| MD5 | 0763ddc2edad45622c86b9923e968f97 |
| SHA1 | bc099401dd44767759e99300c93813c4018410b9 |
| SHA256 | b7dde52210a5168b54fc79a8fe3a59ba8964d8265adab63ded2a4a0f13490d60 |
| SHA512 | 58457f77646438eda7684e3581913eea5846c1e6c60a2dc34837a6cb26622a83a44993c5798a46c452c2f4b2c59d474f169b431ba8bd97caff5ab59a169895b4 |
C:\Windows\SysWOW64\Pplaki32.exe
| MD5 | 0fbc45bc389a0190686a8488e1afdaa4 |
| SHA1 | bc72ea13517ecdfaadb56cb53a295c0e33bd3326 |
| SHA256 | 47c3f0fce8c5a1b968c014115d49ff7bc3d0454d28ca7588e2a34037edc383bb |
| SHA512 | 485dd56a51839d4620c5f99c0b0b6189b59b029f37a60284ead657a57bbb3fa85b8b7a46cce8d8d5094d7d0c6e394e6d7e370977f51d45964bcd35599b71009d |
C:\Windows\SysWOW64\Paknelgk.exe
| MD5 | a95dd70dabd375f45d6ea1e875bf453b |
| SHA1 | 13eab06eaa6eba07ede5a4a1eba52d2051836910 |
| SHA256 | 02e52d35301ef6f0c95776e043153c1307c0ee4a16d4fa9e3626f27a2bd9ce83 |
| SHA512 | 63b046efe187dccd4bb604d4e48c5cfcdacf87a1562ba618338086689d3efc9f58d4b41f0d6c600e4c987eee555cd15fb4fd22f194039fbc1ca5a7cf4ea61146 |
C:\Windows\SysWOW64\Pkcbnanl.exe
| MD5 | 74a2690c89a168026d5caea67e052337 |
| SHA1 | 5217f1d8064df15f2232fa78df83c985d38801f6 |
| SHA256 | 918755d366a8412a63c9208101435ddbb27bdf94ab4724e10627e5443915ad92 |
| SHA512 | fdcf2e6adf8237766271f29a36fb01f7140f0c88151e500000dd33aecc8a38576e0d35d99844655b255111aa6bc8c502d03998fba7a6d5cff53b9d15c4cdbfa5 |
C:\Windows\SysWOW64\Qppkfhlc.exe
| MD5 | d867ac4c6dec88ff7bdcbde97d8159af |
| SHA1 | 473ba71c4614d825045e0e815a7b81b9fee47f53 |
| SHA256 | 96ae4b29e47dafe634dae8a8511d51a538443a72496bc862f922ea914b392c21 |
| SHA512 | 59bf1c04957b34acd716f0e4e599254b682657b4e2e283be00bc6257d5e48378bcfb6a884a7b130a72ec3533f2e1938584e41aff713b3358da93f98f76f0fc72 |
C:\Windows\SysWOW64\Qiioon32.exe
| MD5 | 2e177a05c6d22be3e754c7ff8088ea8b |
| SHA1 | 28bc9af64f3c2798230d7eba0f17dc11f5329159 |
| SHA256 | 620425947225c864d22dddd020e3c397e986c64b7f7935d8f9677aa2efa606f5 |
| SHA512 | 9ad031551b60d554f020ec7a61f4aeac087fca29288186c3fe2dd2be5b2bbb74ae26cb8cf5601f6d7786cc58b8d68db07b4b29960ad307e19c49ae6f307065f3 |
C:\Windows\SysWOW64\Qgmpibam.exe
| MD5 | be17ea91fb3245df7ef7eaea882aa10e |
| SHA1 | b1aca4afd1d106accb37ae5e6c7621e311e14b62 |
| SHA256 | 05530c1aadd57ae374f548d11e26507b0146ff83d0853e428467d767e19fa8f3 |
| SHA512 | f600912e3b5f4c65fffeb3d37c63a85796fd2c2c1e5d312ec5d77d2decf0639804d92eadd8e3500a77e84e9c957148215fae219b2f51c838644eb5a51890536b |
C:\Windows\SysWOW64\Alihaioe.exe
| MD5 | d5aa4d1f60f293828d3194046bf28608 |
| SHA1 | 94a13e8310ea58c43af872b183ee9489060e10c7 |
| SHA256 | 2d631b8c47aee820dd91a56b89e243e0b4431a40f3e2b2dc2012f13e91c84e15 |
| SHA512 | 78b3aabc2040478303d28495d4cd04fc875d64c392b4cf98bc3ea5f5bc1ce4369da641a3511c774a66c58f302f8eeda308ff3265e19717fdcb5b7f75b8d140d8 |
C:\Windows\SysWOW64\Accqnc32.exe
| MD5 | e5a62ea6f78f8e9fb05eb74c9d3f7c5d |
| SHA1 | e53eac40ab62a6ddc42fd78befdb8bfe94209960 |
| SHA256 | 592b729cb44aae61922c974b0e3b38ff633b57696d613fc86c7afc1ffdf48749 |
| SHA512 | fd629a3c95d31392107eb1bb151871df7022673a506f2b1b15a08e63e32e79637c59fce2245193bab0306c22e90e29da51e395467bf3538483a477219ea07354 |
C:\Windows\SysWOW64\Allefimb.exe
| MD5 | 030f8a787e173102704eb25d142a31e8 |
| SHA1 | 1d41cf8ae6f15c7bb2f93c11eaa54c4a6d98449f |
| SHA256 | 243b5f0f087d73b94d9e34b342c8a5ad550f1eef31218912deda87dca5ef9719 |
| SHA512 | 4b4e413708b7550698446d38adb3df9de0a9b8a0c45f0d608247e1c7ca3f32801ec80014cbc5ba37769c081b1d2890ca526a3260ec522e92e137439a1b17e8d3 |
C:\Windows\SysWOW64\Aaimopli.exe
| MD5 | 561eb11a0918642de2f28f15f33d4a9a |
| SHA1 | f55363dc2959fd9619f4a0e5fd9a58ac17c10cf8 |
| SHA256 | 6994babd38d739b8b11b2b8b4c9fa874c5c70e693e88b6ba26f1d8475480942e |
| SHA512 | f84ffc298be4667a88d8c60d18eb3ff8969c2430fe4b520ae688c7d6436a9c531d741d8499cb17bf007c2cf594f4bf4e4724541b5aecda6f5c315cce2151f2ab |
C:\Windows\SysWOW64\Ahbekjcf.exe
| MD5 | dfe153d567f5c46b2cbb1921b1cc5e7b |
| SHA1 | 13846a7093f1547f00de532864b8d934d3c2f256 |
| SHA256 | c18a708d0450d6cf3e884299cfd34a806394cff95374f35ab88ffbe8f22db5d8 |
| SHA512 | e77efa19374e688034feaaca689748b610ad7e71dda45657a74d5c751e8328920718a4c86d288ad6a2122f4c54feb68e0268dfbe8dffa1d588f163283d0e196f |
C:\Windows\SysWOW64\Aakjdo32.exe
| MD5 | e33a118339f020506175efdf1cbaffdc |
| SHA1 | 9afe77f7fae11a785cec2c22ed6345f5f102f59d |
| SHA256 | c47d2bc329d27278aca5808930fed888e73213ab8f5ff200d9b6d427ca6953c4 |
| SHA512 | 1b98a4878be923acc7c1a8338fbfff073cb392c51b64b94dc3fb22b1502c2d0d6407ca602edb5d85a48c66ab0554c98d9daabcbc446af839609911bbeb3a96a0 |
C:\Windows\SysWOW64\Alqnah32.exe
| MD5 | 94ab5ac805df72930ea36491b6c2ce05 |
| SHA1 | d63a9678159d4e7817b2945674dc79d6d4d359b2 |
| SHA256 | 1820615c3477a7394e9274b3920b7cb71af86f87cfad72a602fadd82faca0bad |
| SHA512 | 854ce7c2110d16f39f98dae2615972277aee91ce6a1947a5fe088ccefa21ba8481814230566cc840a5a8fa5784575b4fae828e4003589eca27fcb114c9cb6258 |
C:\Windows\SysWOW64\Abmgjo32.exe
| MD5 | 823e0cf5dece42b18091bda5a9f717bf |
| SHA1 | 06eb394cd17f4a993e8e24efec5a67f75a29f69f |
| SHA256 | dfeb1eabc2da2571d345589e9068321b021c78395031384e5eeca0fab76a5108 |
| SHA512 | 11374aff3e2c416cd726bfe718d0c4be1a3e7eb97154584ca7f6895bae59fcbbd3748389e319afd2260bc5e5065a32afa7d226ffff8a477ab1b50a981155037d |
C:\Windows\SysWOW64\Agjobffl.exe
| MD5 | 3236cb755d8bd81b096d08e24de504dd |
| SHA1 | 9d4986142d748d7da5c124ddc5895428bdc549ae |
| SHA256 | a07dfb2effc33b7e4f4b1a33bead5af94cb98bf9d106a948527d1d1493340fcb |
| SHA512 | 1695058d279ae5e33896b7c7bd8e91fbe2809661696f13d54bf0e6dfae95d20dc6752cdcd8d62f0ff7250d50e7475823d3d0e53ccc11a746c5c57a3043353559 |
C:\Windows\SysWOW64\Adnpkjde.exe
| MD5 | 4e6ff88e563044a043fcc5a9d0479a28 |
| SHA1 | fc7eea580795b0e4aa67e74531a2274846ec3ff8 |
| SHA256 | dc510251f1cbfdcb479ed151eace9f03a54d7488d92afb45d7fc961658095c48 |
| SHA512 | 1b8ca3d9c292159f49d9d493249b2d00e04af2a692caff276776440166491cb1d5f2b975ce01ab4758a9d91158e4a0885899790a4c82ae3219f2258ea59b4a99 |
C:\Windows\SysWOW64\Bjkhdacm.exe
| MD5 | e041915386edc27728e409658b31228e |
| SHA1 | 0971c71234cae33622e08de954877800b6837229 |
| SHA256 | 226ee8310691acdb5729dd1375ed4ffd4dc785f188bc02f5c9678c7c0182119f |
| SHA512 | 08c84c951b069920153c21cb04b4f979fa9955b3e92e57875d18d00b28cdcc27d26d98127aa6913b472dc1ffd1f27e962d0ed3125c6eef728e31ac5bf39b0f1d |
C:\Windows\SysWOW64\Bqeqqk32.exe
| MD5 | 228bd1a0a647509081268a900bbee635 |
| SHA1 | 5e984849618be4c88ef71a067a5c45160907cecc |
| SHA256 | f1ae3ca0f231bcdbe0c3533b5ff912b708a6443f622483bd15236685fb848912 |
| SHA512 | 10aac98974a214bcc28a7d58379bedce27ef82b4173701956a6b8765a55a828cdcbcc329d6188e85d5a1dbb627bf57a8ddf9087721a923ed3345e20a5a4ca134 |
C:\Windows\SysWOW64\Bkjdndjo.exe
| MD5 | b65132371b58d814140c2e4cf5157f56 |
| SHA1 | 0a749a4696673f5b305230560ef63016a91661ea |
| SHA256 | baecc24ebda71af6699d1044b78b2ff3c51fe40ea9db2d21017d4963d7bb8ddd |
| SHA512 | 052f584bae2b8c4d41e92de791dff919039aaf1d684cdb7eb56cdf13c6f39df8df66cac4ae5411e0f7f096c2b71e58ba6718a99c607fb99c3b3ad541e58d23b5 |
C:\Windows\SysWOW64\Bceibfgj.exe
| MD5 | e04d5bc3552c8e92fbb349138b641f27 |
| SHA1 | 59854c3f9d833d307ac0f7edba711cabc2dd23bb |
| SHA256 | fc30b42e8733c99eb2d02d0709b41328f951476e1b20e902f16683c41f63423b |
| SHA512 | 681698e4c4c6e613b3c8dd8f1a4e7b35676a9ed65d3eaac5e48495e1bf8f3660dd1535a57e129c2d6a55423ae6c2c29fea295175db1d6afae962a8d11a63c33d |
C:\Windows\SysWOW64\Bnknoogp.exe
| MD5 | b8eb9d8c01058ae1dd0cc922032f0063 |
| SHA1 | 2a634f62f357f2dbd52bca185c97a10e631a95d6 |
| SHA256 | b0f8b306f85998c77a115eb5bb4dcb2f73a757aac49317a1e68ef25d59f1f8c2 |
| SHA512 | 7c31d9ecc27562610a81f83cffff2c9da6663f874314be43f707e19b90a6bdc6e8b03a55d6a21f7540ab2268a72ae5d376e347258cdbdb3ff3026c512b839c93 |
C:\Windows\SysWOW64\Bgcbhd32.exe
| MD5 | dc3f997af7c474c46ab1aa89cf177510 |
| SHA1 | 437dae3537e72fa19f64fc54d638398b31577ccd |
| SHA256 | d20ea3851ec1abad5b2e69641035191b895a4cb9bc43ac2c81537f635be8d00f |
| SHA512 | 977796893f4aabbf6d68af469bec02ded8774a5d6633a97d1d940a78bf64988b11efb6b6b4090b7a89b0762a2415218b7f797414f038eadd1c13ec7b9d1ecee3 |
C:\Windows\SysWOW64\Bigkel32.exe
| MD5 | d865a724382b14815f88d65b2d160ee5 |
| SHA1 | 28c27db4a4db693c9917986bf08defdf2837c818 |
| SHA256 | 85f74a40384cf9a3792996e1920c313bac5ee4bbda14a5284901d8ee345fbefa |
| SHA512 | 886eb1d74102a595aec0c7a7c2826db09a81de62e11ff021ff26a1eae6d5de54436590bb8343f843e72d04c42de32785e6ed4f43077dea9422f1440c08833e4b |
C:\Windows\SysWOW64\Ccmpce32.exe
| MD5 | ae6bca3f27893e322079a2f4f60ed0c3 |
| SHA1 | 4107f7516e9b0d3448164afc1edaebd9a4a2eb67 |
| SHA256 | 1e7b0a9b1f5402f7619cbf288cd1e778eb5e073beb7b996586d658baea667b9a |
| SHA512 | 704faac13d86a8bb36a78ee480f7881d99317346942e84082a95b29f5a6fe68ea4de97ebfad34d0ad3f72e6b71092286da406bc8dbb451c049cec38c3cb0849c |
C:\Windows\SysWOW64\Ciihklpj.exe
| MD5 | 215c164d1bd7300cc1ec856dd4c712fe |
| SHA1 | 4ac03e34ae3022aa07123327435bf51fbb94d8f3 |
| SHA256 | 71528e50eb58597121848719aea14893b3e00ba61456f5db02391d2fad0c3d39 |
| SHA512 | a43f6461c81476c82d8458db4a118d721b73d8e6476967e4e67e0e4f58eb91fd133ea0568aef3b9870bbc22111293a3dce1d414a51e5b8bb2472fa2473befc7d |
C:\Windows\SysWOW64\Cocphf32.exe
| MD5 | 3cff5fd71a48ee309e63dc6f800a508a |
| SHA1 | d033448ff60517c3eed1cd9e14c141c53aaa8dd1 |
| SHA256 | 8acc6e478d88ab2dbdd172db6401f9d8476a2c2df398c48a56893670db2a9f38 |
| SHA512 | 4d27a4f84abc8fc20c3a4a82b94e0e36107b4c17eb2c2fcb0d5770fbb7606aba7127c0f4e6a7edb5a0fadb31f64ab59dc09ed4d339b9067cbbc1ac62e4dd7580 |
C:\Windows\SysWOW64\Cgoelh32.exe
| MD5 | 3739724f67d8a575ef31e34d2efb8f0b |
| SHA1 | 5c0824ba0e59901a9cd324563fb1f87b47b1e2f8 |
| SHA256 | 921a748fd57e40050b836150a7fd60c73f196bac657cf74ee06593826cd45b38 |
| SHA512 | 46e6b247b7600957196222197e3005129908ed5d11c00044ddd762be4d6d21b18a7ef44a082494c8a947eed6e2d79d2e5f8dffb6f9bbf65da25bb94d837b38b4 |
C:\Windows\SysWOW64\Cnimiblo.exe
| MD5 | 266f98df2a47519b6f89e9a536894bb6 |
| SHA1 | a786c4a315175a6519b541a30b1906fa969661d4 |
| SHA256 | 0e40b8a4961315e583d9faca7383ada176b8c774e15f7e694be1c5e4e3253edc |
| SHA512 | 2faf53edab9af0f9efdb0a733421e1443c673e67b7203303f796c9da558a94d89afcbebccdd540252c5831b2b9939fb44c85fa368f61b733074ade76e037ab51 |
C:\Windows\SysWOW64\Cinafkkd.exe
| MD5 | 97857e72361c13c4a1f405b84ee47a50 |
| SHA1 | 20057e84d3d38caff84065f9bbd48783e2cb527f |
| SHA256 | 34484f71abecb1cff75d9e9c26d26e8b31fa724831a14442358e9a328baf89b4 |
| SHA512 | e61269b493cca477c2fd14dade6aa1578b149fbc00ea3124820f10be18cc6589813d2333cb836c16852feb27b43dbf982ceb5d8ba1c62fc1e4b7d8255a9396e9 |
C:\Windows\SysWOW64\Cnkjnb32.exe
| MD5 | 53d044fda020f37f7cf3da9f351693a9 |
| SHA1 | 60b1f576302962b93fc348165f1e93841f883c5d |
| SHA256 | 7a48a912de4ab1aec44373c2f792fa8d01826a597e03e3b021ab7e056e4a98ca |
| SHA512 | acca189f782cdbfb3bb8d1b1f24f08804fc635042b7da1d0b915dc11500995de733fb5ecffde8ef738d6f526eeb2b004d8d23d29084f4b5baddb5336fd108bf0 |
C:\Windows\SysWOW64\Cchbgi32.exe
| MD5 | 241feb3e875dab2799340825aab2b10a |
| SHA1 | da081e61e3a9e77f4d237ddc3724014deafa7a9b |
| SHA256 | 17ea1f61499aa9ec0a67fe417fa2fbfc7b0c8f89a988e56f291f443ffef6ebb1 |
| SHA512 | d4736317e45ab04e7df35a8887b09a13bdeeef47666343f17fa338a372254d6c0ce04df416648dd2fa78f49b94a2676618f78d130e050c9f5245afcf7e5ce5fd |
C:\Windows\SysWOW64\Cjakccop.exe
| MD5 | 639a3c3b8377c1ff2b8c1bb61e5e4633 |
| SHA1 | 4a9a83f14a8acf70b01f0467672179360630e80e |
| SHA256 | ac8c58467d69a198efa7e3203330a8f3c5e6ba2782f0abf5d7611a3ea344f946 |
| SHA512 | 5d9e0b66b640e11bc5a1791a3b4c0bb729bbd4b426f8e027c9a97a7f15f7c5b527e36d9b98740d90d0dfb1af49afc02a463ffbfdd55cc8414b0517ae898b412c |
C:\Windows\SysWOW64\Cegoqlof.exe
| MD5 | 17128872563342ada69e8fa2d6e4324b |
| SHA1 | 781f975e5395f60f7f256826b123f53cd1615ad6 |
| SHA256 | 5e4a59897f597c0f50282e8aca51fdd666df104928ca4343328c64e425c4173a |
| SHA512 | 5a0daee7c25f93d542d6e4cd6414f765d9ca367cc1e6af76054c1c7b39528d05deb46a7e7216dd6923fb60e38aa71e8430c188ab06212b24dabeb85e2084167f |
C:\Windows\SysWOW64\Cgfkmgnj.exe
| MD5 | 71b5e0accc3ce5b62475e1646ad9ae1c |
| SHA1 | 7ef0a1c3ecf75c338035ccc8f3ea3c561686edc3 |
| SHA256 | a4c9db5a765395302eb9caffe42bd0fd56cad8d4208f2b31b9991b2ff5f2c4e7 |
| SHA512 | 7737c08b76768287c55264abf4d6e135552c0c0037f9b75efa7f6edab7ce92b2924475cb8b664592c5158cb916966f2f3c9a84aadd4a87d07ead3cc20c117862 |
C:\Windows\SysWOW64\Dpapaj32.exe
| MD5 | c2396759d728690bf1ab093aa95777f3 |
| SHA1 | dd0d964e5baa56283140501029c2963cee78acea |
| SHA256 | 8b528203ff7f91e0e95fe246d57d93cf150007d2b773c7f03877971618003a81 |
| SHA512 | 5cffa19ee1379756594e6444291a3fc14f99af76bf279a9d27483b91544c6d245bfee16eff7df0232bc5ce8ba98d6cc277f3a53d9ac06d2b5686dd8113837022 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 08:01
Reported
2024-11-07 08:03
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
95s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dogogcpo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dogogcpo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Dogogcpo.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Dmllipeg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Delnin32.exe | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Delnin32.exe | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dhmgki32.exe | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfghpl32.dll | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dhfajjoj.exe | C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | N/A |
| File created | C:\Windows\SysWOW64\Dopigd32.exe | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| File created | C:\Windows\SysWOW64\Hcjccj32.dll | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dhhnpjmh.exe | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhhnpjmh.exe | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmcfdb32.dll | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhmgki32.exe | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| File created | C:\Windows\SysWOW64\Lbabpnmn.dll | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
| File created | C:\Windows\SysWOW64\Agjbpg32.dll | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dobfld32.exe | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| File created | C:\Windows\SysWOW64\Alcidkmm.dll | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dkifae32.exe | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dogogcpo.exe | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Deagdn32.exe | C:\Windows\SysWOW64\Dogogcpo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dgbdlf32.exe | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nbgngp32.dll | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dfnjafap.exe | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| File created | C:\Windows\SysWOW64\Poahbe32.dll | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| File created | C:\Windows\SysWOW64\Daconoae.exe | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| File created | C:\Windows\SysWOW64\Danecp32.exe | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Danecp32.exe | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fpdaoioe.dll | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmllipeg.exe | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eokchkmi.dll | C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dopigd32.exe | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdheac32.dll | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| File created | C:\Windows\SysWOW64\Dogogcpo.exe | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgbdlf32.exe | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dkifae32.exe | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| File created | C:\Windows\SysWOW64\Oammoc32.dll | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| File created | C:\Windows\SysWOW64\Deagdn32.exe | C:\Windows\SysWOW64\Dogogcpo.exe | N/A |
| File created | C:\Windows\SysWOW64\Kahdohfm.dll | C:\Windows\SysWOW64\Dogogcpo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kngpec32.dll | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhfajjoj.exe | C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dobfld32.exe | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dfnjafap.exe | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Daconoae.exe | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmllipeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dogogcpo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll" | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dogogcpo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll" | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll" | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll" | C:\Windows\SysWOW64\Dogogcpo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll" | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dogogcpo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll" | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll" | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll" | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dhmgki32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll" | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll" | C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll" | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll" | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe | "C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe" |
| C:\Windows\SysWOW64\Dhfajjoj.exe | C:\Windows\system32\Dhfajjoj.exe |
| C:\Windows\SysWOW64\Dopigd32.exe | C:\Windows\system32\Dopigd32.exe |
| C:\Windows\SysWOW64\Danecp32.exe | C:\Windows\system32\Danecp32.exe |
| C:\Windows\SysWOW64\Dhhnpjmh.exe | C:\Windows\system32\Dhhnpjmh.exe |
| C:\Windows\SysWOW64\Dobfld32.exe | C:\Windows\system32\Dobfld32.exe |
| C:\Windows\SysWOW64\Delnin32.exe | C:\Windows\system32\Delnin32.exe |
| C:\Windows\SysWOW64\Dfnjafap.exe | C:\Windows\system32\Dfnjafap.exe |
| C:\Windows\SysWOW64\Dkifae32.exe | C:\Windows\system32\Dkifae32.exe |
| C:\Windows\SysWOW64\Daconoae.exe | C:\Windows\system32\Daconoae.exe |
| C:\Windows\SysWOW64\Dhmgki32.exe | C:\Windows\system32\Dhmgki32.exe |
| C:\Windows\SysWOW64\Dogogcpo.exe | C:\Windows\system32\Dogogcpo.exe |
| C:\Windows\SysWOW64\Deagdn32.exe | C:\Windows\system32\Deagdn32.exe |
| C:\Windows\SysWOW64\Dgbdlf32.exe | C:\Windows\system32\Dgbdlf32.exe |
| C:\Windows\SysWOW64\Dmllipeg.exe | C:\Windows\system32\Dmllipeg.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1852 -ip 1852 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 404 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/1724-0-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1724-1-0x0000000000431000-0x0000000000432000-memory.dmp
C:\Windows\SysWOW64\Dhfajjoj.exe
| MD5 | f342d924e8cbf830c9be0e71ab58590e |
| SHA1 | ff052b9c1900cbe3f268a5f81a6e365aed451620 |
| SHA256 | 604b18928564738b0f3fafef826f63ca24d5c45472412fe52f2298f514c141b8 |
| SHA512 | f5082a87f626add0cbe1f625f6f31e863811831eb5cf24590852cee342acb918e52634c70cfa5bb6a472e7461d143999228e1dea233afb4db15ed5a1d739f2ad |
memory/2328-8-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Dopigd32.exe
| MD5 | ba213b8716d7b8e1f9904083ef2f6c79 |
| SHA1 | 159a77c0ce34995685e3b5cfb408174511537d24 |
| SHA256 | dda1f3b89c7062cbebb9fbf2eb84f3d05fd66e0ebdebc7b3ddf2b17f57b88be8 |
| SHA512 | 330b9c52f56313e17eabb35e4e8b75275dc1fce3534792473680628095426052e54bcde2c2b7cda31c9430b8f4f84bcb7beba2a80b925ce66e9ad5cc2759ac0f |
memory/4148-17-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Danecp32.exe
| MD5 | 1d509f0e563836cd63d88d119dc738a8 |
| SHA1 | ee09d1ef7faf8a1855d63ea821c817f574dae478 |
| SHA256 | f198c2061bae08f433245935be14e02ef046837a868b0be360f975312da27ccc |
| SHA512 | a27c30f92870996f096d33e1b3c0cecbe59c1d1bbdde516fd9f14fcb3b0562b3f24d45ed6dd64e237dd905bc1f8611c3019f5c03a2aaa0b378d37b32fc9c0a1c |
memory/3204-25-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Dhhnpjmh.exe
| MD5 | a270c814782febb20273f0f7e68d44ad |
| SHA1 | a7763dab6f250c810c162be3b3cf0d51eca5d199 |
| SHA256 | bafeee9d404cc1c7929b380017371f8df241969572515237135c9971946c6fb5 |
| SHA512 | 06cff0e5d211d2d8b78d856b20914abd4e3bb8a56ebb1a98d5653396ddf3a0e64520e4a31d6df096fe4a7c38e37999eda49beabe754726d16ee4b23dca526653 |
memory/3412-32-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Dobfld32.exe
| MD5 | cc070b7f1c460ad4595d3e96216d6a2e |
| SHA1 | aae16491211e8564c28c9106521e8c20f5ae5afd |
| SHA256 | b40548b7fa9e9311c96c410d228bbc84684f936ebfd3f04bc2e59e2e4e2f25c5 |
| SHA512 | d7f1fd2edf961d3b627916f3bab6dc5eaa50d5e61171675b2760e16e79862124d698f816feb2fea066bb3ed8eb074d00030b408dfe406091822f23de1bbb488c |
memory/4500-40-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Delnin32.exe
| MD5 | a7c8c33a805c425e5f7ccde251dd64f4 |
| SHA1 | ac97ff01a0fc9100a3d2eb8087f1c039364bcea8 |
| SHA256 | 393b5e8fd4404895ef46099f091a714809314c463a25f470c30b89cfd86d226f |
| SHA512 | 6293cfdfad8a348d8cedafb862221df5d41969c0b8c210290eb28c3b0d48e7418de7f48f7b0353b2f156f6a4958760864d9842a471e4eb724c755482fe5141f7 |
memory/2468-48-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Dfnjafap.exe
| MD5 | dc7827c1dec0480f0624099cf37da927 |
| SHA1 | 687f371c199cc1163d79b2b868968b6fb3d0f255 |
| SHA256 | 2a064621a1fde850db882c403bf61f20b48ace52b0be5be66f74c9568eb86a24 |
| SHA512 | 99b45e77e4216136b87322633e051e5f15f6c28bb9cd5b839a53c351df63625d5e15abf0b98177f547a7832d6ff54ab5722e02331087f7cd9991c91becc358a5 |
memory/3416-57-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Dkifae32.exe
| MD5 | 9d933419bb2a3f2f25a06eee2db6e8cb |
| SHA1 | 1ff1303b6fc9ae298cb4f79134ef5179d303b792 |
| SHA256 | 74bfddd0544c5b2c7d15e4737a2d45d432bfb1dc2050547ece1f20d8762407a6 |
| SHA512 | fd34547515587ddf2bce976da958343ec88638bffeeacf24637223d3b2d0451ee601dcf5e46ec8cd143896d00af5c8a19c4ff7ddd371073baeeb6f8322035c2f |
memory/3140-64-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Daconoae.exe
| MD5 | deea790b067555ab96169caed39e7a49 |
| SHA1 | 356400540ad19a8e1755f86ad16540f4548de778 |
| SHA256 | ec8b3005416d3295152098e08bf8175692d8c136f3115e65dab777e36cbb1a64 |
| SHA512 | b3509b0926416872bc3689ae016a438c671c71db8bba8167842c666d858bcd8154a2c4df111c393258a54d616fc19f3b51ee6b9a9179d0ce6049dc86807f5d11 |
memory/976-73-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Dhmgki32.exe
| MD5 | 573677e2230c06d6e2911041e3482a88 |
| SHA1 | ed3f3ebd673cb6289876e49a29def3ebbed85e78 |
| SHA256 | a39252a3d1c3e02ad24bdbc3cb46e82c8642f8f9ef2ab7309bd0a36480c030c7 |
| SHA512 | 46f0b6a719a02a3f0a7a933b97e497a9c7dc9ba3e226196198e0efb633da8fcee88d35a5c31a67be5ce4fa780ff9f487a1123331cfc9f737d7d25e8935970dc8 |
memory/3116-80-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Dogogcpo.exe
| MD5 | a9b4a1e8338d991d88776454df78f82a |
| SHA1 | 24d07b746fd2620fa18f2c1dd146ca9c14a0fb8b |
| SHA256 | ea183a58767e5074e535b737ed2510eee5e591d9ac0f69033b29856f5e0e5d68 |
| SHA512 | 4ba636e0730352b1936134f1947c6b74cf374b07a91cdd898977deb0d28645e5726fac59b7297c45568f0de15a835cbcb0c878dd877c8f7b124e49ee7396b542 |
memory/1576-88-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Deagdn32.exe
| MD5 | 2be42037b34325da3e3e8be54b62dea4 |
| SHA1 | bdbce7c82863472cf4b9eb90e069c25946ed227b |
| SHA256 | 0f39ab61bf512174a41d0d393d11386938e37da276ae1844d54214bab9f9a279 |
| SHA512 | 719caa0fe3bdce1c86ac18b7634fd5a4c11f4280154caade7bc207bfa6bfa499adc0f720613665c9cc01a943341207a9bafd2d4770a948801688d8854993435e |
memory/4044-97-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4396-104-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Windows\SysWOW64\Dgbdlf32.exe
| MD5 | e08d48794e26021f30a79a943b62b8f9 |
| SHA1 | 73942a2356f4ebe72f4e0a693bb0f2f022160b20 |
| SHA256 | 67839a72c20d2e1b3715f5ae74ef9d985526dbc7e80e99073ce2da40e97c5775 |
| SHA512 | 13c464f66c61c34efca9bbd612e7d8f32c4a6c4345bea9accb5b6d279144c26b8df7457df030f95a113486c7dbc79fdeb68f17af1623129bb84bfc4cfe4a8770 |
C:\Windows\SysWOW64\Dmllipeg.exe
| MD5 | 90e1366cb198a89a531bfd76b82b3f5e |
| SHA1 | c849aede0b7adf260840364acab26291651f2412 |
| SHA256 | 328524688e78364665cd1d7b8287ddb1aa9cbe7c93852f939c7529c41067f704 |
| SHA512 | 151f3c0302aaff1a230c61f7a69e64dbc8334d3bf9d82a72a36c92efb802ec1d966f2b5eba85a55614a05f389f509557d841f105dbadd75b7e274993187c439e |