Analysis Overview
SHA256
b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28
Threat Level: Known bad
The file b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28 was found to be: Known bad.
Malicious Activity Summary
Berbew family
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:56
Reported
2024-11-10 01:59
Platform
win7-20240903-en
Max time kernel
122s
Max time network
122s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ojigbhlp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pngphgbf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Akmjfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Annbhi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Qiladcdh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bhfcpb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Apdhjq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cbdnko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pqemdbaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pqemdbaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Qgmdjp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Clmbddgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pngphgbf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Balkchpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ogmhkmki.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajgpbj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pjbjhgde.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Blkioa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bdmddc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bobhal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pckoam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pjpnbg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bonoflae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Okdkal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pgbafl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ajgpbj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pckoam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Apoooa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bbgnak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bbgnak32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Balkchpi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Oqacic32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pjbjhgde.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Qbplbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qflhbhgg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Blkioa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bphbeplm.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Ojigbhlp.exe | C:\Windows\SysWOW64\Oqacic32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogmhkmki.exe | C:\Windows\SysWOW64\Oqcpob32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pqhijbog.exe | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qgmdjp32.exe | C:\Windows\SysWOW64\Qflhbhgg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aaloddnn.exe | C:\Windows\SysWOW64\Annbhi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Apalea32.exe | C:\Windows\SysWOW64\Amcpie32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmnbjfam.dll | C:\Windows\SysWOW64\Apalea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bdmddc32.exe | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cbdnko32.exe | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pjbjhgde.exe | C:\Windows\SysWOW64\Pcibkm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Apoooa32.exe | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Cpfaocal.exe | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cklfll32.exe | C:\Windows\SysWOW64\Cbdnko32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pdlkiepd.exe | C:\Windows\SysWOW64\Pckoam32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mabanhgg.dll | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhgkeald.dll | C:\Windows\SysWOW64\Blkioa32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oqcpob32.exe | C:\Windows\SysWOW64\Ojigbhlp.exe | N/A |
| File created | C:\Windows\SysWOW64\Bobhal32.exe | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ceegmj32.exe | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjpdmqog.dll | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qgoapp32.exe | C:\Windows\SysWOW64\Qiladcdh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Amelne32.exe | C:\Windows\SysWOW64\Ajgpbj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bhdgjb32.exe | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ajgpbj32.exe | C:\Windows\SysWOW64\Apalea32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cmjbhh32.exe | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| File created | C:\Windows\SysWOW64\Amcpie32.exe | C:\Windows\SysWOW64\Apoooa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Abbeflpf.exe | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aaheie32.exe | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfpnmj32.exe | C:\Windows\SysWOW64\Blkioa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pjbjhgde.exe | C:\Windows\SysWOW64\Pcibkm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajgpbj32.exe | C:\Windows\SysWOW64\Apalea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Blkahecm.dll | C:\Windows\SysWOW64\Pckoam32.exe | N/A |
| File created | C:\Windows\SysWOW64\Balkchpi.exe | C:\Windows\SysWOW64\Bonoflae.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckpfcfnm.dll | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pngphgbf.exe | C:\Windows\SysWOW64\Ogmhkmki.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Biojif32.exe | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cjnolikh.dll | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghkekdhl.dll | C:\Windows\SysWOW64\Okdkal32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ojigbhlp.exe | C:\Windows\SysWOW64\Oqacic32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pqjfoa32.exe | C:\Windows\SysWOW64\Pjpnbg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Amcpie32.exe | C:\Windows\SysWOW64\Apoooa32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cdoajb32.exe | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pcdipnqn.exe | C:\Windows\SysWOW64\Pqemdbaj.exe | N/A |
| File created | C:\Windows\SysWOW64\Qqeicede.exe | C:\Windows\SysWOW64\Qodlkm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Annbhi32.exe | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Apdhjq32.exe | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| File created | C:\Windows\SysWOW64\Acpdko32.exe | C:\Windows\SysWOW64\Apdhjq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bdmddc32.exe | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bphbeplm.exe | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hocjoqin.dll | C:\Windows\SysWOW64\Bonoflae.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljacemio.dll | C:\Windows\SysWOW64\Bobhal32.exe | N/A |
| File created | C:\Windows\SysWOW64\Clmbddgp.exe | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ogmhkmki.exe | C:\Windows\SysWOW64\Oqcpob32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pngphgbf.exe | C:\Windows\SysWOW64\Ogmhkmki.exe | N/A |
| File created | C:\Windows\SysWOW64\Nlpdbghp.dll | C:\Windows\SysWOW64\Pqhijbog.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pqjfoa32.exe | C:\Windows\SysWOW64\Pjpnbg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pkfceo32.exe | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| File created | C:\Windows\SysWOW64\Ceegmj32.exe | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| File created | C:\Windows\SysWOW64\Pcibkm32.exe | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dnabbkhk.dll | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bpodeegi.dll | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| File created | C:\Windows\SysWOW64\Ffjmmbcg.dll | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bhfcpb32.exe | C:\Windows\SysWOW64\Balkchpi.exe | N/A |
| File created | C:\Windows\SysWOW64\Aheefb32.dll | C:\Windows\SysWOW64\Cbdnko32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Ceegmj32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ckiigmcd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ogmhkmki.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pcibkm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qgmdjp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Akmjfn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Annbhi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pckoam32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Apdhjq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oqacic32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pcdipnqn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Apalea32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pjbjhgde.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pdlkiepd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Balkchpi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Clmbddgp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pnimnfpc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Apoooa32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aeqabgoj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Blkioa32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bobhal32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cddjebgb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ojigbhlp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pngphgbf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pjpnbg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qflhbhgg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ceegmj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Achojp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Okdkal32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oqcpob32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pqemdbaj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pgbafl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajgpbj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bbgnak32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Blobjaba.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmjbhh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bphbeplm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qiladcdh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aecaidjl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Beejng32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bdmddc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pqhijbog.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amcpie32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Biojif32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bhdgjb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bonoflae.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pjpnbg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll" | C:\Windows\SysWOW64\Cbdnko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Qbplbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Qiladcdh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfmdo32.dll" | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Amelne32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll" | C:\Windows\SysWOW64\Apdhjq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipheffp.dll" | C:\Windows\SysWOW64\Pmccjbaf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll" | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pqjfoa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Pcibkm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aecaidjl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ajgpbj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cbdnko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpdbghp.dll" | C:\Windows\SysWOW64\Pqhijbog.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnfdigq.dll" | C:\Windows\SysWOW64\Qbplbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmnchif.dll" | C:\Windows\SysWOW64\Aecaidjl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Achojp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Achojp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Apalea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll" | C:\Windows\SysWOW64\Acpdko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qgmdjp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Aeqabgoj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bphbeplm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bejdiffp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll" | C:\Windows\SysWOW64\Akmjfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bobhal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Amcpie32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll" | C:\Windows\SysWOW64\Achojp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qflhbhgg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bobhal32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll" | C:\Windows\SysWOW64\Cfnmfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cmgechbh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pdlkiepd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll" | C:\Windows\SysWOW64\Qgoapp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkahecm.dll" | C:\Windows\SysWOW64\Pckoam32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll" | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pqemdbaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll" | C:\Windows\SysWOW64\Ajgpbj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Pckoam32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll" | C:\Windows\SysWOW64\Bfpnmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqmqeba.dll" | C:\Windows\SysWOW64\Pkfceo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Pkfceo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll" | C:\Windows\SysWOW64\Qgmdjp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ojigbhlp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Agdjkogm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Apalea32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll" | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjmmbcg.dll" | C:\Windows\SysWOW64\Pkdgpo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Qodlkm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Baadng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cdoajb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cbdnko32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe
"C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe"
C:\Windows\SysWOW64\Okdkal32.exe
C:\Windows\system32\Okdkal32.exe
C:\Windows\SysWOW64\Oqacic32.exe
C:\Windows\system32\Oqacic32.exe
C:\Windows\SysWOW64\Ojigbhlp.exe
C:\Windows\system32\Ojigbhlp.exe
C:\Windows\SysWOW64\Oqcpob32.exe
C:\Windows\system32\Oqcpob32.exe
C:\Windows\SysWOW64\Ogmhkmki.exe
C:\Windows\system32\Ogmhkmki.exe
C:\Windows\SysWOW64\Pngphgbf.exe
C:\Windows\system32\Pngphgbf.exe
C:\Windows\SysWOW64\Pqemdbaj.exe
C:\Windows\system32\Pqemdbaj.exe
C:\Windows\SysWOW64\Pcdipnqn.exe
C:\Windows\system32\Pcdipnqn.exe
C:\Windows\SysWOW64\Pnimnfpc.exe
C:\Windows\system32\Pnimnfpc.exe
C:\Windows\SysWOW64\Pqhijbog.exe
C:\Windows\system32\Pqhijbog.exe
C:\Windows\SysWOW64\Pgbafl32.exe
C:\Windows\system32\Pgbafl32.exe
C:\Windows\SysWOW64\Pjpnbg32.exe
C:\Windows\system32\Pjpnbg32.exe
C:\Windows\SysWOW64\Pqjfoa32.exe
C:\Windows\system32\Pqjfoa32.exe
C:\Windows\SysWOW64\Pcibkm32.exe
C:\Windows\system32\Pcibkm32.exe
C:\Windows\SysWOW64\Pjbjhgde.exe
C:\Windows\system32\Pjbjhgde.exe
C:\Windows\SysWOW64\Pkdgpo32.exe
C:\Windows\system32\Pkdgpo32.exe
C:\Windows\SysWOW64\Pckoam32.exe
C:\Windows\system32\Pckoam32.exe
C:\Windows\SysWOW64\Pdlkiepd.exe
C:\Windows\system32\Pdlkiepd.exe
C:\Windows\SysWOW64\Pmccjbaf.exe
C:\Windows\system32\Pmccjbaf.exe
C:\Windows\SysWOW64\Pkfceo32.exe
C:\Windows\system32\Pkfceo32.exe
C:\Windows\SysWOW64\Qbplbi32.exe
C:\Windows\system32\Qbplbi32.exe
C:\Windows\SysWOW64\Qflhbhgg.exe
C:\Windows\system32\Qflhbhgg.exe
C:\Windows\SysWOW64\Qgmdjp32.exe
C:\Windows\system32\Qgmdjp32.exe
C:\Windows\SysWOW64\Qodlkm32.exe
C:\Windows\system32\Qodlkm32.exe
C:\Windows\SysWOW64\Qqeicede.exe
C:\Windows\system32\Qqeicede.exe
C:\Windows\SysWOW64\Qiladcdh.exe
C:\Windows\system32\Qiladcdh.exe
C:\Windows\SysWOW64\Qgoapp32.exe
C:\Windows\system32\Qgoapp32.exe
C:\Windows\SysWOW64\Aaheie32.exe
C:\Windows\system32\Aaheie32.exe
C:\Windows\SysWOW64\Aecaidjl.exe
C:\Windows\system32\Aecaidjl.exe
C:\Windows\SysWOW64\Akmjfn32.exe
C:\Windows\system32\Akmjfn32.exe
C:\Windows\SysWOW64\Achojp32.exe
C:\Windows\system32\Achojp32.exe
C:\Windows\SysWOW64\Agdjkogm.exe
C:\Windows\system32\Agdjkogm.exe
C:\Windows\SysWOW64\Annbhi32.exe
C:\Windows\system32\Annbhi32.exe
C:\Windows\SysWOW64\Aaloddnn.exe
C:\Windows\system32\Aaloddnn.exe
C:\Windows\SysWOW64\Aaloddnn.exe
C:\Windows\system32\Aaloddnn.exe
C:\Windows\SysWOW64\Apoooa32.exe
C:\Windows\system32\Apoooa32.exe
C:\Windows\SysWOW64\Amcpie32.exe
C:\Windows\system32\Amcpie32.exe
C:\Windows\SysWOW64\Apalea32.exe
C:\Windows\system32\Apalea32.exe
C:\Windows\SysWOW64\Ajgpbj32.exe
C:\Windows\system32\Ajgpbj32.exe
C:\Windows\SysWOW64\Amelne32.exe
C:\Windows\system32\Amelne32.exe
C:\Windows\SysWOW64\Apdhjq32.exe
C:\Windows\system32\Apdhjq32.exe
C:\Windows\SysWOW64\Acpdko32.exe
C:\Windows\system32\Acpdko32.exe
C:\Windows\SysWOW64\Abbeflpf.exe
C:\Windows\system32\Abbeflpf.exe
C:\Windows\SysWOW64\Aeqabgoj.exe
C:\Windows\system32\Aeqabgoj.exe
C:\Windows\SysWOW64\Blkioa32.exe
C:\Windows\system32\Blkioa32.exe
C:\Windows\SysWOW64\Bfpnmj32.exe
C:\Windows\system32\Bfpnmj32.exe
C:\Windows\SysWOW64\Biojif32.exe
C:\Windows\system32\Biojif32.exe
C:\Windows\SysWOW64\Bphbeplm.exe
C:\Windows\system32\Bphbeplm.exe
C:\Windows\SysWOW64\Bbgnak32.exe
C:\Windows\system32\Bbgnak32.exe
C:\Windows\SysWOW64\Beejng32.exe
C:\Windows\system32\Beejng32.exe
C:\Windows\SysWOW64\Bhdgjb32.exe
C:\Windows\system32\Bhdgjb32.exe
C:\Windows\SysWOW64\Blobjaba.exe
C:\Windows\system32\Blobjaba.exe
C:\Windows\SysWOW64\Bonoflae.exe
C:\Windows\system32\Bonoflae.exe
C:\Windows\SysWOW64\Balkchpi.exe
C:\Windows\system32\Balkchpi.exe
C:\Windows\SysWOW64\Bhfcpb32.exe
C:\Windows\system32\Bhfcpb32.exe
C:\Windows\SysWOW64\Bjdplm32.exe
C:\Windows\system32\Bjdplm32.exe
C:\Windows\SysWOW64\Bmclhi32.exe
C:\Windows\system32\Bmclhi32.exe
C:\Windows\SysWOW64\Bejdiffp.exe
C:\Windows\system32\Bejdiffp.exe
C:\Windows\SysWOW64\Bdmddc32.exe
C:\Windows\system32\Bdmddc32.exe
C:\Windows\SysWOW64\Bkglameg.exe
C:\Windows\system32\Bkglameg.exe
C:\Windows\SysWOW64\Bobhal32.exe
C:\Windows\system32\Bobhal32.exe
C:\Windows\SysWOW64\Baadng32.exe
C:\Windows\system32\Baadng32.exe
C:\Windows\SysWOW64\Cdoajb32.exe
C:\Windows\system32\Cdoajb32.exe
C:\Windows\SysWOW64\Cfnmfn32.exe
C:\Windows\system32\Cfnmfn32.exe
C:\Windows\SysWOW64\Ckiigmcd.exe
C:\Windows\system32\Ckiigmcd.exe
C:\Windows\SysWOW64\Cmgechbh.exe
C:\Windows\system32\Cmgechbh.exe
C:\Windows\SysWOW64\Cpfaocal.exe
C:\Windows\system32\Cpfaocal.exe
C:\Windows\SysWOW64\Cbdnko32.exe
C:\Windows\system32\Cbdnko32.exe
C:\Windows\SysWOW64\Cklfll32.exe
C:\Windows\system32\Cklfll32.exe
C:\Windows\SysWOW64\Cmjbhh32.exe
C:\Windows\system32\Cmjbhh32.exe
C:\Windows\SysWOW64\Clmbddgp.exe
C:\Windows\system32\Clmbddgp.exe
C:\Windows\SysWOW64\Cddjebgb.exe
C:\Windows\system32\Cddjebgb.exe
C:\Windows\SysWOW64\Ceegmj32.exe
C:\Windows\system32\Ceegmj32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 140
Network
Files
memory/2828-0-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Okdkal32.exe
| MD5 | e31c2e879ee36b7cafc8dd853040d015 |
| SHA1 | c7bb04d8b983faf355db0a758333a6c11f253386 |
| SHA256 | 4c0f3773e4ee1348c47541ffe73f93046cf6cc8e9f25332417b477d38677ba35 |
| SHA512 | 1185ad9a74130ec041195197d0e4a519e13e36810fa03ec35e371b53c0b0f638e91bf24c441b160c141aec289b7647f379bdc7437c46d07358e958058cdfc760 |
memory/3068-14-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2828-12-0x0000000000440000-0x0000000000475000-memory.dmp
memory/2828-11-0x0000000000440000-0x0000000000475000-memory.dmp
\Windows\SysWOW64\Oqacic32.exe
| MD5 | 98845d48881a8271265eb52e275729d0 |
| SHA1 | 349ccfd78a53acfc1fb174abccfd69138e88024b |
| SHA256 | e88b7d0004774ec770c3a2e0e00c0bbc9947bae6fc47b00e849a38df2860c70e |
| SHA512 | 487df9b857189ef636f8fabcbdb585db4eaf71cc89ac400d252afc2f476fba14d60ad8f3bdf5c95a6c678c25606c3e9d2f805ce73109951eb9a82a7637167a3d |
memory/2812-28-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3068-27-0x00000000002D0000-0x0000000000305000-memory.dmp
\Windows\SysWOW64\Ojigbhlp.exe
| MD5 | 86778cfeb1131983bc2f2e29e2b7ec4e |
| SHA1 | 157a5e50eea0947dca721957b8fb0b5506cb7dff |
| SHA256 | ed93e62c5b732a349fde0e39c151a4d4742abe04c461bd07670234461a3460db |
| SHA512 | e938e7dc4d761dfd91b590665a9aa1140b9b264003bf078e6d6cca49e4a0c7e514b12ebaceaa165c313e55ca4817505e6b2c2c97e98e8246c9f8f10e700a2dea |
memory/2812-36-0x0000000000250000-0x0000000000285000-memory.dmp
memory/2700-49-0x0000000000250000-0x0000000000285000-memory.dmp
\Windows\SysWOW64\Oqcpob32.exe
| MD5 | f659c49b4790d52ec64c234c7b893284 |
| SHA1 | ddbb887c592716219f6c569922dcd6cb546a1df2 |
| SHA256 | a0556a1afda98d05a09c3d5a722afb53635a52482f7fbacad108b04f1bacf0c7 |
| SHA512 | b1f015aec9af72e22fd949e39835117202a411098d40869e6de87d203cc3c1e43513b03f8751a5f718b9b8cc6a8495e7b5c053dd5cd50d112611f92654f71ce4 |
memory/2664-55-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Ihlfga32.dll
| MD5 | e354e8e66359b623ecda8a5c591def83 |
| SHA1 | 2c06ebf3d67b54fdcabbac8fcabdd7a2e409983d |
| SHA256 | f08202a92b3c8c5585de15929e4618268cf1ebda205b55e1383b1ae7339971de |
| SHA512 | 4cd1d0bcd54eb9d05e8f682f29e5f7a98252931ed86e6d7ac4b2e7ac6b4cbf6c684b66a9c91b0f9d798a2665bb79fb8c1bce5822d86d75bb1dc40c4520c6ec7a |
\Windows\SysWOW64\Ogmhkmki.exe
| MD5 | de68735f30cd2de41f35caaf902222ba |
| SHA1 | 5f486f6f2289550b3aad5b76ca08bb513cb3a01b |
| SHA256 | 7590233f88c33c3c0350b2607b5dd30c03d19f10483f0fde6a624c40cb4152bb |
| SHA512 | 10bfddae7cb8b68a4a72eb549f2ee2fa17c361f8b9733b339eef354d05e66a8478b3c60252ed80bcb57d2a009558b37eb84f418b396b25c18ca0f81614731b2b |
memory/2664-62-0x0000000000440000-0x0000000000475000-memory.dmp
\Windows\SysWOW64\Pngphgbf.exe
| MD5 | 2622a10acb24bb2e789801c0d7eb9d65 |
| SHA1 | d99d474f0715186879f40252506e44fd53eea4b9 |
| SHA256 | 9b5f25637ee3450a6245e2769323fa40c8574cfdfa6121338161c86807ba4d2b |
| SHA512 | 464d81efad2a9008c7d65b221d58f39c8ab5e2f9fb1cc89db1cba10f1c4468a1bd5a6ed1761f5bee697a760b78465ea3d8903557a4a56aae3db496c830130ffb |
memory/956-81-0x0000000000400000-0x0000000000435000-memory.dmp
\Windows\SysWOW64\Pqemdbaj.exe
| MD5 | 0c60a639ab7066279e7604f37d725138 |
| SHA1 | b96ab376df14d5ef3d9a815d001e8e1e698427bc |
| SHA256 | e7c790bed449bca4eb6ceca96e6fea91090b99f37886be4d228259cf8412cf85 |
| SHA512 | 2af4f647eaf3997d7b18d59998cd03fea1556f28c99a3b7795cff195590bac8d0394607e5dd0c87d375fe5bd7ef09e76eca05a20f2c1d14e46e223586cbd2728 |
memory/2140-94-0x0000000000400000-0x0000000000435000-memory.dmp
\Windows\SysWOW64\Pcdipnqn.exe
| MD5 | d8c72e6e64b91b9b650b248dc7d9b075 |
| SHA1 | f194febab27345f515c7beab179c03975b138745 |
| SHA256 | eb0166427e539711ac1701a352fe3d1eb20366ea5cf7f4fb9313f4bcf434a736 |
| SHA512 | 2673970f797bbd8fad8b88a00880b5b8aa7b137928a35a592f0866a80d43dbb0ce3314f8e613b40ecaf503adaaed17b4ca32f4887cc781aeeecd96beff25de58 |
memory/1968-107-0x0000000000400000-0x0000000000435000-memory.dmp
\Windows\SysWOW64\Pnimnfpc.exe
| MD5 | 418481777008fe3de19020c428075cb4 |
| SHA1 | a1f0e8c528b067adb25e8d3a9846468faaaee654 |
| SHA256 | 6c47007709369510d88635438551b611af4882329dabfd977cad506d8bfd8fc3 |
| SHA512 | 23312fd6a711e6e8692c4c5abf245c03d841672308f8347b49387352bd9c9eac0e3392ffbace782be7577fb404cf3bb29c4a6e7b760a8dd3f81a4f5b392726e3 |
memory/1968-114-0x0000000000250000-0x0000000000285000-memory.dmp
C:\Windows\SysWOW64\Pqhijbog.exe
| MD5 | 86f0efc445410c467df2becb23e5fcfc |
| SHA1 | daa6610c7f89d4d2d2182b007328231770c90228 |
| SHA256 | a261b61c7fca0a38838d05794df158c5ccb7d5117cacd9247c6c52e103faa0be |
| SHA512 | eb816916f2686900b95efd35a8f5e5a033ede233ceb55c4df0ab1c32a891a6a0c84c778f3970009756b46927a80bf93a394cded25543c10d7dde6be26b4f5704 |
memory/2992-133-0x0000000000400000-0x0000000000435000-memory.dmp
\Windows\SysWOW64\Pgbafl32.exe
| MD5 | d6b1193015c31346eaaf00ab79e63c47 |
| SHA1 | 837d37d4d1232dfdb9b1c0a5131dcf0272025dc4 |
| SHA256 | 4406f6a42d703a93306d3970b737fdc0d13a646d191f6328858307f60a06bd34 |
| SHA512 | f5ad35c3cdaed5f87a2ec062e719839aa4a895e4ac5c444833df109514d9dff77f054896f9f15efb2c966e195f41d2b82b416700650f5f637660ee7206513f8a |
memory/2992-140-0x0000000000260000-0x0000000000295000-memory.dmp
memory/1132-159-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Pjpnbg32.exe
| MD5 | ab86c7621d03dcfaa2a9bc776592e3fe |
| SHA1 | f3204ee53f1af62d5f071a43e11d75597192943c |
| SHA256 | 8554c0f7f3478aca315257d60dbac760c93bb6cc4ea07e1867c369b66d223dc3 |
| SHA512 | 837ffe955e7271023efe1a700130975e3c8ac393bb5b3d5f0e7be68493b5089d9068988090c28a38c6ab2b1e9382e5e686ab2105daaa3d466ddf93ef73227aad |
\Windows\SysWOW64\Pqjfoa32.exe
| MD5 | 0728d4e9da9b4589d023be42b92609dc |
| SHA1 | 38baff8205d219a4f1717905dd23c9b0ac0f0f2c |
| SHA256 | b1af690cd28dd20a243a3ece7afb41abf94c9b2054cfd2579d4b6226ed317d4b |
| SHA512 | 9cae76b89af6a3304f660a4464b6f01e103f9aed5de62b7e57434233d57c7ad705dcb28153d91d2a99fa72e7657efb33867fa8cd7f439193d4c9e1474243e24e |
memory/1132-166-0x0000000000250000-0x0000000000285000-memory.dmp
memory/1444-174-0x0000000000400000-0x0000000000435000-memory.dmp
\Windows\SysWOW64\Pcibkm32.exe
| MD5 | b02bda0e77b089cfad0682df9e5be695 |
| SHA1 | 8a7e3db04e9ff2563893267277a35f8d33312808 |
| SHA256 | 0c7403a03c3857f5a269127e4b80d1b8d48878612c3241de0efec08bf0443a40 |
| SHA512 | d7f57c24a68c1b9ef7c441078dd746269fb1f3a4d60aeb189695287d212acfbcc144652f9d37b950b538fc9adc52eb41521f2b2859865a7b2288ca712d3271c0 |
memory/1444-181-0x0000000000440000-0x0000000000475000-memory.dmp
\Windows\SysWOW64\Pjbjhgde.exe
| MD5 | 1f965352149b6f721b19fd1371a205d3 |
| SHA1 | 3ad53045fb1359bdfc9c98bf9d207908c120368b |
| SHA256 | aa5f6077c0b7c4c45931f650f2b50f35f94e42361687d8ca90ea13196aa0a3f0 |
| SHA512 | fea4aae631d9ff994a58d998cdf059ae39b0dc25696339c799e9e496727bec3bbd180a54039cad3efee2856f299196f416ec491898015b1baf12da55da3dfb45 |
memory/2052-193-0x0000000000250000-0x0000000000285000-memory.dmp
memory/2152-200-0x0000000000400000-0x0000000000435000-memory.dmp
\Windows\SysWOW64\Pkdgpo32.exe
| MD5 | a98f14b1fc3ce38274157f5a9576a70c |
| SHA1 | 07df3925413bee9523a75d435a27f11d04669ad3 |
| SHA256 | 47e8be6aab512aa65833593a0ddce7ec220191e3347c4b4a4bd0670921141db7 |
| SHA512 | 274507859366bade193a22b6203b81fa2c417e928a603a187871f192d9f8cfa7acdc9fc0ef3932b4401b09a3198ae67b398373d7e76f5cc99a8ab75f853a966c |
memory/1108-213-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1108-220-0x0000000000260000-0x0000000000295000-memory.dmp
C:\Windows\SysWOW64\Pckoam32.exe
| MD5 | e7e5607bd693ebf32b2c266aabbbb54c |
| SHA1 | 25e63507905eb88d6093b0eb77a16797d7bd2e40 |
| SHA256 | ee9a1b23d2da8d88f2aed577d47b92eba0180b5e51f261735db8b7bdc821d3eb |
| SHA512 | 03aed9b9eb7c35a5efe10cf5ab160f00b32a88f3b9e0f1f867245b4104f547c6ba21ff4cf5a67da7457f62ade85e4779651b39c9f7d6fb791f317f7e96de1b3d |
memory/408-229-0x00000000002A0000-0x00000000002D5000-memory.dmp
C:\Windows\SysWOW64\Pdlkiepd.exe
| MD5 | da0757d57e38654a0cfbf825cc94c575 |
| SHA1 | 4f0e1a4e6537af0dad345482888f8599f857f7df |
| SHA256 | 58b3d6e51cbb5915f51d84cf318efa7089785aa8752282cfaf17c41c47b496e1 |
| SHA512 | 70ec7e5ddc5fc230a978dfaf4b1e2005a3e58086c388881c21f005532c675e567de541d4540305c539bcccf7fe5fc66203a23503425d995e68fa11072ba27fb5 |
memory/2372-238-0x0000000000280000-0x00000000002B5000-memory.dmp
C:\Windows\SysWOW64\Pmccjbaf.exe
| MD5 | ae13ddaa96f970037525128480ba9059 |
| SHA1 | aab3202248b3dd5bd6fefe9715c77bd14b27ee49 |
| SHA256 | 6c1e6d3fa6f75e47a0efb11a618a6a73879c239390ed8c5f9e7ab5e3cdacf438 |
| SHA512 | f231d9295a4cc4a8896328acea06c7d0c6968e8810f5cfbc3a366309b9b3d9b81e7c0f3b267d8143a17de89eb08ab5fd2434a19d05053960be04ef6b7f0a7d95 |
memory/1568-246-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Pkfceo32.exe
| MD5 | 6d85689e6d2a6372d272fa38b5d077cf |
| SHA1 | 0dca478af2ae90144197f0a039b1f96066d35059 |
| SHA256 | 7ff633f6cfab17977dca927bcca7be5b9c59c98962a9a6e59093b18d49e6095a |
| SHA512 | 4754e278c2ec59d4cda3a5a8a06d34911ccb4fe6b46e0be49fd77a4c7d73ece7ef698b1079f92ee27aebd5931339f50cd862273dd82ee2ab3e5efd53dd648c81 |
memory/1908-251-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1908-257-0x0000000000250000-0x0000000000285000-memory.dmp
C:\Windows\SysWOW64\Qbplbi32.exe
| MD5 | 7d1d8816ebf76e57f57a17f7a76a7d75 |
| SHA1 | ff3a1f34e3f3cb1122f7f0896810bb4709ca9a27 |
| SHA256 | 687b52a7db7470aff60b4b8ced5576b4ac0f23dd84e628b1782766a9d365309d |
| SHA512 | 2787664780f39bd0cbdee668d3bfc7125780055e020cd6a8aed1ac067bf80c293c2f2f539e2e2c1befafee3631cb04cbf549a7df9b28cc61e6801322f6256b61 |
memory/1528-262-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1908-261-0x0000000000250000-0x0000000000285000-memory.dmp
memory/2196-272-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1528-271-0x0000000000250000-0x0000000000285000-memory.dmp
C:\Windows\SysWOW64\Qflhbhgg.exe
| MD5 | 7b68c8d534fb6a5e1ddd2658ad735364 |
| SHA1 | d12a6805e89168b7cf9d6f81a1d12e888c626a97 |
| SHA256 | 310c3493281c8332295dd13bca130719f144812d5d21ddb64125619af9849f73 |
| SHA512 | e351263a1378ed676634a9a0edc8417bb1c5e930a35b9603cc1f9bed6197e3e24f1d5ef45b1c8b0ac36ba17e94d5e3e058d8ee3cd959966be5b9991027c915e6 |
memory/2196-278-0x00000000002E0000-0x0000000000315000-memory.dmp
C:\Windows\SysWOW64\Qgmdjp32.exe
| MD5 | f944ef81a79d1f26f5a461974690a94c |
| SHA1 | 37813a5eae6f1b3d0a9aa3362dac4cf245605fef |
| SHA256 | ee61cfa29a950683a453d875d86602a4de794e212e4435bf910344752986577c |
| SHA512 | 8c9b54a69284038bb96474a73f4c4ea9b1a5d587fcd048899d325587631bddfa41ac5b2957a1633575252b933c7d4d78f47bf554206eecc455bc8cd5b2a0668f |
memory/2012-283-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2196-282-0x00000000002E0000-0x0000000000315000-memory.dmp
memory/2012-292-0x00000000002F0000-0x0000000000325000-memory.dmp
memory/1548-294-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2012-293-0x00000000002F0000-0x0000000000325000-memory.dmp
C:\Windows\SysWOW64\Qodlkm32.exe
| MD5 | 5c5daf0f5b1491253b6cad84167a746b |
| SHA1 | 9577dd8ef7655ab958393fea646b6dc21e2cf883 |
| SHA256 | 9330511337717bfe66abd81b07b9659abc6ca2ed95d2c0bb4cab1fd5ad524fba |
| SHA512 | 369cb3c2e9893ae1eb2d4d82de1b6de461a0b56f9c55cb09f36d4f8636782b862943e216192a6ccf734a7475be165f89a90295aa069e37ca6f4067546d8d9c71 |
C:\Windows\SysWOW64\Qqeicede.exe
| MD5 | 6535408ec540997293251fc96fa2b574 |
| SHA1 | 870fc6e9b5d9e6df93f607d2a722851234cacc53 |
| SHA256 | c84785ec45c4ed5e113b9cd37c7824d8d6c26d65dd9bf8836affac698b424d6a |
| SHA512 | 23216a79892f96c12e171cb5d869bbe8a7f4a9485ed54a1d903b5a2c5fefd29653035738e3766fe99351ac73fd3197c876740dd20722d45ed302d9a0df98dd77 |
memory/1548-303-0x0000000000250000-0x0000000000285000-memory.dmp
C:\Windows\SysWOW64\Qiladcdh.exe
| MD5 | dbcf9b2b9b4bc7e51827ab992eb30e6d |
| SHA1 | 17a99ef7e78a240b168e3e2d6e1998535d867a53 |
| SHA256 | a2d1c00ab41fae6857e65889a6c561b3a68c339aa7173901ab627a3f41142764 |
| SHA512 | ca3cc9d6e7adb16a5c286ba1409c865d8861c8d696039682cbb8af66b939bea9a96755d973222acfca24b958a4169bc103c29786dc6536f2003a0ef3db6ab004 |
memory/2248-317-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1124-316-0x0000000000290000-0x00000000002C5000-memory.dmp
memory/1124-315-0x0000000000290000-0x00000000002C5000-memory.dmp
memory/2248-319-0x0000000000290000-0x00000000002C5000-memory.dmp
memory/2248-324-0x0000000000290000-0x00000000002C5000-memory.dmp
C:\Windows\SysWOW64\Qgoapp32.exe
| MD5 | a306f2b39d1a0d9240273307697881d3 |
| SHA1 | 4aafae1894c4a6e296ca06108e85df1b84f126d2 |
| SHA256 | 599de79a24e7958a3269ce01bbe3e13137e5a5173467764c1b2d17ff2f3a8562 |
| SHA512 | ac8a866099e03f1b184d04de5eab03529b49ef6733124be9b5a0293eda63255344af4087cc9881c70db1aa621fba0698d5b8b27c1152641ec6f409012769f4f6 |
memory/2488-329-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Aaheie32.exe
| MD5 | 9228aa40a491acebeb8df58c49db1dc4 |
| SHA1 | d30a303fe5e8286a3c25ab9f22baf0895a22e819 |
| SHA256 | a2f79a1a11c9ab17d7f33fb94c273dad8c79f0eddc1493b42ca24b8d1db7757d |
| SHA512 | 7a76ac2821d8c6efdc06af410abab6ad649cdfdc532ba880e234261453605f0fae0dd1aa85dab5ea35ccd5deed618f0debfd75b0cdd4fcf2d20b38a165622c88 |
memory/2828-334-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2640-335-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3068-345-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2640-344-0x0000000000260000-0x0000000000295000-memory.dmp
memory/800-359-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2812-358-0x0000000000250000-0x0000000000285000-memory.dmp
memory/1868-357-0x0000000000330000-0x0000000000365000-memory.dmp
memory/1868-356-0x0000000000330000-0x0000000000365000-memory.dmp
C:\Windows\SysWOW64\Akmjfn32.exe
| MD5 | e4a90a599fa2e8a3bac206d755085b3b |
| SHA1 | c2302bcf9f273f76582e87148ed9a74b66eaec6d |
| SHA256 | f7f046ea4e6900fe6d244f1c5c28aa40541beee051c0ef9df0df6c27f8fdfe0d |
| SHA512 | 87cf476cb14020567470a858b1208b53e8ffd604be7b6945a391b9aee9342bf6a93b981b05b8bed6d0c4954756af0e8d322fa616a9230d341e50d77933de3ad6 |
memory/1868-351-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2812-350-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Aecaidjl.exe
| MD5 | 9371d735da69b94e28be3b93c9989ec9 |
| SHA1 | 1b889a499ca3ed398e3fe72653d775e96c1d066e |
| SHA256 | b0d866685a6adb794fcdb4863c107b4a3bff41e43849928a744f712e7fa2e9f9 |
| SHA512 | 41d4fedfaca371cf7a240b4117ed717e616bcb90d7532c2f537e9c4178f5a7f7d5f73fc2d9f60e9ecf614d5f2c0074387b8f5963cbe538406dc7950689a1b382 |
memory/2700-364-0x0000000000400000-0x0000000000435000-memory.dmp
memory/800-369-0x0000000000290000-0x00000000002C5000-memory.dmp
memory/1888-370-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Achojp32.exe
| MD5 | 320c629f6186386916f0d598db126a5b |
| SHA1 | 001111ec7718c6fb1622ca8cba2ceb93224c1ad5 |
| SHA256 | 9d5c856d2a5afc1c7cba424ba6673eb2689adf7ee1b2ce507428567cc4cfe294 |
| SHA512 | d8365058682bb6a4b1489653968e5e89d5c74beb4426d0c5e246270bf2d57015d69e62442f3d7bdfd07a8ddcc6aff295ed99a2922d66c8c626df1e5535cf406a |
C:\Windows\SysWOW64\Agdjkogm.exe
| MD5 | 4bef98b8eadc3bcca468e067f8281424 |
| SHA1 | f6e6b40f9861333447bbce13cacdb8d72262f597 |
| SHA256 | a94a96541c44272554d5335a0beddd26788c6f52bb56650eae9157e42a2b88a9 |
| SHA512 | e12cc4899f827a68e5c780a847369f14bf7ef1187d1791e13b6c7e264994935d1050c038b8e5ae004996c0c3a0c20a8879cb6002bef07f78fd1d4937f5870dd2 |
memory/536-381-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2532-382-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1888-380-0x0000000000440000-0x0000000000475000-memory.dmp
memory/2664-379-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2532-388-0x0000000000250000-0x0000000000285000-memory.dmp
C:\Windows\SysWOW64\Annbhi32.exe
| MD5 | 047e100f534da3c13aea67cc75d2547c |
| SHA1 | bd457c8a103ae6dce338c6335475d1284b42412c |
| SHA256 | 16bd2a75853094742c505229ae8e1fe665bd5d3ca065abb71ca993172c9d3f6d |
| SHA512 | 7a65304d7dcd10f3649e1fe34dcf79f874dbfb3d836d9e411aeee6bfc584a8dd1a99708cb9ebe7b0786646d813d6f707bdd3d928da5a2041a8e799329ef2d747 |
memory/1680-397-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2140-406-0x00000000002C0000-0x00000000002F5000-memory.dmp
memory/2140-405-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2676-402-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2676-404-0x0000000000250000-0x0000000000285000-memory.dmp
memory/956-401-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Aaloddnn.exe
| MD5 | 05a3ac159c1b99b1e4fb381cae613b01 |
| SHA1 | 0f9db003a9c50760eb5dc79e6674852596c28a35 |
| SHA256 | d73480c36db37a088877b58e787047287972bf88efe8ef497557b6f1fde9bb24 |
| SHA512 | fe99a0f67817d6b3983b275f14b1cbf85ad21533a8704c50bfbb3bd15a663a76c8d06c69bd0afafc62aa3cd871e9a1bf81d2c242eb851f265f7df29f209b0a04 |
C:\Windows\SysWOW64\Apoooa32.exe
| MD5 | b521d331d8be77149d986a8642b2fcb7 |
| SHA1 | f96bf79b0194d17bd49034158f6f0dc48302cce0 |
| SHA256 | 6604439a120b15fabab276963e7f38800d12870b40b4f09f0453c8597709553d |
| SHA512 | 355b1d76f7995bb600ef007120f471caeaa44f5a0978b32b1fe73398be8124e91731830dc8bd9fb716eaf938a2c0320a7928abea5e9d9b48f556c0516c57b1e6 |
memory/2864-415-0x0000000000260000-0x0000000000295000-memory.dmp
memory/2944-418-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1968-417-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2864-416-0x0000000000260000-0x0000000000295000-memory.dmp
C:\Windows\SysWOW64\Amcpie32.exe
| MD5 | eef888f06fb0c0fdecaf621f5d6b2063 |
| SHA1 | 2b63dcb5d397b7334b197aa85095fa55c232c439 |
| SHA256 | 8c2b71175d361d1aa73d6cec82375629170441ea3f4743de30d9d2d39ebd1382 |
| SHA512 | a72c8d9bc763b0a2231228572978cbc4329105402243a7af7b5da11f535ae416b1bfaa03f7d4938e4442437a20eaafd5ca83a8d0399a6603615199eb48727eaf |
memory/2944-424-0x0000000000440000-0x0000000000475000-memory.dmp
memory/2944-429-0x0000000000440000-0x0000000000475000-memory.dmp
memory/2568-428-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Apalea32.exe
| MD5 | b542c55d1d3a0878eeeb8fd6509a503e |
| SHA1 | 8132c51a36b619e0fad9c8ae035f087cf512d0e5 |
| SHA256 | 489d8df428463bfa75ff2708215656430a1d1a06c75994f5276311b006fcd7df |
| SHA512 | ed63da8a4502eb8f130d1be2af0cd385959e589bba24903108be0e17433b38c82d26f733ba9370990f7ae9b9c3bb4fbbb0940cd7dc3730d119d1149fcab5fb0c |
memory/2780-435-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1420-440-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2992-439-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Ajgpbj32.exe
| MD5 | 60fa14e6ab43daf2837ec491b707d34c |
| SHA1 | d41d8f16656a465d5c77e7afe5785d1cdd449280 |
| SHA256 | ca53c36bb9b53e7f313e61b0cec5ca200d7038cc2b147abf51937c946f3d11f7 |
| SHA512 | 767ed10dea46f585c03744fa70769328572eb8cefbbcd21b7d0806ad0741ed9e53def5efdc96183cc280f07047dee61063c6c8b38a78bcd2b7470c17977fdb8b |
memory/3040-450-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1420-449-0x00000000002D0000-0x0000000000305000-memory.dmp
memory/2556-455-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Amelne32.exe
| MD5 | 649ec6ae6cfd63994c86e6a0722aaab3 |
| SHA1 | a34ae73eff7514e6074b3b42ddf684175a976916 |
| SHA256 | 44be65919fd7c3e7529a7ebb91ad42940b8c1bd543acc188b9b87708b9130a74 |
| SHA512 | 7c0720c4aa0382dd04c6c19cf23ab854c5a27c2c6c8529aa31c367d0e4d5d02913c66540cb8b7820f287e9996070ab7060c1482c2b71140bac1aa4ac9dfd0339 |
memory/1500-461-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1132-460-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1444-470-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Apdhjq32.exe
| MD5 | b9d2584488dbee7a25a57cb00a3fe95a |
| SHA1 | 64afe7fd9973a4429b2e7ca56255655f3e516634 |
| SHA256 | cf7845c986a7c85ecffea84f6f9aaf08cc94b057d1d4495a893c52cf35030d3c |
| SHA512 | 970b55aecdcb6ef3fae046e99462f7e35864cb965226a6de3d39edbd14aedc1424e9f4efc4e049e93013fe3b426c37dd02b0191fe3d4d3d31645c56fdb575063 |
memory/2324-471-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Acpdko32.exe
| MD5 | 3cd007e791ffada49449aae84578c626 |
| SHA1 | ddf9362007500fb62554a87f3774d7a0990f7616 |
| SHA256 | 9d296908f1c384196d399d6bb5089bda39ad1958f71d064ea19c55962cf84321 |
| SHA512 | 8e5bc2058c3686ac4aae119e404fb97f216a30c28d4fcd90ffd901fd9add9bc4e345fcb1c3cb5760c2f58a2cd57abd83ce0b99822eae01e152a07e749fbb79af |
memory/1004-480-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2052-486-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Abbeflpf.exe
| MD5 | fbe80817407c21d284dd661cf8a9e202 |
| SHA1 | cb82a3fab0a930813b1cc0c5c386aa0503060566 |
| SHA256 | 8962d30e656b05b89e9f028091fa98d1e6098bc8e59b0eb9cec1f2a2bd20d216 |
| SHA512 | 64d8380c79e6fcc57017f2c342d382f911a0ee0d7b750ef2d017a6ef9bdd9d4dbaacda93ed14750fe06f720d9b8d3053fa79180423657b5eaa581385e21532b1 |
memory/1004-490-0x00000000002D0000-0x0000000000305000-memory.dmp
memory/1364-491-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2152-500-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1060-501-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Aeqabgoj.exe
| MD5 | 8e5d6156fe0569bef3511d565ff41a5c |
| SHA1 | 43416d02a4fc576a5f34d43525c761e576923a65 |
| SHA256 | 448de70d06f13f45a547c9b0442cee97f9a66967c54251ffd95b9b9f4ad126ab |
| SHA512 | 631aebdac05f70785c354539ab4cb5f0f8ce99c24597c44540bea514a63d0662a0baf5e745344d30e3be82cac6cbd3688ce438cf851c756425d7a3e350bfe3cd |
C:\Windows\SysWOW64\Blkioa32.exe
| MD5 | fc42004565bd84516280bd5b316a5adb |
| SHA1 | 6529306047a2d48d966a8a9318e9e5cc96429943 |
| SHA256 | b870f81bba10684f373b857868c320a1059529e8d981a7f4405bc5606ed13d17 |
| SHA512 | 8e5807af9618e19d1db85a234ebd577880d77528582f86c5560bb2be79b872005b063677cab1852908d686974b37f5287729f63c73c19c7d1bd4c05a5c6ca241 |
memory/1108-506-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1388-511-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Bfpnmj32.exe
| MD5 | 064ebe76ac3a8100461ec1f0a9369602 |
| SHA1 | 9f2e4480632f8bca82b3d8a581f43bbf9b1f14c6 |
| SHA256 | c1cf6eead95cbf87a172ee89acae793f0e8fb5257b8cdb3aa040afcacf01f29e |
| SHA512 | 176a1b49934863e251b87b4975ae97d61fa2205c594411cc343fe5ae1178430d52490b652308e13f2089cc402ecf48eb251208271dbebc402ee016badea3c8d8 |
memory/408-520-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Biojif32.exe
| MD5 | 4deed635edaad4071ab2f4d51c10433f |
| SHA1 | ee88ecee903d85133a24e972c2c1bfa897a66916 |
| SHA256 | 54870fb0a975c8ff1abd3f1383d4595a870efe0e5b9b0713620069788387a8f2 |
| SHA512 | 5612853dd5ccdc382c3e00ac72fac3b72808a31021701b8f0d74603f6fff6f0823629c44fbcdb9a7ad20b4241a187ba43c6cca50dfd47eca76c10a745d22272c |
C:\Windows\SysWOW64\Bphbeplm.exe
| MD5 | 13f27375023f2f947525a217e8b60ba8 |
| SHA1 | b8019c1c0b0b8d00333abf02f0a4a3f96c460a0e |
| SHA256 | df65bafc18c247379f81bd8803fde389a871931a1de4f9a6e93f89d6dcd5a1dd |
| SHA512 | 1342d0c3dd1926f40d58b5668b7dc0833b675196823b518d572c753d1548d5d87c771e95292a4d7957d9e2b5460be30b75de1468aad8cd601011518fea322f90 |
C:\Windows\SysWOW64\Bbgnak32.exe
| MD5 | ffe4cfc241a5fc468cafe91f12c73f15 |
| SHA1 | 2b24f2cf7c0cd021ab9de45b0583cfbd5b6557fa |
| SHA256 | 3dd60e436e8d7baa2f56d965d451e371c50a24593b8c859b5e13bedd03308fbe |
| SHA512 | 2e2e8e2c8503a45d8be8529cddc82a0dbbc5088deedd8e6c11ebd4aaf44e514088da7edbb8bb29d459c6bba6a3ea8f86d3fb6baf72c79319be3d819c609154d8 |
C:\Windows\SysWOW64\Beejng32.exe
| MD5 | 54dc6c3b06cde3b31b0a120eb5f1ac7c |
| SHA1 | 63da40e5fe3e990a871f1d05bfa2c8186b2cb9f6 |
| SHA256 | 63ffcc5a80b3a2abd9fdd8660655d33225a7206abdb4fefb8947e94e423858a5 |
| SHA512 | d780e94cc5a8257d86773e5c4d29e7de29e74f7de669fe677c3d5ec8cf26633552f1b6ff7d2342cd1b941cea7b6753c836ee4727383c7a7e6ef53f8a5642afa1 |
C:\Windows\SysWOW64\Bhdgjb32.exe
| MD5 | 348730aca3765ce0fefc037fe6d15c08 |
| SHA1 | 5b4d8845df389d4b9ac8941e55e278fc2183438c |
| SHA256 | 2bdac79bef31ffc213cb48f67ae0f87af918a77c7e6ae1a86c71e3aaa4520e9c |
| SHA512 | bf817e4217dee7cf8c377baa1f352b6135bb0ef0e31c063ed60c884d59dcf80525588406bb8f4dd191f02b80f450e65f802cbb4f7c4f02aa82bd7b0769cb0f4e |
C:\Windows\SysWOW64\Bonoflae.exe
| MD5 | 0a10c7598d6c1f81acfd148903d29cde |
| SHA1 | 8158b58dcf67b2bbe9ed70a0959638c960b70126 |
| SHA256 | 83714a3acdfc0c984914c64f81df91c371e31ef6e22b21c801d2f96a5b675fc9 |
| SHA512 | f0f8ef767221a276405a27fe4cc72de33d3d6e861732eae7200fc006202156c355db622e035a9c992514ab21aeb4eae3521b23f898279c848658ee06f84ed338 |
C:\Windows\SysWOW64\Blobjaba.exe
| MD5 | c1e12190a4d2b1189e3f6a337e961bc9 |
| SHA1 | f37da382f10c98b0cb25787f6f93d4af5458f6f5 |
| SHA256 | d914e5d59d86a2f00405a45560b89c6c174ee416402f427f7f67f985b4d59020 |
| SHA512 | d5083625daa5319d1293e73f807804c40461a299fb713518bb9617899d084d940fe05b13bcfc78c25bf519afc41ec2219f6256c3dde01abed6f2dac2aedcd629 |
C:\Windows\SysWOW64\Balkchpi.exe
| MD5 | 8e1e3bf30eb596b7cf69f963344fb14c |
| SHA1 | 05282cef22f5b49dc60c591b0bf71abebdd40c42 |
| SHA256 | 3c1ba1c4dcb60e599b522c14a4abf846724b448e95bc09523c950cebd5f92e46 |
| SHA512 | 131f037f885fe67a4dc818796817502220af60d6faab2f2b870c855782a93ab60f5b724cf57d1fb641da5b80c66d2c7b0478415660ea50d344a65f472bf508ea |
C:\Windows\SysWOW64\Bhfcpb32.exe
| MD5 | 32004cdf69736f73ae6d99063e5f0955 |
| SHA1 | c452bcc9591b01e31cd24d47080166cacc2b0141 |
| SHA256 | d991685772818c57c5fdbec89d43e1a0c3ae7a3b2ce46673bc78a64679a96f47 |
| SHA512 | 1f1f7ef8a817c47946e0f482219231e342cb7a4d2cb1e6b7f97384573dc1f356412b59e2dccf51250f455e992d75e59ce719029cdaada35f05cdde8d00405945 |
C:\Windows\SysWOW64\Bjdplm32.exe
| MD5 | bfccc4077aed70e29e1f2aecde48c09a |
| SHA1 | aa255097b7c5d47955c820a2390696685c562d98 |
| SHA256 | cb44f042a6b89522e105cb9d3399f767d57cd8e4074222e737ff5a1ede9cce3f |
| SHA512 | 25461d43c656a82731fe2208ed7e24bdb37d4f90e3604fc0288b4332001b51bb0855562c1923682675e8832ffb921d1f7b4356c03921216c3ff9a489f87a5c2f |
C:\Windows\SysWOW64\Bmclhi32.exe
| MD5 | 5474d5f6da21bc6bf5ed8418d60a0fd3 |
| SHA1 | 0eac29b05d19f9c93a633250cf4784ec758d5648 |
| SHA256 | 927da4f467b4a0901f4a0158c590c199fe6d6baa7f184d3a2f85ad47f371551d |
| SHA512 | d2696f8fe0574441816156d3d83dc73081b949616e60533c901b3eea9790188a9a89931a83b0f2d1c5136bf1fd96c15df0020505160210861ee9161b7e6650f3 |
C:\Windows\SysWOW64\Bejdiffp.exe
| MD5 | 7f5fefa256286f7582432014a4f66033 |
| SHA1 | fbfe93af762138eb9618d7f9c756abc35ab4a7fb |
| SHA256 | a1972a42bbbbe11a66f1bb083600d040bcd30aab5626001ccb2fe0460e17e225 |
| SHA512 | ded462cf1881002c96c768fcbd9c29032cada47ddb3e450cedc86c026d6421b44f73bd86c979778365bde49e601477f35f4a1c07cb3b1896ea71e4b56ebeab67 |
C:\Windows\SysWOW64\Bdmddc32.exe
| MD5 | 8ce01e0cb23765f9465c5a1c79159d7a |
| SHA1 | 7235b8b0c27fce8a79e4533a181825fadf2de4d7 |
| SHA256 | dc8d2125dd612c658379776dae6239259fb3455780c2421448254783fd37049b |
| SHA512 | 64c250313cf46e92a0b07fc2cd4dcf119e523f4f4adbb839e7f80c82752792e18d5605344826020b047a850ba1914de204b357b403da5601056729f1266ce59e |
C:\Windows\SysWOW64\Bkglameg.exe
| MD5 | 8035729cfd72b6eb0741fb9e58662d2b |
| SHA1 | 42d1bbb1526cc21ec53939a44ba9df51f0539469 |
| SHA256 | 4c10397a98fcf61b88cbace5b780b07c313a24be8f6abd28641a23da6cd1f2fd |
| SHA512 | 9d334c5c02e01001aac2f82a4c9a28d569abe6d9bdf6de478f1df2474b38fcfcdaca4b3d21f9c366e5c07080f8d82b751087eddcff91c2d937828bcb77d0229d |
C:\Windows\SysWOW64\Bobhal32.exe
| MD5 | 6611ae14c8aa22dbe1bac230d333f3f8 |
| SHA1 | 139d60149454ee50b1ab9c7ab52ffc8f1c03cb18 |
| SHA256 | 42d414f6c9aa5cddd939007a81fe5ef49b7b3033f366a0653821e6c467d53c99 |
| SHA512 | 406cc466aada1d7d248e351dbe45a35aa2f91e363301637aa1f9df8003b2673087e092ef0fa7314918cdd4789b05fcb0b97967df262967eefac52957c320c267 |
C:\Windows\SysWOW64\Baadng32.exe
| MD5 | 9baae3d1f2575a8c6c5b7e5a1b0dd768 |
| SHA1 | d580f4b0cf5da7ab6a18c6f01f1437131a881aa6 |
| SHA256 | 4398d7a6480ea3fd614846e70f2b0ae656d3636fe787317db853176649cdb21b |
| SHA512 | 22a05f791c11b13f7adb628d250d3193b38afefb89bd81fb5b27dab497d4fac7a9b73fe67792a1a1dd775ea989b55000b43608201d17f5a574316ff68f44577e |
C:\Windows\SysWOW64\Cdoajb32.exe
| MD5 | 9b28a85228d03d4c032f75fc53b51284 |
| SHA1 | 41e65ee78e08887009bbdc8b98b417879e7c75ed |
| SHA256 | 6f75ac45fe22e89642dcea48ce454dc56676db882caf981fa494c4856056ef02 |
| SHA512 | 300dba8ee935602a7e9478625e4bebcabd0f829e23f56398c905b10343dfbfd217ad5eca9ad76fc96e9620f049e79e7e5a07722bcd1c8167fab840c7d149c303 |
C:\Windows\SysWOW64\Cfnmfn32.exe
| MD5 | 0e03947bb01b82649d2a43f1dec5faa1 |
| SHA1 | 7542fc443c81c3e1a76f47ffa7edc06c3536a63b |
| SHA256 | 80fef69074b9afffdc29361810461b16ff929c49155e6331de057f988b359870 |
| SHA512 | 1265f2bfff3643edbca460e27d3989ffb40ce9cf4c77ec2be9e84971c4fd4d11cfab85150c91f157045a0b34ebba5c3de9624e87f0c69d45cbcee66d2b2e1a47 |
C:\Windows\SysWOW64\Ckiigmcd.exe
| MD5 | e4f4c0647f720ec12ad6d5cc18ed121d |
| SHA1 | 91a2e41f1a55871df8ea373471d1c063e5a1f6a6 |
| SHA256 | 6955083eca10fb3be068af772adc76e651c46b7447279b931c42273d8cec363e |
| SHA512 | 1abea8ec1ba62c773d91394172bd35de83477b0ddb806f0272a5f9b5a57235704aa1ce76df1f97a50677209f20ddd52053f455924ffc02b34847e9017947034d |
C:\Windows\SysWOW64\Cmgechbh.exe
| MD5 | d290f46c775a3979647206603897f965 |
| SHA1 | 179416a57aca4987241da0f3652be03b3467541f |
| SHA256 | ebdba3b73ee2c6c6b188dea854de8154ec50c825d26ff4adf4fb3d90bc2a2a0f |
| SHA512 | 3ce9f5bfa141e33ccf8438dc8a259c5163833984280f45fb2b294c3b1385cc39db25f57284d96f5bd70c9d8242f1342cf643c0af959110d8d67727ae2033a0da |
C:\Windows\SysWOW64\Cpfaocal.exe
| MD5 | 8dda74bbda79bbf2879fd102da6b1cd7 |
| SHA1 | ecdece9827091a53faf70dec0bf21539ef28acb0 |
| SHA256 | cc306ec651ca7bd6da02a6be7206c148dbac45286262a8f91ce1b9a2a6973191 |
| SHA512 | 9d0960723f34216ff88cd5b74cadceb4c12677b4bb62a02c5f16063934859e4375b6bf6aa07146f3aecae2980d6fe4b04959b8f3c677f1391ffa6cb555958b0c |
C:\Windows\SysWOW64\Cbdnko32.exe
| MD5 | d5c37258dfb0ab092f5701a4601766b3 |
| SHA1 | 47de7db6a58d4be24e0742baa2e8b38fcad54257 |
| SHA256 | 073bfe28a98df6c56ab0d8fc207f174f419c389cc87087d31ff8d8fafae41935 |
| SHA512 | 071b8a7f27287f755248755deee0e2167daa2458e3fb5cf8a20fc285436d3fa2d0b63c5301f293381adaa12fac8760cfe6819bdaa827b0c1f3677230347d342a |
C:\Windows\SysWOW64\Cklfll32.exe
| MD5 | 33df0070b0a04cae2cfac6b627529dd9 |
| SHA1 | 398f39355488194236e8c3a976430c0f002c19f8 |
| SHA256 | 1e929f9dd4e5aaff80b4c4fec7b0f2f5fb5021f8a2278bc3bae1d573eb6b4a08 |
| SHA512 | a38979c30b9d48d9611875c1c349853667dc91828f5d7f58b04a1717702070dab50aee7e35d1e40a418c1f3eb52863cab57db596507cb3d99aef931cb946c684 |
C:\Windows\SysWOW64\Cmjbhh32.exe
| MD5 | 3df8b3ca382bed6de5d55c764f43b524 |
| SHA1 | 4c84dc286e860459d0c620d7056c2c3d1cf19059 |
| SHA256 | 9be0864e6723dcec494bc8210fa3cdee1d9b4cfca0bfab285350be46294bb8d6 |
| SHA512 | 7446b7b227dc355c8c9d78f442491f3f9206e614ff9a9a05cc894aa3783ff3ab76526c139d7c2f20ac20c4777344896d0052168668f6496d7eaa38aa503532c4 |
C:\Windows\SysWOW64\Clmbddgp.exe
| MD5 | 9ad972fe847a79cf98531d20b7a033fd |
| SHA1 | 4da8c2010e65448bc292a2bf9f59f67e946912aa |
| SHA256 | 2572e255ad3a39d113821d65bef2c174b8c24b85254e0223d1cad85b4c548630 |
| SHA512 | 12eb4aaba1c70224866c67dc37566e3c7a9355fc575cd1445c7e6a9d50869d274420b2cb65ff5bbfabe32afaf09ada772c3b6375f08baac82cf9238fc756ad61 |
C:\Windows\SysWOW64\Cddjebgb.exe
| MD5 | a429e852f8658a72e1278930282bf39d |
| SHA1 | 15449db0f1ab5473de9ceb321aa05afe96bc8969 |
| SHA256 | 403b79059df37bb5a7c2e46ea9b9701859a89841de9178a4e1542b8a58015c85 |
| SHA512 | a98fbf29810e4c275029c872e13726c5cbd75cbda4e4f91e25bae4bd502ca18319b4dac9bc76f678c79718c40bb0b3bd8402efd4393046932b83b5da3e50cc22 |
C:\Windows\SysWOW64\Ceegmj32.exe
| MD5 | f71f8794021167de09c391ac8d1d4c69 |
| SHA1 | 40ff125caf674b349a372491ff1ee97f00b07a44 |
| SHA256 | 54f9657d6f8736b6f0edc3df6898da8a6bb39745b8db868d69f5bdf658d4f698 |
| SHA512 | c954373bbde297cfa935b42e9b053ee19d3edcbbdf2068a178d66a86555579d4d54d3b404b93b7bf0faa1be6c43bf2bb1c828ae1c1b0114f7256ce93017c5b2b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:56
Reported
2024-11-10 01:59
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dodbbdbb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bfabnjjp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dogogcpo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dodbbdbb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfbkeh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Djdmffnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Agoabn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Djdmffnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bganhm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dknpmdfc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bgehcmmm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ceqnmpfo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dmcibama.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmngqdpj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Beeoaapl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Chagok32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Chagok32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cajlhqjp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aadifclh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Aadifclh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cenahpha.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dfpgffpm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bmngqdpj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ceqnmpfo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Agoabn32.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Fqjamcpe.dll | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| File created | C:\Windows\SysWOW64\Flgehc32.dll | C:\Windows\SysWOW64\Cenahpha.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dhhnpjmh.exe | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ebdijfii.dll | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| File created | C:\Windows\SysWOW64\Bclhhnca.exe | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bclhhnca.exe | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bmemac32.exe | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| File created | C:\Windows\SysWOW64\Dchfiejc.dll | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aepefb32.exe | C:\Windows\SysWOW64\Aadifclh.exe | N/A |
| File created | C:\Windows\SysWOW64\Agoabn32.exe | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Beglgani.exe | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| File created | C:\Windows\SysWOW64\Djgjlelk.exe | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dodbbdbb.exe | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| File created | C:\Windows\SysWOW64\Phiifkjp.dll | C:\Windows\SysWOW64\Bfabnjjp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjddphlq.exe | C:\Windows\SysWOW64\Bgehcmmm.exe | N/A |
| File created | C:\Windows\SysWOW64\Fnmnbf32.dll | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cndikf32.exe | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cdhhdlid.exe | C:\Windows\SysWOW64\Ceehho32.exe | N/A |
| File created | C:\Windows\SysWOW64\Djdmffnn.exe | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmcfdb32.dll | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Doilmc32.exe | C:\Windows\SysWOW64\Dknpmdfc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Agoabn32.exe | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Leqcid32.dll | C:\Windows\SysWOW64\Bganhm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjddphlq.exe | C:\Windows\SysWOW64\Bgehcmmm.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmqmma32.exe | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmgbnq32.exe | C:\Windows\SysWOW64\Dodbbdbb.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmhnkg32.dll | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| File created | C:\Windows\SysWOW64\Mkijij32.dll | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cffdpghg.exe | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| File created | C:\Windows\SysWOW64\Calhnpgn.exe | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| File created | C:\Windows\SysWOW64\Doilmc32.exe | C:\Windows\SysWOW64\Dknpmdfc.exe | N/A |
| File created | C:\Windows\SysWOW64\Beeoaapl.exe | C:\Windows\SysWOW64\Bmngqdpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmpcfdmg.exe | C:\Windows\SysWOW64\Bgcknmop.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbloam32.dll | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cmlcbbcj.exe | C:\Windows\SysWOW64\Cfbkeh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Calhnpgn.exe | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmcibama.exe | C:\Windows\SysWOW64\Djdmffnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Gidbim32.dll | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bmpcfdmg.exe | C:\Windows\SysWOW64\Bgcknmop.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmemac32.exe | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| File created | C:\Windows\SysWOW64\Lfjhbihm.dll | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfpnph32.exe | C:\Windows\SysWOW64\Cenahpha.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cfpnph32.exe | C:\Windows\SysWOW64\Cenahpha.exe | N/A |
| File created | C:\Windows\SysWOW64\Eifnachf.dll | C:\Windows\SysWOW64\Cmlcbbcj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmcibama.exe | C:\Windows\SysWOW64\Djdmffnn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dfpgffpm.exe | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bgcknmop.exe | C:\Windows\SysWOW64\Beeoaapl.exe | N/A |
| File created | C:\Windows\SysWOW64\Hhqeiena.dll | C:\Windows\SysWOW64\Bgehcmmm.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmnbeadp.dll | C:\Windows\SysWOW64\Bmemac32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dogogcpo.exe | C:\Windows\SysWOW64\Dfpgffpm.exe | N/A |
| File created | C:\Windows\SysWOW64\Elkadb32.dll | C:\Windows\SysWOW64\Daekdooc.exe | N/A |
| File created | C:\Windows\SysWOW64\Okgoadbf.dll | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| File created | C:\Windows\SysWOW64\Naeheh32.dll | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bfkedibe.exe | C:\Windows\SysWOW64\Bclhhnca.exe | N/A |
| File created | C:\Windows\SysWOW64\Kdqjac32.dll | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| File created | C:\Windows\SysWOW64\Chagok32.exe | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dfnjafap.exe | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ohmoom32.dll | C:\Windows\SysWOW64\Dogogcpo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Beeoaapl.exe | C:\Windows\SysWOW64\Bmngqdpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Beglgani.exe | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| File created | C:\Windows\SysWOW64\Ceqnmpfo.exe | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Banllbdn.exe | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| File created | C:\Windows\SysWOW64\Mogqfgka.dll | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| File created | C:\Windows\SysWOW64\Jekpanpa.dll | C:\Windows\SysWOW64\Cajlhqjp.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmllipeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmqmma32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dknpmdfc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bganhm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfbkeh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aadifclh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgcknmop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmemac32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dogogcpo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cenahpha.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Beeoaapl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgehcmmm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bclhhnca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfabnjjp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ceehho32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ceqnmpfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmcibama.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmngqdpj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfnjafap.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfpgffpm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmlcbbcj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Djdmffnn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chagok32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Daekdooc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dodbbdbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Agoabn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cajlhqjp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll" | C:\Windows\SysWOW64\Chagok32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll" | C:\Windows\SysWOW64\Ceehho32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll" | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dogogcpo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll" | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Beeoaapl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll" | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cmlcbbcj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll" | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bgcknmop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll" | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll" | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll" | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll" | C:\Windows\SysWOW64\Cfbkeh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Delnin32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cmlcbbcj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll" | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll" | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll" | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Djdmffnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bclhhnca.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dodbbdbb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Daekdooc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll" | C:\Windows\SysWOW64\Agoabn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll" | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll" | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bclhhnca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bmemac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll" | C:\Windows\SysWOW64\Cenahpha.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dmcibama.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bmngqdpj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll" | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll" | C:\Windows\SysWOW64\Bclhhnca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll" | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll" | C:\Windows\SysWOW64\Dmcibama.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dknpmdfc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe
"C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe"
C:\Windows\SysWOW64\Aadifclh.exe
C:\Windows\system32\Aadifclh.exe
C:\Windows\SysWOW64\Aepefb32.exe
C:\Windows\system32\Aepefb32.exe
C:\Windows\SysWOW64\Agoabn32.exe
C:\Windows\system32\Agoabn32.exe
C:\Windows\SysWOW64\Bfabnjjp.exe
C:\Windows\system32\Bfabnjjp.exe
C:\Windows\SysWOW64\Bebblb32.exe
C:\Windows\system32\Bebblb32.exe
C:\Windows\SysWOW64\Bganhm32.exe
C:\Windows\system32\Bganhm32.exe
C:\Windows\SysWOW64\Bmngqdpj.exe
C:\Windows\system32\Bmngqdpj.exe
C:\Windows\SysWOW64\Beeoaapl.exe
C:\Windows\system32\Beeoaapl.exe
C:\Windows\SysWOW64\Bgcknmop.exe
C:\Windows\system32\Bgcknmop.exe
C:\Windows\SysWOW64\Bmpcfdmg.exe
C:\Windows\system32\Bmpcfdmg.exe
C:\Windows\SysWOW64\Beglgani.exe
C:\Windows\system32\Beglgani.exe
C:\Windows\SysWOW64\Bgehcmmm.exe
C:\Windows\system32\Bgehcmmm.exe
C:\Windows\SysWOW64\Bjddphlq.exe
C:\Windows\system32\Bjddphlq.exe
C:\Windows\SysWOW64\Banllbdn.exe
C:\Windows\system32\Banllbdn.exe
C:\Windows\SysWOW64\Bclhhnca.exe
C:\Windows\system32\Bclhhnca.exe
C:\Windows\SysWOW64\Bfkedibe.exe
C:\Windows\system32\Bfkedibe.exe
C:\Windows\SysWOW64\Bmemac32.exe
C:\Windows\system32\Bmemac32.exe
C:\Windows\SysWOW64\Bcoenmao.exe
C:\Windows\system32\Bcoenmao.exe
C:\Windows\SysWOW64\Chjaol32.exe
C:\Windows\system32\Chjaol32.exe
C:\Windows\SysWOW64\Cndikf32.exe
C:\Windows\system32\Cndikf32.exe
C:\Windows\SysWOW64\Cenahpha.exe
C:\Windows\system32\Cenahpha.exe
C:\Windows\SysWOW64\Cfpnph32.exe
C:\Windows\system32\Cfpnph32.exe
C:\Windows\SysWOW64\Cnffqf32.exe
C:\Windows\system32\Cnffqf32.exe
C:\Windows\SysWOW64\Cmiflbel.exe
C:\Windows\system32\Cmiflbel.exe
C:\Windows\SysWOW64\Ceqnmpfo.exe
C:\Windows\system32\Ceqnmpfo.exe
C:\Windows\SysWOW64\Cfbkeh32.exe
C:\Windows\system32\Cfbkeh32.exe
C:\Windows\SysWOW64\Cmlcbbcj.exe
C:\Windows\system32\Cmlcbbcj.exe
C:\Windows\SysWOW64\Ceckcp32.exe
C:\Windows\system32\Ceckcp32.exe
C:\Windows\SysWOW64\Chagok32.exe
C:\Windows\system32\Chagok32.exe
C:\Windows\SysWOW64\Cajlhqjp.exe
C:\Windows\system32\Cajlhqjp.exe
C:\Windows\SysWOW64\Ceehho32.exe
C:\Windows\system32\Ceehho32.exe
C:\Windows\SysWOW64\Cdhhdlid.exe
C:\Windows\system32\Cdhhdlid.exe
C:\Windows\SysWOW64\Cffdpghg.exe
C:\Windows\system32\Cffdpghg.exe
C:\Windows\SysWOW64\Cmqmma32.exe
C:\Windows\system32\Cmqmma32.exe
C:\Windows\SysWOW64\Calhnpgn.exe
C:\Windows\system32\Calhnpgn.exe
C:\Windows\SysWOW64\Dfiafg32.exe
C:\Windows\system32\Dfiafg32.exe
C:\Windows\SysWOW64\Djdmffnn.exe
C:\Windows\system32\Djdmffnn.exe
C:\Windows\SysWOW64\Dmcibama.exe
C:\Windows\system32\Dmcibama.exe
C:\Windows\SysWOW64\Danecp32.exe
C:\Windows\system32\Danecp32.exe
C:\Windows\SysWOW64\Dhhnpjmh.exe
C:\Windows\system32\Dhhnpjmh.exe
C:\Windows\SysWOW64\Djgjlelk.exe
C:\Windows\system32\Djgjlelk.exe
C:\Windows\SysWOW64\Dmefhako.exe
C:\Windows\system32\Dmefhako.exe
C:\Windows\SysWOW64\Delnin32.exe
C:\Windows\system32\Delnin32.exe
C:\Windows\SysWOW64\Dfnjafap.exe
C:\Windows\system32\Dfnjafap.exe
C:\Windows\SysWOW64\Dodbbdbb.exe
C:\Windows\system32\Dodbbdbb.exe
C:\Windows\SysWOW64\Dmgbnq32.exe
C:\Windows\system32\Dmgbnq32.exe
C:\Windows\SysWOW64\Ddakjkqi.exe
C:\Windows\system32\Ddakjkqi.exe
C:\Windows\SysWOW64\Dfpgffpm.exe
C:\Windows\system32\Dfpgffpm.exe
C:\Windows\SysWOW64\Dogogcpo.exe
C:\Windows\system32\Dogogcpo.exe
C:\Windows\SysWOW64\Daekdooc.exe
C:\Windows\system32\Daekdooc.exe
C:\Windows\SysWOW64\Dhocqigp.exe
C:\Windows\system32\Dhocqigp.exe
C:\Windows\SysWOW64\Dknpmdfc.exe
C:\Windows\system32\Dknpmdfc.exe
C:\Windows\SysWOW64\Doilmc32.exe
C:\Windows\system32\Doilmc32.exe
C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4848 -ip 4848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 408
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/4392-0-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Aadifclh.exe
| MD5 | d9a7e70253e7254cbe251bda0af1fc08 |
| SHA1 | 015226feea70ea5b47e77cf9934cca8021c9fb6a |
| SHA256 | 7b6f2016cd007b0f435e42377ec444c0aa4ab15f09edf8aa6051b9bcf6ff64bf |
| SHA512 | cb0273ca51c520cfd0f07ebc8c6e477d018da549c24d78db95ba1cc4a21f16bcb6fa938e938a92d26531f5da6fcc8685c346e31a18affb124529ee62c487ddc0 |
memory/2324-7-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Aepefb32.exe
| MD5 | 9eac242ddcc79565e8c0026fdc0b5d0e |
| SHA1 | bfd60b8ac366d3a640062e98fd44f68c09030482 |
| SHA256 | 9b371aff8b563e5037c5a25025146cef7bb2892aa95c64b8ad9029b954f65f94 |
| SHA512 | 5df96edab29a59a61e9a6144d0102fb1782455528ce009cc06e2401af3f0350f8f623af4bb2258c9bef170a7e685ad0dabdb8cd780f14c0f1c1ec2c71b05659a |
memory/4084-16-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2164-28-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Bfabnjjp.exe
| MD5 | aec6c65ee950a42a31280e6e162b3b06 |
| SHA1 | a92665ecae5db828246f557b39217b552b4929e2 |
| SHA256 | 1ae63d955d58571201e13fed271a02828625d67cc7f9184c934ce36f80ba5966 |
| SHA512 | 803ea2279ff169a84b4b6247834f57160147f3f59f81f161133a938083bfa32e749324299ded04315c901a7a80093d3af1fe99cdd9a22c33883efd1b429bc80a |
memory/3064-32-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Agoabn32.exe
| MD5 | ca0c53796898c1b3665f2cbafd72907c |
| SHA1 | ad27ddc080db68debbe1fa6e79a66fa5e635f809 |
| SHA256 | 65820ac344ab38ca97ef5d90d1a8b020a0855de8becc94a2fa6bc202f114d2bf |
| SHA512 | d98c69edf5a0f1cf0a6e81e5f0f0ad743a21be5bc5ca903c810f8a5f90f555c95f83832da570392775b4aa8720e920d76dd2e2d432a115a36dfc3b7abffe9908 |
C:\Windows\SysWOW64\Phiifkjp.dll
| MD5 | ec91f06b4d590882573031b752c92cbe |
| SHA1 | 8ebe73a38950f267113164cee75cf0062a13046c |
| SHA256 | 5834c142272f491f836612ac77a67c633a0c59234e512996bbb63312e24297db |
| SHA512 | 31f8ca358ec4d6668ca75d4fc9fea7f2e6e48c671890317493fbf16e63614e724da519c5a96dc1c7a1fb1ecb3f0ebc3804ed26d25c0604d89685856397469067 |
memory/4884-40-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Bebblb32.exe
| MD5 | d3b9a4de53937b2e29182e5c1dbd36c2 |
| SHA1 | ae08a56948a8ec92354eae8b469007f0465dce48 |
| SHA256 | 9762b209aa148ecb54d6a8e6bbc8756d1ce711989aae37d2557725f38e8a626a |
| SHA512 | 414b78515c6b43ab2f5427cdac4a35e6142910800b390c72a8128c33d4e7a80e68d583c02c4b058b3a84756ac5b4fc5adc4507c35bee4fa742739ab544ae6314 |
C:\Windows\SysWOW64\Bganhm32.exe
| MD5 | 0dbbc82c281670926f537b884db19f58 |
| SHA1 | dbabc92ed8a381809708f45e74d02ecf469752e0 |
| SHA256 | fc2e7e3284f8c056bc8f63221a13d8d6edd1ed38b8b8891779fcfca79a2ec9a9 |
| SHA512 | 41b6da9b57ded609d039ae809ac0998b3ffbee7aec2b9e6493b8534edaa43494e9de0933892bf0e5b84207cdeb84031dae3972d3e078b19e9658f6d9aa5f22eb |
memory/2596-47-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Bmngqdpj.exe
| MD5 | 4c00f467dc33180c92ee119e34caf097 |
| SHA1 | 1f37739a3dad2dd090b1347806e90494d5ba5832 |
| SHA256 | dd70b57c7b684657467ec63d4737284dc0533feb685473af72863930cb0be7f4 |
| SHA512 | 5b6b0bb3176c58e6467ccfc902b079b99cf5c098a1eb839859cd0b26ef669ac43d81e09db30401ba9c278c273c086e931a628769b1bde7fc9019227a22dd5027 |
memory/2648-56-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Beeoaapl.exe
| MD5 | 7f0bcde0b43686c44c717e3df73dfeb0 |
| SHA1 | 7efe863c6d9f5ae4a25d9d666fc16a7a0a6aed63 |
| SHA256 | 95d1a4c4411e86b3944817d35b55922caa13618838899b54ca155cf6042e76be |
| SHA512 | 18e646ed2b6cd84655771d74b0edd616333e8d196ebbaff2485acbbe954b1fe3877cbdbe633f022111c34cd16de14e3fd47ec26b5ca16e9a92e1545efd628d88 |
C:\Windows\SysWOW64\Beeoaapl.exe
| MD5 | ef6b1118a0412d8daafbe18df34b8f7d |
| SHA1 | 164edd6b44d244b362045c35c85c449b81829fd7 |
| SHA256 | 4d941ed9f9797cc781b1207ee2ba282ef3170116a6e5667920f4151d863469dc |
| SHA512 | af59fdeca376e3562d12627ca22fd0c978fdca4538354ef92b0169e1eaac90ff28889c3b6b6d53df39653aa75b72245caf33ac392847d407596f86b3bad5f2de |
memory/2928-64-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Bgcknmop.exe
| MD5 | 5da3f45229a214b2ca97d57e2de449de |
| SHA1 | e2780785bed4e0b0ffc6780c6237e2c4f2c00be1 |
| SHA256 | 6bfd16362250181ae498c4ba1c9f459c65e028c38e6676501ac0a90f90da93b6 |
| SHA512 | beaaf959d44055522b538f3cfecd643490e3a4d9b404eac3daaeaecdb4179fdd1a6fc792dc3cfe75dcce095b3a09c0274ebea2bfaf4a7fff299c5d3f6a7691c9 |
memory/2660-71-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Bmpcfdmg.exe
| MD5 | 3ecf365d5dd5d8112339cec6c87cb713 |
| SHA1 | bbad02985e8f187c961a163bb61e32c96fb730a9 |
| SHA256 | 06f5b34121960b136416dbc5249fd201a10187aefa004dc4ffa44c1353fbbbcb |
| SHA512 | 38cd5d62ba6c290f7750b34bae7c4ad9f042c0623e95a33b7f402b15033b7c757f71ef12307a810b2937e8e13f8e7643d09497a1608c984d19bcc81bbd2198c9 |
memory/5092-80-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Beglgani.exe
| MD5 | 67d7735176103b73703943abc5c89a7f |
| SHA1 | 24ae193e0508e45e3ab8e022f36738fbd6e27d9c |
| SHA256 | 44d1a89b7a87cd7dd09b1d1b51f2d4587f64c41db3882c631dacde5e07d456b6 |
| SHA512 | 18bcffbbfd5cf2a1cc230de7d4150b368a1cba348f28bcbfd14e5d934e1c761876a6a018e10fbb257e487bfbe0506d1ad3414ade0fe52190134ae93c165e421f |
memory/4380-88-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Bgehcmmm.exe
| MD5 | 3bd9acb3dd9c7bfec4e43b5a0d2c5a3b |
| SHA1 | 04306812c68431533e9db2320361ae9d9526f98d |
| SHA256 | c6670b8bef36d2ec2f6e19ced3a111c259fb385d7c632559f6c2301880148ef2 |
| SHA512 | b31c60f4df7b9a7e343384ee095d4333f849ac7660460e1495d984a890e7cc90a6ad39d9d75d90ecaaa01cf570950dbba98dcded69648594bc673f82ba18e62f |
memory/2392-95-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Bjddphlq.exe
| MD5 | 8b1f963c30e8d67f3d18dba9d2033f0e |
| SHA1 | bf037eded307303e266c07f3d21f6a381260b5de |
| SHA256 | 4e350c81fd9b6eff8e4e7fe5ea8714f1384963a00ad52e4b19dbac529311593f |
| SHA512 | 72061357c883235e485df1a34c4b829a3212195cd59ad3d44be64f5cecd8dad6780024b1768394c7b662acc294a6a202a7f660bf97e1bc6f1a0bd25ce3cbeefb |
memory/4736-103-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Banllbdn.exe
| MD5 | fb1eb59695d1072705c6542f9b5a01d2 |
| SHA1 | d15a7b4feec9f37159b89e86d7c0ea0e5da78baa |
| SHA256 | 64c05de0e91494e95a28fad693bdf17d76005a766a42f7b4efbf254eb2d4db3d |
| SHA512 | 2b16f07dc36661f46db841931fb33391397b33e6a6a5c3b5c7f6d5e380e678c8b408b738412977b5eb6018b3cda661727984714677868739120ec0ea1a861975 |
memory/2828-112-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Bclhhnca.exe
| MD5 | 4aa3808962fde5c7bf208bc29547f38a |
| SHA1 | 5d68116a3967c434da36fd43140ad6a36471a350 |
| SHA256 | 98ca02a9ffaf2a56d46b519515f17fc0df1126cd8deb0a1e05e94b28ed476e27 |
| SHA512 | 710b5bd5a44adb26e99ca84a17111004ede03d4a54bcda5bae044cc9e02c32ad73374040d5021e1406d5701dbd8b2e73b7438fec35981bee020f2cd3b3cb10a2 |
memory/8-119-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Bfkedibe.exe
| MD5 | 3a04a03a02803496b612a8f31c40cacc |
| SHA1 | 1a8905727de50b915bd6df13554a5812050a6905 |
| SHA256 | 6524d70597b827a076c7f37a80fb15dd368cc46cc5f5e629d301a0cc6ee6d9ce |
| SHA512 | bacb2af4742587ed68d5952acbcb9592d6ff8750aef93ad78cc3957a8c9ea87a95e21753fb7695a66f490b2754955bbf00730359a9392a09ea8ba180c0e35197 |
memory/1436-128-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Bmemac32.exe
| MD5 | f2eb38af03a52dfaf3ef7fd98b1dc0b4 |
| SHA1 | da9243d8876215a60c787c2804d42686bfb41872 |
| SHA256 | 0395b6e6812b9b59d8b2c083e0da8381f8c251b8cce1bab5ad443db0f2cc7d4f |
| SHA512 | b6e7e9fc7929d1bdd4f5e18966c3dd50372c9db747c51117ba73ad83fa37331878ef0de5191f545c861d525d6077c88a2b1e16be8d9762ba37ef78534ffb6515 |
memory/4076-135-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Bcoenmao.exe
| MD5 | 521e9d4b4946b77ef5a6cb3e1a8c0f86 |
| SHA1 | 78f3bad4aa929b888bb282a729e21e4f41cf2032 |
| SHA256 | c98ac751a6a00ebf9e33e235d4b98c3f53f7253291c1832088083933cbc35133 |
| SHA512 | 181c7304dd15044d049dcb44c6305bb1e3d04a2305030f3cfe8815f1a49c07f59b3a424def21791528f84e2a8241e299ccf6cd2e02a5d793698a1f819737d917 |
memory/2800-144-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Chjaol32.exe
| MD5 | 8c31528d8a6380d15708e01838f7d7a5 |
| SHA1 | dada853f9a5737b50bbcd9dd609cadb89e649143 |
| SHA256 | 3fb45896cebc0358416a3c33404b604bdaaa75556e8bc2b838f11b8aabe232ed |
| SHA512 | 30263643a1c96946ccc395a047d7652dfc34f76de39f8a14d5b27e94cd80409e49df4353911bca9f65045a9c5b7f508fed53b895c25917ff1abeac7ff918502f |
memory/3352-151-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cndikf32.exe
| MD5 | f40ca3f553adff0375d85732f1e73948 |
| SHA1 | c4057e42a6d8a37de57341bdd734de24fe5bc987 |
| SHA256 | f7b97c5667ad18f3ce1bd51cfcd15cfdd1929d19296fb9165c6f7e3a7d4aa87d |
| SHA512 | 477338936b6659d4d957f0bd14b61014218b883299487eb1689a53019643af3a83d3397ca484e525f05734d719e0bad0573d3a75e971f0836bbdb99336fa5a82 |
memory/776-159-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cenahpha.exe
| MD5 | d20671ca6b716ccfba8aa1fd2daaeb63 |
| SHA1 | 47063b900549d631c714058a7d1507d332531916 |
| SHA256 | e0bccf329734abbb705aa6f3781adfbd2cdf6958307d98601ce9d3370fcc8050 |
| SHA512 | f67570d50b5ca8d44cbdd1d1d4ddc72a7213627b9e37ef8021e8da16034c83d01b4d45e38090ecf17a70999fdcd260fd7a57d01ff1f5dc0c7a5e2c96806cfe90 |
memory/3608-167-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cfpnph32.exe
| MD5 | 5f49072462ed52d808fe70b00374953a |
| SHA1 | 84bf97090bb89173b16d816f6e4becf58137c76e |
| SHA256 | c1ec4dcc2adf89eabb409016fba85e0268153a205b4fe01bf75ad45357dd4606 |
| SHA512 | 8e78bf80d645253cefc7b2543a1f51dee8de43776fc14cd05f9d0c85887e5e63e4206a26a7a24e80b01b9174d067b2bd0564600795798ca112c00f3b2b58631f |
memory/3356-175-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cnffqf32.exe
| MD5 | 16a6537d5af05126780596d048572d05 |
| SHA1 | 84f757cbf1dc9d2033095d0d017f6bc02d69981c |
| SHA256 | 3b5730bc60a9cac39ff8aeec511ed0acd4c7b0c8e4472a3bcf07a63f319b648e |
| SHA512 | f9a76521f24bd192c71fa17a93d8adb1e9212eefc8c52b24f24af238cd7a9487533fefad63c1181ba6fa59c51766dccfb1c490f3ade6273685eca2ae8ced0488 |
memory/1256-188-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cmiflbel.exe
| MD5 | 53cadcd42948b9cfeb46164d736a6fc7 |
| SHA1 | b8f32e6de98369bddd008639422cc70d54d9bcf3 |
| SHA256 | d1da324a800fa132f79610de839c25d5a7b6e55bc66e740a325edcf05c63ad83 |
| SHA512 | a3fea619c4b28a6f1f371fd1f4af450eb99b479edace5d0b00b23ec92a3f0144ca0949f01700dadb9c1f77f50c371b17acda5ab659edf22c8ffaf6219bfee588 |
memory/2424-192-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Ceqnmpfo.exe
| MD5 | 2be5557191cff7ddf9278300ab381169 |
| SHA1 | f086717e8278be8b1a99dfd6303485220d18831c |
| SHA256 | 2b5be965b0e25a066a67962a682d9a878b00a25b56d2b6dcab5b222353ffa078 |
| SHA512 | 3fd5de050d55c77b0bb36a71ceccd8a0e29fe77225668e379c1efa031cc26543deaf4839201765aa4ce8d47fc890efbf3486cd861eb6b12cee71b5403468e523 |
memory/1972-200-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cfbkeh32.exe
| MD5 | 159afa7977c394131c0ee82778c9259a |
| SHA1 | 3c5b43921d2fa6a4d4c52277c15c83d30599d944 |
| SHA256 | 5aab28595a0ad58077c9324397ac3ff225d1a53a32bb2ea40054b0edc00a6cbf |
| SHA512 | 31d20981c85e439e3f676c7e9c255842b41c91a9b80ca56afd0c52eb0c30c2fedb76e6010391746a71934fdb4af4ffe1d730b8c8883fa74b8c64fa0baf013f94 |
memory/4652-207-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cmlcbbcj.exe
| MD5 | 097b93d6d396e6391f3d389e7677889e |
| SHA1 | 3b3943b55bee46f725b8052969f67e9a7a7da48e |
| SHA256 | 7406a0203c1bf54d88fbccd6fefb022c85414173bee2d3b2457df33c238e2f33 |
| SHA512 | 33d6b896d93a22228e414ec981532187dc2d8fddb7ef21f77e5040401d34b8a587b925886ea4d64bcb3b17dc8184f547e5d89b8fe158a2dac0220d292ff61031 |
memory/3096-216-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Ceckcp32.exe
| MD5 | 8c438636f5f2b41b2e275b061b6859a1 |
| SHA1 | dc719874a72aa6d38394fd47c00db3262f14788e |
| SHA256 | 00479c7450576648ed09190737087d63f02bcb52b95fd7faef001e8cfd29c2f8 |
| SHA512 | 05ed6fe9f83b62bbc7c64ed334ff72da6a1c6f27d84ff304366caf34ba8443ba892e83b3db81b2b1b517574a759e24733aff39b0a94e8fc2ba4e07b8907b942b |
memory/1620-228-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Chagok32.exe
| MD5 | d1734fb67cdd6b16f54b0ab1207bf383 |
| SHA1 | 2f9c0a1276b0acb22593fc64cbb3e9f8108d25e3 |
| SHA256 | f39012506b7e3f076a5bdc180665889067a030da29a4fcf7caeca1b3d3302910 |
| SHA512 | 979699830896395c483b73b972368c0c4e2a9b84ae5b4f769dcc159d82904180362e8cdf4ad9c4650f11906624beb11acf344f186721742f6f3c9e38b5648ccc |
memory/624-231-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cajlhqjp.exe
| MD5 | 18d6fee0aa93c3b211bb46437a8d441d |
| SHA1 | f8018588caf1ab6f2e575c3038901dea13a3700f |
| SHA256 | aaa73976549efce22236cbbe3b576b8aa8c84e545964f7b177ab0f07fa142c46 |
| SHA512 | a76485f56ef103d753de21bab029e84fd254ba3ae0795ef74f0fe708c90e3b149d35fe311b8b90323e93894bd7f3e40cfac13b9f0229faa9fd79a131f596ebfc |
C:\Windows\SysWOW64\Ceehho32.exe
| MD5 | b6d78e4d956b5044443e6cb5956e4d3b |
| SHA1 | 342b5f64b08b15ae819755ea8894bce22ec75ffe |
| SHA256 | 8a4908f712e87c1ad33e70f661267d63e1e13ed48d8ee12139dda88bca4d72bb |
| SHA512 | 9a24f420fb51504449b24a7a376c84aeb092be9e8f602edac2a7f453f8a4bc5296002705bcee8cd7081ef2c85b0dce6c2780ed16d3d49c53eecd2c890f9f86d5 |
memory/5112-244-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4920-252-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1460-256-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2856-262-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cdhhdlid.exe
| MD5 | b3feb0055d8839f127418ebe7c0ec3b9 |
| SHA1 | db5ef88603a3133796de15f80a640293b6cf38ae |
| SHA256 | 07b602371c2e1495a23ddc11f65aaf6caf7a46c1193a26f18e4635b62121d5a0 |
| SHA512 | ad7180cd325830ffdada88b066664cf64fd8023f8f50b0645a461d2d2d363bdf0069be45f4cb33622e19aa0f301119544463b83fbb750947760ee9caae22cb27 |
memory/2096-268-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1360-274-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4572-280-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3740-292-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4080-291-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3656-298-0x0000000000400000-0x0000000000435000-memory.dmp
memory/812-304-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1200-310-0x0000000000400000-0x0000000000435000-memory.dmp
memory/744-316-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5004-322-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1188-328-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2300-338-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3292-340-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1392-346-0x0000000000400000-0x0000000000435000-memory.dmp
memory/228-352-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3824-358-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3308-364-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2168-370-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3060-376-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2984-382-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Dmllipeg.exe
| MD5 | 464a88cdd99c8c5b9090daffee0c0a74 |
| SHA1 | 0e7dd95877b718f484d5bb40941eebb6c3eabc7b |
| SHA256 | ac9d192ae191a295a051399f6141ecd2a90af4716d2f44f99e1df1ea9523453c |
| SHA512 | 9287cb3085368f3a22b96cc000b9217960b24a755a79d19a2589c5ac2402353a56d31f27ccdbff4a5755489ac8df3e37faf3582ce7019951e9a143d3bae23888 |
memory/4848-388-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4848-389-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2984-390-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3824-395-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5004-399-0x0000000000400000-0x0000000000435000-memory.dmp
memory/744-400-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4652-412-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3352-419-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2660-429-0x0000000000400000-0x0000000000435000-memory.dmp
memory/5092-428-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4380-427-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2392-426-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4736-425-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2828-424-0x0000000000400000-0x0000000000435000-memory.dmp
memory/8-423-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1436-422-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4076-421-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2800-420-0x0000000000400000-0x0000000000435000-memory.dmp
memory/776-418-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3608-417-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3356-416-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1256-415-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2424-414-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1972-413-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3096-411-0x0000000000400000-0x0000000000435000-memory.dmp
memory/624-410-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1460-409-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2856-408-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2096-407-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1360-406-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4572-405-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3740-404-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3656-403-0x0000000000400000-0x0000000000435000-memory.dmp
memory/812-402-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1200-401-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1188-398-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3292-397-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1392-396-0x0000000000400000-0x0000000000435000-memory.dmp
memory/228-394-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3308-393-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3060-391-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2168-392-0x0000000000400000-0x0000000000435000-memory.dmp