Analysis Overview
SHA256
10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8
Threat Level: Known bad
The file 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 14:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 14:19
Reported
2024-11-10 14:21
Platform
win7-20241010-en
Max time kernel
78s
Max time network
16s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qlgkki32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Afdiondb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cbdiia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Opihgfop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cgcnghpl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pebpkk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Njhfcp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lkjjma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pgcmbcih.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Qlgkki32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjdkjpkb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nbjeinje.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njhfcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nmfbpk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pleofj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Alnalh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bkhhhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bqlfaj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nhlgmd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pepcelel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ajmijmnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bfdenafn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mfjann32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Objaha32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bbmcibjp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cgcnghpl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bqlfaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dnpciaef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mbhlek32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mclebc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pgfjhcge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Qdncmgbj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aoojnc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bffbdadk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bjdkjpkb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cbffoabe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Djdgic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mcnbhb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mqbbagjo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pljlbf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfdenafn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mjcaimgg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ciihklpj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nibqqh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Oiffkkbk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Opqoge32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ahebaiac.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ccmpce32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bjpaop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lgqkbb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mcnbhb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Paiaplin.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nbhhdnlh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ncnngfna.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\Aohdmdoh.exe | C:\Windows\SysWOW64\Alihaioe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ciihklpj.exe | C:\Windows\SysWOW64\Ccmpce32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgoelh32.exe | C:\Windows\SysWOW64\Cbblda32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mkndhabp.exe | C:\Windows\SysWOW64\Lqipkhbj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mclebc32.exe | C:\Windows\SysWOW64\Mjcaimgg.exe | N/A |
| File created | C:\Windows\SysWOW64\Mcnbhb32.exe | C:\Windows\SysWOW64\Mfjann32.exe | N/A |
| File created | C:\Windows\SysWOW64\Incjbkig.dll | C:\Windows\SysWOW64\Ahpifj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aakjdo32.exe | C:\Windows\SysWOW64\Aomnhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lbmnig32.dll | C:\Windows\SysWOW64\Bbmcibjp.exe | N/A |
| File created | C:\Windows\SysWOW64\Lqipkhbj.exe | C:\Windows\SysWOW64\Lgqkbb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Opqoge32.exe | C:\Windows\SysWOW64\Oiffkkbk.exe | N/A |
| File created | C:\Windows\SysWOW64\Qkfocaki.exe | C:\Windows\SysWOW64\Qcogbdkg.exe | N/A |
| File created | C:\Windows\SysWOW64\Ahebaiac.exe | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Adlcfjgh.exe | C:\Windows\SysWOW64\Anbkipok.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgfkmgnj.exe | C:\Windows\SysWOW64\Ccjoli32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ciffggmh.dll | C:\Windows\SysWOW64\Mclebc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mqbbagjo.exe | C:\Windows\SysWOW64\Mikjpiim.exe | N/A |
| File created | C:\Windows\SysWOW64\Qeppdo32.exe | C:\Windows\SysWOW64\Qcachc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Alihaioe.exe | C:\Windows\SysWOW64\Qeppdo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Anbkipok.exe | C:\Windows\SysWOW64\Aoojnc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Adlcfjgh.exe | C:\Windows\SysWOW64\Anbkipok.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Afdiondb.exe | C:\Windows\SysWOW64\Aojabdlf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bqlfaj32.exe | C:\Windows\SysWOW64\Bieopm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ollopmbl.dll | C:\Windows\SysWOW64\Lkjjma32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dofhhgce.dll | C:\Windows\SysWOW64\Lgqkbb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nhgnaehm.exe | C:\Windows\SysWOW64\Nbjeinje.exe | N/A |
| File created | C:\Windows\SysWOW64\Gaokcb32.dll | C:\Windows\SysWOW64\Nhlgmd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ofcqcp32.exe | C:\Windows\SysWOW64\Opihgfop.exe | N/A |
| File created | C:\Windows\SysWOW64\Pleofj32.exe | C:\Windows\SysWOW64\Pdjjag32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ccmpce32.exe | C:\Windows\SysWOW64\Bjdkjpkb.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgcnghpl.exe | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdkefp32.dll | C:\Windows\SysWOW64\Dnpciaef.exe | N/A |
| File created | C:\Windows\SysWOW64\Akafaiao.dll | C:\Windows\SysWOW64\Nmfbpk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qdlggg32.exe | C:\Windows\SysWOW64\Pleofj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbbpenco.exe | C:\Windows\SysWOW64\Bnfddp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ccmpce32.exe | C:\Windows\SysWOW64\Bjdkjpkb.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajmijmnn.exe | C:\Windows\SysWOW64\Accqnc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmmgmc32.dll | C:\Windows\SysWOW64\Alnalh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bdcifi32.exe | C:\Windows\SysWOW64\Bmlael32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckndebll.dll | C:\Windows\SysWOW64\Bjpaop32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bffbdadk.exe | C:\Windows\SysWOW64\Boljgg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbmcibjp.exe | C:\Windows\SysWOW64\Bqlfaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mpioba32.dll | C:\Windows\SysWOW64\Opqoge32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cjonncab.exe | C:\Windows\SysWOW64\Ckmnbg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ladpkl32.dll | C:\Windows\SysWOW64\Mqbbagjo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nedhjj32.exe | C:\Windows\SysWOW64\Nbflno32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oeindm32.exe | C:\Windows\SysWOW64\Objaha32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qdncmgbj.exe | C:\Windows\SysWOW64\Qlgkki32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pcaibd32.dll | C:\Windows\SysWOW64\Cgcnghpl.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmiljc32.dll | C:\Windows\SysWOW64\Djdgic32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mfakaoam.dll | C:\Windows\SysWOW64\Bqlfaj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ceebklai.exe | C:\Windows\SysWOW64\Cbffoabe.exe | N/A |
| File created | C:\Windows\SysWOW64\Mikjpiim.exe | C:\Windows\SysWOW64\Mcnbhb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pjdjea32.dll | C:\Windows\SysWOW64\Nibqqh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nmfbpk32.exe | C:\Windows\SysWOW64\Njhfcp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hqjpab32.dll | C:\Windows\SysWOW64\Accqnc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nmlfpfpl.dll | C:\Windows\SysWOW64\Ajmijmnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbnbjo32.dll | C:\Windows\SysWOW64\Bieopm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dpapaj32.exe | C:\Windows\SysWOW64\Dnpciaef.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nbhhdnlh.exe | C:\Windows\SysWOW64\Nedhjj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nhlgmd32.exe | C:\Windows\SysWOW64\Nmfbpk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pljlbf32.exe | C:\Windows\SysWOW64\Pepcelel.exe | N/A |
| File created | C:\Windows\SysWOW64\Dgnenf32.dll | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dnpciaef.exe | C:\Windows\SysWOW64\Djdgic32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dpapaj32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nbflno32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nibqqh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qdlggg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bkhhhd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmlael32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qlgkki32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qcachc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lkjjma32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ppnnai32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgfkmgnj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pgfjhcge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pleofj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qkfocaki.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmpgpond.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pdeqfhjd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qdncmgbj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qeppdo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgllgedi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bqijljfd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bieopm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cbblda32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dnpciaef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mjcaimgg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pepcelel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ccjoli32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bbmcibjp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ckmnbg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Njhfcp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ofcqcp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oiffkkbk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ahebaiac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lqipkhbj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qcogbdkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cbdiia32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lgqkbb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oeindm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Andgop32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bnfddp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajpepm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Afdiondb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Adnpkjde.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bdcifi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Boljgg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aomnhd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mikjpiim.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mqbbagjo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mbcoio32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ncnngfna.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mcnbhb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pljlbf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pebpkk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bccmmf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mfjann32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nbhhdnlh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Paiaplin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aohdmdoh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nlcibc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Njjcip32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mfjann32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cgcnghpl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Lkjjma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qdlggg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bqlfaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ccjoli32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll" | C:\Windows\SysWOW64\Djdgic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nmfbpk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidobe32.dll" | C:\Windows\SysWOW64\Pepcelel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Qcogbdkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjpab32.dll" | C:\Windows\SysWOW64\Accqnc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollopmbl.dll" | C:\Windows\SysWOW64\Lkjjma32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ofcqcp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Pdjjag32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" | C:\Windows\SysWOW64\Dnpciaef.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocnkj32.dll" | C:\Windows\SysWOW64\Mkndhabp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbbobb32.dll" | C:\Windows\SysWOW64\Nbflno32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Opihgfop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaaded32.dll" | C:\Windows\SysWOW64\Pgfjhcge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqcjjk32.dll" | C:\Windows\SysWOW64\Ppnnai32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Adlcfjgh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nedhjj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Qlgkki32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Adnpkjde.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll" | C:\Windows\SysWOW64\Bjpaop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofhhgce.dll" | C:\Windows\SysWOW64\Lgqkbb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhdnm32.dll" | C:\Windows\SysWOW64\Opihgfop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aojabdlf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bnfddp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ohncbdbd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bqijljfd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ciihklpj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll" | C:\Windows\SysWOW64\Cgcnghpl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Mbhlek32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmiacp32.dll" | C:\Windows\SysWOW64\Mjcaimgg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nbhhdnlh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ofcqcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Objaha32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pljlbf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ahebaiac.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mclebc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nbflno32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khoqme32.dll" | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmeignj.dll" | C:\Windows\SysWOW64\Adnpkjde.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bbmcibjp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cmpgpond.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ohncbdbd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll" | C:\Windows\SysWOW64\Cbblda32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ccjoli32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Nbflno32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhiejpim.dll" | C:\Windows\SysWOW64\Pidfdofi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ahpifj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ahpifj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjpaop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Mmicfh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Alnalh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cbblda32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Djdgic32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qeppdo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Adnpkjde.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe | "C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe" |
| C:\Windows\SysWOW64\Lkjjma32.exe | C:\Windows\system32\Lkjjma32.exe |
| C:\Windows\SysWOW64\Lgqkbb32.exe | C:\Windows\system32\Lgqkbb32.exe |
| C:\Windows\SysWOW64\Lqipkhbj.exe | C:\Windows\system32\Lqipkhbj.exe |
| C:\Windows\SysWOW64\Mkndhabp.exe | C:\Windows\system32\Mkndhabp.exe |
| C:\Windows\SysWOW64\Mbhlek32.exe | C:\Windows\system32\Mbhlek32.exe |
| C:\Windows\SysWOW64\Mjcaimgg.exe | C:\Windows\system32\Mjcaimgg.exe |
| C:\Windows\SysWOW64\Mclebc32.exe | C:\Windows\system32\Mclebc32.exe |
| C:\Windows\SysWOW64\Mfjann32.exe | C:\Windows\system32\Mfjann32.exe |
| C:\Windows\SysWOW64\Mcnbhb32.exe | C:\Windows\system32\Mcnbhb32.exe |
| C:\Windows\SysWOW64\Mikjpiim.exe | C:\Windows\system32\Mikjpiim.exe |
| C:\Windows\SysWOW64\Mqbbagjo.exe | C:\Windows\system32\Mqbbagjo.exe |
| C:\Windows\SysWOW64\Mbcoio32.exe | C:\Windows\system32\Mbcoio32.exe |
| C:\Windows\SysWOW64\Mmicfh32.exe | C:\Windows\system32\Mmicfh32.exe |
| C:\Windows\SysWOW64\Nbflno32.exe | C:\Windows\system32\Nbflno32.exe |
| C:\Windows\SysWOW64\Nedhjj32.exe | C:\Windows\system32\Nedhjj32.exe |
| C:\Windows\SysWOW64\Nbhhdnlh.exe | C:\Windows\system32\Nbhhdnlh.exe |
| C:\Windows\SysWOW64\Nibqqh32.exe | C:\Windows\system32\Nibqqh32.exe |
| C:\Windows\SysWOW64\Nbjeinje.exe | C:\Windows\system32\Nbjeinje.exe |
| C:\Windows\SysWOW64\Nhgnaehm.exe | C:\Windows\system32\Nhgnaehm.exe |
| C:\Windows\SysWOW64\Nlcibc32.exe | C:\Windows\system32\Nlcibc32.exe |
| C:\Windows\SysWOW64\Nnafnopi.exe | C:\Windows\system32\Nnafnopi.exe |
| C:\Windows\SysWOW64\Ncnngfna.exe | C:\Windows\system32\Ncnngfna.exe |
| C:\Windows\SysWOW64\Njhfcp32.exe | C:\Windows\system32\Njhfcp32.exe |
| C:\Windows\SysWOW64\Nmfbpk32.exe | C:\Windows\system32\Nmfbpk32.exe |
| C:\Windows\SysWOW64\Nhlgmd32.exe | C:\Windows\system32\Nhlgmd32.exe |
| C:\Windows\SysWOW64\Njjcip32.exe | C:\Windows\system32\Njjcip32.exe |
| C:\Windows\SysWOW64\Ohncbdbd.exe | C:\Windows\system32\Ohncbdbd.exe |
| C:\Windows\SysWOW64\Opihgfop.exe | C:\Windows\system32\Opihgfop.exe |
| C:\Windows\SysWOW64\Ofcqcp32.exe | C:\Windows\system32\Ofcqcp32.exe |
| C:\Windows\SysWOW64\Objaha32.exe | C:\Windows\system32\Objaha32.exe |
| C:\Windows\SysWOW64\Oeindm32.exe | C:\Windows\system32\Oeindm32.exe |
| C:\Windows\SysWOW64\Oiffkkbk.exe | C:\Windows\system32\Oiffkkbk.exe |
| C:\Windows\SysWOW64\Opqoge32.exe | C:\Windows\system32\Opqoge32.exe |
| C:\Windows\SysWOW64\Pepcelel.exe | C:\Windows\system32\Pepcelel.exe |
| C:\Windows\SysWOW64\Pljlbf32.exe | C:\Windows\system32\Pljlbf32.exe |
| C:\Windows\SysWOW64\Pebpkk32.exe | C:\Windows\system32\Pebpkk32.exe |
| C:\Windows\SysWOW64\Pdeqfhjd.exe | C:\Windows\system32\Pdeqfhjd.exe |
| C:\Windows\SysWOW64\Pgcmbcih.exe | C:\Windows\system32\Pgcmbcih.exe |
| C:\Windows\SysWOW64\Paiaplin.exe | C:\Windows\system32\Paiaplin.exe |
| C:\Windows\SysWOW64\Pgfjhcge.exe | C:\Windows\system32\Pgfjhcge.exe |
| C:\Windows\SysWOW64\Pidfdofi.exe | C:\Windows\system32\Pidfdofi.exe |
| C:\Windows\SysWOW64\Ppnnai32.exe | C:\Windows\system32\Ppnnai32.exe |
| C:\Windows\SysWOW64\Pdjjag32.exe | C:\Windows\system32\Pdjjag32.exe |
| C:\Windows\SysWOW64\Pleofj32.exe | C:\Windows\system32\Pleofj32.exe |
| C:\Windows\SysWOW64\Qdlggg32.exe | C:\Windows\system32\Qdlggg32.exe |
| C:\Windows\SysWOW64\Qcogbdkg.exe | C:\Windows\system32\Qcogbdkg.exe |
| C:\Windows\SysWOW64\Qkfocaki.exe | C:\Windows\system32\Qkfocaki.exe |
| C:\Windows\SysWOW64\Qlgkki32.exe | C:\Windows\system32\Qlgkki32.exe |
| C:\Windows\SysWOW64\Qdncmgbj.exe | C:\Windows\system32\Qdncmgbj.exe |
| C:\Windows\SysWOW64\Qcachc32.exe | C:\Windows\system32\Qcachc32.exe |
| C:\Windows\SysWOW64\Qeppdo32.exe | C:\Windows\system32\Qeppdo32.exe |
| C:\Windows\SysWOW64\Alihaioe.exe | C:\Windows\system32\Alihaioe.exe |
| C:\Windows\SysWOW64\Aohdmdoh.exe | C:\Windows\system32\Aohdmdoh.exe |
| C:\Windows\SysWOW64\Accqnc32.exe | C:\Windows\system32\Accqnc32.exe |
| C:\Windows\SysWOW64\Ajmijmnn.exe | C:\Windows\system32\Ajmijmnn.exe |
| C:\Windows\SysWOW64\Ahpifj32.exe | C:\Windows\system32\Ahpifj32.exe |
| C:\Windows\SysWOW64\Apgagg32.exe | C:\Windows\system32\Apgagg32.exe |
| C:\Windows\SysWOW64\Aojabdlf.exe | C:\Windows\system32\Aojabdlf.exe |
| C:\Windows\SysWOW64\Afdiondb.exe | C:\Windows\system32\Afdiondb.exe |
| C:\Windows\SysWOW64\Ajpepm32.exe | C:\Windows\system32\Ajpepm32.exe |
| C:\Windows\SysWOW64\Alnalh32.exe | C:\Windows\system32\Alnalh32.exe |
| C:\Windows\SysWOW64\Aomnhd32.exe | C:\Windows\system32\Aomnhd32.exe |
| C:\Windows\SysWOW64\Aakjdo32.exe | C:\Windows\system32\Aakjdo32.exe |
| C:\Windows\SysWOW64\Ahebaiac.exe | C:\Windows\system32\Ahebaiac.exe |
| C:\Windows\SysWOW64\Aoojnc32.exe | C:\Windows\system32\Aoojnc32.exe |
| C:\Windows\SysWOW64\Anbkipok.exe | C:\Windows\system32\Anbkipok.exe |
| C:\Windows\SysWOW64\Adlcfjgh.exe | C:\Windows\system32\Adlcfjgh.exe |
| C:\Windows\SysWOW64\Agjobffl.exe | C:\Windows\system32\Agjobffl.exe |
| C:\Windows\SysWOW64\Andgop32.exe | C:\Windows\system32\Andgop32.exe |
| C:\Windows\SysWOW64\Adnpkjde.exe | C:\Windows\system32\Adnpkjde.exe |
| C:\Windows\SysWOW64\Bgllgedi.exe | C:\Windows\system32\Bgllgedi.exe |
| C:\Windows\SysWOW64\Bkhhhd32.exe | C:\Windows\system32\Bkhhhd32.exe |
| C:\Windows\SysWOW64\Bnfddp32.exe | C:\Windows\system32\Bnfddp32.exe |
| C:\Windows\SysWOW64\Bbbpenco.exe | C:\Windows\system32\Bbbpenco.exe |
| C:\Windows\SysWOW64\Bccmmf32.exe | C:\Windows\system32\Bccmmf32.exe |
| C:\Windows\SysWOW64\Bjmeiq32.exe | C:\Windows\system32\Bjmeiq32.exe |
| C:\Windows\SysWOW64\Bmlael32.exe | C:\Windows\system32\Bmlael32.exe |
| C:\Windows\SysWOW64\Bdcifi32.exe | C:\Windows\system32\Bdcifi32.exe |
| C:\Windows\SysWOW64\Bfdenafn.exe | C:\Windows\system32\Bfdenafn.exe |
| C:\Windows\SysWOW64\Bjpaop32.exe | C:\Windows\system32\Bjpaop32.exe |
| C:\Windows\SysWOW64\Bnknoogp.exe | C:\Windows\system32\Bnknoogp.exe |
| C:\Windows\SysWOW64\Bqijljfd.exe | C:\Windows\system32\Bqijljfd.exe |
| C:\Windows\SysWOW64\Boljgg32.exe | C:\Windows\system32\Boljgg32.exe |
| C:\Windows\SysWOW64\Bffbdadk.exe | C:\Windows\system32\Bffbdadk.exe |
| C:\Windows\SysWOW64\Bieopm32.exe | C:\Windows\system32\Bieopm32.exe |
| C:\Windows\SysWOW64\Bqlfaj32.exe | C:\Windows\system32\Bqlfaj32.exe |
| C:\Windows\SysWOW64\Bbmcibjp.exe | C:\Windows\system32\Bbmcibjp.exe |
| C:\Windows\SysWOW64\Bjdkjpkb.exe | C:\Windows\system32\Bjdkjpkb.exe |
| C:\Windows\SysWOW64\Ccmpce32.exe | C:\Windows\system32\Ccmpce32.exe |
| C:\Windows\SysWOW64\Ciihklpj.exe | C:\Windows\system32\Ciihklpj.exe |
| C:\Windows\SysWOW64\Cbblda32.exe | C:\Windows\system32\Cbblda32.exe |
| C:\Windows\SysWOW64\Cgoelh32.exe | C:\Windows\system32\Cgoelh32.exe |
| C:\Windows\SysWOW64\Cbdiia32.exe | C:\Windows\system32\Cbdiia32.exe |
| C:\Windows\SysWOW64\Cinafkkd.exe | C:\Windows\system32\Cinafkkd.exe |
| C:\Windows\SysWOW64\Ckmnbg32.exe | C:\Windows\system32\Ckmnbg32.exe |
| C:\Windows\SysWOW64\Cjonncab.exe | C:\Windows\system32\Cjonncab.exe |
| C:\Windows\SysWOW64\Cbffoabe.exe | C:\Windows\system32\Cbffoabe.exe |
| C:\Windows\SysWOW64\Ceebklai.exe | C:\Windows\system32\Ceebklai.exe |
| C:\Windows\SysWOW64\Cgcnghpl.exe | C:\Windows\system32\Cgcnghpl.exe |
| C:\Windows\SysWOW64\Cmpgpond.exe | C:\Windows\system32\Cmpgpond.exe |
| C:\Windows\SysWOW64\Ccjoli32.exe | C:\Windows\system32\Ccjoli32.exe |
| C:\Windows\SysWOW64\Cgfkmgnj.exe | C:\Windows\system32\Cgfkmgnj.exe |
| C:\Windows\SysWOW64\Djdgic32.exe | C:\Windows\system32\Djdgic32.exe |
| C:\Windows\SysWOW64\Dnpciaef.exe | C:\Windows\system32\Dnpciaef.exe |
| C:\Windows\SysWOW64\Dpapaj32.exe | C:\Windows\system32\Dpapaj32.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 144 |
Network
Files
| SHA512 | 8d52f382ac64a17d2a4a431907403da5ed302d40eb25602a50bbbb40f1f0c1ee8918c1b7b3717c5c5cebc9f0514b7720a66c6084b3ee2cd5e6275001c024a3c7 |
memory/2060-447-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2736-461-0x0000000000250000-0x0000000000287000-memory.dmp
C:\Windows\SysWOW64\Paiaplin.exe
| MD5 | 723e9dbd20d46e6f421344689c6a2464 |
| SHA1 | a658faa002161be3c7b405b91b33d1c36c0fe236 |
| SHA256 | 00704bb5b5013cf1ae0096a092abbc1ed7b22d901a01ca2fce7ddcb2940257ff |
| SHA512 | 4b419acef6f8aa6767b9fcbd648e3325f787a2d92ba897ef1dac48a6ff1a937301e44fa5c9f563f3b2d29c037f71ac1d5ce2956a7c304f8a3714a0f10a004808 |
memory/896-462-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2684-457-0x0000000000400000-0x0000000000437000-memory.dmp
memory/896-472-0x0000000000250000-0x0000000000287000-memory.dmp
C:\Windows\SysWOW64\Pidfdofi.exe
| MD5 | 0c6f1153f8f5dbe599fcca87f52411be |
| SHA1 | 05262b411e7232245fb5a31fcd022a52aa27c692 |
| SHA256 | 4948c79df1315ff4434cd3b3a5af514fa1627bfe620fc4c0bd6253a95154e90e |
| SHA512 | f46770d4dc0eb1591c14dfa202717ade5bb3b3f70851b13ff35d505fa2785b40fc50df562ea955e10544f2146204c0daf09c7c554f3d5ce4e86d65655e6e05c9 |
C:\Windows\SysWOW64\Pgfjhcge.exe
| MD5 | 57f649a85acfb0488eabbeb79dbfdfa5 |
| SHA1 | 0f06ee9cbb80a6c524bce3396b7ea67343266bdd |
| SHA256 | 9fb335332d9586b26a04c8fb9705e2f092d7e6bd50e637c1c0543443cb1c5007 |
| SHA512 | 65ab65acac55a13f1052d89ba3d937ddb981804f11df56fffd5f3426bb565b002078eec16169cdeaa58d63aecf8f067e16bcf5a354c631efe7f480a694cf44d3 |
memory/2704-467-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1100-490-0x00000000002A0000-0x00000000002D7000-memory.dmp
memory/1760-494-0x00000000002D0000-0x0000000000307000-memory.dmp
memory/2500-487-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Ppnnai32.exe
| MD5 | 83a62aee5be1ba124c903b322f8929b6 |
| SHA1 | 7127ef7d897c683342f5cffc49f61f017cd9ff6c |
| SHA256 | 38dcd4788cd6d004b0c2121c26540f84438fd899e9707900046f692f0bc42768 |
| SHA512 | 5db04485a4b4fff41c5e59c9bdb8072b15f350b7c27005644bf02a83772dc9a00e3625c6a18b078f9277ec77d62c42a946be3c2b075d2e14db30331e0aed9453 |
C:\Windows\SysWOW64\Pdjjag32.exe
| MD5 | 2cfc38693cc30bd8fb791d3b3b53bad8 |
| SHA1 | 9b30e0325901976305b52c9dd0bc056bc37858a6 |
| SHA256 | 8092b1f2731af7f3198c6effa70df307720a2e6166d4f8092aec7310a8a38fc2 |
| SHA512 | e3564cc598b56bcd0f93245f36ec3134ce26c7a0ceef570b8061e2b0d80239d2f0b9a808f175f9da3865000d88ffc1af6a66d67350fb7b0fc3d8ba57960461c8 |
memory/1760-483-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1100-482-0x00000000002A0000-0x00000000002D7000-memory.dmp
memory/3036-499-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1100-481-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Pleofj32.exe
| MD5 | 62f0c019a27c2fc3565f05e7f8fd69a4 |
| SHA1 | 15bface7f30de58de798cef5a4aadb21a3ae680b |
| SHA256 | 2bf64b73cc8c793ed77cc4a04c9f963fda1250a38cb2f164da1e66cb136af2c0 |
| SHA512 | 961615e70f11fd9ad3c28cbd90cec54b2197c87fef7da99414b230c655cabc758bbe1303b6d7ea81db8cfa9d069ba4542b81f51e0ca5f62af233070495658bfa |
C:\Windows\SysWOW64\Qdlggg32.exe
| MD5 | ba476c9867ace79e378c3d07ad518dae |
| SHA1 | 223e0f90079200610b952a7bba04c27e07c2d2b7 |
| SHA256 | ec52f00b97d44c233c51b6ba8c9c46e45789d604bf05f8c194863435e7982daa |
| SHA512 | 10ba221897f514a9cd49d50945343d7eae61481e5d50727513dc0b7aed66e91957120abe6dcef734e732b0c767eaccd8eb1a6fe6318efe9958e7aef1130cc86c |
C:\Windows\SysWOW64\Qcogbdkg.exe
| MD5 | bb5e63928062eba2f05d2cd5f1eb3f21 |
| SHA1 | 48c02dd028df7a01547ad80e756979813b29c1b8 |
| SHA256 | 6e5fe797e4d37a2dbd05b6114f0c8c3826587e9eec7bf9bf439e2c8cc2fb8210 |
| SHA512 | cf4c1d0824239777173c1746d2b3719f7ef01836d3043d5c83fd9051363fa95517f1e4cecb1aba01227e4b9ac6960c3523b27334395ed020313ea9815bb46b95 |
C:\Windows\SysWOW64\Qkfocaki.exe
| MD5 | 5ca120e51782439b3b5ddfc03f7d0a10 |
| SHA1 | 5988a90e142bdc5c4d57e842d45c43969e02bcab |
| SHA256 | 1c959a959d8dad0a669a8234babeb7ef0fecafdb6b9368a1e4bd2cf757f3af35 |
| SHA512 | 677c2d8f4a94db12ca624d6fe7e348ccf2585e34ccd71cf3f6b7d92a15d15937a3ceb8925c817565d3f316d5ef83f6573dbf450db00d277a1f0f00e9a6eaca41 |
C:\Windows\SysWOW64\Qlgkki32.exe
| MD5 | ddace3375a97c4705e7036ce70bc880e |
| SHA1 | 65b39d1bffbea2f825648d686ec51abdf6d9f53f |
| SHA256 | c09a411c077f88cff65b098da3749c42ebb1bca383e89c20d8734fd951c6d596 |
| SHA512 | d595676de3ae00783b9c312e2b5fdd7f3b934e38b371db789aac6a81349ee123ef33ae8c7aec90c96ba575133de8952760ef6d703eb65880c255b3d2fa8eb399 |
C:\Windows\SysWOW64\Qdncmgbj.exe
| MD5 | 0d88789d78661515a7d911e40991bae8 |
| SHA1 | da233608a17904d7a3ed9bc12784a423c38b46b5 |
| SHA256 | 6f84a3033a095e7a4c01849f727115be8569fc8acd5cf41267e6b94931c4c831 |
| SHA512 | 431aa20af5187cea9fd4828bfd7863c8863a74c47af16e8bc7949e0e6056bc691a656d20cba95bb71ef23fd3c5a165853c192f9a08702d47e658efdc1c648349 |
C:\Windows\SysWOW64\Qcachc32.exe
| MD5 | 0858e32b5bc80bfee5501e99c5de0738 |
| SHA1 | a84180c77f6de5853c26197a015f108c527df048 |
| SHA256 | 4ae9acf5dc3152931c996ea1c745db6f36e8ebf2a03527f2ae46c3413ba6c1f7 |
| SHA512 | 9edc206d9d1520b87621b0bde54000946c1349dfacd75906f5d766c9b45b6b1f809a0ee9e709f7478bc7040c342af1b9620a512f9320faa67d1f85f02dfb0d80 |
C:\Windows\SysWOW64\Qeppdo32.exe
| MD5 | 10c384e4495e986e853bb131c66d0cf0 |
| SHA1 | 0156e08ddd3741a77394f4bc6a1f33451cf1a61b |
| SHA256 | ee02e39d12efe89c8a9340e7a3ae52b7901fcb35ca0e7adaef183dc4c92cdd07 |
| SHA512 | 8847e00349c3a0284789e7ac02f9c05b8db970a7b350d30bfa7fdd15d8b0a0feb277dd56f86d5ccf6367059ea4a35a7f561a86ca6ca7d49630bdbf9cedabb022 |
C:\Windows\SysWOW64\Alihaioe.exe
| MD5 | 8fa6d702a20f15a09d5af6fcfe7465bb |
| SHA1 | 21cd7232ac73b016e931989fb18278f4e3dfa234 |
| SHA256 | 83bec0e2aac8ec8c2e505ad1648abf3bb4ad7a632620fe6b4ebb36512a09e33d |
| SHA512 | 75a091cf90673e061b11f6594b7434a5ce8c00954ecfd1d9d9b9208e8a2864be0c82506e62804ca6cd461364f86de60e3de3dd036f84212f41b7eb1763554630 |
C:\Windows\SysWOW64\Aohdmdoh.exe
| MD5 | 036763cbbb8d6e4398892af957fd2523 |
| SHA1 | 3bf2338f40aecff387ed3d84a8e0801f059b0656 |
| SHA256 | 85243a1feb7286357a4613f53ae1102cb2ddab3f87e886580979efa76cfb5636 |
| SHA512 | 299f4ad349b2c0c1a0e86ae4adb08ced2171dcd9ae4d60a63e4e823ecee94ce6553691794e3742c74959ff3d8246fadce745a12901574d3cfa01775b67e05ed3 |
C:\Windows\SysWOW64\Accqnc32.exe
| MD5 | eb1131b89ab829e2ae8c2a4b92c22a70 |
| SHA1 | 666252e38fac957d7a6ebe745a8747e3e0fe4e1b |
| SHA256 | 728720ba4101eef658ae3e2335896cdbd8664a51a2036f874bd5a1fcf00d453c |
| SHA512 | 5e108529190f562f439c19fb920135e7b65ba7313a70a4f4282dcb64c3638e73a2f45baae77978e381b4b439eabed2813e58221b5249200061866bfb15e27811 |
C:\Windows\SysWOW64\Ajmijmnn.exe
| MD5 | 14d7c110a5fb4767ff28c0c9194c7491 |
| SHA1 | b7a8f835dc53fbdf5bcc92edce10d3383984cf38 |
| SHA256 | a4ddbd81c7d95fae786c76f8318b834d0b95f964d237deab68136d0ab9587d0e |
| SHA512 | f4058799caf02af6354529b67280dd61b59e3ab8354405b6abf169635d56fb442eacceca083ba38ab2b89cdc47fde8de4ff194173c02aa05277f545eadb66fda |
C:\Windows\SysWOW64\Ahpifj32.exe
| MD5 | 9003878b662c7bc5536c9c45113dcc80 |
| SHA1 | 06d97be75f1b3d550f5a9c8b5bfd0095254f9297 |
| SHA256 | 6e96f4ba094e132d557a5ab0b7875b7557d509d32577f28888256f3b033ef1a8 |
| SHA512 | bff443a05e5b4f57b24c4f4f12bfc64559fdb83257a96d1ce4bc6d7f5b573796990caaab437289cab9731d7f345d08f3ce556294b7ed32b01915384ebb77270b |
C:\Windows\SysWOW64\Apgagg32.exe
| MD5 | f324c6df9e89597c8c265bb6e4e2b556 |
| SHA1 | 2aedfa00a44984c5e4e0046814e32c0631060eee |
| SHA256 | d60a174379d97cdf8366d90ef28a3cd73fc2e22d94cfb35b6ea2abee04b03f5a |
| SHA512 | fb6b50738a18e031864efbd3fa8457b7173ae5f15558f7f546570062cc7d3e795053ba5cdd0682ffd51a69747f109bc0ac375b6a2e40b18df014e069bd660a29 |
C:\Windows\SysWOW64\Aojabdlf.exe
| MD5 | 1b0a966e048b5ff94c8705b6fe2dba19 |
| SHA1 | 24bb7b5cd8b527156864f4fe4eb76eb326ef199e |
| SHA256 | 800293de7683bbb1d73550f63117c6299377ddfd65bc039c05c4c9cf4e6dcf84 |
| SHA512 | 94ef642359a7bcf75009efe5ba3d2fa3d09b49c03b92a332b4efe32b2b3dadf5b753cb9d0a79d46fbf7a26357a815aecc7fcce8afbd344edb59209fe597e5549 |
C:\Windows\SysWOW64\Afdiondb.exe
| MD5 | b9b705c0bf26d2dd673935c25f4a2bc5 |
| SHA1 | b5d8f57cbcc4335930a98866cd70969bddb51dd5 |
| SHA256 | e97d4e5dd14763726e2a60d784241eca4e3dd3f747d7e0308c74f21def1bc0ca |
| SHA512 | ff899b151953c35cb90b2a043faf0909a913f813ea530e5c8c6f4c9c72d5388cd6313445282a189142acfa0bc5b008d581ee651ffc1c0ae2288fc79fa5ee4634 |
C:\Windows\SysWOW64\Ajpepm32.exe
| MD5 | e4d4d16e8ee08171f0591916c0e617fd |
| SHA1 | 5512b5a71bbb0d776704921b8618fd6d6acc9db4 |
| SHA256 | 021ca130b84e4703df083f9f3ec3f1f8adbfc15e992f7474e7aa51f01ceaf41c |
| SHA512 | a6cdf16a47f8ec0246a155ebfbaef42171180c2e82b7401af195426f776fcf944f523912ce2e66ee8711d5b3c5ddde77c655d89dbd2b358509be0de4201939f2 |
C:\Windows\SysWOW64\Alnalh32.exe
| MD5 | f9e235bdd375dabc4e34b7ae3972c17d |
| SHA1 | d555ca2b9c6b8610c83ffe447a979bf00b0ef0a7 |
| SHA256 | 960567a1cc404c47252bcf1966ad66fdb2ac9c6f37306eac80d14d206c71740e |
| SHA512 | fea05e794282509d7a6862bd17d57941d1d98bc20c6d50c88cf426f64b05dfec26e94311c3870e789b76ce03ceabf0f126fa428623e2a6f339248a36ef910bdf |
C:\Windows\SysWOW64\Aomnhd32.exe
| MD5 | 1f58d47ce827678814d295dcc750dc91 |
| SHA1 | f4db8a3e00fd71301ef3f88bf07a9eb38b6b9d38 |
| SHA256 | 9e2ce7ce1c1e06624620d813739b11046dd55a8dfa4dd7b6ed9c6a8c31f554a3 |
| SHA512 | 012eb43c96b062f4bca97aa0900b5ad2bdff85d8265e8da563a68bf922a0268bb22408b677392ded674927bc7e6a62b907db12022753be11834d971b20366d16 |
C:\Windows\SysWOW64\Aakjdo32.exe
| MD5 | 9795dda7c6b271fb23be04c11a6ecda2 |
| SHA1 | ed4bf9c55ea0288b025cff95baea45c390a0946b |
| SHA256 | a7f989b71a9369bdab8875208398d99e7e6ef5b4334497dd05d447f3823eda57 |
| SHA512 | c46352d6fa019c7f2bd7cff10ba92541978590b1a74898441518959786cce562c8a49db15e8b6373acac16e92f3d95d70dcc72120cc309fa3129908c56c13b05 |
C:\Windows\SysWOW64\Ahebaiac.exe
| MD5 | b0b2130311cb184b0c41bfbc10f75add |
| SHA1 | f3727e2e9295b051d29332b3a634bb5ffcd99951 |
| SHA256 | 25933536b57c1b81411c376349d7e0781a587b70390b92140bc25196a1540e3c |
| SHA512 | a702db325c0f4fcfb7ee79c0c81462c0e7d316f11f05de2ec8748f78e4c30321ab2ac10650427c72f0b670cd6140b30302ed251c4a3a30bba2579f899cb0b962 |
C:\Windows\SysWOW64\Aoojnc32.exe
| MD5 | 2daa7ffd431ef159e8901d4ca392085f |
| SHA1 | bbb775dfe31710eac35cd900f5565a2b43509fe4 |
| SHA256 | e90c647cb64c02153e4d10bd71cad85ce9de714676f67072982195044a30bf18 |
| SHA512 | 8fe1392fa7916c4a3bb1ba7d8a6e333398e7458b2a206602e3950b19c12091ee5c8f2f649813d591fae679d70f9b08ce4d1415ffecfca8f67883723c8d314211 |
C:\Windows\SysWOW64\Anbkipok.exe
| MD5 | a2a091ade54bfcd0dd427ba1baf3ee23 |
| SHA1 | 78b36d52ffc45bc908a3de9229fe40ea0b697ead |
| SHA256 | d12e589f25e833f63e6b46b322d82d4b9fb3ecec547bb3eb399772bd87a1e8bf |
| SHA512 | dbf302d441eb1d0b47bc771aa9c9ebba5ea147ed716bee07a2ba6e887cdd8fdb84676cb16f3aab39fecc5d3446b8dc06c498ffd87e02e1e1afe13055b48c9d4b |
C:\Windows\SysWOW64\Adlcfjgh.exe
| MD5 | 44d201bce2a8cbd5aef74880ac48b4b4 |
| SHA1 | 39b9fabedc4b6ea1a7ae7e6514602784055bcbb5 |
| SHA256 | 92916e40d617a1e96f30d5ccb02c9142972a3e7a75d0d1cf37f37b607b72e7c1 |
| SHA512 | 9fe4da166c2dc62b80f4e3230914bc6483bcc3428a565027d65791ba6d9854926c5e88661b27a9b2fe6bb0f5373ed9040675d63c87c7c363911027eca17cb5de |
C:\Windows\SysWOW64\Agjobffl.exe
| MD5 | b30106dd62a6daf81eb074e20cab976f |
| SHA1 | 613d02eb1f7db04fd7e6791eaea5627b59e172fd |
| SHA256 | a0f58a2c5bb28404e08125ebcb64eb2a428388cc19402dcb57aaef8da7267aee |
| SHA512 | 3ff78be52206d00ead81d7a22483d93182e1c0817cd80a109d8aeb4f689189671b6abc11040e27edcf1626708ea52daae78684b8333f5b3a7d8124dc9c787d0d |
C:\Windows\SysWOW64\Andgop32.exe
| MD5 | 86770f9f1f0f7736b7e67452eedbd9ad |
| SHA1 | 5838d0c3f95b0f1e5358a1342361d381bc344e55 |
| SHA256 | 86a62c1670002da33e250f3bed1bebabd66b7e67086a4d45d8f7f04ff762e2cb |
| SHA512 | f0d5a7d4006d5b4e9631fd496f24e117c0b48bf5da7cc73bfe4d518a86e464b7cf28629016bfd828e4d12a55d7a0ca8928f614c6e739a5e508ec6f5ae04e8947 |
C:\Windows\SysWOW64\Adnpkjde.exe
| MD5 | b07520f6cac19a085ef8d6ed4f161986 |
| SHA1 | 326fb91997d4db93e8ae59ed20d43bda14cf0e24 |
| SHA256 | d50e7715f76e82e8e66706f43b51977255683c54bbf8eab6805f42ea329b904d |
| SHA512 | c6ee8505a3cfbf10170304aef6e4a15d00972302d40389dafff7c78fbaa2f370e7ff6d53febffe06c3b55f9ab41c52366f1b4c47bc93df96743c78aa4098b73f |
C:\Windows\SysWOW64\Bgllgedi.exe
| MD5 | c31df46ab22b09feaf9326f8a797b05a |
| SHA1 | e021022ab48a7d6ddd02f03d40e11dcbfa73e57c |
| SHA256 | b5a01675435d86dea319a5ca1376dece0f71bdb6544e155c3067d45c4c43cc33 |
| SHA512 | c2834067ef77c72b5a1bd1a8811d2dd68d90ec77ca6f06fcca162f3a816362fc1f63b7ed4a82800ddcda614fa62c5930e57e6bbe136402081e500afba02488aa |
C:\Windows\SysWOW64\Bkhhhd32.exe
| MD5 | c4f22e0958b7796be3206ad45c82f3b8 |
| SHA1 | 6618328bf9c40c677a4d72d28b685ee356e40a3f |
| SHA256 | a4d5fe71d04835d44254bd30c62adf0ee862941ace5989ce6f7edc657fb0f170 |
| SHA512 | 17c7fd8cb79a0e39f94479bf2c4f3e2d4f3e50658c72ca4c461cf98f8579f911edf0382bfe4ead3be99797c1357efb755c9b52ad148adae9276fc6ebe5bbde2d |
C:\Windows\SysWOW64\Bnfddp32.exe
| MD5 | a82c9f8ee89b0808eb9d023c026d9d0d |
| SHA1 | 0300fd2e5093fc0beb6bb4ee2c9851c0198b8fc8 |
| SHA256 | 3427d79a9285023fd74d64d94a3b0000123cf1944ade065a888bfbf24726756f |
| SHA512 | 64b2f768c928828833524666a55a02d3d96a8e7510b1c93d58fac244657482d0b659268b4da75a760bbab6c8318268bd93a89ddf5bc708e299fde8ddc4d4ea8d |
C:\Windows\SysWOW64\Bbbpenco.exe
| MD5 | 74d3d44a5ee6ad485f8adddecc8a65ea |
| SHA1 | 12e88d6def3e79f0e475a2aa487742e8f6b6ab59 |
| SHA256 | 685184e5f329a132ba4ffae195ab2005026b6845ac3fe583d4688692e4501a2a |
| SHA512 | f2640717b190d119be5c73a63862174f60915312b5ff1e42bd201074266ef19bffc8d0141bca6ec553121fcb18cc7163ac14404568b57935cca73059c7701317 |
C:\Windows\SysWOW64\Bccmmf32.exe
| MD5 | bef5e9d4d02fd3b31b167c0541bef0e7 |
| SHA1 | b178c5e4fc4034745ca0a196775c2f239110c7d2 |
| SHA256 | 13f7753a7751f5f2a93feec1835c3793798c3d2495b564bdbb4afedab3d0e182 |
| SHA512 | 0feba0245fc21c6b3bf8b5e90fde803e68fb4d4be0e43ae67c176fa8d8cc347c9b6d73ba34bd1d7cc9d05f5d00a038bd3ddf62d2b32d78cd877a4ba3f49bbaa5 |
C:\Windows\SysWOW64\Bjmeiq32.exe
| MD5 | 763b8cedc17c73d12db8dd0dc72dfd77 |
| SHA1 | 0230d3daf5ff0f162e501c3cb047b9ae94131308 |
| SHA256 | 2317849632e0f78388f1be2a1f47426b35cde741b62f69cef42001f0cb8d9bf2 |
| SHA512 | a15c5e1eb800274e9709cb212cb7c5bbd98046b4cb7da6ad4e165787695c24249fb92104d4c7c980f289185c9494b737ca21dd062b24442d126b8c00e30d871c |
C:\Windows\SysWOW64\Bmlael32.exe
| MD5 | 8c861e67b1f4001bb2b98c4b4f7e8416 |
| SHA1 | e2517859bbce3919ca2662eb74163c6a378b0fbd |
| SHA256 | 56a95e37754d3d024d0508575bb9b0ba11d409bc223d9c5e5b6d4ec055648287 |
| SHA512 | 69a1d8b72cc9673c1d4895c08e192b55f95e9e67671823e4f78bdaad4b9496f0ae316946dcd3d9d34122b70b6b7759a46476779d77514933233cccd30333d532 |
C:\Windows\SysWOW64\Bdcifi32.exe
| MD5 | b34e4f439e152898919511330798af31 |
| SHA1 | 68684382acdfcfe1295204155785692787c1527f |
| SHA256 | 474a642b30ea5f60ee98c1dd412687a32935b0be683098dcb02804b0ef2625c9 |
| SHA512 | 7929c616ec014e00753b1b4bf783b53eee95f910712318d2d10c58f56201bbc3cb4295dc216b59f08ad24571e1e3955484f2d7a053feeb99582842c53a722cff |
C:\Windows\SysWOW64\Bfdenafn.exe
| MD5 | 84309ab4a7c806e14385cd78565266a3 |
| SHA1 | 0942015deb61c3c592afa9f1902b35bd48307776 |
| SHA256 | fcd97225d848dfd3aa749ec8a4698d855d7cec42b83c38025e01703f8f73109d |
| SHA512 | 92bf972b770e273f3dd08e23bdf9bfbacdeedec886d3ea36ff702512d1667f76c2475b78e2db5d57973df284ca603c1a92160866baf188c271c97eb3e0571bfa |
C:\Windows\SysWOW64\Bjpaop32.exe
| MD5 | ff9e276c4b42f02750bb8c68b43d6549 |
| SHA1 | 349ea58562031120689d059eedefe66f691c6ade |
| SHA256 | 88101bdc03b75cc27ee0c7fbcdf71b61d6c4666ed18d9350d8bc8bfe28f2256c |
| SHA512 | 14c3478c6bf743b23cae6247e449bf60ffee56f7945578dd3514cd122b86f6ff0e11df416f0506444baf21a36cd70bebc8b7e5c5f424effb4127a72c07c38c68 |
C:\Windows\SysWOW64\Bnknoogp.exe
| MD5 | 86abba24db62d398bc0b919c5b13d14e |
| SHA1 | cdb95e7de3186a3891d73b79b45e438b1f1d6d22 |
| SHA256 | d6ba161b103de476e01416b79e633de5ade5d1729181f4b79454755a013a6544 |
| SHA512 | 3ff9f42799f5468daf31edcd743baabff26eef02fe211e8acf89d7ce861eda95f06b9228f50c519ba475c9cf9592eb4629caba5826e20e35ed4312d7d8a10774 |
C:\Windows\SysWOW64\Bqijljfd.exe
| MD5 | 1ac8ca174b2386a076cbf314e3463e06 |
| SHA1 | 8d81748e9a7f3ce31211c20854e6f3da6cbc766c |
| SHA256 | 48da81b4a9d65fb80d784bbe4bdb67dcd8f2fde23403b29db76681a34b064125 |
| SHA512 | db8a80a48abf2c517f2ca03ac176bd14cd7ac36b26412983ffaf30bae77fbf8b245f3aa502192300e0328db429c3253782c07d74d0b3af91ba088b817bce21bc |
C:\Windows\SysWOW64\Boljgg32.exe
| MD5 | 4caea0932de037f5f43a2f569dd9e10b |
| SHA1 | 7bcc1a7c32ea47f91ddb0bbd1dcd68edcac37a5f |
| SHA256 | 15cb46569a6c7819d4d7844fa1b98f229a4464f69d3a3dab626998b545c7c5e5 |
| SHA512 | 21e02834df62db8e2aeedc4fc438a02d70840bb1587f4afe97846d11dae6550032b155580a9b073590214c7cb6ae625d4a18ae2d1a5e7b3932fd1eee5b6480f8 |
C:\Windows\SysWOW64\Bffbdadk.exe
| MD5 | 9880aec7006aa3a71c11a95565ba4cf2 |
| SHA1 | 5b21db9d3af30f1eabd7116723933aef5693f577 |
| SHA256 | 740b734bafe2782151ee5edb1fe49d47a5181cf0215c8b6c432f7f3f2481158a |
| SHA512 | 513fdcf863a512eefbbd80970b3226bede4f781cac4b023f88282f48d0fb971736e27684e4351005cadef78b211ca471f545294ca6690379c9a4af4b6e7e88ce |
C:\Windows\SysWOW64\Bieopm32.exe
| MD5 | ff3d557c29be7815be8711f84db3d72e |
| SHA1 | 029e323a52b344b6784761a1f3e70b6f4e4e0120 |
| SHA256 | 4210779d062af8795ccfde806142c119a5717400b79b5156cbc58968d31ba775 |
| SHA512 | 41b90642242ce0cb4f823da0c43ffefed8187396d6ac1e8520456903f42f63949dc885fc3789ad4e4d3aa3293b7980d99d0aa29a5fa2cc33db45b015c83e89c4 |
C:\Windows\SysWOW64\Bqlfaj32.exe
| MD5 | 0c37773f71cbeef3ef392529ed213206 |
| SHA1 | b4e925f7401eaf25a30b8a3c85bb73125049ce2c |
| SHA256 | e269a2249f548abb23f5c0612914e017e0f6c900e5c4b4b930f3cdc74670b20c |
| SHA512 | 73788bddaab4be8eb5ac376a53ab2db4929d4d31e5f4e7aee69da58946af3153ce6ebd530e3ca104b9af97aa58d760046ff6007b877bb6f5103d3aa808438198 |
C:\Windows\SysWOW64\Bbmcibjp.exe
| MD5 | 4a53bb6932168b72b5b263919f60bee8 |
| SHA1 | dd55b0da951d9b047827c7e15408b69a1be75bc3 |
| SHA256 | 23cf9fd0003b37563316a27f3d1bb5f5c8dd8a02484428fb3bd3eb0a85a48a00 |
| SHA512 | 5a8047b2bd8153ed0ea9f38e612141cbf5f4a651916bfa54c5cae3bcd309db672fa9d2d8b18c9a014719e35a2f73e9aa91a28bfe521331eb0a1b7d9abbc38959 |
C:\Windows\SysWOW64\Bjdkjpkb.exe
| MD5 | ca5535de12dabc8a3ca3c674a0bfe3b9 |
| SHA1 | f4dd6ae40f52efc8cfcf3fcbbea6261774cd36fb |
| SHA256 | 49df7e096f5b656fefc36494d3bef6204cf931138b2ea6f8c83f5c28f10ea91b |
| SHA512 | 6f7618a30831f05e28eaa034d527c5e0c9e2dec93f4659b23d6e6bc92c94e1322e518ce443504591afc71ab15c34e1d9271a513a38c8c18f9469a9d157913639 |
C:\Windows\SysWOW64\Ccmpce32.exe
| MD5 | 756e85bd6e76c651d077b3cd3295d262 |
| SHA1 | 78971ae49861a3a58007c0ee552a009b9d668da6 |
| SHA256 | 35f6af6d0ee81879ab0ff727eb67ec37ec8fa613630c0f892c1257a0dcca60c1 |
| SHA512 | b5c34a0e42f921bde3150d49566d389cf4c0f6c1b1cf0d473b08057517340b47aa8e3aab36cb1d3dda03d24f2337004cdbdefacad41134df21cfcb443512c7ae |
C:\Windows\SysWOW64\Ciihklpj.exe
| MD5 | 547e6e20f86e2294630889bfb7095379 |
| SHA1 | 337ba3b2f64f5ac6831c809f76b247be2e367cb5 |
| SHA256 | 80bda95a465395d711a075ce2f93e57ff72af35317cb08fa7a0c96a1844dd8d6 |
| SHA512 | f747296b232d368031f083a92430ef4e4a95bff15b2249fd2c6dc917a5b35508fd76a38a7b8f8999bb52676945ac1256eba28d3ee69c472d01a8f925547828d3 |
C:\Windows\SysWOW64\Cbblda32.exe
| MD5 | b1f5ca1592cdf35b31fd4fed5983aea1 |
| SHA1 | 5dcf50bcb266b09bdeb4f077841445749570d97b |
| SHA256 | 60c22df855acc545b1ca0918cbf8e0efc2b46026ab3e01f0712f2b1d5046b58b |
| SHA512 | 87a76e059c09d196d8c5a0e1b3248bc34375b45e75cc64b944603b331af0eb3247a8aa1427949a8fb7bbbab0ad8f8108e88ccaad7fc4d52fd3acd17fe76fe557 |
C:\Windows\SysWOW64\Cgoelh32.exe
| MD5 | 955654ba62203041e8c4d8326f202e18 |
| SHA1 | 1a14b7c84029447996080d2dc6550c236d3d84e9 |
| SHA256 | 1922d7a0fed6b616c8d0622fe7a986157129ce9012d40e9dabaadf10c37a032d |
| SHA512 | ad97babf3c440c221c512b0863805a15c2c6a170c3046e98236612430b830c5a22f4ac9f7c47d65643384c3c3862a80548a0ed4e963357013d40b55fdbbceb50 |
C:\Windows\SysWOW64\Cbdiia32.exe
| MD5 | f5827c8a92f7eeb29caf6d7461abdac8 |
| SHA1 | d7878475d6bb777b77ec208e9bd7f923958aa6bd |
| SHA256 | 373c2d48777d2b79ff6f15bc2941de21faf86c95e95659d256c7b201b85efe25 |
| SHA512 | a4ef0757fc20b4fb1a3f6631f1ae4697f63fe0a057b329381cd5371da57c675f924d02c451411b120c67dd40b0b8b89908a26eb0568e83972617cb59a9e722eb |
C:\Windows\SysWOW64\Cinafkkd.exe
| MD5 | bc751732a20a77e46f78d011bf75c61d |
| SHA1 | 48911886a5f7035cc4e6e3257b3f20d8b08997f8 |
| SHA256 | 65e1955558bc30ebc46d4b8b3ce864221f57d5b35b61f1d8740435efcd3a63ed |
| SHA512 | 9f30e00bcce1fa876d0cbecb6033bf21b0ac1d780273b394d69ab8d5c5f95242614c15a10e2cb443a5a7a851df5be2250947d5db8bd679ea6f8c853df8e40117 |
C:\Windows\SysWOW64\Ckmnbg32.exe
| MD5 | dc9e3a64318682c684f631557a942df8 |
| SHA1 | e6fdbbb9b98ec34ba990b3fc994d9f77b291713f |
| SHA256 | 037e02d99fec72a4e078185fa38790a4a2eb8b38435f62984abc1a14634976d3 |
| SHA512 | e6f8aad67a67f6ef195a5408bab2309a1bda456f14ded82649dd5e9ac658edcb05f4ce68482fe39d6b36c92020fc88b7c968e6f03ac05d01d66f62808276700d |
C:\Windows\SysWOW64\Cjonncab.exe
| MD5 | aa1fe04baece41380daec75cae325ce1 |
| SHA1 | 919459a5bdcd4156f163832b85edf1dfd4580fab |
| SHA256 | 3a375565f566f0cec554db33e8aa41256a8705c38f3c7223acf729c3bee88277 |
| SHA512 | 095264b4fb4ae7247cc5313f89f51f66d4f95b62f447af618319efc2214b6a961fc46026d9361de3828b89c680e8e040bd717d8b9dda6a8428118e8b7468f092 |
C:\Windows\SysWOW64\Cbffoabe.exe
| MD5 | 5debd31ee2f722d9e238f9a5a1aaf862 |
| SHA1 | f5c032c907e5a9c05c29fe61af714c7dee818760 |
| SHA256 | 0f997cb2164d4662d63f1111f61392ac0fb8d714b994d2e7efac5f45805ea76e |
| SHA512 | d71ba32a649e62de8d4fc9629d92f71ef77f5b161d2486b31af078d636643cd9ac7ef3016c54964fafe5b3f328e58c430d8e06d0587c2a34901d47d2a88e943e |
C:\Windows\SysWOW64\Ceebklai.exe
| MD5 | c61bfb2ccb9961ad3cb6afd699b7b5f0 |
| SHA1 | 2270b420dd735fa417dafcc32f2957b04178dfa0 |
| SHA256 | 7e2bf5ee9c676c34b1aa180f664160ef554f49a702686f8a2a45f3ea9f473137 |
| SHA512 | 4053cca8bc1a13f0c8ce7593b4b8608908b76434df546529bbdaae065139a5403d8644ce7183e55bf5826781ac7a436833db3755d2349b0739359451d4176a1b |
C:\Windows\SysWOW64\Cgcnghpl.exe
| MD5 | 2481ccbee1e41c10c060a4fb4deefded |
| SHA1 | 2dbf18d44ada6b76de450816bfe9c7d89552e96e |
| SHA256 | ef4aeca19a362baf52e6c7afe113c6967e8410ca0d9e10dcdd0f38e0aa434d20 |
| SHA512 | 7cf23896557514964b8705758548ae6f9ba3930aa86376dea3efa7d2cd0c6f22aef46a19ec4e8a64482948df129b42dcc4a6c470b0dd9394af03487f7a5624d9 |
C:\Windows\SysWOW64\Cmpgpond.exe
| MD5 | 1c44db250d60d334923865383ab12348 |
| SHA1 | c3a9a7a03ad08ce14d871ca62241aea5b63ec7ed |
| SHA256 | 9283827be16cd53fc231db5381cdfb76757427c1fb5b9467a8ce0c0feba2f16f |
| SHA512 | ea1eb5ba4b40e0886c3a0e4c2ddef1b549d7f271c78c0ac655a0b86af227474f9816c6ffa5d001244a0aee8c17b40fb647bb8a7b7026b03ceb5e5a69bfdc06e2 |
C:\Windows\SysWOW64\Ccjoli32.exe
| MD5 | 94838f2d5db58e1a2569924ccbe8cd03 |
| SHA1 | 669c64aea3e566134be91915bd75548592506810 |
| SHA256 | 432879553dd1d3c7655f768b7718144f87a99e9104c20ee4b5dc9c4e50bc874e |
| SHA512 | 4adbfebab4e50ad338bc89fa0afe3f39946251aaaf1b3cce4b848774ad8949b28689b4b226d65796c375f7edf25e535e4605a8a95e4b87f9a606c17834cdd161 |
C:\Windows\SysWOW64\Cgfkmgnj.exe
| MD5 | 8a9bf25b81f5f85fd753288e7b0ba376 |
| SHA1 | 6205e4c3ab6fa400355f01d65a33d481516ac58e |
| SHA256 | a97797e80e3f922fc1549102a2a0f914a0ad3fc4ad8dfcbc0477ac591b4ee062 |
| SHA512 | 3ef830740b2e3cacf270841621d4920ec1097d3770d7fdc74a6d1ddc872ab009749d7ab48812f078822a167aca1b537f3eb373ac0fb333a8a9282921391f05b0 |
C:\Windows\SysWOW64\Djdgic32.exe
| MD5 | ecd78cea85ace0488489cbf32919504b |
| SHA1 | 0d4bf0f80bbe364be6c433494512203c9bad230c |
| SHA256 | 4bd967073dc881bc449533c2951ee524f45ad3220ea0d531162727a6173b96d0 |
| SHA512 | 6ae9bd058eb9bd1e025538cc5479afa36751c9ffb93099b82a291dbf16cce0e5dbc5c48388eebb43afd2de22fb16f679ac5650169990642f22cd69b5ec766f47 |
C:\Windows\SysWOW64\Dnpciaef.exe
| MD5 | dc82060f0531566f926345feb055c4ad |
| SHA1 | b49093ae8f470f4d2bfc9f37dab7bff0867944ee |
| SHA256 | 261de5a1d5d918d1d92c0ae507507eee572964de61e0003bdea47250af6a5df4 |
| SHA512 | 78acef5ca00179e7fdf3f84e319a0341a9d48ea5c6918633f7320ffc13bb542483797399bf989846e4d86cac1f105f97927ba603a8a55a6c8d46eb96f6b2ee87 |
C:\Windows\SysWOW64\Dpapaj32.exe
| MD5 | cfcf7c11d5648a7c66556b168b600122 |
| SHA1 | 30fda3d3e04705fb1e5d16ff87568c68df2fa0a0 |
| SHA256 | 15995bb0449ea71048bf945a29680b7f103ecbeb151c8e6a9aa334fb41f78c97 |
| SHA512 | d2fd28389b1ea2eafbe5e8dba7ff9e3672669c533b0f9b8cc7b010ea949d149671cb816dfcdd827566c40e521705201e8df8e82d20f4951f2796a2aec4fb3701 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 14:19
Reported
2024-11-10 14:21
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dfpgffpm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cfdhkhjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ceehho32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cjkjpgfi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfdhkhjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ceehho32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cjkjpgfi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfpgffpm.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Ceehho32.exe | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cegdnopg.exe | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ddonekbl.exe | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ddonekbl.exe | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dddhpjof.exe | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbloam32.dll | C:\Windows\SysWOW64\Cjkjpgfi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ceckcp32.exe | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cfdhkhjj.exe | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mjelcfha.dll | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dkifae32.exe | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmjocp32.exe | C:\Windows\SysWOW64\Dfpgffpm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dgbdlf32.exe | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| File created | C:\Windows\SysWOW64\Diphbb32.dll | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfdhkhjj.exe | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghilmi32.dll | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Danecp32.exe | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kngpec32.dll | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Omocan32.dll | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gifhkeje.dll | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Doilmc32.exe | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cdcoim32.exe | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cjbpaf32.exe | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cegdnopg.exe | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdabcm32.exe | C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cdabcm32.exe | C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cmiflbel.exe | C:\Windows\SysWOW64\Cjkjpgfi.exe | N/A |
| File created | C:\Windows\SysWOW64\Jekpanpa.dll | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bilonkon.dll | C:\Windows\SysWOW64\Ceehho32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mgcail32.dll | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dfiafg32.exe | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmefhako.exe | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| File created | C:\Windows\SysWOW64\Bhicommo.dll | C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe | N/A |
| File created | C:\Windows\SysWOW64\Cjkjpgfi.exe | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cacamdcd.dll | C:\Windows\SysWOW64\Cfdhkhjj.exe | N/A |
| File created | C:\Windows\SysWOW64\Bobiobnp.dll | C:\Windows\SysWOW64\Dfpgffpm.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfghpl32.dll | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dhhnpjmh.exe | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dfpgffpm.exe | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Caebma32.exe | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmefhako.exe | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ddakjkqi.exe | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cjpckf32.exe | C:\Windows\SysWOW64\Cfdhkhjj.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhhnpjmh.exe | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Chcddk32.exe | C:\Windows\SysWOW64\Ceehho32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dfiafg32.exe | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| File created | C:\Windows\SysWOW64\Danecp32.exe | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dkifae32.exe | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dfpgffpm.exe | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cjkjpgfi.exe | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdcoim32.exe | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckmllpik.dll | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| File created | C:\Windows\SysWOW64\Doilmc32.exe | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eifnachf.dll | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdheac32.dll | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmjocp32.exe | C:\Windows\SysWOW64\Dfpgffpm.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmdjdl32.dll | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ceehho32.exe | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Agjbpg32.dll | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Djgjlelk.exe | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cjpckf32.exe | C:\Windows\SysWOW64\Cfdhkhjj.exe | N/A |
| File created | C:\Windows\SysWOW64\Jgilhm32.dll | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kkmjgool.dll | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| File created | C:\Windows\SysWOW64\Beeppfin.dll | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfpgffpm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ceehho32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfdhkhjj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjkjpgfi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmllipeg.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cfdhkhjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll" | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dfpgffpm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll" | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cfdhkhjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll" | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll" | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll" | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll" | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll" | C:\Windows\SysWOW64\Cfdhkhjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll" | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll" | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll" | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll" | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll" | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll" | C:\Windows\SysWOW64\Ceehho32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll" | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dmefhako.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll" | C:\Windows\SysWOW64\Dfpgffpm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ceckcp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ceehho32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cjkjpgfi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dfpgffpm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll" | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll" | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe
"C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe"
C:\Windows\SysWOW64\Cdabcm32.exe
C:\Windows\system32\Cdabcm32.exe
C:\Windows\SysWOW64\Cjkjpgfi.exe
C:\Windows\system32\Cjkjpgfi.exe
C:\Windows\SysWOW64\Cmiflbel.exe
C:\Windows\system32\Cmiflbel.exe
C:\Windows\SysWOW64\Caebma32.exe
C:\Windows\system32\Caebma32.exe
C:\Windows\SysWOW64\Cdcoim32.exe
C:\Windows\system32\Cdcoim32.exe
C:\Windows\SysWOW64\Cnicfe32.exe
C:\Windows\system32\Cnicfe32.exe
C:\Windows\SysWOW64\Ceckcp32.exe
C:\Windows\system32\Ceckcp32.exe
C:\Windows\SysWOW64\Cfdhkhjj.exe
C:\Windows\system32\Cfdhkhjj.exe
C:\Windows\SysWOW64\Cjpckf32.exe
C:\Windows\system32\Cjpckf32.exe
C:\Windows\SysWOW64\Ceehho32.exe
C:\Windows\system32\Ceehho32.exe
C:\Windows\SysWOW64\Chcddk32.exe
C:\Windows\system32\Chcddk32.exe
C:\Windows\SysWOW64\Cjbpaf32.exe
C:\Windows\system32\Cjbpaf32.exe
C:\Windows\SysWOW64\Cegdnopg.exe
C:\Windows\system32\Cegdnopg.exe
C:\Windows\SysWOW64\Dfiafg32.exe
C:\Windows\system32\Dfiafg32.exe
C:\Windows\SysWOW64\Danecp32.exe
C:\Windows\system32\Danecp32.exe
C:\Windows\SysWOW64\Dhhnpjmh.exe
C:\Windows\system32\Dhhnpjmh.exe
C:\Windows\SysWOW64\Djgjlelk.exe
C:\Windows\system32\Djgjlelk.exe
C:\Windows\SysWOW64\Dmefhako.exe
C:\Windows\system32\Dmefhako.exe
C:\Windows\SysWOW64\Ddonekbl.exe
C:\Windows\system32\Ddonekbl.exe
C:\Windows\SysWOW64\Dkifae32.exe
C:\Windows\system32\Dkifae32.exe
C:\Windows\SysWOW64\Ddakjkqi.exe
C:\Windows\system32\Ddakjkqi.exe
C:\Windows\SysWOW64\Dfpgffpm.exe
C:\Windows\system32\Dfpgffpm.exe
C:\Windows\SysWOW64\Dmjocp32.exe
C:\Windows\system32\Dmjocp32.exe
C:\Windows\SysWOW64\Dddhpjof.exe
C:\Windows\system32\Dddhpjof.exe
C:\Windows\SysWOW64\Dgbdlf32.exe
C:\Windows\system32\Dgbdlf32.exe
C:\Windows\SysWOW64\Doilmc32.exe
C:\Windows\system32\Doilmc32.exe
C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4724 -ip 4724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 416
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/1592-0-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Cdabcm32.exe
| MD5 | 826fd67a279289d0da56ad765d96a716 |
| SHA1 | 12e5b51de28f1509d88ad439c25e572770062f7e |
| SHA256 | 1a9b68b0ad9924f0e0f3beadb795148813af0cdbd150058ec84faf8bf13f2066 |
| SHA512 | f449bc349aaf846c5c88b2120b413eb1b743b036266e567f16b426666c772d5026b5877f3c4a2d75a6314a0dd8e26857a0099009c89b0ee123f10e1e6bd330db |
memory/2360-7-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Cjkjpgfi.exe
| MD5 | 84096d780dbd84cca88070982438d21a |
| SHA1 | f2c8f1fa7de632ad341d812f254d7b30290377b1 |
| SHA256 | c28723efb0170e8d3cbc41350fe36cdcf2f9a875ebe6c542612ad85a0063fdc2 |
| SHA512 | 0c4a1b9f867a155a46bf8d14f23630a35dbb49a20ba3ba2b824a8b0d1e8296cc4e6fc77a7a66a1b443174694d72009806267da2c4334797b96fe81f1f774c9a5 |
C:\Windows\SysWOW64\Cmiflbel.exe
| MD5 | 01ece0d9d8ea3eb1fda53b3982b944cb |
| SHA1 | add1d9fee308262b1320498bcd13c17945133ecd |
| SHA256 | 17f27fc473a69066e933054d08886c745d663d62887840a0b6648e22b5f68d1b |
| SHA512 | bcd4fc4eb4274f7d901aab0804ab1e18f56f82a769c963626a3bcff288a9e59590aa5370dd5f8cf2c9bd7b9fd086254433bb5d3c71934810824bd2b86861fe61 |
memory/2228-15-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1264-27-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Caebma32.exe
| MD5 | 54793eb9b3aecb0d9364daccd96180dd |
| SHA1 | 53de0f0e1b7a6dc550633ae34e185d667dbf1965 |
| SHA256 | 019aaaf376cadb55afaf180db8a21e94e198be41878c3afab557f48a3d27362a |
| SHA512 | e0da704f4f8f0e234f728fb5be4a5e6adbcdb10103047ac96c73257d098dc920a03343fc9a2a72cdd291c3eed92a2ff2a55613ddf05cc3ec86e82f6c7c2f6eab |
memory/2324-31-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Nedmmlba.dll
| MD5 | af1da632033bd44b7626581019df4b25 |
| SHA1 | 249c432b9f06b792a1f914f2bb6b39086ddec5c5 |
| SHA256 | 95226d5e16e5b6fef77c3695b3847bd29dde17c10b1a0b6074be3d6a1bf86e76 |
| SHA512 | 31ba7a47beea8f048c9920e2c9d7b065f2d1451043424fd621a3b7616c1c168be4bfa5cd0dffaa3e7411ce9245acc7b78de7e2f20b979de890dd3b71936bbe63 |
C:\Windows\SysWOW64\Cdcoim32.exe
| MD5 | 6c20ffce8a97421b80761c983feca3c6 |
| SHA1 | f5b3c61f7feba9d9e9cf5a44a930606a444b2e82 |
| SHA256 | 05fc99a560289d407b95375852225de0bdd4a00af04f62f57b80d88729233a95 |
| SHA512 | 24042a0c8aac669c0821103efed40bdda12d5a838574fd41925069b9abc30b2210b636e31ee484da937da3b1a3eee4577bc13ab7401ea1a8cad5250440735c78 |
memory/468-39-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Cnicfe32.exe
| MD5 | eb2fdbea88cb0fd16c831fab467f5601 |
| SHA1 | fa91547114748712f96a5329982f906e50991518 |
| SHA256 | a683c21228b99a2d5d6a4047bc38a0d50dafc58cd0eb39ae9fd3bef757485f6d |
| SHA512 | 9da4577247488365f25a85ab2b25282248f8d051a6fc62783099da5084653ce8242b08c43b2ba97b28f79ad30b74bf03a0e15d25b617b263faf1289dcf769fe4 |
memory/3452-48-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Ceckcp32.exe
| MD5 | b137e5cfe18aaa66555f6f6886b8fe8b |
| SHA1 | 3642d9ab2705ce347f878774da2c405f8a5fad14 |
| SHA256 | 9e73affcaa603ce37cd61b8cbbe2941490c0dbfff241566f3815937a13414823 |
| SHA512 | 43de038606b691e89aa994ad1eece499318daea225a576a2ab96180a9ac06a8da8f55971bec5976345394890c47e0376f9dafce9a9f74d0dbab8a6c1f63a6e7d |
memory/516-55-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Cfdhkhjj.exe
| MD5 | f0837c01809c6ea5d9d9e97b61fa3d1e |
| SHA1 | efd32af9119bc83fa8f1607ead8ece82d17d8be1 |
| SHA256 | a9cfb8a7fcc5c6a52f8c861a41857fac24c46346c46787adc62ca1d1f0953a29 |
| SHA512 | 0f0a12b43840fa9428fc7cbc0fbe6c69fad9e21e090e64c917795efcb3c78d0b7d468d77d93b2f38f85baf25ed7fe020cf2bfd6098eeb9113a0e3ba57279ce36 |
C:\Windows\SysWOW64\Cjpckf32.exe
| MD5 | be1bd9dce8124cc47923b53da5b7f644 |
| SHA1 | 5a62c5e05870030b958c52c1a6e53c5b527acdfc |
| SHA256 | 31e6c438844468a1f2cb98063a03a909c9e15c30ba85f4bc2157322da35b4742 |
| SHA512 | 6a4e8b293964ef4c39695255b4756db47e49cd70d8ea44ddf6b56f2fe7eab33c8cea965d73b7999b843fbef29722d9191e614cdbdc3240263dd73d9a7ba7e848 |
memory/112-64-0x0000000000400000-0x0000000000437000-memory.dmp
memory/3304-71-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Ceehho32.exe
| MD5 | ced9fb3968fa365643f4e2c52c38f135 |
| SHA1 | ea07c2ece3e4234d771e4719c3a477b60bef67a2 |
| SHA256 | 1229ec4bbd9eb57f0c1e5fb01f209fe2cef63853091e6ead3171c4fcc8255366 |
| SHA512 | 8108d6322ff0ead2a3c5d24f8c3cb366db10369038fe84c59dbecae73a71961214e6cf288d1f0de05507ea50aa99535c9fb8fd0f8222190eed1a0b9fc801f1ba |
memory/2156-79-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Chcddk32.exe
| MD5 | 8aee369243639760a3a42138da5db937 |
| SHA1 | 379b4e9bbde4c90e8b2f3116b5de739dcdc9a1d4 |
| SHA256 | efa2db6296ff1260ffe62633e9063c0b03022f553cbd29b94ee23dda2fba10fa |
| SHA512 | 2efee00fe6042f7aeef98d4e757f93d172ec6198aa76492727f8203e09e78d4644daec85f9730574a75a8ac0ba520f97e60674e68bfca1896e59d84ced7f245a |
memory/1624-88-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Cjbpaf32.exe
| MD5 | 3089d791cca18cd60afb73052c900a49 |
| SHA1 | 8b763cf194ef8dbbd8edc9053226123847d251f2 |
| SHA256 | e87c7c3fba6cab76fb34cbad7814b522fc2b30bbb2f7d30a4ccb6633344c1afc |
| SHA512 | d690a6ab1e6c3c1c4fefac967486402bfae9cd0272bf09a53125fd8bad648a8f7931c8ce230f632dba827ac27a44fc9cc0b39587ca8578ca8b12e30b82656ac0 |
memory/4144-95-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Cegdnopg.exe
| MD5 | 16d029e1e8d37a7263a3314b5055ecb3 |
| SHA1 | 3be0331aab664fdfd7769f84a2be2c3bc8d5ac3d |
| SHA256 | ce5c2c4963aeab9056945327f9b9882fb03396a819c0ad9c4177ea2e4204c387 |
| SHA512 | 7b30750b50abc83f9cb60851daaaa80a75b23abc314737d028a8a0ac9ca2f69a0db925289fd6edc80ccd13f8abf5e89ea08fcfd8b1c8f08a1bc7dd72c44ab60f |
memory/1936-104-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Dfiafg32.exe
| MD5 | 4da75e874a3cebdddfc11e7d9de02760 |
| SHA1 | a8bd0af35becff4f497c35db50bd74a27d3a30e2 |
| SHA256 | 0e425d45118801755478fe29174d1ddf3806be48868042e687e0ce16bef697f4 |
| SHA512 | 894780873099faf01d85c9a3ca7f8cad682a39f7c5d1ce0435c4fc4b69a1d5a6d4de216d6b47ee27c7c382c83095e2b6fd7d7c125dcf3ddd7d633d6519f85d8c |
memory/4676-111-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Danecp32.exe
| MD5 | 0b4d631734276d07b5e86f534b65a9a1 |
| SHA1 | e4405fc62432715ac2bfc95f4accd610caf958c3 |
| SHA256 | 261ce64f7db1f33826eacd6f1eb043d01ab201db3a7792f6bfc7117bb0f6a94a |
| SHA512 | 0e4c86a99533983d2ee64f4f38a5e9da176db907d9176982de99f8de09e1b1f01ccce2f02f7ba5968e7eff1d0b77616e3c09c233c17c29a413fecfe9b76c269b |
memory/4048-119-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Dhhnpjmh.exe
| MD5 | 5ffc2ed3179994d7cd2a57eef26b80fe |
| SHA1 | 49bd3ed62039b39701ce2c398b73ddfde35836ae |
| SHA256 | fbbc31d2f0fb663f8bbc702e99da4cfdb449797b25b384886803f45778d13a99 |
| SHA512 | e5ab1658d4d41da4f1d0e73b18615ba8a7e7efa12a23b0d54b7c9b27310691b4cd9e8d6785dd6db364f9a1eaf84fa859c0f3b63d50c02c107ec8906111ffe7eb |
memory/3184-127-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Djgjlelk.exe
| MD5 | c455233fe0dab8a369b7a11d6ba72891 |
| SHA1 | 42866a3cbac19a3c3cc40f2ecb7ece9a5dd6c813 |
| SHA256 | e636087321073b51192cceccd22176d3bfbc330c5ec1969ebe8892a469cab17b |
| SHA512 | a1e56f9f8c96a37fd07ac4b3a1c87e3f754fecb5329e6189e8dd42cd598354c10efab26f4c3656f6c3fb09baf0477514a54735bfc44dc3148ed36d294434cc59 |
memory/4972-136-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Dmefhako.exe
| MD5 | 5bf7834c98a611ef707fef9dc2871981 |
| SHA1 | 0daa90abb98633c73c089b26e03e5e54f7af6cfc |
| SHA256 | fbad722a75ac72f11d55fbd90a360d2c724b0d9d3e77529ff678751ee34a4307 |
| SHA512 | 11af5be9efd7b906ea0d3c1aec6b7cc3cc3f364702b7eade337c1e1b3996a77771b0c5dbe9101efedace79398bbeda16482c078568834549e1cf4831e87e2416 |
memory/2880-143-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Ddonekbl.exe
| MD5 | 69d5842c54c3fcfee59b424ac1da7a21 |
| SHA1 | 482bd0918984b87e92b732dabd453714f1b49a20 |
| SHA256 | 7399d348db2c86c573800148394149281067fc81edf2cd23a590f295a0d0b652 |
| SHA512 | fe1e714c829048a4f02124ae2aea1aebd59c697b5d8cd3c90fa1e009f6cbf47876d9c064f4d9aad46dc7aedf6d2d6213fdabbca83238fa2effe320809fc696a8 |
memory/1328-152-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4072-159-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Dkifae32.exe
| MD5 | ac46655bc91b41444757ec17b5b1938d |
| SHA1 | 7809819c1f01f85191286725665245aad0237c57 |
| SHA256 | f6b67917153b9c1781453f282e35dc1a1f24a8d8707fc16b1c56dbe14230b613 |
| SHA512 | f730b89263368220646b7c39ea306de42ca41fc81abbea6acd93ab86f96411b7f45fa3527a6f7f7477cd8d7a7c19d6d57c1bb6a2adfcadb340b9614161669ac9 |
C:\Windows\SysWOW64\Ddakjkqi.exe
| MD5 | a753b2e597323f95bfa083db96d7abbc |
| SHA1 | 13cf2599b88686a66d49471a1787e0a00b4c4c95 |
| SHA256 | bdc53f1d8101617f837967c5717853b95746cbbf338c9313e3f19b3b7c70fc63 |
| SHA512 | 4ebc48dc91d9d3fb5a8fac4c5eba899da75bda977eb4036c3b75953f8175c54c1dc8d14a594a0231bd15571ffeee0ea25450ca3adf3aa3ecd3367e2c11542f4f |
memory/5000-172-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Dfpgffpm.exe
| MD5 | 856f009f9aaa04d87d3a48ff932c8a08 |
| SHA1 | 48126e2e94205b7019c2f878cc1a5a07360be506 |
| SHA256 | 560c9cd8e3324a2f51bc6c0b691f848ab393aa79bb9a3f63f28d41154f4967e7 |
| SHA512 | 0f999b86951d2a9bd51d9538d600ee633597bce5ccfea9512d357f4b2560408c2bb7768b0397e7b1b0ad73b2813bf7bc17ff5794392cfa566788a612a66c3ea0 |
memory/2948-175-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Dmjocp32.exe
| MD5 | ed5d95ba35e9cfe447bdb7e5e84ff046 |
| SHA1 | b078e0845e20fa36f9cb5972cb70df260fba9cd4 |
| SHA256 | 0990580b51e5d98f71d822c4ad238936618e5b2bdd02c063888191067d4dcc53 |
| SHA512 | 6dee1fd930a797f8b76c44c2ca2371c143f918772669c53593b57f7ac05a9690f627024f3ccf88d6c341a7cd6bada12590f2af06a4edc389b8123faf083fbc76 |
memory/2688-183-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Dddhpjof.exe
| MD5 | 52972750a6f7f8cadabd2a3604fded7d |
| SHA1 | 53691d6b0c4e85b66985789f4116d1417ffb50f6 |
| SHA256 | d448c78488dea27c85a99f5606ad5bf5027859e301cfa97a5e7f29b83ad2e0e9 |
| SHA512 | 5ff06555d32e9ab77d5d9e32f78c5f7e520433ad4f25ba31f216a0107e596fa169e05f1a96237fd1cd813d2c704c4f80c09cdcf3e68112fc3b763f55a688d5dd |
memory/3608-192-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Dgbdlf32.exe
| MD5 | 3e958359f44fb481149a2e0e295c8597 |
| SHA1 | dde7ce80fe2005387a2e552b65ae3ebf256d7c6d |
| SHA256 | ef59f212b13acc127bcc31912bf0649c4b18fa6593ff0f0c31b097bcf1c2eec6 |
| SHA512 | 0fa8d85950ea29490c26197bbcbc9d8b6fff8baf1d6333a8c8f787f53c623402de59ff8afad8661388a56d756fc4359605f629fe11bf92d5f5e44c2a2671800d |
memory/1896-199-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Doilmc32.exe
| MD5 | fa72dc5ef18e18164b6d0764512a9159 |
| SHA1 | 284ac322971890beb46b108d0115ab90c36b225a |
| SHA256 | c5de75e116aed6d870c3f1d5346905354ed92cf52a0a14bfd5d027074f139f91 |
| SHA512 | e0c88ddbc1b4f13696d925e95e28439b188b21cc778bbc6643c2123227c5d390bb7154afb917bcf34a9d7d4b6353e43ac83315458a52bab89844644ddf44bf99 |
memory/1516-212-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4724-216-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\Dmllipeg.exe
| MD5 | a237e6a51456f1f1fac35df6862317fc |
| SHA1 | a204b92fdad4bd244d2960428544d045a6d1df8c |
| SHA256 | 6046608959fad343efda52c2ee532d4edab69b6591328ea23ee87ccdbaa072da |
| SHA512 | 3cea33131a160ac8b1ff6cf6c362b0ea57dda4b873a1ae87c286ad00a757dd0ce7b02b92cbd75696a116ad278391d0b23b526d97f33db606088fe64ed60e9ba6 |
memory/1896-218-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2948-221-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4072-222-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4972-225-0x0000000000400000-0x0000000000437000-memory.dmp
memory/516-235-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2360-241-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1592-242-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2228-240-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1264-239-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2324-238-0x0000000000400000-0x0000000000437000-memory.dmp
memory/468-237-0x0000000000400000-0x0000000000437000-memory.dmp
memory/3452-236-0x0000000000400000-0x0000000000437000-memory.dmp
memory/112-234-0x0000000000400000-0x0000000000437000-memory.dmp
memory/3304-233-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2156-232-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1624-231-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4144-230-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1936-229-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4676-228-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4048-227-0x0000000000400000-0x0000000000437000-memory.dmp
memory/3184-226-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2880-224-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1328-223-0x0000000000400000-0x0000000000437000-memory.dmp
memory/3608-219-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2688-220-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4724-217-0x0000000000400000-0x0000000000437000-memory.dmp
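The file list above is the part of this report a responder actually reuses: dropped paths under C:\Windows\SysWOW64 with per-file hashes, interleaved with memory-dump entries whose names encode the process ID and the dumped address range. The following Python is an added example, not part of the sandbox report, showing how to turn that layout into a hash index, sweep a directory for exact matches, and decode the memory-dump names; the layout parsing, the `SAMPLE_REPORT` excerpt (values copied from the rows above, selection ours) and the `self_check` helper that plants a constructed benign file are all assumptions of this example. Note that every dropped file above carries a different hash even though they are copies of one implant, so a hash sweep only catches these exact builds; the dump names, by contrast, all describe the same 0x400000-0x437000 region, consistent with each dropped copy being the same 0x37000-byte image loaded at its default base.

```python
import hashlib
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Constructed excerpt in the report's own layout: a dropped-file path line
# followed by "| ALGO | hex |" rows, interleaved with memory-dump entries.
# Hash values are copied from the report above; the selection is ours.
SAMPLE_REPORT = """
memory/1592-0-0x0000000000400000-0x0000000000437000-memory.dmp
C:\\Windows\\SysWOW64\\Cdabcm32.exe
| MD5 | 826fd67a279289d0da56ad765d96a716 |
| SHA1 | 12e5b51de28f1509d88ad439c25e572770062f7e |
| SHA256 | 1a9b68b0ad9924f0e0f3beadb795148813af0cdbd150058ec84faf8bf13f2066 |
memory/2360-7-0x0000000000400000-0x0000000000437000-memory.dmp
C:\\Windows\\SysWOW64\\Nedmmlba.dll
| MD5 | af1da632033bd44b7626581019df4b25 |
| SHA256 | 95226d5e16e5b6fef77c3695b3847bd29dde17c10b1a0b6074be3d6a1bf86e76 |
memory/2228-15-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1592-242-0x0000000000400000-0x0000000000437000-memory.dmp
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.(?:exe|dll)$", re.IGNORECASE)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# memory/<pid>-<ordinal>-0x<base>-0x<end>-memory.dmp ; the ordinal is assumed
# to be a sandbox-assigned sequence number and is not interpreted further.
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # ALGO -> lowercase hex


@dataclass
class MemoryRegion:
    pid: int
    ordinal: int
    base: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.base


def parse_report(text: str):
    """Walk the report line by line; hash rows attach to the most recent path line."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = DroppedFile(path=line)
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current.hashes[m.group(1).upper()] = m.group(2).lower()
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
    return files, regions


def ioc_index(files) -> dict:
    """SHA256 -> dropped path, so a hit on disk names the component it matched."""
    return {f.hashes["SHA256"]: f.path for f in files if "SHA256" in f.hashes}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(directory: Path, index: dict):
    """Return (on-disk path, matched dropped path) for every exact-hash match."""
    hits = []
    for p in directory.rglob("*"):
        if p.is_file():
            digest = sha256_of(p)
            if digest in index:
                hits.append((str(p), index[digest]))
    return hits


def region_sizes(regions) -> set:
    return {r.size for r in regions}


def distinct_pids(regions) -> set:
    return {r.pid for r in regions}


def self_check():
    """Plant a constructed benign file in a temp dir, add its hash to the index
    next to the real IOCs, and confirm the sweep reports only that file."""
    files, _ = parse_report(SAMPLE_REPORT)
    index = ioc_index(files)
    with tempfile.TemporaryDirectory() as tmp:
        planted = Path(tmp) / "planted.bin"
        planted.write_bytes(b"constructed test content, not malware\n")
        index[sha256_of(planted)] = "constructed://planted"
        (Path(tmp) / "other.bin").write_bytes(b"unrelated\n")
        return scan_directory(Path(tmp), index)


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE_REPORT)
    print(len(files), "dropped files;", len(regions), "dump regions; sizes:",
          {hex(s) for s in region_sizes(regions)}, "pids:", distinct_pids(regions))
    print("self-check hits:", self_check())
```

To sweep a live host, call `scan_directory(Path(r"C:\Windows\SysWOW64"), ioc_index(files))` from an elevated prompt after parsing the full Files section; expect zero hits unless the exact builds listed here are present, and treat the dropped-file naming and the registry persistence recorded elsewhere in the report as the broader pivots.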