Analysis Overview
SHA256
9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29a
Threat Level: Known bad
The file 9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Berbew family
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 10:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 10:51
Reported
2024-11-11 10:53
Platform
win7-20241010-en
Max time kernel
107s
Max time network
19s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dinneo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ifdlng32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kfaalh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dfkhndca.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jigbebhb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kigndekn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jplfkjbd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Laqojfli.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ljldnhid.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ngpqfp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hqnjek32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfkhndca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cdmepgce.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hjmlhbbg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bqijljfd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Kkjpggkn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jgjkfi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Eheglk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Emdmjamj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bgghac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Khgkpl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Kmkihbho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fdiqpigl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Pbemboof.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fmohco32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ccmpce32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Glbaei32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ncpdbohb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajckilei.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hjmlhbbg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Demaoj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghbljk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Iknafhjb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbmome32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bfoeil32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hcjilgdb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Aclpaali.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Anadojlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ghbljk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ibacbcgg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Indnnfdn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Feddombd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hgqlafap.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ioeclg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Glchpp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ohfcfb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Edlafebn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hqnjek32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fkefbcmf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Hmmdin32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jplfkjbd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Fgocmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ajhddk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jgjkfi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qemldifo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aognbnkm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gpggei32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Glpepj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\Eheglk32.exe | C:\Windows\SysWOW64\Dinneo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ndcapd32.exe | C:\Windows\SysWOW64\Ngpqfp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Khgkpl32.exe | C:\Windows\SysWOW64\Jplfkjbd.exe | N/A |
| File created | C:\Windows\SysWOW64\Glchpp32.exe | C:\Windows\SysWOW64\Ggagmjbq.exe | N/A |
| File created | C:\Windows\SysWOW64\Hkolakkb.exe | C:\Windows\SysWOW64\Gqcnln32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pcfahenq.dll | C:\Windows\SysWOW64\Adaiee32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oejcpf32.exe | C:\Windows\SysWOW64\Ohfcfb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jkbolo32.dll | C:\Windows\SysWOW64\Plpopddd.exe | N/A |
| File created | C:\Windows\SysWOW64\Kpachc32.dll | C:\Windows\SysWOW64\Feddombd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jigbebhb.exe | C:\Windows\SysWOW64\Ifdlng32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mbqkiind.exe | C:\Windows\SysWOW64\Mfgnnhkc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kkjpggkn.exe | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| File created | C:\Windows\SysWOW64\Ibacbcgg.exe | C:\Windows\SysWOW64\Hiioin32.exe | N/A |
| File created | C:\Windows\SysWOW64\Glehgdkn.dll | C:\Windows\SysWOW64\Hbkqdepm.exe | N/A |
| File created | C:\Windows\SysWOW64\Qldhkc32.exe | C:\Windows\SysWOW64\Plpopddd.exe | N/A |
| File created | C:\Windows\SysWOW64\Bddbjhlp.exe | C:\Windows\SysWOW64\Bkknac32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dfkhndca.exe | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| File created | C:\Windows\SysWOW64\Pjnpem32.dll | C:\Windows\SysWOW64\Glchpp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nckkgp32.exe | C:\Windows\SysWOW64\Ndcapd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hqnjek32.exe | C:\Windows\SysWOW64\Hcjilgdb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Eipgjaoi.exe | C:\Windows\SysWOW64\Emdmjamj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bddbjhlp.exe | C:\Windows\SysWOW64\Bkknac32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Efljhq32.exe | C:\Windows\SysWOW64\Emdeok32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pgejcl32.dll | C:\Windows\SysWOW64\Hgqlafap.exe | N/A |
| File created | C:\Windows\SysWOW64\Kkjpggkn.exe | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| File created | C:\Windows\SysWOW64\Lgdqap32.dll | C:\Windows\SysWOW64\Emdmjamj.exe | N/A |
| File created | C:\Windows\SysWOW64\Gqcnln32.exe | C:\Windows\SysWOW64\Glchpp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ejcmmp32.exe | C:\Windows\SysWOW64\Emoldlmc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jnagmc32.exe | C:\Windows\SysWOW64\Iamfdo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ifdlng32.exe | C:\Windows\SysWOW64\Indnnfdn.exe | N/A |
| File created | C:\Windows\SysWOW64\Pkkkap32.dll | C:\Windows\SysWOW64\Lnjldf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Emdeok32.exe | C:\Windows\SysWOW64\Edlafebn.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipbkjl32.dll | C:\Windows\SysWOW64\Kmkihbho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fdiqpigl.exe | C:\Windows\SysWOW64\Fmohco32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghbljk32.exe | C:\Windows\SysWOW64\Gpggei32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Libjncnc.exe | C:\Windows\SysWOW64\Kmkihbho.exe | N/A |
| File created | C:\Windows\SysWOW64\Iamfdo32.exe | C:\Windows\SysWOW64\Icifjk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ikbilijo.dll | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| File created | C:\Windows\SysWOW64\Lffkcfke.dll | C:\Windows\SysWOW64\Ohfcfb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Elbafomj.dll | C:\Windows\SysWOW64\Qemldifo.exe | N/A |
| File created | C:\Windows\SysWOW64\Aclpaali.exe | C:\Windows\SysWOW64\Ajckilei.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hbkqdepm.exe | C:\Windows\SysWOW64\Hkolakkb.exe | N/A |
| File created | C:\Windows\SysWOW64\Jmfjecle.dll | C:\Windows\SysWOW64\Fmohco32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ioeclg32.exe | C:\Windows\SysWOW64\Ibacbcgg.exe | N/A |
| File created | C:\Windows\SysWOW64\Ilalae32.dll | C:\Windows\SysWOW64\Eimcjl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lbjofi32.exe | C:\Windows\SysWOW64\Libjncnc.exe | N/A |
| File created | C:\Windows\SysWOW64\Ngpqfp32.exe | C:\Windows\SysWOW64\Mbqkiind.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bkknac32.exe | C:\Windows\SysWOW64\Bfoeil32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhnhab32.dll | C:\Windows\SysWOW64\Dfcgbb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Fkefbcmf.exe | C:\Windows\SysWOW64\Fdiqpigl.exe | N/A |
| File created | C:\Windows\SysWOW64\Eipgjaoi.exe | C:\Windows\SysWOW64\Emdmjamj.exe | N/A |
| File created | C:\Windows\SysWOW64\Kgnkci32.exe | C:\Windows\SysWOW64\Kigndekn.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbhccm32.exe | C:\Windows\SysWOW64\Bddbjhlp.exe | N/A |
| File created | C:\Windows\SysWOW64\Dokmejcg.dll | C:\Windows\SysWOW64\Ldjbkb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hlekjpbi.dll | C:\Windows\SysWOW64\Klecfkff.exe | N/A |
| File created | C:\Windows\SysWOW64\Ipafocdg.dll | C:\Windows\SysWOW64\Libjncnc.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajckilei.exe | C:\Windows\SysWOW64\Adfbpega.exe | N/A |
| File created | C:\Windows\SysWOW64\Bolcma32.exe | C:\Windows\SysWOW64\Bbhccm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fkefbcmf.exe | C:\Windows\SysWOW64\Fdiqpigl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jipaip32.exe | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| File created | C:\Windows\SysWOW64\Eheglk32.exe | C:\Windows\SysWOW64\Dinneo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lnjldf32.exe | C:\Windows\SysWOW64\Ljldnhid.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pmjaohol.exe | C:\Windows\SysWOW64\Pbemboof.exe | N/A |
| File created | C:\Windows\SysWOW64\Ifolhann.exe | C:\Windows\SysWOW64\Ioeclg32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Lbjofi32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ioeclg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hkolakkb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Addfkeid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iamfdo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kgnkci32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Glbaei32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gefmcp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Indnnfdn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ghbljk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qemldifo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajckilei.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dnefhpma.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jgjkfi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jmfcop32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bqijljfd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfkhndca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ohfcfb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eimcjl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fdiqpigl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fgocmc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jfcabd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fpohakbp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kkjpggkn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ngpqfp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Adfbpega.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hffibceh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eipgjaoi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jigbebhb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Adaiee32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Libjncnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nqokpd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qldhkc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gockgdeh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hgqlafap.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hiioin32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fkefbcmf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gpggei32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ggagmjbq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Onnnml32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ncpdbohb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfcgbb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cinafkkd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lnjldf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Obeacl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jplfkjbd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Plpopddd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Feddombd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fijbco32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kigndekn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lonibk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bddbjhlp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgghac32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gekfnoog.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gqcnln32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Laqojfli.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Glchpp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nckkgp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mloiec32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jipaip32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Khgkpl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ldjbkb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdmepgce.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Edlafebn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hqnjek32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Icifjk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kfaalh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Indnnfdn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ljldnhid.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Pmjaohol.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll" | C:\Windows\SysWOW64\Bqijljfd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bieepc32.dll" | C:\Windows\SysWOW64\Emoldlmc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qldhkc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igcphbih.dll" | C:\Windows\SysWOW64\Ajhddk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqhkjacc.dll" | C:\Windows\SysWOW64\Bbhccm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inppon32.dll" | C:\Windows\SysWOW64\Bolcma32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gekfnoog.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Hcjilgdb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nqokpd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bddbjhlp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ohfcfb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Fgocmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjcap32.dll" | C:\Windows\SysWOW64\Hffibceh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Icifjk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ldjbkb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Lnjldf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hffibceh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilalae32.dll" | C:\Windows\SysWOW64\Eimcjl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fgocmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkhdaei.dll" | C:\Windows\SysWOW64\Gpggei32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kkjpggkn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Kigndekn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eckfklnl.dll" | C:\Windows\SysWOW64\Cdmepgce.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ejcmmp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Gekfnoog.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdmihcc.dll" | C:\Windows\SysWOW64\Ioeclg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Iamfdo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Mbqkiind.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Onnnml32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Anadojlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iinkmi32.dll" | C:\Windows\SysWOW64\Ndcapd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcfahenq.dll" | C:\Windows\SysWOW64\Adaiee32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bfoeil32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ibacbcgg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ioeclg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ccmpce32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fpohakbp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aondioej.dll" | C:\Windows\SysWOW64\Ggagmjbq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ibacbcgg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Jllqplnp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll" | C:\Windows\SysWOW64\Kbmome32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mloiec32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjjjgna.dll" | C:\Windows\SysWOW64\Pbemboof.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Qemldifo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Eimcjl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Feddombd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Jnagmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll" | C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ncpdbohb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Dfcgbb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Khgkpl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Hkolakkb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nehhoand.dll" | C:\Windows\SysWOW64\Obeacl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Plpopddd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Aognbnkm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Gockgdeh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe
"C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe"
C:\Windows\SysWOW64\Bqijljfd.exe
C:\Windows\system32\Bqijljfd.exe
C:\Windows\SysWOW64\Ccmpce32.exe
C:\Windows\system32\Ccmpce32.exe
C:\Windows\SysWOW64\Cinafkkd.exe
C:\Windows\system32\Cinafkkd.exe
C:\Windows\SysWOW64\Dfkhndca.exe
C:\Windows\system32\Dfkhndca.exe
C:\Windows\SysWOW64\Dinneo32.exe
C:\Windows\system32\Dinneo32.exe
C:\Windows\SysWOW64\Eheglk32.exe
C:\Windows\system32\Eheglk32.exe
C:\Windows\SysWOW64\Emdmjamj.exe
C:\Windows\system32\Emdmjamj.exe
C:\Windows\SysWOW64\Eipgjaoi.exe
C:\Windows\system32\Eipgjaoi.exe
C:\Windows\SysWOW64\Fpohakbp.exe
C:\Windows\system32\Fpohakbp.exe
C:\Windows\SysWOW64\Ggagmjbq.exe
C:\Windows\system32\Ggagmjbq.exe
C:\Windows\SysWOW64\Glchpp32.exe
C:\Windows\system32\Glchpp32.exe
C:\Windows\SysWOW64\Gqcnln32.exe
C:\Windows\system32\Gqcnln32.exe
C:\Windows\SysWOW64\Hkolakkb.exe
C:\Windows\system32\Hkolakkb.exe
C:\Windows\SysWOW64\Hbkqdepm.exe
C:\Windows\system32\Hbkqdepm.exe
C:\Windows\SysWOW64\Indnnfdn.exe
C:\Windows\system32\Indnnfdn.exe
C:\Windows\SysWOW64\Ifdlng32.exe
C:\Windows\system32\Ifdlng32.exe
C:\Windows\SysWOW64\Jigbebhb.exe
C:\Windows\system32\Jigbebhb.exe
C:\Windows\SysWOW64\Kigndekn.exe
C:\Windows\system32\Kigndekn.exe
C:\Windows\SysWOW64\Kgnkci32.exe
C:\Windows\system32\Kgnkci32.exe
C:\Windows\SysWOW64\Lonibk32.exe
C:\Windows\system32\Lonibk32.exe
C:\Windows\SysWOW64\Ldjbkb32.exe
C:\Windows\system32\Ldjbkb32.exe
C:\Windows\SysWOW64\Laqojfli.exe
C:\Windows\system32\Laqojfli.exe
C:\Windows\SysWOW64\Ljldnhid.exe
C:\Windows\system32\Ljldnhid.exe
C:\Windows\SysWOW64\Lnjldf32.exe
C:\Windows\system32\Lnjldf32.exe
C:\Windows\SysWOW64\Mloiec32.exe
C:\Windows\system32\Mloiec32.exe
C:\Windows\SysWOW64\Mfgnnhkc.exe
C:\Windows\system32\Mfgnnhkc.exe
C:\Windows\SysWOW64\Mbqkiind.exe
C:\Windows\system32\Mbqkiind.exe
C:\Windows\SysWOW64\Ngpqfp32.exe
C:\Windows\system32\Ngpqfp32.exe
C:\Windows\SysWOW64\Ndcapd32.exe
C:\Windows\system32\Ndcapd32.exe
C:\Windows\SysWOW64\Nckkgp32.exe
C:\Windows\system32\Nckkgp32.exe
C:\Windows\SysWOW64\Nqokpd32.exe
C:\Windows\system32\Nqokpd32.exe
C:\Windows\SysWOW64\Ncpdbohb.exe
C:\Windows\system32\Ncpdbohb.exe
C:\Windows\SysWOW64\Obeacl32.exe
C:\Windows\system32\Obeacl32.exe
C:\Windows\SysWOW64\Onnnml32.exe
C:\Windows\system32\Onnnml32.exe
C:\Windows\SysWOW64\Ohfcfb32.exe
C:\Windows\system32\Ohfcfb32.exe
C:\Windows\SysWOW64\Oejcpf32.exe
C:\Windows\system32\Oejcpf32.exe
C:\Windows\SysWOW64\Pbemboof.exe
C:\Windows\system32\Pbemboof.exe
C:\Windows\SysWOW64\Pmjaohol.exe
C:\Windows\system32\Pmjaohol.exe
C:\Windows\SysWOW64\Plpopddd.exe
C:\Windows\system32\Plpopddd.exe
C:\Windows\SysWOW64\Qldhkc32.exe
C:\Windows\system32\Qldhkc32.exe
C:\Windows\SysWOW64\Qemldifo.exe
C:\Windows\system32\Qemldifo.exe
C:\Windows\SysWOW64\Adaiee32.exe
C:\Windows\system32\Adaiee32.exe
C:\Windows\SysWOW64\Aognbnkm.exe
C:\Windows\system32\Aognbnkm.exe
C:\Windows\SysWOW64\Addfkeid.exe
C:\Windows\system32\Addfkeid.exe
C:\Windows\SysWOW64\Adfbpega.exe
C:\Windows\system32\Adfbpega.exe
C:\Windows\SysWOW64\Ajckilei.exe
C:\Windows\system32\Ajckilei.exe
C:\Windows\SysWOW64\Aclpaali.exe
C:\Windows\system32\Aclpaali.exe
C:\Windows\SysWOW64\Anadojlo.exe
C:\Windows\system32\Anadojlo.exe
C:\Windows\SysWOW64\Ajhddk32.exe
C:\Windows\system32\Ajhddk32.exe
C:\Windows\SysWOW64\Bfoeil32.exe
C:\Windows\system32\Bfoeil32.exe
C:\Windows\SysWOW64\Bkknac32.exe
C:\Windows\system32\Bkknac32.exe
C:\Windows\SysWOW64\Bddbjhlp.exe
C:\Windows\system32\Bddbjhlp.exe
C:\Windows\SysWOW64\Bbhccm32.exe
C:\Windows\system32\Bbhccm32.exe
C:\Windows\SysWOW64\Bolcma32.exe
C:\Windows\system32\Bolcma32.exe
C:\Windows\SysWOW64\Bgghac32.exe
C:\Windows\system32\Bgghac32.exe
C:\Windows\SysWOW64\Cgidfcdk.exe
C:\Windows\system32\Cgidfcdk.exe
C:\Windows\SysWOW64\Cdmepgce.exe
C:\Windows\system32\Cdmepgce.exe
C:\Windows\SysWOW64\Demaoj32.exe
C:\Windows\system32\Demaoj32.exe
C:\Windows\SysWOW64\Dnefhpma.exe
C:\Windows\system32\Dnefhpma.exe
C:\Windows\SysWOW64\Dfcgbb32.exe
C:\Windows\system32\Dfcgbb32.exe
C:\Windows\SysWOW64\Emoldlmc.exe
C:\Windows\system32\Emoldlmc.exe
C:\Windows\SysWOW64\Ejcmmp32.exe
C:\Windows\system32\Ejcmmp32.exe
C:\Windows\SysWOW64\Edlafebn.exe
C:\Windows\system32\Edlafebn.exe
C:\Windows\SysWOW64\Emdeok32.exe
C:\Windows\system32\Emdeok32.exe
C:\Windows\SysWOW64\Efljhq32.exe
C:\Windows\system32\Efljhq32.exe
C:\Windows\SysWOW64\Eimcjl32.exe
C:\Windows\system32\Eimcjl32.exe
C:\Windows\SysWOW64\Feddombd.exe
C:\Windows\system32\Feddombd.exe
C:\Windows\SysWOW64\Fmohco32.exe
C:\Windows\system32\Fmohco32.exe
C:\Windows\SysWOW64\Fdiqpigl.exe
C:\Windows\system32\Fdiqpigl.exe
C:\Windows\SysWOW64\Fkefbcmf.exe
C:\Windows\system32\Fkefbcmf.exe
C:\Windows\SysWOW64\Fijbco32.exe
C:\Windows\system32\Fijbco32.exe
C:\Windows\SysWOW64\Fgocmc32.exe
C:\Windows\system32\Fgocmc32.exe
C:\Windows\SysWOW64\Gpggei32.exe
C:\Windows\system32\Gpggei32.exe
C:\Windows\SysWOW64\Ghbljk32.exe
C:\Windows\system32\Ghbljk32.exe
C:\Windows\SysWOW64\Gefmcp32.exe
C:\Windows\system32\Gefmcp32.exe
C:\Windows\SysWOW64\Glpepj32.exe
C:\Windows\system32\Glpepj32.exe
C:\Windows\SysWOW64\Glbaei32.exe
C:\Windows\system32\Glbaei32.exe
C:\Windows\SysWOW64\Gekfnoog.exe
C:\Windows\system32\Gekfnoog.exe
C:\Windows\SysWOW64\Gockgdeh.exe
C:\Windows\system32\Gockgdeh.exe
C:\Windows\SysWOW64\Hjmlhbbg.exe
C:\Windows\system32\Hjmlhbbg.exe
C:\Windows\SysWOW64\Hgqlafap.exe
C:\Windows\system32\Hgqlafap.exe
C:\Windows\SysWOW64\Hmmdin32.exe
C:\Windows\system32\Hmmdin32.exe
C:\Windows\SysWOW64\Hffibceh.exe
C:\Windows\system32\Hffibceh.exe
C:\Windows\SysWOW64\Hcjilgdb.exe
C:\Windows\system32\Hcjilgdb.exe
C:\Windows\SysWOW64\Hqnjek32.exe
C:\Windows\system32\Hqnjek32.exe
C:\Windows\SysWOW64\Hiioin32.exe
C:\Windows\system32\Hiioin32.exe
C:\Windows\SysWOW64\Ibacbcgg.exe
C:\Windows\system32\Ibacbcgg.exe
C:\Windows\SysWOW64\Ioeclg32.exe
C:\Windows\system32\Ioeclg32.exe
C:\Windows\SysWOW64\Ifolhann.exe
C:\Windows\system32\Ifolhann.exe
C:\Windows\SysWOW64\Ibfmmb32.exe
C:\Windows\system32\Ibfmmb32.exe
C:\Windows\SysWOW64\Iknafhjb.exe
C:\Windows\system32\Iknafhjb.exe
C:\Windows\SysWOW64\Icifjk32.exe
C:\Windows\system32\Icifjk32.exe
C:\Windows\SysWOW64\Iamfdo32.exe
C:\Windows\system32\Iamfdo32.exe
C:\Windows\SysWOW64\Jnagmc32.exe
C:\Windows\system32\Jnagmc32.exe
C:\Windows\SysWOW64\Jgjkfi32.exe
C:\Windows\system32\Jgjkfi32.exe
C:\Windows\SysWOW64\Jmfcop32.exe
C:\Windows\system32\Jmfcop32.exe
C:\Windows\SysWOW64\Jllqplnp.exe
C:\Windows\system32\Jllqplnp.exe
C:\Windows\SysWOW64\Jipaip32.exe
C:\Windows\system32\Jipaip32.exe
C:\Windows\SysWOW64\Jfcabd32.exe
C:\Windows\system32\Jfcabd32.exe
C:\Windows\SysWOW64\Jplfkjbd.exe
C:\Windows\system32\Jplfkjbd.exe
C:\Windows\SysWOW64\Khgkpl32.exe
C:\Windows\system32\Khgkpl32.exe
C:\Windows\SysWOW64\Kbmome32.exe
C:\Windows\system32\Kbmome32.exe
C:\Windows\SysWOW64\Klecfkff.exe
C:\Windows\system32\Klecfkff.exe
C:\Windows\SysWOW64\Kkjpggkn.exe
C:\Windows\system32\Kkjpggkn.exe
C:\Windows\SysWOW64\Kfaalh32.exe
C:\Windows\system32\Kfaalh32.exe
C:\Windows\SysWOW64\Kmkihbho.exe
C:\Windows\system32\Kmkihbho.exe
C:\Windows\SysWOW64\Libjncnc.exe
C:\Windows\system32\Libjncnc.exe
C:\Windows\SysWOW64\Lbjofi32.exe
C:\Windows\system32\Lbjofi32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 140
Network
Files
memory/1552-0-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\Bqijljfd.exe
| MD5 | ef7a5bdf2fc59dc22fcdf0c030e84aeb |
| SHA1 | 0d67d1f99af3ed5e019ffa552a94d1a046b4ecb5 |
| SHA256 | 514d41b5f249dc92fbd01b36089063b0dc67733a8e8016977e388a865a6a261f |
| SHA512 | a892cb175cb98b4b361c2a1357e72a2557d56670ce93502d5fb5e63a1a262c4e80f1cb31b7755da08fdc717781d008c528a9a01f250cf3f1ea5ed0b3811fd421 |
memory/1552-7-0x00000000002A0000-0x00000000002D3000-memory.dmp
memory/1552-12-0x00000000002A0000-0x00000000002D3000-memory.dmp
memory/1700-14-0x0000000000400000-0x0000000000433000-memory.dmp
\Windows\SysWOW64\Ccmpce32.exe
| MD5 | 8f2fe940dfd25bd28f8ff0c49c31a8e6 |
| SHA1 | b9912b7b16b6c4af9f5b3bce10d9b6d339bfc591 |
| SHA256 | ad64f7aea7ecc9ec9c2d11248196ec27b08f0ad25e7b4ffe183f992aea924cfc |
| SHA512 | 5206ed915c4d0bebdbc97a1a896058886fbe67d2c5038275d2ef3c4c27ea4ada2e135173601000716623016adb0a569c26a9981a78d5b5eef9bfbbd681daac1b |
memory/1700-21-0x0000000000220000-0x0000000000253000-memory.dmp
\Windows\SysWOW64\Cinafkkd.exe
| MD5 | be2e396dcf447989aa977d921d455990 |
| SHA1 | 1af1c4dc732824510cbece97dd5110015acd8c28 |
| SHA256 | 13dcdc0db25b53477d4de41f74ab9e713efc80ac97230acde54ef50beb1935b0 |
| SHA512 | 65019e905f2b4b3357b2c551a02ebc2897284a77a7f73170cd90e57bd612943db8d459cc92fe7136659cde0e35b2654edfae8ad2abe564b1c5c7da2c8aebdd09 |
memory/2744-42-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2036-40-0x0000000000220000-0x0000000000253000-memory.dmp
memory/2036-39-0x0000000000220000-0x0000000000253000-memory.dmp
\Windows\SysWOW64\Dfkhndca.exe
| MD5 | edd25b895a2080f78e51d9dcbc4cffa0 |
| SHA1 | 1094bd5dd591c50e47333c1c24a87dc5dfd60811 |
| SHA256 | 0b0b9b9e059ffb6825cfcdc8cf7c60bd995e8946f18103f65fd105dfa128fef0 |
| SHA512 | a0d7f099bdd30b8e0814b7de1be1b2a93280dd37f336fb6e09a7c80c0012abb62d40285fbccde3b9dcd7a0c554bc821dfa2095c14066196ec7d9ecc3ca0a5fcb |
memory/2996-56-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2744-50-0x0000000000220000-0x0000000000253000-memory.dmp
C:\Windows\SysWOW64\Aeojbkal.dll
| MD5 | 30bd23670a656c1fd1a4ec94abc1127e |
| SHA1 | 52ccbc0287ebdaf7e806193423f389034d5adbac |
| SHA256 | e84fcde073b926898cb94302de94b0d241d41c300e6fdae928a21ee8d9158a81 |
| SHA512 | 6f59f8f1f8341e167d3affdf77fbf779db2de664e9adae1c5575d3884d6ead112c80859f6c7996ac7ecd80a5428ca51ffbb3995f026262de7cd73069cbd74c8f |
\Windows\SysWOW64\Dinneo32.exe
| MD5 | 82dfce8060bfa5554a276489ae10923b |
| SHA1 | e3584501436bbc305c1aa8c5db80b53ec47557d1 |
| SHA256 | d6d6cc9caf5072ba215b997dbbfa41734be651e292fa421cabefc44ed5f6ec1f |
| SHA512 | 11d1bcf697af5cf57f789cd96a2e8044f65d165eea0d27ae26eaa7264d027d21ce27c815d00b8fa7d2bcfc1b299eb84dcb26bee8b80b974652a3b37dfdf82cd4 |
memory/2996-68-0x00000000002A0000-0x00000000002D3000-memory.dmp
memory/1904-70-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1904-77-0x0000000000440000-0x0000000000473000-memory.dmp
\Windows\SysWOW64\Eheglk32.exe
| MD5 | 76806e1d925b8a0b770859e8fd0683da |
| SHA1 | 3637cb054bd0ec0619caae473d04069be8205ac7 |
| SHA256 | 0a891d8b6b147b09be1f8b77a674590697b6f105aa326e5fc6db44eb9794d91a |
| SHA512 | 7a088b7a5ec0d98656a1748fd0966a8c81402b6ae32cf126c04da3b02646c1cae139ff25f12c70cae3c34a2087a8a69bc255cc3edb4ea4840f1c4a74ab4449cc |
memory/2740-91-0x00000000002B0000-0x00000000002E3000-memory.dmp
\Windows\SysWOW64\Emdmjamj.exe
| MD5 | a2a9d5f0437eac1f7c4323bca2dbc9ca |
| SHA1 | c7bbe57461b20b9bea061ad4aa04de3bd86d1c4f |
| SHA256 | 823a3e3c7567282238c4838f809df3cc07e4c719f5bd8b9b4287dcb4951c079c |
| SHA512 | dea4389d48ffb1d40d7d14f97e9fed6e06f61a599ffc5f2f90b225b5a602febdda5061cb714640a064a40f693da8a2ecb78fb682e694cede7503d82c58c9f3f1 |
memory/2080-97-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2080-110-0x00000000001B0000-0x00000000001E3000-memory.dmp
memory/1936-111-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Eipgjaoi.exe
| MD5 | 9a55044d0290d4129ee6d4f6674a27fb |
| SHA1 | f216724fe9b3e8e78520cf81b9b6f2b0f20283fb |
| SHA256 | 4bdec75db3125a47266cb19b28be11258bc970f34bfd89fcce6c853ef5c9a589 |
| SHA512 | 137133050406fe81a4a02d6f7063a12f845c61487ea62b5c83f69393d7f3aa966b8d6a79022356b5481b3ba9ba84e692cb81d48ab0a37e02fd5d780b7bcf2737 |
\Windows\SysWOW64\Fpohakbp.exe
| MD5 | b088ab61a52ed09ee5ac25c2cc74cacd |
| SHA1 | 0f31fe736e76ea04166b6cf1ff9e623c84687ccc |
| SHA256 | 0f7b754b0f82d29626d938c74dba84548542ad27dbcc788e4453a4358c7a062a |
| SHA512 | 665879fc98806e159db58cadffbb41e40ff1948c8391bea716f9f3a926b2b46b94bc60048694841c3384736ab397644839df632d5d5d197898f6981140db9ce7 |
memory/2720-125-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1936-123-0x0000000000440000-0x0000000000473000-memory.dmp
memory/2720-133-0x0000000000220000-0x0000000000253000-memory.dmp
\Windows\SysWOW64\Ggagmjbq.exe
| MD5 | a6d6857b8a9303e81aefd698b65307b2 |
| SHA1 | 1de585855fe4e91d6fc7281057221524620cfa57 |
| SHA256 | 2bd2862f18b85495513eb1daca328bc67adccd1167f35255f1c0c02e088ef003 |
| SHA512 | 2982cd4cca2dbf823786ffb642f395a44d7e63a47f7ea2656c7cd8cad26319c5c604ff231d188f727f25a60e0994c5fd38e2cffadfeca5f1535e6ae1eb88a7d9 |
\Windows\SysWOW64\Glchpp32.exe
| MD5 | 71b38971b5e6a44057d3ac9917726eb3 |
| SHA1 | f95070d74892f7a036ce666a3b5c7abfebe91662 |
| SHA256 | 53c01cecc9e57e6b3c1b0029baaedd9263de5924a7c540b0d4267a6b11302a7d |
| SHA512 | 210e3a3e3cab06f2684c488fc6d864e182ea078308e0f25549b4cfb8ab1ed35d989ca8e1d479785af23f53da548721a071aa7ff180414656c7407eb4dc5ccfef |
memory/1884-152-0x0000000000400000-0x0000000000433000-memory.dmp
memory/560-150-0x0000000000220000-0x0000000000253000-memory.dmp
\Windows\SysWOW64\Gqcnln32.exe
| MD5 | 05dcd7f17b099254b51d8d3400c707df |
| SHA1 | 13456c57f649eb3cb4f25d8f93263d09d6cfeede |
| SHA256 | 6b12b88c669f96673fb0f0405b5b83c1f0e40a4c20d164c875e1d020ed31f2bc |
| SHA512 | 12af2442d767bb92a6823c091de6d536b7710235f5249046125fa462202cc8487658dff6e4d28995ae29eb3119108315633558bbbda759ed82bdb900b0fd717f |
memory/1884-159-0x0000000000220000-0x0000000000253000-memory.dmp
\Windows\SysWOW64\Hkolakkb.exe
| MD5 | b42a42d2d50b38689d2096e4e541066b |
| SHA1 | 64c8181967960d637ca495e90dd58eb57d41a0ef |
| SHA256 | cd3d955d729e38873a73d7accaba09db9eb91843a069ba7ae6a0fc02717ed973 |
| SHA512 | ee248a86b2128f3400c23d793900500332ac6152550f2458e3b2a65fe6a2f13e1194ace3012fffadfd22432b90a63b024a08aeab136ba3ce24981d9b104f8215 |
memory/2572-177-0x0000000000220000-0x0000000000253000-memory.dmp
memory/2168-179-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2168-187-0x0000000000260000-0x0000000000293000-memory.dmp
\Windows\SysWOW64\Hbkqdepm.exe
| MD5 | ddb60dda79b31de05a3661653f87d1e0 |
| SHA1 | add58fe22676ceba80136483a613860dd1b49671 |
| SHA256 | ecbdc09a66c9d454497cc209a58fed8356e29e4f31a6bf3961bb57e1c760b1c6 |
| SHA512 | 32b0b53a5b6a76cf5e7b015811932a2d21f60e7b1871a143773a0a5019cb735635cf74b7d6825c34b14723a1ded3ac70a773ce42d571de5f37ce86e1e1eb0274 |
\Windows\SysWOW64\Indnnfdn.exe
| MD5 | 6971cf6daf1f0ba9c2f9892ed909639e |
| SHA1 | 62ca0ddaffa21554a728587f9c173f7ae525470f |
| SHA256 | 8ffcb58964352f5b64f45b5bef762de5e30099d33caed6bde42287c8da4a1497 |
| SHA512 | 7bf86b9ea9ba4719468738f1c2357fafca9aa38a70eeda4f9b23d2525a1eb498e1052f111ed937386e27d8587aa8fce98f7070f523e4c79f0ebbe0b61a6a65a2 |
memory/2288-198-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1064-207-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2288-205-0x0000000000220000-0x0000000000253000-memory.dmp
\Windows\SysWOW64\Ifdlng32.exe
| MD5 | 2c60a71c906f66dca2b14899fe0e50bd |
| SHA1 | 08b62bed489326b064b9e44e922000f64644e863 |
| SHA256 | 1371613fcadb8cde6afa650302b00806ce76439c9e6b3207bbd2f656d2d63732 |
| SHA512 | d22088921fd2393e42a458699e4815f551b1f9534270b16e2b9a5460c3f89c59d6e003a3ff8eb1ab5950b0c7b3608da5200b46fe28aecfc2ab711537a48421fa |
memory/688-221-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1064-219-0x0000000000220000-0x0000000000253000-memory.dmp
memory/688-228-0x0000000000220000-0x0000000000253000-memory.dmp
C:\Windows\SysWOW64\Jigbebhb.exe
| MD5 | 49ee551635e2d4d72f39172d9364011f |
| SHA1 | eb2bdce49dc50509690d5604c1b4a78aaff2f5c1 |
| SHA256 | 06c125d8a4f523bd40484f698c1cc8fbca63eb77afd04dd0736db46ad3ad9e55 |
| SHA512 | 4a59683e7b66a5a2a5a34cc14f3e8ef6d0b9b77cbd46e36e52b09977200baae3a282b99de3c95b63c1c71ec31bf4d6e440c21ce8bf4e0f089bd9e6dc1a401986 |
memory/2424-237-0x00000000003A0000-0x00000000003D3000-memory.dmp
memory/1724-241-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Kigndekn.exe
| MD5 | a8f8385d9b7326702941f6c7466b0a37 |
| SHA1 | 00775f24d9974d514adcb2f8a6d16cb1108cb5de |
| SHA256 | 089edc9f13854fdabd3be3d715ebc582cc77e47549cac40382bcdef81fbf4192 |
| SHA512 | 736ad95e159e5aeccd10268cbb36c4924821bb80074c65909a94f372638921ace8ab4423e95169fdcc1ca6a8e72a5169f070377738b8c407e87ea3c46b4cf9b7 |
C:\Windows\SysWOW64\Kgnkci32.exe
| MD5 | 242363e60604681f7e53568056439dee |
| SHA1 | ffafb0af7e3eba4fd89067d7e94aea139b1280e4 |
| SHA256 | a37a6c58accd2bf36c7feacc9c83debffa2e20407376b84f10ea795df3be8b59 |
| SHA512 | 0a809c3914426e1628d1cf3b4ebc61c31861b70388c7103447d60258e99d7789fda81b53e0fb1312f5bda1114332b25b068db6554a65b0576b9d27e32e57fb8c |
memory/1724-248-0x0000000000220000-0x0000000000253000-memory.dmp
C:\Windows\SysWOW64\Lonibk32.exe
| MD5 | 0c963f578df058af0b8d242b962371f2 |
| SHA1 | bae616878c1b39f2a3258f37001e2a1b0bb6ff9c |
| SHA256 | fb43c601c2e092ac36e13cd0e45dbf05b97bb6598874f783b62756f8d2f8ec93 |
| SHA512 | a3ea36e25dccaca4dea0325f83e3ad0a291b48ead22f05089997c135f4aa391beb3f828b9530bf88706948912a5d9df8e09987976e6dded5d26a9b36db050737 |
memory/2044-260-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1416-259-0x0000000000440000-0x0000000000473000-memory.dmp
C:\Windows\SysWOW64\Ldjbkb32.exe
| MD5 | 2dda356c34782f57a44d8d9f3b205c8e |
| SHA1 | 05df38254bfbd4c747021bf9b4c22541e27de0b0 |
| SHA256 | c6fe1e1f967a2940042c4db9b4628817250089aa0ae05347c439c76ce81f1a1f |
| SHA512 | c46ccca1b1cb212f4d76fcffff3e3ea99b464b8cf10d496933bf8b72bab80176dff2a33e79be7c3708b51927865894ea2f7f0620c03a4fd4e8d26cc17fa36ae6 |
memory/2044-269-0x00000000002B0000-0x00000000002E3000-memory.dmp
memory/2372-270-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2372-276-0x0000000000220000-0x0000000000253000-memory.dmp
C:\Windows\SysWOW64\Laqojfli.exe
| MD5 | 922ad14dfa687be5514adfc219ff4458 |
| SHA1 | 4ffdd25156dbf68b72b5b0262842b318dc92da87 |
| SHA256 | 83d6b671618aa07e04ec90b5a74946c03e930e39b14331b6c0c584c86b937f7e |
| SHA512 | a0f25834c7c29044e7b6a5c2849e47e1d36e2c478abdaf35d8f750a5d751161a35f8e78062472ed1df85c09e3889dd5ef558b39cf849d4f67d3cf59297e763cd |
memory/1820-285-0x0000000000220000-0x0000000000253000-memory.dmp
C:\Windows\SysWOW64\Ljldnhid.exe
| MD5 | dfec1c2734fe5223f3d0be44319f1686 |
| SHA1 | 9a2353e2e134d61682ca6bdd845a1e8085565988 |
| SHA256 | e6ac953b0e842ade955a6d07bc5ad3b15682b46d9541b9e0f08ed9da01088a17 |
| SHA512 | 0f01a36eecd4db5e3015e2c11ed7044ae89399735560d2f3cf305c1d665524832244d6e8487b311f31e6827c4e312f715799a5116e68042fcfb4021b1ffefc45 |
memory/2452-294-0x0000000000440000-0x0000000000473000-memory.dmp
C:\Windows\SysWOW64\Lnjldf32.exe
| MD5 | 43b241df1c7c52e35d82f6e0d21474cb |
| SHA1 | 8b46674cd69ef0b4c177eccc0e28c43075be7d5f |
| SHA256 | 5a156e4b5f74303812de17e88758583cd25dca830fc1a5a44e1d31e40d1c4a0f |
| SHA512 | d5754729bc0298dbdee5aee98b2d6a5fa846a7350608ccd6ea0ec7bb8e28dd56295486016295f6a03a31eb8ec02e6026b1a031cf7a7e9ef8fe6a55a6db6e2c5b |
memory/2452-298-0x0000000000440000-0x0000000000473000-memory.dmp
memory/864-303-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Mloiec32.exe
| MD5 | 5d09d4e82dbb65cf81613519e94e1bb6 |
| SHA1 | 395ae53d485010013466da734ab36f309b9a630b |
| SHA256 | 660988f5c2ebdf3d952135fdff51ab031fedb0daa959c3f25d90aa5f24dbe503 |
| SHA512 | 222437ae16c1b2257fd3ae06a7b679324ec35cdee1dee9bad8ae6cebc2ba4029bd5e10a9d1f282856b9e09ed18c60653f79aab499ae5d51e209027cb92d75ac9 |
memory/788-310-0x0000000000400000-0x0000000000433000-memory.dmp
memory/864-309-0x0000000000220000-0x0000000000253000-memory.dmp
memory/864-308-0x0000000000220000-0x0000000000253000-memory.dmp
C:\Windows\SysWOW64\Mfgnnhkc.exe
| MD5 | 7c436e3ee7c0ba387a338eb955b0dfd1 |
| SHA1 | f5bad8b32a6d2bc1c024f4bb5241e2e75e27abfa |
| SHA256 | 7096e12003c49e405bdd36c19ef1f4b86e666ca01e7a77f3f3d12e1d0b7846fa |
| SHA512 | 230d8540728184b76864090a4951cff55e1beaaca6c5b0f8974ed4dbbe51ad98e73846639d5a896533b2dad2529d4d72a959b98875d5a36529625db362a2c861 |
memory/788-320-0x00000000002D0000-0x0000000000303000-memory.dmp
memory/788-319-0x00000000002D0000-0x0000000000303000-memory.dmp
memory/1564-325-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1564-331-0x0000000000280000-0x00000000002B3000-memory.dmp
memory/2388-332-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1564-330-0x0000000000280000-0x00000000002B3000-memory.dmp
C:\Windows\SysWOW64\Mbqkiind.exe
| MD5 | 3cfc26fc38889e6f6c703fcb82cdcfc6 |
| SHA1 | c622514801a171d4ac8574ef5a67f4667efe8e17 |
| SHA256 | 52448c14912d691171610b99d4f068a008bafab657722daef5bb652c8f66d454 |
| SHA512 | 754b1ce3fbb478a5ed1218e5508104c415934c9eb30b29b5dfc12f41389207da948734d8b7f929076d4231fb678b46fbe1e123c0634caa785e9dfe7db8a06b48 |
C:\Windows\SysWOW64\Ngpqfp32.exe
| MD5 | 211789d68371133126e5db89db7663b4 |
| SHA1 | b69e101c1835d53639fb7d84eb52822646732c66 |
| SHA256 | 5cddbb2925248c701fc98da5c6e9fe2aed0e988d4f4951fb76a9136b50c7184e |
| SHA512 | edcd522b15456bbd194313508cbdc31bebb524466a8603896e19e28405699b18e340b27d2e5b1353aa42a3e0c2e064f57b9816a2287486062d55ac48be3a5452 |
memory/2724-348-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1552-343-0x00000000002A0000-0x00000000002D3000-memory.dmp
memory/2656-355-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2724-354-0x00000000002C0000-0x00000000002F3000-memory.dmp
memory/1700-353-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ndcapd32.exe
| MD5 | 8fe2e98dd9a4636f844f9e61c6290e6e |
| SHA1 | d2c2d5e5d2e343ffa8a7c226feeeb586b87ba890 |
| SHA256 | f5c2642c5f2a4c35d9177ac72227edc5260031b2c591a60692f9cd196d503c53 |
| SHA512 | ad1587c2634afe9cfbe9d386a18a69d3d4615040d0679f53271699eecd14523c49449c5cf0180a912f297a4376d24b0dc000aa6ff2c9afcc41171c5afd60062d |
memory/2388-342-0x00000000001B0000-0x00000000001E3000-memory.dmp
memory/1552-341-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2036-369-0x0000000000220000-0x0000000000253000-memory.dmp
memory/2896-370-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2656-365-0x0000000000440000-0x0000000000473000-memory.dmp
memory/2036-364-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Nckkgp32.exe
| MD5 | 2c6f4fefa0c56b37b65bdd2d583c6be1 |
| SHA1 | 0d7c966769c18810b489caf96812ff1618a1df05 |
| SHA256 | e9d40a36f07562bc575aef4ebd92055968c99e1dd5a2150c7af201a157fd50af |
| SHA512 | 3ab857a54eecd5147a0dd0f0a61149d6be3d66108c3d1eed73de566acf197d952e0cbf3fdb57052301f32efbf84e97f48268b7a97321bf70bbce1b6c71db9193 |
memory/2896-376-0x0000000000230000-0x0000000000263000-memory.dmp
C:\Windows\SysWOW64\Nqokpd32.exe
| MD5 | 29f14df26ab8ada5e83bd8a3d0129b08 |
| SHA1 | 2f37a51c9bb2908a82c73a4ea13816be2c413915 |
| SHA256 | 0dfdff89d76cee2fd811a7c1d7261646bf05a489d18fbd0b0b355d800d59a5a4 |
| SHA512 | 516322889cb51f12dfbe78f1055b2f9e216c003b97ae1ad589592d689548092c63d46aeecba647e62dc0c254832cd90b1b9df01a6871dd00d053fd1123801bc8 |
memory/2744-377-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ncpdbohb.exe
| MD5 | d9eb2188283cd0c458bf121b9afe89fb |
| SHA1 | 46e535f7b993399b1a63c5c8dce9d58a31b58cca |
| SHA256 | 427afa415b1d5ce14bba6e86604af5754c948e2a42eda21ff47177a2b785539a |
| SHA512 | 2ff6bf06edb96860e3b91e4e3bdc8b9d024b6079a72085a8795f68f4fbe01e56c3ceb1c8dd4e66ce98dc26a1943b816a5b7254f233d12450aff113483a2ab0cf |
memory/2632-384-0x0000000000220000-0x0000000000253000-memory.dmp
memory/2632-382-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2996-388-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2996-394-0x00000000002A0000-0x00000000002D3000-memory.dmp
memory/772-393-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Obeacl32.exe
| MD5 | 349722652367740dc4233ce2be9d33b5 |
| SHA1 | 44bbfd2f64aba7d3eb5800aa17815e8ea0b9df29 |
| SHA256 | 8f2d02635542c7b37e6374fb415b479d05853ca9dbf3f41dc193b1a9d272ce30 |
| SHA512 | 617b68d63aa44c005fa10cd32d960a61922e7739b6ce80a36e2f5950355c37d125f36355b72cdaaef8793c8cd5c8f5b20be0a599e41094152996be8cdd943f61 |
memory/2600-400-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1904-399-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Onnnml32.exe
| MD5 | 2fae424ff272b888e355bafe4be43399 |
| SHA1 | c4537f8b8153dd0e9160ad6e3540e2a1475f3a5e |
| SHA256 | 20d0756a83d296081190b6ef2dcd4f68aed6b5acfd26df6c7a7d132be21892d4 |
| SHA512 | b0c714f039cc6980c6527877ea8acf62b11997e6e3f5b4a3d5c91a81856e4fe632c1c5148424ae24ebf6c2b2ce4f473946ef3d9909a482b85869723433621768 |
memory/3016-414-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2740-413-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ohfcfb32.exe
| MD5 | 41e6c27b8890ea90af7da0cc30e2877e |
| SHA1 | fbc62a57ce92b33a567eb53114f945762aae9134 |
| SHA256 | 4062ff871d8a5541a7812afcf16a0c600c9a4158eee707dc75cbd9cef63ab92b |
| SHA512 | 43861c2ec5cbbc8e8d34d777c153b897f041e0713ffa111971dc6b29f3cea18123faf9d59598629dd954a2e9a3126f6c5a3b810c48f71bf69cb2b765a80b3840 |
memory/2840-423-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3016-420-0x00000000002B0000-0x00000000002E3000-memory.dmp
memory/3016-419-0x00000000002B0000-0x00000000002E3000-memory.dmp
memory/1936-434-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2080-433-0x00000000001B0000-0x00000000001E3000-memory.dmp
memory/2868-435-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2840-432-0x0000000000340000-0x0000000000373000-memory.dmp
memory/2840-431-0x0000000000340000-0x0000000000373000-memory.dmp
memory/2080-428-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Oejcpf32.exe
| MD5 | 647e1924ee495528011c213180c97f64 |
| SHA1 | 9c48466359540b6138be24cbe07bd77903261214 |
| SHA256 | 088ef54d1876106279871f2412726a5c025ea13a72cbe5a22784238c02d9fea3 |
| SHA512 | 63617a510a8f861e4c6c5a88f39e841058e6e77a59d4686aa54ff8312f62ac1033d62daa89b2bc34f5fde2f92238bc3b4fc972534251c1f5fdeba94db630717e |
C:\Windows\SysWOW64\Pbemboof.exe
| MD5 | af7b873b1638b90f30c73066daacb4d1 |
| SHA1 | 6c8883e9a1e82e9d6406e75e6ce7aa28eff7293f |
| SHA256 | e62edca88e211c954b95a49d185ed46e280ac953336253b0a691548dd10446bd |
| SHA512 | 4c55f8a1e8366881b2e51532e50d04675dea469e3ab83b84357750f9be2c82da57d0fa93c2eeb285acf1562af6c4679abd614e9e9ea29e65ac6506187da4921b |
memory/1936-444-0x0000000000440000-0x0000000000473000-memory.dmp
memory/1284-451-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2868-449-0x0000000000220000-0x0000000000253000-memory.dmp
memory/2868-445-0x0000000000220000-0x0000000000253000-memory.dmp
memory/1284-457-0x0000000000300000-0x0000000000333000-memory.dmp
memory/2808-460-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1284-458-0x0000000000300000-0x0000000000333000-memory.dmp
memory/2720-456-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Pmjaohol.exe
| MD5 | c114a9dca286f7c5adcfeeb9611f24de |
| SHA1 | 9131d98ef02423d094d2759ac206d5c59c5893ed |
| SHA256 | 69055ffec59f41f316cfdd0c3035ce4dec5f60b533e94a158986680f7a8fdb27 |
| SHA512 | 0c79f76ba299eced63815c698acfa1cc85315fe6a3da205138f5cc4d27abb215d8b1fd8557e0862e122301c09f5b36a4a4933128981452f3cbddb85f47565dfd |
C:\Windows\SysWOW64\Plpopddd.exe
| MD5 | 532e08aa2e9e670a3177d492d9b0f97f |
| SHA1 | 43cd7d0e7e1c7de5a1cf2129d6c48d0c7595ca9d |
| SHA256 | ca05510030126a4af43e123874991e163b622e77a5686b6be6e4ba48f2a047ab |
| SHA512 | c517e53e3f2d82dbc140a9062686409a95ed6cb171e40f76bbef9a54f39265983270bd5d0940dd7123f2def6b6ee2d10ade7fa7cb17897184cf355ff50c8f8ed |
memory/2808-470-0x0000000000220000-0x0000000000253000-memory.dmp
memory/2248-471-0x0000000000400000-0x0000000000433000-memory.dmp
memory/560-469-0x0000000000220000-0x0000000000253000-memory.dmp
memory/560-468-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Qldhkc32.exe
| MD5 | 8bc0e54ce05f55f46343171357714745 |
| SHA1 | 5d1c94d6cd544deee815b1e4c607ea83079442fc |
| SHA256 | cca574500fc86237d05206ac68ad87081ca18d5446eb5345c4bba30135241ec2 |
| SHA512 | 1a6881e92f314f030cfb9aab45f0e968ed964fc63fe31311f35c05d74ff50ffe5e5380e396a362036d809396346ee6da397cd17992d05278510ea90dc64460d0 |
C:\Windows\SysWOW64\Qemldifo.exe
| MD5 | 0203267034aab677c610a95274acf3f6 |
| SHA1 | 05177c18ae7aab077ef2a084b0f1743a2f484985 |
| SHA256 | 8e5ff520bd03579a73d7a86cf7edd600de3f5ee3fe6307a365e961bcce9a8073 |
| SHA512 | 5f30b31d0274cc7edbfbf0bcc17a324b1a3deda1166433ca5e9ed57d035f4cf65ba43be897affeeb53a7944727d04879edb62dd867a1687c02cd7f39f1880d9d |
C:\Windows\SysWOW64\Adaiee32.exe
| MD5 | 9b853cfd396ee38927839a4ee4ac153f |
| SHA1 | 8c02007378cd7e797253c6ed3a83e7fd8c988d64 |
| SHA256 | 059e3b469688eeb82a6401ce71df7e98c04668ba5dbfa7aa518de8d2cbac2750 |
| SHA512 | 92f89c7180503177796a61c77aa3c6d6789a9e91a0dee1bc988879f4f99e718777404ac39b8651f7c6253a1492575f182e2217f3efa95a1f39e4cdc8d0b95a83 |
C:\Windows\SysWOW64\Aognbnkm.exe
| MD5 | a6a7c738e3de2b330605d4c3c78dc04c |
| SHA1 | cdebfc4026f6894664781990640e10634b07cac7 |
| SHA256 | 691513a680a10d45cbbba03aa696056257732538a44f45d85ede2a8f6039fc73 |
| SHA512 | 2d26ea27a6503b368dd802966dab1dc686d59020c6a74746d5edd6e6aceb36c7cf903d52dc6f7ed273aa07d937bd186b74361a3541126f01caff6bb954e55859 |
C:\Windows\SysWOW64\Addfkeid.exe
| MD5 | e6ff3733a6569be022e0b7bbc2ab3c5c |
| SHA1 | 7aec73338d38d24374d78a97297ade9bd120b661 |
| SHA256 | ce1063b0d7387c16f610f61d277c431635b6ddb747f9c5e75b6a7ea5def0155b |
| SHA512 | 9a54aad344bb50e2e885f30940ddba65a5987daf04629731013ddc527585e3e7144b639e407f4d6194f5bb7212e458441d7d52b1d133bec1025643748ebe45ed |
C:\Windows\SysWOW64\Adfbpega.exe
| MD5 | 0463150f917ad056e58cf2b0a14ea0f0 |
| SHA1 | 0a9a17e33fac0d41f3b60667f3ee2c58b1c1f5ad |
| SHA256 | bac05c173f39de811423873b10dcba80db566243957dad29fe05ce2fcb9c1554 |
| SHA512 | 51da724bb9308664833d64d0b78eb8c245b14388d9255fe56f42522436c371502db234b2ce96460eaecdfc0118e0944c00be79d2544ab7c5720c316ac225688e |
C:\Windows\SysWOW64\Ajckilei.exe
| MD5 | 3c7f23ec28e3af4ae08f13ea19234c32 |
| SHA1 | 044fb018e35e0cdb4bb30daa6ba4ba9b5cf7814e |
| SHA256 | 3e23f6f3df3b89a3e4d9a529504b6075a82b134e74fde114ab11c95c57f2a874 |
| SHA512 | 977419a3cb3a532f51ef0e9253a36646ac04627d40b80b2cded93953cd6f0de02a98888cfdd4b40486921e2d00f80cc9de0948c2e6b09813d7241fcbc16756b7 |
C:\Windows\SysWOW64\Aclpaali.exe
| MD5 | 2e5ae3be33ba67eb49faabefdb0785ca |
| SHA1 | 43526f42a91bb6d0a1ae46452e21302f73ac8adb |
| SHA256 | c4847b155de95c237a49a681ca120d77863047c1bb0bec16a46081161179fb92 |
| SHA512 | 1620eb5f53aa7a53aa1e355716ead7080f3e81ef3244cd21948d17635ec885ec5701ae85d8020d41b5f4996c9e08a3a293fa941c934f618d19156798bd279cb6 |
C:\Windows\SysWOW64\Anadojlo.exe
| MD5 | 4b360912feb09b6660b84808b04a9dbf |
| SHA1 | ef1db8aab8940488b9a3ce0f85b5733e90e227ba |
| SHA256 | 533e59786671426a4e5361c13fc4d8ada5a3ad3f0b48aab917e5ac0fdc7ae7d5 |
| SHA512 | a9bbb1bf979b5266ecf657ff4c435f99890861df6266a2b248a31edf957980a8e10e61b8635aed9e7eb91b606c534ae13af3f9c8491f76e84c0e8fca3800d48e |
C:\Windows\SysWOW64\Ajhddk32.exe
| MD5 | e93afa81ccf773cc20d1b5cc6a1bd607 |
| SHA1 | 6d2b7c8d13937352f96889d9a267a3e6e1f4726f |
| SHA256 | 8139aa25a4418c2737a8fdffd74fb1d0b22afcabc8b0d95ba8de5188f7d26be8 |
| SHA512 | c5e61e36eb0970e15c9ff3926f480464e51c12264795c8135d8956cc3edc9e06a77bd01d6c916694e02b67c065a39d7ce7bb312df063bf9569b8b41c4f6e2d6c |
C:\Windows\SysWOW64\Bfoeil32.exe
| MD5 | df49a91894755101e6748d0d311e63df |
| SHA1 | e236c4455317a9c58f81673f2d1203acaadc015c |
| SHA256 | 23e700334ae22243fc14286e848c81b2ca1e164ebb5ae93e3564451a8e8fadc5 |
| SHA512 | 324ac1fb4b5cda98319b2969d5b93234f29b803aae865cc82c38939df8a31b9f4e1110c984f2ed7a1f1ea013080e6a4a6782b190c957dd3e078da3368d68d4d1 |
C:\Windows\SysWOW64\Bkknac32.exe
| MD5 | a47339dfc1709b895b08926fa00ffebf |
| SHA1 | 41942c3a0f60efb103765888f860eb012259c78d |
| SHA256 | c42b7bca988fd6d2681c9780c0ead2ed320645163a9284cd438e3f16712917c8 |
| SHA512 | ebfe0bb7507ab2bf80bb5c94eb3b7e6805f84903efca42ac0195693a617ab3ce59de8f67368cd84d2909a438b24e6e3592fd332bcd9a9feb4df609280110e7c0 |
C:\Windows\SysWOW64\Bddbjhlp.exe
| MD5 | 1281e9f5438c9483eaa9097d26d7d1f4 |
| SHA1 | 8bb305b57ac768d3eca93fa6d83c75879d37c3cb |
| SHA256 | 4d69969605ace271896b70788813308f35d3a44e802ebd92011a9b8a42cdfa2c |
| SHA512 | d6d843957c6425153489734eb162884d10861d146a0c2027c137b8453146d5a475e8fe3f2cfa306d023df9ee5c5223e5d54cce8abb04637a53f4435513ea2949 |
C:\Windows\SysWOW64\Bbhccm32.exe
| MD5 | 534524d2da0b8c5edc72e4d5fa7eceb1 |
| SHA1 | f0a582992b0c7bf558543500858d8a776bd6804d |
| SHA256 | 3485243ae8891f967b77be3f0952cdf61749cdc6575f3af2c7c717717e746124 |
| SHA512 | a125ee146616be7a87a0dbb867aea1a8b2af236733460dff162b8d39d9b9133f1788a3b9b027f51326d24275f2290de3421db493ff018c7e7eb5b65f997a5b9d |
C:\Windows\SysWOW64\Bolcma32.exe
| MD5 | 2408aba29f9cbb2e15701035a1a866b0 |
| SHA1 | 0b4456bf24d031e98f5e21daea7ad705bad5e504 |
| SHA256 | 666b2e4240304895b124921599b0d204f697fed5bc428e0c165bcd6aa4db925c |
| SHA512 | d25797f34c51d20b995faae6b68bb10f1839df107b49e85caca5c54fe0435b304b1d2354b2b759fc852c532ff69b754696053a17b105e78c4c5e0af4a298c14c |
C:\Windows\SysWOW64\Bgghac32.exe
| MD5 | d7f529c9d57e72f965c4a68fb2c34229 |
| SHA1 | 6d25a1de3843f4bad807d3bc15414ee7381e901b |
| SHA256 | ebbec06b14a8d2f34bfc35ceb4078c63f9ef0e917c46f04dd9158432b3f995ad |
| SHA512 | c7fe3a3809acffe5ce87871831179447b931b8cf364eeb45cbb1671e934d4e7a3265337bd9407308cc88f8f95c3425cd08c493ba5460a8c878b6dad144086320 |
C:\Windows\SysWOW64\Cgidfcdk.exe
| MD5 | 8e2f77a3874ad7c9dd72c1741c326696 |
| SHA1 | 40b6a829ea89354cf888ec5cd03d9f418d2f6e9c |
| SHA256 | 2deae06eb776ee97b0c7c562b2c14ffd93aab5e5cf0ecc397db11fd8976f7d64 |
| SHA512 | 125932da7041da3a067090220a6d6e18a8f365a1e591dcbd52d18b8e3fbcaa8990adc0cdd9e49c6f2ba9091ef521655165f789bdf5585d260c6ca01eded108d0 |
C:\Windows\SysWOW64\Cdmepgce.exe
| MD5 | b481753c2714d3e304fe608793052fbb |
| SHA1 | 001c34ac967ccaf1d8cf163163b8518f32289546 |
| SHA256 | 4b2b8b50ace249b83c3a653067b789a89b1b5b50d4f4fe019ae38b36dcee4c28 |
| SHA512 | 227ca901eed6f2ac33ce1577cda17c61dd7a46edda2ee0fc85cf1d16c41520ad5c5822b6991a0adac012b119e28e27d5adab071b9b7a722b45b824a7287f1d55 |
C:\Windows\SysWOW64\Demaoj32.exe
| MD5 | 07c4fa8bfe473b22fb63b20e51a5b5c7 |
| SHA1 | a5c6fcc4b15cdb698a6a3e82f606ccab8c882df4 |
| SHA256 | 5feb9df477a46e2b708e078c5cd9a884bf2d48d2b52ce2171e45b4c4ddd15f14 |
| SHA512 | 4303dcfb55577fdd0984c4d8408ce00e5018fad235c6686c6eceec59e3a495e5c30618c6d8694de3b9bf8be16a8e5b3ce4107acaced68bf3c3ccee02afb26a18 |
C:\Windows\SysWOW64\Dnefhpma.exe
| MD5 | 9b339be288a9ad537d0a6d776875d873 |
| SHA1 | 5f064f49a5479991332168516b00b19405f40a2f |
| SHA256 | 2e2fb3498e292bfd12bd8f2bd0f6a9ddc99e9ada2cbfe920454a6631271e188f |
| SHA512 | 128df57f50961f1085e595bc8de416cdaca43d6d2311dd7b3b58731d5af41fc5af330f6fd91339fb8bddb7f5f104a38ac2a93a56b4ce0feb0760b9945d5554d2 |
C:\Windows\SysWOW64\Dfcgbb32.exe
| MD5 | 360582a23ea1c6b11ed99ff57fa186e1 |
| SHA1 | 41f7f42bfa372625dea8600ba42035beb2347b8c |
| SHA256 | e3e7c45cc9278871151c301c1ec02fdc2f86e60315bbade7b7fd04009fefe534 |
| SHA512 | fa34d2eb7e7c11df2e02ed0cbfe9e28d938e93ae15a124470ccb379518e93977741af3955164d984861c961d9c662c43b3137ed9f6cecdfd49e5b32c049f5693 |
C:\Windows\SysWOW64\Emoldlmc.exe
| MD5 | b63cac23fa06f901bac50dc3e4ce08ea |
| SHA1 | 9384a6c20c7a1255d875dd033df49666a7e29c2d |
| SHA256 | 67456f83756e3562c5c6ae5600d8d01b51ea1c22d65884646cc8c59ff1e64d13 |
| SHA512 | 75e4f09ca948dc427d51c8e3a7d1c745d8d5d7b4919d19c915db7bf5642a025ff603431a20b1c730c9daea0703a2fe2e01981152a82d1ef1d83137b4e3f33150 |
C:\Windows\SysWOW64\Ejcmmp32.exe
| MD5 | 6a2bd3ef69577cd145f0992af35a1f6c |
| SHA1 | ecab0964d64d0550e405be466be44fc82dad8882 |
| SHA256 | 519fd9d63e804aba00293dc184830c27436d10fae0408758e2e4835997ac6978 |
| SHA512 | 6337986fa66aae58e1208f39cc3a5ff766a2d7a6f05e5bb90a61ba1537ed46cc64588d37e0d1258d1feb01aed8bb426cdd90358d39863ebdbcec341093119e07 |
C:\Windows\SysWOW64\Edlafebn.exe
| MD5 | cdbe807564ab67d901e9d02dd8beba26 |
| SHA1 | 248dfb8229161f22543901984bea876870a527ee |
| SHA256 | 17ac7ad5f204631d6385e74d5cbf729609d2653d802183c37cc739d34a258fe6 |
| SHA512 | 7c14829ce978607062c70ee9820a1362a0210b88c9650f6440bce121617909dde5641ac158d6595a63d010e7d365d7a42fabc61f77ce61eed445ea9678a96e6c |
C:\Windows\SysWOW64\Emdeok32.exe
| MD5 | affed87fcba90c0e5c64cb56050626c1 |
| SHA1 | beb67c756115dcbe0808857e6738a7e24ac94e9d |
| SHA256 | a02b35100d274b0d0d261987a0e0137894dc83829bb061e905764f21aba2ec1e |
| SHA512 | a1eff1c6654a67d4c042f09ad3a3353fb77232766704c2b6e8e763a45d8c27559f43cd521989f79fa083c79cf59c73cc34445535ae6fb14f4aea175e7f1ba102 |
C:\Windows\SysWOW64\Efljhq32.exe
| MD5 | d8dabf1c39982dba0aa8bcb2419afb2b |
| SHA1 | 2998fb2a17d8ac022b5bd5e23a607f53dc85b459 |
| SHA256 | c0067f8546df34509f8e9484d0a0b1f1d7a925cd0b0a8b8b70f3436def7a139e |
| SHA512 | f8c450decbfcafe08278cf1d49b2fa6d0e4149910fad2485df508a9a592757400bfcd55cb5a8e40ea405d9bca280e4c28dc574c3db1f19d62e5bafc6c1b4ec34 |
C:\Windows\SysWOW64\Eimcjl32.exe
| MD5 | 46e01fca7804d3a9a4f2ebb21c266ed0 |
| SHA1 | 1e530d6d9a5d58740eb21fa1101faa9052bca812 |
| SHA256 | b428cbcb17fb650fe26a5bfdfdd80d091b50d8c66ac103ee87bd7c842c4f5d5d |
| SHA512 | 6a9899356b35b85b871bc35ae1e05a677317bafcbab998d7ef41d61b98d962c723f06b9b89a05e80802fa904ea2e15d418c415968d8d221baf71517b20a2aba4 |
C:\Windows\SysWOW64\Feddombd.exe
| MD5 | 59b2261c18af5dd854da868e8a5d250e |
| SHA1 | 7218f7cffcd6bea8c18f1392e485d6a1a30afc3b |
| SHA256 | 7ceaaa829ec2205e628851590993c9ba53e2c2e771cc3d955e451f17edbc789c |
| SHA512 | e14a121ad28cd3d1732c7361bbdddbfe000f02f2f61036ec15292a60a839c9f95ed5ecd6e2fa9da2f1d3a9341bfa8487b012ded4cbf615ff6b843013b1c859cb |
C:\Windows\SysWOW64\Fmohco32.exe
| MD5 | dff31c7ff37ad2ecb323d2975f695523 |
| SHA1 | 1004348f9967b8d331d3b728bc5a5f7042a0807e |
| SHA256 | c0c6e56037b01b9413a89040fa779e290a992b0c3ae4ee281766b50d1fe0b6f5 |
| SHA512 | 2ac3fce63012658755eadbf557b401df5edbf1fc1a1849aedaf269450811a9c2d3f4ea489952906ec6b49351531c6e488c8ed3492b736f30699ecc7e6eb130b2 |
C:\Windows\SysWOW64\Fdiqpigl.exe
| MD5 | 7f40f3cbe957439f9a468d694091befb |
| SHA1 | 28b6d0892ca81d785bdecf7c966dea91b4d7e205 |
| SHA256 | d48d9e59c8771c5f3c7e6bbc108b030810ce368f31dfba1675911e1ca397b041 |
| SHA512 | b01e71034874194cf12699404db9fe4da685028e6a55703ddd1f885a4a269cf12e3012454373699df3e9e7f971cc7583067b37a253b00259b887d312695f63ad |
C:\Windows\SysWOW64\Fkefbcmf.exe
| MD5 | efe363e9057fbdff2b6cffd0a982c9ce |
| SHA1 | a2ef588b028d9082d92c23aea14692dca4e9a449 |
| SHA256 | 0a053468be2dd89322288cfb1a4b39d2fb93ab485cee0ff65905b72d6da1086d |
| SHA512 | 5161aaed971c12b1c299074dbc12af44a4eae60ae5bd3e686de25168999333449de4e627dca0b965d20dffb705b118ec9788ad3879dd4a1861b9097937d144fc |
C:\Windows\SysWOW64\Fijbco32.exe
| MD5 | d854262685f1c1e866b4cdffdefb5d77 |
| SHA1 | 159bc78b3d5cf3d02877a427e89673a88550713e |
| SHA256 | 3e7dae359c8896653b5a9ce225ae6301ca26e0eff267d5c881a1aa218701ae52 |
| SHA512 | be21161f844e538378c2aabe13b67057c194a4ea862725374eb2ccf0855c5f9c1cda1e093f3b107d599fe3cdc26b3fb8beb92d65a2380607391bee86928674fb |
C:\Windows\SysWOW64\Fgocmc32.exe
| MD5 | 5358b00b2670237e9f813d140f8af5f1 |
| SHA1 | e8f751e28cb4ee4bdf90d5f490cc1545b8849aa5 |
| SHA256 | dc72b15a638d94105924ab00ae2f2d0b0bc06f05d2ea0235bdf2fa15da35edc9 |
| SHA512 | fc4c929f5954737cb367e64860f128431dca332c616605e7aad31c96ce3404f1dc5d073fa15cc783c5501bc900bd4162b16848f90bda5bbd62fd10bcec6584d8 |
C:\Windows\SysWOW64\Gpggei32.exe
| MD5 | cbbbcca1ff613fc1f255f180b5926050 |
| SHA1 | b2929ac01bbf0f95c9cab8a3dec770fab667db8b |
| SHA256 | 7992b2ece89c74b09c14da136a4ed24f00532ef12d4ab3952e070e3377ba63eb |
| SHA512 | cd4bed8ab1c7fff021e7692151a1782e06e484fa0f33f566bba1b354ce66f9565637b94ad7b54d2b8e584d22adfbb8a32cd5ea675861108d22082f1035bc9f5d |
C:\Windows\SysWOW64\Ghbljk32.exe
| MD5 | 3c4efef93aab84fd8477e29268c4f60d |
| SHA1 | f9b784a089b988d45888922e5b0e9cf043ec7576 |
| SHA256 | 914ec21fc7a954bb8bc3d135298047b42b1ee20d19f11b57da28f2ed3170a896 |
| SHA512 | dcec00163fbe71ec84c2055fd3d9fe7f7e1605aadac10a3e3d4bae5c1ceac73289ce54b59a611f5f567b655fbaba52675e73a7ef4dbdd9defa1c15db1961ae9c |
C:\Windows\SysWOW64\Gefmcp32.exe
| MD5 | ff44152c1836187b9383e883426ecac9 |
| SHA1 | f2b2ef9169eca2bfdf367be8e2010476a91f26e7 |
| SHA256 | 05a212c436be504088d446e8d16f6c4886d334410b643f32bcdd58649ef7a954 |
| SHA512 | 93783fd05decd41d70056e66dbc28df4235d4cbfcb3ed3c9d6126a183104aaf4baefeaabcf6070ea07393ef5784d6acbeb119a12f4a71eaa50b2c780d342a03e |
C:\Windows\SysWOW64\Glpepj32.exe
| MD5 | 3da81832aea9302be284c260a194ca09 |
| SHA1 | 59524802ccb11885f428be907327e7d090b8dd67 |
| SHA256 | 41d284484a6fa58c6844427b16c2d212b84eafbc5389cb928f1da60ebc42867c |
| SHA512 | 566e06bd83f17675d1eb78cdb7d4e8bfff126baebb91b8cbd09fd8e1e7c801b76fe512335f2444fc5a076c9e7fbf9eba12d90f39c75d8e713743533e1a3ca2e2 |
C:\Windows\SysWOW64\Glbaei32.exe
| MD5 | dc540a33d6e4e3f16114f8141282fd16 |
| SHA1 | 30e476399f1f2d59b32cda2e68ab8d5198aced21 |
| SHA256 | 44464047536a946e668d1bc072ed0fde55300e8cb4429d4e96dc1ef5f1e42001 |
| SHA512 | 54536f9fbb7a37f873744bffa3cf1376f3b6610e99901ca09b6cb89ca4d80af1f36681bdb3f973542aafad6676ba075f77f57c4fd30ad688094aa38724c4a448 |
C:\Windows\SysWOW64\Gekfnoog.exe
| MD5 | bb8c86600746aa827a38ce4b3a5655fa |
| SHA1 | 09fb954ddd82b0c8f253ce12798b0e3500dd59c1 |
| SHA256 | a69e6e10dda7f03fd3f1fae53bbf9311bf817d9e0f5efbe55755e4efd1164827 |
| SHA512 | 77f56a2dbc2943e6e052832d41283e46cdfaf0a3262a09e1deae5e23e6278d25733ab54904e3fce34bfc124097c406b67128bd71596dfb418b10374500a1af4c |
C:\Windows\SysWOW64\Gockgdeh.exe
| MD5 | e1bc5bd941464759fcdd5c18a6a91f7f |
| SHA1 | 02982b63ec18006df53a0206473907a5ba2c2361 |
| SHA256 | 554a8b54699bb1ab407b9d0c691b55ca9e6ede8d14e2bf36f17354952ed8689b |
| SHA512 | 7566f74708711ac5519d88699522f994a961ca4ce0a102c491d38818132afcd46317c614a3eae0ebdcfdaa7fb188233162c5c2205c639fb107617d6925d98901 |
C:\Windows\SysWOW64\Hjmlhbbg.exe
| MD5 | b72fbb71bcb7d5ac7f459990635954af |
| SHA1 | 850329256f0c39d3e247520e19221ac5006afb86 |
| SHA256 | 3082e370d83bf85d46832f9bf90a3be69b9595a97cd369864a6eb29655161902 |
| SHA512 | 7ff05225778c99a05007b34b65cc1d5eb14912090e2f2bcf1ba2cf55d287dd565c80f078c00328852f15c9c07335a8265a5bd9effbb6261992533425a2689d37 |
C:\Windows\SysWOW64\Hgqlafap.exe
| MD5 | 7cf5898323866b0a012efd0e34b3875e |
| SHA1 | 56e672dbe5705a503af2c6b381e831d489961385 |
| SHA256 | e42bfaf4050c34cef4fa99f1bff5693cc4b6c62dbf113ed97fb36f274970fc4a |
| SHA512 | 5bfff7ad8fb1d965c19866dac37f56bd8eba026f79b251507c00a7923083bf781a7dea0fa8b58e4324f099fe75cf0c49abecafd66a32892c44ab461cf43261b1 |
C:\Windows\SysWOW64\Hmmdin32.exe
| MD5 | b6f28a723e40365c5f722e6b21d316b7 |
| SHA1 | cf046e8c8738bf8354935837e6ef37eb4b2cd9a4 |
| SHA256 | 4f630626a46462a6f41974352fba58a5d5c109fd8ca2870e463fd8e9b6f2131d |
| SHA512 | ac45cdf65ccb86a2ee21de209b6f7804f3b29eccb7c80a237db77437c2a3bec28764f937ffb9eaf2d0ec696227219c1bdfb30173754f2beb807bf17f9ce54175 |
C:\Windows\SysWOW64\Hffibceh.exe
| MD5 | 846dbd7562637683f4763cb49d5ee424 |
| SHA1 | 9e5a8f9ebd0aa464a26ae8349d076a4b04ba2bf6 |
| SHA256 | 5b0f2956b7aa169b80f39e77597c881f398295735d3c575f5f07b49813857a58 |
| SHA512 | 7e719ba5fc45ab9643d3ff87652c92f6e2808dec7a222f1e232fab1c51df16cdcc2c52d4af27af5a1d63a9f6cd783723e124f4c2558d712cb49e3c8387a41ca4 |
C:\Windows\SysWOW64\Hcjilgdb.exe
| MD5 | 0e99a4618e515a394377aff009c09eeb |
| SHA1 | c88cacec510cb49eb01e2c246339f287b5168b03 |
| SHA256 | 989822e86c8f91d94bb8fb4d4fbd0ac89edb7747bcfa63bac132b08a13bd3591 |
| SHA512 | cfa614c69f694b0ee3159a2072d9f933d33ef5a296c1ca34071fa08ad8750b819872b25cb1c04553f3ea0dc094adbdcd7edf1dcf6dd0bb8a4ff9beeaff77d5b4 |
C:\Windows\SysWOW64\Hqnjek32.exe
| MD5 | aafe10aa6d1460bccf7c5730af55789d |
| SHA1 | a286f644adb2067fc55ca277575347d80a3bf106 |
| SHA256 | 56f7b32e5c1f8f0afba9006a622815a86155ec6c7e6d3ca6c03f1562121b6032 |
| SHA512 | e2de06e07752b3b9e0b05af979d8402e7b1b444bf43582f58de4e7eef77877bcc276b50e80876c09671da3bb6747d9493b78fa0bac97533520fef156b259b394 |
C:\Windows\SysWOW64\Hiioin32.exe
| MD5 | e24fb8210cec0c06c11f080d884f362b |
| SHA1 | fa6969ddca3cae4d232349422313916ad2b8ad8f |
| SHA256 | 1754eaf1d97802e8769e3e9bbb3373490804a1031e2dd9718fa69cc89cdd0e12 |
| SHA512 | 63e867cb9b8a2d004bb3bfadf8dee6eb1bd02a60b0526662fa88043fa3fcf6f9126bad53be113eff557b40be7138bb148323dac09d98b2ae2cec456b7c42dfda |
C:\Windows\SysWOW64\Ibacbcgg.exe
| MD5 | 9a13fbdc1c4458ce37d0006287f71945 |
| SHA1 | 6dc0d89a074d434a35e6e16f18e7d59245c8ad6a |
| SHA256 | 58ba2fbdf7b48e249fb51cee4dc1beda07ff9dbe0032d5b862cbdd036535ca12 |
| SHA512 | 5923425ac49d9928c3624e14e2114cf849cebdf47b0d0c6d725c300f4a8fbb0818e1dc158db1e3a476cee8b659a06881b4f796e1db4210779cf848f16149c9cb |
C:\Windows\SysWOW64\Ioeclg32.exe
| MD5 | f86221bba1accddcdf8d5aa08d41a8d7 |
| SHA1 | 45991effa356749ae681fc9e10eebd1fc37056cc |
| SHA256 | 876c11c2589ba64f58551217d18614dee6f30770d1333d788c010cd573ee3e10 |
| SHA512 | 78a40779ea7a0be1a1e8186ed334d171ec07baa7cc5d0a0eca5b27ebe78870207b6e2dd954a4f7814ff29de10dfda1fb62cfba5ec1cdbc299fc1ea45cdf16883 |
C:\Windows\SysWOW64\Ifolhann.exe
| MD5 | bbea2dc1f399050f4a78376a12665d5f |
| SHA1 | 48ac24cdb1d89a0c6e8e3d52600a443e19edb7c1 |
| SHA256 | da0df4c10d9228bbfca3c8f503f16bd9ee22cd81daf2c27ee17f0128f10c1995 |
| SHA512 | e2f842ea35c2f98688b4bb6b4c910893c24e71519ebe63973b94e3e92eccfbfaf8a4ce43c70883fbc48fd85dffad7bc2eb209208b5f76fb946c043992f7a379c |
C:\Windows\SysWOW64\Ibfmmb32.exe
| MD5 | 853084202bd5c130b9421b86747a456e |
| SHA1 | 79e72f93f92197c7eaa9bc3156e59de1e2f6a353 |
| SHA256 | 7a253a1d75893beb1fe3390a6a14fb71f7ec88dd954a706a1b4052c6b9c320a6 |
| SHA512 | d795491ef80fc29c6c9da98442c796c6a4e4ef0c952eae33d8f1ae5577a9f0534fb66c40d2785dfc0063605cac6bfafe34c1e09a643e63f956a114514f79bcb9 |
C:\Windows\SysWOW64\Iknafhjb.exe
| MD5 | dc8e8df72bb77003b9cb0dd181d69ff4 |
| SHA1 | 3c100d38214417b7b82e835450984ed18314d002 |
| SHA256 | aa21051ee3b59038580ec8088b358a3d92d3e58bebb4359b793bcb2637ef8cea |
| SHA512 | 9a35a37744f34e71b62a9562055422fac2f40012298dc7db65cb048d6dc41660ac89ce17d09cab87fad055df7facdfe40367adde4f94f119b32fa592e2c84d39 |
C:\Windows\SysWOW64\Icifjk32.exe
| MD5 | 4f86a5cd408ada78504989dc261e4e19 |
| SHA1 | 78dd6bac8a40f4dd48aa0691ac06291112ab14ec |
| SHA256 | 38e0e8919b646b1951767e073ae8074cf1e29fcd870e30e8cd32875ebffea6f9 |
| SHA512 | 61a2823736b0e9daadc1ce196f90eb75f72ed9156f7f47fc403910be60153dc089b4111550f16ede6ba1308a1fe15ff514023247171fe62f7122176e8a67a956 |
C:\Windows\SysWOW64\Iamfdo32.exe
| MD5 | 5ba5976ca167b2afdbed2f5662c31e31 |
| SHA1 | 8d17459b6d342cab5841d9f30e32f219f3bc4f66 |
| SHA256 | 217bd29ccaac8665dd9e0120c3b52208d07099a4a14f33f6078029ba27962bf3 |
| SHA512 | b0df345be17c2df9f77c6e1e1d121a66b3edeba729c1eaa4db3a3a49fc815f095d5ffa845397ed56cf0ef8199226ac07efa14dd84a8b79aeab1322632ddb6269 |
C:\Windows\SysWOW64\Jnagmc32.exe
| MD5 | 74aa5240d4e8548a34514aab78f1d281 |
| SHA1 | 0f330a3dd8d86c518aaff1dc393184a70c005ac1 |
| SHA256 | 5e277cc09d6a421ef2005fa091e347e36bff0ed20ea541b1a54c0270aed29011 |
| SHA512 | d809bae72a94810858b212bbaa746defa47ef170d9e24b2fba1a14a7f09e5a5bedee481e0f7d2c1cccf2171698d4d0beee110805310c6389e20da967072d9f23 |
C:\Windows\SysWOW64\Jgjkfi32.exe
| MD5 | 09b71e1b60926177a291620feb05ec38 |
| SHA1 | 8728a5cd10c603d87e20a4000a9b850f8a8a5294 |
| SHA256 | 8a42c2162a58131f0bdf5ea195b4273be3c60b63cb4e6136c7f8e548ff37333f |
| SHA512 | 4763fcce7e6e8a5b4ee7a6d38b55af0fc1f76b1c5279bc22b459f6cfc0dfec49eba4a59ed9af0170496f0c3fe66f6d03e46155f692fe1df2557f0726b6c14181 |
C:\Windows\SysWOW64\Jmfcop32.exe
| MD5 | 754b1696c92554d01cfb97ca6661f04a |
| SHA1 | cd6d4fa9b1488a63e4a05bf949605ac9945cfbe8 |
| SHA256 | 869902d41b51a2bba9f7c9e35d8ee8e4b47f68dfaf69a799e69a4b9fa509775d |
| SHA512 | 58390010fd59ffb95167ade4d69ec4336f00b140c239adabf386ee320f8aad4e49b2dc21e7b06cb6fe2120365f20315d86409ae13c8bde9ad6ad77da1b2734c7 |
C:\Windows\SysWOW64\Jllqplnp.exe
| MD5 | 7774dddef42bb4383c946d1131d8c3c4 |
| SHA1 | 3d54d8f50bd09d5598bb2b47ff160b70c31a0dc3 |
| SHA256 | 091757e0787760a18cfba34065b949a661809fc1f9a36cd4afa987a710229d28 |
| SHA512 | 554ee81b80162bd37c67c2f2eef861f04ed91a15c529c673104f19ba94f15283ba2ae5cbae0262a1dd61fa836000895ffe9b7a418e0593f17593c33f098c9600 |
C:\Windows\SysWOW64\Jipaip32.exe
| MD5 | 2b7c011ee83fe10b11abad6bd6f8583e |
| SHA1 | f6b9e5fa6f8ea703d89e6f562f70918606f26e30 |
| SHA256 | 231daca0831c654363945a691346b0559812d29bae2ff5fe630a06e63fcf8096 |
| SHA512 | da10a554c7eec4b0018c4e902cad12fdd38dae49190baba5f81b56126231b80fdb43417a785adbe4648ed3f94a45e79d05654f4a644f8e9f237bed120843d5fc |
C:\Windows\SysWOW64\Jfcabd32.exe
| MD5 | f92cba1ede7ed00da5dd01a8da59e5f7 |
| SHA1 | 8fc18bd96a7a739903701808a995d4cc60371fc7 |
| SHA256 | 317ee5d11b5547fbd3789191161ab60db86aba36d2582d8cfa98b7ac9640047d |
| SHA512 | 0d732beb55828cc6e3821878cf2edfe46469434333e78b193e175ed4ddc97e5588a29d5aecd5de5b572e060c47e17bd955731272017a50d118c070b932fa4752 |
C:\Windows\SysWOW64\Jplfkjbd.exe
| MD5 | 8ed2e418db1c8477c446e04d7ca7d3ce |
| SHA1 | e9ad6fe52fa80ae4476b5605cb627a35a3877808 |
| SHA256 | 84cc8268ebf52462bb61a28c075a1b1d5aff964ffdefd934d1fa50faf51663ef |
| SHA512 | 5f56327dbb03e3c7e23a3f86a3482b41bad749183c1b4da697ae36a3e5d26838156ace87d7f4689a323a21000783ef9533eca8ec8b9b6372d4aca2113aa7699c |
C:\Windows\SysWOW64\Khgkpl32.exe
| MD5 | a5b79e79fcc73b66f1131a2951831159 |
| SHA1 | a3269f3b8107846d55e0a219e4927b3747e00179 |
| SHA256 | 44bfeff8c39916a4e55c2cd1dccaaf09028e4664dc41d3426a803ad78b3eab9f |
| SHA512 | f18668df474ae6cadb8ebc4d37275a0c3b134296c9dc4c7214bc49ff6eccc1f43a7fbdeb44d6b41077bee867141b7b3064ad50acadc80176e473881b67ce8480 |
C:\Windows\SysWOW64\Kbmome32.exe
| MD5 | 4ac143618aaf3443b97f281b5a53995d |
| SHA1 | 24283e88e919f0375f0671e7559079b9fc966976 |
| SHA256 | b93b9bf5e8c74e24b7bf9f934680a5b99dc10d41758f6ace0fef5a0fd8a96d14 |
| SHA512 | 90ecd796ee3771fa5193c76bb1d9cb0c82faad6ef5f167ef381bfc469b14c26a7994424e8199bb88f472d0d831b0d00b33da870e57643f8c7b99519280854230 |
C:\Windows\SysWOW64\Klecfkff.exe
| MD5 | 5b3041e4459d34d7a87b89c37a3c7f9c |
| SHA1 | 9dd3d41b6cc03dc9dc28fb07199e71906f4a537d |
| SHA256 | b22fdf7f03dea23bea47f81a8a815232287d0180e4bc8be443fc4075e0fe563d |
| SHA512 | f068e87b81513b4f2a8822d76244ae8ba081b5b10f19e5471848ac01f4eeee2126436bf9ff2ee8fa27261911db676ab48a6017e20d94f4fe0bc9b2b13e68bf4f |
C:\Windows\SysWOW64\Kkjpggkn.exe
| MD5 | c21bab91d5ab54b44b6e94e27624a53d |
| SHA1 | 560ed0fc9906ec15be8f6fb9a36c50f585019a4e |
| SHA256 | 72887c08687acf38cf1b460c20554d581ca29e49675d53e169e9f8bf5d30775d |
| SHA512 | 6e91f1af1b6fb8f85383ac68ae8ec06996c24178cdcd150e26d8f0fa3038c4e7974e7a908253fdd763b18a1061582f207584c775c63c6157e5553fdbb85542b7 |
C:\Windows\SysWOW64\Kfaalh32.exe
| MD5 | 8565782ea03c82b690b52c569eb46bfb |
| SHA1 | db5e8a56d8fbded399945e07657c20f01fc64b2d |
| SHA256 | 9f300236a565e7120c49d257f3cc101b64811b946bf908d4446eb954eb72d862 |
| SHA512 | b12ca93618cdf7005062a86fca8547a546fe9453c24dbe15a10a9b8b7331994bb17a65ddb0a4ed26bd4150c0c24d6adf0150e70823e77edceeda19f01d0d7f28 |
C:\Windows\SysWOW64\Kmkihbho.exe
| MD5 | aa66839910a363ef0149dab28f7af384 |
| SHA1 | 3d4b535f6848ad9424250600fdf9ff050419f493 |
| SHA256 | 6ad220db341fefd375403a6954dbf64ef280b2d113bde23e37b2cfb5b354e0f4 |
| SHA512 | 14cb3a6e722ba16d744ecb72b2e75957642b1939f75cd10a87353ad40feaec6e9c1e50e932dcac0e7791a1adb28acd6aa81d698885a51aeda23b55441552a6b6 |
C:\Windows\SysWOW64\Libjncnc.exe
| MD5 | 7d5789103c7858f74c95b8c3ac2d0af7 |
| SHA1 | 5f3ab301959358a26d132b175deefd11775f8dff |
| SHA256 | cfe10d8a76419ca6aa01fe7e1faa25b629e05949455ec6b6352679a0c8399809 |
| SHA512 | 371f7f951069a16831fe5f62fcbb0321695e22bc0f26f14ce34a4fc0cc7b9694839bd90996f823798dbfd3686fdf7de863da0dcef017b65b408cbbffc5af4962 |
C:\Windows\SysWOW64\Lbjofi32.exe
| MD5 | fde39223df4e65be0bd824a9f2951a17 |
| SHA1 | d000d727f6b5cf10b942269356c455ef2ac965e9 |
| SHA256 | 8fbf8fc83450b3200c54035d3ca7dc634ea301d9cdcf0adb5a1738fcce09b046 |
| SHA512 | 6b8ec5bbfaccda13744b69aeac8d67d6f3ae058cbb71dccf9ae0bc901914f855236b9b42b6de9acbc51d3aa34470519090470db0e22a1097191d7f259fd1bbf8 |
memory/528-1353-0x0000000000400000-0x0000000000433000-memory.dmp
memory/940-1351-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1540-1350-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1532-1346-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2812-1343-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2380-1342-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1624-1339-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1688-1336-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1476-1333-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2556-1329-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1972-1355-0x0000000000400000-0x0000000000433000-memory.dmp
memory/640-1340-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1752-1321-0x0000000000400000-0x0000000000433000-memory.dmp
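The registry writes this report records under ShellServiceObjectDelayLoad (SSODL) are the family's persistence: every CLSID listed there is instantiated by Explorer.exe at logon, so the value name ("Web Event Logger") is cosmetic and the CLSID is what matters. The script below is an added triage example, not part of the sandbox report or of any tooling it references. It reads both registry views of the SSODL key, resolves each CLSID to its InprocServer32 DLL, checks the DLL's Authenticode status, and flags the CLSID this report recorded; it then sweeps SysWOW64 for the dropped executables by SHA256 (a few values copied from the report's dropped-file list; extend the array with the rest) and, as a weaker signal, for unsigned EXEs in that directory. It assumes an elevated PowerShell 5.1 session on the suspect host and makes no changes.

```powershell
# Added example (not from the sandbox report): hunt for the SSODL persistence and the
# dropped executables this report describes. Read-only; run elevated on the suspect host.

# CLSID copied from the report's "Adds autorun key to be loaded by Explorer.exe" signature.
$KnownBadClsid = '{79ECA078-17FF-726B-E811-213280E5C831}'

# A few SHA256 values copied from the report's dropped-file list; extend with the rest.
$KnownBadSha256 = @(
    'e9d40a36f07562bc575aef4ebd92055968c99e1dd5a2150c7af201a157fd50af',  # Nckkgp32.exe
    '0dfdff89d76cee2fd811a7c1d7261646bf05a489d18fbd0b0b355d800d59a5a4',  # Nqokpd32.exe
    '8fbf8fc83450b3200c54035d3ca7dc634ea301d9cdcf0adb5a1738fcce09b046'   # Lbjofi32.exe
)

# Native and WOW64 views of the SSODL key. Explorer.exe loads every CLSID listed here at logon.
$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

# 64-bit and 32-bit COM registrations; HKCR merges the HKLM and HKCU Classes hives.
$ClsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
)

function Resolve-SsodlClsid {
    # Returns the InprocServer32 DLL path registered for a CLSID, or $null if none.
    param([string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $server = "$root\$Clsid\InprocServer32"
        if (Test-Path -Path $server) {
            # The DLL path is the key's default value, exposed as the '(default)' property.
            $dll = (Get-ItemProperty -Path $server).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
    }
    return $null
}

$ssodlFindings = foreach ($key in $SsodlKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip PowerShell's PS* note properties; every other property is a value name -> CLSID.
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $clsid = [string]$p.Value
        $dll   = Resolve-SsodlClsid -Clsid $clsid
        $sig   = if ($dll -and (Test-Path -Path $dll)) {
                     (Get-AuthenticodeSignature -FilePath $dll).Status
                 } else { 'DLL missing' }
        [pscustomobject]@{
            Key        = $key
            ValueName  = $p.Name
            Clsid      = $clsid
            Dll        = $dll
            Signature  = $sig
            # Heuristic (assumption, not from the report): the known CLSID, or any SSODL
            # server DLL that is not validly signed, deserves a closer look.
            Suspicious = ($clsid -ieq $KnownBadClsid) -or ($sig -ne 'Valid')
        }
    }
}

# Sweep SysWOW64 (where the sandbox saw the files dropped) by hash, then by the weaker
# signal of an unsigned EXE in a directory that should hold only Microsoft-signed binaries.
$fileFindings = Get-ChildItem -Path "$env:SystemRoot\SysWOW64" -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        $sig  = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        $hit  = $KnownBadSha256 -contains $hash
        if ($hit -or $sig -eq 'NotSigned') {
            [pscustomobject]@{ File = $_.FullName; Sha256 = $hash; Signature = $sig; HashMatch = $hit }
        }
    }

'--- ShellServiceObjectDelayLoad entries ---'
$ssodlFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
'--- SysWOW64 executables matching known hashes or lacking a signature ---'
$fileFindings | Sort-Object HashMatch -Descending | Format-Table -AutoSize
```

Two caveats when reading the output. A hash match or the known CLSID is a firm indicator; the "not validly signed" heuristic is not, because on Windows 7 Get-AuthenticodeSignature does not consult the signing catalogs, so catalog-signed Microsoft binaries (including legitimate SSODL servers such as webcheck.dll) report NotSigned there, whereas on Windows 10 they report Valid. On a Windows 7 host, treat HashMatch and the CLSID as the signal and the signature column as context only. The sandbox also shows each dropped executable re-writing the same CLSID, so removing one dropped file without clearing the SSODL value and the rest of the chain leaves the persistence in place.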
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 10:51
Reported
2024-11-11 10:53
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
97s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cabfga32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Chokikeb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Anfmjhmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Aadifclh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cmgjgcgo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Chagok32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmcibama.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Agoabn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bjfaeh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Aabmqd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bmkjkd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Belebq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dejacond.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnpppgdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cdfkolkf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dmcibama.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Andqdh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aglemn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Agoabn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Baicac32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bcjlcn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dhkjej32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Chokikeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Aglemn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cagobalc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfdodjhm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aeniabfd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjfaeh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cagobalc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Daqbip32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhkjej32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Anadoi32.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Aglemn32.exe | C:\Windows\SysWOW64\Aeniabfd.exe | N/A |
| File created | C:\Windows\SysWOW64\Anfmjhmd.exe | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aepefb32.exe | C:\Windows\SysWOW64\Aadifclh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjfaeh32.exe | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| File created | C:\Windows\SysWOW64\Cjmgfgdf.exe | C:\Windows\SysWOW64\Chokikeb.exe | N/A |
| File created | C:\Windows\SysWOW64\Dobfld32.exe | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdheac32.dll | C:\Windows\SysWOW64\Dhkjej32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmjocp32.exe | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jffggf32.dll | C:\Windows\SysWOW64\Cagobalc.exe | N/A |
| File created | C:\Windows\SysWOW64\Cacamdcd.dll | C:\Windows\SysWOW64\Chagok32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Chcddk32.exe | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| File created | C:\Windows\SysWOW64\Cnnlaehj.exe | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dfknkg32.exe | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfghpl32.dll | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| File created | C:\Windows\SysWOW64\Bcebhoii.exe | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qlgene32.dll | C:\Windows\SysWOW64\Cdfkolkf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dgbdlf32.exe | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cegdnopg.exe | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| File created | C:\Windows\SysWOW64\Oammoc32.dll | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dddhpjof.exe | C:\Windows\SysWOW64\Daekdooc.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmkjkd32.exe | C:\Windows\SysWOW64\Bnhjohkb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cfpnph32.exe | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ddonekbl.exe | C:\Windows\SysWOW64\Daqbip32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdlgno32.dll | C:\Windows\SysWOW64\Bfdodjhm.exe | N/A |
| File created | C:\Windows\SysWOW64\Balpgb32.exe | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cmiflbel.exe | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdfkolkf.exe | C:\Windows\SysWOW64\Cagobalc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cmnpgb32.exe | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Naeheh32.dll | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| File created | C:\Windows\SysWOW64\Doilmc32.exe | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Balpgb32.exe | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfpnph32.exe | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jbpbca32.dll | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| File created | C:\Windows\SysWOW64\Kdqjac32.dll | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dkifae32.exe | C:\Windows\SysWOW64\Dhkjej32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ihidnp32.dll | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hjjdjk32.dll | C:\Windows\SysWOW64\Balpgb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mogqfgka.dll | C:\Windows\SysWOW64\Bjfaeh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Chokikeb.exe | C:\Windows\SysWOW64\Ceqnmpfo.exe | N/A |
| File created | C:\Windows\SysWOW64\Bcjlcn32.exe | C:\Windows\SysWOW64\Balpgb32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ajkaii32.exe | C:\Windows\SysWOW64\Aglemn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Djdmffnn.exe | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbejge32.dll | C:\Windows\SysWOW64\Baicac32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hfggmg32.dll | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| File created | C:\Windows\SysWOW64\Nbgngp32.dll | C:\Windows\SysWOW64\Dejacond.exe | N/A |
| File created | C:\Windows\SysWOW64\Bgehcmmm.exe | C:\Windows\SysWOW64\Bcjlcn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ceqnmpfo.exe | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| File created | C:\Windows\SysWOW64\Lfjhbihm.dll | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ddakjkqi.exe | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| File created | C:\Windows\SysWOW64\Aglemn32.exe | C:\Windows\SysWOW64\Aeniabfd.exe | N/A |
| File created | C:\Windows\SysWOW64\Ooojbbid.dll | C:\Windows\SysWOW64\Anfmjhmd.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmjapi32.dll | C:\Windows\SysWOW64\Bjagjhnc.exe | N/A |
| File created | C:\Windows\SysWOW64\Jfihel32.dll | C:\Windows\SysWOW64\Belebq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhkjej32.exe | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Agoabn32.exe | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmiflbel.exe | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbloam32.dll | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cogflbdn.dll | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| File created | C:\Windows\SysWOW64\Daqbip32.exe | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kngpec32.dll | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aqppkd32.exe | C:\Windows\SysWOW64\Anadoi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aeniabfd.exe | C:\Windows\SysWOW64\Aabmqd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bneljh32.dll | C:\Windows\SysWOW64\Bnkgeg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Belebq32.exe | C:\Windows\SysWOW64\Bmemac32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Anadoi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Anfmjhmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bclhhnca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dejacond.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bnpppgdj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chagok32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmllipeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Balpgb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aadifclh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjmnoi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfdodjhm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Daqbip32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Agjhgngj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bnkgeg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Andqdh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ceqnmpfo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhkjej32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bcebhoii.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Baicac32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bnhjohkb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cabfga32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmnpgb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aqppkd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjagjhnc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bcjlcn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aglemn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgcknmop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjfaeh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmemac32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll" | C:\Windows\SysWOW64\Cjbpaf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll" | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll" | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll" | C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll" | C:\Windows\SysWOW64\Agoabn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aadifclh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bebblb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Djdmffnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll" | C:\Windows\SysWOW64\Ajhddjfn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Aabmqd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll" | C:\Windows\SysWOW64\Cmgjgcgo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cjpckf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll" | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Andqdh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Agoabn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aglemn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Anfmjhmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll" | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bjmnoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bnhjohkb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll" | C:\Windows\SysWOW64\Cabfga32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll" | C:\Windows\SysWOW64\Bnhjohkb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bclhhnca.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Calhnpgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" | C:\Windows\SysWOW64\Dddhpjof.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Doilmc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll" | C:\Windows\SysWOW64\Chcddk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Agjhgngj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll" | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll" | C:\Windows\SysWOW64\Bjagjhnc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll" | C:\Windows\SysWOW64\Cajlhqjp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cjinkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cmgjgcgo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll" | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll" | C:\Windows\SysWOW64\Bmkjkd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bgcknmop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll" | C:\Windows\SysWOW64\Bnpppgdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll" | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Daekdooc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll" | C:\Windows\SysWOW64\Anfmjhmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bmkjkd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bnpppgdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Daqbip32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cnicfe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cmnpgb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Belebq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll" | C:\Windows\SysWOW64\Chjaol32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cnffqf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bnkgeg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cabfga32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe
"C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe"
C:\Windows\SysWOW64\Anadoi32.exe
C:\Windows\system32\Anadoi32.exe
C:\Windows\SysWOW64\Aqppkd32.exe
C:\Windows\system32\Aqppkd32.exe
C:\Windows\SysWOW64\Aeklkchg.exe
C:\Windows\system32\Aeklkchg.exe
C:\Windows\SysWOW64\Agjhgngj.exe
C:\Windows\system32\Agjhgngj.exe
C:\Windows\SysWOW64\Ajhddjfn.exe
C:\Windows\system32\Ajhddjfn.exe
C:\Windows\SysWOW64\Andqdh32.exe
C:\Windows\system32\Andqdh32.exe
C:\Windows\SysWOW64\Aabmqd32.exe
C:\Windows\system32\Aabmqd32.exe
C:\Windows\SysWOW64\Aeniabfd.exe
C:\Windows\system32\Aeniabfd.exe
C:\Windows\SysWOW64\Aglemn32.exe
C:\Windows\system32\Aglemn32.exe
C:\Windows\SysWOW64\Ajkaii32.exe
C:\Windows\system32\Ajkaii32.exe
C:\Windows\SysWOW64\Anfmjhmd.exe
C:\Windows\system32\Anfmjhmd.exe
C:\Windows\SysWOW64\Aadifclh.exe
C:\Windows\system32\Aadifclh.exe
C:\Windows\SysWOW64\Aepefb32.exe
C:\Windows\system32\Aepefb32.exe
C:\Windows\SysWOW64\Agoabn32.exe
C:\Windows\system32\Agoabn32.exe
C:\Windows\SysWOW64\Bjmnoi32.exe
C:\Windows\system32\Bjmnoi32.exe
C:\Windows\SysWOW64\Bnhjohkb.exe
C:\Windows\system32\Bnhjohkb.exe
C:\Windows\SysWOW64\Bmkjkd32.exe
C:\Windows\system32\Bmkjkd32.exe
C:\Windows\SysWOW64\Bebblb32.exe
C:\Windows\system32\Bebblb32.exe
C:\Windows\SysWOW64\Bcebhoii.exe
C:\Windows\system32\Bcebhoii.exe
C:\Windows\SysWOW64\Bfdodjhm.exe
C:\Windows\system32\Bfdodjhm.exe
C:\Windows\SysWOW64\Bjokdipf.exe
C:\Windows\system32\Bjokdipf.exe
C:\Windows\SysWOW64\Bnkgeg32.exe
C:\Windows\system32\Bnkgeg32.exe
C:\Windows\SysWOW64\Baicac32.exe
C:\Windows\system32\Baicac32.exe
C:\Windows\SysWOW64\Bchomn32.exe
C:\Windows\system32\Bchomn32.exe
C:\Windows\SysWOW64\Bgcknmop.exe
C:\Windows\system32\Bgcknmop.exe
C:\Windows\SysWOW64\Bjagjhnc.exe
C:\Windows\system32\Bjagjhnc.exe
C:\Windows\SysWOW64\Bnmcjg32.exe
C:\Windows\system32\Bnmcjg32.exe
C:\Windows\SysWOW64\Balpgb32.exe
C:\Windows\system32\Balpgb32.exe
C:\Windows\SysWOW64\Bcjlcn32.exe
C:\Windows\system32\Bcjlcn32.exe
C:\Windows\SysWOW64\Bgehcmmm.exe
C:\Windows\system32\Bgehcmmm.exe
C:\Windows\SysWOW64\Bjddphlq.exe
C:\Windows\system32\Bjddphlq.exe
C:\Windows\SysWOW64\Bnpppgdj.exe
C:\Windows\system32\Bnpppgdj.exe
C:\Windows\SysWOW64\Banllbdn.exe
C:\Windows\system32\Banllbdn.exe
C:\Windows\SysWOW64\Bclhhnca.exe
C:\Windows\system32\Bclhhnca.exe
C:\Windows\SysWOW64\Bfkedibe.exe
C:\Windows\system32\Bfkedibe.exe
C:\Windows\SysWOW64\Bjfaeh32.exe
C:\Windows\system32\Bjfaeh32.exe
C:\Windows\SysWOW64\Bmemac32.exe
C:\Windows\system32\Bmemac32.exe
C:\Windows\SysWOW64\Belebq32.exe
C:\Windows\system32\Belebq32.exe
C:\Windows\SysWOW64\Chjaol32.exe
C:\Windows\system32\Chjaol32.exe
C:\Windows\SysWOW64\Cjinkg32.exe
C:\Windows\system32\Cjinkg32.exe
C:\Windows\SysWOW64\Cmgjgcgo.exe
C:\Windows\system32\Cmgjgcgo.exe
C:\Windows\SysWOW64\Cabfga32.exe
C:\Windows\system32\Cabfga32.exe
C:\Windows\SysWOW64\Cdabcm32.exe
C:\Windows\system32\Cdabcm32.exe
C:\Windows\SysWOW64\Cfpnph32.exe
C:\Windows\system32\Cfpnph32.exe
C:\Windows\SysWOW64\Cnffqf32.exe
C:\Windows\system32\Cnffqf32.exe
C:\Windows\SysWOW64\Cmiflbel.exe
C:\Windows\system32\Cmiflbel.exe
C:\Windows\SysWOW64\Ceqnmpfo.exe
C:\Windows\system32\Ceqnmpfo.exe
C:\Windows\SysWOW64\Chokikeb.exe
C:\Windows\system32\Chokikeb.exe
C:\Windows\SysWOW64\Cjmgfgdf.exe
C:\Windows\system32\Cjmgfgdf.exe
C:\Windows\SysWOW64\Cnicfe32.exe
C:\Windows\system32\Cnicfe32.exe
C:\Windows\SysWOW64\Cagobalc.exe
C:\Windows\system32\Cagobalc.exe
C:\Windows\SysWOW64\Cdfkolkf.exe
C:\Windows\system32\Cdfkolkf.exe
C:\Windows\SysWOW64\Chagok32.exe
C:\Windows\system32\Chagok32.exe
C:\Windows\SysWOW64\Cjpckf32.exe
C:\Windows\system32\Cjpckf32.exe
C:\Windows\SysWOW64\Cmnpgb32.exe
C:\Windows\system32\Cmnpgb32.exe
C:\Windows\SysWOW64\Cajlhqjp.exe
C:\Windows\system32\Cajlhqjp.exe
C:\Windows\SysWOW64\Cdhhdlid.exe
C:\Windows\system32\Cdhhdlid.exe
C:\Windows\SysWOW64\Chcddk32.exe
C:\Windows\system32\Chcddk32.exe
C:\Windows\SysWOW64\Cjbpaf32.exe
C:\Windows\system32\Cjbpaf32.exe
C:\Windows\SysWOW64\Cnnlaehj.exe
C:\Windows\system32\Cnnlaehj.exe
C:\Windows\SysWOW64\Calhnpgn.exe
C:\Windows\system32\Calhnpgn.exe
C:\Windows\SysWOW64\Cegdnopg.exe
C:\Windows\system32\Cegdnopg.exe
C:\Windows\SysWOW64\Dhfajjoj.exe
C:\Windows\system32\Dhfajjoj.exe
C:\Windows\SysWOW64\Djdmffnn.exe
C:\Windows\system32\Djdmffnn.exe
C:\Windows\SysWOW64\Dmcibama.exe
C:\Windows\system32\Dmcibama.exe
C:\Windows\SysWOW64\Dejacond.exe
C:\Windows\system32\Dejacond.exe
C:\Windows\SysWOW64\Dhhnpjmh.exe
C:\Windows\system32\Dhhnpjmh.exe
C:\Windows\SysWOW64\Dfknkg32.exe
C:\Windows\system32\Dfknkg32.exe
C:\Windows\SysWOW64\Dobfld32.exe
C:\Windows\system32\Dobfld32.exe
C:\Windows\SysWOW64\Daqbip32.exe
C:\Windows\system32\Daqbip32.exe
C:\Windows\SysWOW64\Ddonekbl.exe
C:\Windows\system32\Ddonekbl.exe
C:\Windows\SysWOW64\Dhkjej32.exe
C:\Windows\system32\Dhkjej32.exe
C:\Windows\SysWOW64\Dkifae32.exe
C:\Windows\system32\Dkifae32.exe
C:\Windows\SysWOW64\Dmgbnq32.exe
C:\Windows\system32\Dmgbnq32.exe
C:\Windows\SysWOW64\Daconoae.exe
C:\Windows\system32\Daconoae.exe
C:\Windows\SysWOW64\Ddakjkqi.exe
C:\Windows\system32\Ddakjkqi.exe
C:\Windows\SysWOW64\Dkkcge32.exe
C:\Windows\system32\Dkkcge32.exe
C:\Windows\SysWOW64\Dmjocp32.exe
C:\Windows\system32\Dmjocp32.exe
C:\Windows\SysWOW64\Daekdooc.exe
C:\Windows\system32\Daekdooc.exe
C:\Windows\SysWOW64\Dddhpjof.exe
C:\Windows\system32\Dddhpjof.exe
C:\Windows\SysWOW64\Dgbdlf32.exe
C:\Windows\system32\Dgbdlf32.exe
C:\Windows\SysWOW64\Doilmc32.exe
C:\Windows\system32\Doilmc32.exe
C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5720 -ip 5720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 408
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/1616-0-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Anadoi32.exe
| MD5 | 4ffabc8aa292472ba34637f8181be062 |
| SHA1 | 1a0485e044e7335cc1a1150a0ce1319e143710af |
| SHA256 | 5af6633f74fd23c8f09c5483405480f3fe0c02b8d2fb2e153500a2844c01411e |
| SHA512 | 98a775e9ba19d750254c4d91a924a21c30d922d0fa332eaf5c5052e2a4fbdcd3357ed7c55bb86a98b3d582e8314dde070247dac1daaca71e972fe843c5b735bd |
memory/2780-12-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4688-20-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Aeklkchg.exe
| MD5 | 9033d2981a18a605291db997d583e8ba |
| SHA1 | 462b074949397d5edb14d9d314afebf180dab27e |
| SHA256 | 7809e0976306cb102204ba2ebbaae7c0eda72ed092255e334357168c775b9cc1 |
| SHA512 | d84d566ad229330854ae2e48616308018c185a1a381df78cfd78af746545328d520ecdaae79cd9a2c1baaff60ac6ebae23f5217dcbe3e14367eeb245aaa04cdb |
memory/3616-28-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Agjhgngj.exe
| MD5 | 2bbefa417553b86165dc8d011c97fc57 |
| SHA1 | 8711abb550a7e386a5e68225efdb78a5f46a978b |
| SHA256 | ff6c247408a44fd63fe151f299d329c699feb716bf9df7ab4ce44bf7dd0625b2 |
| SHA512 | b22e6cc8bf571b8442872fc54ff6f126e472ed15090801bcce54a026301d7f401055951cbf37931069e0c2deb04726f914efd7fa0447d9e9fa8d83c7dbc18553 |
C:\Windows\SysWOW64\Oicmfmok.dll
| MD5 | 6e1123c58d25ad4d90730094ef185322 |
| SHA1 | e8a011a5a72e7d6614fb35a86a19949627dbfb84 |
| SHA256 | 1d9b9b034c223ba26694923179b9e53719ecf7c23c2fcc956ec4b5f1e51bf305 |
| SHA512 | 0fd7c987d76a701ae67db5e5a7546e16fe08612833ab2da6f46f069a58e9815bf6ef1a9cd33aab7d4a755abacc0275fcda0bc0adaab313b96d6694c2fbc320a5 |
C:\Windows\SysWOW64\Ajhddjfn.exe
| MD5 | 54e978ae72a7372572bb100b8968ceda |
| SHA1 | 89afc3b6d88a985ecc49a88546fe7693fca54c22 |
| SHA256 | d415ef949795eb5991a23adb6942e0c48973686aac9eeb2fc38a25e3ecfe031f |
| SHA512 | 7cc4919cbc5948a587826b2a0d71cf7d48f68802be784b3c60f90a4fe032b572e1dd97b943cee50892f27e2aac0a23a4b53a88dc90ed9cad56b2596e7066c564 |
C:\Windows\SysWOW64\Andqdh32.exe
| MD5 | 6dc4d3d60446c2792db0f620f604a920 |
| SHA1 | 74adaf0531eb962faada1e27e78a5978b34b43b7 |
| SHA256 | 5b85099359f9c2f998c54cfd864f46a117512a7b9540bfb710eb5d6cbec2ae1d |
| SHA512 | 39c02a117e84edf80159433e278ef625da3b95654ff7783d7a6004192693a5a40a32face58890c3f9608779964c071553f4782ac710806f8124f610436b10e2b |
memory/228-52-0x0000000000400000-0x0000000000433000-memory.dmp
memory/216-60-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1612-68-0x0000000000400000-0x0000000000433000-memory.dmp
memory/556-76-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Anfmjhmd.exe
| MD5 | 4e8648a8a43145c59be715ce33b11161 |
| SHA1 | a2c750a493cc18c9b64bb02138a7c7aed89e9900 |
| SHA256 | 1337ffbc4136d0409c1b72f8a857f95ed4c7b731595879f954d6fbe9a0798b54 |
| SHA512 | f8e4b9067ef57e6c4ba1233f8d17aaf8a5d95fec1fa4b528cfe18d2a423afea9158a5565bd3e0facbc87b5698821a6cddf4d2e5dab410eeb913dadf1888965cc |
memory/2668-108-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bchomn32.exe
| MD5 | a195a979c34925e77e64a4990ae3dbdc |
| SHA1 | db3c57f42347a0bf90a8d2ca26463707b265412a |
| SHA256 | 88eba9656e880f701ee6ac096eb0f6ae1be3759ed1468a89bd2fbb8009bbc119 |
| SHA512 | 91728d0e1d6839a5ee28332d99e731d005be3349c44385097c4a034ccee4fcaa73ddbadb88819c57956793f9200d33572301a7994bf5f9f07be09832cd933b84 |
C:\Windows\SysWOW64\Bgehcmmm.exe
| MD5 | e9e24e680f9f139d7ccb43d986a9bc85 |
| SHA1 | bef665ac2e4a8dde81affaeb6ebe9c58e7194050 |
| SHA256 | 4ef1144eb56d4f31a4f3bea11085bd6542ebfe3f79784f0fce6261e2e8093d9d |
| SHA512 | c8bc2f932de67214c7527d57d55ec8786b510b5976330cc0bf22e0eb11101312e5e2dcec83e51a6b67da1bd9e40268d5f5ccce24385b9a291336a635c4cf71c8 |
memory/2320-291-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4784-315-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2732-375-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4232-464-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5196-489-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5356-513-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5596-550-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5680-562-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5720-563-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5636-556-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1616-549-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5564-543-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5516-536-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5476-531-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5436-525-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5396-519-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5316-507-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5276-501-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5236-495-0x0000000000400000-0x0000000000433000-memory.dmp
memory/5156-483-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2348-477-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3936-471-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4108-458-0x0000000000400000-0x0000000000433000-memory.dmp
memory/628-453-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3896-447-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1772-445-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1552-434-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2020-429-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3740-423-0x0000000000400000-0x0000000000433000-memory.dmp
memory/404-417-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2416-411-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3248-405-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2996-399-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3492-392-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4568-387-0x0000000000400000-0x0000000000433000-memory.dmp
memory/532-380-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1816-368-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2060-363-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4700-356-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3972-351-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1736-345-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3928-339-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1572-333-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1124-327-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4264-321-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1996-309-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3392-302-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3452-296-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1948-284-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2384-279-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4724-273-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4304-267-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4284-261-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bnpppgdj.exe
| MD5 | 22218f9a90c350d2da5fcc0438caad69 |
| SHA1 | 12941900aed12da89233110f97d4b8507d910af6 |
| SHA256 | 21c37f7e0a31e02fef89aa9516e9ad0859b8f65744b8b40fd9a361c9d446a782 |
| SHA512 | 0ae4fc4cefdbac42bc1a88280196d916d8c228f664477fbe89a9bbc45ba9352db5b79b568a23b577ab160fd4ae7aa2605845df8f432f6951902daa10af1f5f6d |
memory/464-252-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bjddphlq.exe
| MD5 | d589cb5b698778459710e02f545b5db3 |
| SHA1 | 288abd678422e5ed3726e49c4610d1f7c5e2bda4 |
| SHA256 | 5a4ec4a2159baa5d785115cf1bb91a540723e5bb97bf000e8169a89f9a54b8ad |
| SHA512 | c03ed5f4a1f5f728c5f7e2f4343898107b5b4a5d2d0c0fdeac4057cb86709ffa5e6bdde3d082af616bc127ffa8d0c5e7921536c6be3a0badf1619df35778eaeb |
memory/5068-245-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2748-236-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bcjlcn32.exe
| MD5 | 786e59a353a4fcc1ab519f84a27f6cff |
| SHA1 | b167bb7d78037018a64c6b6ea5630bf7e9d3cf4d |
| SHA256 | 4ff2665bd6e3c34009feb528a2093a66a540a4c552efea660dc6bfbb68c752f8 |
| SHA512 | f80167cadbed951e65974c38aa7be5d6ceda7651913a99ef5fe68bf83e6900b0cc99799a864387ac81594de7886851dd10e488eaa81f3a2d0ea0cade8c552506 |
memory/3624-229-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Balpgb32.exe
| MD5 | 05817ed39385a3762f1a7484114e11bb |
| SHA1 | fcfb845f5ec3a1afbe728b4cad4262f7f39066ed |
| SHA256 | ec74ccfd19af4d5c0c545af6662fc16a1dbceda41ba94d791418ebf289642578 |
| SHA512 | 3fc80399f86764d26e49330208d3046af3a520824fef075c7e3e121adac961ef9e33f1e9bdae497896cc3939d7dfb5f8134ad1766d4483f02bb9260623c6596c |
memory/4052-221-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bnmcjg32.exe
| MD5 | 0ae159163e8566c045f7c58b1f0406ba |
| SHA1 | 7f286abe9b947677ddd578831ddb5c8b3f0a915d |
| SHA256 | a348ab21a063970932400b1fdc3fff7beecddc9c5bd97fc99c50a784f374e86d |
| SHA512 | 71e01c394b850122cfccbb32ffabcd78d0cfcbcde6e218c97380f312c3f9757c69d62ed7396e7fc0e0e1fe79781bfa8f1927284c10e0c9dfc5a01ca1098bc742 |
memory/3892-213-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bjagjhnc.exe
| MD5 | 6e9801b31315492eeba2db98408adfcb |
| SHA1 | 725addc8c30916a33fee2542ff57ea8ebe61e609 |
| SHA256 | 68a589fcc4bb5851544039af57029b11a40d365db29c21e03de0dbf74e9ec05b |
| SHA512 | bf42a9d8d1001d7d6c2503bab19a16aa5f1f4c893a034946a9be8bfc5f4fc469f4f6b5355891327b8d59798cbbaf025e04a6c1c26b85c733ee6798bf8b382c56 |
memory/3880-204-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bgcknmop.exe
| MD5 | 03b18db24a7eaed60251d152f040f675 |
| SHA1 | dd0f9ec8639efffba8c9751cf7cbbede009bcfd2 |
| SHA256 | d45f8f4660d57c36ed357b5e3c18453173ba6be2c63d2e9412fd35f394a200ce |
| SHA512 | f31d513978821ae80aa11f80c30d7b8c73e8781a64b2839e527ba07cb53569c7bd4c16076d400d287666ce5c4a98f22ceff12830ce8439eda4df66626adca0ee |
memory/3588-197-0x0000000000400000-0x0000000000433000-memory.dmp
memory/336-188-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Baicac32.exe
| MD5 | 2e87eea3b2eac62c29cffddc7a7bdb07 |
| SHA1 | a2da2d7eb388361223249b2bd5789254ad9d5916 |
| SHA256 | 61aa0a3c16b05065952f1c81d8c05495c24765ab8f725c62f53af9a5ac17657d |
| SHA512 | fa6d414166c543ad028f3b844c793d11df5999d5d3494d4f7a172fbaf5198b456e9474f8989ee0380aafb29545727ebb9e561d71d23017460c778c28995a9fd5 |
memory/3336-180-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bnkgeg32.exe
| MD5 | c740db47b5b808dc2c08c40adf4b515a |
| SHA1 | d0455335f8f882a8962df4c37232ea6284361824 |
| SHA256 | e9f34b7ff02daff0c2a87523d23cdb6c2dbba4e218d610c9034394d831a206fb |
| SHA512 | e4a3b128646756f9468f74c8d1944dc688647d7b2ce35392f5f290d1a4418431c7d9999672091a08cbffe678dbf6546df8c29349b55a819e8e99ad26a68e4ee8 |
memory/1256-173-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bjokdipf.exe
| MD5 | b308e8e93ff5e694facb802d2c6373c6 |
| SHA1 | 0dff637ba0b35ae738533051dd9b9542ddf303fa |
| SHA256 | ad8ad43bb23f579ada4b8075f3c82bebb9312c1db037ef94020568eda3369da4 |
| SHA512 | fb8dcea8ee8dc46aabc15e7f36a7abd82f03800d3c99629e7faec76b82856de97f70025c103176159856455b6474e2e0a8b36b75dfc176a1eaf97f6be9f1be51 |
memory/4832-164-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bfdodjhm.exe
| MD5 | 3cda09660b34ecf2d14433873c983c9a |
| SHA1 | dc37780155b72c4a54c1543408b6e8fb5cab2869 |
| SHA256 | e6c458327f9a6623a2fe12da2fce90f296e05eb68436f0462effc5eef715ec43 |
| SHA512 | 7fa5ffad96c26ff32abece4c00ea9cc56c41acbf51d949d1c7db22a6e778060eb567f210e806aea0dfac4dca947509b8f93b79dcc6e559b69ba315713b2b76df |
memory/2336-157-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bcebhoii.exe
| MD5 | 9241beba41c378685658f4dcf73eab46 |
| SHA1 | 25f7e74b4f32aa97ea001ca3ff54f12ac16ae139 |
| SHA256 | 29864d08a28638f6ce16c4f309cf68d9abc2fe77dae689dbddefdb2a2d61687f |
| SHA512 | 03f91c2676fd717e2d354302256452dcc112eb7eb2d929f37b93403c06eb41699de1d50d2d14bbb90e39967a944c24da05dddd01e616e97914a9305a6000161e |
memory/3672-148-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bebblb32.exe
| MD5 | 8fe9eda04d39a1b92b99bb117fa96e6f |
| SHA1 | 20eba5ad6f8b93d805c78704054a89c7248c6efa |
| SHA256 | 4d747ae878c711078a4a9f5acb9d1a7e07a79666e9950317c0f24d761634294f |
| SHA512 | 8be8e51cf721202ea9f80dd68707af1ed83b79670b8b26931c71ec7ad3b6b39ca063e929fae01f37ca2daebc2c33cc368f2c8b5fcfb79ebcaf8390a333365c38 |
memory/4268-140-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bmkjkd32.exe
| MD5 | d976e3ae9ece8489471ef7f8afcb335e |
| SHA1 | b5da39c03eae1ab7e7b1e856124f16c25dc0f717 |
| SHA256 | b8e410fc8e772f1a422188d0673271c1ab6f1b26a2b34d899fdf8156a8913ec7 |
| SHA512 | 1f477c46170885eab831bb5120add1999729a8c7f75d01732e4dcea6cb5b67c01881b33d88f10cb2a240a3b4665eeadcec7f561224ad636a9f44b340f5ae68f8 |
memory/4768-133-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bnhjohkb.exe
| MD5 | 5e423dd3bec5f6579a1688034fa13e42 |
| SHA1 | 6b4590ad9ae0c5a027f62d2b322cbc2101960973 |
| SHA256 | f0677a4c4c8b99752b05c419f9d6310d52a38a986c698fc5a7ab597225175432 |
| SHA512 | abdc2c634087ddea475c0526d85a499da7f67b65789d2c7171e795379e6e6f4bc96e86b37f27b0c1102cac6f5d7d16e5115a84efe19e086e053761dc2ee0e96f |
memory/4860-124-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Bjmnoi32.exe
| MD5 | f6a8245f959cab9fbcd18d89044a176c |
| SHA1 | 62fea54aba3b05b4fbc85c0d67d8da131b2fe8b6 |
| SHA256 | 5ac49e35f5ff23a72a1fa1a3556f378777a8cd2012de413a8b5383e687d6fcc0 |
| SHA512 | c50c894286bc9f68a82da155e90536b75ad56df1799feec4c776525e61dc586595ae1f506c1a04b382b21ec0cca7b9821a602a278a774a4253111408aaf3c131 |
memory/840-117-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Agoabn32.exe
| MD5 | c46908b167b12e58b88c244a0d2c6419 |
| SHA1 | cf35b424fc4fd467a5cd99a080b2d4df31ec0102 |
| SHA256 | 4b22b23d4c4d5523e7aa65790029298b0ede415f09dba843a2f3608e38bc5a13 |
| SHA512 | 9ca6074131867e3a0d3b67e68e327d2fa9c5e9f7f5a5bf183eacffe202ea0d4c3afcd84afe022fb0b6a60df2b0c7213469d39acc820f6ea08e7a3348862a0d7a |
C:\Windows\SysWOW64\Aepefb32.exe
| MD5 | b7939ed895f271fe437ab6f59a5a36fe |
| SHA1 | 63fcdedaf7693f075c1493b73d2badb333036378 |
| SHA256 | 83d0ca1cbe71ccbbda877ec96e824bf2c14a4aad085a43d4057d3e6daab882c3 |
| SHA512 | 29afce1ffdd61ea6a21c2306cf46dc9c09bd210da4787464ee550c024c77c9984a6bfdee47b6671195e2c2dccc6ee70985f84637b5e4c85647c321bafca766da |
memory/2532-100-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Aadifclh.exe
| MD5 | 76483984f8b2bff03f185a16e6be996b |
| SHA1 | adc95cd8ccc4aeb48838ef70e365d65f35a7825f |
| SHA256 | 14fc25a18db423ab6de3ba789d01c6ba876d46327743c353ab10e420ed176ef1 |
| SHA512 | afff813f6218120726a89b09319a0855b68c75a7d8ad894c7a3bbaf6f2f4c4ab0d185ba9703b564659339781b8c1e97b3cbf75c88ee53bbef350d1a0fc54e46f |
memory/2864-92-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1980-84-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Ajkaii32.exe
| MD5 | ce53cdd0fac74c87ee4613b2fea5192e |
| SHA1 | 8f598a91ec21a5a5fce149cee3766d6535ab24b9 |
| SHA256 | 5f0e75834ba00008219daa765f8ab3a502973152ddf8101fc346294ed52f63b1 |
| SHA512 | e40f5232c121072e963b72cbd12ddcf6efd9d737133e9596d2e126fb222914ccf5f8e87373edb247802f2f154cc1a487d3564dc720de9608507b5836ff808365 |
C:\Windows\SysWOW64\Aglemn32.exe
| MD5 | 5b887951738160872b2b94b2dfdf426c |
| SHA1 | 4000da3e13ba7be4bae36ec7c73100a4090cf984 |
| SHA256 | c4545a96259a0722acee2cec39aa1d55d76ad605eea9acb9cb63cbe304de44fd |
| SHA512 | 7f29f0cbfc460d2078e842d749e5f00d9b559cc005d31767889385194c9aaa9c2b32af3cf84c74ffb2b9189b5226f2a6180c9f067b23c75f3026107634758ca2 |
C:\Windows\SysWOW64\Aeniabfd.exe
| MD5 | fc193cca4ef6d18159e7c6c97d7785fb |
| SHA1 | 22ecdb554eb63b1660203838ef2720166ae938cf |
| SHA256 | a6fc962d18d2192d674fed0280a4b03872300460e685d1ef6ffaa537511960ee |
| SHA512 | 2c092f04e2dc488c40a87596ec29cc16f320a4352931b134f46db58f408389d946a946d272d52563be0e71e7b72256e6f97edafa2850a08644e4882cc42dbfcd |
C:\Windows\SysWOW64\Aabmqd32.exe
| MD5 | 5caba83cabf3aaed4cbc94c42ce5e0e4 |
| SHA1 | aadd6257512939517869d3b6d23401f18e8654e8 |
| SHA256 | 39038682c45c852002c9a46489192ecef9bae4f6f16bb0a203343e72a8045f95 |
| SHA512 | 1df41df88c660273c6d7bfe51fcb1293ba766657ec3e6a4efa8a74868572e10d08c8c377ca4dca8ac8496e3764a97fb6890e11e6acea9c1f1e7b3891c9f9df72 |
memory/1448-44-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3964-32-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Aqppkd32.exe
| MD5 | a7f7759e023d90bdebe75b43a067fc65 |
| SHA1 | 8ba9798615f6018e63448a0c52efb0bbc6de1257 |
| SHA256 | 6deb7d6c3f1306a50906236c0df25fa3f95d39612910fa424454f9a696668496 |
| SHA512 | 1b651abbfffdb451490bfc740a51161411344b30b68dedd54bd1c9b79e6297b4c02e8c00d97fc6d9e6b76fe9320146315f6e6f9960847415fe4a5adebf61c961 |
memory/3964-564-0x0000000000400000-0x0000000000433000-memory.dmp