Analysis Overview
SHA256
a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08
Threat Level: Known bad
The file a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe was found to be: Known bad.
Malicious Activity Summary
Berbew
Adds autorun key to be loaded by Explorer.exe on startup
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 14:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 14:13
Reported
2024-11-12 14:16
Platform
win7-20241010-en
Max time kernel
13s
Max time network
19s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jcfjhj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Lijepc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nmgjee32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nejdjf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Biceoj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Knddcg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Amhopfof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dkekmp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dlfgehqk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dilddl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jcdmbk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jcfjhj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgoaap32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pkfiaqgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pkfiaqgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dilddl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Lkcgapjl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ollcee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Paghojip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Kkckblgq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Lfdbcing.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Chkoef32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dpdpkfga.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dalfdjdl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kkckblgq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Lffohikd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ndjhpcoe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Amebjgai.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfgehn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cligkdlm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ogddhmdl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cahmik32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Aoihaa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dajiok32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bjnhnn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cahmik32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kninog32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lkfdfo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Olopjddf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Panehkaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pkkblp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmhkojab.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oaqeogll.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Caccnllf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kjkehhjf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mgoaap32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mcfbfaao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mfihml32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dkpabqoa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mfihml32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ndjhpcoe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Paghojip.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qmcedg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dbkffc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Noplmlok.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pkkblp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Mmemoe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Panehkaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Penjdien.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Aialjgbh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lkcgapjl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lfdbcing.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mcfbfaao.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Bfkfbm32.dll | C:\Windows\SysWOW64\Dilddl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Knddcg32.exe | C:\Windows\SysWOW64\Kkckblgq.exe | N/A |
| File created | C:\Windows\SysWOW64\Eobjmken.dll | C:\Windows\SysWOW64\Bjnhnn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Chkoef32.exe | C:\Windows\SysWOW64\Cbnfmo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Caepdk32.exe | C:\Windows\SysWOW64\Cligkdlm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dkekmp32.exe | C:\Windows\SysWOW64\Dalfdjdl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mcfbfaao.exe | C:\Windows\SysWOW64\Mgoaap32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mmemoe32.exe | C:\Windows\SysWOW64\Mfihml32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aialjgbh.exe | C:\Windows\SysWOW64\Aoihaa32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Caepdk32.exe | C:\Windows\SysWOW64\Cligkdlm.exe | N/A |
| File created | C:\Windows\SysWOW64\Dilddl32.exe | C:\Windows\SysWOW64\Dpdpkfga.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjnhnn32.exe | C:\Windows\SysWOW64\Bgmolb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dkpabqoa.exe | C:\Windows\SysWOW64\Cahmik32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pbkkql32.dll | C:\Windows\SysWOW64\Mhckloge.exe | N/A |
| File created | C:\Windows\SysWOW64\Nejdjf32.exe | C:\Windows\SysWOW64\Noplmlok.exe | N/A |
| File created | C:\Windows\SysWOW64\Ollcee32.exe | C:\Windows\SysWOW64\Oacbdg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hnjfjm32.dll | C:\Windows\SysWOW64\Penjdien.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Amhopfof.exe | C:\Windows\SysWOW64\Amebjgai.exe | N/A |
| File created | C:\Windows\SysWOW64\Ihdhmkjd.dll | C:\Windows\SysWOW64\Paghojip.exe | N/A |
| File created | C:\Windows\SysWOW64\Dbkffc32.exe | C:\Windows\SysWOW64\Dajiok32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aecmfopg.dll | C:\Windows\SysWOW64\Lijepc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ndjhpcoe.exe | C:\Windows\SysWOW64\Nokcbm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pkfiaqgk.exe | C:\Windows\SysWOW64\Panehkaj.exe | N/A |
| File created | C:\Windows\SysWOW64\Penjdien.exe | C:\Windows\SysWOW64\Pkfiaqgk.exe | N/A |
| File created | C:\Windows\SysWOW64\Pkkblp32.exe | C:\Windows\SysWOW64\Penjdien.exe | N/A |
| File created | C:\Windows\SysWOW64\Noplmlok.exe | C:\Windows\SysWOW64\Ndjhpcoe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cfgehn32.exe | C:\Windows\SysWOW64\Biceoj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmmlkk32.dll | C:\Windows\SysWOW64\Kkckblgq.exe | N/A |
| File created | C:\Windows\SysWOW64\Mcfbfaao.exe | C:\Windows\SysWOW64\Mgoaap32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mhckloge.exe | C:\Windows\SysWOW64\Mcfbfaao.exe | N/A |
| File created | C:\Windows\SysWOW64\Ppfhfkhm.dll | C:\Windows\SysWOW64\Mcfbfaao.exe | N/A |
| File created | C:\Windows\SysWOW64\Nmgjee32.exe | C:\Windows\SysWOW64\Mmemoe32.exe | N/A |
| File created | C:\Windows\SysWOW64\Biceoj32.exe | C:\Windows\SysWOW64\Bjnhnn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ngcjbg32.dll | C:\Windows\SysWOW64\Caccnllf.exe | N/A |
| File created | C:\Windows\SysWOW64\Paebkkhn.dll | C:\Windows\SysWOW64\Cligkdlm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kkckblgq.exe | C:\Windows\SysWOW64\Jcfjhj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mgoaap32.exe | C:\Windows\SysWOW64\Lijepc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogddhmdl.exe | C:\Windows\SysWOW64\Olopjddf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pkkblp32.exe | C:\Windows\SysWOW64\Penjdien.exe | N/A |
| File created | C:\Windows\SysWOW64\Hegfajbc.dll | C:\Windows\SysWOW64\Qdhqpe32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cfbhlb32.exe | C:\Windows\SysWOW64\Caepdk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Flnjii32.dll | C:\Windows\SysWOW64\Caepdk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dcemgk32.dll | C:\Windows\SysWOW64\Aoihaa32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfbhlb32.exe | C:\Windows\SysWOW64\Caepdk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Inpiogfm.dll | C:\Windows\SysWOW64\Denknngk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kjkehhjf.exe | C:\Windows\SysWOW64\Knddcg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jdekhe32.dll | C:\Windows\SysWOW64\Lkcgapjl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Penjdien.exe | C:\Windows\SysWOW64\Pkfiaqgk.exe | N/A |
| File created | C:\Windows\SysWOW64\Mikelp32.dll | C:\Windows\SysWOW64\Amebjgai.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dalfdjdl.exe | C:\Windows\SysWOW64\Dbkffc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jcfjhj32.exe | C:\Windows\SysWOW64\Jcdmbk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kninog32.exe | C:\Windows\SysWOW64\Kjkehhjf.exe | N/A |
| File created | C:\Windows\SysWOW64\Eohhqjab.dll | C:\Windows\SysWOW64\Lffohikd.exe | N/A |
| File created | C:\Windows\SysWOW64\Lijepc32.exe | C:\Windows\SysWOW64\Lkfdfo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mhckloge.exe | C:\Windows\SysWOW64\Mcfbfaao.exe | N/A |
| File created | C:\Windows\SysWOW64\Kcclakie.dll | C:\Windows\SysWOW64\Dbkffc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Djnbkg32.dll | C:\Windows\SysWOW64\Dpdpkfga.exe | N/A |
| File created | C:\Windows\SysWOW64\Bleppqce.dll | C:\Windows\SysWOW64\Dkekmp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hddpfjgq.dll | C:\Windows\SysWOW64\Nmgjee32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gdbcbcgp.dll | C:\Windows\SysWOW64\Nokcbm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Amebjgai.exe | C:\Windows\SysWOW64\Qmcedg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Caccnllf.exe | C:\Windows\SysWOW64\Chkoef32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkldecjp.dll | C:\Windows\SysWOW64\Chkoef32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eejqea32.dll | C:\Windows\SysWOW64\Dkpabqoa.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Eceimadb.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dajiok32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dalfdjdl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oacbdg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ogddhmdl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Penjdien.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nfpnnk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Noplmlok.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lkcgapjl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lkfdfo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mcfbfaao.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmhkojab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Biceoj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dpdpkfga.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jcfjhj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kkckblgq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nmgjee32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cligkdlm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfbhlb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mmemoe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Panehkaj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aoihaa32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pkfiaqgk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pdcgeejf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aialjgbh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Caccnllf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jcdmbk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kjkehhjf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lffohikd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cbnfmo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dkpabqoa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eceimadb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mfihml32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qdhqpe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cahmik32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjnhnn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfgehn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dbkffc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dlfgehqk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nokcbm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ndjhpcoe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nejdjf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qmcedg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amebjgai.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Denknngk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kninog32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mhckloge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oaqeogll.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lijepc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dkekmp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Olopjddf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pkkblp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amhopfof.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lfdbcing.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mgoaap32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ollcee32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chkoef32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Caepdk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dilddl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Knddcg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Paghojip.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgmolb32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmlkk32.dll" | C:\Windows\SysWOW64\Kkckblgq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dlfgehqk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aecmfopg.dll" | C:\Windows\SysWOW64\Lijepc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ollcee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ogddhmdl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faeaddaj.dll" | C:\Windows\SysWOW64\Dajiok32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dbkffc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Panehkaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Aoihaa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aialjgbh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jngakhdp.dll" | C:\Windows\SysWOW64\Oaqeogll.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nfpnnk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pkkblp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cbnfmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dkpabqoa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcclakie.dll" | C:\Windows\SysWOW64\Dbkffc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dkekmp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdekhe32.dll" | C:\Windows\SysWOW64\Lkcgapjl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Mcfbfaao.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Mmemoe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Amhopfof.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcemgk32.dll" | C:\Windows\SysWOW64\Aoihaa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bgmolb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dilddl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Kjkehhjf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Oaqeogll.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Amebjgai.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lijepc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddpfjgq.dll" | C:\Windows\SysWOW64\Nmgjee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Panehkaj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bmhkojab.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bgmolb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nokcbm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Oacbdg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjfjm32.dll" | C:\Windows\SysWOW64\Penjdien.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihdhmkjd.dll" | C:\Windows\SysWOW64\Paghojip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cfgehn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cfgehn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Chkoef32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Kninog32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edljdb32.dll" | C:\Windows\SysWOW64\Ndjhpcoe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giedhjnn.dll" | C:\Windows\SysWOW64\Oacbdg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Pkfiaqgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnimikan.dll" | C:\Windows\SysWOW64\Bmhkojab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobjmken.dll" | C:\Windows\SysWOW64\Bjnhnn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbbbhigf.dll" | C:\Windows\SysWOW64\Cfgehn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcjbg32.dll" | C:\Windows\SysWOW64\Caccnllf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmibhn32.dll" | C:\Windows\SysWOW64\Jcdmbk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkfbm32.dll" | C:\Windows\SysWOW64\Dilddl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Caccnllf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mgoaap32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bjnhnn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpkphm32.dll" | C:\Windows\SysWOW64\Lfdbcing.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmbjkm32.dll" | C:\Windows\SysWOW64\Pdcgeejf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bmhkojab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfkhnhf.dll" | C:\Windows\SysWOW64\Bgmolb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klheoobo.dll" | C:\Windows\SysWOW64\Cbnfmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpiogfm.dll" | C:\Windows\SysWOW64\Denknngk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Knddcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohkpn32.dll" | C:\Windows\SysWOW64\Dlfgehqk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dpdpkfga.exe | N/A |
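The registry rows above describe one persistence mechanism in two halves: the ShellServiceObjectDelayLoad (SSODL) value names a CLSID, and the CLSID's InProcServer32 default value names the DLL that Explorer.exe will load under that CLSID at logon. Reading the two halves together is what turns the table into an indicator. The script below is an added example, not part of the sandbox report or of the Berbew sample: it parses rows in this report's `| action | indicator | process | target |` format, joins SSODL value -> CLSID -> InProcServer32 DLL, and records which dropped processes wrote each piece. The sample rows are constructed in the report's row format (the CLSID, DLL names and process names mirror entries in the table above); the `registered_in_run` flag is this example's own heuristic, meaning the same detonation both registered the COM server and wired it into SSODL.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rows in the report's "| action | indicator | process | target |" format.
# Values mirror entries from the registry table; the SSODL row is written the way the
# sandbox renders the "Adds autorun key to be loaded by Explorer.exe" signature.
SAMPLE_ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cbnfmo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pkkblp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcclakie.dll" | C:\Windows\SysWOW64\Dbkffc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdekhe32.dll" | C:\Windows\SysWOW64\Lkcgapjl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Lijepc32.exe | N/A |
"""

# One table row: action | indicator | process | (target ignored). Indicators never contain '|'.
ROW_RE = re.compile(r"^\|\s*(?P<action>[^|]+?)\s*\|\s*(?P<indicator>[^|]+?)\s*\|\s*(?P<process>[^|]+?)\s*\|")
# "Set value" indicators look like  <key>\<valuename> = "<data>"  (default value has an empty name).
SET_RE = re.compile(r'^(?P<path>.*?) = "(?P<value>.*)"$')
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class PersistenceChain:
    ssodl: dict = field(default_factory=dict)    # SSODL value name -> CLSID
    inproc: dict = field(default_factory=dict)   # CLSID -> {InProcServer32 DLL paths}
    writers: dict = field(default_factory=dict)  # CLSID -> {processes that touched the CLSID key}


def parse_rows(text: str) -> PersistenceChain:
    """Collect SSODL entries and CLSID server registrations from report rows."""
    chain = PersistenceChain()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        action, indicator, process = m.group("action", "indicator", "process")
        g = GUID_RE.search(indicator)
        # Any key creation or value write under HKCR\...\CLSID\{guid} counts as touching that CLSID.
        if g and "\\CLSID\\" in indicator:
            chain.writers.setdefault(g.group(0).upper(), set()).add(process)
        if not action.startswith("Set value"):
            continue
        sv = SET_RE.match(indicator)
        if not sv:
            continue
        key, _, name = sv.group("path").rpartition("\\")
        value = sv.group("value").replace("\\\\", "\\")  # sandbox escapes backslashes in data
        ukey = key.upper()
        if ukey.endswith("\\SHELLSERVICEOBJECTDELAYLOAD") and GUID_RE.fullmatch(value):
            chain.ssodl[name] = value.upper()
        elif ukey.endswith("\\INPROCSERVER32") and name == "" and g:
            chain.inproc.setdefault(g.group(0).upper(), set()).add(value)
    return chain


def resolve(chain: PersistenceChain) -> list:
    """Join each SSODL entry to the DLL(s) Explorer would load for its CLSID."""
    findings = []
    for name, clsid in sorted(chain.ssodl.items()):
        findings.append({
            "ssodl_name": name,
            "clsid": clsid,
            "dlls": sorted(chain.inproc.get(clsid, ())),
            "writers": sorted(chain.writers.get(clsid, ())),
            # Heuristic (this example's own): the run both registered the COM server and
            # wired it into SSODL, so the DLL is loaded into Explorer at the next logon.
            "registered_in_run": clsid in chain.inproc,
        })
    return findings


if __name__ == "__main__":
    for f in resolve(parse_rows(SAMPLE_ROWS)):
        print(f"SSODL '{f['ssodl_name']}' -> {f['clsid']}")
        for dll in f["dlls"]:
            print(f"  InProcServer32: {dll}")
        print(f"  written by {len(f['writers'])} process(es); registered in run: {f['registered_in_run']}")
```

On a live host the same join is done by reading the SSODL value under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad` (and its `Wow6432Node` twin) and resolving each CLSID under `HKCR\CLSID\{...}\InProcServer32`; several distinct dropped EXEs writing the same CLSID, as in this report, is itself a strong signal of a staged dropper chain rather than a legitimate installer.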
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe
"C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe"
C:\Windows\SysWOW64\Jcdmbk32.exe
C:\Windows\system32\Jcdmbk32.exe
C:\Windows\SysWOW64\Jcfjhj32.exe
C:\Windows\system32\Jcfjhj32.exe
C:\Windows\SysWOW64\Kkckblgq.exe
C:\Windows\system32\Kkckblgq.exe
C:\Windows\SysWOW64\Knddcg32.exe
C:\Windows\system32\Knddcg32.exe
C:\Windows\SysWOW64\Kjkehhjf.exe
C:\Windows\system32\Kjkehhjf.exe
C:\Windows\SysWOW64\Kninog32.exe
C:\Windows\system32\Kninog32.exe
C:\Windows\SysWOW64\Lfdbcing.exe
C:\Windows\system32\Lfdbcing.exe
C:\Windows\SysWOW64\Lffohikd.exe
C:\Windows\system32\Lffohikd.exe
C:\Windows\SysWOW64\Lkcgapjl.exe
C:\Windows\system32\Lkcgapjl.exe
C:\Windows\SysWOW64\Lkfdfo32.exe
C:\Windows\system32\Lkfdfo32.exe
C:\Windows\SysWOW64\Lijepc32.exe
C:\Windows\system32\Lijepc32.exe
C:\Windows\SysWOW64\Mgoaap32.exe
C:\Windows\system32\Mgoaap32.exe
C:\Windows\SysWOW64\Mcfbfaao.exe
C:\Windows\system32\Mcfbfaao.exe
C:\Windows\SysWOW64\Mhckloge.exe
C:\Windows\system32\Mhckloge.exe
C:\Windows\SysWOW64\Mfihml32.exe
C:\Windows\system32\Mfihml32.exe
C:\Windows\SysWOW64\Mmemoe32.exe
C:\Windows\system32\Mmemoe32.exe
C:\Windows\SysWOW64\Nmgjee32.exe
C:\Windows\system32\Nmgjee32.exe
C:\Windows\SysWOW64\Nfpnnk32.exe
C:\Windows\system32\Nfpnnk32.exe
C:\Windows\SysWOW64\Nokcbm32.exe
C:\Windows\system32\Nokcbm32.exe
C:\Windows\SysWOW64\Ndjhpcoe.exe
C:\Windows\system32\Ndjhpcoe.exe
C:\Windows\SysWOW64\Noplmlok.exe
C:\Windows\system32\Noplmlok.exe
C:\Windows\SysWOW64\Nejdjf32.exe
C:\Windows\system32\Nejdjf32.exe
C:\Windows\SysWOW64\Oaqeogll.exe
C:\Windows\system32\Oaqeogll.exe
C:\Windows\SysWOW64\Oacbdg32.exe
C:\Windows\system32\Oacbdg32.exe
C:\Windows\SysWOW64\Ollcee32.exe
C:\Windows\system32\Ollcee32.exe
C:\Windows\SysWOW64\Olopjddf.exe
C:\Windows\system32\Olopjddf.exe
C:\Windows\SysWOW64\Ogddhmdl.exe
C:\Windows\system32\Ogddhmdl.exe
C:\Windows\SysWOW64\Panehkaj.exe
C:\Windows\system32\Panehkaj.exe
C:\Windows\SysWOW64\Pkfiaqgk.exe
C:\Windows\system32\Pkfiaqgk.exe
C:\Windows\SysWOW64\Penjdien.exe
C:\Windows\system32\Penjdien.exe
C:\Windows\SysWOW64\Pkkblp32.exe
C:\Windows\system32\Pkkblp32.exe
C:\Windows\SysWOW64\Pdcgeejf.exe
C:\Windows\system32\Pdcgeejf.exe
C:\Windows\SysWOW64\Paghojip.exe
C:\Windows\system32\Paghojip.exe
C:\Windows\SysWOW64\Qdhqpe32.exe
C:\Windows\system32\Qdhqpe32.exe
C:\Windows\SysWOW64\Qmcedg32.exe
C:\Windows\system32\Qmcedg32.exe
C:\Windows\SysWOW64\Amebjgai.exe
C:\Windows\system32\Amebjgai.exe
C:\Windows\SysWOW64\Amhopfof.exe
C:\Windows\system32\Amhopfof.exe
C:\Windows\SysWOW64\Aoihaa32.exe
C:\Windows\system32\Aoihaa32.exe
C:\Windows\SysWOW64\Aialjgbh.exe
C:\Windows\system32\Aialjgbh.exe
C:\Windows\SysWOW64\Bmhkojab.exe
C:\Windows\system32\Bmhkojab.exe
C:\Windows\SysWOW64\Bgmolb32.exe
C:\Windows\system32\Bgmolb32.exe
C:\Windows\SysWOW64\Bjnhnn32.exe
C:\Windows\system32\Bjnhnn32.exe
C:\Windows\SysWOW64\Biceoj32.exe
C:\Windows\system32\Biceoj32.exe
C:\Windows\SysWOW64\Cfgehn32.exe
C:\Windows\system32\Cfgehn32.exe
C:\Windows\SysWOW64\Cbnfmo32.exe
C:\Windows\system32\Cbnfmo32.exe
C:\Windows\SysWOW64\Chkoef32.exe
C:\Windows\system32\Chkoef32.exe
C:\Windows\SysWOW64\Caccnllf.exe
C:\Windows\system32\Caccnllf.exe
C:\Windows\SysWOW64\Cligkdlm.exe
C:\Windows\system32\Cligkdlm.exe
C:\Windows\SysWOW64\Caepdk32.exe
C:\Windows\system32\Caepdk32.exe
C:\Windows\SysWOW64\Cfbhlb32.exe
C:\Windows\system32\Cfbhlb32.exe
C:\Windows\SysWOW64\Cahmik32.exe
C:\Windows\system32\Cahmik32.exe
C:\Windows\SysWOW64\Dkpabqoa.exe
C:\Windows\system32\Dkpabqoa.exe
C:\Windows\SysWOW64\Dajiok32.exe
C:\Windows\system32\Dajiok32.exe
C:\Windows\SysWOW64\Dbkffc32.exe
C:\Windows\system32\Dbkffc32.exe
C:\Windows\SysWOW64\Dalfdjdl.exe
C:\Windows\system32\Dalfdjdl.exe
C:\Windows\SysWOW64\Dkekmp32.exe
C:\Windows\system32\Dkekmp32.exe
C:\Windows\SysWOW64\Dlfgehqk.exe
C:\Windows\system32\Dlfgehqk.exe
C:\Windows\SysWOW64\Denknngk.exe
C:\Windows\system32\Denknngk.exe
C:\Windows\SysWOW64\Dpdpkfga.exe
C:\Windows\system32\Dpdpkfga.exe
C:\Windows\SysWOW64\Dilddl32.exe
C:\Windows\system32\Dilddl32.exe
C:\Windows\SysWOW64\Eceimadb.exe
C:\Windows\system32\Eceimadb.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 140
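The process list above is a chain of dropped executables, each started by the previous one, and the report flags "Suspicious use of WriteProcessMemory". The memory dump names listed under Files below (`memory/<pid>-<n>-<start>-<end>-memory.dmp`) let you check that signature against the dumps themselves: every stage has its image mapped at 0x400000-0x435000, and most also have a second private region of exactly the same size (for example 0x2A0000-0x2D5000 for PID 816). The script below is an added example, not part of the report: it parses those dump names, groups regions per PID and flags any PID holding a non-image region whose size equals the image size, which is consistent with a stage writing a copy of its own image into memory. The sample lines are copied from the dump names in this report; treating 0x400000 as the image base is an assumption (the default base for these 32-bit PEs), and the size match is a heuristic, not proof of injection.

```python
import re
from collections import defaultdict

# Sandbox dump naming: memory/<pid>-<seq>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Assumption: the dropped 32-bit PEs are mapped at the linker default base.
DEFAULT_IMAGE_BASE = 0x400000

# Constructed sample: dump names taken from this report's Files section.
SAMPLE_DUMPS = """
memory/816-0-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2724-14-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2724-21-0x00000000002A0000-0x00000000002D5000-memory.dmp
memory/816-13-0x00000000002A0000-0x00000000002D5000-memory.dmp
memory/816-12-0x00000000002A0000-0x00000000002D5000-memory.dmp
memory/3004-41-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2888-40-0x0000000000220000-0x0000000000255000-memory.dmp
memory/3004-49-0x0000000000220000-0x0000000000255000-memory.dmp
memory/1892-55-0x0000000000400000-0x0000000000435000-memory.dmp
"""


def parse_dumps(text: str) -> dict:
    """Return {pid: {(start, end), ...}}; repeated dumps of one region collapse to one entry."""
    regions = defaultdict(set)
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue
        regions[int(m["pid"])].add((int(m["start"], 16), int(m["end"], 16)))
    return dict(regions)


def find_image_copies(regions: dict, image_base: int = DEFAULT_IMAGE_BASE) -> dict:
    """Flag PIDs that hold a second region exactly the size of their mapped image.

    Heuristic only: a same-size private region next to the image is what a
    self-copying stage (WriteProcessMemory of its own image) leaves behind, but
    a legitimate allocation of the same size would trip it too.
    """
    findings = {}
    for pid, regs in regions.items():
        image = [r for r in regs if r[0] == image_base]
        if not image:
            continue  # no image region dumped for this PID; nothing to compare against
        size = image[0][1] - image[0][0]
        copies = sorted(r for r in regs if r[0] != image_base and r[1] - r[0] == size)
        if copies:
            findings[pid] = {"image_size": size, "copies": copies}
    return findings


if __name__ == "__main__":
    for pid, f in sorted(find_image_copies(parse_dumps(SAMPLE_DUMPS)).items()):
        regs = ", ".join(f"0x{s:X}-0x{e:X}" for s, e in f["copies"])
        print(f"PID {pid}: image size 0x{f['image_size']:X}, same-size region(s): {regs}")
```

PIDs that appear with only the 0x220000-range region (2888 in the sample) are not flagged, because without the image region there is nothing to compare against; when triaging a full report, pair the PIDs with the process tree so the flagged regions can be dumped and compared byte-for-byte against the dropped EXE.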
Network
Files
memory/816-0-0x0000000000400000-0x0000000000435000-memory.dmp
\Windows\SysWOW64\Jcdmbk32.exe
| MD5 | 8ecc63efc012f9d0e8e15b966fb7053c |
| SHA1 | ea0082d8b8c5fa63c8f1e142e1cf49020047248e |
| SHA256 | 5a73bd6071e54aab5cdc5fc11a0af50c0c884d631295712c664ab3a01f6b9b2f |
| SHA512 | dd54ef4a89e6727ee8fb8080febedffb3ea58f71a626dd96b28f5c1236061a56026ca51969f70d6343d9eeed0752d9b9c745bb46f5330c33e1e9dfb8fb440e04 |
memory/2724-14-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2724-21-0x00000000002A0000-0x00000000002D5000-memory.dmp
memory/816-13-0x00000000002A0000-0x00000000002D5000-memory.dmp
memory/816-12-0x00000000002A0000-0x00000000002D5000-memory.dmp
\Windows\SysWOW64\Jcfjhj32.exe
| MD5 | 95b214bd445e062cfee165bc3499e9c3 |
| SHA1 | 4d2f396d3af295ae59d092f041b5489ddce91f02 |
| SHA256 | 89971e5776060de2e9dbaa7f7df67ff34fb8d9f5a0737d0dfbc6b0b9177a085e |
| SHA512 | 9beff3f9f717fca990776eef352f9192aabfab54dd33c12b080ee7fb050cf04bf77d30195788e8f7a95d58215964b7552a8dd332573b2f19d57fa589c8c3c7a1 |
\Windows\SysWOW64\Kkckblgq.exe
| MD5 | 2778618c8f00c7480e37779cf39540c9 |
| SHA1 | bfca288471a395f4d40515adf7182d00126f2382 |
| SHA256 | 2f6c5903f4b5621c1491ee13993e621fcb32ff41dda72f77483b1a2c5e0cf096 |
| SHA512 | fc49e0f11f75b947cec216bc2f946ec7f248678895e572c3acbc3329c6aa0136b6af41243978b774a3bba6c56bae2221e8b0891522ad05d12d6ffaa229707a21 |
memory/3004-41-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2888-40-0x0000000000220000-0x0000000000255000-memory.dmp
\Windows\SysWOW64\Knddcg32.exe
| MD5 | 8697856f1fba22b8c1ac58fc846adb10 |
| SHA1 | 21b591f92dd7d5c6b63cbb005deb7a4ef2649d5d |
| SHA256 | db19fcd558c848f1378eed2220b6d2f5aee7002649c6202734be0b36157f0271 |
| SHA512 | 51207f732fd5911fd50dbfbc5af40d8d9cda2b4e0cb848dc866ffb22890b338ec66de5dc6e97139247a9e8890487e6afe3fb2ef7f5c0f47e55b68d90a6213a5a |
memory/3004-49-0x0000000000220000-0x0000000000255000-memory.dmp
C:\Windows\SysWOW64\Gigpekfk.dll
| MD5 | b15f75c3eae57178fcb1f356675450ae |
| SHA1 | 8fdd5f70a1464d1dd01770b35444524a46836d93 |
| SHA256 | 0f82a87d26391b760f6cbb86f28d20f99172dcd5fcb88b7105248f2579102501 |
| SHA512 | 257ebbe5b00e6f1b46ba1dd4e3fc37ec550f23f89fcab3df4cbf7ebec1c4eeb0ab87a47ac71db2ed91076ff44510a469851ef267f55c41efe8e9ba28a51ebe95 |
memory/1892-55-0x0000000000400000-0x0000000000435000-memory.dmp
\Windows\SysWOW64\Kjkehhjf.exe
| MD5 | 88dd34788e8081d6b491c6a3951aa381 |
| SHA1 | 2c8bfc0c0021f64e92cc403b1c7a480144362537 |
| SHA256 | c888ed4d7bbc4c86350fab5c55445b560800b77f0858885c98ddbbcd4d24ec39 |
| SHA512 | 5697fc6210d1048ba6d0bfac1d975c1aa5dd87e858c03d6260c4d4fbbf6605f825b0f795eb51d934a440471c482d58a7f0230d0cc100d7680c7d45d01889fb38 |
memory/2800-68-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2800-76-0x00000000002B0000-0x00000000002E5000-memory.dmp
\Windows\SysWOW64\Kninog32.exe
| MD5 | fe985ebcdc4af1a20e6367952c8e0518 |
| SHA1 | 1d6bdcb83e6a4fff3776a48c8205002ce7945a7b |
| SHA256 | 2a9ff1f7e2e1b7b12a5f9462b949d721bd8349ec15f489c10adb2ed844c33bcf |
| SHA512 | b361bb25e92bbbac6ff4a360fa2d7f4abcad61ee81cbe4074e4d4fb86f5f49be7867df46726b1015e4add07ec76ebf061d0f42041bece37b262b5ac2e255d3f1 |
\Windows\SysWOW64\Lfdbcing.exe
| MD5 | f48c80cbc50bf741b370e89328549bdf |
| SHA1 | 6da98e62670b3342a43981384146ee4c18a124b9 |
| SHA256 | c1754a9f610de3ac249b02f216592ffde6cc223b1780b39844369df7bc15011b |
| SHA512 | 9c7c2baec95d873c4a14399b415a1f1ccfb33beec7e235a90553cf713341501fa1f647c505b0bbcc8fcc647e58335d1c5d0c52a6373c50fed846065f99028f37 |
memory/2796-94-0x0000000000270000-0x00000000002A5000-memory.dmp
\Windows\SysWOW64\Lffohikd.exe
| MD5 | 3d330db4dff8f320f2e37fc64edae9f0 |
| SHA1 | 349ebc2f081f9516a897805d59d752cb8b46ad92 |
| SHA256 | aab8fcff39042ab22eb45b0e985d3ca04c487d98e2942b636465c4d88f372a74 |
| SHA512 | 4023f6945355b856ce30919e87671804d943175f75660a0610c9defc05169673e421069aaa862132bb2a882065ce090a7d3c813cdc297252981923d68871a4a0 |
memory/2428-103-0x0000000000220000-0x0000000000255000-memory.dmp
memory/736-108-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Lkcgapjl.exe
| MD5 | 9cb5a65e0c542c2e61c9f14954c9f4ac |
| SHA1 | 31246b4cb864c64822fa1e9a35f4206feffce2bd |
| SHA256 | 147eb54c3550adaca603abbf212eb6b2bdcc1b8e040d9df803612fb1a0e8fcbf |
| SHA512 | 7584e9d584e5b18302f1de27a06311d7b3ce6eebddbc3774e7eaebc2d0beeb845ba0c06b3708585e26f78a10fdc05d3471a5ac3bb3481ec8c3c24df8e09eb7de |
memory/2828-121-0x0000000000400000-0x0000000000435000-memory.dmp
\Windows\SysWOW64\Lkfdfo32.exe
| MD5 | 8ca0a62414d7fae798d8b3b3e8bc9ce7 |
| SHA1 | 3cd3d8b581289425abff616e0204effe3d18c668 |
| SHA256 | f9146b3ef514433c5c74a53fdb050ad66a9a2caba4aed77eb6aa459cd29f0fbf |
| SHA512 | 75fd928a00fea2c107fc18c7f6f33e94c683a3b8b0693398aab85e3cdcad2a7e501e3f2026c59427397a69eab93e562e8c3dd8cba154d2ddfde6c325763093f1 |
memory/2828-133-0x0000000000220000-0x0000000000255000-memory.dmp
\Windows\SysWOW64\Lijepc32.exe
| MD5 | 5d65009501992f2343d0b5530f7dbe69 |
| SHA1 | c2ca11cede6aaeea44c4993304b6fff44a89cea9 |
| SHA256 | d36a1345f58eb72692f49cc86b90c23ac8e06a428a5da62fb38ebde3f48f2808 |
| SHA512 | d695ce7d0b73707fa875e71716fddbcef5eea2fa0c595999f1f01ab19e7aaa244877d7538484b3bd100f4eb719090a9474d2bd26c06b337e9cbadba2606ba4d6 |
memory/2044-143-0x00000000001B0000-0x00000000001E5000-memory.dmp
memory/2684-148-0x0000000000400000-0x0000000000435000-memory.dmp
\Windows\SysWOW64\Mgoaap32.exe
| MD5 | ebd41d0aa4eca9cf297e9ea4331da2ee |
| SHA1 | 832fd87e7da80373d92acfb3817dbcc3d220c868 |
| SHA256 | 043768bbc37cef60f21e8bf0ee5124dfb1e6106549d6eac8e59307a8b43b6728 |
| SHA512 | 34380fc57d2d575e6e56b47701d8c51b511f35e649b51b5ae09c906509b335fe6a6cee59151a9f29282a84b19c2840e04590077c34bdc60d3b5c57c6f5a6bb00 |
memory/2104-161-0x0000000000400000-0x0000000000435000-memory.dmp
\Windows\SysWOW64\Mcfbfaao.exe
| MD5 | c7ccbf772596480784e84d80a437b511 |
| SHA1 | 45987a7b2c41f9de23a489f80a6751d5b230f458 |
| SHA256 | 919c10ec785d3ca51e2845ee068fd8f4224fbc87adc8c76527f004f2e29f475b |
| SHA512 | 8259422bcf1f6eacdcaeda3c1f21d75e6a17a05880f2df9873ed327462198f4e73a6d0fa9af028198f9183ed5828a86796d0ff5f35a92360954d8d390f6b6dd0 |
memory/2104-169-0x00000000001C0000-0x00000000001F5000-memory.dmp
memory/2960-175-0x0000000000400000-0x0000000000435000-memory.dmp
\Windows\SysWOW64\Mhckloge.exe
| MD5 | 5a578e0d1d31fea083f2d475936066a4 |
| SHA1 | 9241bad84ad2864167cfaff859bcc5f63ccd3756 |
| SHA256 | 72d9eebe3f6e4467e0612393b9d31f77bce53811d8548c2b74e8365ae1e73345 |
| SHA512 | 69f39a0b2e98de0f947c16eb8d7187e606dfe140c22d50b37f049a8c1c013b1dc960e5c5466fb84ae0cfc22dedb6e892b92d2dec9a23bb641f68b571d19a12ac |
memory/2960-182-0x00000000003C0000-0x00000000003F5000-memory.dmp
\Windows\SysWOW64\Mfihml32.exe
| MD5 | 98c0d304a420f0cbcc58e265d63d6ef8 |
| SHA1 | 6a2a6580456fca98eb1c8fdf03c705d6a1d7f535 |
| SHA256 | ee3ef13ebb2dcc6497bc7af412b2b76f2f48a452e9cd78fa8a44a26d78908891 |
| SHA512 | ba63224c5faffb8d0270bd8f98f90bc1651f3fcee5ef343e92d09b898fc1ffdadee1050028b75211438dd33b64660975cda80bf207463d37bb5a0d42b9df2172 |
memory/1960-201-0x0000000000400000-0x0000000000435000-memory.dmp
\Windows\SysWOW64\Mmemoe32.exe
| MD5 | 968eb2e0149e96aa3b068d39602cc48f |
| SHA1 | 8d0b7d6de9756177d8341fb765b4ad72b35d22c9 |
| SHA256 | 500a8a1f70b58b18514748f479bea438f37a776aacba643b2f2c1bae59f7d683 |
| SHA512 | cb6127d8c829bd713887e276d75a89f0b1625a8e753827ed1f555aa263ac237f2efe3acabd21acbdf7a1bee2638c8c0b818705449d3cfec1a4760a6cca340425 |
memory/1960-211-0x0000000000230000-0x0000000000265000-memory.dmp
C:\Windows\SysWOW64\Nmgjee32.exe
| MD5 | 2a930a67147b97dbf6d875bf9bd193c1 |
| SHA1 | 7566c205e6071886fc2a914936da64e158bb2256 |
| SHA256 | bdcf34e6800d618e26ff2108dde695d289e93dc7d77e8d697e0f1a2ab2f0bcc6 |
| SHA512 | 213ab00a26b87e083ebb193ee5ab9c49c461ce68226c2a752e8c7b52233fa91403b1214c6b0d5f209b24487a5f8bd70a8c8e6ebedd2342f2dfe461fa0048a6a2 |
memory/2516-224-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2516-230-0x0000000000220000-0x0000000000255000-memory.dmp
C:\Windows\SysWOW64\Nfpnnk32.exe
| MD5 | 466870559ffa13df273fa4ff3c022f98 |
| SHA1 | 4d0155e3f1199972183ac358dbe67f2cc7cc516c |
| SHA256 | 8a1dd49060bb63a0a8f4537dd576ca1813d0a5dffca0f64bf4db39e1111fa160 |
| SHA512 | f76ac97960667223fc6df4ddc51e868c7219ba3ca32eb7749c76367568b4bce23fd7c31ba10ada42921e9d92223bb391b31bbf8bc9f09614826b42e38117dab2 |
memory/1500-238-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1500-240-0x0000000000260000-0x0000000000295000-memory.dmp
C:\Windows\SysWOW64\Nokcbm32.exe
| MD5 | 364286305b618cb3c5357d59cf4d7fc7 |
| SHA1 | 64c7b69060190eacb68922ad05ce958f55341b10 |
| SHA256 | a673d2aceb9b061df0b284ef792bab82ae35c7536668dcca37b32285a094326e |
| SHA512 | ce4d30690c06ebc903418b01847f8e1913325492baa9711e04138dcae100c63cbfcb1627aa2ce4a06b0e8439f88aa56ae7ffdf06568dfad4a38f1657389d9b1e |
memory/2332-252-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Noplmlok.exe
| MD5 | 37f4118059993e4566e58d423a257bd9 |
| SHA1 | f47314168b7b2e31674b16da9b03103b58ff8c2a |
| SHA256 | 6f64c6ca2f3d93d9c59e2d822a88a790cf762049b8b2d7051cc2db1f21b628eb |
| SHA512 | 6ffe61613f9c3799455c0de32d7d08ce3adf2189c719863e873773a2cdbd1ebf20736ec4396c5c6243de49dd3173dbe2c56cc5f6606f0104c9b0087200392a6f |
C:\Windows\SysWOW64\Ndjhpcoe.exe
| MD5 | 4a94b0a919a0c897ed5cdfb20a7855ee |
| SHA1 | 8dada736e7bb4060c5b556a896560859c42802ad |
| SHA256 | f6f7a1cd40e24b30eb3450b89b62f85d9a45fbda3dcccec025c9c1d3ad40602b |
| SHA512 | e913f7f0b34f7b47b155978de223d23b79b86262f62a1501b385faab58da141f41407591848283fee417c7223dfc61ad39bff0c3f57527bc82b69309d2b59309 |
memory/1064-261-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1064-267-0x0000000000220000-0x0000000000255000-memory.dmp
C:\Windows\SysWOW64\Nejdjf32.exe
| MD5 | 0c1a2eb185d0c7ecec7a89663a00ade6 |
| SHA1 | 08f5258a43e4dc4811ee4eace73ec62d8a85d227 |
| SHA256 | 082e850a022aab74083b0aae3530f391399df20fda109b800e976ac09de260fd |
| SHA512 | 14cb82aa444c8416e065e2687ea9e7e8ac76fd01ac106592f6bc49f2b3dc7b54bf1c31bbc15bc60d1eee20e9f6b9550701d97732181d4933349d8e894c75a693 |
memory/2352-271-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2352-277-0x00000000003C0000-0x00000000003F5000-memory.dmp
C:\Windows\SysWOW64\Oaqeogll.exe
| MD5 | 6957e1f4030e6e9e4fa7e66d6346b012 |
| SHA1 | 108ac9610e7da470cb71ec4a11ec1ce8ffe594cd |
| SHA256 | d341a66d89f72a4be5af286f81f93accae560690119fad3b337eeba123587bd5 |
| SHA512 | 162c19b149d6a744b8f716fc4c193cc8ab94abfee92d4e7af09742c0fa809206c8347c394aacf9b324d598f13b8b8489f014eda441daafb0111c36e5fd96ca0a |
memory/2352-281-0x00000000003C0000-0x00000000003F5000-memory.dmp
memory/2124-287-0x0000000000220000-0x0000000000255000-memory.dmp
C:\Windows\SysWOW64\Oacbdg32.exe
| MD5 | 2794527f307e4c4b4c5796653e49c4fd |
| SHA1 | e984385719ba086109add72382153d10d30cce74 |
| SHA256 | 87bbb96ae8a93ce2a02b6cb503c46a4091e816fef6473e3d97f0b2b8724eb6e3 |
| SHA512 | b8bf7d6a7b430137275f7cd83a4aca11f5706eacb6626c6a0ebec9d43f8660d7c0f89e788ad740635eaa1bfcde8f8e913da42a32bac57024d7ffd7a198ed16b2 |
memory/2124-291-0x0000000000220000-0x0000000000255000-memory.dmp
memory/1712-292-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1712-298-0x0000000000220000-0x0000000000255000-memory.dmp
C:\Windows\SysWOW64\Ollcee32.exe
| MD5 | 9c45b5cc9c052b6318290af10092f0ff |
| SHA1 | d206ce0a260c3ca11e320e34ae64c983261b3333 |
| SHA256 | 1fd037dc8c5cab1793421618e53454a4c4da875d4c67947429c22d9a52285157 |
| SHA512 | b3195327e811254e3e8ded55b7ad86b8176236ea2ada00957714cd5e0f3cf11c50116087ec28999525b3b1c1fa15de9d1484735ece149389ab830a0d2891be7d |
memory/872-303-0x0000000000400000-0x0000000000435000-memory.dmp
memory/1712-302-0x0000000000220000-0x0000000000255000-memory.dmp
memory/872-304-0x00000000005D0000-0x0000000000605000-memory.dmp
memory/2296-306-0x0000000000400000-0x0000000000435000-memory.dmp
memory/872-305-0x00000000005D0000-0x0000000000605000-memory.dmp
C:\Windows\SysWOW64\Ogddhmdl.exe
| MD5 | 53b835946399bce1b5f215d12e6774a3 |
| SHA1 | 1dbf15616e4338f79d56bdcf798a1999ab34bf0a |
| SHA256 | 3b25e32d418f458d87d3b5f3d8e0bcad51dc192fb5cc86ff94f3dda719b16599 |
| SHA512 | 23bd81c20778f1d2766835f0babaf2147297a214873068997c680df9992e7489dcd32f3b9771030dcfa2f1643ebbe9eccc43324c4309164b4ac6eabf7cb7354c |
memory/2296-312-0x0000000000260000-0x0000000000295000-memory.dmp
memory/2296-316-0x0000000000260000-0x0000000000295000-memory.dmp
C:\Windows\SysWOW64\Panehkaj.exe
| MD5 | dc6d62249447b3a9acb289941e300a6d |
| SHA1 | 90c43fbffa4634a4ee1f4d207ac57a7f9b0d9200 |
| SHA256 | b5fc3d3209765425e941f040243b025a9ffe66c856feb542d2838c797bc310cf |
| SHA512 | cff2b4937b9217b4071ae62687ee61400671b8da79be4b4d315e289dd986fb88864d33f566039cb2ae7a5d836b3bacfb13176077e2b8e01200aec8f8c1b6c877 |
memory/2116-331-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3020-338-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2116-337-0x0000000000490000-0x00000000004C5000-memory.dmp
memory/2116-336-0x0000000000490000-0x00000000004C5000-memory.dmp
C:\Windows\SysWOW64\Pkfiaqgk.exe
| MD5 | 039410b3149bffce7215a2dbd139b6ed |
| SHA1 | 52927e91ddfbc9e58fec167abaf8d3245c084a16 |
| SHA256 | 2baa390c0e44a38e4441f5beef7764aab44901c84e50a81c59804159fe42bcf5 |
| SHA512 | b4fe2d22e5d7adb6677dc23167b889023ca8e06794c349efc40f0d1996a3d9fbf01487436e155fea9e0e9875a1041844a195d10b4c5091972f7ff35640bf4a85 |
memory/832-326-0x0000000000220000-0x0000000000255000-memory.dmp
memory/832-325-0x0000000000220000-0x0000000000255000-memory.dmp
memory/816-344-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2724-350-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2784-355-0x0000000000400000-0x0000000000435000-memory.dmp
memory/816-349-0x00000000002A0000-0x00000000002D5000-memory.dmp
memory/3020-348-0x0000000000220000-0x0000000000255000-memory.dmp
C:\Windows\SysWOW64\Penjdien.exe
| MD5 | bc1d11ca9e622d7cb8f412fceffadc9d |
| SHA1 | d3ce029c13b81851e165738f70248779c5f8cfce |
| SHA256 | 7311feb025899558180027a7643064a3b75b197588dbcaf42cd7c83f328d2827 |
| SHA512 | 23b2b40756f58cc3b14538331256ead9ae49f0efffa08b2e9f409bbd756869583afa6afa6c02901066a726225328d2b25b3a48dba418f36f45ea53dc57016153 |
memory/2804-360-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Pkkblp32.exe
| MD5 | 94586d0d9cdf626bc77938568f022e44 |
| SHA1 | abbb4991e97ad67d79c1e6ba63f7ed606b042b37 |
| SHA256 | 2cec28de7587d60c03a78035170fd5c5db9eae737a75a1ef2b552a7fea6a1490 |
| SHA512 | 267955039f536d7f26553a3ccd16a1449b39862d6447ce194a6c389508371c37a8df942cdd0aea83043ba69a96862410233c545d1b967f437cdb30c1f94a517e |
C:\Windows\SysWOW64\Pdcgeejf.exe
| MD5 | 62aaf9dbc1b6eac903b92d54b04831f2 |
| SHA1 | 458891583126a6cbea5ffea12ff30db62823cb59 |
| SHA256 | 23a4c8e8cd219146fd34ef2581eee354c2ac72905c505ad5da9d2073eba61dd6 |
| SHA512 | f8388be0e96b83afc41795b04527c0637cbef60e45c07dca78f5527aba3ef13f6d6163c96015c80146f9ba31ab60601fb1dd3bf862473dc2121dc7357c7dcf6c |
memory/2888-369-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3004-374-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2804-380-0x0000000000250000-0x0000000000285000-memory.dmp
C:\Windows\SysWOW64\Paghojip.exe
| MD5 | 44455e2fd8130b1163c0e137b6c5e9ce |
| SHA1 | 10928c6222869e81369d2581f58faca5d9b8b2c9 |
| SHA256 | ef1cdaef4c03d33c23c75403f9bf484c5566d70f02d2fa13e6e1c84cba3f318a |
| SHA512 | 3cffd2f6141992eae2ae054f651fe5f7c91fdcc0d705c3829ecab6eb41cc0dcd1aac09146268a0550b2a5b43c668cdf0560c01b7de8aea0fcfc0e9b1affa53d9 |
memory/2804-376-0x0000000000250000-0x0000000000285000-memory.dmp
memory/2824-381-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2900-382-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2900-388-0x0000000000220000-0x0000000000255000-memory.dmp
C:\Windows\SysWOW64\Qdhqpe32.exe
| MD5 | 747497df4b70d2ce6485ec0e8dd74645 |
| SHA1 | 781fc5581989d3b4ffe8c96d6ad5d5f21784749e |
| SHA256 | 5fa27676f361c62ea519ef0bd83732f10beb801f5c646ba25836bd648189e85f |
| SHA512 | 22bc791d36d8da9b69925306c2ae0589faebc7304abecf4d21f89519712c318961f4fa2edfc0cc2878773c3a16d3e74d9100463f6329e11492e105f678078bf7 |
memory/2900-396-0x0000000000220000-0x0000000000255000-memory.dmp
memory/2312-398-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3004-399-0x0000000000220000-0x0000000000255000-memory.dmp
memory/1892-403-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Qmcedg32.exe
| MD5 | 8e0554f396e53a53c5d87d77ebaf33ca |
| SHA1 | 1ca50f85c2645a3a3f4fc0cfae37cb70e623554c |
| SHA256 | 1de3f5ee116421ce1e19214403b248e0ec857786d49a9d4cbc131a44b5dae150 |
| SHA512 | 03d138866e1f684c681a889d0c4168430e58fbd8a45c24e1609006390b7baf6d7976fb1466d42a62c61c0200b35702223538fc34331e0d6290d5561f40541009 |
memory/812-404-0x0000000000400000-0x0000000000435000-memory.dmp
memory/812-410-0x0000000000220000-0x0000000000255000-memory.dmp
memory/616-415-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2800-414-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Amebjgai.exe
| MD5 | cfb5eb98171b083ec7ea834502ccb240 |
| SHA1 | 9d7bdd5acb7d44a536d2fdb168fc653328b4d146 |
| SHA256 | 7f7603f3ee382a4dce2ce2dbd7e75b0a14dc5f3f46c44a0408037985bc872975 |
| SHA512 | 65f4efbc327dbdac59e19a57956cdaa8793fa5e8302488c6a915942ae55b554e542d8a0ea96c565bb738dadbb48e612c412252df6ce70d5a91b1051341bd0d31 |
memory/2796-425-0x0000000000400000-0x0000000000435000-memory.dmp
memory/548-426-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2428-424-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Amhopfof.exe
| MD5 | 3ee806d889c0cce04f6d47ac093c6011 |
| SHA1 | 9645983d5c95f2d4eab0f75bd9c6ebeeea636f48 |
| SHA256 | 9a0cac61a1badee0dfb8b37cc056ae51ec497491c73d9429f15a8e3e05c8d189 |
| SHA512 | 09e5c38b2248cdaaf96774ef03d9b85e65a023da834655e450c36bb3ae395f044dddf67ec5517b248820384d33bbcc3c0e864a1749c4ef2663c99acae9fe59ce |
memory/2428-432-0x0000000000220000-0x0000000000255000-memory.dmp
memory/3048-437-0x0000000000400000-0x0000000000435000-memory.dmp
memory/548-436-0x0000000000220000-0x0000000000255000-memory.dmp
C:\Windows\SysWOW64\Aoihaa32.exe
| MD5 | 640cc21672476e63f251826ed67882c1 |
| SHA1 | 7e3eed4a3861660eb5262261736ee879577c3ad4 |
| SHA256 | 746b3dc6729e9eefe36980b28d9b91a7af958b26178b4ddbba34eee509fd99e0 |
| SHA512 | 1986b398904c2b648fcf34c878ed604c942e4b4d21690f4cac03012afe7c64b8a068dc9edf13a3eedc75c27f2d9a7810f8fa2e5d693d13b131bdbbcfec4f7d75 |
C:\Windows\SysWOW64\Aialjgbh.exe
| MD5 | a58d5e81fba5617e62ba17a3ab8f5c3a |
| SHA1 | 9e7be3bc5c6532447d769cc3bf07daf94ee43730 |
| SHA256 | 7e6eaceca1fdf01aafe70c79bf79ad8e2aaa4c198af3763abb4d6a779fbf0089 |
| SHA512 | b832890e63d8a4c6fb50a00e37502945f21ec0a48d74328fc0d3ae71378a1be71e8908a29734a11fff237158fe1f6597f0abaf7c9b278e3fd3cf0165f5d42c24 |
memory/3048-443-0x0000000000220000-0x0000000000255000-memory.dmp
memory/2828-448-0x0000000000400000-0x0000000000435000-memory.dmp
memory/736-447-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2828-463-0x0000000000220000-0x0000000000255000-memory.dmp
memory/2140-458-0x00000000001B0000-0x00000000001E5000-memory.dmp
memory/944-469-0x0000000000400000-0x0000000000435000-memory.dmp
memory/944-468-0x0000000000220000-0x0000000000255000-memory.dmp
C:\Windows\SysWOW64\Bgmolb32.exe
| MD5 | 1a8e2da315da2e5cfd23b1f5c8daebd6 |
| SHA1 | 0dea34d072da34a3fff9551878bd7bbdf9d83acd |
| SHA256 | 0dcffba0413f84836490c5130aec16c965086ba17d09b308b4ca6a8221f49077 |
| SHA512 | 587e3a56f5526ee27276004dee27438833e6573ddeef7d96924f47fae11c1a965ff08389ca60a4d3606757e7439c3250ff1b5b54096d34ce6976cf5b6c082049 |
C:\Windows\SysWOW64\Bmhkojab.exe
| MD5 | cfe629090df05b6bd0e3cefcc2fec699 |
| SHA1 | fda9c4c4cf51d4b7b086b9e1ce67b0eda126351d |
| SHA256 | e6788d385ba2e94c916faabb3a7e693d0efaef4f936e1b8d530145cafb9c8565 |
| SHA512 | b535e5723ceb5054d8a53a3486bfb219b70526a2c8e068e86b6f9d207603bfe4123d483eb6230a0ccbca474010160daeef01a9d37056f3e71a4a56168cbd2b38 |
memory/2140-453-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2044-470-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2112-472-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2044-471-0x00000000001B0000-0x00000000001E5000-memory.dmp
C:\Windows\SysWOW64\Bjnhnn32.exe
| MD5 | 5eb733d55c66bf37c773ea4c837015fb |
| SHA1 | 3021123343314a7fea0a2dd00908fb24a186f805 |
| SHA256 | 1d8243700dc6ef443ab2936b40031a7798daa71e0277e2746bdf9e400d3ee9b4 |
| SHA512 | be1660d12e8b538a19e8ed0ce84d78d0bcf0c542b549410d47c605d668d2b34e1b109200a2ff85ebd05a047c6b6a5be8f2e5a69736ee4757eaade2a88ace12ba |
memory/924-483-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2112-481-0x0000000000220000-0x0000000000255000-memory.dmp
memory/2684-482-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Biceoj32.exe
| MD5 | 202cd181acf1c80743db5930d0e3c226 |
| SHA1 | fa695e97ef5146cde88ca09ca57720660d7b467b |
| SHA256 | e919b7fdd1b186c926a8de0b1cfe686a6a5363d86e0a82fa0425c8b0963ef546 |
| SHA512 | 52035f0385ed77272692044def41f81f4211b3e9cee0b68672d6a3b0fc3909a5d038afb11b9f4c4dca43a9b0942cd8d47d016a9c43592b372b91c11ef05d0452 |
memory/1864-493-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2104-492-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cfgehn32.exe
| MD5 | ca554f26e6664fff6f9ccd62bb7b94e3 |
| SHA1 | d56925736e30dece1f7d4937339fcc90fcd32505 |
| SHA256 | de4986d147bfc5e75bcc9f0bed610f43e217912bf7387b3b62f20212fb8f5fd3 |
| SHA512 | 0ee41b6b48afc2bec80d9099676a29f82d42861c6c207d86c25856406447ec40e68f3a73155c5bb9a5cbf5ac557ddca20d4714da27362f455baee01c3bab6021 |
memory/2104-502-0x00000000001C0000-0x00000000001F5000-memory.dmp
memory/2104-503-0x00000000001C0000-0x00000000001F5000-memory.dmp
C:\Windows\SysWOW64\Cbnfmo32.exe
| MD5 | ee008392db9a9b3cd5383375f8b23b61 |
| SHA1 | 3a87557d553e5e6386c38c8f81b8d52b28039bd8 |
| SHA256 | 820966776048c37e903fdffa4d6f9f1c6ed49c544220e1da086ca69e66f15fea |
| SHA512 | 70f2a5ac31714063e54a333625cb9c5c23ba6c3021e5416dec9e2ba3350a3336347958a27bb0d8bb06f526a0bcf370b006c892ce1783efb9db503afc38eb8fd4 |
C:\Windows\SysWOW64\Chkoef32.exe
| MD5 | 044ca20052ae1394b02e242ea5dd3151 |
| SHA1 | ab0865727f0725179d1090477c282f5f74baf70e |
| SHA256 | 4af28330d12f2241bc7e54c4b043f8b9fdbdb5e2dca8d460c97324ad01a98b92 |
| SHA512 | 4d9cba1f6a589733dbd3ecd57063fb7425db01d22b05808dbc15f2e8e022e957b31b0ddb92e270911d8e6a27e7de6b52f45b9f8298b8fd99261d57c93a25fc43 |
C:\Windows\SysWOW64\Caccnllf.exe
| MD5 | ee6f933709728ec96fbb8964b60039a1 |
| SHA1 | 9c84fe8e8ddcc9bd9fdb6fdeae6b02f5f67f53ed |
| SHA256 | c0917325c104a107225e3130cb0c986bf4019ab103ad8ed9dea1a1a4a06fe511 |
| SHA512 | 8055246dd300aea6bc7182be620e96bc3105bb6862363713c61934798b49f501540647420ac6f0180bd51cc3828fb984892ef2b475bda43e4f3809c6c0eda8e7 |
C:\Windows\SysWOW64\Cligkdlm.exe
| MD5 | e188cc982c78b5cb24d029b31ca3b7e6 |
| SHA1 | 7eefb1c75927584a2f8dfe6590f753a9e9d13131 |
| SHA256 | 7e021863a567b1e2a53c77872054a4687cb4f024b2017062e2907533f6153b60 |
| SHA512 | 53038a51e9cfe44d78fa95625dae2edefafa2be30e6a5e62b1842d0bc663cbd5acc1bca5ae8a95dd132106a7053503eb97159289fae2e424c29b089506fcae01 |
C:\Windows\SysWOW64\Caepdk32.exe
| MD5 | 06bcb98667864ab5af4c80b51f1593b8 |
| SHA1 | c95c6bea222974c1dcb99bef83cb0e8c5620de9c |
| SHA256 | b50f67db5de1332aab956c9eee59527aa3401daebcc0ce1959a766db37965101 |
| SHA512 | b54d6d072b71e34d010a47b87b26dc1cc799834cf70ecc1c73273aae5ebccf0d597672331fde70c59935c87dd4120eb96485b082e84ad0b2a798c804f662f916 |
C:\Windows\SysWOW64\Cfbhlb32.exe
| MD5 | 8d78e9572e0136cd562adf09e8fc90f7 |
| SHA1 | 3d761da93aacd0e1d7c9b3aef4416cf1459be40d |
| SHA256 | 3dc334321b21ca1a7b61c290a337c774eb027b8510525a0693889542341f409c |
| SHA512 | cb6b06370f23f7cddb76c71d7f719549cdc5c711c1662409165edde9ac92cbe0b8d5245d254588e7ce383a396cdbbe032683160fe75e614d4ba3dc1efef05bb9 |
C:\Windows\SysWOW64\Cahmik32.exe
| MD5 | 16c3c4091fbca9728c4c8e3d3d1de732 |
| SHA1 | 0396898811c08c5c7d27a1b7b46be7fb0dc52a35 |
| SHA256 | 8785ec65173ce33a3b85e490401a82be521f0a7962c9d1bef21577d9df24f8aa |
| SHA512 | 6eafbc60ff870628c2803ebffdb1f6098cec8e4607387ceb8c76408c9c0b0290a37ec422d238e30d91ceedf2e57166a1b10f14176d7355284217faea8f1054c7 |
C:\Windows\SysWOW64\Dkpabqoa.exe
| MD5 | 3c300abb1b9f5e6f69a8159678f95687 |
| SHA1 | 60dd6bf6af3e96f9c71312b392dac2085008e5a4 |
| SHA256 | 377a7bbe3e41d783232d46a53d9117396b4f7ce1ff57522ec541a509260a3ad1 |
| SHA512 | 99a68528952ebb5ae9649b5ad85c19a3b9272a9131e742a500bd517525702d4762761ba77f17efad2db903b8f6469e6dbfbd1a475681b4e77731078e273dfdfc |
C:\Windows\SysWOW64\Dajiok32.exe
| MD5 | 6b50f081874a6e77276fa88102f12832 |
| SHA1 | a47d4065d5a99c5527e6ba8af2bad6d65cddf601 |
| SHA256 | 8a19aba11cc96d81bdf3269c48257e764493d9463da0a732b5a5bb9fa2bf3458 |
| SHA512 | 004daec373a66b9ba466bd9812238a179c32e8835718a99ebcb0244c3a51e4d10746d971952cc0df7b9c9db408d7022efc87a07079025928ba8666a7ef79501d |
C:\Windows\SysWOW64\Dbkffc32.exe
| MD5 | 39f5e9eb7b6493c9aafdea9d5ff172cc |
| SHA1 | 41ba5132674eab2fdd5b4eaff485f6a9b9ecddd5 |
| SHA256 | a06ffe22857e07a600783c3db71a794bc53ed216f9b158d17cfb0c244f242d44 |
| SHA512 | 79eac7cb315e2460192f26de47d7c14f232506b5258a1d0515c3c083086f92cdb784e8f3347e46ea9ff111605e53ae46dc0ec97fce6d7bec782c9119dcde22ba |
C:\Windows\SysWOW64\Dalfdjdl.exe
| MD5 | 96ced8f0c24438edb9dbc73d7192244e |
| SHA1 | a8f3f2a189d21c1a3f40d82274f92dcfa524863d |
| SHA256 | 1bf6ef1c15f85c5a48f18133bf0d0176589e487bcf5a35baab5f98d317269408 |
| SHA512 | 0379b89cd65f13d2bbe3d392324ad0b01d76e14fead25914ad687136cc84d5f936e1248074ce3c843d9a9e1c0cc4ace767bf078344683c72d3d24c221f5b34ee |
C:\Windows\SysWOW64\Dkekmp32.exe
| MD5 | 1b290c88d2b327e97c09468375754007 |
| SHA1 | a38a11f144eb47a42d2b28ac9192b52153a4e991 |
| SHA256 | b1572f05cf81a4b95352b0a385fed841b69a91c234355eed31367902287aea3d |
| SHA512 | 91951210678b3c6dba62985c2ac30abba1012112b0262f1c9803ce992ddbbd72ee196ac7ae58bc35a3d6d50ef19488122ec487a3bfc5a80f7a7a425ec5f92916 |
C:\Windows\SysWOW64\Dlfgehqk.exe
| MD5 | a1fc5ccb73a2cccce941145c64b7f060 |
| SHA1 | 9ccddd9ce96c2570b8a6127cfb5906bfd1c6324e |
| SHA256 | 949b90209f689eb92e2cddbc8b223b56ee342ed916a415086c1b9d2e09406b0b |
| SHA512 | 68780c77857cb8f23fcc5d84d9318193e0f3dcb0fe475d817c3d3ecdb32bdcb63f9a1b3d9fe6222cdfb0944be9a8edb0eff0ea64f27f68c8decd785bf404ed08 |
C:\Windows\SysWOW64\Denknngk.exe
| MD5 | e89c2f695e150a20f01af3cfc4654480 |
| SHA1 | 84a8b8293515eb8d57c0ac595ae50356895a1138 |
| SHA256 | a3144008b0d0c1e148598f850304f955304aa2e60d1c9104c2e7f033f09c069b |
| SHA512 | 52f101c71d52cde380fa4d3c33130c9919d25547a41388b00e36929464733469765b4c4a23819afbc8d8e8277b1e19cb891deb7c48426bdd3c758b3917ef7ad8 |
C:\Windows\SysWOW64\Dpdpkfga.exe
| MD5 | d50adbb7f6bb458e639cb3e122ec935b |
| SHA1 | 79b946dc3e7c4cf359c697961f1b0836131f21be |
| SHA256 | 10e6cb746160132a35787ceac4f7d718fa939890ac8dfe6923f89d6edd2cece8 |
| SHA512 | b78585f90bc1e5c5f575b1ad789711fc12c750a8c9b5dc71a6c0be8ac1b561b0c950331aa2b2b3a504c4ed1f305f7aba4888de9037d79c595baac88c4157d850 |
C:\Windows\SysWOW64\Dilddl32.exe
| MD5 | a3e80a56024e9dd79d0d5964f669c8b9 |
| SHA1 | b0c44afc485252fd000b5ea78a137cab1e29e2af |
| SHA256 | 8d51cf3625d8b38de5569a0dd15f807685837b6b5b50e2acb61577034b68f271 |
| SHA512 | 748e048b6cc92d100849cd1b9edefd25c1baf34ae85bc6bfed232fc2f78f40e41dd66373e9e7d01b3beb4f11f277b8179e830912c773e39a6646ded583cc313d |
C:\Windows\SysWOW64\Eceimadb.exe
| MD5 | e90dbcceb59d5ddc54545bd9bef746c4 |
| SHA1 | 93a381526260e7b34b5ae766cf7aae75af6bb49f |
| SHA256 | acff5f04de1b24b7b9126e4e219708f62dce479cec8bbce16baf618e29a9ad9a |
| SHA512 | 6a45d4a35cd0d9d0b732213745a94bf948925860806a7a6604fabe5dbd0156c5b698924d526e26be807056cb69377b2944faa67f0135a28ff7a0bdf9695c25fa |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 14:13
Reported
2024-11-12 14:15
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
96s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cabfga32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bapiabak.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmnpgb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cabfga32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfdhkhjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cfdhkhjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cagobalc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cagobalc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cmnpgb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bapiabak.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Cegdnopg.exe | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dkkcge32.exe | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| File created | C:\Windows\SysWOW64\Cabfga32.exe | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cdcoim32.exe | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nedmmlba.dll | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cjmgfgdf.exe | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gifhkeje.dll | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmjocp32.exe | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bnmcjg32.exe | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Banllbdn.exe | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Danecp32.exe | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ddakjkqi.exe | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghilmi32.dll | C:\Windows\SysWOW64\Cagobalc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dfiafg32.exe | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| File created | C:\Windows\SysWOW64\Kkmjgool.dll | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ddonekbl.exe | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfhhoi32.exe | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cndikf32.exe | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cabfga32.exe | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdcoim32.exe | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oammoc32.dll | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bapiabak.exe | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bapiabak.exe | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| File created | C:\Windows\SysWOW64\Maickled.dll | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cegdnopg.exe | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| File created | C:\Windows\SysWOW64\Nnjaqjfh.dll | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| File created | C:\Windows\SysWOW64\Mgcail32.dll | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Danecp32.exe | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mjelcfha.dll | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| File created | C:\Windows\SysWOW64\Ddakjkqi.exe | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| File created | C:\Windows\SysWOW64\Jcbdhp32.dll | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| File created | C:\Windows\SysWOW64\Caebma32.exe | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cffdpghg.exe | C:\Windows\SysWOW64\Cmnpgb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nbgngp32.dll | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ddonekbl.exe | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfdhkhjj.exe | C:\Windows\SysWOW64\Cagobalc.exe | N/A |
| File created | C:\Windows\SysWOW64\Ffpmlcim.dll | C:\Windows\SysWOW64\Cfdhkhjj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dhocqigp.exe | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| File created | C:\Windows\SysWOW64\Bchomn32.exe | C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmnbeadp.dll | C:\Windows\SysWOW64\Bapiabak.exe | N/A |
| File created | C:\Windows\SysWOW64\Cndikf32.exe | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Caebma32.exe | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kngpec32.dll | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| File created | C:\Windows\SysWOW64\Beeppfin.dll | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Beglgani.exe | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jhbffb32.dll | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| File created | C:\Windows\SysWOW64\Echdno32.dll | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dhhnpjmh.exe | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbejge32.dll | C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmhnkg32.dll | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Banllbdn.exe | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Agjbpg32.dll | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cnnlaehj.exe | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhocqigp.exe | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdabcm32.exe | C:\Windows\SysWOW64\Cabfga32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bhicommo.dll | C:\Windows\SysWOW64\Cabfga32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cagobalc.exe | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cfdhkhjj.exe | C:\Windows\SysWOW64\Cagobalc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Daconoae.exe | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| File created | C:\Windows\SysWOW64\Elkadb32.dll | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Beglgani.exe | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cffdpghg.exe | C:\Windows\SysWOW64\Cmnpgb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ingfla32.dll | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bapiabak.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfdhkhjj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cabfga32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmnpgb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmllipeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cagobalc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll" | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll" | C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll" | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cdabcm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cfdhkhjj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll" | C:\Windows\SysWOW64\Cmnpgb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll" | C:\Windows\SysWOW64\Dfiafg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cabfga32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll" | C:\Windows\SysWOW64\Cabfga32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cabfga32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll" | C:\Windows\SysWOW64\Cfdhkhjj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll" | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll" | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll" | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll" | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll" | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll" | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll" | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cdcoim32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll" | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfhhoi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cmnpgb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Daconoae.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Caebma32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll" | C:\Windows\SysWOW64\Cagobalc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Ddonekbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bchomn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bapiabak.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll" | C:\Windows\SysWOW64\Cegdnopg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Djgjlelk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | C:\Windows\SysWOW64\Bnmcjg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll" | C:\Windows\SysWOW64\Dkifae32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll" | C:\Windows\SysWOW64\Dkkcge32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll" | C:\Windows\SysWOW64\Bfkedibe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe
"C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe"
C:\Windows\SysWOW64\Bchomn32.exe
C:\Windows\system32\Bchomn32.exe
C:\Windows\SysWOW64\Bnmcjg32.exe
C:\Windows\system32\Bnmcjg32.exe
C:\Windows\SysWOW64\Beglgani.exe
C:\Windows\system32\Beglgani.exe
C:\Windows\SysWOW64\Bfhhoi32.exe
C:\Windows\system32\Bfhhoi32.exe
C:\Windows\SysWOW64\Banllbdn.exe
C:\Windows\system32\Banllbdn.exe
C:\Windows\SysWOW64\Bfkedibe.exe
C:\Windows\system32\Bfkedibe.exe
C:\Windows\SysWOW64\Bapiabak.exe
C:\Windows\system32\Bapiabak.exe
C:\Windows\SysWOW64\Bcoenmao.exe
C:\Windows\system32\Bcoenmao.exe
C:\Windows\SysWOW64\Cndikf32.exe
C:\Windows\system32\Cndikf32.exe
C:\Windows\SysWOW64\Cabfga32.exe
C:\Windows\system32\Cabfga32.exe
C:\Windows\SysWOW64\Cdabcm32.exe
C:\Windows\system32\Cdabcm32.exe
C:\Windows\SysWOW64\Caebma32.exe
C:\Windows\system32\Caebma32.exe
C:\Windows\SysWOW64\Cdcoim32.exe
C:\Windows\system32\Cdcoim32.exe
C:\Windows\SysWOW64\Cjmgfgdf.exe
C:\Windows\system32\Cjmgfgdf.exe
C:\Windows\SysWOW64\Cagobalc.exe
C:\Windows\system32\Cagobalc.exe
C:\Windows\SysWOW64\Cfdhkhjj.exe
C:\Windows\system32\Cfdhkhjj.exe
C:\Windows\SysWOW64\Cmnpgb32.exe
C:\Windows\system32\Cmnpgb32.exe
C:\Windows\SysWOW64\Cffdpghg.exe
C:\Windows\system32\Cffdpghg.exe
C:\Windows\SysWOW64\Cnnlaehj.exe
C:\Windows\system32\Cnnlaehj.exe
C:\Windows\SysWOW64\Cegdnopg.exe
C:\Windows\system32\Cegdnopg.exe
C:\Windows\SysWOW64\Dfiafg32.exe
C:\Windows\system32\Dfiafg32.exe
C:\Windows\SysWOW64\Danecp32.exe
C:\Windows\system32\Danecp32.exe
C:\Windows\SysWOW64\Dhhnpjmh.exe
C:\Windows\system32\Dhhnpjmh.exe
C:\Windows\SysWOW64\Djgjlelk.exe
C:\Windows\system32\Djgjlelk.exe
C:\Windows\SysWOW64\Ddonekbl.exe
C:\Windows\system32\Ddonekbl.exe
C:\Windows\SysWOW64\Dkifae32.exe
C:\Windows\system32\Dkifae32.exe
C:\Windows\SysWOW64\Daconoae.exe
C:\Windows\system32\Daconoae.exe
C:\Windows\SysWOW64\Ddakjkqi.exe
C:\Windows\system32\Ddakjkqi.exe
C:\Windows\SysWOW64\Dkkcge32.exe
C:\Windows\system32\Dkkcge32.exe
C:\Windows\SysWOW64\Dmjocp32.exe
C:\Windows\system32\Dmjocp32.exe
C:\Windows\SysWOW64\Dhocqigp.exe
C:\Windows\system32\Dhocqigp.exe
C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5012 -ip 5012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 408
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/2356-0-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Bchomn32.exe
| MD5 | 6679dfc4a4119953ed26137e7c68db74 |
| SHA1 | 6ff6af39fdca6623b2b549c3f93616a93e84b6dc |
| SHA256 | a5ffbbde18627921df683b70499c879ff7890efe296bcc7d0a9ca73f15aa8ac4 |
| SHA512 | 85c2b1af97b69c6ab9631c73b63ae71bcf3ebea1db9aa486f4b618102dad6cc7e82f19a5c967e716cc2eb422831fa40b959100df76c15b767c14a78945b97da6 |
memory/3668-7-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Bnmcjg32.exe
| MD5 | 1ed1f314c55d492daa29272c82618ae2 |
| SHA1 | e0d2a3eba453f1dc14c6c8abf822075b17dd8db7 |
| SHA256 | 2e7e1a69c1166eba004e06b37489fcd69a522708503e176eaed2370b3cf0873f |
| SHA512 | d4cfae2fd474f2853409fed19bf7e84b71cf2e0092f11f8b99dfeb4b51609742eafb02de54bfbb109d09508467ebe9a1e9c5561f961aebb7775366bfbd705b72 |
memory/4424-15-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Beglgani.exe
| MD5 | d0749f3f2a886e4fa9740590cb760589 |
| SHA1 | db0f3ad34696a791daae58476ff02cc3edfe319a |
| SHA256 | ef7005210225b7e439f7c83c34ea9af00b64b6b4da63cc6205d28a085aeeba34 |
| SHA512 | 6bbd7ebdd80c39d334482761ccb564eaadd9dd1ca218338be7716552aac2ec855b760685e6bf66365670874ac353241b928954637c08c18f491ef346d3caa40f |
memory/5056-24-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Bfhhoi32.exe
| MD5 | b5986319c3e03dcd1d0f8c89e37f9d5a |
| SHA1 | de5a18c107588aa982287ffdd9b9b58c0d8f6e7d |
| SHA256 | a3ddcc13f7ce6a60c89ae2328ee38748b131c6af870e4a8ddb29aca9f8871e25 |
| SHA512 | bed782fec1a66acb41b5f7ba9f6fa650ada9cf4f19f16fe399f94e9386d1575f51ad1c0c0dc4e2ef5c94d220ceed27b82fe33dc6a25e0e785c0bf3ce24ece542 |
memory/1440-31-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Qihfjd32.dll
| MD5 | 1f07bfc729d270fa706c8fc3d91efb3a |
| SHA1 | 612ec010dd74ff0038561b30041012eac3d799a3 |
| SHA256 | 7e7a5e0b65969779e22003c06678b1c7c2fe25eb32ddf8752dd03535baadeb9d |
| SHA512 | 96af4c0da35264c1bb711cbae62110fd088e659b925d6efcd744606ac579dbf23ac05149b05ba2d32dd2b4c54e2e3f21b3e8014bf89c7299c503708686d6aa1e |
C:\Windows\SysWOW64\Banllbdn.exe
| MD5 | 1e97642d84e87fa65b0ae5e32c274c29 |
| SHA1 | 45a4004e4682ca0241185a173da661415ab355e4 |
| SHA256 | 9055845cbcc2c2f8c8bbc8cc7edfa4858aebec9b2f197b9da044dcbda6066ff1 |
| SHA512 | 5d0632a2edd23a29edcfbe5e0c0ff015ad656c5a92367e062f6ee8805890bf76fadb5f0c2423cb114c8286e35e54de9a3db026ce4ef1935849280790f66abb1e |
memory/2300-39-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Bfkedibe.exe
| MD5 | 49458093d838f22cd6ea09267cc7d5c8 |
| SHA1 | 2f3f7d2fe026b80fbe65032e8b6fadd69821edc9 |
| SHA256 | e275ac164cf12fdf55a39fb74f07b1eff68cb8e1d907bb53d75e075ee6b67a51 |
| SHA512 | 59298803f4f31050eec96d2b40d35042c27956893ae9d13ccf9607823b59f73172cfaaa9a4d83ffbd93335f77ac683d87444d8bc67a6191df83f5f7c0c05ef36 |
memory/3492-48-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Bapiabak.exe
| MD5 | f853bfe062e4ee93c4c6288ae9a8cbee |
| SHA1 | 7d5f3f41f18335107deb0089f9441a057dc56f2b |
| SHA256 | 3ee81c16e34b2992266028b7a43d4b9f2832319a76d72148fe2a6c2ef4b0df1b |
| SHA512 | a3b2a0ce7f0b8eb2a3be353d644189ebd1085d0a0f1c123925c89770c8127b583893d9b8f25892b8c5c7a75a0e394f78bd73aa868df47c126ef47f80581dc73e |
memory/4044-55-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Bcoenmao.exe
| MD5 | cb7948332fba205457be26d70552973c |
| SHA1 | 11d3b0f5beb41690442aaabc2651e77bca944b00 |
| SHA256 | 276c42d74551b33141d283f7f832c3e91617530d7888d56ad4d4cd7a5ff85475 |
| SHA512 | 9bf47f54e48e7e87873d16edded6b2e9632b60f93fc356101bc6e1bf6d2a996e6a0437f43a613ac5d498aa97c4cf911b1a2930102dd311c6bb6b82219bbf99bb |
memory/1216-63-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cndikf32.exe
| MD5 | 69d2cba136eaa501fef033523ed6e219 |
| SHA1 | 2b3a032c0c2809ad41a3a1d017e66c8fa94aba1e |
| SHA256 | f922d21234faf9c742c5db3538d207c08f05ab575a44657a8a2b34d32cd2fdfc |
| SHA512 | cd8ed5dc63f298ad490cb70eb0f69a4d60b6ffe4a0d6c8d23a85e860c6bc60fc526baf30116e9256fb6e6b1de02b86f818955336d1ddcb03e027cda43ca13736 |
memory/1048-71-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cabfga32.exe
| MD5 | e2efbecc025a2892bb3415550b577ba2 |
| SHA1 | 0a95afb6cc41a9325147fb17cc4c882d7555a7b4 |
| SHA256 | defd70a4fc348e3356afb2b528dea2ca17350dec54babd7cbf2a3ec7c4cf6a01 |
| SHA512 | 3ba7b32d6a9ebad15f29ed4cc854f753fe5c8ec4721f9c58445f5a932e0c45c2ca086b9f853f11716f49a5375b979dfe89a02b06504de5ee4826a54029ee4543 |
memory/4760-80-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cdabcm32.exe
| MD5 | f50aea14fc63509acac35e2b3fc0e97c |
| SHA1 | f7fa03b0167303b817886fffb6bb2bfbb25672bd |
| SHA256 | 385bd452abe38fd79922b25e0ed2ebd866608cd2e2a2960e2e0973ee63345521 |
| SHA512 | 4963e5260fdd508722ec60969dcc7b8bd65101d0a297fa5466721f75434a85a7905b1660d5929ae85672e176934e26f9603c0560314abbedd7e211672768fdfb |
memory/692-87-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Caebma32.exe
| MD5 | e99e61393d56841e952aab38e35f51a5 |
| SHA1 | b08bac06e5cf6162beb4f1ff663f7c2ca7d82ba5 |
| SHA256 | 5b3a0fe33c23d0b04a1d62239e21b49a6c0f721586a3ea7c0d80474ded3296e4 |
| SHA512 | 82de2d12dad17f170045c3062fdf371db79db1b15af467ea743fbb3eb0d5bda03475dbdeb5fc6edb15107147a2c706690d40870ca61a6738e11f54bdbde02795 |
memory/3672-96-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cdcoim32.exe
| MD5 | eba8d187a45bb731fdf23eb210eda890 |
| SHA1 | 10c0f1b8e0d315ca1eeb45240ded1e291d1f868c |
| SHA256 | a019b4c351aeb4d96ae8e7bb875cdeafc0e6fba720d734659596d8e53b4f3d8f |
| SHA512 | d07ad51044f3132b69a45d596183fe312c0722471c2a773788f691efbcf9738547790ed3d565de2c8ae8e988d1a9171e1420337a11fb66c3beb90f8417be6b90 |
memory/3068-104-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cjmgfgdf.exe
| MD5 | fe1739055cb51c4b2be08fbd336b5b77 |
| SHA1 | 673f05891349912e540f93d8b4e5f457fbb77e22 |
| SHA256 | 48992ee35ddb51bfffd5ad62b874598574d0ff292216b0dbeb7507f51b48fd64 |
| SHA512 | 88b4c1571cfef007fa69eec5256da71c74e5593eb09d626b78232e6a1ac78ba0d2a98a3057969fb855d66dde1addb24cc84a5af092fbddad9e3b55c8a5186ad9 |
memory/4752-111-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cagobalc.exe
| MD5 | 3211ccd9eb3a6450e82f92bb55231f25 |
| SHA1 | ad1ff84abcf25580cebcb035c914565bafa561e4 |
| SHA256 | 37e1cc2225ce9d28be91c79e9e0f7f24e9a57354df1deaa6528117467ee2af22 |
| SHA512 | 02b3c839cfb7dfe4b608c14f077f3ddd52f6e3f10c95800f380ad12be1eb7abaab26b9c6fac5dfb66384b46eeafdd4aac70e3146eb8210621a6fd4b639eabdef |
memory/2440-119-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cfdhkhjj.exe
| MD5 | 87aca57cf6d2584741ef2ea00952e023 |
| SHA1 | fa7c0ff69206c1329b948605b286f8e3bb632ecc |
| SHA256 | b5bd69b9ddd26676508dd0d81c53b0b98aea897d91a8aad0ea6ebe94b3289e9e |
| SHA512 | 29a21c37bf2ddf62933e1c57c9e05125b0a2bd9c019df8c09db37549606426112f103c604bc99fa43d0b0ca32511722cf5fd155f517e6d9d1786476793e4bd28 |
memory/2612-127-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cmnpgb32.exe
| MD5 | 4c8ec160cca21f2e25f2839c7a49c501 |
| SHA1 | a5572d23f6ca2c9789e57120c343df01f9ba3c40 |
| SHA256 | d3fe03e0b29b21ccecd961547862af9028fb3fd0b87250ed374c207bed2cb216 |
| SHA512 | fff457eebd19b81a82b0a8342191fa3d8df8cfc011b67bb3f467abe0af0f4948c5f5e70ee405819b6303ad52b70525c26f2f745ac5fff7260b77a573c1712d8d |
memory/3616-135-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cffdpghg.exe
| MD5 | 25069ffa5b2c170936022d56675c46f5 |
| SHA1 | 080a20f4370fbf6f96d36e6169afbbd0fb594bff |
| SHA256 | d0596fe8cef2e486bd8c4f14aa2949cb85b961e58457f917bd07390f3db9ca13 |
| SHA512 | 437f5438aa5fc70d4de21b3ffb0ccc714d312106974943a2f90466bf38d23b3d7a17dfac5aa2495c916700106387f2d003080e6232631e61e9f30703a9865e4d |
memory/2960-144-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cnnlaehj.exe
| MD5 | c7b804cfc65ae2d63be33b54ed418208 |
| SHA1 | 6b1e809ba5d45d3c0de35743eafc5a0eb5c81f5b |
| SHA256 | e6770633c7cd4337837471f94f66f945353603e3f1f851c7f36ca1e6c738398c |
| SHA512 | a48bce4186f5f241ff33510931b9fa09d24f1cbdcfa6880cc287121dd23eb46de527d1431b594ebbc61800632cb4e07f67eb17ff25369d93dfeed2e78e50ad17 |
memory/216-152-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Cegdnopg.exe
| MD5 | 4be3b4bc631f0120e3aaca7484b3e849 |
| SHA1 | 634fdb0dac6201db0a199af62b0447fb50dcf6c0 |
| SHA256 | 5075eb6e4c1220a82056b71684c88c0e824d460ef1045e44315b0729f8e4600f |
| SHA512 | f5ffbe607d120a3084e0dc4136184b94f2acb17f31b09563ff715fc851665bffe9759fb66f9183b1fd8cd9af66b93d3db4d41032642cfbad6c4a18eb79d154df |
memory/2952-159-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Dfiafg32.exe
| MD5 | 7ef692531920cef479e546a048d5fdcd |
| SHA1 | e02300511124c891c53ccc5d5e7cf49ab567d67d |
| SHA256 | 1af2ff5d613a5e3217133e6147cf44239e550ab77f553e2561a33e8f97b6fa96 |
| SHA512 | 7dc06e64632a7aa2dcfa9be6b55ebbd10c78d92a66a177a3da9256adb2b842abedc5ff8f9a80eb11f4d392ab326fd93a48e96cbcc18d9b24d6d60eab9caf8cf8 |
memory/624-173-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Danecp32.exe
| MD5 | f1d3e4d94c27d8f74f7b9ef1b4d22721 |
| SHA1 | eded94e39634f140e1a454b725567dc4eb1c2ec4 |
| SHA256 | fc22a11b8b7f5fbeed01ca7bdb142f7c61582a5d6b3be410144ef6909d9b9cd6 |
| SHA512 | faa7049104c54c1e20baaa0dccb56362f5c3d5de8704f7b94261e361e9c9c3b095ba1fa4e41a61ce2d369074cb33fd22a68ae52ddf1e2c3186a366ee1dd9b629 |
memory/3548-175-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Dhhnpjmh.exe
| MD5 | e6c57e79d0a2eb6801b6d9d5530bee97 |
| SHA1 | a278d7bd43c4457765eb797c6c6d881705bf7353 |
| SHA256 | 72e9c98456e176d4e3b2e775ed1842691cbad50c88da56a9af8cbc8859615486 |
| SHA512 | 22e28c05efb8b1454eb111211421a644791d5b31cd8a535eec267d4b1c871e3ba72d6bdc1eb90637f11c09379f08b59cfaaca68f384f3e50c9aa3d333f298670 |
memory/3320-184-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Djgjlelk.exe
| MD5 | 377452f3e08ad418422c2c679051f1ed |
| SHA1 | 5a8c086ed6c0fceb3206ce31ad9155fe777a7610 |
| SHA256 | 871c6dc78090dae81cad021d56fe7598748e55f1d9caf7e9a71a828e848dfdef |
| SHA512 | 4d5cc2cdd5055a24f26b493e6a3797e7fde8c4851514ef56e03a593aaec04a71cf0b93f1429329e4d8921fe08311e3218ab233e159d70514e23c8f7e8ca8b48b |
memory/2972-192-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Ddonekbl.exe
| MD5 | b6f5073d08986444fabf2499f57581f7 |
| SHA1 | 06f6505bdc0fe8430a676954f34ff45457be10eb |
| SHA256 | 6bb30dd946ecee2680b4f79dce065b0d9dbd382f3e0bee335abc98d60978b877 |
| SHA512 | 5cc1938072651a04c4bb66b75b6ae1ec1563bb4b36341e4bbf98fb8c1e02157f2b18735ad9875ab7335a20afcf59dd238b9c41e9466f50a9064acc4a2ee53ac5 |
memory/3280-199-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Dkifae32.exe
| MD5 | a8f03203082936ed0f72f10a7a3bb7b5 |
| SHA1 | ad2298a1d88595a25649ffcf61800d6f87b4d2c5 |
| SHA256 | d201e3ec159757d8dc9803b47720af575d650ee3605d9bb4f70301b25ed0ad17 |
| SHA512 | ef9c88e463f414c99cb3386ec12b105274a8ed55e75d8df81f139b0d078d71ed2ce9dca8a9a142d310eaaf5a95bdb275b4c554815157275cba03dea9ae35e768 |
memory/2020-207-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Daconoae.exe
| MD5 | a843d60abff072620c007fa2c6d23b93 |
| SHA1 | 8248156576eb5b9c766c17ac8a77aa5835c4f261 |
| SHA256 | 80c281768b40df28ac1c56df7d27a80bdf1dc013500bae5fd8d67f1041eeadfd |
| SHA512 | 1daaafa249b5f52ae74f391e21ed36f169bc5d0d4cb438cf2dae3a7861829fc9b0b2f01b0830c5cbac80a1d629e705c1995214758e9a07b79fa4741c83db2918 |
memory/1248-216-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Ddakjkqi.exe
| MD5 | 15faf27b224306e8f0bc97d15e5e4cd2 |
| SHA1 | 599c44db73d2596e7d3aa15fbdafb9a1384c30f5 |
| SHA256 | 76b95e6c5e2c31a320feec7e81fe84be6a17161c4d84020e0b3fe1eff75100ed |
| SHA512 | ddd175724a430771617157838da2e294d7232bc2b17970c126926e4f9832b7499b4128243f31913c5fd4bd6dfb53e821b1ff3c1971f0c37034e642ed2bcbd0e1 |
memory/5028-224-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Dkkcge32.exe
| MD5 | 2a72e44db8ed5060fb468bed2e3d366f |
| SHA1 | 9198213b6e50c7a3de4f7e0a35b3508f909fa5d1 |
| SHA256 | 3cd3fb77311b356695a8afd52fff16bfe66048eab9873ca256fa344e3424d6d0 |
| SHA512 | 1f51ea1f155730b8318d258f5448b6720e358d981262560e344645c9943379862307b9330a58ec2983442b99ab47f6640fefb92e3903cc8a1f89d70afa4de89c |
memory/3656-236-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Dmjocp32.exe
| MD5 | f1f277b93fdf5ce688f32d1b15465dc1 |
| SHA1 | 8cbcf5a1f7571b6a99439a55b38a964f3f8e3d79 |
| SHA256 | 2d8602006cb003f18f9fe3e7e18778dd914c393098c941d5cb08b7a68e10473a |
| SHA512 | b735d35e891d61ad64456777130157dc56069f9be21ed8e25d189c7eb2c90e1efc22c2e84535d9685007b326cb9d2c8a12019429b8d518ff7ea8cd3604349d31 |
memory/748-239-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Dhocqigp.exe
| MD5 | 04c7648c66be0b90eedf4ac347d2e87f |
| SHA1 | 57ef3addf5b53354a6cc813fb81b86f7b4254603 |
| SHA256 | 8a398ef2bb8633c29ebc12b073010230d1bd2ee2ab8209006aa904e5dec2f1bc |
| SHA512 | 779302c32fe00ee36cfb66d6381b1b3efc2003d697c8d6840cd7cd0f5ae0a6331bf2a4e50304cbdb0fffc153fec0b633e9662c0d0589e6d3af2010addd464ff9 |
memory/5008-247-0x0000000000400000-0x0000000000435000-memory.dmp
C:\Windows\SysWOW64\Dmllipeg.exe
| MD5 | 974620966e2db39bada22066f194344f |
| SHA1 | ebdd94cbfdd1197e9bc4c612e663c9582f530e31 |
| SHA256 | 1a041c61d70e110ccd0761788fee76c5870cf7ea07f1632a86f1262a39f0e4c9 |
| SHA512 | 83aea60d51116eb082ca919444be4133b5c1b166a0c6ab18953342a2367727f0cd3a552f985918e21247a888415d7cacdd554101617720f8c0abc90c4e4b5d35 |