Analysis Overview
SHA256
5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7
Threat Level: Known bad
The submitted file 5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N (run in the sandbox as 5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe) was classified as Known bad.
Malicious Activity Summary
Berbew family
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 17:05
Signatures
Berbew family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 17:05
Reported
2024-11-13 17:07
Platform
win7-20240903-en
Max time kernel
84s
Max time network
17s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Qnghel32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bkegah32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bgaebe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Adlcfjgh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cocphf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Alqnah32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pkcbnanl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Alnalh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjbndpmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bmpkqklh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bbmcibjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cebeem32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bjmeiq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bgcbhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bcjcme32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Pleofj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjmeiq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cocphf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Alqnah32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bjbndpmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmpkqklh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pleofj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bkegah32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qdncmgbj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ajmijmnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Alnalh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Adlcfjgh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cmedlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjpaop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bgcbhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qnghel32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajmijmnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ccjoli32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qdlggg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Qdlggg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bcjcme32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bjpaop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmedlk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cepipm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cgcnghpl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Apedah32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aqbdkk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bgaebe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ccjoli32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cebeem32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Apedah32.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Alnalh32.exe | C:\Windows\SysWOW64\Afdiondb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Alnalh32.exe | C:\Windows\SysWOW64\Afdiondb.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmpkqklh.exe | C:\Windows\SysWOW64\Bjbndpmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bcjcme32.exe | C:\Windows\SysWOW64\Bmpkqklh.exe | N/A |
| File created | C:\Windows\SysWOW64\Mfakaoam.dll | C:\Windows\SysWOW64\Bcjcme32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmajfk32.dll | C:\Windows\SysWOW64\Bkegah32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cofdbf32.dll | C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pleofj32.exe | C:\Windows\SysWOW64\Pkcbnanl.exe | N/A |
| File created | C:\Windows\SysWOW64\Qoblpdnf.dll | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aqbdkk32.exe | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmedlk32.exe | C:\Windows\SysWOW64\Bkegah32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qnghel32.exe | C:\Windows\SysWOW64\Qdncmgbj.exe | N/A |
| File created | C:\Windows\SysWOW64\Cebeem32.exe | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cjonncab.exe | C:\Windows\SysWOW64\Cebeem32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hqjpab32.dll | C:\Windows\SysWOW64\Apedah32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lgpgbj32.dll | C:\Windows\SysWOW64\Afdiondb.exe | N/A |
| File created | C:\Windows\SysWOW64\Omakjj32.dll | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjbndpmd.exe | C:\Windows\SysWOW64\Bgcbhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gdgqdaoh.dll | C:\Windows\SysWOW64\Cocphf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Apgagg32.exe | C:\Windows\SysWOW64\Ajmijmnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajmijmnn.exe | C:\Windows\SysWOW64\Apedah32.exe | N/A |
| File created | C:\Windows\SysWOW64\Adlcfjgh.exe | C:\Windows\SysWOW64\Alqnah32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hiablm32.dll | C:\Windows\SysWOW64\Bmpkqklh.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgoelh32.exe | C:\Windows\SysWOW64\Cepipm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmbcen32.exe | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Oeopijom.dll | C:\Windows\SysWOW64\Cebeem32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qdlggg32.exe | C:\Windows\SysWOW64\Pleofj32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjpaop32.exe | C:\Windows\SysWOW64\Bgaebe32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfikmo32.dll | C:\Windows\SysWOW64\Bgcbhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbmcibjp.exe | C:\Windows\SysWOW64\Bcjcme32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cepipm32.exe | C:\Windows\SysWOW64\Cocphf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ciohdhad.dll | C:\Windows\SysWOW64\Cgcnghpl.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdkefp32.dll | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
| File created | C:\Windows\SysWOW64\Alqnah32.exe | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dpapaj32.exe | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cepipm32.exe | C:\Windows\SysWOW64\Cocphf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Afdiondb.exe | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bgcbhd32.exe | C:\Windows\SysWOW64\Bjpaop32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fikbiheg.dll | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Apgagg32.exe | C:\Windows\SysWOW64\Ajmijmnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjpaop32.exe | C:\Windows\SysWOW64\Bgaebe32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cdpkangm.dll | C:\Windows\SysWOW64\Bgaebe32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cmedlk32.exe | C:\Windows\SysWOW64\Bkegah32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cocphf32.exe | C:\Windows\SysWOW64\Cmedlk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ccjoli32.exe | C:\Windows\SysWOW64\Cgcnghpl.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmbcen32.exe | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Incleo32.dll | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kmhnlgkg.dll | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ceebklai.exe | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Alqnah32.exe | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kgloog32.dll | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| File created | C:\Windows\SysWOW64\Pleofj32.exe | C:\Windows\SysWOW64\Pkcbnanl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qdncmgbj.exe | C:\Windows\SysWOW64\Qdlggg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Apedah32.exe | C:\Windows\SysWOW64\Qnghel32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgoelh32.exe | C:\Windows\SysWOW64\Cepipm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgcnghpl.exe | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| File created | C:\Windows\SysWOW64\Nlbjim32.dll | C:\Windows\SysWOW64\Pkcbnanl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aakjdo32.exe | C:\Windows\SysWOW64\Alnalh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aqbdkk32.exe | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| File created | C:\Windows\SysWOW64\Bgaebe32.exe | C:\Windows\SysWOW64\Bjmeiq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bgaebe32.exe | C:\Windows\SysWOW64\Bjmeiq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cpqmndme.dll | C:\Windows\SysWOW64\Qnghel32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjmeiq32.exe | C:\Windows\SysWOW64\Aqbdkk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dfefmpeo.dll | C:\Windows\SysWOW64\Bjpaop32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32†Fpbdkn32.¾ll | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjbndpmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bbmcibjp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cebeem32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjmeiq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgcbhd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Alnalh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bcjcme32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ccjoli32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmpkqklh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bkegah32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qdlggg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Apedah32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pkcbnanl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Alqnah32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cepipm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjpaop32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qdncmgbj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Adlcfjgh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgcnghpl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qnghel32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgaebe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aqbdkk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmedlk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cocphf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pleofj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajmijmnn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Afdiondb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Alnalh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cmedlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll" | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ccjoli32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll" | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll" | C:\Windows\SysWOW64\Bgcbhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ccjoli32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bjmeiq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Adlcfjgh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll" | C:\Windows\SysWOW64\Bjpaop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cepipm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll" | C:\Windows\SysWOW64\Ccjoli32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbkdn32.dll" | C:\Windows\SysWOW64\Qdncmgbj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll" | C:\Windows\SysWOW64\Ajmijmnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Alqnah32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bgcbhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cgcnghpl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} | C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll" | C:\Windows\SysWOW64\Bmpkqklh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll" | C:\Windows\SysWOW64\Qnghel32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll" | C:\Windows\SysWOW64\Bjmeiq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bbmcibjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll" | C:\Windows\SysWOW64\Cgcnghpl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll" | C:\Windows\SysWOW64\Alnalh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll" | C:\Windows\SysWOW64\Cocphf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjpab32.dll" | C:\Windows\SysWOW64\Apedah32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ceebklai.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Qdlggg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qdlggg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aqbdkk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bjpaop32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjpaop32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bkegah32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll" | C:\Windows\SysWOW64\Cebeem32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll" | C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cjonncab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldhcb32.dll" | C:\Windows\SysWOW64\Qdlggg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Alqnah32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhnlgkg.dll" | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cocphf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Dmbcen32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Pleofj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Afdiondb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll" | C:\Windows\SysWOW64\Alqnah32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bgaebe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bmpkqklh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbcjo32.dll" | C:\Windows\SysWOW64\Pleofj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll" | C:\Windows\SysWOW64\Bbmcibjp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ajmijmnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll" | C:\Windows\SysWOW64\Bgaebe32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll" | C:\Windows\SysWOW64\Bjbndpmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cmedlk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incleo32.dll" | C:\Windows\SysWOW64\Apgagg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Bcjcme32.exe | N/A |
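The two registry tables above describe one persistence chain: a value under ShellServiceObjectDelayLoad (SSODL) names a CLSID, and that CLSID's InProcServer32 default value points at a freshly dropped DLL in SysWOW64, so Explorer.exe loads the DLL in-process at logon. Because the sample is a 32-bit process, registry redirection lands its writes in the Wow6432Node views; both views deserve inspection on a real host. The script below is an added triage check, not part of the sandbox output: it walks the SSODL keys in both views, resolves each CLSID to its InProcServer32 DLL (checking the per-user Classes hive first, since an HKCU registration shadows HKLM), and flags entries whose CLSID matches the report IOC, whose DLL is missing or fails Authenticode verification, or whose COM registration is per-user. Run it in an elevated PowerShell on the machine being triaged; the output field names are the script's own.

```powershell
# Added example: hunt for SSODL persistence of the kind recorded in this report.
# Not part of the sandbox output. Run elevated on the host under investigation.
# The CLSID below is taken from the report tables.
$KnownBadClsid = '{79ECA078-17FF-726B-E811-213280E5C831}'

# SSODL keys that Explorer.exe reads at logon (native view and WOW64 view).
$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

# Places a CLSID's in-process server may be registered. HKCU is listed first
# because a per-user registration shadows the machine-wide one (COM hijacking).
$ClsidRoots = @(
    'HKCU:\Software\Classes\CLSID',
    'HKCU:\Software\Classes\Wow6432Node\CLSID',
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Resolve-InProcServer {
    # Returns the first InProcServer32 registration found for a CLSID, or $null.
    param([string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = Join-Path $root "$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $key) {
            $props = Get-ItemProperty -LiteralPath $key
            $raw   = [string]$props.'(default)'
            $dll   = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { '' }
            return [pscustomobject]@{
                Key            = $key
                Dll            = $dll
                ThreadingModel = $props.ThreadingModel
            }
        }
    }
    return $null
}

$findings = foreach ($ssodl in $SsodlKeys) {
    if (-not (Test-Path -LiteralPath $ssodl)) { continue }
    $entries = Get-ItemProperty -LiteralPath $ssodl
    # Skip the PS* provider properties that Get-ItemProperty adds to every object.
    $valueNames = $entries.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        Select-Object -ExpandProperty Name
    foreach ($name in $valueNames) {
        $clsid   = [string]$entries.$name
        $server  = Resolve-InProcServer -Clsid $clsid
        $reasons = @()
        if ($clsid -ieq $KnownBadClsid) { $reasons += 'CLSID matches report IOC' }
        if ($null -eq $server) {
            $reasons += 'CLSID has no InProcServer32'
        } else {
            if ([string]::IsNullOrEmpty($server.Dll) -or -not (Test-Path -LiteralPath $server.Dll)) {
                $reasons += 'DLL path empty or missing on disk'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $server.Dll
                if ($sig.Status -ne 'Valid') { $reasons += "DLL signature $($sig.Status)" }
            }
            if ($server.Key -like 'HKCU:*') { $reasons += 'per-user COM registration' }
        }
        [pscustomobject]@{
            SsodlKey  = $ssodl
            ValueName = $name
            Clsid     = $clsid
            Dll       = if ($server) { $server.Dll } else { '' }
            Reasons   = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
$findings | Where-Object { $_.Reasons } | ForEach-Object {
    Write-Warning "Suspicious SSODL entry '$($_.ValueName)' -> $($_.Clsid) ($($_.Reasons))"
}
```

On a clean system the SSODL keys hold only Microsoft-signed components (or are empty), so any hit with a non-empty Reasons column is worth pulling the DLL for; the DLL names in this report change from run to run, which is why the check keys on the CLSID and on signature status rather than on file names.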
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe
"C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe"
C:\Windows\SysWOW64\Pkcbnanl.exe
C:\Windows\system32\Pkcbnanl.exe
C:\Windows\SysWOW64\Pleofj32.exe
C:\Windows\system32\Pleofj32.exe
C:\Windows\SysWOW64\Qdlggg32.exe
C:\Windows\system32\Qdlggg32.exe
C:\Windows\SysWOW64\Qdncmgbj.exe
C:\Windows\system32\Qdncmgbj.exe
C:\Windows\SysWOW64\Qnghel32.exe
C:\Windows\system32\Qnghel32.exe
C:\Windows\SysWOW64\Apedah32.exe
C:\Windows\system32\Apedah32.exe
C:\Windows\SysWOW64\Ajmijmnn.exe
C:\Windows\system32\Ajmijmnn.exe
C:\Windows\SysWOW64\Apgagg32.exe
C:\Windows\system32\Apgagg32.exe
C:\Windows\SysWOW64\Afdiondb.exe
C:\Windows\system32\Afdiondb.exe
C:\Windows\SysWOW64\Alnalh32.exe
C:\Windows\system32\Alnalh32.exe
C:\Windows\SysWOW64\Aakjdo32.exe
C:\Windows\system32\Aakjdo32.exe
C:\Windows\SysWOW64\Alqnah32.exe
C:\Windows\system32\Alqnah32.exe
C:\Windows\SysWOW64\Adlcfjgh.exe
C:\Windows\system32\Adlcfjgh.exe
C:\Windows\SysWOW64\Aoagccfn.exe
C:\Windows\system32\Aoagccfn.exe
C:\Windows\SysWOW64\Aqbdkk32.exe
C:\Windows\system32\Aqbdkk32.exe
C:\Windows\SysWOW64\Bjmeiq32.exe
C:\Windows\system32\Bjmeiq32.exe
C:\Windows\SysWOW64\Bgaebe32.exe
C:\Windows\system32\Bgaebe32.exe
C:\Windows\SysWOW64\Bjpaop32.exe
C:\Windows\system32\Bjpaop32.exe
C:\Windows\SysWOW64\Bgcbhd32.exe
C:\Windows\system32\Bgcbhd32.exe
C:\Windows\SysWOW64\Bjbndpmd.exe
C:\Windows\system32\Bjbndpmd.exe
C:\Windows\SysWOW64\Bmpkqklh.exe
C:\Windows\system32\Bmpkqklh.exe
C:\Windows\SysWOW64\Bcjcme32.exe
C:\Windows\system32\Bcjcme32.exe
C:\Windows\SysWOW64\Bbmcibjp.exe
C:\Windows\system32\Bbmcibjp.exe
C:\Windows\SysWOW64\Bkegah32.exe
C:\Windows\system32\Bkegah32.exe
C:\Windows\SysWOW64\Cmedlk32.exe
C:\Windows\system32\Cmedlk32.exe
C:\Windows\SysWOW64\Cocphf32.exe
C:\Windows\system32\Cocphf32.exe
C:\Windows\SysWOW64\Cepipm32.exe
C:\Windows\system32\Cepipm32.exe
C:\Windows\SysWOW64\Cgoelh32.exe
C:\Windows\system32\Cgoelh32.exe
C:\Windows\SysWOW64\Cebeem32.exe
C:\Windows\system32\Cebeem32.exe
C:\Windows\SysWOW64\Cjonncab.exe
C:\Windows\system32\Cjonncab.exe
C:\Windows\SysWOW64\Ceebklai.exe
C:\Windows\system32\Ceebklai.exe
C:\Windows\SysWOW64\Cgcnghpl.exe
C:\Windows\system32\Cgcnghpl.exe
C:\Windows\SysWOW64\Ccjoli32.exe
C:\Windows\system32\Ccjoli32.exe
C:\Windows\SysWOW64\Cfhkhd32.exe
C:\Windows\system32\Cfhkhd32.exe
C:\Windows\SysWOW64\Dmbcen32.exe
C:\Windows\system32\Dmbcen32.exe
C:\Windows\SysWOW64\Dpapaj32.exe
C:\Windows\system32\Dpapaj32.exe
Network
Files
memory/1768-0-0x0000000000400000-0x000000000043C000-memory.dmp
\Windows\SysWOW64\Pkcbnanl.exe
| MD5 | 11a6fcc40a7c5545e39f1595ef49a0c3 |
| SHA1 | 07e40fb746ea2623ff9f4d7ed605cca6587ca08f |
| SHA256 | a13573ed8e6bc0d035556d4d5f188b6d9bae15fd1071a269974f3307643470f7 |
| SHA512 | 7697309370de4ddd817b8b9ca89d6cc9a10269624ba3fe22878d43da6c206fe176b440b579f2ca7369bbbad029f511907fb323796ce356ec440d8f069e3e8068 |
memory/3028-19-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1768-18-0x0000000000440000-0x000000000047C000-memory.dmp
memory/1768-17-0x0000000000440000-0x000000000047C000-memory.dmp
C:\Windows\SysWOW64\Pleofj32.exe
| MD5 | 540dc8018845a6fbd678df780ed7ab77 |
| SHA1 | 30547d6fd29e0d31a60dfd3e655e2009058431b3 |
| SHA256 | 6c966309d25f4670e8174911e9fb9348eedbcbe3823485339f8d9ca45d319705 |
| SHA512 | d137177066a6ba5d4d3cc8b70bdbc49d3eced31aeb5cb8f2c6133dcda767249379757e0f05dd0823dde68ebbd36dc3e016c930370f76e22954ed447843d05678 |
memory/2188-27-0x0000000000400000-0x000000000043C000-memory.dmp
\Windows\SysWOW64\Qdlggg32.exe
| MD5 | 7c990217905ea50d09ba4397d75f9bc7 |
| SHA1 | ce5e89f96fb5517a35d0470d9c52777e753b5a47 |
| SHA256 | 1f03ef8b32a2d0f5cdd064823c2ce5d9df8dfdd78b140c54cf9513d7893a24fd |
| SHA512 | a2b27714918e7e079e2b789601aa1aab11f14ca7d1e03b85caf0fdd34fc0c61c7b4fa60fe404c8484c535de3da13ec8084a64f19cd6c4070982a09b1e382a0c8 |
memory/2188-34-0x0000000000250000-0x000000000028C000-memory.dmp
memory/2188-41-0x0000000000250000-0x000000000028C000-memory.dmp
\Windows\SysWOW64\Qdncmgbj.exe
| MD5 | 21bbdc1041684969d30c11ffe65f9700 |
| SHA1 | 8fd84bed1f7e9df68a9b4a269d56aae35f3125de |
| SHA256 | c63832de15161799b97ee1740a5aa151e783568165ef99a5e8125ac1c31e5891 |
| SHA512 | 98cfaf0f0501ba43c7850c243104c92c42ffac41f4966f07bf1fc2234438a31820cba2f83728392e6ce1559c27b5af492d517bc34dbd50cd08b3619c2e3e21b1 |
memory/2808-54-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Olbkdn32.dll
| MD5 | b1c7081c13eaa25419d85091c6290ac9 |
| SHA1 | a88c29895a759eda6db4564e501ca0e43f120f96 |
| SHA256 | 9afc9830714b672861091d7d918e7eff303510a5ef9555257d673443d891b5a6 |
| SHA512 | 6b3ab4188f31a4ead187b6ad1a23d6edc8df0077115d34ff3f3f51aaa6c79d813ba3d9b8fa4e36faa7781374129280f2aa9eea4c589752181f351027e2cd1d6e |
\Windows\SysWOW64\Qnghel32.exe
| MD5 | 947eae214606492dcf74efd9ecd4ddf3 |
| SHA1 | f031bfe556d3d49e6c024f1c40ba01691e31d883 |
| SHA256 | 4ab9fbb588ec06cdef059d37718d547bc5b8fd2b5f8c78d274279c18c70854c6 |
| SHA512 | 3da24733857938971085c0ff73cdcbcb2e5f91eb0082223668794ebb357e79fc2e8907aca3d99864e3fe53e92600f3592bdb33614e38d4882c2de741f9698cf6 |
memory/2808-62-0x0000000000250000-0x000000000028C000-memory.dmp
C:\Windows\SysWOW64\Apedah32.exe
| MD5 | 2701ef486ed72274eeb1c27e7edbbffa |
| SHA1 | bcab0fe6a58603ee29dfca3f2b2ccea07746f5e7 |
| SHA256 | 2771c2e6855247b5e85e032f5a4f723a7bf90769a35d80242a9193c93199385f |
| SHA512 | d461076149012491b064e5c2fe7c0845e6e993664c140ac791bf75c0c205d725934184711c012aa28993ab8ccfb41f398cefd623b73635aeafcb88e0f86e2323 |
memory/2832-81-0x0000000000250000-0x000000000028C000-memory.dmp
memory/2832-75-0x0000000000400000-0x000000000043C000-memory.dmp
\Windows\SysWOW64\Ajmijmnn.exe
| MD5 | 7c31525868ce8b6b4ba30c92e4785477 |
| SHA1 | 505ec0fd0584980fdb7781bc302bb643d594c248 |
| SHA256 | ce8842302913014a7feaa7ac7b177af3a040573a7bde41e40ceaa95d14211c26 |
| SHA512 | 6d83e3a16d12c3e6bc04d9f13bd44c9f994140917073097cd62409db7af60688de3cb827efc30f886507a5401e8c7944f31157c3b4fa07374cbfe0ac47b1b678 |
memory/2636-88-0x00000000002A0000-0x00000000002DC000-memory.dmp
C:\Windows\SysWOW64\Apgagg32.exe
| MD5 | d960f240a4e40ea74cc8e1efd846f6e1 |
| SHA1 | bbf11063bb30bf09a103e7af9a8a49e7ec8eae5b |
| SHA256 | 2542a2acd59a28cfdd0bd2ee5a887f5c0677bdd1bee109dca186e9e65f7990ff |
| SHA512 | 84a22dee36bbad44cfe500cca026c61bfcfba5590182789d71e05dc9e939dd01fd273ba4d5953e9e085f6973add398dfb1b9007e0defcff0d8f718df662a2582 |
memory/2848-107-0x0000000000400000-0x000000000043C000-memory.dmp
\Windows\SysWOW64\Afdiondb.exe
| MD5 | c17a98c69136f1190e3ce6ec76ab1fb7 |
| SHA1 | 9f6cb0a65c0c16da6d0277e056316ade7252823f |
| SHA256 | 88787372ef365f1f347e5bb4b5840b9c70c390e87501afdfb5f53f40e9d2ec3a |
| SHA512 | 5dcb13ee44bf5437d70237f10ced19733aeedf50d45ab086fcfb0c1f2e0eb4d1c951420e70f14db4c2c33a30520e26a7d853450fc467e9bb974addf511f7f8ad |
memory/2848-114-0x0000000000250000-0x000000000028C000-memory.dmp
memory/2356-121-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1940-134-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Alnalh32.exe
| MD5 | 13f76f5e96c3dcf74417186d65115443 |
| SHA1 | 9564a8ed4cd6324902f3ee2e03ec25e922b004bc |
| SHA256 | b61cc2577a97abe1d57d717d724dd64854aac0100d8e8f83983ca524c4067493 |
| SHA512 | 6d1494985121695cd2dece410faa559f05dd5b1f6cd82f5d046820986f7f4312c372b386608e746d78cb0700b55219dbe557a13d2189ad4a7d9d29e0edb00aaa |
\Windows\SysWOW64\Aakjdo32.exe
| MD5 | 4fd4331c942ddd17c8b4da75f24731db |
| SHA1 | fb7ea1f26f9ffbdeb390686bb95068207b9a207a |
| SHA256 | 98436ab6e4606c8c8409ad8e6594fc707515019f7aa338940db96befe73af422 |
| SHA512 | 0148071d48328b88f057cecc28823b5d8437aabf048a65ad279b02290b0db5696d06bef948912733d946b9b4d0ff0a2777c1ff04769fdac7fd01b91769bf37cf |
memory/1940-141-0x0000000000440000-0x000000000047C000-memory.dmp
memory/1484-153-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1284-161-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Alqnah32.exe
| MD5 | d73e8d2a566b758d69c5857808cb17c4 |
| SHA1 | 6b27931e9284ab9e79a12077e58f3484d21ce8d0 |
| SHA256 | 011f885665c608759b2bd493f39d06ef47f35276d4220b8659acf1b98a86b5cb |
| SHA512 | 7487d7d44e3a46f1b63f415a9ba84f7ed2b6f6067b972e55e3f9c3b2e2f65ecccfecfecd7afb46d73d526ce43b51a983c15c3c8210ea9834e159260aa7a65621 |
\Windows\SysWOW64\Adlcfjgh.exe
| MD5 | 4a2aa49168ecf318abbb1faf66bd63e6 |
| SHA1 | b0e96ab5c1b9a8f472ed867e7bb7ed32c9cfc43d |
| SHA256 | d1791f19e17cd8577e3792b43cf0187abe2c04118321c24124477f72f4ac5bd0 |
| SHA512 | c9e41c15d08e9cd3e86ab72bb7c248601932401a3cd36ba0c65ae1bd516cd9b61291e1f9565680de0621d183e25a54e3c2651971dc8781cf66a2ce9001f175f9 |
memory/1284-169-0x00000000002F0000-0x000000000032C000-memory.dmp
memory/628-175-0x0000000000400000-0x000000000043C000-memory.dmp
\Windows\SysWOW64\Aoagccfn.exe
| MD5 | c92c8ff5eeb69fc6c151f6f7e08174d6 |
| SHA1 | 68fe0a5c78034c2bb19f25e065ce706199d5cbca |
| SHA256 | 4f1342150072364abc2419564dcc153a5ffbc21c8d3afb65205ee822e11fbe49 |
| SHA512 | 717af78083b2414601fa8d7c39b2d5e630b4fb441e368af2a498bc49a52089cb48b69cceb53064abe99b07db7c17673f9e645936ecda5011212d67f26e9f2b19 |
memory/2748-188-0x0000000000400000-0x000000000043C000-memory.dmp
\Windows\SysWOW64\Aqbdkk32.exe
| MD5 | ca80e3815abfd79a9ff2ce86823dfcce |
| SHA1 | 00ae2a0a2923f93e4808d80acee91655e63e0e0e |
| SHA256 | c161a6a97b553364435202be2daafb1cbd183db7d3db79a8683fbf30bca4a9cb |
| SHA512 | eed28d1e6dc7b762903dcaf45dab1c9ad293388a0c334b8172cda5aee036db44ecd0ead1372292b67ce9e982e9c313479ab9a09db93c259969b89db5a8dd932d |
memory/2748-196-0x0000000000290000-0x00000000002CC000-memory.dmp
\Windows\SysWOW64\Bjmeiq32.exe
| MD5 | 210c5802ab1f7b738a540c20432d6f8a |
| SHA1 | c18c9a19c2a1eca2ea2508e003e7cffe35f82154 |
| SHA256 | f5f89b882091ee6beeb3103c47c7321890ac41de117191eaa611f1be20513bf0 |
| SHA512 | 5d07a8a70f9ad4b22a53c477b4a287b8560d749621aeeed343258181c729073ee24344881055acda1b9504c6154f3ff0ab2b401832c3e063d6db60cfd09edee7 |
memory/1656-209-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1396-216-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1656-210-0x0000000000270000-0x00000000002AC000-memory.dmp
memory/1396-227-0x00000000002D0000-0x000000000030C000-memory.dmp
C:\Windows\SysWOW64\Bgaebe32.exe
| MD5 | 42e36b76c93a776dca5ffcf3cda39e51 |
| SHA1 | a1d12bd3ab5e6f1e061d890c5681777fc89bbd1d |
| SHA256 | b542ead0441c221c396c2989b1358a976ad9517b444bae2190d8c1b2a7fd4992 |
| SHA512 | 53585e4b11f199900fc00f6e02729df74612fd7470f71104db8f9a8264fd8244772f527794ce20439962d30a49dc62763b67ef453f473cd85196fa58d4dfebb2 |
memory/1396-223-0x00000000002D0000-0x000000000030C000-memory.dmp
memory/2000-233-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Bjpaop32.exe
| MD5 | cf12d78eb973535aa20ed404d0252cb5 |
| SHA1 | 5b7bbb1e2be5c39df0d67745bff65f6dc15b6ab7 |
| SHA256 | 3871c35790f810c006b2e1d6621bd2971077ee6a5909383d1c1361d2e70801a9 |
| SHA512 | 34c94f0bbe1cbe525c396d1c7483b44acfeb1100e39cdb3ae5a88d183999fd8dd4edfbcd50c62b01bab4ab56889afd031feeeb6a7892b36fa35bcb400daa17d6 |
memory/1008-237-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Bgcbhd32.exe
| MD5 | a4bba69be5f6e45257a449232186b91f |
| SHA1 | 2ad4524069d406aa2c10fdbf57ff04bc907a0897 |
| SHA256 | 10b559c43ffaab5b363f9398a26e239f52b401e47f3e547abe14e362456d838a |
| SHA512 | 6b9dc4f9b90cdcb35cc8b75790d21e67ca71264255abdfa7e2adab63de7fae236d4cad1449ec76dc2ece6f50e4b13c71a7d4f98fb225a6a76ad899e17b73ae74 |
memory/1752-246-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1620-256-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1752-255-0x0000000000250000-0x000000000028C000-memory.dmp
C:\Windows\SysWOW64\Bjbndpmd.exe
| MD5 | 7046ceabc7ca996fb9ab5b1b652a30b2 |
| SHA1 | 4aa252fc1219f424710d9699d1318e6fecbe90da |
| SHA256 | ba49fe15a76978deff1bf0e4ed880b5db636bc9776d152f1975d261f193165db |
| SHA512 | e3daadf566f46d492362857f86bedb6feed942dc8ab1976b1282356d912808303354ad007d1d16064ec6f10e235767acf86e66baae758bd45e43f28c57e23cdc |
C:\Windows\SysWOW64\Bmpkqklh.exe
| MD5 | 704fcbc770cc5737072342cd154e7696 |
| SHA1 | 42b984f93aab1072c71560a22056e5519db82111 |
| SHA256 | 87c9e311eb8bfc3567d89ce4eeac09a2554ca818673329cce2895344f80e11ee |
| SHA512 | 68521f4eb5d1ae432e9aba33d47778ce13e0cd3355585206d012ff5e30438bbf958afa8e88df71eea54c10a5774ab3495141d7998715a2e4a29e709cc33a957e |
memory/1620-265-0x0000000000330000-0x000000000036C000-memory.dmp
memory/2296-270-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Bcjcme32.exe
| MD5 | 8b25743fdf045e53bb9e7c4e4eaf3f1f |
| SHA1 | 26987df5dbf0f76eec63545713972fde6aa1701d |
| SHA256 | 1ffe294b4b61e189c802ac203c26014ae7d24bca52fe086d41be4b061c2c5a7f |
| SHA512 | 66667a4e84ab50677f88d9d35f33169ca5210a9a5e009973d8c16b4eda8e886c9a6a5496b87c0035d5685e27fd2c0fad57e2144dc6d2269939a3a939aed6dc23 |
memory/988-277-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2296-276-0x0000000000250000-0x000000000028C000-memory.dmp
memory/2296-275-0x0000000000250000-0x000000000028C000-memory.dmp
C:\Windows\SysWOW64\Bbmcibjp.exe
| MD5 | bec70ef15ffe6cb8632998b7b742241d |
| SHA1 | bd6c15f5548c5c5b84a8da9430fdea46ebe36df0 |
| SHA256 | 0001993d769ed19144864b91503384b198bb803109d82b692d2dafa07dcfed81 |
| SHA512 | d7742f86e1d35795b8ca0c3d07b8d3b94d7a01b5bda8e96775088d92f37f0721bcafec9a5ac33556f7fd5550f11820378a241ce4281a2355f8cf06d5241e389d |
memory/988-287-0x0000000000290000-0x00000000002CC000-memory.dmp
memory/1492-292-0x0000000000400000-0x000000000043C000-memory.dmp
memory/988-286-0x0000000000290000-0x00000000002CC000-memory.dmp
C:\Windows\SysWOW64\Bkegah32.exe
| MD5 | 43a37ebf223960b89e37ec6020172fbf |
| SHA1 | b0556eae641e7520a74e27484cd30975b3ecef6e |
| SHA256 | 25ff055913ca04664556366d8319d83c69c5a2e8d78d6c53e8e7e8c40b096015 |
| SHA512 | aec97b3f73f7ec227461e65c7426c75feb3cf107d0ff49069bec37b6de354b068791590ac79cc451d726d4525d831fb911dab3789e39a09db2d12e9ab933a88b |
memory/1632-299-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1492-298-0x0000000000250000-0x000000000028C000-memory.dmp
memory/1492-297-0x0000000000250000-0x000000000028C000-memory.dmp
C:\Windows\SysWOW64\Cmedlk32.exe
| MD5 | 3efd6bdd3073f52653753d6d92a0bf92 |
| SHA1 | 41f43956555b2532205fac7e2723cd64d60130a1 |
| SHA256 | 4a09a94131b83d595f6b4bb0aa118b128f036ac8dc2c29c0a2b36578e251f504 |
| SHA512 | 62e51b34555c52426f97cddd6c2e3b6a8b318b0ec91c948b59ac0f20e7fe3d69f5fa0e93e36fdcc126a7c321e93c18b0d1e5e5c284e8b4a07ea4d06b9bffed74 |
memory/1632-309-0x00000000002D0000-0x000000000030C000-memory.dmp
memory/1580-310-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1632-308-0x00000000002D0000-0x000000000030C000-memory.dmp
memory/1256-320-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1580-319-0x0000000000330000-0x000000000036C000-memory.dmp
C:\Windows\SysWOW64\Cocphf32.exe
| MD5 | 84b3eb5c052ce020fa2ef95cd88693a6 |
| SHA1 | f0bab68c89c19113e6723caccd21aecf713ea251 |
| SHA256 | fb14de6bb7f610ac0e6498fc5b921d4fa36505204d75f90f5f1592738420bd5a |
| SHA512 | 3ffceef6ad12549e5d3999922311ffd1d9026bc9667ff95af0b6f60f414451c4341d4b437e1c858f6ecdb428685f79b0f69f33b100c76a4a237d1d63966d1465 |
C:\Windows\SysWOW64\Cepipm32.exe
| MD5 | ea2b6993930186dd8e4232fc0c9f3c45 |
| SHA1 | eac3ffe0f9511bdda22a1029cb12cc09a9d9437e |
| SHA256 | 21a00062118824e9b642e9b315bd7f8a71d618240b77e5b0373a8a57d1f27052 |
| SHA512 | 21b80dcf07e245604f737bab12436d8ff2489af001e4c7fb23867256f8719bba0bb753536952b78a00cec6e5a8b1639bb494567016192dec2546b73e8cf55460 |
memory/1256-330-0x00000000002E0000-0x000000000031C000-memory.dmp
memory/2800-342-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2160-341-0x0000000000260000-0x000000000029C000-memory.dmp
memory/2160-340-0x0000000000260000-0x000000000029C000-memory.dmp
memory/2160-339-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Cgoelh32.exe
| MD5 | b0cee4b130493259ca5481760cd37625 |
| SHA1 | 8b8f1f5f2e6f866b96fb0d5acf7838edf879165a |
| SHA256 | bab51acaf900b91cb70086ea4fbe56bff5c2fc59057506c80ce9784d94068fc9 |
| SHA512 | 11e6714f17e6eec41037464db269c243a9d2fd5d3da53e9c340510319fd9535a7dd688950761d9f16ec73193b53c432ed88eac128f009a0caedd83f94ed2d483 |
memory/1256-329-0x00000000002E0000-0x000000000031C000-memory.dmp
C:\Windows\SysWOW64\Cebeem32.exe
| MD5 | 2a88e030ee6177c1fd7902fe60e64425 |
| SHA1 | efdf073cd09bc56dcf4df90c1238dd6f19781714 |
| SHA256 | e2c358f7f03530ddef0122e7ac22f0cb6451744cfe072995dd0add5991660ebb |
| SHA512 | ed22dfbb29f46469ce9e9c5c78c7cdb62e11709aaa46675259cc8759bd12ccac985f7d4d283f1489f0e34c06f428aa9ffc0d3205a3f1d6572b4736bc20011c8e |
memory/1768-356-0x0000000000440000-0x000000000047C000-memory.dmp
memory/1768-351-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Cjonncab.exe
| MD5 | c60c0ac604b8d4d4e124523c5cc9779b |
| SHA1 | b5f8731dc561c8a64e056285d843ed17888c4e50 |
| SHA256 | c6f59be14108c0b77040b8a8fa52681ff2098f9f38acae85684daed37cef99c4 |
| SHA512 | e6163b61375fd555ea11ba02e9a84eacfd0859a6bfc106130d422ed55aa164d6133fcf88c435e807204efb5126eef3b891b3bc58629b9301334f827d95c1c3ea |
memory/2884-363-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2676-362-0x00000000002C0000-0x00000000002FC000-memory.dmp
memory/2676-358-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2188-369-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2188-374-0x0000000000250000-0x000000000028C000-memory.dmp
memory/2884-373-0x0000000000280000-0x00000000002BC000-memory.dmp
C:\Windows\SysWOW64\Ceebklai.exe
| MD5 | db3bf409bc46e33dc77050cb15b3148c |
| SHA1 | f1a0d7b49275ef8b7bf92b404629107d5441ebf2 |
| SHA256 | 5dfdbede7424b4e59f1033e59b27e7cb35eed3208f189c5e2ba146c032073006 |
| SHA512 | dcd33b408f6ecf3ac47b228d2a1a49a169903cec362c762464e4f8e549e8e9b2c9018a78275569048e4f12204c7433b8cf69780f29ff7cb7a66bb075a7e0d764 |
C:\Windows\SysWOW64\Cgcnghpl.exe
| MD5 | 860efe7700277d9dac5165ad2f1c107f |
| SHA1 | 529575af2cd418890bdc0aed9d9704def7fa9354 |
| SHA256 | ae14c48df49bd50f096fd0c15d96364e187eb80b223c1b3354d627fc6d77233a |
| SHA512 | 6ee658d67f2b0a75efcd0a2ad990b1b56963eb857ba1c7dd35f35eb9cb8f44697973ec9af8aeb87e3095c1f9c1b502a99a16e51bbaa6ab672d581b2dc5fa7003 |
memory/2588-383-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3036-387-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1292-386-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2588-385-0x0000000000250000-0x000000000028C000-memory.dmp
memory/2588-384-0x0000000000250000-0x000000000028C000-memory.dmp
memory/2808-396-0x0000000000400000-0x000000000043C000-memory.dmp
memory/320-397-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Ccjoli32.exe
| MD5 | 814cfc082433c14795efaa478f1246ca |
| SHA1 | ad937ba5c2d4f38f1a753accca51bd5379a3f401 |
| SHA256 | 47c6fa64882a6b6c081d5f1696c50245a8a1a5fd55e8cd358b741278e08cf27d |
| SHA512 | 2168b37ed5b66a4112245bf275d984bb20fbc4d1c87a8db39a28cf54bd7afbe22693b07c4d124a78d1a1bef14f20c4557cf8a22b4c1ac7f423236382ca0ea1f0 |
C:\Windows\SysWOW64\Cfhkhd32.exe
| MD5 | 255575b0a821c14f694df388f898ef5a |
| SHA1 | ae3135e7b85ffe7d7a72de14e7d14bf0bf665c72 |
| SHA256 | de16174383b1e2f1b4da1075ed948e1a61928e2433b61795fc51ea2f1225f8c1 |
| SHA512 | d40527a5bdf1729ef561ed5a9372370570d2adc023b89aa197d4cc825cb0e2fa99c4b23cc72d2c535151575317cb7c0a96cb986c93d1ea9acb2359a67d31e241 |
memory/1244-406-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2832-415-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Dmbcen32.exe
| MD5 | 78c7fc8cc1e2d23b6b491accda6123c7 |
| SHA1 | 0d2b405bb0fdd848fa2df00a383c882ed4acac44 |
| SHA256 | c64b6d817a762a24451ad682648753e2cb59e59c5c01b34011bf2336a352b9b7 |
| SHA512 | 00224cb7b0362f1834a39cfd83f3416bac8ca7328a840632c4514dbc2a7c829037cf184666304230b4cd40738a80f469365364393def67462c371ee71c5ea3b1 |
C:\Windows\SysWOW64\Dpapaj32.exe
| MD5 | 51187e09dc9ebabf44f54f48c15650e9 |
| SHA1 | 833d4c64bb333e7bbbd1ba482c02b5445bf30648 |
| SHA256 | b376e65c7991e0d20f93b572fd1ad141028a9a27212fceb2c267a5a408e2e741 |
| SHA512 | d842d483212a7d98653e9cd23f7a47f336c613af167c468c4db31aba554dd9910001e3d4d98c51d030e249d39239b697da7a0a810370988dccec817be3b82626 |
memory/2636-420-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1760-427-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2636-426-0x00000000002A0000-0x00000000002DC000-memory.dmp
memory/2088-422-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1244-429-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2884-434-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2800-433-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3036-432-0x0000000000400000-0x000000000043C000-memory.dmp
memory/320-431-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1760-430-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1580-436-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1632-437-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1256-435-0x0000000000400000-0x000000000043C000-memory.dmp
memory/988-438-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1940-446-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2544-448-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2356-447-0x0000000000400000-0x000000000043C000-memory.dmp
memory/628-445-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2848-444-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1284-443-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1396-442-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1008-441-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1620-440-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1752-439-0x0000000000400000-0x000000000043C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 17:05
Reported
2024-11-13 17:07
Platform
win10v2004-20241007-en
Max time kernel
98s
Max time network
99s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bnkgeg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ncdgcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Nebdoa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ndcdmikd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Pjjhbl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aglemn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bganhm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mmnldp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bmpcfdmg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bganhm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Lllcen32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Meiaib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Mpablkhc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pgnilpah.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qgcbgo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Aminee32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ldoaklml.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ncdgcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Nnjlpo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Odapnf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Qdbiedpa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Olkhmi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qgqeappe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Danecp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Npfkgjdn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njefqo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Olcbmj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ojoign32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bffkij32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfpgffpm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bgehcmmm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Chokikeb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dmjocp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Opdghh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Ocbddc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pdfjifjo.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dgbdlf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Llgjjnlj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Meiaib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Npjebj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ocnjidkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Olmeci32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cdfkolkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Melnob32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Mnebeogl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Pjhlml32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qdbiedpa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Acjclpcf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Bjfaeh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Medgncoe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Mipcob32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Beglgani.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Cajlhqjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | C:\Windows\SysWOW64\Mgddhf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oneklm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Daqbip32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mgkjhe32.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Ocbddc32.exe | C:\Windows\SysWOW64\Opdghh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aminee32.exe | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fpnnia32.dll | C:\Windows\SysWOW64\Bgcknmop.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cffdpghg.exe | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| File created | C:\Windows\SysWOW64\Mckemg32.exe | C:\Windows\SysWOW64\Mplhql32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pjeoglgc.exe | C:\Windows\SysWOW64\Pggbkagp.exe | N/A |
| File created | C:\Windows\SysWOW64\Jlklhm32.dll | C:\Windows\SysWOW64\Ajfhnjhq.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhkjej32.exe | C:\Windows\SysWOW64\Daqbip32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pnlaml32.exe | C:\Windows\SysWOW64\Ofeilobp.exe | N/A |
| File created | C:\Windows\SysWOW64\Mpablkhc.exe | C:\Windows\SysWOW64\Melnob32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nckndeni.exe | C:\Windows\SysWOW64\Npmagine.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfajji32.dll | C:\Windows\SysWOW64\Ldleel32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qfbgbeai.dll | C:\Windows\SysWOW64\Odapnf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmfhig32.exe | C:\Windows\SysWOW64\Pjhlml32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nnjlpo32.exe | C:\Windows\SysWOW64\Nebdoa32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dhfajjoj.exe | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| File created | C:\Windows\SysWOW64\Jdipdgch.dll | C:\Windows\SysWOW64\Dobfld32.exe | N/A |
| File created | C:\Windows\SysWOW64\Clncadfb.dll | C:\Windows\SysWOW64\Ogpmjb32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pjcbbmif.exe | C:\Windows\SysWOW64\Pdfjifjo.exe | N/A |
| File created | C:\Windows\SysWOW64\Bhbopgfn.dll | C:\Windows\SysWOW64\Npjebj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lebkhc32.exe | C:\Windows\SysWOW64\Lbdolh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nkenegog.dll | C:\Windows\SysWOW64\Nepgjaeg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Baicac32.exe | C:\Windows\SysWOW64\Bnkgeg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cajlhqjp.exe | C:\Windows\SysWOW64\Cdfkolkf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dgbdlf32.exe | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| File created | C:\Windows\SysWOW64\Blleba32.dll | C:\Windows\SysWOW64\Mlopkm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Olmeci32.exe | C:\Windows\SysWOW64\Ojoign32.exe | N/A |
| File created | C:\Windows\SysWOW64\Agjhgngj.exe | C:\Windows\SysWOW64\Aqppkd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aglemn32.exe | C:\Windows\SysWOW64\Amgapeea.exe | N/A |
| File created | C:\Windows\SysWOW64\Melnob32.exe | C:\Windows\SysWOW64\Mcmabg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajfhnjhq.exe | C:\Windows\SysWOW64\Aeiofcji.exe | N/A |
| File created | C:\Windows\SysWOW64\Aglemn32.exe | C:\Windows\SysWOW64\Amgapeea.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Odapnf32.exe | C:\Windows\SysWOW64\Olkhmi32.exe | N/A |
| File created | C:\Windows\SysWOW64\Beeoaapl.exe | C:\Windows\SysWOW64\Baicac32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmnbeadp.dll | C:\Windows\SysWOW64\Bapiabak.exe | N/A |
| File created | C:\Windows\SysWOW64\Cjmgfgdf.exe | C:\Windows\SysWOW64\Chokikeb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aepefb32.exe | C:\Windows\SysWOW64\Aminee32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qgqeappe.exe | C:\Windows\SysWOW64\Qdbiedpa.exe | N/A |
| File created | C:\Windows\SysWOW64\Aepefb32.exe | C:\Windows\SysWOW64\Aminee32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cfmajipb.exe | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cjmgfgdf.exe | C:\Windows\SysWOW64\Chokikeb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Llemdo32.exe | C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe | N/A |
| File created | C:\Windows\SysWOW64\Fjbodfcj.dll | C:\Windows\SysWOW64\Agoabn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bhhdil32.exe | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfpnph32.exe | C:\Windows\SysWOW64\Chmndlge.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbloam32.dll | C:\Windows\SysWOW64\Cfpnph32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cogflbdn.dll | C:\Windows\SysWOW64\Dhhnpjmh.exe | N/A |
| File created | C:\Windows\SysWOW64\Gilnhifk.dll | C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qddfkd32.exe | C:\Windows\SysWOW64\Qnjnnj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pjhlml32.exe | C:\Windows\SysWOW64\Pgioqq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qnhahj32.exe | C:\Windows\SysWOW64\Pgnilpah.exe | N/A |
| File created | C:\Windows\SysWOW64\Oahicipe.dll | C:\Windows\SysWOW64\Afoeiklb.exe | N/A |
| File created | C:\Windows\SysWOW64\Cnnlaehj.exe | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmgbnq32.exe | C:\Windows\SysWOW64\Dhkjej32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ndcdmikd.exe | C:\Windows\SysWOW64\Nlmllkja.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bhhdil32.exe | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mplhql32.exe | C:\Windows\SysWOW64\Mmnldp32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pnlaml32.exe | C:\Windows\SysWOW64\Ofeilobp.exe | N/A |
| File created | C:\Windows\SysWOW64\Ccdlci32.dll | C:\Windows\SysWOW64\Pdpmpdbd.exe | N/A |
| File created | C:\Windows\SysWOW64\Papbpdoi.dll | C:\Windows\SysWOW64\Qgqeappe.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmgmnjcj.dll | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| File created | C:\Windows\SysWOW64\Gbdhjm32.dll | C:\Windows\SysWOW64\Neeqea32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ogkcpbam.exe | C:\Windows\SysWOW64\Opakbi32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ocgmpccl.exe | C:\Windows\SysWOW64\Oqhacgdh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dmllipeg.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bcebhoii.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mlopkm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nnjlpo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nckndeni.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ogpmjb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amgapeea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aminee32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ldoaklml.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lbdolh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mmpijp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjokdipf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dopigd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cdfkolkf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Njefqo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ojoign32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pnlaml32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pggbkagp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Agoabn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Chokikeb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mlcifmbl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Melnob32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pmfhig32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ndcdmikd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pjjhbl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Anmjcieo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lenamdem.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oneklm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Acjclpcf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjfaeh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfmajipb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dhfajjoj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mcmabg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ncdgcf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ogkcpbam.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ngdmod32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Odapnf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ajkaii32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bgehcmmm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmgbnq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mdckfk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nebdoa32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ojgbfocc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aeiofcji.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmllipeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cndikf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Baicac32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmiflbel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Llgjjnlj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mckemg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Meiaib32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oflgep32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Agjhgngj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aepefb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cajlhqjp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nngokoej.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oponmilc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pdpmpdbd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Nepgjaeg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll" | C:\Windows\SysWOW64\Ocbddc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" | C:\Windows\SysWOW64\Dhocqigp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ojjolnaq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Aqppkd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll" | C:\Windows\SysWOW64\Aglemn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cajlhqjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll" | C:\Windows\SysWOW64\Cnnlaehj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ldoaklml.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lbdolh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ojgbfocc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll" | C:\Windows\SysWOW64\Bcebhoii.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll" | C:\Windows\SysWOW64\Ldleel32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qnjnnj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll" | C:\Windows\SysWOW64\Lebkhc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Opakbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Olkhmi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll" | C:\Windows\SysWOW64\Cffdpghg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Lebkhc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll" | C:\Windows\SysWOW64\Bcoenmao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Llemdo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Lllcen32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll" | C:\Windows\SysWOW64\Bjddphlq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cdhhdlid.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Lbdolh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll" | C:\Windows\SysWOW64\Olkhmi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll" | C:\Windows\SysWOW64\Pnlaml32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll" | C:\Windows\SysWOW64\Lenamdem.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ldanqkki.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Meiaib32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll" | C:\Windows\SysWOW64\Pgnilpah.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Nngokoej.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Qddfkd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll" | C:\Windows\SysWOW64\Cfmajipb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Deagdn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll" | C:\Windows\SysWOW64\Lmgfda32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll" | C:\Windows\SysWOW64\Ncdgcf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Njciko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll" | C:\Windows\SysWOW64\Nckndeni.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Oflgep32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Aglemn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll" | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qdbiedpa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll" | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dfknkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddakjkqi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lmgfda32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll" | C:\Windows\SysWOW64\Ndfqbhia.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Odapnf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Pnlaml32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ncdgcf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Npmagine.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Cjmgfgdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll" | C:\Windows\SysWOW64\Mdckfk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Nngokoej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ambgef32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Ajfhnjhq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Npjebj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll" | C:\Windows\SysWOW64\Ocnjidkf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ojllan32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll" | C:\Windows\SysWOW64\Pjeoglgc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | C:\Windows\SysWOW64\Afoeiklb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe
"C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe"
C:\Windows\SysWOW64\Llemdo32.exe
C:\Windows\system32\Llemdo32.exe
C:\Windows\SysWOW64\Ldleel32.exe
C:\Windows\system32\Ldleel32.exe
C:\Windows\SysWOW64\Lenamdem.exe
C:\Windows\system32\Lenamdem.exe
C:\Windows\SysWOW64\Llgjjnlj.exe
C:\Windows\system32\Llgjjnlj.exe
C:\Windows\SysWOW64\Ldoaklml.exe
C:\Windows\system32\Ldoaklml.exe
C:\Windows\SysWOW64\Lepncd32.exe
C:\Windows\system32\Lepncd32.exe
C:\Windows\SysWOW64\Lmgfda32.exe
C:\Windows\system32\Lmgfda32.exe
C:\Windows\SysWOW64\Ldanqkki.exe
C:\Windows\system32\Ldanqkki.exe
C:\Windows\SysWOW64\Lbdolh32.exe
C:\Windows\system32\Lbdolh32.exe
C:\Windows\SysWOW64\Lebkhc32.exe
C:\Windows\system32\Lebkhc32.exe
C:\Windows\SysWOW64\Lllcen32.exe
C:\Windows\system32\Lllcen32.exe
C:\Windows\SysWOW64\Mdckfk32.exe
C:\Windows\system32\Mdckfk32.exe
C:\Windows\SysWOW64\Medgncoe.exe
C:\Windows\system32\Medgncoe.exe
C:\Windows\SysWOW64\Mipcob32.exe
C:\Windows\system32\Mipcob32.exe
C:\Windows\SysWOW64\Mlopkm32.exe
C:\Windows\system32\Mlopkm32.exe
C:\Windows\SysWOW64\Mdehlk32.exe
C:\Windows\system32\Mdehlk32.exe
C:\Windows\SysWOW64\Mgddhf32.exe
C:\Windows\system32\Mgddhf32.exe
C:\Windows\SysWOW64\Mmnldp32.exe
C:\Windows\system32\Mmnldp32.exe
C:\Windows\SysWOW64\Mplhql32.exe
C:\Windows\system32\Mplhql32.exe
C:\Windows\SysWOW64\Mckemg32.exe
C:\Windows\system32\Mckemg32.exe
C:\Windows\SysWOW64\Meiaib32.exe
C:\Windows\system32\Meiaib32.exe
C:\Windows\SysWOW64\Mmpijp32.exe
C:\Windows\system32\Mmpijp32.exe
C:\Windows\SysWOW64\Mlcifmbl.exe
C:\Windows\system32\Mlcifmbl.exe
C:\Windows\SysWOW64\Mcmabg32.exe
C:\Windows\system32\Mcmabg32.exe
C:\Windows\SysWOW64\Melnob32.exe
C:\Windows\system32\Melnob32.exe
C:\Windows\SysWOW64\Mpablkhc.exe
C:\Windows\system32\Mpablkhc.exe
C:\Windows\SysWOW64\Mgkjhe32.exe
C:\Windows\system32\Mgkjhe32.exe
C:\Windows\SysWOW64\Mnebeogl.exe
C:\Windows\system32\Mnebeogl.exe
C:\Windows\SysWOW64\Ncbknfed.exe
C:\Windows\system32\Ncbknfed.exe
C:\Windows\SysWOW64\Nepgjaeg.exe
C:\Windows\system32\Nepgjaeg.exe
C:\Windows\SysWOW64\Nngokoej.exe
C:\Windows\system32\Nngokoej.exe
C:\Windows\SysWOW64\Npfkgjdn.exe
C:\Windows\system32\Npfkgjdn.exe
C:\Windows\SysWOW64\Ncdgcf32.exe
C:\Windows\system32\Ncdgcf32.exe
C:\Windows\SysWOW64\Nebdoa32.exe
C:\Windows\system32\Nebdoa32.exe
C:\Windows\SysWOW64\Nnjlpo32.exe
C:\Windows\system32\Nnjlpo32.exe
C:\Windows\SysWOW64\Nlmllkja.exe
C:\Windows\system32\Nlmllkja.exe
C:\Windows\SysWOW64\Ndcdmikd.exe
C:\Windows\system32\Ndcdmikd.exe
C:\Windows\SysWOW64\Neeqea32.exe
C:\Windows\system32\Neeqea32.exe
C:\Windows\SysWOW64\Njqmepik.exe
C:\Windows\system32\Njqmepik.exe
C:\Windows\SysWOW64\Npjebj32.exe
C:\Windows\system32\Npjebj32.exe
C:\Windows\SysWOW64\Ndfqbhia.exe
C:\Windows\system32\Ndfqbhia.exe
C:\Windows\SysWOW64\Ngdmod32.exe
C:\Windows\system32\Ngdmod32.exe
C:\Windows\SysWOW64\Njciko32.exe
C:\Windows\system32\Njciko32.exe
C:\Windows\SysWOW64\Nnneknob.exe
C:\Windows\system32\Nnneknob.exe
C:\Windows\SysWOW64\Npmagine.exe
C:\Windows\system32\Npmagine.exe
C:\Windows\SysWOW64\Nckndeni.exe
C:\Windows\system32\Nckndeni.exe
C:\Windows\SysWOW64\Nggjdc32.exe
C:\Windows\system32\Nggjdc32.exe
C:\Windows\SysWOW64\Njefqo32.exe
C:\Windows\system32\Njefqo32.exe
C:\Windows\SysWOW64\Olcbmj32.exe
C:\Windows\system32\Olcbmj32.exe
C:\Windows\SysWOW64\Oponmilc.exe
C:\Windows\system32\Oponmilc.exe
C:\Windows\SysWOW64\Ocnjidkf.exe
C:\Windows\system32\Ocnjidkf.exe
C:\Windows\SysWOW64\Oflgep32.exe
C:\Windows\system32\Oflgep32.exe
C:\Windows\SysWOW64\Ojgbfocc.exe
C:\Windows\system32\Ojgbfocc.exe
C:\Windows\SysWOW64\Opakbi32.exe
C:\Windows\system32\Opakbi32.exe
C:\Windows\SysWOW64\Ogkcpbam.exe
C:\Windows\system32\Ogkcpbam.exe
C:\Windows\SysWOW64\Ojjolnaq.exe
C:\Windows\system32\Ojjolnaq.exe
C:\Windows\SysWOW64\Oneklm32.exe
C:\Windows\system32\Oneklm32.exe
C:\Windows\SysWOW64\Opdghh32.exe
C:\Windows\system32\Opdghh32.exe
C:\Windows\SysWOW64\Ocbddc32.exe
C:\Windows\system32\Ocbddc32.exe
C:\Windows\SysWOW64\Ojllan32.exe
C:\Windows\system32\Ojllan32.exe
C:\Windows\SysWOW64\Olkhmi32.exe
C:\Windows\system32\Olkhmi32.exe
C:\Windows\SysWOW64\Odapnf32.exe
C:\Windows\system32\Odapnf32.exe
C:\Windows\SysWOW64\Ogpmjb32.exe
C:\Windows\system32\Ogpmjb32.exe
C:\Windows\SysWOW64\Ojoign32.exe
C:\Windows\system32\Ojoign32.exe
C:\Windows\SysWOW64\Olmeci32.exe
C:\Windows\system32\Olmeci32.exe
C:\Windows\SysWOW64\Oqhacgdh.exe
C:\Windows\system32\Oqhacgdh.exe
C:\Windows\SysWOW64\Ocgmpccl.exe
C:\Windows\system32\Ocgmpccl.exe
C:\Windows\SysWOW64\Ofeilobp.exe
C:\Windows\system32\Ofeilobp.exe
C:\Windows\SysWOW64\Pnlaml32.exe
C:\Windows\system32\Pnlaml32.exe
C:\Windows\SysWOW64\Pdfjifjo.exe
C:\Windows\system32\Pdfjifjo.exe
C:\Windows\SysWOW64\Pjcbbmif.exe
C:\Windows\system32\Pjcbbmif.exe
C:\Windows\SysWOW64\Pggbkagp.exe
C:\Windows\system32\Pggbkagp.exe
C:\Windows\SysWOW64\Pjeoglgc.exe
C:\Windows\system32\Pjeoglgc.exe
C:\Windows\SysWOW64\Pgioqq32.exe
C:\Windows\system32\Pgioqq32.exe
C:\Windows\SysWOW64\Pjhlml32.exe
C:\Windows\system32\Pjhlml32.exe
C:\Windows\SysWOW64\Pmfhig32.exe
C:\Windows\system32\Pmfhig32.exe
C:\Windows\SysWOW64\Pcppfaka.exe
C:\Windows\system32\Pcppfaka.exe
C:\Windows\SysWOW64\Pjjhbl32.exe
C:\Windows\system32\Pjjhbl32.exe
C:\Windows\SysWOW64\Pdpmpdbd.exe
C:\Windows\system32\Pdpmpdbd.exe
C:\Windows\SysWOW64\Pgnilpah.exe
C:\Windows\system32\Pgnilpah.exe
C:\Windows\SysWOW64\Qnhahj32.exe
C:\Windows\system32\Qnhahj32.exe
C:\Windows\SysWOW64\Qdbiedpa.exe
C:\Windows\system32\Qdbiedpa.exe
C:\Windows\SysWOW64\Qgqeappe.exe
C:\Windows\system32\Qgqeappe.exe
C:\Windows\SysWOW64\Qnjnnj32.exe
C:\Windows\system32\Qnjnnj32.exe
C:\Windows\SysWOW64\Qddfkd32.exe
C:\Windows\system32\Qddfkd32.exe
C:\Windows\SysWOW64\Qgcbgo32.exe
C:\Windows\system32\Qgcbgo32.exe
C:\Windows\SysWOW64\Anmjcieo.exe
C:\Windows\system32\Anmjcieo.exe
C:\Windows\SysWOW64\Acjclpcf.exe
C:\Windows\system32\Acjclpcf.exe
C:\Windows\SysWOW64\Ambgef32.exe
C:\Windows\system32\Ambgef32.exe
C:\Windows\SysWOW64\Aeiofcji.exe
C:\Windows\system32\Aeiofcji.exe
C:\Windows\SysWOW64\Ajfhnjhq.exe
C:\Windows\system32\Ajfhnjhq.exe
C:\Windows\SysWOW64\Aqppkd32.exe
C:\Windows\system32\Aqppkd32.exe
C:\Windows\SysWOW64\Agjhgngj.exe
C:\Windows\system32\Agjhgngj.exe
C:\Windows\SysWOW64\Amgapeea.exe
C:\Windows\system32\Amgapeea.exe
C:\Windows\SysWOW64\Aglemn32.exe
C:\Windows\system32\Aglemn32.exe
C:\Windows\SysWOW64\Afoeiklb.exe
C:\Windows\system32\Afoeiklb.exe
C:\Windows\SysWOW64\Ajkaii32.exe
C:\Windows\system32\Ajkaii32.exe
C:\Windows\SysWOW64\Aminee32.exe
C:\Windows\system32\Aminee32.exe
C:\Windows\SysWOW64\Aepefb32.exe
C:\Windows\system32\Aepefb32.exe
C:\Windows\SysWOW64\Agoabn32.exe
C:\Windows\system32\Agoabn32.exe
C:\Windows\SysWOW64\Bfabnjjp.exe
C:\Windows\system32\Bfabnjjp.exe
C:\Windows\SysWOW64\Bcebhoii.exe
C:\Windows\system32\Bcebhoii.exe
C:\Windows\SysWOW64\Bganhm32.exe
C:\Windows\system32\Bganhm32.exe
C:\Windows\SysWOW64\Bjokdipf.exe
C:\Windows\system32\Bjokdipf.exe
C:\Windows\SysWOW64\Bnkgeg32.exe
C:\Windows\system32\Bnkgeg32.exe
C:\Windows\SysWOW64\Baicac32.exe
C:\Windows\system32\Baicac32.exe
C:\Windows\SysWOW64\Beeoaapl.exe
C:\Windows\system32\Beeoaapl.exe
C:\Windows\SysWOW64\Bgcknmop.exe
C:\Windows\system32\Bgcknmop.exe
C:\Windows\SysWOW64\Bffkij32.exe
C:\Windows\system32\Bffkij32.exe
C:\Windows\SysWOW64\Bnmcjg32.exe
C:\Windows\system32\Bnmcjg32.exe
C:\Windows\SysWOW64\Bmpcfdmg.exe
C:\Windows\system32\Bmpcfdmg.exe
C:\Windows\SysWOW64\Beglgani.exe
C:\Windows\system32\Beglgani.exe
C:\Windows\SysWOW64\Bgehcmmm.exe
C:\Windows\system32\Bgehcmmm.exe
C:\Windows\SysWOW64\Bjddphlq.exe
C:\Windows\system32\Bjddphlq.exe
C:\Windows\SysWOW64\Banllbdn.exe
C:\Windows\system32\Banllbdn.exe
C:\Windows\SysWOW64\Bhhdil32.exe
C:\Windows\system32\Bhhdil32.exe
C:\Windows\SysWOW64\Bjfaeh32.exe
C:\Windows\system32\Bjfaeh32.exe
C:\Windows\SysWOW64\Bapiabak.exe
C:\Windows\system32\Bapiabak.exe
C:\Windows\SysWOW64\Bcoenmao.exe
C:\Windows\system32\Bcoenmao.exe
C:\Windows\SysWOW64\Cfmajipb.exe
C:\Windows\system32\Cfmajipb.exe
C:\Windows\SysWOW64\Cndikf32.exe
C:\Windows\system32\Cndikf32.exe
C:\Windows\SysWOW64\Chmndlge.exe
C:\Windows\system32\Chmndlge.exe
C:\Windows\SysWOW64\Cfpnph32.exe
C:\Windows\system32\Cfpnph32.exe
C:\Windows\SysWOW64\Cmiflbel.exe
C:\Windows\system32\Cmiflbel.exe
C:\Windows\SysWOW64\Chokikeb.exe
C:\Windows\system32\Chokikeb.exe
C:\Windows\SysWOW64\Cjmgfgdf.exe
C:\Windows\system32\Cjmgfgdf.exe
C:\Windows\SysWOW64\Cagobalc.exe
C:\Windows\system32\Cagobalc.exe
C:\Windows\SysWOW64\Cdfkolkf.exe
C:\Windows\system32\Cdfkolkf.exe
C:\Windows\SysWOW64\Cajlhqjp.exe
C:\Windows\system32\Cajlhqjp.exe
C:\Windows\SysWOW64\Cdhhdlid.exe
C:\Windows\system32\Cdhhdlid.exe
C:\Windows\SysWOW64\Cffdpghg.exe
C:\Windows\system32\Cffdpghg.exe
C:\Windows\SysWOW64\Cnnlaehj.exe
C:\Windows\system32\Cnnlaehj.exe
C:\Windows\SysWOW64\Dhfajjoj.exe
C:\Windows\system32\Dhfajjoj.exe
C:\Windows\SysWOW64\Dopigd32.exe
C:\Windows\system32\Dopigd32.exe
C:\Windows\SysWOW64\Danecp32.exe
C:\Windows\system32\Danecp32.exe
C:\Windows\SysWOW64\Dhhnpjmh.exe
C:\Windows\system32\Dhhnpjmh.exe
C:\Windows\SysWOW64\Dfknkg32.exe
C:\Windows\system32\Dfknkg32.exe
C:\Windows\SysWOW64\Dobfld32.exe
C:\Windows\system32\Dobfld32.exe
C:\Windows\SysWOW64\Daqbip32.exe
C:\Windows\system32\Daqbip32.exe
C:\Windows\SysWOW64\Dhkjej32.exe
C:\Windows\system32\Dhkjej32.exe
C:\Windows\SysWOW64\Dmgbnq32.exe
C:\Windows\system32\Dmgbnq32.exe
C:\Windows\SysWOW64\Ddakjkqi.exe
C:\Windows\system32\Ddakjkqi.exe
C:\Windows\SysWOW64\Dfpgffpm.exe
C:\Windows\system32\Dfpgffpm.exe
C:\Windows\SysWOW64\Dmjocp32.exe
C:\Windows\system32\Dmjocp32.exe
C:\Windows\SysWOW64\Deagdn32.exe
C:\Windows\system32\Deagdn32.exe
C:\Windows\SysWOW64\Dhocqigp.exe
C:\Windows\system32\Dhocqigp.exe
C:\Windows\SysWOW64\Dgbdlf32.exe
C:\Windows\system32\Dgbdlf32.exe
C:\Windows\SysWOW64\Dmllipeg.exe
C:\Windows\system32\Dmllipeg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6588 -ip 6588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6588 -s 424
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/1972-0-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Llemdo32.exe
| MD5 | 61bc3c102b236ee230823cecd7b22a9b |
| SHA1 | 93a16e88172a86c62d10fcda99de1fa97c7b2275 |
| SHA256 | 2daf6d6b95564f785ad16ca1314dd5c4705ff47e75f73894b4b6818364edce3a |
| SHA512 | 75a25d00800a5cf3bffb99670248fe35900b9a156c0178013796ce5e282089c6748b343c5eba1d8f65e025b154d7dc33f89a156b461aaa9428d50b11f860e6d4 |
memory/3216-8-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Ldleel32.exe
| MD5 | 8645e485aa3a89e836c239de4b814472 |
| SHA1 | ebbf2027a488db8916a25d76be712ddd0c4f11ef |
| SHA256 | 565043d3307bd9eea38e84b36c71703aadfb106bed1aee4ceea5da637b075284 |
| SHA512 | 0adde047c759ada6840cf461cd4d59704ee985f61458ea75c2f0551139f98ffe23c3da4d4b0ca124c5e96b6a2e5056c2c846332e1d9a833eb1da23f451a97a49 |
memory/60-15-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Lenamdem.exe
| MD5 | cd96700f95f5319c217095eaece0bea4 |
| SHA1 | 1c0dd4e37aa7a01f8d66e056e3df01c51a23625f |
| SHA256 | e27407efd9af2ec307ad3fca4173a7adfdc0ef6e8847b220845a0f18950359cd |
| SHA512 | 374d9b10712be0b6e33289c33969dc217eafb7b8fd28a82fb4149200d1228012a9e95a18b2fbc22d5197ecf51151d1d3d0f6d9f9d8161a8ebe56ef534e30131a |
memory/1552-23-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Llgjjnlj.exe
| MD5 | 3d3e6ef0cfff84b43540d44bdc0a5778 |
| SHA1 | 54c6de356d7359e2be8b9689a53de2faa2767337 |
| SHA256 | 5dde1cdd0d9317195d304ff6d7f62a558302abe97738ec44cfdd4ac661d4452a |
| SHA512 | 20d4d8706a622e89f5fb5f870f9dd37941186aee7d9b58576437237438c760ba20f342be4b2812d06ef40006da6f20c8f1e60ebdfdb80d4826259a6f7dadc25c |
memory/1580-32-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Ldoaklml.exe
| MD5 | 95784d59c377261979f2c7684c21c21e |
| SHA1 | 03123c2e0b568b7d68cb9dd98f7a3055dee281a4 |
| SHA256 | aa51593da5fc4f3fc89525efdba1d0cb69d0500fa2307eb5c6faf8a7749f1d0b |
| SHA512 | 078152ef7d0b62079a038034fd096684a394c1e75101b8584f012aa130e078fdaad0b36bb55bc69e65cec43300ad3bdfc63f1cd42535513ae09b004ec12be67a |
C:\Windows\SysWOW64\Hflheb32.dll
| MD5 | e3bd0553707e343fb6a4c4f7edcb00e8 |
| SHA1 | 64db2a523cb7081f19b3413ac57b5789b2772c49 |
| SHA256 | 400918b9f73fa6ae96a9becff20611ef4f7e05a76e9b07823b8012d6559336b6 |
| SHA512 | f07555ab822798169e9a72c8102e29aa9cfdccca3cc049f08b163753c7652b5cca7502a1dda87cf040c360527b5bb2021f8679f09fe6b51faee301961493a404 |
C:\Windows\SysWOW64\Ldoaklml.exe
| MD5 | 7bba9bfbf50c4d3b40b45e10e88efb6d |
| SHA1 | ebff54634476a85b30e55f1d7be61bb3dd2f1ac3 |
| SHA256 | 889070ebe5ac2d9cf549a6fa1587face48e3a2d96d56ba348591696c8f49e6d1 |
| SHA512 | dc4617c07440046708aab657e6d4645eba8a64fac1549adf563a515369da9ee1ea08aeebffa78e5a06b6d33c10ed369eba8b9f690b58ff494b280044031a6b62 |
memory/1172-39-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Lepncd32.exe
| MD5 | a486af3943e202ac0810bcad7aa93c6e |
| SHA1 | 7a3c2f649744f4884467adf81e66cf9ef19cb9ff |
| SHA256 | f0827bde1d32df84b804dc7ad50c7d6a26d0ba1b0f8bbc01f66e1514b5ac2eb5 |
| SHA512 | 4c61373eabf4d2b1570f4f24d9b27979e8f8d4d6b99fb307179f8ae48424778a8c8fd38c1731e6617f5371eb008413b851059223fab1e6b390387875fcd5878d |
memory/4492-47-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Lmgfda32.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\SysWOW64\Lmgfda32.exe
| MD5 | 5412da8f0ae33786265da50da7e2a12b |
| SHA1 | e005f08c78e3d4311452cd2f1410678ec20a1385 |
| SHA256 | 5579601a90dbb71df8150591241e9cabf52063bc03f89092ef1f2fcb7817029b |
| SHA512 | b62047637780bcaabfc1a2b8d121a2db11eac4511ec8f762b0f10d6cc8d74c6577bdea422b063b1ccf70ae9c5fd48d9c1167c70103af33a393b3bc8e35298922 |
memory/4856-55-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Ldanqkki.exe
| MD5 | 0d6b76ded4fc15f1ebb2020f3d5c6a60 |
| SHA1 | dfb50e46f11ba602ff0299792d234ee2c7fd8af4 |
| SHA256 | 8c53af124abffd16825134170f2d38f0e72086972cc9da0daf91c3087a8832ab |
| SHA512 | b95d32763c543f99346e2c5aff60ec85da5c08ae4fdde48bfbdae3b3760b8159cef43f02a616288ba5ce885a4327a36908d5b0a11b330aa6f0a242e5567bb3c7 |
memory/2708-64-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Lbdolh32.exe
| MD5 | 3ff94eede6361a087fa1d2cd9e891665 |
| SHA1 | 9d15b9327c95c66f8281c9e628c30c5ce2a3eb84 |
| SHA256 | ea7cb6cce42698d1c61be49c7c8bba70d335bc9fee93f4802350127daf3af1c5 |
| SHA512 | e24259ac213c8bdc8cc2d930e18d56c5fef0a8de391ad43083864a3715d483a7086bfc5a435151e559465cfd6b1e66f7d4ccc3c1d6c7de27b307732606352cf6 |
memory/940-71-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Lebkhc32.exe
| MD5 | 9882e271517b824c4ce8e160b4391004 |
| SHA1 | 7af825ce6943ac7511541fe8a9071a052a15cde6 |
| SHA256 | 446ab65b6f9f4eca1a791f947cfd4e32620e2f3b2da3654ccae53297f4390b42 |
| SHA512 | 36e5e4e702062628c20f9d9aeb48b2e1d9f2a538017f1a3a919b1b73408e96e7322cda9dd44c7009ccf60e7033e72d4f9b2e5ff6792a607c2294ce441b8ee936 |
memory/4832-79-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Lllcen32.exe
| MD5 | 3ab87381098b578dec273ff5d94c1893 |
| SHA1 | 99e2899c97a877e281d745339e0d570397da2bb7 |
| SHA256 | 566e9ed89a4cfa2ab7db9d2c696cf84cca7f5141ea2abf415f96690abf69c97f |
| SHA512 | 38d4dd4d490ee6cf9ce36732cb41bfa795d6c68f524584f9116af98632288bbfc210b2a4304c42d53b08fb1c60c0ae22684ef83c3d99a1c8833d8d7c730a760d |
memory/4024-87-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Mdckfk32.exe
| MD5 | 1f33dea103a9b78b7e180661fb53b058 |
| SHA1 | 9aaf4ecf4f6d834b8f1906ce2895002cab171588 |
| SHA256 | 7b8e6c9a359fa9fb92705136baa749595f0193b2e53978c85f5bccb51619528f |
| SHA512 | 3e07414fe28d0932d37cc0d2fb45c2a6c71608f79d353a4f065b042a19f196693057d3a191663225cb6ed5612fd752072df78726289cc5187adb6681f2e6418b |
memory/2476-96-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Medgncoe.exe
| MD5 | a5414e2b632f5aacb3a44060691543d8 |
| SHA1 | 5df9f826fbf797ca879ec239dfae42d971f5a284 |
| SHA256 | 8c167d6fe6357c31f22fab321667ea75c1a8fd2bc2225cd201c88a6fa6cfe35e |
| SHA512 | dcb14d45eed6fbadf59250f8d583b643b49f2a10006d0d296eec750acf846c3e1db2db10f5020913d28aa777e991ad0a9b75b5249f564c94518b8d84adb1482f |
memory/1064-104-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Mipcob32.exe
| MD5 | c53d6147d95ed620bdfbf2f1634255d7 |
| SHA1 | 0dde1947fb19e47d1081db06584abd54aa96724c |
| SHA256 | d4d92c08ce41faa2d6db6ec604a1902982c4cec426d61a219a0d62614ed4b91b |
| SHA512 | b319fc0dd7d4298877c64a70d803cbf60c38786001d907bee8cc479937771eaf64827282dfb3fae3f2fc58e28c24fddcf8253abfd3f0e4bf71a4fb3ba8f01179 |
memory/2392-112-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Mlopkm32.exe
| MD5 | a554c9b9a6b5cc268613f6c64f472238 |
| SHA1 | 69783ab9ad8da341453098b3ac965fc13f363e49 |
| SHA256 | 41971ac9b26e8d0a96c546b15d608efc796c4ff454540b24eb4cbb8c74027174 |
| SHA512 | 9e49480d379ac49fdf5ce079b49c7cdbd7482a8c8fdda5556235f64b196524e2e088850b8965827ea6467a99bb2015703b669c63eeec543dfbbaf7f50765fe4a |
memory/1468-120-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Mdehlk32.exe
| MD5 | a9f749f54fa8e1ae40ddc09314775ae0 |
| SHA1 | 21a5344a34a17ef8f5d6672f30a478d999a0ee52 |
| SHA256 | 946ef1331a46d004b60bb646b43a6be631ac1282a08f8ca221f78109d565645c |
| SHA512 | b0bfc34c2b22042f1662ade12a39289875c2c5cc88787faa5605f58863187db1cabff4e2f4ff0a08a8325b81d747e8c8561bc60943ecd5157750816805ac52e4 |
memory/4592-127-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Mgddhf32.exe
| MD5 | 4e9644528d1374c4d34b1d782cd6c179 |
| SHA1 | f84ce560d5e202807a58c49a63b6759d5fd298d5 |
| SHA256 | ba08b1716e7894310b2fe725ac74d67838dc78d9a3f89118bf2682442b92d4b6 |
| SHA512 | 9aa32a54bd1c3ff3b3a92af24fc03069816e5a8e7885f48a8d8227c95fb72e12b72fcf62a880cb3fad58284fcffc19a3cfca88e9226f386c6ef2f7980848a895 |
memory/1924-136-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Mmnldp32.exe
| MD5 | 7179f16c979290367224328f53180038 |
| SHA1 | 92958b7b521aee6832534d67f1c190ab95a64f01 |
| SHA256 | 6423e40a88b0f83de0d9811f47420088f524f2e7bf2d83d9160db1abf28f3ac1 |
| SHA512 | 61ec18f6624ce3e0836d251544a509689bbe54793b2779bbc0fb32f638d41acba38cf6e8a1e2488961a6613adc70e360ffb868292f29c1919d76b23b0f007440 |
memory/5116-144-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Mplhql32.exe
| MD5 | 78095da975b5daf44b1a19bfcee56337 |
| SHA1 | 7b13a3fa0be17d419f8cff24ee698aadb2f0beb9 |
| SHA256 | 5b90b4b2554db83f17d1987fd1074e14cc222b376abf9f3fb993cfeff574b270 |
| SHA512 | 0aadee45a71e7d4b4a878f2ca2d88d24f78999aae2bf5504a4f90f2b57f088cfa73c6693f025856eda11b9fef0b9815679fd15675988420ebd981962551d9291 |
memory/3516-151-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Mckemg32.exe
| MD5 | 051a5b34c55f3a6627704cdd85a5eb65 |
| SHA1 | 90cbd308482a914f61406ce766ac24f0d9cce339 |
| SHA256 | 7c9230329eb96fae7541e092abedfd7d4329dcc21799b2676390b6bf9462261d |
| SHA512 | 8819f27b300c24c2440ee8fe2a02571d1cd65897990e59b615d91a9fbb795c0744efe850acbfdb04c9e869d6ccba84cef074da31959e68fde5dc9abe45090e04 |
memory/2928-159-0x0000000000400000-0x000000000043C000-memory.dmp
memory/804-167-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Meiaib32.exe
| MD5 | 658d70e39c4d7ecb842838225824413b |
| SHA1 | 7a3e6f056f725a393383749560fc0294ebf30a86 |
| SHA256 | ba3a9257785f196f547375e32406821690f9f0b3f0a31ddedd5a78ee8b1573df |
| SHA512 | 5d9625e0538fc77b48be2d571596ebe6c605a81f4c19a58678411e124cf11027c14eb6548f644882ec182ce3ff26ca206f51a0598d52234bb1e99bdd34e021ae |
C:\Windows\SysWOW64\Mmpijp32.exe
| MD5 | 50b83a5cd3c6b82ab57947ae4506ccc1 |
| SHA1 | 48b4fa305ebd4fa975e2d2a2e4ad4774e0ca376c |
| SHA256 | 38c7cd7f02bd0d483596e53c7dfb77a7d9d00a63c18b7e6a7cbb5e60606e0ab4 |
| SHA512 | 08903ff1ff2624c0cd0af8b2239f7d081a1d72c36fd1c15dc092dafe860ec98b94fd75a01b73cbc745fd4152a76fa7ee8babf843dc3c6965655906372674046b |
memory/3308-175-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Mlcifmbl.exe
| MD5 | 7f748277870a461109e942772e372912 |
| SHA1 | 7437dc3fc3450b4627712e16373f51b0eeb9fef1 |
| SHA256 | 0d77c1e968fdb2d7fa1e9208b8f18cca2937a969a35ec45f8cfd6f0331d74037 |
| SHA512 | 175cb9e3709ad1e5c754dc54eb3fed7e73d31af940539af6059473c6db0c4cc28476cb2e2da5d5eebe8a9c81201ec026de9a16af387ce0f3c697743917185ade |
memory/5020-183-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Mcmabg32.exe
| MD5 | e60af978f3569d7512dfe9ac904c93f4 |
| SHA1 | 6dee69e8e22c6e45b2c67f079cea68a2dd624774 |
| SHA256 | 5796c52b15aebb84863e11d277432a8eb1c55d5582137201403065b74f878e1a |
| SHA512 | f6ec6d5189cfd723286b838f8945ac45476b312ba19ca42b6dac66d6b2012cc1d5725a2c8f7df4b748f5ad73fa2d99cc3359497b05f0a5ecb68742f295b8488d |
memory/2884-191-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Melnob32.exe
| MD5 | 6bd759aa8f6bbe83ba90a720f8a61e33 |
| SHA1 | b72a80f5d1ca964e3decce95e365a5376ff2edcf |
| SHA256 | 792f61548d1382d2c690c0dae77471180a0150141a9a49c9ee48fc6a8e098032 |
| SHA512 | bdd3d8552fe1769bbcd40b553ae90421763724a32972a9e1068d66baa97cb4c5b2f21920315be3787171f64fa8e6804751ff308d493dc84a7fdd7665733ba734 |
memory/208-199-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Mpablkhc.exe
| MD5 | 0f23c112cdb9b80d8cb3143c2708168e |
| SHA1 | 26d16c0c43079640890e23890781a99b2ed490bd |
| SHA256 | 02cf8815d894f6d89b0a65adafbbbcba2b61ab6231f999e3a29c9741049ad938 |
| SHA512 | a4149fdcbabfe3a13c300a4ecbc6e22a3b9f6f72e2faada655361dfa5a2d49b3e39b04d6affcf8930804b8d4658e6f4939c8f640fca92f659348632a22653ea3 |
memory/4544-213-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1340-215-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Mgkjhe32.exe
| MD5 | 6378714a71460bd4c7c4dcf34c6296da |
| SHA1 | 51495a9e32f2e015d7215151fffb828a42959bff |
| SHA256 | b4f1d27e19e85325726796c09dce5c810def512666af64ad0186b99acf0cf600 |
| SHA512 | d23de1ff4c892b2e8414b04f0abe9d3ba13ceab9eee5a2926d6c18734139b38d785cf9bae98b8028ef113ed2d8330c5eb0e3c5a11f5e36d086c95aaf672d0a84 |
memory/2060-223-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Mnebeogl.exe
| MD5 | b58789cf362acb2f73f4252ef7c5faf4 |
| SHA1 | 036c6dac406077981ef9c04ea5b647cb899aaf15 |
| SHA256 | 1d87bc707e4775c5a5482ec415c6f47124306a261db2916cdca3d873f3070f2c |
| SHA512 | 87af15f6484c38fe3e13ed3b6f4a40a3da38f4faf0801cb41d006cf5153d696f4d89ad92686c94a68581dbc08d642c26279b48dfd215946e1695907a946c6603 |
C:\Windows\SysWOW64\Ncbknfed.exe
| MD5 | dfefc6c1ef305bde420ab94d6b5fb780 |
| SHA1 | 317d2cb619918f4f0218ed2e8115e8172b02f901 |
| SHA256 | ac389e9cd82f300676531862d8d67c59cd37d984d6001dbabaadbd77487bfc04 |
| SHA512 | 6d7107c6614c8d68a421bce94c4d1c312b856814101e40ad2ef56e874cdcc3d14ebd9a8e60260ca0b579b86a4a5ebab2bc4de52d6c2c3544f11634b664044869 |
memory/4584-231-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Nepgjaeg.exe
| MD5 | 47c43c2d5dab173679ab1acf072a8041 |
| SHA1 | 2ea1e1d8ea5d2ef3dd03d15eab0cf8db25b19610 |
| SHA256 | d7d5b5a6846f2f85a7c8f872df7f5294e392d0645fcb068a7863e384ee986912 |
| SHA512 | 0efd183dbceb6afb3d26d0d88718f8f007703bcebe72c024271cfb5a2c23497ebaacd993c7076e544c802ebb85f0260789987a2cc630a7a73cd19b480728c21c |
memory/2448-239-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3428-247-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Nngokoej.exe
| MD5 | b59c7626a5cb7f9854d979611fec4318 |
| SHA1 | abddd19f0ecdf517720c5ef8516fb2ca765e540d |
| SHA256 | 1a8fba95c67eb3bd8a761e12a0a1a5152739e3c3e6bc97b1a3a1f9f29fddbab4 |
| SHA512 | 7e6f0213f7357d38bf62be17d7d2f8a195f06eb82255e186ad5b317472d88e1be79b62cc5de360f1c3fa4493681c5d1e751349a0ae48afe810ce95ebd4c9cc20 |
C:\Windows\SysWOW64\Npfkgjdn.exe
| MD5 | c79d667bd9d82d2aa0ab6e46ded86c18 |
| SHA1 | 0d0bebe7f88f5ca39bee6bb8fd3c0cec4827c9f3 |
| SHA256 | 1f43f7ae7a807f22ac07979ba0f72daad6e4bf121138b82d7421697d1a7f61f5 |
| SHA512 | 629054142d441939b8c6dbe503a5e4e6d8e1416d2513ed78f858d65bd0ac43673af43fc32065d742587b299ef28b44f194f2d203cee36d6168202b43da69a12d |
memory/4944-256-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2400-262-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2168-268-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2800-274-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3268-280-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4996-286-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4168-292-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1028-298-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2024-304-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3244-310-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2792-316-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3328-326-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2312-328-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4472-334-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2592-340-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3288-346-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2288-352-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4684-358-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2472-364-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Ocnjidkf.exe
| MD5 | bb6f779c371b5a29218b8fcde2164307 |
| SHA1 | 0b175a3cb25ce2e34c0f7f86eb72cafab3e597cb |
| SHA256 | db4bda8b141fff51574deb6446d44e5d10a30d39f817941b5a8c698b06f324a5 |
| SHA512 | 11ee184069b478699891ade8a03296bf02fc4d48c2faafa549039064c893ee4d4cf128987200cbae13f9f289af8b128238d6ff3309bd1eac921c8a252427ae88 |
memory/3572-370-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2248-376-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2544-382-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2936-388-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2208-394-0x0000000000400000-0x000000000043C000-memory.dmp
memory/464-400-0x0000000000400000-0x000000000043C000-memory.dmp
memory/400-406-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4316-412-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2568-418-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4548-424-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1880-434-0x0000000000400000-0x000000000043C000-memory.dmp
memory/860-436-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2484-442-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4920-448-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3112-454-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4392-466-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4452-465-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3684-472-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4620-478-0x0000000000400000-0x000000000043C000-memory.dmp
memory/5040-484-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3900-490-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1536-496-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4844-502-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Pgioqq32.exe
| MD5 | f22f9abc3b2b2fe6043af838a45cc9cd |
| SHA1 | 382b2b67d6f85961043f02e8b4fb8d8d606e5775 |
| SHA256 | c6725a96ef1ea7e2f83e8680833a9d76a2d43f3bbfcba7341f6e69f37caa411c |
| SHA512 | db2e428f1cc820fe7f61f9e3cb850c91a62494093289ef72be7fe568a82a5b2e9f4c82ea28cc78ed5b11019aa8bfdc19a2d702138992ba7b86130b6932bbbb1f |
memory/2620-508-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1300-514-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2052-520-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3552-526-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2908-532-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2396-538-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1972-544-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3192-545-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1436-552-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3216-551-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4580-559-0x0000000000400000-0x000000000043C000-memory.dmp
memory/60-558-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1996-566-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1552-565-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1580-572-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3576-573-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1172-579-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1056-584-0x0000000000400000-0x000000000043C000-memory.dmp
memory/4492-586-0x0000000000400000-0x000000000043C000-memory.dmp
memory/5152-587-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Windows\SysWOW64\Anmjcieo.exe
| MD5 | 7a9773f88feedc786a3167a292a23993 |
| SHA1 | 57e45258e390fc57279aad611c85a8ac8bd099aa |
| SHA256 | 8363a4bc535a475d9153698cfe398abcf513c6765b5f4442d1135b0d4da4c9d6 |
| SHA512 | 2a209ba36c4a320731b2e769855981501ca8c0c9f204d659533c51b68a3494bef32e2f9f5e01518e3daad8f127b630366fd21c80edaabaa138f79adba969655b |
C:\Windows\SysWOW64\Ajfhnjhq.exe
| MD5 | d63df0bd983a2f1c01acc46ec6c7e88b |
| SHA1 | 77855e29e90b5699d7e75c38707a62f7d335829d |
| SHA256 | f3a5bbfed47f0acf97d34b3503de624a41b5552fa848cbac8618a03f62e76423 |
| SHA512 | 431d12e9f0040d256b2a010123a9d13cd8df2be1ee32463effc037931f8f325b99f69b31a4419904ae5859bf426e694d9b1e05ec03e248c1dbd5349b207e1f0a |
C:\Windows\SysWOW64\Bcoenmao.exe
| MD5 | 63504fa65dd85df42959407b45d8539c |
| SHA1 | 3a799559aba13a5a8e91450e6dc8095e5559c292 |
| SHA256 | fb8bce97d7d58c1c6e31167cb37cf133d56dcdadf0be3237ec90793759df61fa |
| SHA512 | 6ceba7a1ba98c1dffa93710a41d90324d1dd4277e5cb5cc506512e6e0dec15549e0b068ee8c4377333d6b53a1499a5829bea740656345d2319544130cfebf38a |
C:\Windows\SysWOW64\Cmiflbel.exe
| MD5 | b482e763931972e41fd1b0cf36e8733e |
| SHA1 | e86b410e28d2ee22c9d586b67bc5d3f2606003b3 |
| SHA256 | f06bd1b9e55a13ca4fd516c6e44f211bb6473f014f9b01f32b28d785f480090d |
| SHA512 | 672a6fa93e99c2ab54074295601a283322a5edc0bc5ee1992fb559be6b5fe1970c5a01b54cc09824b5e340b1c037dbde2485860b7f54d4df7d8626a7089ca6c1 |
C:\Windows\SysWOW64\Cjmgfgdf.exe
| MD5 | 41762e0be501a33e455bdbab8a196ee8 |
| SHA1 | e268c95058b8c4f8f217f6b9d855291ca58d92a8 |
| SHA256 | 60c4131699095f46d3987b9b2f3dccb38cd04a3050ecf6a2195682791e1e5f5c |
| SHA512 | cc11062e97e240eeca143a817716e997caf5c89736b7b3a2f2e26c6952e6051be43203fd1dbe61e2817abb1a585498583e021663b87c3e98a8156d56eceaa8a4 |
C:\Windows\SysWOW64\Cdfkolkf.exe
| MD5 | 37da7d2b53003188ea61a0f60c8da848 |
| SHA1 | 7c1ea475570483bf96bbd19d7ef2e9b4d9489692 |
| SHA256 | 79168e6d37ba6c01bd763756cbace30331a5e0a8694f0abf5481405e71a4a205 |
| SHA512 | 9cd111d613e49b1524a5daaae805bc6102f5465e8bea04362ec6a5f0a1ba26d149b72f3272688b501b56663d6b32b2609940d359be451858ba479ad2f9e2db7f |
C:\Windows\SysWOW64\Cffdpghg.exe
| MD5 | f219c9daa19dd361a65bc0e2d97e18f4 |
| SHA1 | 90b845ac0d98938fe6c8adc002b622e58f1afc14 |
| SHA256 | f5b33f19dd78e13019a15a6b3a9ff14197b20bfe97b1e753dd0ed5011a0b386d |
| SHA512 | dfcd5e6e5ee4314fc90a751a62ed261f01c96a52d592ce7105eb5ee76ff87c7d6679df5583b212718d385ede89ac1c60f064830430965c379f79e659ad69c6b8 |
C:\Windows\SysWOW64\Dhkjej32.exe
| MD5 | a59d1e13a8dcaa9d6a6ee5c723ed833c |
| SHA1 | a9145ba37fbeada52157e856b65bf5e0b8d809ee |
| SHA256 | 17524d4b95c7743cb44106967ead6a3af6590c0e1bcd31763dcf295facd164f3 |
| SHA512 | 349b3502c269b635b6d7e16c174b915e8f5d6422728c26e9530a38bed9a6e6077d3024a5a0a9b955a7c07753bcbd6d10eb924b62494f4dce3871448c5384e23b |
C:\Windows\SysWOW64\Dmllipeg.exe
| MD5 | 20a4b57000745af9f42725dc5c649749 |
| SHA1 | d8d0fd59ba45716b45ad483ab0eb936649263f55 |
| SHA256 | 5ba3ac5846a6381a282d7017aa67dbcb7c12b2ba425a117fdf281ba5d886e2f4 |
| SHA512 | 06473cd2f21b05390dbf1f4cee77b53bd4cd04e88149ff6c948b6b1a2da823693adc032fb1a73063468bad509c02869993e2ab78314615ffb96ca50474e278c8 |