Analysis Overview
SHA256
c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9
Threat Level: Known bad
The file c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe was found to be: Known bad.
Malicious Activity Summary
Berbew family
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Gozi
Gozi family
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-19 08:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-19 08:19
Reported
2024-11-19 08:21
Platform
win7-20240903-en
Max time kernel
26s
Max time network
18s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Becnhgmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pdaheq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pbnoliap.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Baohhgnf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cbdnko32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmjqcc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aganeoip.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aaolidlk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Acmhepko.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Becnhgmg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pmjqcc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Baohhgnf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pdaheq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aaolidlk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aganeoip.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Acmhepko.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pbnoliap.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pfdabino.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pfdabino.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cbdnko32.exe | N/A |
Berbew
Berbew family
Gozi
Gozi family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\Becnhgmg.exe | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjdplm32.exe | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bmeimhdj.exe | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfpifm32.dll | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| File created | C:\Windows\SysWOW64\Aganeoip.exe | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| File created | C:\Windows\SysWOW64\Afgkfl32.exe | C:\Windows\SysWOW64\Aganeoip.exe | N/A |
| File created | C:\Windows\SysWOW64\Gmfkdm32.dll | C:\Windows\SysWOW64\Acmhepko.exe | N/A |
| File created | C:\Windows\SysWOW64\Dqcngnae.dll | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A |
| File created | C:\Windows\SysWOW64\Qhiphb32.dll | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjdplm32.exe | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Baohhgnf.exe | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nfolbbmp.dll | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mdqfkmom.dll | C:\Windows\SysWOW64\Baohhgnf.exe | N/A |
| File created | C:\Windows\SysWOW64\Cbdnko32.exe | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| File created | C:\Windows\SysWOW64\Cklfll32.exe | C:\Windows\SysWOW64\Cbdnko32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Afgkfl32.exe | C:\Windows\SysWOW64\Aganeoip.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aaloddnn.exe | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Acmhepko.exe | C:\Windows\SysWOW64\Aaolidlk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bilmcf32.exe | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| File created | C:\Windows\SysWOW64\Becnhgmg.exe | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bmeimhdj.exe | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| File created | C:\Windows\SysWOW64\Dhbkakib.dll | C:\Windows\SysWOW64\Pdaheq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qkhpkoen.exe | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cophek32.dll | C:\Windows\SysWOW64\Aganeoip.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Acmhepko.exe | C:\Windows\SysWOW64\Aaolidlk.exe | N/A |
| File created | C:\Windows\SysWOW64\Baohhgnf.exe | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocdneocc.dll | C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qqeicede.exe | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| File created | C:\Windows\SysWOW64\Abbeflpf.exe | C:\Windows\SysWOW64\Acmhepko.exe | N/A |
| File created | C:\Windows\SysWOW64\Hqlhpf32.dll | C:\Windows\SysWOW64\Becnhgmg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cpfaocal.exe | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjbcfn32.exe | C:\Windows\SysWOW64\Becnhgmg.exe | N/A |
| File created | C:\Windows\SysWOW64\Bkglameg.exe | C:\Windows\SysWOW64\Baohhgnf.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmjqcc32.exe | C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Poapfn32.exe | C:\Windows\SysWOW64\Pbnoliap.exe | N/A |
| File created | C:\Windows\SysWOW64\Qqeicede.exe | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| File created | C:\Windows\SysWOW64\Aaloddnn.exe | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Abbeflpf.exe | C:\Windows\SysWOW64\Acmhepko.exe | N/A |
| File created | C:\Windows\SysWOW64\Aaolidlk.exe | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfqgjgep.dll | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cklfll32.exe | C:\Windows\SysWOW64\Cbdnko32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pfdabino.exe | C:\Windows\SysWOW64\Pdaheq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Igciil32.dll | C:\Windows\SysWOW64\Pfdabino.exe | N/A |
| File created | C:\Windows\SysWOW64\Pbnoliap.exe | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aganeoip.exe | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| File created | C:\Windows\SysWOW64\Hbcicn32.dll | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pmjqcc32.exe | C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe | N/A |
| File created | C:\Windows\SysWOW64\Qkhpkoen.exe | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lgahjhop.dll | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| File created | C:\Windows\SysWOW64\Fpcopobi.dll | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cpfaocal.exe | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A |
| File created | C:\Windows\SysWOW64\Pbkbgjcc.exe | C:\Windows\SysWOW64\Pfdabino.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pbnoliap.exe | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| File created | C:\Windows\SysWOW64\Lbbjgn32.dll | C:\Windows\SysWOW64\Pbnoliap.exe | N/A |
| File created | C:\Windows\SysWOW64\Mhpeoj32.dll | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ceegmj32.exe | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lclclfdi.dll | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aaheie32.exe | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| File created | C:\Windows\SysWOW64\Idlgcclp.dll | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| File created | C:\Windows\SysWOW64\Bilmcf32.exe | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| File created | C:\Windows\SysWOW64\Ceegmj32.exe | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pdaheq32.exe | C:\Windows\SysWOW64\Pmjqcc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aaolidlk.exe | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| File created | C:\Windows\SysWOW64\Gioicn32.dll | C:\Windows\SysWOW64\Aaolidlk.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Ceegmj32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pbnoliap.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cbdnko32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pdaheq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Becnhgmg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aaolidlk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pfdabino.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ceegmj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aganeoip.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Baohhgnf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Acmhepko.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pmjqcc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbkakib.dll" | C:\Windows\SysWOW64\Pdaheq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igciil32.dll" | C:\Windows\SysWOW64\Pfdabino.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll" | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll" | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll" | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll" | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pdaheq32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpifm32.dll" | C:\Windows\SysWOW64\Cpfaocal.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll" | C:\Windows\SysWOW64\Cbdnko32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmnipm.dll" | C:\Windows\SysWOW64\Pmjqcc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pmjqcc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Poapfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll" | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophek32.dll" | C:\Windows\SysWOW64\Aganeoip.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bilmcf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll" | C:\Windows\SysWOW64\Bjdplm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aaolidlk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Acmhepko.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bkglameg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Acmhepko.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Becnhgmg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll" | C:\Windows\SysWOW64\Bjbcfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pmjqcc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pfdabino.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll" | C:\Windows\SysWOW64\Aaolidlk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Baohhgnf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll" | C:\Windows\SysWOW64\Cklfll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aaloddnn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll" | C:\Windows\SysWOW64\Acmhepko.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Baohhgnf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcicn32.dll" | C:\Windows\SysWOW64\Aaheie32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Becnhgmg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll" | C:\Windows\SysWOW64\Baohhgnf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bmeimhdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdneocc.dll" | C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Pdaheq32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclclfdi.dll" | C:\Windows\SysWOW64\Pbkbgjcc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qqeicede.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aganeoip.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll" | C:\Windows\SysWOW64\Abbeflpf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qkhpkoen.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll" | C:\Windows\SysWOW64\Afgkfl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll" | C:\Windows\SysWOW64\Becnhgmg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe | "C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe" |
| C:\Windows\SysWOW64\Pmjqcc32.exe | C:\Windows\system32\Pmjqcc32.exe |
| C:\Windows\SysWOW64\Pdaheq32.exe | C:\Windows\system32\Pdaheq32.exe |
| C:\Windows\SysWOW64\Pfdabino.exe | C:\Windows\system32\Pfdabino.exe |
| C:\Windows\SysWOW64\Pbkbgjcc.exe | C:\Windows\system32\Pbkbgjcc.exe |
| C:\Windows\SysWOW64\Pbnoliap.exe | C:\Windows\system32\Pbnoliap.exe |
| C:\Windows\SysWOW64\Poapfn32.exe | C:\Windows\system32\Poapfn32.exe |
| C:\Windows\SysWOW64\Qkhpkoen.exe | C:\Windows\system32\Qkhpkoen.exe |
| C:\Windows\SysWOW64\Qqeicede.exe | C:\Windows\system32\Qqeicede.exe |
| C:\Windows\SysWOW64\Aaheie32.exe | C:\Windows\system32\Aaheie32.exe |
| C:\Windows\SysWOW64\Aganeoip.exe | C:\Windows\system32\Aganeoip.exe |
| C:\Windows\SysWOW64\Afgkfl32.exe | C:\Windows\system32\Afgkfl32.exe |
| C:\Windows\SysWOW64\Aaloddnn.exe | C:\Windows\system32\Aaloddnn.exe |
| C:\Windows\SysWOW64\Aaolidlk.exe | C:\Windows\system32\Aaolidlk.exe |
| C:\Windows\SysWOW64\Acmhepko.exe | C:\Windows\system32\Acmhepko.exe |
| C:\Windows\SysWOW64\Abbeflpf.exe | C:\Windows\system32\Abbeflpf.exe |
| C:\Windows\SysWOW64\Bilmcf32.exe | C:\Windows\system32\Bilmcf32.exe |
| C:\Windows\SysWOW64\Becnhgmg.exe | C:\Windows\system32\Becnhgmg.exe |
| C:\Windows\SysWOW64\Bjbcfn32.exe | C:\Windows\system32\Bjbcfn32.exe |
| C:\Windows\SysWOW64\Bjdplm32.exe | C:\Windows\system32\Bjdplm32.exe |
| C:\Windows\SysWOW64\Baohhgnf.exe | C:\Windows\system32\Baohhgnf.exe |
| C:\Windows\SysWOW64\Bkglameg.exe | C:\Windows\system32\Bkglameg.exe |
| C:\Windows\SysWOW64\Bmeimhdj.exe | C:\Windows\system32\Bmeimhdj.exe |
| C:\Windows\SysWOW64\Cpfaocal.exe | C:\Windows\system32\Cpfaocal.exe |
| C:\Windows\SysWOW64\Cbdnko32.exe | C:\Windows\system32\Cbdnko32.exe |
| C:\Windows\SysWOW64\Cklfll32.exe | C:\Windows\system32\Cklfll32.exe |
| C:\Windows\SysWOW64\Ceegmj32.exe | C:\Windows\system32\Ceegmj32.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 140 |
Network
Files
memory/2884-0-0x0000000000400000-0x0000000000468000-memory.dmp
C:\Windows\SysWOW64\Pmjqcc32.exe
| MD5 | 87c79364cf9863646dd78722ce4b111b |
| SHA1 | 3bd4fdb4e6d54cc1c7e0ea695a901b3a22a546c1 |
| SHA256 | c93ee1a1198cfd35a3fd175343ecb4a5bc05c41677f1b963a08e976d4677603b |
| SHA512 | 94002cbcdc2aa32391db42870d7bb2cd13a93d6e656619ec85e74f54195ebfd1950a3f09e9d1efaeaf8bc8187d9c7666c997d496bac22f7118ce7338666c97a6 |
memory/2884-17-0x0000000000330000-0x0000000000398000-memory.dmp
C:\Windows\SysWOW64\Pdaheq32.exe
| MD5 | 2bf55f68a6af26dbb372057fb7563605 |
| SHA1 | f0a61088462ff8b9fc1baed419f1ad04904bca02 |
| SHA256 | 98351bf64f19f0bb09284a1ff99859a9e8705788d06ab87009986766070a2f39 |
| SHA512 | 92a14624b3bf950794f3f2aabd59be3dcc7bebc70a0a8b9fa84213a4173f72793d6bc359434c73455615ae588a555f4a7cb794f5196b520215e38bb60422cd3b |
memory/2596-25-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2236-26-0x0000000000400000-0x0000000000468000-memory.dmp
\Windows\SysWOW64\Pfdabino.exe
| MD5 | 22290b74a7e6aaa31dce6936b23823a7 |
| SHA1 | 7432b083790b63197845c02169ef5cec1b5f8cc9 |
| SHA256 | 84e6678c4f6daa01632e65d4ca729703c2665579a50b6a09fb16d28d5edd4d04 |
| SHA512 | 1c1f1cd28b2b428071ec926a903869e9d5feee402eab7c937469f6d9e5e8e8ba04efe05088c5d2d1aaaad8ca78edf934f281a12e05654395613bef9abb6ff0ae |
memory/2632-39-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2652-52-0x0000000000400000-0x0000000000468000-memory.dmp
C:\Windows\SysWOW64\Pbkbgjcc.exe
| MD5 | ff5c9dbc12adc768dfa34487523c764d |
| SHA1 | 3bdea1e4a105d927694d1a3b38910e533b5f621a |
| SHA256 | 5d0ae160d5aa196453bd4055da97dee7b7277bfe55eafffa02fde75b6cf8b1c7 |
| SHA512 | a301cfdc4d15757ee9de99b78046fb9e03f8b36191b707a1ff03c8c090f3b020b2a16185f02f6eaedbae8467fbd4cb7deed0ef6785bb1de806c8fd1afd3d1cf6 |
\Windows\SysWOW64\Pbnoliap.exe
| MD5 | 1ba3ce30ef34cdb7258ff3b0c3981be6 |
| SHA1 | 710f2990145d5a66a736c5b149d4b5a657fa34a6 |
| SHA256 | 6eb507fecf813d532461fac329e11e472fba6804678e44319b3b43c1216377aa |
| SHA512 | 4de9b5e0ad32f02ed7bf3b1963f5c2d1b06d58272cd12a5085e4aa593998dae36045c1b097580cf310b19e61f22d2bc287715168984a3efac148fed99a87a396 |
memory/2652-59-0x0000000000250000-0x00000000002B8000-memory.dmp
\Windows\SysWOW64\Poapfn32.exe
| MD5 | 4b1616a3a4ee9d452a949474f7375396 |
| SHA1 | 7cb411a7e2b0d27f96690bde05f3e5e7bdd8c752 |
| SHA256 | 63baaf240e7d94f2d78c227baf19c608e4f3c47ad4e9891e2c8210edbff798d1 |
| SHA512 | db2e80c710e65c5673486a6816c82156d0bfbf5383a55bd70c0f795d2d0dc5d78293e19032bdcf0a080ee6f2f8a065c9117ac16891b8e14fb1a8d13f69c9a21a |
memory/584-78-0x0000000000400000-0x0000000000468000-memory.dmp
\Windows\SysWOW64\Qkhpkoen.exe
| MD5 | 932b6f2da1a72b3204b4868e6f23a25b |
| SHA1 | 0c9951149e44e508d4ad4ba38b0057c28e68adfa |
| SHA256 | df34956890017af6ef04dff8d72601723f023ff892f887c9ae2bd9081f5453d2 |
| SHA512 | 4ccc10dd44c98af83f264b7f4ccc9ec41b8df064c907cc6b292833b7d7fab21daaba2c940c8df67663e926dc8a866a0847460b0d3763b2d565bc64e336de4a44 |
memory/584-86-0x0000000000250000-0x00000000002B8000-memory.dmp
\Windows\SysWOW64\Qqeicede.exe
| MD5 | d734abbcd50cc0dec2e06cab3e543bfb |
| SHA1 | 23f0daa69aecede276ffce60b43e255df41c3ca4 |
| SHA256 | 5244d22e7e5cbf02c6452e65fd2707dc18ff67c2b970fae9e410f4a0b3d337e6 |
| SHA512 | c4d0077a043e3153bb505525ff9ef31434ed10d28fa05bbbfad8a93033d0dbcbf78de54819eb440bd5d9d1f639a57420b0d309475cb43d0ca5f82ab7abf981d0 |
memory/2532-104-0x0000000000400000-0x0000000000468000-memory.dmp
\Windows\SysWOW64\Aaheie32.exe
| MD5 | d5fba8583c545b4ba2d2a153c9a2b5de |
| SHA1 | 72a55914a26b559c4381189cd83980e9a4ca90e5 |
| SHA256 | cb2f350479fc35174ac65ee5ee027bbef5e86c221455827dded7fb43915b62b6 |
| SHA512 | 8d3e14df32c3c82759934fb34570922a605fcd515a9700f4327e15c0fb5b902111cb70ce8ae68e38bc804804e75989679d11eaac0bef52e66597a03f9077b28a |
C:\Windows\SysWOW64\Aganeoip.exe
| MD5 | 4c00a1972131735dab25ce0a1c3a938f |
| SHA1 | 9ad03b6a7e5d2d1ddce456a1f0dbad5374290b0c |
| SHA256 | 3c576b7c75d58eb95eeb726730ef839b3b7e0ae64aada649cef20cd3fa720472 |
| SHA512 | d05d6a275777d80684857e33aeea6b55e8406b1511e83ee9d24a2a94eeea6c4adc67c35d8ee697c4d592747fcbc1609ae05e2c719b84837ceeb1ed9126e34862 |
memory/2676-129-0x0000000000400000-0x0000000000468000-memory.dmp
\Windows\SysWOW64\Afgkfl32.exe
| MD5 | 3aea35428da56d73af20a4ee906ddbda |
| SHA1 | 511ab078f5e5b00adb39e918676a7031cd98cdf0 |
| SHA256 | 1d1f137ae1348cc19fee435d1f23ad3a83ad2500ae0b9b137d68875cd4a4f0ea |
| SHA512 | e5cf403adf1a6d7418e9587caa469635586c1f903a32856d68097b5ae333dbf27e2f684f6edf8afee3ca05faa98b14486aab9e3db4c6228f3e7cbb51d40a3318 |
memory/2676-137-0x0000000000250000-0x00000000002B8000-memory.dmp
\Windows\SysWOW64\Aaloddnn.exe
| MD5 | e0e3d3bcdb70417c5ef0f6331315dd01 |
| SHA1 | 4bc3515247e97e1506d5b80c983b027a00bdb542 |
| SHA256 | a379cc7e92acbd92e6cab108fabfcb601378f9d66f9312198260d9be5d501b58 |
| SHA512 | 1b983c6f36de95b215daa6f6633e34fd84b8078baf4fa885ae56b69c6810b70d30ab1cf6d89d5d15143c4cce81c4141bf5148676176d3be4f054a19c190f2146 |
memory/2960-154-0x0000000000250000-0x00000000002B8000-memory.dmp
memory/2092-157-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2960-155-0x0000000000250000-0x00000000002B8000-memory.dmp
C:\Windows\SysWOW64\Aaolidlk.exe
| MD5 | 845124e395d8956b975a33f943e504f7 |
| SHA1 | dccc3cf95c39f682f6ae153c960d20baaca7e0a8 |
| SHA256 | 8e848b058a7e603aa69ab1b0e3dcc93c8a10c1098cadc7b0baa32e3621546929 |
| SHA512 | ad9cab28e584a992345e9ced1e254c1c75dca339d75c32d70e6d5d1cfb2b01d9632a29051281c38f4eba8b8a7ce5af02317e70c749df1e423a8496a21d1a0fcf |
memory/2092-170-0x0000000000250000-0x00000000002B8000-memory.dmp
memory/2092-169-0x0000000000250000-0x00000000002B8000-memory.dmp
C:\Windows\SysWOW64\Acmhepko.exe
| MD5 | 39e523f6a7ab989bcbebe151b864658c |
| SHA1 | f633e62e84722fc4d24eb88ce76e7cb50eee2985 |
| SHA256 | 00466205a22af9f0e7f51db43a19131ae2f7fa5e0732efcd2f2aa8209bf9fd19 |
| SHA512 | fbd2e3ef0a2df04040ee6e501f946ba07ed563d37a87cfaaee20735c8facefdce5f58458fdb428e94f8ff7dedbaa4d848909b3c9d9dab26f8281cb2a760bf047 |
memory/552-192-0x0000000002040000-0x00000000020A8000-memory.dmp
memory/2244-186-0x0000000000400000-0x0000000000468000-memory.dmp
memory/552-185-0x0000000002040000-0x00000000020A8000-memory.dmp
memory/552-184-0x0000000000400000-0x0000000000468000-memory.dmp
C:\Windows\SysWOW64\Abbeflpf.exe
| MD5 | 683ff554604113a7aa784589ecd590ca |
| SHA1 | fe6dbffad72ee92c912f886426edf2231ebaaa70 |
| SHA256 | 56e78ffc0dd6d8017ad38433f47d516e17f5747413f7d4c08e55c65110d9db93 |
| SHA512 | 68a89547c0178626cf13b9ff42ac5b880d45ac405206055afe0f3cea3a81ca6a9c2325ae79ae87d6fed3cafc76a310a577ad0bebadde6bc67255315a50df5b51 |
memory/3060-207-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2244-200-0x00000000002D0000-0x0000000000338000-memory.dmp
memory/2244-199-0x00000000002D0000-0x0000000000338000-memory.dmp
\Windows\SysWOW64\Bilmcf32.exe
| MD5 | ee8f4b0351ca8f3942dac4f7260d04ac |
| SHA1 | 0e510295b592096cf7aeb2c6bf262ad32dee4246 |
| SHA256 | 9e07e010d20ca4f5d28200359f52da0e5d6893981c905e6b463d7924f47655a6 |
| SHA512 | 2a8f4fa2b7da9f6f2ce399e7ffb91672ad3ef1261f96e0c1addbeccefce9daa8b08d5d5c10a5c9633f86250a46df6ab8d2cbc85a76d0aa4c2d730ac8fda0ab5f |
memory/2324-217-0x0000000000400000-0x0000000000468000-memory.dmp
memory/3060-216-0x0000000001FD0000-0x0000000002038000-memory.dmp
memory/3060-214-0x0000000001FD0000-0x0000000002038000-memory.dmp
C:\Windows\SysWOW64\Becnhgmg.exe
| MD5 | da9e257c226e7bbfaffff5ad891eb517 |
| SHA1 | 3cd49509a3ece7ad2d5228ca23a61fed3c83b071 |
| SHA256 | 8945f58c6d51094e6d9396f91e51c9cd0a52f523fde010d5d988018ab3475b8c |
| SHA512 | ad7f104da036c0c89dc0f80f5f80d913c11a73d4222966c5196bc1ce0e6e4e26e48db8976fe22dc83faf375a37404981d0fd52257c25303422ec837c39837ea8 |
memory/2324-228-0x00000000002D0000-0x0000000000338000-memory.dmp
memory/2160-232-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2324-227-0x00000000002D0000-0x0000000000338000-memory.dmp
memory/2160-235-0x00000000002E0000-0x0000000000348000-memory.dmp
C:\Windows\SysWOW64\Bjbcfn32.exe
| MD5 | 4279b7899bc154ed181dfae1e30e1dc3 |
| SHA1 | 3849d31bd575849d1b1ffb32d7aef64a4dd25cb0 |
| SHA256 | bfffdc2ffe105b5df0481de16ccd9b203ccc5f6d69954ba08a92b81c14f76479 |
| SHA512 | d9b2130169fcf41ad0dd2a8b588b512946ef8f755c717235a6220dc28abbcd7749dccd02376646124e9d26dad3e2fc2e99f2b31e082fb0a2b8fc81b043cb2e49 |
memory/1524-240-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2160-239-0x00000000002E0000-0x0000000000348000-memory.dmp
C:\Windows\SysWOW64\Bjdplm32.exe
| MD5 | 5e0e6becc29ccb3a1a0b96c19589fca1 |
| SHA1 | d2da4c9acf1b2b4198a6dc38dd81603a6c50c895 |
| SHA256 | 4e15441b09d9783026fa842f8b0dfd0c8491d5264f72c78039e8e0edaf62a40d |
| SHA512 | e8981ee1d0c652461b67295df4bd625cfd72e60332a10e7bdcb7f4c3e70f26dcc81c572c95046402066191158d83bf1c26310e341f48b4dfd3a2804a085170d8 |
memory/1260-251-0x0000000000400000-0x0000000000468000-memory.dmp
memory/1524-250-0x0000000000330000-0x0000000000398000-memory.dmp
memory/1524-249-0x0000000000330000-0x0000000000398000-memory.dmp
C:\Windows\SysWOW64\Baohhgnf.exe
| MD5 | 3a60dbdd354f4be25a6073d7cb2cced2 |
| SHA1 | bfcae50661a32b1eddbb936c78a86a4bef006230 |
| SHA256 | d46566d5676a1b0a80c313edee14c0484583a1eadaea85f6eca3fc5c7f8c4181 |
| SHA512 | 7fa2a47254b29b5cb642ae64573345156500221b1fbc0dfbcff0a55079a13e92e75700dff6fe75b892fd762f6e43f6ec38750c0404da66db940b983fc6c77186 |
memory/1260-260-0x0000000000300000-0x0000000000368000-memory.dmp
memory/616-261-0x0000000000400000-0x0000000000468000-memory.dmp
C:\Windows\SysWOW64\Bkglameg.exe
| MD5 | f8bf45f99e1d1009ff33abe534cec94e |
| SHA1 | d006d32d9a3e0b92f84042b9776e85211867e833 |
| SHA256 | db1d39244cc172fa261319e1f32f23cacce7548360420e9baa0958b0dde470f2 |
| SHA512 | 7cc02dad12f026a0d743c32a643f39650ed75d7ea02f841113b4feb88f61f842da0a6b077f9980783d1f625baee9cc24b76f4da26a81c7d8935d1f21847414ad |
memory/616-274-0x0000000001F90000-0x0000000001FF8000-memory.dmp
memory/616-275-0x0000000001F90000-0x0000000001FF8000-memory.dmp
C:\Windows\SysWOW64\Bmeimhdj.exe
| MD5 | 42e80748ea54750e55ae9d41e3c6b817 |
| SHA1 | acba568d5f2ed3caaa8f3a4e40538587239cddb1 |
| SHA256 | 14e19c51fb74c0b7ad98b621d0359ff5828f8c7554b33f92dcc0925f7e1f16dd |
| SHA512 | fc3c727d826be98de995f1bdc02cffe26d8d3dac73904784b4abc3199ebd4c98f7f82a6fd34ddd3e10e70d5fe0b65712698225e3da6dce325c37efdd30035958 |
memory/2800-282-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2120-281-0x0000000000280000-0x00000000002E8000-memory.dmp
memory/2120-280-0x0000000000280000-0x00000000002E8000-memory.dmp
C:\Windows\SysWOW64\Cpfaocal.exe
| MD5 | f5909d2a27f3a3012e50490ef9fb5dc9 |
| SHA1 | 137e011613ca2864e23304f6959d2a28a4a486f3 |
| SHA256 | 916a7d9ae3db2c9163164f5cd2e1c1bb06654e041662177c1d57dffc85757534 |
| SHA512 | 95583806b1c621e98b5d0710056cbed2aa54615b6ea341e2be8744de2fa104004c4737038578f0879c44d8853d0df1f967ccec2a84dbb49ba040f6b86bf7ee50 |
memory/2800-292-0x0000000000300000-0x0000000000368000-memory.dmp
memory/1964-297-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2800-291-0x0000000000300000-0x0000000000368000-memory.dmp
memory/2832-308-0x0000000000400000-0x0000000000468000-memory.dmp
memory/1964-303-0x0000000000390000-0x00000000003F8000-memory.dmp
memory/1964-302-0x0000000000390000-0x00000000003F8000-memory.dmp
C:\Windows\SysWOW64\Cbdnko32.exe
| MD5 | cf71c69f4dfed4404b58461072f11d6b |
| SHA1 | 943b5b4040eab9a3dff0d0aa34f7c30c9fdf7816 |
| SHA256 | 3df25a56541fb2236d5037b15a297f2c19916a7acae3e59ee73619da44b05477 |
| SHA512 | 117c5402e23158b888c250e04f3522bb42f98c1d7b2bc8808ca752e9b797647ffedbd032724ff448512adc64c6c20ad87eb0e0dfb44a6050898ebe05ae38f1ab |
C:\Windows\SysWOW64\Cklfll32.exe
| MD5 | a30f0db239a19bd06a8ed33d0ade701f |
| SHA1 | 169d627169bb7bccd6a180958dfaa62e1ddf68b4 |
| SHA256 | 4b53f9b265a33849722f53773242e157f9bb13112b3e9eb1f965d812e9af070f |
| SHA512 | c23614cfd8d7c19c5039d189d329df096e1e168e94f795e404cfcbe9005c239883c25d82bdbfcd5e71fadc96a807d1c8738e995e6b9de1aef6c1971a4ecc73bb |
memory/2832-314-0x00000000002D0000-0x0000000000338000-memory.dmp
memory/2740-319-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2832-313-0x00000000002D0000-0x0000000000338000-memory.dmp
memory/2788-326-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2740-325-0x0000000000260000-0x00000000002C8000-memory.dmp
memory/2740-324-0x0000000000260000-0x00000000002C8000-memory.dmp
C:\Windows\SysWOW64\Ceegmj32.exe
| MD5 | dccf4400af71c9033a4b09a58343ee19 |
| SHA1 | cc732df12413ef7111ef8ef067cdf480d190454e |
| SHA256 | 09325efa4ab4fc56e9d85cd0b4cbf31b20e22221f88191ef5f217d26f5c06b7f |
| SHA512 | b7dd63179605cb77700981c4de9da1dd30825e8932e51a3a3dadd1031b9062316d4694b59c5c24a789af011b656d9961da8a42c543ea5cad3193159bfba62d5f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-19 08:19
Reported
2024-11-19 08:21
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Oiojkffd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bpnnakmf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cpljbi32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dcaloc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jnfgbc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jdhiej32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pfdppdop.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aloeii32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lcjide32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bjjohe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmpadpnc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nfgkilok.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Inoaadih.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iannnphl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pkcenj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Edhoie32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pfijkc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nfgkilok.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dkanob32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Egfkfa32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ejegblid.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jjmhgd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pbikjl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Okcmgmjg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cmagpihd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Llekcj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Llidnjkc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdeimhkb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hglfol32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fgadgilh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pfjqei32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cikkeppa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ejpngm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Abimfcid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pamhmb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ejbklm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Epnidpme.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fpeoeogm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ljkhbnlo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ockkbqne.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mdkhidoj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nollbldc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Acfmjf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Liaelpdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mcmoab32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ajcigf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aflfag32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dpnpmb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pbikjl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lhaagfik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aloeii32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Abimfcid.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Amoacl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kecekkjh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lkpncb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nhpgpboi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cionei32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nhldoifj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ibhqlc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jaljon32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Laalak32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Abkjlb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Longjpoe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pijbmnhk.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Keqieklj.exe | C:\Windows\SysWOW64\Khmhlg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkbhpocn.dll | C:\Windows\SysWOW64\Opibhq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Iecamf32.dll | C:\Windows\SysWOW64\Djnaamol.exe | N/A |
| File created | C:\Windows\SysWOW64\Ggbchm32.exe | C:\Windows\SysWOW64\Gedgla32.exe | N/A |
| File created | C:\Windows\SysWOW64\Agolnflf.dll | C:\Windows\SysWOW64\Hekmmqme.exe | N/A |
| File created | C:\Windows\SysWOW64\Bepobppn.dll | C:\Windows\SysWOW64\Nhpgpboi.exe | N/A |
| File created | C:\Windows\SysWOW64\Bnchjo32.dll | C:\Windows\SysWOW64\Pbidoe32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nqhfkf32.exe | C:\Windows\SysWOW64\Njnnnllj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dablmkba.exe | C:\Windows\SysWOW64\Djldlnao.exe | N/A |
| File created | C:\Windows\SysWOW64\Fbebihbl.exe | C:\Windows\SysWOW64\Fcbefalp.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgjbcebq.exe | C:\Windows\SysWOW64\Bpqjfk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mkepeo32.exe | C:\Windows\SysWOW64\Mdkhidoj.exe | N/A |
| File created | C:\Windows\SysWOW64\Cionei32.exe | C:\Windows\SysWOW64\Cmhmqhbl.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbkfiaco.exe | C:\Windows\SysWOW64\Kjdnhcbl.exe | N/A |
| File created | C:\Windows\SysWOW64\Dlhofd32.dll | C:\Windows\SysWOW64\Femnbg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lhkdneaq.exe | C:\Windows\SysWOW64\Laalak32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ppdbdo32.exe | C:\Windows\SysWOW64\Pflmkimc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Epnidpme.exe | C:\Windows\SysWOW64\Eidqgf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gjocoi32.exe | C:\Windows\SysWOW64\Gcekbokj.exe | N/A |
| File created | C:\Windows\SysWOW64\Ajhhlpmm.dll | C:\Windows\SysWOW64\Mclhfl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oqlofeoa.exe | C:\Windows\SysWOW64\Nfgkilok.exe | N/A |
| File created | C:\Windows\SysWOW64\Jdpklo32.dll | C:\Windows\SysWOW64\Dcaloc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fanajimp.dll | C:\Windows\SysWOW64\Leebqk32.exe | N/A |
| File created | C:\Windows\SysWOW64\Nikpidbp.dll | C:\Windows\SysWOW64\Bmkhip32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ghblpi32.dll | C:\Windows\SysWOW64\Mdkhidoj.exe | N/A |
| File created | C:\Windows\SysWOW64\Dlddme32.dll | C:\Windows\SysWOW64\Pfijkc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Edghoo32.exe | C:\Windows\SysWOW64\Emnpbepd.exe | N/A |
| File created | C:\Windows\SysWOW64\Fkdpod32.dll | C:\Windows\SysWOW64\Dappgk32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pigfgo32.exe | C:\Windows\SysWOW64\Pfijkc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Gckmqbod.dll | C:\Windows\SysWOW64\Aflpgq32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fpjhpo32.exe | C:\Windows\SysWOW64\Fnllcc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmgqogpe.dll | C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mcmoab32.exe | C:\Windows\SysWOW64\Mqnceg32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Oqfblcgf.exe | C:\Windows\SysWOW64\Oiojkffd.exe | N/A |
| File created | C:\Windows\SysWOW64\Mjcclf32.dll | C:\Windows\SysWOW64\Gbaaeggo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gjocoi32.exe | C:\Windows\SysWOW64\Gcekbokj.exe | N/A |
| File created | C:\Windows\SysWOW64\Pcmjdg32.exe | C:\Windows\SysWOW64\Pmcbgmcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ljfogo32.exe | C:\Windows\SysWOW64\Lcjide32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ooalga32.exe | C:\Windows\SysWOW64\Ockkbqne.exe | N/A |
| File created | C:\Windows\SysWOW64\Jicnaean.dll | C:\Windows\SysWOW64\Pfjqei32.exe | N/A |
| File created | C:\Windows\SysWOW64\Niacgmml.dll | C:\Windows\SysWOW64\Ephing32.exe | N/A |
| File created | C:\Windows\SysWOW64\Klgoalkh.exe | C:\Windows\SysWOW64\Kbnjig32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Gdpnabgb.exe | C:\Windows\SysWOW64\Gbaaeggo.exe | N/A |
| File created | C:\Windows\SysWOW64\Khoebgkn.exe | C:\Windows\SysWOW64\Keqieklj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pcmjdg32.exe | C:\Windows\SysWOW64\Pmcbgmcg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Adnjek32.exe | C:\Windows\SysWOW64\Amdbiahp.exe | N/A |
| File created | C:\Windows\SysWOW64\Lcpikn32.exe | C:\Windows\SysWOW64\Llfqnc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Afjjlg32.exe | C:\Windows\SysWOW64\Amaeca32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Odpjkalb.exe | C:\Windows\SysWOW64\Oboaif32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qpgoinaa.exe | C:\Windows\SysWOW64\Pfnjqikq.exe | N/A |
| File created | C:\Windows\SysWOW64\Bhjnom32.dll | C:\Windows\SysWOW64\Apmnpg32.exe | N/A |
| File created | C:\Windows\SysWOW64\Epnidpme.exe | C:\Windows\SysWOW64\Eidqgf32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ldkobgmm.exe | C:\Windows\SysWOW64\Longjpoe.exe | N/A |
| File created | C:\Windows\SysWOW64\Qohjnfpf.dll | C:\Windows\SysWOW64\Edekip32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fllpjp32.exe | C:\Windows\SysWOW64\Fgogai32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Nofmlc32.exe | C:\Windows\SysWOW64\Nhldoifj.exe | N/A |
| File created | C:\Windows\SysWOW64\Elnplg32.dll | C:\Windows\SysWOW64\Ecfejc32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kaikfmma.dll | C:\Windows\SysWOW64\Pccgnibo.exe | N/A |
| File created | C:\Windows\SysWOW64\Dkppekog.dll | C:\Windows\SysWOW64\Aijlcl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bncpqm32.dll | C:\Windows\SysWOW64\Badgdold.exe | N/A |
| File created | C:\Windows\SysWOW64\Pliioanb.dll | C:\Windows\SysWOW64\Ggbchm32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hccgcmoj.exe | C:\Windows\SysWOW64\Hbakld32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Khmhlg32.exe | C:\Windows\SysWOW64\Koddcagp.exe | N/A |
| File created | C:\Windows\SysWOW64\Gkfbhn32.dll | C:\Windows\SysWOW64\Edhoie32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Fpleen32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pigfgo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Njpjdkig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jjmhgd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pbidoe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ojimjjal.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fkbpmmdg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jhloeikc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pfbcjdab.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pkcenj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nofmlc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kbdiopkd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Femnbg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Klgoalkh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kcqgnfbe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfhhjmbe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lhkdneaq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ooalga32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amdbiahp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Khmhlg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Blmakgeg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mbkfap32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pfgdpj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mdikce32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Omioaokb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pfdppdop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Abimfcid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eekalg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Opfebqpd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pamhmb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Egihkqhn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Longjpoe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mdkhidoj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Blhhpg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eghaajdb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lchmoe32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nfgkilok.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Obbeimaj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qpgoinaa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hbjdkepd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aidlmcdl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mamlmi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fpcbop32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jomncb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mecnbhle.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mclhfl32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nbblbo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfhfne32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgjbcebq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dgkljb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Icljjkgp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aflpgq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fdcgkn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Keappapf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Obdbolog.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ppdbdo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pfnjqikq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dablmkba.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cbcico32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ppkonp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cpljbi32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Keqieklj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pieiao32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Amanik32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jdhiej32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjodin32.dll" | C:\Windows\SysWOW64\Cmagpihd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idelqf32.dll" | C:\Windows\SysWOW64\Liaelpdj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fkbpmmdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hjjbkg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcebmaa.dll" | C:\Windows\SysWOW64\Hbjdkepd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djilbf32.dll" | C:\Windows\SysWOW64\Kbnjig32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Baiqpo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Acfmjf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Eekalg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dappgk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cccjfnfq.dll" | C:\Windows\SysWOW64\Mkepeo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfiqnn32.dll" | C:\Windows\SysWOW64\Clfdaeml.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qecpgo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qiocbd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ddlong32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ephing32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fbebihbl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kilicb32.dll" | C:\Windows\SysWOW64\Aegibnhg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kahpebej.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qbggkiob.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Epgbca32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nikpidbp.dll" | C:\Windows\SysWOW64\Bmkhip32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Kbdiopkd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Amoacl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cbcico32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fnllcc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgfoef.dll" | C:\Windows\SysWOW64\Mecnbhle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Edghoo32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dancal32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fnopci32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdijlhkm.dll" | C:\Windows\SysWOW64\Lkpncb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Apkhdn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaikfmma.dll" | C:\Windows\SysWOW64\Pccgnibo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pbidoe32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Llekcj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gnciohah.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Pieiao32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienackeo.dll" | C:\Windows\SysWOW64\Dccbjm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknkdbpo.dll" | C:\Windows\SysWOW64\Diihfn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmofnhi.dll" | C:\Windows\SysWOW64\Omioaokb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Liaelpdj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nhnadidg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Digkqn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ddlong32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghaag32.dll" | C:\Windows\SysWOW64\Qpgoinaa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cikkeppa.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mhpnid32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aijlcl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fgogai32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ammlhbnh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aflfag32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Abimfcid.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Nknclm32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Keappapf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjfdh32.dll" | C:\Windows\SysWOW64\Opfebqpd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Diihfn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kecekkjh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Apmnpg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Adnjek32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cpljbi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Dcaloc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Edhoie32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cionei32.exe | N/A |
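The tables above flatten two chains a responder actually wants to see: the persistence chain (the SSODL value name "Web Event Logger" points at CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, whose InProcServer32 default value is rewritten by successive stages to a fresh DLL in SysWow64) and the dropper chain (each stage creates the next executable under "Drops file in System32 directory"). The script below is an added example for this report; it is not part of the sandbox's tooling or of the sample. It parses rows in the report's "| Description | Indicator | Process | Target |" layout and rebuilds both chains. The sample rows are copied from the report, plus one constructed "File created" row for Kbnjig32.exe, the first stage in the process list; the file-name regex is a heuristic drawn from the names seen in this report, not a published family signature.

```python
"""Rebuild the SSODL persistence chain and the dropper chain from a flat sandbox table.

Added example for this report; not the sandbox's own tooling and not code from the sample.
"""
import re
from collections import defaultdict, deque

SAMPLE_NAME = "c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe"

# Constructed input: rows copied from the report above, plus one "File created" row
# for the first stage (Kbnjig32.exe) written in the same layout.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nhldoifj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jdhiej32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjodin32.dll" | C:\Windows\SysWOW64\Cmagpihd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idelqf32.dll" | C:\Windows\SysWOW64\Liaelpdj.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbnjig32.exe | C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe | N/A |
| File created | C:\Windows\SysWOW64\Mmgqogpe.dll | C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe | N/A |
| File created | C:\Windows\SysWOW64\Klgoalkh.exe | C:\Windows\SysWOW64\Kbnjig32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kbkfiaco.exe | C:\Windows\SysWOW64\Kjdnhcbl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Keqieklj.exe | C:\Windows\SysWOW64\Khmhlg32.exe | N/A |
"""

ROW_RE = re.compile(
    r"^\|\s*(?P<desc>[^|]*?)\s*\|\s*(?P<ind>[^|]*?)\s*\|\s*(?P<proc>[^|]*?)\s*\|\s*(?P<target>[^|]*?)\s*\|$"
)
# '<key>\<value name> = "<data>"'; the default value of a key has an empty name.
REG_VALUE_RE = re.compile(r'^(?P<key>.+?)\\(?P<name>[^\\"=]*) = "(?P<data>.*)"$')
CLSID_KEY_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32$")
# Heuristic from the names in this report (capital + five lowercase + "32", or capital
# + seven lowercase); it is an assumption for triage, not a documented family signature.
BERBEW_NAME_RE = re.compile(r"^[A-Z][a-z]{5}32\.(?:exe|dll)$|^[A-Z][a-z]{7}\.(?:exe|dll)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """One dict per table row; the header row and blank lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group("desc") != "Description":
            rows.append(m.groupdict())
    return rows


def resolve_ssodl(rows):
    """SSODL value name -> CLSID, the process that set it, and every InProcServer32
    DLL bound to that CLSID (in write order; the last one is what Explorer loads)."""
    ssodl = {}                   # value name -> (CLSID, writer)
    servers = defaultdict(list)  # CLSID -> [(dll path, writer)]
    for r in rows:
        if not r["desc"].startswith("Set value"):
            continue
        m = REG_VALUE_RE.match(r["ind"])
        if not m:
            continue
        key, name, data = m.group("key", "name", "data")
        if key.upper().endswith("\\SHELLSERVICEOBJECTDELAYLOAD"):
            ssodl[name] = (data.upper(), r["proc"])
            continue
        cm = CLSID_KEY_RE.search(key)
        if cm and name == "":
            # the report doubles backslashes inside quoted REG_SZ data
            servers[cm.group(1).upper()].append((data.replace("\\\\", "\\"), r["proc"]))
    return {
        name: {"clsid": clsid, "set_by": setter, "servers": servers.get(clsid, [])}
        for name, (clsid, setter) in ssodl.items()
    }


def drop_graph(rows):
    """creator basename -> set of executables it created ('File created' rows only)."""
    g = defaultdict(set)
    for r in rows:
        if r["desc"] == "File created" and r["ind"].lower().endswith(".exe"):
            g[basename(r["proc"])].add(basename(r["ind"]))
    return g


def drop_chain(graph, root):
    """Breadth-first order of executables reachable from root through the drop graph."""
    order, seen, queue = [], {root}, deque([root])
    while queue:
        cur = queue.popleft()
        order.append(cur)
        for child in sorted(graph.get(cur, ())):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return order


def looks_like_berbew_name(name):
    return BERBEW_NAME_RE.match(name) is not None


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for name, info in resolve_ssodl(rows).items():
        print(f"SSODL {name!r} -> {info['clsid']} (set by {basename(info['set_by'])})")
        for dll, proc in info["servers"]:
            flag = " [matches report name pattern]" if looks_like_berbew_name(basename(dll)) else ""
            print(f"  InProcServer32 = {dll} (set by {basename(proc)}){flag}")
    print("drop chain:", " -> ".join(drop_chain(drop_graph(rows), SAMPLE_NAME)))
```

Run over the full report the same correlation turns the registry tables into one line per CLSID, with the DLL path that was written last being the one Explorer loads at the next logon; the earlier paths are stale on disk but still useful as indicators. On a live host the equivalent check reads the ShellServiceObjectDelayLoad key under both SOFTWARE and SOFTWARE\Wow6432Node and resolves each CLSID's InProcServer32 before deciding whether the DLL belongs there.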
Suspicious use of WriteProcessMemory
Processes
Each process is listed with its on-disk image path and the command line it was started with, in the order the sandbox recorded them. The command lines name C:\Windows\system32\ while the images sit in C:\Windows\SysWOW64\: these are 32-bit processes, and WOW64 file-system redirection maps system32 to SysWOW64 for them, so the path each stage writes and launches resolves to SysWOW64 on disk.
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe | "C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe" |
| C:\Windows\SysWOW64\Kbnjig32.exe | C:\Windows\system32\Kbnjig32.exe |
| C:\Windows\SysWOW64\Klgoalkh.exe | C:\Windows\system32\Klgoalkh.exe |
| C:\Windows\SysWOW64\Kcqgnfbe.exe | C:\Windows\system32\Kcqgnfbe.exe |
| C:\Windows\SysWOW64\Keappapf.exe | C:\Windows\system32\Keappapf.exe |
| C:\Windows\SysWOW64\Kahpebej.exe | C:\Windows\system32\Kahpebej.exe |
| C:\Windows\SysWOW64\Lchmoe32.exe | C:\Windows\system32\Lchmoe32.exe |
| C:\Windows\SysWOW64\Liaelpdj.exe | C:\Windows\system32\Liaelpdj.exe |
| C:\Windows\SysWOW64\Llpahkcm.exe | C:\Windows\system32\Llpahkcm.exe |
| C:\Windows\SysWOW64\Lcjide32.exe | C:\Windows\system32\Lcjide32.exe |
| C:\Windows\SysWOW64\Ljfogo32.exe | C:\Windows\system32\Ljfogo32.exe |
| C:\Windows\SysWOW64\Llekcj32.exe | C:\Windows\system32\Llekcj32.exe |
| C:\Windows\SysWOW64\Lpbcii32.exe | C:\Windows\system32\Lpbcii32.exe |
| C:\Windows\SysWOW64\Ljkhbnlo.exe | C:\Windows\system32\Ljkhbnlo.exe |
| C:\Windows\SysWOW64\Llidnjkc.exe | C:\Windows\system32\Llidnjkc.exe |
| C:\Windows\SysWOW64\Mjmdgn32.exe | C:\Windows\system32\Mjmdgn32.exe |
| C:\Windows\SysWOW64\Mlnnii32.exe | C:\Windows\system32\Mlnnii32.exe |
| C:\Windows\SysWOW64\Mbkfap32.exe | C:\Windows\system32\Mbkfap32.exe |
| C:\Windows\SysWOW64\Mffbbomn.exe | C:\Windows\system32\Mffbbomn.exe |
| C:\Windows\SysWOW64\Mplfog32.exe | C:\Windows\system32\Mplfog32.exe |
| C:\Windows\SysWOW64\Mqnceg32.exe | C:\Windows\system32\Mqnceg32.exe |
| C:\Windows\SysWOW64\Mcmoab32.exe | C:\Windows\system32\Mcmoab32.exe |
| C:\Windows\SysWOW64\Nbblbo32.exe | C:\Windows\system32\Nbblbo32.exe |
| C:\Windows\SysWOW64\Nhldoifj.exe | C:\Windows\system32\Nhldoifj.exe |
| C:\Windows\SysWOW64\Nofmlc32.exe | C:\Windows\system32\Nofmlc32.exe |
| C:\Windows\SysWOW64\Nhnadidg.exe | C:\Windows\system32\Nhnadidg.exe |
| C:\Windows\SysWOW64\Njnnnllj.exe | C:\Windows\system32\Njnnnllj.exe |
| C:\Windows\SysWOW64\Nqhfkf32.exe | C:\Windows\system32\Nqhfkf32.exe |
| C:\Windows\SysWOW64\Njpjdkig.exe | C:\Windows\system32\Njpjdkig.exe |
| C:\Windows\SysWOW64\Nfgkilok.exe | C:\Windows\system32\Nfgkilok.exe |
| C:\Windows\SysWOW64\Oqlofeoa.exe | C:\Windows\system32\Oqlofeoa.exe |
| C:\Windows\SysWOW64\Ockkbqne.exe | C:\Windows\system32\Ockkbqne.exe |
| C:\Windows\SysWOW64\Ooalga32.exe | C:\Windows\system32\Ooalga32.exe |
| C:\Windows\SysWOW64\Oijqpg32.exe | C:\Windows\system32\Oijqpg32.exe |
| C:\Windows\SysWOW64\Oodimaaf.exe | C:\Windows\system32\Oodimaaf.exe |
| C:\Windows\SysWOW64\Obbeimaj.exe | C:\Windows\system32\Obbeimaj.exe |
| C:\Windows\SysWOW64\Ojimjjal.exe | C:\Windows\system32\Ojimjjal.exe |
| C:\Windows\SysWOW64\Opfebqpd.exe | C:\Windows\system32\Opfebqpd.exe |
| C:\Windows\SysWOW64\Obdbolog.exe | C:\Windows\system32\Obdbolog.exe |
| C:\Windows\SysWOW64\Oiojkffd.exe | C:\Windows\system32\Oiojkffd.exe |
| C:\Windows\SysWOW64\Oqfblcgf.exe | C:\Windows\system32\Oqfblcgf.exe |
| C:\Windows\SysWOW64\Opibhq32.exe | C:\Windows\system32\Opibhq32.exe |
| C:\Windows\SysWOW64\Ppkonp32.exe | C:\Windows\system32\Ppkonp32.exe |
| C:\Windows\SysWOW64\Pbikjl32.exe | C:\Windows\system32\Pbikjl32.exe |
| C:\Windows\SysWOW64\Piccfe32.exe | C:\Windows\system32\Piccfe32.exe |
| C:\Windows\SysWOW64\Pfgdpj32.exe | C:\Windows\system32\Pfgdpj32.exe |
| C:\Windows\SysWOW64\Pamhmb32.exe | C:\Windows\system32\Pamhmb32.exe |
| C:\Windows\SysWOW64\Pfjqei32.exe | C:\Windows\system32\Pfjqei32.exe |
| C:\Windows\SysWOW64\Pmcibc32.exe | C:\Windows\system32\Pmcibc32.exe |
| C:\Windows\SysWOW64\Pflmkimc.exe | C:\Windows\system32\Pflmkimc.exe |
| C:\Windows\SysWOW64\Ppdbdo32.exe | C:\Windows\system32\Ppdbdo32.exe |
| C:\Windows\SysWOW64\Pfnjqikq.exe | C:\Windows\system32\Pfnjqikq.exe |
| C:\Windows\SysWOW64\Qpgoinaa.exe | C:\Windows\system32\Qpgoinaa.exe |
| C:\Windows\SysWOW64\Qiocbd32.exe | C:\Windows\system32\Qiocbd32.exe |
| C:\Windows\SysWOW64\Qbggkiob.exe | C:\Windows\system32\Qbggkiob.exe |
| C:\Windows\SysWOW64\Ammlhbnh.exe | C:\Windows\system32\Ammlhbnh.exe |
| C:\Windows\SysWOW64\Apkhdn32.exe | C:\Windows\system32\Apkhdn32.exe |
| C:\Windows\SysWOW64\Aidlmcdl.exe | C:\Windows\system32\Aidlmcdl.exe |
| C:\Windows\SysWOW64\Adiqjlcb.exe | C:\Windows\system32\Adiqjlcb.exe |
| C:\Windows\SysWOW64\Ajcigf32.exe | C:\Windows\system32\Ajcigf32.exe |
| C:\Windows\SysWOW64\Amaeca32.exe | C:\Windows\system32\Amaeca32.exe |
| C:\Windows\SysWOW64\Afjjlg32.exe | C:\Windows\system32\Afjjlg32.exe |
| C:\Windows\SysWOW64\Amdbiahp.exe | C:\Windows\system32\Amdbiahp.exe |
| C:\Windows\SysWOW64\Adnjek32.exe | C:\Windows\system32\Adnjek32.exe |
| C:\Windows\SysWOW64\Aflfag32.exe | C:\Windows\system32\Aflfag32.exe |
| C:\Windows\SysWOW64\Abcgghde.exe | C:\Windows\system32\Abcgghde.exe |
| C:\Windows\SysWOW64\Bjjohe32.exe | C:\Windows\system32\Bjjohe32.exe |
| C:\Windows\SysWOW64\Badgdold.exe | C:\Windows\system32\Badgdold.exe |
| C:\Windows\SysWOW64\Bfapmfkk.exe | C:\Windows\system32\Bfapmfkk.exe |
| C:\Windows\SysWOW64\Bmkhip32.exe | C:\Windows\system32\Bmkhip32.exe |
| C:\Windows\SysWOW64\Bjohcdab.exe | C:\Windows\system32\Bjohcdab.exe |
| C:\Windows\SysWOW64\Baiqpo32.exe | C:\Windows\system32\Baiqpo32.exe |
| C:\Windows\SysWOW64\Bbjmggnm.exe | C:\Windows\system32\Bbjmggnm.exe |
| C:\Windows\SysWOW64\Bmpadpnc.exe | C:\Windows\system32\Bmpadpnc.exe |
| C:\Windows\SysWOW64\Bpnnakmf.exe | C:\Windows\system32\Bpnnakmf.exe |
| C:\Windows\SysWOW64\Bfhfne32.exe | C:\Windows\system32\Bfhfne32.exe |
| C:\Windows\SysWOW64\Bpqjfk32.exe | C:\Windows\system32\Bpqjfk32.exe |
| C:\Windows\SysWOW64\Cgjbcebq.exe | C:\Windows\system32\Cgjbcebq.exe |
| C:\Windows\SysWOW64\Ciioopad.exe | C:\Windows\system32\Ciioopad.exe |
| C:\Windows\SysWOW64\Cikkeppa.exe | C:\Windows\system32\Cikkeppa.exe |
| C:\Windows\SysWOW64\Ckkhocgd.exe | C:\Windows\system32\Ckkhocgd.exe |
| C:\Windows\SysWOW64\Cdclgh32.exe | C:\Windows\system32\Cdclgh32.exe |
| C:\Windows\SysWOW64\Cagmamlo.exe | C:\Windows\system32\Cagmamlo.exe |
| C:\Windows\SysWOW64\Cdeimhkb.exe | C:\Windows\system32\Cdeimhkb.exe |
| C:\Windows\SysWOW64\Cpljbi32.exe | C:\Windows\system32\Cpljbi32.exe |
| C:\Windows\SysWOW64\Dkanob32.exe | C:\Windows\system32\Dkanob32.exe |
| C:\Windows\SysWOW64\Dghodc32.exe | C:\Windows\system32\Dghodc32.exe |
| C:\Windows\SysWOW64\Digkqn32.exe | C:\Windows\system32\Digkqn32.exe |
| C:\Windows\SysWOW64\Dancal32.exe | C:\Windows\system32\Dancal32.exe |
| C:\Windows\SysWOW64\Ddlong32.exe | C:\Windows\system32\Ddlong32.exe |
| C:\Windows\SysWOW64\Dgkljb32.exe | C:\Windows\system32\Dgkljb32.exe |
| C:\Windows\SysWOW64\Diihfn32.exe | C:\Windows\system32\Diihfn32.exe |
| C:\Windows\SysWOW64\Dappgk32.exe | C:\Windows\system32\Dappgk32.exe |
| C:\Windows\SysWOW64\Dcaloc32.exe | C:\Windows\system32\Dcaloc32.exe |
| C:\Windows\SysWOW64\Djldlnao.exe | C:\Windows\system32\Djldlnao.exe |
| C:\Windows\SysWOW64\Dablmkba.exe | C:\Windows\system32\Dablmkba.exe |
| C:\Windows\SysWOW64\Ddaiifae.exe | C:\Windows\system32\Ddaiifae.exe |
| C:\Windows\SysWOW64\Djnaamol.exe | C:\Windows\system32\Djnaamol.exe |
| C:\Windows\SysWOW64\Ephing32.exe | C:\Windows\system32\Ephing32.exe |
| C:\Windows\SysWOW64\Ecfejc32.exe | C:\Windows\system32\Ecfejc32.exe |
| C:\Windows\SysWOW64\Ejpngm32.exe | C:\Windows\system32\Ejpngm32.exe |
| C:\Windows\SysWOW64\Epjfcgef.exe | C:\Windows\system32\Epjfcgef.exe |
| C:\Windows\SysWOW64\Ecibpbdj.exe | C:\Windows\system32\Ecibpbdj.exe |
| C:\Windows\SysWOW64\Ejbklm32.exe | C:\Windows\system32\Ejbklm32.exe |
| C:\Windows\SysWOW64\Edhoie32.exe | C:\Windows\system32\Edhoie32.exe |
| C:\Windows\SysWOW64\Egfkfa32.exe | C:\Windows\system32\Egfkfa32.exe |
| C:\Windows\SysWOW64\Ejegblid.exe | C:\Windows\system32\Ejegblid.exe |
| C:\Windows\SysWOW64\Egihkqhn.exe | C:\Windows\system32\Egihkqhn.exe |
| C:\Windows\SysWOW64\Eanlhihd.exe | C:\Windows\system32\Eanlhihd.exe |
| C:\Windows\SysWOW64\Egkdapfk.exe | C:\Windows\system32\Egkdapfk.exe |
| C:\Windows\SysWOW64\Fcbefalp.exe | C:\Windows\system32\Fcbefalp.exe |
| C:\Windows\SysWOW64\Fbebihbl.exe | C:\Windows\system32\Fbebihbl.exe |
| C:\Windows\SysWOW64\Fdfkkcom.exe | C:\Windows\system32\Fdfkkcom.exe |
| C:\Windows\SysWOW64\Fnopci32.exe | C:\Windows\system32\Fnopci32.exe |
| C:\Windows\SysWOW64\Fdhhqc32.exe | C:\Windows\system32\Fdhhqc32.exe |
| C:\Windows\SysWOW64\Fkbpmmdg.exe | C:\Windows\system32\Fkbpmmdg.exe |
| C:\Windows\SysWOW64\Gnciohah.exe | C:\Windows\system32\Gnciohah.exe |
| C:\Windows\SysWOW64\Gcpago32.exe | C:\Windows\system32\Gcpago32.exe |
C:\Windows\SysWOW64\Gbaaeggo.exe
C:\Windows\system32\Gbaaeggo.exe
C:\Windows\SysWOW64\Gdpnabgb.exe
C:\Windows\system32\Gdpnabgb.exe
C:\Windows\SysWOW64\Gcekbokj.exe
C:\Windows\system32\Gcekbokj.exe
C:\Windows\SysWOW64\Gjocoi32.exe
C:\Windows\system32\Gjocoi32.exe
C:\Windows\SysWOW64\Gqiklcjd.exe
C:\Windows\system32\Gqiklcjd.exe
C:\Windows\SysWOW64\Gedgla32.exe
C:\Windows\system32\Gedgla32.exe
C:\Windows\SysWOW64\Ggbchm32.exe
C:\Windows\system32\Ggbchm32.exe
C:\Windows\SysWOW64\Hbjdkepd.exe
C:\Windows\system32\Hbjdkepd.exe
C:\Windows\SysWOW64\Hekmmqme.exe
C:\Windows\system32\Hekmmqme.exe
C:\Windows\SysWOW64\Hcnnhm32.exe
C:\Windows\system32\Hcnnhm32.exe
C:\Windows\SysWOW64\Habnbabi.exe
C:\Windows\system32\Habnbabi.exe
C:\Windows\SysWOW64\Hglfol32.exe
C:\Windows\system32\Hglfol32.exe
C:\Windows\SysWOW64\Hjjbkg32.exe
C:\Windows\system32\Hjjbkg32.exe
C:\Windows\SysWOW64\Hbakld32.exe
C:\Windows\system32\Hbakld32.exe
C:\Windows\SysWOW64\Hccgcmoj.exe
C:\Windows\system32\Hccgcmoj.exe
C:\Windows\SysWOW64\Iebcnpfm.exe
C:\Windows\system32\Iebcnpfm.exe
C:\Windows\SysWOW64\Igqpjkeq.exe
C:\Windows\system32\Igqpjkeq.exe
C:\Windows\SysWOW64\Ijolffed.exe
C:\Windows\system32\Ijolffed.exe
C:\Windows\SysWOW64\Iaidbq32.exe
C:\Windows\system32\Iaidbq32.exe
C:\Windows\SysWOW64\Ilohpi32.exe
C:\Windows\system32\Ilohpi32.exe
C:\Windows\SysWOW64\Ibhqlc32.exe
C:\Windows\system32\Ibhqlc32.exe
C:\Windows\SysWOW64\Iakahpjo.exe
C:\Windows\system32\Iakahpjo.exe
C:\Windows\SysWOW64\Icjmdlib.exe
C:\Windows\system32\Icjmdlib.exe
C:\Windows\SysWOW64\Inoaadih.exe
C:\Windows\system32\Inoaadih.exe
C:\Windows\SysWOW64\Iannnphl.exe
C:\Windows\system32\Iannnphl.exe
C:\Windows\SysWOW64\Icljjkgp.exe
C:\Windows\system32\Icljjkgp.exe
C:\Windows\SysWOW64\Jjholemj.exe
C:\Windows\system32\Jjholemj.exe
C:\Windows\SysWOW64\Jndkmd32.exe
C:\Windows\system32\Jndkmd32.exe
C:\Windows\SysWOW64\Jhloeikc.exe
C:\Windows\system32\Jhloeikc.exe
C:\Windows\SysWOW64\Jnfgbc32.exe
C:\Windows\system32\Jnfgbc32.exe
C:\Windows\SysWOW64\Jjmhgd32.exe
C:\Windows\system32\Jjmhgd32.exe
C:\Windows\SysWOW64\Jhaiqi32.exe
C:\Windows\system32\Jhaiqi32.exe
C:\Windows\SysWOW64\Jdhiej32.exe
C:\Windows\system32\Jdhiej32.exe
C:\Windows\SysWOW64\Jomncb32.exe
C:\Windows\system32\Jomncb32.exe
C:\Windows\SysWOW64\Jaljon32.exe
C:\Windows\system32\Jaljon32.exe
C:\Windows\SysWOW64\Kjdnhcbl.exe
C:\Windows\system32\Kjdnhcbl.exe
C:\Windows\SysWOW64\Kbkfiaco.exe
C:\Windows\system32\Kbkfiaco.exe
C:\Windows\SysWOW64\Kkfkmc32.exe
C:\Windows\system32\Kkfkmc32.exe
C:\Windows\SysWOW64\Kelokl32.exe
C:\Windows\system32\Kelokl32.exe
C:\Windows\SysWOW64\Koddcagp.exe
C:\Windows\system32\Koddcagp.exe
C:\Windows\SysWOW64\Khmhlg32.exe
C:\Windows\system32\Khmhlg32.exe
C:\Windows\SysWOW64\Keqieklj.exe
C:\Windows\system32\Keqieklj.exe
C:\Windows\SysWOW64\Khoebgkn.exe
C:\Windows\system32\Khoebgkn.exe
C:\Windows\SysWOW64\Kknanbja.exe
C:\Windows\system32\Kknanbja.exe
C:\Windows\SysWOW64\Kbdiopkd.exe
C:\Windows\system32\Kbdiopkd.exe
C:\Windows\SysWOW64\Kecekkjh.exe
C:\Windows\system32\Kecekkjh.exe
C:\Windows\SysWOW64\Lhaagfik.exe
C:\Windows\system32\Lhaagfik.exe
C:\Windows\SysWOW64\Lkpncb32.exe
C:\Windows\system32\Lkpncb32.exe
C:\Windows\SysWOW64\Lajfplpl.exe
C:\Windows\system32\Lajfplpl.exe
C:\Windows\SysWOW64\Leebqk32.exe
C:\Windows\system32\Leebqk32.exe
C:\Windows\SysWOW64\Lhdnmf32.exe
C:\Windows\system32\Lhdnmf32.exe
C:\Windows\SysWOW64\Longjpoe.exe
C:\Windows\system32\Longjpoe.exe
C:\Windows\SysWOW64\Ldkobgmm.exe
C:\Windows\system32\Ldkobgmm.exe
C:\Windows\SysWOW64\Llagcdmo.exe
C:\Windows\system32\Llagcdmo.exe
C:\Windows\SysWOW64\Lejlljdp.exe
C:\Windows\system32\Lejlljdp.exe
C:\Windows\SysWOW64\Laalak32.exe
C:\Windows\system32\Laalak32.exe
C:\Windows\SysWOW64\Lhkdneaq.exe
C:\Windows\system32\Lhkdneaq.exe
C:\Windows\SysWOW64\Llfqnc32.exe
C:\Windows\system32\Llfqnc32.exe
C:\Windows\SysWOW64\Lcpikn32.exe
C:\Windows\system32\Lcpikn32.exe
C:\Windows\SysWOW64\Mlimccgg.exe
C:\Windows\system32\Mlimccgg.exe
C:\Windows\SysWOW64\Meaami32.exe
C:\Windows\system32\Meaami32.exe
C:\Windows\SysWOW64\Mhpnid32.exe
C:\Windows\system32\Mhpnid32.exe
C:\Windows\SysWOW64\Mecnbhle.exe
C:\Windows\system32\Mecnbhle.exe
C:\Windows\SysWOW64\Mlmgob32.exe
C:\Windows\system32\Mlmgob32.exe
C:\Windows\SysWOW64\Mdikce32.exe
C:\Windows\system32\Mdikce32.exe
C:\Windows\SysWOW64\Mlpcdb32.exe
C:\Windows\system32\Mlpcdb32.exe
C:\Windows\SysWOW64\Monpqn32.exe
C:\Windows\system32\Monpqn32.exe
C:\Windows\SysWOW64\Mamlmi32.exe
C:\Windows\system32\Mamlmi32.exe
C:\Windows\SysWOW64\Mdkhidoj.exe
C:\Windows\system32\Mdkhidoj.exe
C:\Windows\SysWOW64\Mkepeo32.exe
C:\Windows\system32\Mkepeo32.exe
C:\Windows\SysWOW64\Mclhfl32.exe
C:\Windows\system32\Mclhfl32.exe
C:\Windows\SysWOW64\Nldmpamj.exe
C:\Windows\system32\Nldmpamj.exe
C:\Windows\SysWOW64\Ndpaddje.exe
C:\Windows\system32\Ndpaddje.exe
C:\Windows\SysWOW64\Nlgiea32.exe
C:\Windows\system32\Nlgiea32.exe
C:\Windows\SysWOW64\Nacbmh32.exe
C:\Windows\system32\Nacbmh32.exe
C:\Windows\SysWOW64\Nogbgl32.exe
C:\Windows\system32\Nogbgl32.exe
C:\Windows\SysWOW64\Nhpgpboi.exe
C:\Windows\system32\Nhpgpboi.exe
C:\Windows\SysWOW64\Nknclm32.exe
C:\Windows\system32\Nknclm32.exe
C:\Windows\SysWOW64\Nollbldc.exe
C:\Windows\system32\Nollbldc.exe
C:\Windows\SysWOW64\Obkhngcf.exe
C:\Windows\system32\Obkhngcf.exe
C:\Windows\SysWOW64\Ohdpka32.exe
C:\Windows\system32\Ohdpka32.exe
C:\Windows\SysWOW64\Okcmgmjg.exe
C:\Windows\system32\Okcmgmjg.exe
C:\Windows\SysWOW64\Odkapb32.exe
C:\Windows\system32\Odkapb32.exe
C:\Windows\SysWOW64\Okeillhd.exe
C:\Windows\system32\Okeillhd.exe
C:\Windows\SysWOW64\Oclamjhf.exe
C:\Windows\system32\Oclamjhf.exe
C:\Windows\SysWOW64\Oboaif32.exe
C:\Windows\system32\Oboaif32.exe
C:\Windows\SysWOW64\Odpjkalb.exe
C:\Windows\system32\Odpjkalb.exe
C:\Windows\SysWOW64\Omioaokb.exe
C:\Windows\system32\Omioaokb.exe
C:\Windows\SysWOW64\Pccgnibo.exe
C:\Windows\system32\Pccgnibo.exe
C:\Windows\SysWOW64\Pfbcjdab.exe
C:\Windows\system32\Pfbcjdab.exe
C:\Windows\SysWOW64\Pippfpqf.exe
C:\Windows\system32\Pippfpqf.exe
C:\Windows\SysWOW64\Pojhcj32.exe
C:\Windows\system32\Pojhcj32.exe
C:\Windows\SysWOW64\Pbidoe32.exe
C:\Windows\system32\Pbidoe32.exe
C:\Windows\SysWOW64\Pfdppdop.exe
C:\Windows\system32\Pfdppdop.exe
C:\Windows\SysWOW64\Pkaihkng.exe
C:\Windows\system32\Pkaihkng.exe
C:\Windows\SysWOW64\Pchaihni.exe
C:\Windows\system32\Pchaihni.exe
C:\Windows\SysWOW64\Peimapdg.exe
C:\Windows\system32\Peimapdg.exe
C:\Windows\SysWOW64\Pieiao32.exe
C:\Windows\system32\Pieiao32.exe
C:\Windows\SysWOW64\Pkcenj32.exe
C:\Windows\system32\Pkcenj32.exe
C:\Windows\SysWOW64\Pcjnoh32.exe
C:\Windows\system32\Pcjnoh32.exe
C:\Windows\SysWOW64\Pfijkc32.exe
C:\Windows\system32\Pfijkc32.exe
C:\Windows\SysWOW64\Pigfgo32.exe
C:\Windows\system32\Pigfgo32.exe
C:\Windows\SysWOW64\Pmcbgmcg.exe
C:\Windows\system32\Pmcbgmcg.exe
C:\Windows\SysWOW64\Pcmjdg32.exe
C:\Windows\system32\Pcmjdg32.exe
C:\Windows\SysWOW64\Pbpjpdao.exe
C:\Windows\system32\Pbpjpdao.exe
C:\Windows\SysWOW64\Pijbmnhk.exe
C:\Windows\system32\Pijbmnhk.exe
C:\Windows\SysWOW64\Pockih32.exe
C:\Windows\system32\Pockih32.exe
C:\Windows\SysWOW64\Qfncfbge.exe
C:\Windows\system32\Qfncfbge.exe
C:\Windows\SysWOW64\Qeqcao32.exe
C:\Windows\system32\Qeqcao32.exe
C:\Windows\SysWOW64\Qkjlniel.exe
C:\Windows\system32\Qkjlniel.exe
C:\Windows\SysWOW64\Qcacogfo.exe
C:\Windows\system32\Qcacogfo.exe
C:\Windows\SysWOW64\Qecpgo32.exe
C:\Windows\system32\Qecpgo32.exe
C:\Windows\SysWOW64\Aphddhlc.exe
C:\Windows\system32\Aphddhlc.exe
C:\Windows\SysWOW64\Aiqimm32.exe
C:\Windows\system32\Aiqimm32.exe
C:\Windows\SysWOW64\Aloeii32.exe
C:\Windows\system32\Aloeii32.exe
C:\Windows\SysWOW64\Acfmjf32.exe
C:\Windows\system32\Acfmjf32.exe
C:\Windows\SysWOW64\Abimfcid.exe
C:\Windows\system32\Abimfcid.exe
C:\Windows\SysWOW64\Aegibnhg.exe
C:\Windows\system32\Aegibnhg.exe
C:\Windows\SysWOW64\Amoacl32.exe
C:\Windows\system32\Amoacl32.exe
C:\Windows\SysWOW64\Apmnpg32.exe
C:\Windows\system32\Apmnpg32.exe
C:\Windows\SysWOW64\Abkjlb32.exe
C:\Windows\system32\Abkjlb32.exe
C:\Windows\SysWOW64\Aejfhn32.exe
C:\Windows\system32\Aejfhn32.exe
C:\Windows\SysWOW64\Amanik32.exe
C:\Windows\system32\Amanik32.exe
C:\Windows\SysWOW64\Aflpgq32.exe
C:\Windows\system32\Aflpgq32.exe
C:\Windows\SysWOW64\Aijlcl32.exe
C:\Windows\system32\Aijlcl32.exe
C:\Windows\SysWOW64\Blhhpg32.exe
C:\Windows\system32\Blhhpg32.exe
C:\Windows\SysWOW64\Bcbmfdhl.exe
C:\Windows\system32\Bcbmfdhl.exe
C:\Windows\SysWOW64\Blmakgeg.exe
C:\Windows\system32\Blmakgeg.exe
C:\Windows\SysWOW64\Biabdkdq.exe
C:\Windows\system32\Biabdkdq.exe
C:\Windows\SysWOW64\Bicojk32.exe
C:\Windows\system32\Bicojk32.exe
C:\Windows\SysWOW64\Cmagpihd.exe
C:\Windows\system32\Cmagpihd.exe
C:\Windows\SysWOW64\Clfdaeml.exe
C:\Windows\system32\Clfdaeml.exe
C:\Windows\SysWOW64\Cbcico32.exe
C:\Windows\system32\Cbcico32.exe
C:\Windows\SysWOW64\Cmhmqhbl.exe
C:\Windows\system32\Cmhmqhbl.exe
C:\Windows\SysWOW64\Cionei32.exe
C:\Windows\system32\Cionei32.exe
C:\Windows\SysWOW64\Dmmglg32.exe
C:\Windows\system32\Dmmglg32.exe
C:\Windows\SysWOW64\Dpnpmb32.exe
C:\Windows\system32\Dpnpmb32.exe
C:\Windows\SysWOW64\Dfhhjmbe.exe
C:\Windows\system32\Dfhhjmbe.exe
C:\Windows\SysWOW64\Dihalh32.exe
C:\Windows\system32\Dihalh32.exe
C:\Windows\SysWOW64\Dpbihbgc.exe
C:\Windows\system32\Dpbihbgc.exe
C:\Windows\SysWOW64\Dmfjaf32.exe
C:\Windows\system32\Dmfjaf32.exe
C:\Windows\SysWOW64\Dccbjm32.exe
C:\Windows\system32\Dccbjm32.exe
C:\Windows\SysWOW64\Eimjgglq.exe
C:\Windows\system32\Eimjgglq.exe
C:\Windows\SysWOW64\Epgbca32.exe
C:\Windows\system32\Epgbca32.exe
C:\Windows\SysWOW64\Eedklh32.exe
C:\Windows\system32\Eedklh32.exe
C:\Windows\SysWOW64\Edekip32.exe
C:\Windows\system32\Edekip32.exe
C:\Windows\SysWOW64\Eefhahob.exe
C:\Windows\system32\Eefhahob.exe
C:\Windows\SysWOW64\Emnpbepd.exe
C:\Windows\system32\Emnpbepd.exe
C:\Windows\SysWOW64\Edghoo32.exe
C:\Windows\system32\Edghoo32.exe
C:\Windows\SysWOW64\Eidqgf32.exe
C:\Windows\system32\Eidqgf32.exe
C:\Windows\SysWOW64\Epnidpme.exe
C:\Windows\system32\Epnidpme.exe
C:\Windows\SysWOW64\Eghaajdb.exe
C:\Windows\system32\Eghaajdb.exe
C:\Windows\SysWOW64\Eekalg32.exe
C:\Windows\system32\Eekalg32.exe
C:\Windows\SysWOW64\Eleiiabj.exe
C:\Windows\system32\Eleiiabj.exe
C:\Windows\SysWOW64\Ecoafk32.exe
C:\Windows\system32\Ecoafk32.exe
C:\Windows\SysWOW64\Femnbg32.exe
C:\Windows\system32\Femnbg32.exe
C:\Windows\SysWOW64\Fpcbop32.exe
C:\Windows\system32\Fpcbop32.exe
C:\Windows\SysWOW64\Fepkgfgg.exe
C:\Windows\system32\Fepkgfgg.exe
C:\Windows\SysWOW64\Fngbidhj.exe
C:\Windows\system32\Fngbidhj.exe
C:\Windows\SysWOW64\Fpeoeogm.exe
C:\Windows\system32\Fpeoeogm.exe
C:\Windows\SysWOW64\Fgogai32.exe
C:\Windows\system32\Fgogai32.exe
C:\Windows\SysWOW64\Fllpjp32.exe
C:\Windows\system32\Fllpjp32.exe
C:\Windows\SysWOW64\Fdcgkn32.exe
C:\Windows\system32\Fdcgkn32.exe
C:\Windows\SysWOW64\Fgadgilh.exe
C:\Windows\system32\Fgadgilh.exe
C:\Windows\SysWOW64\Fnllcc32.exe
C:\Windows\system32\Fnllcc32.exe
C:\Windows\SysWOW64\Fpjhpo32.exe
C:\Windows\system32\Fpjhpo32.exe
C:\Windows\SysWOW64\Ffgqhe32.exe
C:\Windows\system32\Ffgqhe32.exe
C:\Windows\SysWOW64\Fpleen32.exe
C:\Windows\system32\Fpleen32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8272 -ip 8272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8272 -s 408
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\Ddaiifae.exe
| MD5 | f7dc7bd396f0a0e61a7071fcf9b03d4e |
| SHA1 | 9b9a2d81ad8304cf9a8e2d2a5e45305c96a8d5d2 |
| SHA256 | 2a75cf81000582370dac7699b3d75b44e6e6dd150493dadf4fe6a02846403ef3 |
| SHA512 | 14609ee8c57aa412ceb69a0db617ac120c751912d6134dfbaa9c12d4c1810d163e74bf4cb5c7dd034a8c2cd8e5551aa6ab357956ac7dde85281e95b08a9f2040 |
C:\Windows\SysWOW64\Epjfcgef.exe
| MD5 | d56c2cedfb2f695dfbd5662275b6fb17 |
| SHA1 | df6a8d60850856b25f0ede802c64cb7fbf773be0 |
| SHA256 | 56740f26c31df01619168b32220e32c349f0a68dfc0f4da682f93858196630ba |
| SHA512 | 0b15b7e9c67b0e02de362bb89375133783fb877b221743fde387063331f6a4f74f8f46fdc6e2332b0ed12340f9412d0aa85cd6c3a5fdbda6cbf497e08752795f |
C:\Windows\SysWOW64\Eanlhihd.exe
| MD5 | b5c28cfbb5804069cd5b126b39534c4a |
| SHA1 | 10fe7f306544db361cac6898cefb35592c0455be |
| SHA256 | 3b7f1ff43149c58e1726a2f7b583920b58bd4f9db5d0e588967655b286bf922b |
| SHA512 | 10ddc92cb865d836f855c8c082f5e191435c66b1b7ab4a2075e3e83578912e7e6041758f6adff4939000e130d72399785bdaf3ef8e9ea8250a875b0532e777b6 |
C:\Windows\SysWOW64\Fcbefalp.exe
| MD5 | eeca341d38d649d1988c36d5c3a3209c |
| SHA1 | c653fc661456d02160c8671cf9d1426313cbca46 |
| SHA256 | 3313aa26b3cc1d759559872a2ff43f21a17514b9af548655fbffbc7b06063a1d |
| SHA512 | cb85fa3482e469a45f941bba29710f7dbbe89955fc236736db4df357a1aca06831f2fc37583411b5e4e5cf0507289d352763629d2a2e42870cce48ba7a8a09fc |
C:\Windows\SysWOW64\Fbebihbl.exe
| MD5 | fa854c0f8b87209d156a0552dce1c476 |
| SHA1 | 27ef5ac7cf1b2f7a1100881bf68bfd968ca397fc |
| SHA256 | a2090ab2512f147126b436425ebd51f837bf1b607becc39fe44e7e312b758232 |
| SHA512 | 2a4029d97bb81708aeaf0091bafee32551848b866afac729adccfc7b869f01de4741e6cf60fa5c69cd34b06b2e26d1c914157da32c139e9e3d6db4a16a5b7d7c |
C:\Windows\SysWOW64\Gnciohah.exe
| MD5 | f3c48ea99b0ec8310f63cc6d712794ae |
| SHA1 | 8aad1b5fccbc7f830165328479895fb44c946541 |
| SHA256 | 2dd2ec1474f9e43550fca48731c9e25d0aea8d31e39efddeb31004d44b9c0f74 |
| SHA512 | 36c15e75e532212ed51a830d89d597e6d6af63bd4d1748ce148b588b2d9e722085fad525fb35cc071514aceb9902331222acee0e0027b0f437187074d60ab254 |
C:\Windows\SysWOW64\Gcekbokj.exe
| MD5 | b9d393b9368377a4f22b291afaf2c25c |
| SHA1 | 44e62d800083d29eb6061e93fdf8f2c88f5f7289 |
| SHA256 | b9a69943e5e90dc7d60de5d8ad66fddffbde69cca96d5c82dcccdc7b1cd516a1 |
| SHA512 | a40019e161a353329d8de69e849de8cce7c5b2d70bb542ebc6ec16d41f40463268aaf05f2c760ba050f0b61b5ab098c2cedf1405b4bb7a8acf2e178fad56f9cd |
C:\Windows\SysWOW64\Gjocoi32.exe
| MD5 | ca130f94e4b46c1739b686ce0437d747 |
| SHA1 | 26061b9f3c3351227b1ce681368390b118a73ece |
| SHA256 | 070f352747b18a482610892f800675aef597529ccd0e894d641620e5fba6fd5c |
| SHA512 | aa66271fab480e61fa01aca1604962e799042751bafd7ae80d4ee27d41c710988029ed1f4a6f06b3e377f789fa444f3593a5582703871020d71c413deeeb1b4e |
C:\Windows\SysWOW64\Hbjdkepd.exe
| MD5 | 5ebb2c5d2cf7cbcfd16c53f648265889 |
| SHA1 | 0868e689caa2f44e746df495d32eb6c1a4864b52 |
| SHA256 | ad633fcf3a9c9ed564ab95097b1453254771d9b1e799e0b080a036478d8e489f |
| SHA512 | e047180bdf5cb8368a420e07d683308fa47596c42260711d238a14a811e3220e6969f02c3369a1923bc1d01611678e0a34777e8b394d89217f38dd58bfca84eb |
C:\Windows\SysWOW64\Habnbabi.exe
| MD5 | 4819e8d43f76052b6e4fff6ba17fded5 |
| SHA1 | a254d67bba3d65f73150a3e45b157b233681ba18 |
| SHA256 | 87ff7305002d04f15be470c791810afb9f84df767c82b880f4409cadf2667923 |
| SHA512 | 7f95f605dc8d56355e3f0ae156208627726d147ada5062f7a51b0c80a7e3c3ee6fe5d5aa5591c30060f9ea61f47b5902db449416c3f69a5964ee98fb03d613b4 |
C:\Windows\SysWOW64\Hccgcmoj.exe
| MD5 | 6dc98bc8a80aaeff9a2c7eff685eb692 |
| SHA1 | ada002ea20039680904972a4102011f553d88e32 |
| SHA256 | e061e74839e273f61d622e344824d7662b29a15666bf0023e99eceb739d035e8 |
| SHA512 | f561d2e6691d292deff2e536ea1fb2348e31bc886662e3c61b8d4dd84b221179c2e14348ac30a7e1f349eabd367d793b1c7668c3f9baaa22d24f390ad5438974 |
C:\Windows\SysWOW64\Ilohpi32.exe
| MD5 | 5160fcaa0361211b0b60a8b4a740d947 |
| SHA1 | 94ecdc45a5444c311357e104e6ae99c238c6fec3 |
| SHA256 | fb2e679039a8483ff5e1b9714cc67505e86d6f5c67fd71fa9c6a65d3524b4085 |
| SHA512 | a89a56d10aa322dd9a255764d5f9512721357fb1cbb4877260fea798bf1484c5bf52b81a4457d67b6ab5350b7a00450b59b37afd472a2c564237b60deb38d814 |
C:\Windows\SysWOW64\Icjmdlib.exe
| MD5 | 1300e0c054f59dd8fbfbca84b98ff835 |
| SHA1 | 15efca630216c043825a573620ff35818e13a724 |
| SHA256 | c6a503bbeb2f117cef482d87018a879c1f87d1530c8e8becab7ce2ef6a7baa25 |
| SHA512 | 1503220a48f1577e73ef76cd6867125e7822fa426571fb68d62a2681c123481bd67b950c353747eb5f7cfaf2a8f648d06208451969fec0f3237bf4b311c8d4b1 |
C:\Windows\SysWOW64\Jndkmd32.exe
| MD5 | b85fb535fa748ddc9599863b4e7a52f7 |
| SHA1 | 5b44e86fdf291e8d3be4351ea115948a3b16f046 |
| SHA256 | 58b999a50bce0fe33e1f3ede58be6b0a7b3612dd3b2e6f4b9d55f7afa5782786 |
| SHA512 | fd823c75e1d34a246db8a8c1e55c5d3a7da0d10eaae6cf025772716a07e8f603dabd9bffa3db200c2fd3104c15bed6eba88ce0853a3caa3edbfefba939be8965 |
C:\Windows\SysWOW64\Jjmhgd32.exe
| MD5 | 16b4f4104e8deed81e8d30c37652a6bd |
| SHA1 | 6983228f447955e78a9f80bae2a4ddfb4dce0c3a |
| SHA256 | ce90319c8fbf11528a6a0a62086ef3929c07b24aabfe9bd7ef7aff8e2c794c24 |
| SHA512 | 4302a9f9c44f53a3289bdf7c91a4921909bf300eca8c5df7c0b66680711b3eeca3c9fa41bf3d37a421eff49713cc6b6b6526f51890bb0a4aeff28bc3d08fa1b7 |
C:\Windows\SysWOW64\Jdhiej32.exe
| MD5 | 98795f958a442aa1d8bed04542112692 |
| SHA1 | ddb633440973778ec45ae39b97a429bd6f231abe |
| SHA256 | 2db6f71f1411c0215c6c873f833e3936a9acdb8ab19e5759959e16f017e3e6bf |
| SHA512 | 400bf18aa11d0d337feb2c72df4f9afe405bdbd98ad7d56f3c84e43d6925e021f812855915101973041d732daf6b51a4257245665912f919237da713449061c1 |
C:\Windows\SysWOW64\Jaljon32.exe
| MD5 | 375b6acfe928ca2829e5744dee980e70 |
| SHA1 | 1f7fd64d8e5ab86f8b97b1010ab3cbaac56e5b9a |
| SHA256 | 3d6fe0487ae5b3a57a9fc741e39e51a8877143791377686aaca064871884fd27 |
| SHA512 | a00bb307a1bedcf5556157603bebc70f806ba490d94b9b205b8806d0f396e7006d629fe1c2e5a784c1445ce81056396f2a31f7d27f9a0ae57e8db4346c37cf54 |
C:\Windows\SysWOW64\Kbkfiaco.exe
| MD5 | 9ed3be3dbfc4610a02f6bd17d2cd4ebf |
| SHA1 | c6e325e3eb3956ce031ad3bbcf34c2ac18a88dc8 |
| SHA256 | 3624d920c8e2e2e03064573239055c48a6e2ba8dcc7df51d5990bee793fae528 |
| SHA512 | c76a05a8a082f95489e9614b28d86f838449201109d4454d64a36caffbb485b97d3d837cc7d53f6d2a9a3d4c6ebd6ca7fafacdb24af54ce5e6996f032f8be6e6 |
C:\Windows\SysWOW64\Kelokl32.exe
| MD5 | ff934d368882948c99289b93804e1908 |
| SHA1 | 01ca67c7897f95221b03d11db6b412d2c5d7a5d1 |
| SHA256 | 3a1dd93d4ef139e72e88d1a6330bd42a68013fd5c294283a46261526e88c1f0d |
| SHA512 | 0b9a509aac80d9a8a1be5226263d6974075b3d3bbd092c06a2cfc1b54abfb1ac3319c15ccd61b99537627e29ffbbb21a1ca4ce62ff21c4e3a8fa68ecb2d84b80 |
C:\Windows\SysWOW64\Khmhlg32.exe
| MD5 | 77907832b5f7e2cbcee9e2faf8df5542 |
| SHA1 | 89d5d84b9ee2fb4c8ede8f92d5fb78b4c4183cd5 |
| SHA256 | 4b9ce5b4ecb252d30fac039110cdda0832be28a0c135b4e0ef5c3cff2f40193d |
| SHA512 | 65f0a4013be751e1d8cc70c5b587057e0b86e561cbf43f1614a1e15e5e33483fd0dce0594c40262443d353ae1c4ff23f49ab514b61c96d1c19a8495e10566548 |
C:\Windows\SysWOW64\Lejlljdp.exe
| MD5 | a9c473a14054d5cc3cc4b76ba4066955 |
| SHA1 | 5bcf6b73554ee3f223ca3490349c8a9fd967c54c |
| SHA256 | a907901dbc3b25cd2af4ece58a137f6105e9d779bebdc14f245d8b3622e063b7 |
| SHA512 | 89960e0c47ab54a9e82050fc12ccfb852a632d9c85656e98ed5831dcc3f050c207ab4e3621cb1a4420a3553e050e1479dd9b5df16f065b6d00b4a8b723565256 |
C:\Windows\SysWOW64\Mlimccgg.exe
| MD5 | a3ce7af48a20fc58678261034e3011a2 |
| SHA1 | dec12e6248f2ecdaee920a7dc01a9de607d6fc22 |
| SHA256 | 9bb8e04f65d02705f346ea80cd375f4a571f0a81d52d20b7a26cad7207c791b3 |
| SHA512 | 5feb4949b38c6a52a5fcdb157f7271b95b506e73edb9c79d2d8145db48af224e7c5960c59fce3552c5f9183a509c89df8271f93170aef06212b495df63da4c26 |
C:\Windows\SysWOW64\Mhpnid32.exe
| MD5 | eccd1e426884415f25962bda6d0d61cc |
| SHA1 | 543564342a50ef6283a4611a04d413f6ca0dddc8 |
| SHA256 | 2c48a72c8bc68ac1ccf4959a1d4efc7fe8417f03aab7016bce39435117198f2e |
| SHA512 | 1fd523bd907257a6de8c760d292024b4ea9b72ef87f8485e41756fe7ccf95f8e0b15f3b701e5f3322ec00d4825c69a1b8e26f87c0c6175a89d80f81fe0bedffe |
C:\Windows\SysWOW64\Mamlmi32.exe
| MD5 | 76f2913944e6aeb080d76e16e127d664 |
| SHA1 | 2e347def3e07afb4c17e2629a4b7a9b277d82402 |
| SHA256 | 397b3d50df60ad02c9cd437861b4c84649b26c51889d9c5ccd15a321111e8155 |
| SHA512 | d5dd80d47ee363cf806a85521d92145c2fa256bc74b54c9d4b8137d16884f2b1fb6fcc211db4a8eb15f1f376872ad956ea9186b0e4f116c8bfb970e705dccead |
C:\Windows\SysWOW64\Mclhfl32.exe
| MD5 | 2d8d2174f6a4f000deb98d10847613e3 |
| SHA1 | 2ef08ff9c33c5a948722b366c83dc969e9e507b1 |
| SHA256 | 7fe714420bdb8fd28b8d7026ece19732846dc06f6444e6509f4955f75f32939f |
| SHA512 | 914b9d42282337eaab18663d8bee5c86a95eca03a9852c60080ed7cf2d91b3718626920e7a5f994561570da940b6b35fb2c41c06f9b77ff909c9e0ae0a5d3122 |
C:\Windows\SysWOW64\Nlgiea32.exe
| MD5 | cf1f1afef15b2022d25f9548f508d101 |
| SHA1 | e35b3ab01e04ca7769b66aba758d51cfd9911cbb |
| SHA256 | eeff2df1620d9256ab2e5a72608916b6db40a0c4d8ce9cb173ed2bbdd14aa2ea |
| SHA512 | 941b1ab91c581360bfda161d0f8e6617c673d93f19f68c065691745153c2dd78827f099b6778013da4db6c82faabfc1812a96e7c752bbf0ab1604908fd1dcc85 |
C:\Windows\SysWOW64\Oboaif32.exe
| MD5 | 7710dbe12967fd8f6dd39ecdef46df2c |
| SHA1 | de4e776024be7f32b3479c55a1a88b9e767c90b3 |
| SHA256 | d506a2d345f69a2cdb3e7ee1bed5cf079c2f3f4fc52be4b405c24b23e7c118b2 |
| SHA512 | 5553564dd1916f3b5c115e705029f1e5f3b96a146644e3643892a175cbf3dd0493d30b615e2f4499078d000733205c88093bfb3c3f1d8ca2f269c4146c582b29 |
C:\Windows\SysWOW64\Qecpgo32.exe
| MD5 | 40fa4b0e0975de74e9c6ee612ad514cd |
| SHA1 | 312dddc4a60490425828e6b959845d9cd8f08ac7 |
| SHA256 | f48c6df609348725026845d2017caad4f3f994f43a1748ad87cf864bb24a9f92 |
| SHA512 | 11629307e077259f08c3607cb4a0ee3f30e4d7122e699cb7bb804bb643082577d703270d6f8dfff6102222a805e9dc7c47d2f0c55948f04ff757c94955586ce3 |
C:\Windows\SysWOW64\Apmnpg32.exe
| MD5 | 41b46424485ccd74557c6d57582d9a8c |
| SHA1 | 4bfc534c559ef79e74227ed725506fd9a67488e0 |
| SHA256 | 9db883d4fd7bde905d72d049443368589c7f6665a57f5491313281f405eb7b47 |
| SHA512 | a076dd15cae9ae16f2732e4bc29601aa74aa9a154a0366e0a873f7483cd9f990d58be83a756d9b054db224a2f884a4915db9c626cad2739b1c80e7e5b6449bef |
C:\Windows\SysWOW64\Bcbmfdhl.exe
| MD5 | edcec53bc47ca6eaec2a322d142cdabd |
| SHA1 | aeb942ee673b3ffccade0ba635c436d9f2283717 |
| SHA256 | cfcfa495a5499bbfef611f59282e7b5b4d99378e6f11cb1b5dc69b7a9578c047 |
| SHA512 | b1c35fa56fb2dfba640ed72b3baf18fce58b1d10107eeb072e40decaf0deb18425d13af44ef73e5afa338d5c5ddf033ba726fa35468a9d7694ccece96bdc46d9 |
C:\Windows\SysWOW64\Dmmglg32.exe
| MD5 | 8953ee51dff05e6e166ef13a0ed98131 |
| SHA1 | 6c526724fc513a3ba688886aaced6f90330bd11e |
| SHA256 | 581d2f4897dd65afc0806d212ed7dc6551f5c435674b65c077b69d9c9e926124 |
| SHA512 | 6335eee0d7db2ecdf95c1211f4c2e7b29c4eafb66e52f9651695a4d3e22f9b6630a36c98d7f997f221cea7efae059e1261a9b9ebddee680fda41d6043a640b72 |
C:\Windows\SysWOW64\Eedklh32.exe
| MD5 | 877a3da8cfa100ceb27d93e8f556a34e |
| SHA1 | 204861874a7536885981a96bb024fc93a0a874c6 |
| SHA256 | 1b680c415f99dbd93b28ea02712ca19223a2ff43f2774db111f81d20d77dd4f9 |
| SHA512 | 383689fcdc6ab2e1aa7c2a7b39ad87149d1216143a12b68f0014f4ae24f27f03bc555dbbfad29f415eaffa8a7e596a635537c601ed1150a6d1f7f93d49460a95 |
C:\Windows\SysWOW64\Edghoo32.exe
| MD5 | e7497dd1ee612550a216c51db6781d3f |
| SHA1 | 8720be2246b3b3d43055fbd15a10a0a4960c0311 |
| SHA256 | a1dcbc10d767294adb6bcf7aeb2ab1f56f036a32e9081cdc8dfd066910a5d6b4 |
| SHA512 | 4806ec4a53eab0f35d3766d5c223cd98d19104023831aa9b78136e8d42cc297c932603017654f16ffeaac192f9e75fe882fad95953769007a4ae44da22dd1dda |
C:\Windows\SysWOW64\Ecoafk32.exe
| MD5 | b3300d20dc4e0b79f759769a83365142 |
| SHA1 | e383611924611d7cf034ebaa77fcf3a03be1e93e |
| SHA256 | 10dcab17f6e6b2b9a437b3b8e8a1b0d2fc28313ccfa5b2bf9935dee4c6a7d726 |
| SHA512 | c2d3665251b3a4b6fb1ebd64eb20f945725f4205d7d16f48d7f08b39c53257b6da5f3849ce47e6a572fa1ae978d055675e8acf2b5f6369a04f32b6acc6c73df1 |
C:\Windows\SysWOW64\Fpcbop32.exe
| MD5 | f459ed4d99ac7e9a3a2b43859a597b7b |
| SHA1 | 2fdad54369527601ce893c0ac8a2313ec51d3d17 |
| SHA256 | 4bbfa90a7869daa953b862dadcab05c02051461726ae1e367d7802710b54e8d4 |
| SHA512 | 8bdd30949a08af3b8e601b9f3ceea397d9ec7e8476b47d0f3617de41845ede6eafe544226e4fd3e1edfb7a550c6282137e327aa42001e00c07443f62f9041280 |
C:\Windows\SysWOW64\Fgogai32.exe
| MD5 | ce412031d1b4a98a9ba03823e94bd347 |
| SHA1 | 0784a6eaa69ca57ff5ba12f0df089a24516cf4a7 |
| SHA256 | 0af549b05a8936383da3187a59df50a92e865daddb0e94dfacb2fa8320431557 |
| SHA512 | 9bd3707e55458e1b6193c6c293ff61b734b9b93f7b1a5a7eae12ebdb5ae9ccf77b4c9830db1240438e543d254d9a32d0b992b9e82e492b68b1afaba050e0a7f3 |
C:\Windows\SysWOW64\Ffgqhe32.exe
| MD5 | 976583cb687f98dbc8c54239880fc7a4 |
| SHA1 | 8b7a4a4c2a54af5ad02bf1053fd5280ab91bb481 |
| SHA256 | 0f6b96faf305160dca715a70094eab502a0cd2cd63c9b6266f8339c2cd1a77dd |
| SHA512 | 6df470ae6134c4590c206f2a63d80796bdbc62fedbb2a0fdd1b4a7c89ec2b673d9e77545760f891cee40e062ec964db8b4da8ca6dea56b87c8130bc9aaedfb01 |
memory/7880-1830-0x0000000000400000-0x0000000000468000-memory.dmp
memory/7708-1847-0x0000000000400000-0x0000000000468000-memory.dmp
memory/7448-1898-0x0000000000400000-0x0000000000468000-memory.dmp
memory/7332-1903-0x0000000000400000-0x0000000000468000-memory.dmp
memory/7144-1925-0x0000000000400000-0x0000000000468000-memory.dmp
memory/6664-1968-0x0000000000400000-0x0000000000468000-memory.dmp
memory/6868-1993-0x0000000000400000-0x0000000000468000-memory.dmp
memory/5516-2139-0x0000000000400000-0x0000000000468000-memory.dmp
memory/936-2168-0x0000000000400000-0x0000000000468000-memory.dmp
memory/3304-2289-0x0000000000400000-0x0000000000468000-memory.dmp
memory/4408-2306-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2716-2335-0x0000000000400000-0x0000000000468000-memory.dmp