Malware Analysis Report

2025-01-23 05:53

Sample ID 240522-whze2aba99
Target 31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe
SHA256 31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504
Tags
backdoor trojan dropper berbew persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504

Threat Level: Known bad

The file 31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Malware Dropper & Backdoor - Berbew

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 17:56

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 17:56

Reported

2024-05-22 17:58

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target

Loads dropped DLL

Description Indicator Process Target

Drops file in System32 directory

Description Indicator Process Target

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Icbimi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmhlp32.dll" C:\Windows\SysWOW64\Dqhhknjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll" C:\Windows\SysWOW64\Hhmepp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Icbimi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fmlapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll" C:\Windows\SysWOW64\Fioija32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Flmefm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnhje32.dll" C:\Windows\SysWOW64\Gpknlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll" C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nopodm32.dll" C:\Windows\SysWOW64\Fpfdalii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll" C:\Windows\SysWOW64\Faokjpfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgqjffca.dll" C:\Windows\SysWOW64\Ejgcdb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ejgcdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll" C:\Windows\SysWOW64\Ghkllmoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljenlcfa.dll" C:\Windows\SysWOW64\Eqonkmdh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fnbkddem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll" C:\Windows\SysWOW64\Hgdbhi32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1040 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe C:\Windows\SysWOW64\Cdlnkmha.exe
PID 1040 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe C:\Windows\SysWOW64\Cdlnkmha.exe
PID 1040 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe C:\Windows\SysWOW64\Cdlnkmha.exe
PID 1040 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe C:\Windows\SysWOW64\Cdlnkmha.exe
PID 1752 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Cdlnkmha.exe C:\Windows\SysWOW64\Cobbhfhg.exe
PID 1752 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Cdlnkmha.exe C:\Windows\SysWOW64\Cobbhfhg.exe
PID 1752 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Cdlnkmha.exe C:\Windows\SysWOW64\Cobbhfhg.exe
PID 1752 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Cdlnkmha.exe C:\Windows\SysWOW64\Cobbhfhg.exe
PID 2556 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Cobbhfhg.exe C:\Windows\SysWOW64\Dbpodagk.exe
PID 2556 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Cobbhfhg.exe C:\Windows\SysWOW64\Dbpodagk.exe
PID 2556 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Cobbhfhg.exe C:\Windows\SysWOW64\Dbpodagk.exe
PID 2556 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Cobbhfhg.exe C:\Windows\SysWOW64\Dbpodagk.exe
PID 2568 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Dbpodagk.exe C:\Windows\SysWOW64\Dhjgal32.exe
PID 2568 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Dbpodagk.exe C:\Windows\SysWOW64\Dhjgal32.exe
PID 2568 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Dbpodagk.exe C:\Windows\SysWOW64\Dhjgal32.exe
PID 2568 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Dbpodagk.exe C:\Windows\SysWOW64\Dhjgal32.exe
PID 2096 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Dhjgal32.exe C:\Windows\SysWOW64\Dodonf32.exe
PID 2096 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Dhjgal32.exe C:\Windows\SysWOW64\Dodonf32.exe
PID 2096 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Dhjgal32.exe C:\Windows\SysWOW64\Dodonf32.exe
PID 2096 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Dhjgal32.exe C:\Windows\SysWOW64\Dodonf32.exe
PID 2640 wrote to memory of 2488 N/A C:\Windows\SysWOW64\Dodonf32.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2640 wrote to memory of 2488 N/A C:\Windows\SysWOW64\Dodonf32.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2640 wrote to memory of 2488 N/A C:\Windows\SysWOW64\Dodonf32.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2640 wrote to memory of 2488 N/A C:\Windows\SysWOW64\Dodonf32.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2488 wrote to memory of 304 N/A C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dhmcfkme.exe
PID 2488 wrote to memory of 304 N/A C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dhmcfkme.exe
PID 2488 wrote to memory of 304 N/A C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dhmcfkme.exe
PID 2488 wrote to memory of 304 N/A C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dhmcfkme.exe
PID 304 wrote to memory of 1664 N/A C:\Windows\SysWOW64\Dhmcfkme.exe C:\Windows\SysWOW64\Dnilobkm.exe
PID 304 wrote to memory of 1664 N/A C:\Windows\SysWOW64\Dhmcfkme.exe C:\Windows\SysWOW64\Dnilobkm.exe
PID 304 wrote to memory of 1664 N/A C:\Windows\SysWOW64\Dhmcfkme.exe C:\Windows\SysWOW64\Dnilobkm.exe
PID 304 wrote to memory of 1664 N/A C:\Windows\SysWOW64\Dhmcfkme.exe C:\Windows\SysWOW64\Dnilobkm.exe
PID 1664 wrote to memory of 1592 N/A C:\Windows\SysWOW64\Dnilobkm.exe C:\Windows\SysWOW64\Dqhhknjp.exe
PID 1664 wrote to memory of 1592 N/A C:\Windows\SysWOW64\Dnilobkm.exe C:\Windows\SysWOW64\Dqhhknjp.exe
PID 1664 wrote to memory of 1592 N/A C:\Windows\SysWOW64\Dnilobkm.exe C:\Windows\SysWOW64\Dqhhknjp.exe
PID 1664 wrote to memory of 1592 N/A C:\Windows\SysWOW64\Dnilobkm.exe C:\Windows\SysWOW64\Dqhhknjp.exe
PID 1592 wrote to memory of 1468 N/A C:\Windows\SysWOW64\Dqhhknjp.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 1592 wrote to memory of 1468 N/A C:\Windows\SysWOW64\Dqhhknjp.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 1592 wrote to memory of 1468 N/A C:\Windows\SysWOW64\Dqhhknjp.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 1592 wrote to memory of 1468 N/A C:\Windows\SysWOW64\Dqhhknjp.exe C:\Windows\SysWOW64\Dgaqgh32.exe
PID 1468 wrote to memory of 312 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dmoipopd.exe
PID 1468 wrote to memory of 312 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dmoipopd.exe
PID 1468 wrote to memory of 312 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dmoipopd.exe
PID 1468 wrote to memory of 312 N/A C:\Windows\SysWOW64\Dgaqgh32.exe C:\Windows\SysWOW64\Dmoipopd.exe
PID 312 wrote to memory of 1568 N/A C:\Windows\SysWOW64\Dmoipopd.exe C:\Windows\SysWOW64\Dchali32.exe
PID 312 wrote to memory of 1568 N/A C:\Windows\SysWOW64\Dmoipopd.exe C:\Windows\SysWOW64\Dchali32.exe
PID 312 wrote to memory of 1568 N/A C:\Windows\SysWOW64\Dmoipopd.exe C:\Windows\SysWOW64\Dchali32.exe
PID 312 wrote to memory of 1568 N/A C:\Windows\SysWOW64\Dmoipopd.exe C:\Windows\SysWOW64\Dchali32.exe
PID 1568 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Dchali32.exe C:\Windows\SysWOW64\Dfgmhd32.exe
PID 1568 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Dchali32.exe C:\Windows\SysWOW64\Dfgmhd32.exe
PID 1568 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Dchali32.exe C:\Windows\SysWOW64\Dfgmhd32.exe
PID 1568 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Dchali32.exe C:\Windows\SysWOW64\Dfgmhd32.exe
PID 2560 wrote to memory of 1696 N/A C:\Windows\SysWOW64\Dfgmhd32.exe C:\Windows\SysWOW64\Djbiicon.exe
PID 2560 wrote to memory of 1696 N/A C:\Windows\SysWOW64\Dfgmhd32.exe C:\Windows\SysWOW64\Djbiicon.exe
PID 2560 wrote to memory of 1696 N/A C:\Windows\SysWOW64\Dfgmhd32.exe C:\Windows\SysWOW64\Djbiicon.exe
PID 2560 wrote to memory of 1696 N/A C:\Windows\SysWOW64\Dfgmhd32.exe C:\Windows\SysWOW64\Djbiicon.exe
PID 1696 wrote to memory of 564 N/A C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Doobajme.exe
PID 1696 wrote to memory of 564 N/A C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Doobajme.exe
PID 1696 wrote to memory of 564 N/A C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Doobajme.exe
PID 1696 wrote to memory of 564 N/A C:\Windows\SysWOW64\Djbiicon.exe C:\Windows\SysWOW64\Doobajme.exe
PID 564 wrote to memory of 2028 N/A C:\Windows\SysWOW64\Doobajme.exe C:\Windows\SysWOW64\Dfijnd32.exe
PID 564 wrote to memory of 2028 N/A C:\Windows\SysWOW64\Doobajme.exe C:\Windows\SysWOW64\Dfijnd32.exe
PID 564 wrote to memory of 2028 N/A C:\Windows\SysWOW64\Doobajme.exe C:\Windows\SysWOW64\Dfijnd32.exe
PID 564 wrote to memory of 2028 N/A C:\Windows\SysWOW64\Doobajme.exe C:\Windows\SysWOW64\Dfijnd32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe

"C:\Users\Admin\AppData\Local\Temp\31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe"

C:\Windows\SysWOW64\Cdlnkmha.exe

C:\Windows\system32\Cdlnkmha.exe

C:\Windows\SysWOW64\Cobbhfhg.exe

C:\Windows\system32\Cobbhfhg.exe

C:\Windows\SysWOW64\Dbpodagk.exe

C:\Windows\system32\Dbpodagk.exe

C:\Windows\SysWOW64\Dhjgal32.exe

C:\Windows\system32\Dhjgal32.exe

C:\Windows\SysWOW64\Dodonf32.exe

C:\Windows\system32\Dodonf32.exe

C:\Windows\SysWOW64\Dngoibmo.exe

C:\Windows\system32\Dngoibmo.exe

C:\Windows\SysWOW64\Dhmcfkme.exe

C:\Windows\system32\Dhmcfkme.exe

C:\Windows\SysWOW64\Dnilobkm.exe

C:\Windows\system32\Dnilobkm.exe

C:\Windows\SysWOW64\Dqhhknjp.exe

C:\Windows\system32\Dqhhknjp.exe

C:\Windows\SysWOW64\Dgaqgh32.exe

C:\Windows\system32\Dgaqgh32.exe

C:\Windows\SysWOW64\Dmoipopd.exe

C:\Windows\system32\Dmoipopd.exe

C:\Windows\SysWOW64\Dchali32.exe

C:\Windows\system32\Dchali32.exe

C:\Windows\SysWOW64\Dfgmhd32.exe

C:\Windows\system32\Dfgmhd32.exe

C:\Windows\SysWOW64\Djbiicon.exe

C:\Windows\system32\Djbiicon.exe

C:\Windows\SysWOW64\Doobajme.exe

C:\Windows\system32\Doobajme.exe

C:\Windows\SysWOW64\Dfijnd32.exe

C:\Windows\system32\Dfijnd32.exe

C:\Windows\SysWOW64\Eihfjo32.exe

C:\Windows\system32\Eihfjo32.exe

C:\Windows\SysWOW64\Eqonkmdh.exe

C:\Windows\system32\Eqonkmdh.exe

C:\Windows\SysWOW64\Ecmkghcl.exe

C:\Windows\system32\Ecmkghcl.exe

C:\Windows\SysWOW64\Ebpkce32.exe

C:\Windows\system32\Ebpkce32.exe

C:\Windows\SysWOW64\Ejgcdb32.exe

C:\Windows\system32\Ejgcdb32.exe

C:\Windows\SysWOW64\Eijcpoac.exe

C:\Windows\system32\Eijcpoac.exe

C:\Windows\SysWOW64\Ekholjqg.exe

C:\Windows\system32\Ekholjqg.exe

C:\Windows\SysWOW64\Efncicpm.exe

C:\Windows\system32\Efncicpm.exe

C:\Windows\SysWOW64\Eeqdep32.exe

C:\Windows\system32\Eeqdep32.exe

C:\Windows\SysWOW64\Ekklaj32.exe

C:\Windows\system32\Ekklaj32.exe

C:\Windows\SysWOW64\Ebedndfa.exe

C:\Windows\system32\Ebedndfa.exe

C:\Windows\SysWOW64\Eiomkn32.exe

C:\Windows\system32\Eiomkn32.exe

C:\Windows\SysWOW64\Elmigj32.exe

C:\Windows\system32\Elmigj32.exe

C:\Windows\SysWOW64\Enkece32.exe

C:\Windows\system32\Enkece32.exe

C:\Windows\SysWOW64\Eiaiqn32.exe

C:\Windows\system32\Eiaiqn32.exe

C:\Windows\SysWOW64\Eloemi32.exe

C:\Windows\system32\Eloemi32.exe

C:\Windows\SysWOW64\Ennaieib.exe

C:\Windows\system32\Ennaieib.exe

C:\Windows\SysWOW64\Ebinic32.exe

C:\Windows\system32\Ebinic32.exe

C:\Windows\SysWOW64\Fhffaj32.exe

C:\Windows\system32\Fhffaj32.exe

C:\Windows\SysWOW64\Fnpnndgp.exe

C:\Windows\system32\Fnpnndgp.exe

C:\Windows\SysWOW64\Faokjpfd.exe

C:\Windows\system32\Faokjpfd.exe

C:\Windows\SysWOW64\Fhhcgj32.exe

C:\Windows\system32\Fhhcgj32.exe

C:\Windows\SysWOW64\Fnbkddem.exe

C:\Windows\system32\Fnbkddem.exe

C:\Windows\SysWOW64\Faagpp32.exe

C:\Windows\system32\Faagpp32.exe

C:\Windows\SysWOW64\Fhkpmjln.exe

C:\Windows\system32\Fhkpmjln.exe

C:\Windows\SysWOW64\Fmhheqje.exe

C:\Windows\system32\Fmhheqje.exe

C:\Windows\SysWOW64\Fpfdalii.exe

C:\Windows\system32\Fpfdalii.exe

C:\Windows\SysWOW64\Fdapak32.exe

C:\Windows\system32\Fdapak32.exe

C:\Windows\SysWOW64\Fioija32.exe

C:\Windows\system32\Fioija32.exe

C:\Windows\SysWOW64\Flmefm32.exe

C:\Windows\system32\Flmefm32.exe

C:\Windows\SysWOW64\Fddmgjpo.exe

C:\Windows\system32\Fddmgjpo.exe

C:\Windows\SysWOW64\Fbgmbg32.exe

C:\Windows\system32\Fbgmbg32.exe

C:\Windows\SysWOW64\Ffbicfoc.exe

C:\Windows\system32\Ffbicfoc.exe

C:\Windows\SysWOW64\Feeiob32.exe

C:\Windows\system32\Feeiob32.exe

C:\Windows\SysWOW64\Fmlapp32.exe

C:\Windows\system32\Fmlapp32.exe

C:\Windows\SysWOW64\Gpknlk32.exe

C:\Windows\system32\Gpknlk32.exe

C:\Windows\SysWOW64\Gbijhg32.exe

C:\Windows\system32\Gbijhg32.exe

C:\Windows\SysWOW64\Gfefiemq.exe

C:\Windows\system32\Gfefiemq.exe

C:\Windows\SysWOW64\Ghfbqn32.exe

C:\Windows\system32\Ghfbqn32.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gopkmhjk.exe

C:\Windows\system32\Gopkmhjk.exe

C:\Windows\SysWOW64\Gangic32.exe

C:\Windows\system32\Gangic32.exe

C:\Windows\SysWOW64\Gieojq32.exe

C:\Windows\system32\Gieojq32.exe

C:\Windows\SysWOW64\Gldkfl32.exe

C:\Windows\system32\Gldkfl32.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gelppaof.exe

C:\Windows\system32\Gelppaof.exe

C:\Windows\SysWOW64\Ghkllmoi.exe

C:\Windows\system32\Ghkllmoi.exe

C:\Windows\SysWOW64\Glfhll32.exe

C:\Windows\system32\Glfhll32.exe

C:\Windows\SysWOW64\Goddhg32.exe

C:\Windows\system32\Goddhg32.exe

C:\Windows\SysWOW64\Gacpdbej.exe

C:\Windows\system32\Gacpdbej.exe

C:\Windows\SysWOW64\Gdamqndn.exe

C:\Windows\system32\Gdamqndn.exe

C:\Windows\SysWOW64\Ggpimica.exe

C:\Windows\system32\Ggpimica.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\system32\Gkkemh32.exe

C:\Windows\SysWOW64\Gmjaic32.exe

C:\Windows\system32\Gmjaic32.exe

C:\Windows\SysWOW64\Gphmeo32.exe

C:\Windows\system32\Gphmeo32.exe

C:\Windows\SysWOW64\Ghoegl32.exe

C:\Windows\system32\Ghoegl32.exe

C:\Windows\SysWOW64\Hknach32.exe

C:\Windows\system32\Hknach32.exe

C:\Windows\SysWOW64\Hiqbndpb.exe

C:\Windows\system32\Hiqbndpb.exe

C:\Windows\SysWOW64\Hahjpbad.exe

C:\Windows\system32\Hahjpbad.exe

C:\Windows\SysWOW64\Hdfflm32.exe

C:\Windows\system32\Hdfflm32.exe

C:\Windows\SysWOW64\Hgdbhi32.exe

C:\Windows\system32\Hgdbhi32.exe

C:\Windows\SysWOW64\Hicodd32.exe

C:\Windows\system32\Hicodd32.exe

C:\Windows\SysWOW64\Hlakpp32.exe

C:\Windows\system32\Hlakpp32.exe

C:\Windows\SysWOW64\Hdhbam32.exe

C:\Windows\system32\Hdhbam32.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hejoiedd.exe

C:\Windows\system32\Hejoiedd.exe

C:\Windows\SysWOW64\Hlcgeo32.exe

C:\Windows\system32\Hlcgeo32.exe

C:\Windows\SysWOW64\Hpocfncj.exe

C:\Windows\system32\Hpocfncj.exe

C:\Windows\SysWOW64\Hgilchkf.exe

C:\Windows\system32\Hgilchkf.exe

C:\Windows\SysWOW64\Hjhhocjj.exe

C:\Windows\system32\Hjhhocjj.exe

C:\Windows\SysWOW64\Hlfdkoin.exe

C:\Windows\system32\Hlfdkoin.exe

C:\Windows\SysWOW64\Hodpgjha.exe

C:\Windows\system32\Hodpgjha.exe

C:\Windows\SysWOW64\Hacmcfge.exe

C:\Windows\system32\Hacmcfge.exe

C:\Windows\SysWOW64\Hjjddchg.exe

C:\Windows\system32\Hjjddchg.exe

C:\Windows\SysWOW64\Hhmepp32.exe

C:\Windows\system32\Hhmepp32.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Icbimi32.exe

C:\Windows\system32\Icbimi32.exe

C:\Windows\SysWOW64\Ieqeidnl.exe

C:\Windows\system32\Ieqeidnl.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Iknnbklc.exe

C:\Windows\system32\Iknnbklc.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 140

Network

N/A

Files

memory/1040-0-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Cdlnkmha.exe

MD5 c13fb8253bac3d38859d43901134bf74
SHA1 b0bbf13474d7e6a771eb606640aaf49522b6dfab
SHA256 c7c20697d6ceb16c290b7f087f3f4ba15904df3034c32c247948ed6719eac079
SHA512 d661262fe7f2cd0d7f586c0c2cf4ddec5eaa0ae3a544fd5ffa2a59380676d6f0187eae15d8f393b56aa0fb54f1f35545c5f920ccacbf0ac62a9433115689a8b2

memory/1040-6-0x0000000000250000-0x0000000000289000-memory.dmp

memory/1752-13-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Cobbhfhg.exe

MD5 0194ad5b874f74a2f253abe5c7b18c71
SHA1 76e11adf4031a6e92384c0a2180d4489cd39943f
SHA256 4f12e23c9c1d666770c6d78b83650942afcddc1980aecf96602bf80bc2a5cb0d
SHA512 c0ad24485e562ef96547f08111042e8bbf47c7a4efd787289fb4f68393626d84bc899c72c876a8690d4df671c8ed36a47155ffb3be37708ae95414daaad2f350

memory/1752-26-0x0000000000250000-0x0000000000289000-memory.dmp

\Windows\SysWOW64\Dbpodagk.exe

MD5 940b99553d343136fd8c8cadec4f3c2b
SHA1 48542d2dad6d18704e55d09e6ab10a0617525e2f
SHA256 948b7f4425139e5c372c9be3791dff411f608a73acbc82c04082161ec6b54dff
SHA512 6f2cf6a4fd1f8117b6a2449e54f2315c3a2540ec1e6495811cc2cc5996c8f1d4cf0fb442503aee17e883b8c4f636a7e143ee1c29ddd74330a584b861e4fae54d

memory/2556-39-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2568-40-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Dhjgal32.exe

MD5 487cbd879b1fabb698f5c6c507a3dec0
SHA1 cf780f3f6b1fff1c3bd8371439951e5a869cfc6f
SHA256 d9dfb3f08dd4acc6cad3ea5c4354f1a542fefbddc03039a903a33f791e24e87a
SHA512 51f55de2d8570308d6257801852cf1aacd5911ee3a03b7c3c71e608a44538df7310fb50dcd607d9a9223690c0eeb0c505459744c05d94f4d940aa8483b314a82

C:\Windows\SysWOW64\Dodonf32.exe

MD5 03db407a6f71fab576b53eb07d6465f6
SHA1 075775feb75b203e0182fc5a20eee39dbd842f95
SHA256 807ff7e6c76108bafa2f2cc0c559196cbaee5b735d7d95d246c4cc7cda766d57
SHA512 8ca3d93d8908533381d6a0dbf6c0de5cd1c5f0a667acb38e6377411870487385ba88c8144dd6f28d063b7ae463a520d3a8a3263824d99f100b879fb6820ee882

memory/2096-58-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2640-67-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Dngoibmo.exe

MD5 9dbede67059fb2afc12163ca1b6ecc58
SHA1 0d8870f5d16e85eb656ae65e9601dfcfa8ba9f9b
SHA256 59a264e3b7ee87274e184f52e15a27a4384b5b6807674988e64d734c1fb8d71e
SHA512 c1d60c5f0b062a49e512c2c4bfc36aad721b490a66ce271351b315c45fe75de3de3a704a503bfa8a456ba725d51ac527ffd25c77f92c60d6b7999eebc972a700

\Windows\SysWOW64\Dhmcfkme.exe

MD5 09f46a3dbd69d42974cdc115cedebbc2
SHA1 6d45906e67278cdc391a51f83da62f9ab06491cc
SHA256 a5d87549726cabdc2f1d32a52e88df580e74be318a6c3db8508357ea95c04ce2
SHA512 8640d25afac7c11e20fea551c7a4e73ec5b0055f5a1da05cb6a1b60c8d972ea813b2f810e63d76f5c4a3658a43d08ad6c742289a7733c75e2bedf9d9e063c0cb

memory/304-92-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2488-83-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Dnilobkm.exe

MD5 83ba35f61bb221110d1d3d55a59eaece
SHA1 91db950a85e7e5a5a864aeac97a31d529fa7335a
SHA256 ab6d82eea4edc1383b6821505f0f3d06d851fbec620f1d57331c28f7a0dfa226
SHA512 2c2041878b6a8be4fe4b456fbce39ca486c4f6706b5c11beff958c2d5b74d36ee0def65e1025056a5407bcef4b2bf559cb7e785c16f392737f7645ac31e74b3f

C:\Windows\SysWOW64\Dqhhknjp.exe

MD5 c0f6b7e00497dd2b7f9326e0fec5724c
SHA1 96136c6001e2b23aa1037cbb10bdde0b9fe7cae9
SHA256 54744e2efc04ec755938e1692f5e6b90e02782d2f2cfd6f19f12606acc04e987
SHA512 41ffddb300d3e11242503763b3d5d81d8aaf0887a8a1811746a7a949863af3c81d0ee068a1672604ac5f5ebc71a025744ec1ddc750d293d13b680312f203499d

memory/1664-105-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1592-123-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Dgaqgh32.exe

MD5 2c5e8dad4527dc14dd5dd6ff64bc68a5
SHA1 508c2ccd255f88a55bb34d1183a8485dbb053bd2
SHA256 eb9da5d4b66843d1d7a5110f717a84af8053d8ec281fd7fbba9d601ecd186a34
SHA512 9af1733e8e082800cb59c8fd7a91d9bf6333d7616b3f121002eebc3ee67a60ee47e37d8c1129ec6d1f4db5cb25a1f0b344b1cd94803436b45dba1c94c0e64474

memory/1592-126-0x00000000002D0000-0x0000000000309000-memory.dmp

\Windows\SysWOW64\Dmoipopd.exe

MD5 440ec4925a6b81332b999989ccf1466d
SHA1 3511f59e6b4321a7b0886f60f76ad7f386c09d73
SHA256 cb857e8dedea8d2165942b52aba86ab1507e582fbbc47aa14307328ec98acea9
SHA512 a94adec0d729c373d6fa42225d2b0f431b0f18bb8424de4902dbfb47e2fbe345f9eba0a21fe14a437ff29a8f87e574ae8ee2ba163f23fa99243041f7634fc590

memory/1468-139-0x0000000000400000-0x0000000000439000-memory.dmp

memory/312-145-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Dchali32.exe

MD5 3bf052af30e3c547f5c1a6e605099e4e
SHA1 ef8d51b0823a11b39b9a5cf9e73fc0701c7c5cb4
SHA256 b2d0ed96657b101f26516da8f08bc8bed39d627a53f7e5fe9a72a8a5c91180a2
SHA512 87ede8cbca9c8aaf95c6e6ffa16b4f4d8b2019716a9f021083560e9d8794bd8b7519c54cfd57b71c6cb4ef266c411df6ce948a368bd5297a70afa6e9436acbb2

memory/312-152-0x0000000000250000-0x0000000000289000-memory.dmp

\Windows\SysWOW64\Dfgmhd32.exe

MD5 0c670ad3753fcd0daf09e0d34058379d
SHA1 34799d32c187d808aeb8d1ed872f109395e5b1fe
SHA256 f960e6df9a9d3f954859079b0d2a14a50d5d9d7af11059689a09ee83b60f9390
SHA512 ffa544e08b1f7de9bea9459c027a40023ba2a07b6fe3c1cc28eb450f69799db6dad591f3bad4e8af193a220e12a9461d5344ba5fe5566ae3c6d4178c8741af02

memory/2560-171-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Djbiicon.exe

MD5 da782483ae83a800485913827ece2f7b
SHA1 12dd344b23b79afd1228ea437b584b46a1ab19aa
SHA256 c9f47a07cd99dd877b358f93a9e35f5f153ea6935ec12dde376ee570e8ad0b32
SHA512 c2c6591a5e4964cb4fdfc3f166810204711364b00c59aca3f100adec17b5403ed2ba7646ab4d0eabf9db468c543d7f67f2508a293a510b05c83b7f6e4c5fe481

memory/1696-184-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Doobajme.exe

MD5 909e1d171363a4138db135812094d11c
SHA1 6af9ae9b4c3f0a4fda97f066df64ea49e3ff3652
SHA256 9a6e3b0fd4afcb4f4e298fc971c0c0cf7b7c8504ebaa42f7f87bbe379549cd4e
SHA512 1a7b83412f8a97a4c30d0a0c089a71d5ba1e24ce5154c760eefdcdb9ca77c50c1660fb4d0fe35efcf7038fcbf02a0a07d764716d0daa2b3d10264c5d71143f18

memory/564-197-0x0000000000400000-0x0000000000439000-memory.dmp

\Windows\SysWOW64\Dfijnd32.exe

MD5 1cb760658a6320d0afd46ea858521670
SHA1 866cd37d25c5134852e73dadfd47e002d1b3ef52
SHA256 7f61263a06443b5b008f692bdaeb7f1cf612b93a604056a094bae9deb9782ff4
SHA512 babaa30548fae34f71f7d9c6134b73b3a4fa3302afa55e120edf01049f7874e7bf44726490eb93ed594a30e178cfada0f6064062767c3ac2ecdd3b1d0a9c9d9e

memory/2028-210-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Eihfjo32.exe

MD5 6f5c9ee891e0c1d4143538189e9a5759
SHA1 47b354678b0b267de96a1f38387a31e74b5dd796
SHA256 48f0ec66949b697ce886c13ad8a93a22768d20b1ce7e3ad633107bfb14383251
SHA512 95664bf9e1df74713ba235db8859df9098d0896cede8fb404640cd7aed7698ef36a15bdc693c826f2e568ad2f604eaba956e2d7a3faeb234842b0d5c21d4c1bb

memory/1308-224-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1308-226-0x0000000001F70000-0x0000000001FA9000-memory.dmp

C:\Windows\SysWOW64\Eqonkmdh.exe

MD5 ed7af9d57828264f92cef8cf0a8e7c63
SHA1 0a45279e2b32ee79361e473dd296a696c80de057
SHA256 2cdc9a10031c1b2fa01c92c55ff1741cc89217ee6f84a149a5bcf84caa370e8d
SHA512 63b3c202ad1f2199689ac0281d3276ae787ebe1bacc5c1afcf458560eb2926ce0e90a8ed43862dafa1f981e45c78377ef014e3baa2c9bbe6ef84d0c165dacd58

memory/1476-230-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ecmkghcl.exe

MD5 d6470938638c95d1cf6511ce58da9a09
SHA1 8e98186abbb60544406c4d039873e47d65f26da9
SHA256 a5a69f4aa345ceeb1857f766aaa901a6e7c073c3102b7106c9f0c41cdf0cc7e6
SHA512 25f56d260c695270eb7e67afcfb15e7499626cd360e239e30cf192107637118a1578a46e1929eeab562d76cbb0870950dbda14991953b8226579ade0177acbc4

memory/2988-241-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ebpkce32.exe

MD5 1f7911225236e2197efa12e70c7bdf5e
SHA1 f35691048397cc1c902d82527202d97c30f1e60a
SHA256 af65ee5091e9deb78f5b97ee40e09f02a5da206f3f693a572dc5ca2e4569fa51
SHA512 4e2bd78358525a631ac57a97066edb9da80ed0642f6e3a5f4354d9070330f9ff87a3680f36c2e613b19a5f9540019a9ddb1dedc2bc2e5443623b46463d75b541

memory/1160-253-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ejgcdb32.exe

MD5 f3b9597f40a6ee62bd7c5287ecd07724
SHA1 0afc5eb1ea4b862aaca63ce05542e255e7210227
SHA256 c681751de87a8b18c70db0a8420dfbb088e210aa60d49c8e8dd66a4e4b95fce1
SHA512 e8fb861504138497660aaac67dad7aa742f7ad4719ea114358524b7e3e1efa325b20fc99563086b68618da498d337000c8074075c36c61df0c2a4842696649b0

memory/2192-258-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1160-257-0x00000000002E0000-0x0000000000319000-memory.dmp

C:\Windows\SysWOW64\Eijcpoac.exe

MD5 b7390154a03ffe916aabb24cf07c089d
SHA1 47e6d47ca1b69db96edb68ead09e5dd77d655ecc
SHA256 96dbcfec943bc9a75b7ecd00b39a37d01fa93819d0fa3a88c36178a7c73b82ab
SHA512 c4e3aeeb90bb653e2b5e19a4aeb2f00609c5d7033ada3dc4c8fa2f9091091e84c4e83a361118b830fa578fbceeca6698f13359cc8ac97e6445ce246f8093e337

memory/2192-267-0x00000000002D0000-0x0000000000309000-memory.dmp

memory/1888-272-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ekholjqg.exe

MD5 cf5574e2e085e9423db0bd42a4e5b1a9
SHA1 f12713e8eb4ed97db06bc6961666b485dc016b34
SHA256 ef8f538c2c952aaa9cfdd25042b7642a7f2265bb764aee2b5f37df8c60e32240
SHA512 b11842f74633b73cb8d06331c2c52e3928e56330f5894b8d0470720c948b8c4d6bde17574897796d68ad3f414fff6920c3c81e6d0b37d79ab83afa8f32143f35

memory/768-279-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1888-278-0x0000000000250000-0x0000000000289000-memory.dmp

memory/1888-277-0x0000000000250000-0x0000000000289000-memory.dmp

C:\Windows\SysWOW64\Efncicpm.exe

MD5 f89d58d2411274a37f8f858f7ff2ebf1
SHA1 b2286aa14b7b0de093d94369859bc74bd1788eaf
SHA256 b48cf3c34bc790607a01e551c59f38faf183f7d243287e0be17bb3057efc4a85
SHA512 773e4e8f7c2915da335d39288e01f8bdad53d9c04282e80dbcf26053d39ed3877118b73e97e1a888f0d85fb1c2ede7a2220063e7f7bd8a8e92083c47fb98668b

memory/768-292-0x00000000002F0000-0x0000000000329000-memory.dmp

memory/960-300-0x0000000000250000-0x0000000000289000-memory.dmp

memory/960-299-0x0000000000250000-0x0000000000289000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 17:56

Reported

2024-05-22 17:58

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Majopeii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nceonl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nqiogp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mnlfigcc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdfofakp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgghhlhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mkbchk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mcnhmm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Majopeii.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdpalp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpkbebbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdfofakp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkbchk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mamleegg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdkhapfj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mkpgck32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njljefql.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncgkcl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndidbn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnlfigcc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjeddggd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndidbn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkpgck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mamleegg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbhkac32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mpkbebbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nqfbaq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnjbke32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncgkcl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nkncdifl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjeddggd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpolqa32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgidml32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkncdifl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdkhapfj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgidml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgghhlhq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnfipekh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nceonl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nqiogp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mnfipekh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdpalp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nqfbaq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnjbke32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mpolqa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mcnhmm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njljefql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnolfdcn.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Mamleegg.exe C:\Windows\SysWOW64\Mjeddggd.exe N/A
File opened for modification C:\Windows\SysWOW64\Mdkhapfj.exe C:\Windows\SysWOW64\Mpolqa32.exe N/A
File created C:\Windows\SysWOW64\Njcqqgjb.dll C:\Windows\SysWOW64\Mpolqa32.exe N/A
File created C:\Windows\SysWOW64\Mkgmcjld.exe C:\Windows\SysWOW64\Mgidml32.exe N/A
File created C:\Windows\SysWOW64\Nqiogp32.exe C:\Windows\SysWOW64\Nnjbke32.exe N/A
File created C:\Windows\SysWOW64\Mpkbebbf.exe C:\Windows\SysWOW64\Mnlfigcc.exe N/A
File opened for modification C:\Windows\SysWOW64\Mdiklqhm.exe C:\Windows\SysWOW64\Majopeii.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgghhlhq.exe C:\Windows\SysWOW64\Mdiklqhm.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndghmo32.exe C:\Windows\SysWOW64\Nbhkac32.exe N/A
File created C:\Windows\SysWOW64\Hnibdpde.dll C:\Windows\SysWOW64\Ndidbn32.exe N/A
File created C:\Windows\SysWOW64\Nnolfdcn.exe C:\Windows\SysWOW64\Nkqpjidj.exe N/A
File created C:\Windows\SysWOW64\Mjeddggd.exe C:\Windows\SysWOW64\Mkbchk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcnhmm32.exe C:\Windows\SysWOW64\Mdkhapfj.exe N/A
File created C:\Windows\SysWOW64\Mgidml32.exe C:\Windows\SysWOW64\Mcnhmm32.exe N/A
File created C:\Windows\SysWOW64\Njljefql.exe C:\Windows\SysWOW64\Mgnnhk32.exe N/A
File created C:\Windows\SysWOW64\Nqfbaq32.exe C:\Windows\SysWOW64\Njljefql.exe N/A
File created C:\Windows\SysWOW64\Ncgkcl32.exe C:\Windows\SysWOW64\Nqiogp32.exe N/A
File created C:\Windows\SysWOW64\Pipfna32.dll C:\Windows\SysWOW64\Nqiogp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nkncdifl.exe C:\Windows\SysWOW64\Ncgkcl32.exe N/A
File created C:\Windows\SysWOW64\Flfmin32.dll C:\Windows\SysWOW64\Mpkbebbf.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkgmcjld.exe C:\Windows\SysWOW64\Mgidml32.exe N/A
File created C:\Windows\SysWOW64\Mgnnhk32.exe C:\Windows\SysWOW64\Mdpalp32.exe N/A
File created C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Nkncdifl.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbhkac32.exe C:\Windows\SysWOW64\Nkncdifl.exe N/A
File created C:\Windows\SysWOW64\Ogpnaafp.dll C:\Windows\SysWOW64\Ndghmo32.exe N/A
File created C:\Windows\SysWOW64\Kmdigkkd.dll C:\Windows\SysWOW64\Mnlfigcc.exe N/A
File created C:\Windows\SysWOW64\Fhpdhp32.dll C:\Windows\SysWOW64\Mnfipekh.exe N/A
File created C:\Windows\SysWOW64\Kcbibebo.dll C:\Windows\SysWOW64\Mgnnhk32.exe N/A
File created C:\Windows\SysWOW64\Dgcifj32.dll C:\Windows\SysWOW64\Mdkhapfj.exe N/A
File created C:\Windows\SysWOW64\Pponmema.dll C:\Windows\SysWOW64\Nnjbke32.exe N/A
File created C:\Windows\SysWOW64\Ipkobd32.dll C:\Windows\SysWOW64\Nkncdifl.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnolfdcn.exe C:\Windows\SysWOW64\Nkqpjidj.exe N/A
File created C:\Windows\SysWOW64\Ockcknah.dll C:\Windows\SysWOW64\Majopeii.exe N/A
File created C:\Windows\SysWOW64\Mkbchk32.exe C:\Windows\SysWOW64\Mgghhlhq.exe N/A
File opened for modification C:\Windows\SysWOW64\Mpolqa32.exe C:\Windows\SysWOW64\Mamleegg.exe N/A
File created C:\Windows\SysWOW64\Npckna32.dll C:\Windows\SysWOW64\Njljefql.exe N/A
File created C:\Windows\SysWOW64\Mlhblb32.dll C:\Windows\SysWOW64\Nceonl32.exe N/A
File created C:\Windows\SysWOW64\Nnjbke32.exe C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nnolfdcn.exe N/A
File created C:\Windows\SysWOW64\Agbnmibj.dll C:\Windows\SysWOW64\Mdiklqhm.exe N/A
File created C:\Windows\SysWOW64\Odegmceb.dll C:\Windows\SysWOW64\Mamleegg.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgnnhk32.exe C:\Windows\SysWOW64\Mdpalp32.exe N/A
File created C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Ndidbn32.exe N/A
File created C:\Windows\SysWOW64\Mdiklqhm.exe C:\Windows\SysWOW64\Majopeii.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkbchk32.exe C:\Windows\SysWOW64\Mgghhlhq.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjeddggd.exe C:\Windows\SysWOW64\Mkbchk32.exe N/A
File created C:\Windows\SysWOW64\Hnfmbf32.dll C:\Windows\SysWOW64\Mdpalp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncgkcl32.exe C:\Windows\SysWOW64\Nqiogp32.exe N/A
File created C:\Windows\SysWOW64\Bdknoa32.dll C:\Windows\SysWOW64\Nbhkac32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mpkbebbf.exe C:\Windows\SysWOW64\Mnlfigcc.exe N/A
File created C:\Windows\SysWOW64\Majopeii.exe C:\Windows\SysWOW64\Mkpgck32.exe N/A
File created C:\Windows\SysWOW64\Mnfipekh.exe C:\Windows\SysWOW64\Mkgmcjld.exe N/A
File created C:\Windows\SysWOW64\Ngpjnkpf.exe C:\Windows\SysWOW64\Nceonl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mnlfigcc.exe C:\Users\Admin\AppData\Local\Temp\31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe N/A
File created C:\Windows\SysWOW64\Mpolqa32.exe C:\Windows\SysWOW64\Mamleegg.exe N/A
File opened for modification C:\Windows\SysWOW64\Mnfipekh.exe C:\Windows\SysWOW64\Mkgmcjld.exe N/A
File opened for modification C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Ndidbn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkpgck32.exe C:\Windows\SysWOW64\Mdfofakp.exe N/A
File created C:\Windows\SysWOW64\Gqffnmfa.dll C:\Windows\SysWOW64\Mgghhlhq.exe N/A
File created C:\Windows\SysWOW64\Nkncdifl.exe C:\Windows\SysWOW64\Ncgkcl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngpjnkpf.exe C:\Windows\SysWOW64\Nceonl32.exe N/A
File created C:\Windows\SysWOW64\Kmalco32.dll C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgidml32.exe C:\Windows\SysWOW64\Mcnhmm32.exe N/A
File created C:\Windows\SysWOW64\Ekipni32.dll C:\Windows\SysWOW64\Mgidml32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mnfipekh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nceonl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll" C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjeddggd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mcnhmm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll" C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mgghhlhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nceonl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll" C:\Windows\SysWOW64\Njljefql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll" C:\Windows\SysWOW64\Mpolqa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mgidml32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll" C:\Windows\SysWOW64\Mnfipekh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mpkbebbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Majopeii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll" C:\Windows\SysWOW64\Mjeddggd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mdpalp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll" C:\Windows\SysWOW64\Mkpgck32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbhkac32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mamleegg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mdkhapfj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngpjnkpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll" C:\Windows\SysWOW64\Ncgkcl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mkbchk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll" C:\Windows\SysWOW64\Mkbchk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll" C:\Windows\SysWOW64\Nkncdifl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nkqpjidj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mpkbebbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mpolqa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mdkhapfj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mcnhmm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgidml32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Majopeii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mamleegg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mkgmcjld.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nkncdifl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll" C:\Windows\SysWOW64\Nnolfdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnjbke32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll" C:\Windows\SysWOW64\Nqiogp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mkbchk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll" C:\Windows\SysWOW64\Nceonl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Njljefql.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nkncdifl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ndghmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mdfofakp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mjeddggd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndidbn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgghhlhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll" C:\Windows\SysWOW64\Nqfbaq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nqiogp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ndidbn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nqfbaq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ncgkcl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nbhkac32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mkpgck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll" C:\Windows\SysWOW64\Mkgmcjld.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2840 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe C:\Windows\SysWOW64\Mnlfigcc.exe
PID 1812 wrote to memory of 724 N/A C:\Windows\SysWOW64\Mnlfigcc.exe C:\Windows\SysWOW64\Mpkbebbf.exe
PID 724 wrote to memory of 4592 N/A C:\Windows\SysWOW64\Mpkbebbf.exe C:\Windows\SysWOW64\Mdfofakp.exe
PID 4592 wrote to memory of 2308 N/A C:\Windows\SysWOW64\Mdfofakp.exe C:\Windows\SysWOW64\Mkpgck32.exe
PID 2308 wrote to memory of 3924 N/A C:\Windows\SysWOW64\Mkpgck32.exe C:\Windows\SysWOW64\Majopeii.exe
PID 3924 wrote to memory of 2892 N/A C:\Windows\SysWOW64\Majopeii.exe C:\Windows\SysWOW64\Mdiklqhm.exe
PID 2892 wrote to memory of 3776 N/A C:\Windows\SysWOW64\Mdiklqhm.exe C:\Windows\SysWOW64\Mgghhlhq.exe
PID 3776 wrote to memory of 1484 N/A C:\Windows\SysWOW64\Mgghhlhq.exe C:\Windows\SysWOW64\Mkbchk32.exe
PID 1484 wrote to memory of 2428 N/A C:\Windows\SysWOW64\Mkbchk32.exe C:\Windows\SysWOW64\Mjeddggd.exe
PID 2428 wrote to memory of 852 N/A C:\Windows\SysWOW64\Mjeddggd.exe C:\Windows\SysWOW64\Mamleegg.exe
PID 852 wrote to memory of 1572 N/A C:\Windows\SysWOW64\Mamleegg.exe C:\Windows\SysWOW64\Mpolqa32.exe
PID 1572 wrote to memory of 1344 N/A C:\Windows\SysWOW64\Mpolqa32.exe C:\Windows\SysWOW64\Mdkhapfj.exe
PID 1344 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Mdkhapfj.exe C:\Windows\SysWOW64\Mcnhmm32.exe
PID 2568 wrote to memory of 4140 N/A C:\Windows\SysWOW64\Mcnhmm32.exe C:\Windows\SysWOW64\Mgidml32.exe
PID 4140 wrote to memory of 3432 N/A C:\Windows\SysWOW64\Mgidml32.exe C:\Windows\SysWOW64\Mkgmcjld.exe
PID 3432 wrote to memory of 4872 N/A C:\Windows\SysWOW64\Mkgmcjld.exe C:\Windows\SysWOW64\Mnfipekh.exe
PID 4872 wrote to memory of 3712 N/A C:\Windows\SysWOW64\Mnfipekh.exe C:\Windows\SysWOW64\Mdpalp32.exe
PID 3712 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Mdpalp32.exe C:\Windows\SysWOW64\Mgnnhk32.exe
PID 2020 wrote to memory of 3116 N/A C:\Windows\SysWOW64\Mgnnhk32.exe C:\Windows\SysWOW64\Njljefql.exe
PID 3116 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Njljefql.exe C:\Windows\SysWOW64\Nqfbaq32.exe
PID 2304 wrote to memory of 512 N/A C:\Windows\SysWOW64\Nqfbaq32.exe C:\Windows\SysWOW64\Nceonl32.exe
PID 512 wrote to memory of 3088 N/A C:\Windows\SysWOW64\Nceonl32.exe C:\Windows\SysWOW64\Ngpjnkpf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe

"C:\Users\Admin\AppData\Local\Temp\31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe"

C:\Windows\SysWOW64\Mnlfigcc.exe

C:\Windows\system32\Mnlfigcc.exe

C:\Windows\SysWOW64\Mpkbebbf.exe

C:\Windows\system32\Mpkbebbf.exe

C:\Windows\SysWOW64\Mdfofakp.exe

C:\Windows\system32\Mdfofakp.exe

C:\Windows\SysWOW64\Mkpgck32.exe

C:\Windows\system32\Mkpgck32.exe

C:\Windows\SysWOW64\Majopeii.exe

C:\Windows\system32\Majopeii.exe

C:\Windows\SysWOW64\Mdiklqhm.exe

C:\Windows\system32\Mdiklqhm.exe

C:\Windows\SysWOW64\Mgghhlhq.exe

C:\Windows\system32\Mgghhlhq.exe

C:\Windows\SysWOW64\Mkbchk32.exe

C:\Windows\system32\Mkbchk32.exe

C:\Windows\SysWOW64\Mjeddggd.exe

C:\Windows\system32\Mjeddggd.exe

C:\Windows\SysWOW64\Mamleegg.exe

C:\Windows\system32\Mamleegg.exe

C:\Windows\SysWOW64\Mpolqa32.exe

C:\Windows\system32\Mpolqa32.exe

C:\Windows\SysWOW64\Mdkhapfj.exe

C:\Windows\system32\Mdkhapfj.exe

C:\Windows\SysWOW64\Mcnhmm32.exe

C:\Windows\system32\Mcnhmm32.exe

C:\Windows\SysWOW64\Mgidml32.exe

C:\Windows\system32\Mgidml32.exe

C:\Windows\SysWOW64\Mkgmcjld.exe

C:\Windows\system32\Mkgmcjld.exe

C:\Windows\SysWOW64\Mnfipekh.exe

C:\Windows\system32\Mnfipekh.exe

C:\Windows\SysWOW64\Mdpalp32.exe

C:\Windows\system32\Mdpalp32.exe

C:\Windows\SysWOW64\Mgnnhk32.exe

C:\Windows\system32\Mgnnhk32.exe

C:\Windows\SysWOW64\Njljefql.exe

C:\Windows\system32\Njljefql.exe

C:\Windows\SysWOW64\Nqfbaq32.exe

C:\Windows\system32\Nqfbaq32.exe

C:\Windows\SysWOW64\Nceonl32.exe

C:\Windows\system32\Nceonl32.exe

C:\Windows\SysWOW64\Ngpjnkpf.exe

C:\Windows\system32\Ngpjnkpf.exe

C:\Windows\SysWOW64\Nnjbke32.exe

C:\Windows\system32\Nnjbke32.exe

C:\Windows\SysWOW64\Nqiogp32.exe

C:\Windows\system32\Nqiogp32.exe

C:\Windows\SysWOW64\Ncgkcl32.exe

C:\Windows\system32\Ncgkcl32.exe

C:\Windows\SysWOW64\Nkncdifl.exe

C:\Windows\system32\Nkncdifl.exe

C:\Windows\SysWOW64\Nbhkac32.exe

C:\Windows\system32\Nbhkac32.exe

C:\Windows\SysWOW64\Ndghmo32.exe

C:\Windows\system32\Ndghmo32.exe

C:\Windows\SysWOW64\Nkqpjidj.exe

C:\Windows\system32\Nkqpjidj.exe

C:\Windows\SysWOW64\Nnolfdcn.exe

C:\Windows\system32\Nnolfdcn.exe

C:\Windows\SysWOW64\Ndidbn32.exe

C:\Windows\system32\Ndidbn32.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4664 -ip 4664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/2840-0-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2840-5-0x0000000000431000-0x0000000000432000-memory.dmp

memory/1812-9-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mpkbebbf.exe

MD5 2c423eb6667931c223e215e03c3f34ee
SHA1 64e319dd872c138f9a965c61c2b60b9abb2f3bf7
SHA256 6310bd3090d287f211c38838e897ab407797227c48c7b84e6c3163de1b2e0fb6
SHA512 c1a3a807af385cf475c415307eec1d4d32e71ae456e8e14071fb1a00455b661c313f3ce2511c2b6d3933d1dd63e8237e6c6fdad7e099fe0bbb188f52f81a6be3

C:\Windows\SysWOW64\Mdfofakp.exe

MD5 a30d38a55ff1d214891477eba8c4c9f6
SHA1 d4ea8c9c43acc037a435fe9f14f361186a1f0c83
SHA256 17adae4e999d5a41ea85f3e90665db2119bdd565d45c515b26585a5dd77147f5
SHA512 bd518e9b88e8b2b5d0da95e1fbef4e57dba31edd3e962207e8a0f79cc8db694bffc48256cc7862c5367d93c56cba57f67cffd3cb6a0eb8f45956be0dcb515c06

memory/4592-30-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mkpgck32.exe

MD5 6932709089231ae9fd41ca4c2602e32a
SHA1 8fee31dab033ad073e6ad6f9360cbd2555ae1230
SHA256 ce2c4bf668d31e52d5319255e7245e865820f3d907e7fbf972b22bc52230d60f
SHA512 cb4d63f61d6b6ab4d34d9d63a8389c10f26500c8ad65604b55d30d98d20d13c1cfd0ef88aded06848227fadcf9cd6e9e81468484e17fe83dcd6604bd32cb1ee8

memory/724-22-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mnlfigcc.exe

MD5 7417171cf5268021a9175eb2324b4f61
SHA1 70d37c4d67387e4c7bbfd6db583162a0404d1379
SHA256 bbd939d4651252db3f515cfcf260a16246531cf76bb99f2be10d990f6617cf93
SHA512 afaf3f6e3880fa1988ae5abe9052c54e82fc9f9ef5022acac2a30174ac84dff7c6b23028de3950c4afd26a41128a019cfdcb1ff650360c63b2cdaaefbb2ef381

C:\Windows\SysWOW64\Majopeii.exe

MD5 ece2d0fbb5a9bd6b4c95e123b548c4f0
SHA1 4eb27843dfad7945afa4f6befa425f338df56ace
SHA256 0d9f7ed3df87dd8fbcf0be4a72ae536b8b22c4c353df7a563a40d98cf6e6c67f
SHA512 03e079d12be2e334f4a632f86078cbefc07816945eeb8aefcd3bea3f3c8d9905f737bc8cd66c926edc5c51087eb7a46415f37383a832703b56d887d4e9ebb3bb

memory/2308-38-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3924-46-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mdiklqhm.exe

MD5 53660c558b106f508145b3ec7c786b67
SHA1 c9a785a2ce42a77b9c56b2aa7a2b2ee98470bc61
SHA256 6c1db608fe8b9052bb455c25f287da974c1013ced189861edac7d7794f68771b
SHA512 5f68bce2d07cd3527e86aedfaa5839f095063bd74cd6e5ebe7a46c6f864ca95d47ab986d84ff95c316a2b78392d986d4f8612cb5d2d891eb911457d2a11f87f9

memory/2892-53-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mkbchk32.exe

MD5 93c973a1e5be834ecb3ad37aa6cc6bac
SHA1 bd31571bb255b3a91574f6a249d10a1bb089453f
SHA256 e9ba4a6aae66453a051bfce5a700125154008172a2a936be8866ca75721532ff
SHA512 3284099cb9a5e7d476313d923998444140ccdde9df304eb8994968375927acbffe6f92da9783c93d096b0c7c9bdb4a4ef689e10842825373b4a543fbc42c6198

memory/1484-69-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mamleegg.exe

MD5 c52fd2b5cb6331d40dcda6eae2ccd4c5
SHA1 2afca2129e2c7ff3877f258369926e67def542b2
SHA256 638894f446ac0c1de795f7d8f412daa4fa340b419b421309bd3cb6fd7d487f4c
SHA512 ef5786702a2d5d33d3267450717563dde573b56bf7daa701eb6a5457b0cbe5f61552c56bbaf15091a4c6e3af589b438416c5335fe5f8cd13b5de37caf9449974

C:\Windows\SysWOW64\Mpolqa32.exe

MD5 e4434032eea8b0fd9c44d36c831c07b6
SHA1 dc4fc6dfbea43a30e5a9bce65e7fc63c7a2432e2
SHA256 8703f3e26232d61e286c40a172ef51d4efd3c4a19913f078a1c5ab2923fce2d2
SHA512 aaf91a379717d1826bba305e7813a4795cbdbfc10df849ff089fa29c67762efe68bb4e5f7c9eb8f6bf9090579a9c44c04e51064d9a53e303ab609d9e5528fce0

C:\Windows\SysWOW64\Mcnhmm32.exe

MD5 8170b32d62f3867abf8731838ccd857f
SHA1 cdc09e31d9565144c91d559996a41219727adbe5
SHA256 abc754ff6c66a14b05803de392a183a9c73c029caa44a990a063fb2a7bc76e0d
SHA512 bdabca13515415447d4724d66c8c3931913156f8fd4215632b1e52a20ad015a6abc9f4241709df700a7db971e0830df3a9e4a7efaeb69fc30187852f03f02792

C:\Windows\SysWOW64\Mgidml32.exe

MD5 1232c52171aab59df7dbb3e4da19bd4e
SHA1 a447fd1cb4556c72f87887c1ea127353930b299b
SHA256 63d1888eaa93330ab7036a9d2d97b3518251a1666532d0b89c25225ff91b1692
SHA512 d3977bae9f9e62c65e1f70df3255f0b02c1eb742681424053bb1774ec5266a4ec0d6d6e5e08cfff042b39be6751b6d10839424af07ed0447f405aa53a616ef80

memory/4140-113-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2568-112-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1344-111-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1572-110-0x0000000000400000-0x0000000000439000-memory.dmp

memory/852-109-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2428-108-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mdkhapfj.exe

MD5 d46bdf13f1c9cc64d65f2ebb5762e5a4
SHA1 7e638662d42cec94b6f6cfee48e1ecb963c5ce8b
SHA256 03fa3a253dced923c8543a84cc08ade1e5b5ff0ff6af4b8f371905b3d5f413c3
SHA512 be5f78a7dc85ab95699093e49f3f5fcbd26b9bd09b2e0da4f977f10b227e26491813420341346523da6b86187221750d23c24fdc6f89ca3b3a7c9c763742df3e

C:\Windows\SysWOW64\Mjeddggd.exe

MD5 345e43b72ad0d4c3b8f82ad39f93b456
SHA1 cac41eda31ed379fd505773dd4137887b4f27615
SHA256 bdc64fa3de0ece0aa748a07dfbef97566e5cb1c99be7c2df76b3da72fe534ab1
SHA512 a9cdb68de83f8189b8d3303aee1114e3ce9db901a136172bbff4c7321ea4b0f92f73e785c259566a8626ed8fb5df7cfda8d3369c5b15bc2287514876d83d50a3

memory/3776-61-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mgghhlhq.exe

MD5 0496f672ea3e8d9f0bd84de554bf3d90
SHA1 6926fb7dd747c77ecf50365b2acd4f0536daf031
SHA256 5a9c36d2470499bc4e62edd0ddecba7e2b119fc66577b58bfe177654de401e69
SHA512 01184875032cd2a5ecdd2a11b03726f85fe5faf1dcddf86d483d5d072f86e77e82923f3008e0a1e11ed1d935ff34ec787a838c73ae3be278ae0d8fc725efaba6

C:\Windows\SysWOW64\Mkgmcjld.exe

MD5 3d4b200185ef064bae107d8040a89d87
SHA1 74d425410172423fadbb586f5b2d094517571b5a
SHA256 032e7a546bdcca9b9212dbb97a9e2cd1cd4cd1947e85dd0ef1a93201665e5161
SHA512 0d4d5e5f448652ba153a97688c2f1018f9ccb73b1d1de91744e9925a556a9885d7f7c7392d8c20f307dd4cc0ab921f6869fef7002568e30ea46c8225889ab72c

memory/3432-121-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mnfipekh.exe

MD5 269cdf5440e6b8fea8b06763356d8b33
SHA1 6f09f8dbf9542ec6e0965e95468a4b3959a3290e
SHA256 e7672d57d0c420ba2e7477596bc8bfc65d2d7a8f7c42c2ea6ac6e5a481b287e7
SHA512 3d7732118cc6cf7ca88ed42046a08ad4648501a92313cd38fc312cda8bc43919ea950cda314799f29c2100e7fd4be5d74a72d29edd862c8294d3ce550cc2097e

memory/4872-128-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mdpalp32.exe

MD5 d8124c2d16383fa3386bf5882dd8553a
SHA1 82256c41b8a23f8c585d680ffe64d9d3631edbaf
SHA256 9ca7ff83060fc759f232e0e69fecdd6f59531000bc8b2c6fba72f1e69e5bec2d
SHA512 120f422b42c3d477605d438f4fd70732ac6715097d79d591cb8eb8253c2bd15047afccd239a82d7cf77ed85df45b5231621ae672d2330c99f3f88b43c298da89

memory/3712-137-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mgnnhk32.exe

MD5 aa4e3ad3bb252ce83a3981e04a709173
SHA1 f8dcfc77bfaf4ba770f0c056f65461292111b10c
SHA256 113f676730702cc5ada8565417a026751fb7bdad398cad13579c8a600300b143
SHA512 127abfdafb2e430eb872809eaeb1bd5340a87b87e473b287cc52b1de2e20ad5d1893151e8c93fe1312fc9833ef71c1110bdde9f33b57301403ce57e8f9d653b9

memory/2020-145-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Njljefql.exe

MD5 0a4c9759ee0a5c6855474937947f27fd
SHA1 e2cdfedd844af0e8c51fd489d615b323041e5eaa
SHA256 58c0ce99a81962ad846f7a42b2943ade0fb799d4c54a5bcb0bc703b918a918cc
SHA512 8a0c751d297cf7e799b1b583882bba6a405e2477d862992fa87d1a8cf3e6a8a0db34c427f662e40bb9336eb8715ed9b53f1f410b1a5ad94cc94f0b8e3795f87c

memory/3116-153-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nqfbaq32.exe

MD5 e0626116b79569b49c739d26dc97f78f
SHA1 b7e2494a865ea6c87afd7bdf8ebe68f3e668693a
SHA256 384e84f7a00deb5d908b18c924843dca2400f2437351d030b4e19c4c544765ae
SHA512 f06acbc5382c7cdb2d6a004e5ad4dbb430dd79017520660cadfe5f359afcc07f12effbb569aa0fcdfeee0f7644b7ce9099ce4ea849201bf90847e212a1f7d64e

memory/2304-160-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nceonl32.exe

MD5 9141ef50de28ab2b83cd4711d6084116
SHA1 0968340b334f2853642fb8e2a000135b3aa59e85
SHA256 8e84433ff16131ff3697a245243566671341b57ebbc2ecd0966cfe9647102e09
SHA512 32872cb2e1936d732c26eab0645c8f2b64f61faf2c54d96f77dd282f18c972476914dff0f74e97561e99c7faf428beeda373b999423f2e2d9f8765c36ada3e2a

memory/512-173-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ngpjnkpf.exe

MD5 df717a4b54940db6684f1261010fddc4
SHA1 1ec4f83cc63bb93929c59f3613e3649617409e92
SHA256 fa3d13e1082d3a36626b31f29a57b347dbd93946a5b05eed78598952028df984
SHA512 b889fcb9ac1b99aee533c55709f39daf3ada52249ca3727be5522d4c273f574a3e39a54683e1040456526c737f6d55143848299f0a8ff303215ef1d9af7d88b7

memory/3088-177-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nnjbke32.exe

MD5 19d48691f3ebfc14f64e58a47527a04a
SHA1 01056202adff13f4516a3c8e67c27a184693f088
SHA256 af2a0551612552fbd5e3045095f3a5d3e9656af97b5517b4877a1a58fa51ce24
SHA512 ad0468d58f6898f972368cfb71b8c5302aced95d9d10bd644aedeaef3ce4d9c6b698e25539d12b314f0c2d592986bd828334f42e75fc5b2af4d31f3bd993a498

memory/4956-184-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nqiogp32.exe

MD5 2025f0cf255d18f0c3a509e0be1a946d
SHA1 cbe3fd8aeda768e44ac44c4de66fc10d14a2a9dc
SHA256 453bfd8b0faae88007cb6852eb94f7ddd0e383cfdb14b12a6cabe9ec03afe109
SHA512 86fc8894d61853d4ab733d87a94bdf0ccb20b17ad578ef62f96c3df2bcea9349787585d9bdd76ae956d06999da9609da83129b5fe8039787477814a78a656875

memory/5104-193-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ncgkcl32.exe

MD5 b1de26c166f2eddb0952663f312bfb53
SHA1 15742857d4a79858cb493856e61c77776da561e1
SHA256 b22c7df6a3bc9bff4b50195ac10d3816416248496894f5a4be13d5ff69f51359
SHA512 7fa0bf9128266eea97fdec7bdbf1d83ce5dad558ed2a08a8f0e52df93fa84f604c3fa64135120da70b56f4721aab90a339ebcf23f9159ee5232e7d5e2f26a6d1

memory/3320-201-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nkncdifl.exe

MD5 34e95bdf261f9bc5b750dcc7c0f7a1ef
SHA1 d25b6495a02d68d03dee07381ba06d111cfda77b
SHA256 858fe7978151c2cb6e938bea22e56bd7f322847253756317d74915074ecb7ba1
SHA512 dc6dbce1885ae5a50bcca82eb32669262941177f75dc4fac90f659c5e2a6f74c2c2017421233e1c15dcec872c84bea5a7cc1e3aac867d0427d9248f2fcc661e3

memory/5056-209-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nbhkac32.exe

MD5 5c3bb0f7f4d044a53000934578adaccf
SHA1 b1cbe509de6cff8bc55493dedf4655c46ea98fe8
SHA256 a8282f01e54254791a101202c3e58cbcfbeacc42a35224ef052cfc9b048def7c
SHA512 d76cf7103e00d84cb4ea25241ba49b65ad2262facc6160de34b0e49be82e9932020b4bccf1dda50728c23fb0ac1349082ea6bc24dd9a0167bc1f200443b014b3

memory/2320-217-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ndghmo32.exe

MD5 1c675167ad4cd4511b0bded8eab985a2
SHA1 fe6409f4af0353e3c62cfde92fef1b6c710b06cc
SHA256 add97ecb5b96b4d36008baf571915e6f16452171ba3ad887274a5839ce19f6a1
SHA512 c6aff0f6e9cd73b0e7b593bef65f9d31386c037bef4e87cd24c2021a70f541595b50d764105a3d49cf7cf66aeb6fc65b1556e1c50cd0acec9bf08c4827eb4777

memory/2432-225-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nkqpjidj.exe

MD5 1ea5192707504d81ab2658a47c8ecca0
SHA1 9e92cb837263059710315e9e63b5f5411a864dfc
SHA256 c737e2826bb3fd3766921a8a1f525b0cbe976d56b75f9c0aa2f22fd8816c237b
SHA512 a9808c6989cd3bb406bc4ed038827f10f3313cab85ff540edf9cc7400bae8b210c93d6161add2cae694fd9b4f6939ff33e33200d30df32a23a6554166d4454d3

memory/4796-237-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nnolfdcn.exe

MD5 75a02dd4c89082bcd52d48ddbc8a5733
SHA1 ceb9928dc3ba0337a9eaf4ebbbe81c6862d138b9
SHA256 2925c870ce92d828ec659bab02abda0493adaf352a34a7590d6608fb8bcb50b5
SHA512 e0e53a0906b25772ba70a94548dccfc7736625a8c64c9542ccbdba56b3178502842fd0d567ba555ad920557b3fcff5f4cd41a8b38c5f4984fd88847c78c4751e

memory/1716-241-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Ndidbn32.exe

MD5 08224233ad6e43a818140e5164c8dced
SHA1 2dc3e80c4c75ace2aad14625af4d5663427d89c1
SHA256 5535775c4171a8df69aa362257a3d044fc8ca508f23531849e31bb148892d1df
SHA512 3cebedd2b0b38a4bc62af8d284964a8e111d977c3ab470d54fd3164d4c160fcba50a083bd4d407b55f09240a448501b0f7510cb0bb52930c5b635eeeb33dbd5e

memory/4352-249-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Nkcmohbg.exe

MD5 13d080b44e1d565603dbaa0aa7ba0fe0
SHA1 a5f9fcff787e7c6e0fd9a93fbf720cd84c4970b0
SHA256 13116936edf13c99dc4a371abe9b9ffa2b30cc243249193d9b9bd13fb0af890b
SHA512 42f0787b7a7ead09e0a8093aedfd8499821d9e7ede9e16c83d0b23bff70f6a65018e18c145f53bc1717ba26a03f148d830ae5052bfbc9f152ead82949f04d4d1

memory/4664-256-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4664-258-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4796-261-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5104-277-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3320-278-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4956-276-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3088-275-0x0000000000400000-0x0000000000439000-memory.dmp

memory/512-274-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2304-273-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3116-272-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2020-271-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3712-270-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4872-269-0x0000000000400000-0x0000000000439000-memory.dmp

memory/3432-268-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4140-267-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2840-265-0x0000000000400000-0x0000000000439000-memory.dmp

memory/5056-264-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1812-266-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2320-263-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2432-262-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1716-260-0x0000000000400000-0x0000000000439000-memory.dmp

memory/4352-259-0x0000000000400000-0x0000000000439000-memory.dmp
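Two things in the tables above are worth turning into tooling rather than reading by eye: the WriteProcessMemory rows record the same parent/child pair three times per spawn, so the real drop-and-execute chain (each dropped EXE in SysWOW64 starts the next one) is shorter than the table suggests, and every dropped PE in the Files section has a different hash, so the per-file hashes only identify this exact detonation, not the family. The script below is an added example, not code from the sandbox or from this report: it parses rows copied verbatim from the two tables, collapses the repeated events into the ordered spawn chain, collects the SHA-256 values of the dropped files, and hashes a directory against them. The Network table lists only bing.com/bing.net connections and reverse-DNS lookups, which the report does not tie to any of the dropped processes, so the example keys on process and file artifacts rather than on network indicators. The `C:\Windows\system32\...` command lines beside the `C:\Windows\SysWOW64\...` file paths in the Processes list are consistent with WoW64 file-system redirection of a 32-bit process; the hunting function therefore walks whatever directory it is given rather than assuming either path.

```python
"""Rebuild the Berbew spawn chain and dropped-file IOCs from the report above.
Added example; not part of the original sandbox report."""
import hashlib
import re
from pathlib import Path, PureWindowsPath

# Rows copied from the "Suspicious use of WriteProcessMemory" table above.
# The sandbox logs several WriteProcessMemory events per child, so the same
# parent/child pair repeats; parse_wpm() collapses the repeats.
WPM_ROWS = r"""
PID 2020 wrote to memory of 3116 N/A C:\Windows\SysWOW64\Mgnnhk32.exe C:\Windows\SysWOW64\Njljefql.exe
PID 3116 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Njljefql.exe C:\Windows\SysWOW64\Nqfbaq32.exe
PID 3116 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Njljefql.exe C:\Windows\SysWOW64\Nqfbaq32.exe
PID 3116 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Njljefql.exe C:\Windows\SysWOW64\Nqfbaq32.exe
PID 2304 wrote to memory of 512 N/A C:\Windows\SysWOW64\Nqfbaq32.exe C:\Windows\SysWOW64\Nceonl32.exe
PID 512 wrote to memory of 3088 N/A C:\Windows\SysWOW64\Nceonl32.exe C:\Windows\SysWOW64\Ngpjnkpf.exe
"""

# Entries copied from the "Files" section above (two of the dropped PEs plus
# one memory-dump line, to show that dump entries are skipped).
FILE_ENTRIES = r"""
C:\Windows\SysWOW64\Mpkbebbf.exe

MD5 2c423eb6667931c223e215e03c3f34ee
SHA1 64e319dd872c138f9a965c61c2b60b9abb2f3bf7
SHA256 6310bd3090d287f211c38838e897ab407797227c48c7b84e6c3163de1b2e0fb6
SHA512 c1a3a807af385cf475c415307eec1d4d32e71ae456e8e14071fb1a00455b661c313f3ce2511c2b6d3933d1dd63e8237e6c6fdad7e099fe0bbb188f52f81a6be3

memory/4592-30-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Windows\SysWOW64\Mdfofakp.exe

MD5 a30d38a55ff1d214891477eba8c4c9f6
SHA1 d4ea8c9c43acc037a435fe9f14f361186a1f0c83
SHA256 17adae4e999d5a41ea85f3e90665db2119bdd565d45c515b26585a5dd77147f5
SHA512 bd518e9b88e8b2b5d0da95e1fbef4e57dba31edd3e962207e8a0f79cc8db694bffc48256cc7862c5367d93c56cba57f67cffd3cb6a0eb8f45956be0dcb515c06
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_wpm(text):
    """Return unique (parent_pid, child_pid, parent_image, child_image) rows."""
    seen, rows = set(), []
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        row = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if row not in seen:
            seen.add(row)
            rows.append(row)
    return rows


def build_chain(rows):
    """Follow parent -> child PIDs from the single root to rebuild the spawn chain.

    Returns the image file names in execution order. PureWindowsPath is used so
    the backslash paths split correctly even when this runs on a non-Windows host."""
    by_parent = {r[0]: r for r in rows}
    children = {r[1] for r in rows}
    roots = [r for r in rows if r[0] not in children]
    if len(roots) != 1:
        raise ValueError("expected exactly one root process, got %d" % len(roots))
    chain = [PureWindowsPath(roots[0][2]).name]
    pid = roots[0][0]
    while pid in by_parent:
        _, child_pid, _, child_image = by_parent[pid]
        chain.append(PureWindowsPath(child_image).name)
        pid = child_pid
    return chain


def parse_dropped(text):
    """Map each dropped file path to its hashes; memory/... dump lines are skipped."""
    iocs, current = {}, None
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("memory/"):
            current = None
        elif line.lower().startswith("c:\\"):
            current = line
            iocs[current] = {}
        elif current is not None:
            m = HASH_RE.match(line)
            if m:
                iocs[current][m.group(1).lower()] = m.group(2)
    return iocs


def sha256_iocs(iocs):
    """Collect the SHA-256 values from parse_dropped() output."""
    return {h["sha256"] for h in iocs.values() if "sha256" in h}


def hunt(root, sha256_set):
    """Hash every file under root and return the paths whose SHA-256 is listed.

    Exact-hash matching only finds files from this detonation; the dropped PEs
    in the report all differ, so treat a hit as confirmation, not as coverage."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            if hashlib.sha256(p.read_bytes()).hexdigest() in sha256_set:
                hits.append(str(p))
    return sorted(hits)


if __name__ == "__main__":
    print(" -> ".join(build_chain(parse_wpm(WPM_ROWS))))
    for path, hashes in parse_dropped(FILE_ENTRIES).items():
        print(path, hashes["sha256"])
```

Run it as-is to print the reconstructed chain and the two SHA-256 IOCs; point `hunt()` at a mounted system volume (for example the `Windows\SysWOW64` directory of a suspect image) with `sha256_iocs(parse_dropped(...))` after pasting the full Files section into `FILE_ENTRIES`.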