Malware Analysis Report

2024-10-16 04:41

Sample ID 240602-lqfb1sac58
Target virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.vir
SHA256 1b2848437d3bdad1f3642a1eb59d79718274400e011ccc15fb3662ae75c3711b
Tags: backdoor trojan dropper berbew persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 1b2848437d3bdad1f3642a1eb59d79718274400e011ccc15fb3662ae75c3711b

Threat Level: Known bad

The file virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.vir was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew family

Malware Dropper & Backdoor - Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-02 09:44

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
(1 match; no per-match indicator details recorded)

Unsigned PE

Description Indicator Process Target
(1 match; no per-match indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-02 09:43
Reported: 2024-06-02 09:46
Platform: win7-20240221-en
Max time kernel: 144s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chcqpmep.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffnphf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmlapp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gphmeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddeaalpg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcifgjgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Claifkkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ekholjqg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gmjaic32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hicodd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ioijbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddcdkl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmhheqje.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gobgcg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkkalk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjbmjplb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fejgko32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgbebiao.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejgcdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Epfhbign.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fckjalhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fejgko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gpknlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Chcqpmep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Epaogi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ekholjqg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecpgmhai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eiomkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gaqcoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hnagjbdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hhmepp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dmoipopd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Icbimi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ecpgmhai.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffpmnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Goddhg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Emcbkn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Flabbihl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmjaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dnilobkm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Henidd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Emcbkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gacpdbej.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Goddhg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmoipopd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dcknbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hicodd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Claifkkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fckjalhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ffpmnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fmlapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hpkjko32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hejoiedd.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
(64 matches; no per-match indicator details recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ccfhhffh.exe N/A
N/A N/A C:\Windows\SysWOW64\Chcqpmep.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpjiajeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjbmjplb.exe N/A
N/A N/A C:\Windows\SysWOW64\Claifkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Dngoibmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnilobkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddcdkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmoipopd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmafennb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcknbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfijnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epaogi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekholjqg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecpgmhai.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eloemi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Fckjalhj.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Faokjpfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Fejgko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffnphf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmhheqje.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpfdalii.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffpmnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjlhneio.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmlapp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpknlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfefiemq.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaqcoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gelppaof.exe N/A
N/A N/A C:\Windows\SysWOW64\Glfhll32.exe N/A
N/A N/A C:\Windows\SysWOW64\Goddhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gacpdbej.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkkemh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmjaic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gphmeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgbebiao.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiqbndpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpkjko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcifgjgc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgdbhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hicodd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpmgqnfl.exe N/A
N/A N/A C:\Windows\SysWOW64\Hckcmjep.exe N/A
N/A N/A C:\Windows\SysWOW64\Hejoiedd.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnagjbdf.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcnpbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hellne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlfdkoin.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcplhi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Henidd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hhmepp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkkalk32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccfhhffh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccfhhffh.exe N/A
N/A N/A C:\Windows\SysWOW64\Chcqpmep.exe N/A
N/A N/A C:\Windows\SysWOW64\Chcqpmep.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpjiajeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpjiajeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjbmjplb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjbmjplb.exe N/A
N/A N/A C:\Windows\SysWOW64\Claifkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Claifkkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Dngoibmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dngoibmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgodbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnilobkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnilobkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddcdkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddcdkl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmoipopd.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmoipopd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddeaalpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmafennb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmafennb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcknbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcknbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfijnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfijnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emcbkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epaogi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epaogi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgcdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekholjqg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekholjqg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecpgmhai.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecpgmhai.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Epfhbign.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiomkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaiqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebinic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebinic32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Fckjalhj.exe N/A
N/A N/A C:\Windows\SysWOW64\Fckjalhj.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Faokjpfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Faokjpfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Fejgko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fejgko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffnphf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffnphf32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Gmjaic32.exe C:\Windows\SysWOW64\Gkkemh32.exe N/A
File created C:\Windows\SysWOW64\Gphmeo32.exe C:\Windows\SysWOW64\Gmjaic32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hicodd32.exe C:\Windows\SysWOW64\Hgdbhi32.exe N/A
File created C:\Windows\SysWOW64\Ddeaalpg.exe C:\Windows\SysWOW64\Dmoipopd.exe N/A
File opened for modification C:\Windows\SysWOW64\Glfhll32.exe C:\Windows\SysWOW64\Gelppaof.exe N/A
File created C:\Windows\SysWOW64\Jjcpjl32.dll C:\Windows\SysWOW64\Gphmeo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkkalk32.exe C:\Windows\SysWOW64\Hhmepp32.exe N/A
File created C:\Windows\SysWOW64\Anapbp32.dll C:\Windows\SysWOW64\Dnilobkm.exe N/A
File created C:\Windows\SysWOW64\Fejgko32.exe C:\Windows\SysWOW64\Faokjpfd.exe N/A
File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Ioijbj32.exe N/A
File created C:\Windows\SysWOW64\Claifkkf.exe C:\Windows\SysWOW64\Cjbmjplb.exe N/A
File created C:\Windows\SysWOW64\Dcknbh32.exe C:\Windows\SysWOW64\Dmafennb.exe N/A
File created C:\Windows\SysWOW64\Eajaoq32.exe C:\Windows\SysWOW64\Eiomkn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Claifkkf.exe N/A
File opened for modification C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Dfijnd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gaqcoc32.exe C:\Windows\SysWOW64\Gobgcg32.exe N/A
File created C:\Windows\SysWOW64\Pabakh32.dll C:\Windows\SysWOW64\Gaqcoc32.exe N/A
File created C:\Windows\SysWOW64\Hnagjbdf.exe C:\Windows\SysWOW64\Hejoiedd.exe N/A
File created C:\Windows\SysWOW64\Pafagk32.dll C:\Windows\SysWOW64\Dmafennb.exe N/A
File created C:\Windows\SysWOW64\Dfijnd32.exe C:\Windows\SysWOW64\Dcknbh32.exe N/A
File created C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Dfijnd32.exe N/A
File created C:\Windows\SysWOW64\Efjcibje.dll C:\Windows\SysWOW64\Eiomkn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Flabbihl.exe C:\Windows\SysWOW64\Fckjalhj.exe N/A
File opened for modification C:\Windows\SysWOW64\Gobgcg32.exe C:\Windows\SysWOW64\Gfefiemq.exe N/A
File created C:\Windows\SysWOW64\Gbhfilfi.dll C:\Windows\SysWOW64\Ccfhhffh.exe N/A
File opened for modification C:\Windows\SysWOW64\Ekholjqg.exe C:\Windows\SysWOW64\Ejgcdb32.exe N/A
File created C:\Windows\SysWOW64\Hellne32.exe C:\Windows\SysWOW64\Hcnpbi32.exe N/A
File created C:\Windows\SysWOW64\Ihoafpmp.exe C:\Windows\SysWOW64\Ieqeidnl.exe N/A
File created C:\Windows\SysWOW64\Dgodbh32.exe C:\Windows\SysWOW64\Dngoibmo.exe N/A
File created C:\Windows\SysWOW64\Ekholjqg.exe C:\Windows\SysWOW64\Ejgcdb32.exe N/A
File created C:\Windows\SysWOW64\Lanfmb32.dll C:\Windows\SysWOW64\Epfhbign.exe N/A
File created C:\Windows\SysWOW64\Fmhheqje.exe C:\Windows\SysWOW64\Ffnphf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcnpbi32.exe C:\Windows\SysWOW64\Hnagjbdf.exe N/A
File created C:\Windows\SysWOW64\Kcfdakpf.dll C:\Windows\SysWOW64\Ejgcdb32.exe N/A
File created C:\Windows\SysWOW64\Hghmjpap.dll C:\Windows\SysWOW64\Gpknlk32.exe N/A
File created C:\Windows\SysWOW64\Gkkemh32.exe C:\Windows\SysWOW64\Gacpdbej.exe N/A
File created C:\Windows\SysWOW64\Henidd32.exe C:\Windows\SysWOW64\Hcplhi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hhmepp32.exe C:\Windows\SysWOW64\Henidd32.exe N/A
File created C:\Windows\SysWOW64\Hcifgjgc.exe C:\Windows\SysWOW64\Hpkjko32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ieqeidnl.exe C:\Windows\SysWOW64\Icbimi32.exe N/A
File created C:\Windows\SysWOW64\Lpbjlbfp.dll C:\Windows\SysWOW64\Eiaiqn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmhheqje.exe C:\Windows\SysWOW64\Ffnphf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fpfdalii.exe C:\Windows\SysWOW64\Fmhheqje.exe N/A
File created C:\Windows\SysWOW64\Lefmambf.dll C:\Windows\SysWOW64\Dmoipopd.exe N/A
File created C:\Windows\SysWOW64\Faokjpfd.exe C:\Windows\SysWOW64\Flabbihl.exe N/A
File created C:\Windows\SysWOW64\Ooghhh32.dll C:\Windows\SysWOW64\Gelppaof.exe N/A
File created C:\Windows\SysWOW64\Enlbgc32.dll C:\Windows\SysWOW64\Hejoiedd.exe N/A
File created C:\Windows\SysWOW64\Ffpmnf32.exe C:\Windows\SysWOW64\Fpfdalii.exe N/A
File created C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Claifkkf.exe N/A
File opened for modification C:\Windows\SysWOW64\Eloemi32.exe C:\Windows\SysWOW64\Eiaiqn32.exe N/A
File created C:\Windows\SysWOW64\Ohbepi32.dll C:\Windows\SysWOW64\Fmhheqje.exe N/A
File created C:\Windows\SysWOW64\Fpfdalii.exe C:\Windows\SysWOW64\Fmhheqje.exe N/A
File created C:\Windows\SysWOW64\Cgcmfjnn.dll C:\Windows\SysWOW64\Dcknbh32.exe N/A
File created C:\Windows\SysWOW64\Eiaiqn32.exe C:\Windows\SysWOW64\Eajaoq32.exe N/A
File created C:\Windows\SysWOW64\Eloemi32.exe C:\Windows\SysWOW64\Eiaiqn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gfefiemq.exe C:\Windows\SysWOW64\Gpknlk32.exe N/A
File created C:\Windows\SysWOW64\Aimkgn32.dll C:\Windows\SysWOW64\Gkkemh32.exe N/A
File created C:\Windows\SysWOW64\Hkkalk32.exe C:\Windows\SysWOW64\Hhmepp32.exe N/A
File created C:\Windows\SysWOW64\Epaogi32.exe C:\Windows\SysWOW64\Emcbkn32.exe N/A
File created C:\Windows\SysWOW64\Hpmgqnfl.exe C:\Windows\SysWOW64\Hicodd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hpmgqnfl.exe C:\Windows\SysWOW64\Hicodd32.exe N/A
File created C:\Windows\SysWOW64\Nfmjcmjd.dll C:\Windows\SysWOW64\Icbimi32.exe N/A
File created C:\Windows\SysWOW64\Jiiegafd.dll C:\Windows\SysWOW64\Ealnephf.exe N/A
File created C:\Windows\SysWOW64\Icbimi32.exe C:\Windows\SysWOW64\Hkkalk32.exe N/A
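
The rows above, read together with the "Executes dropped EXE" list, show the propagation pattern of this sample: each dropped executable in C:\Windows\SysWOW64 creates the next executable plus a DLL, all with random eight-letter names. The Python script below is an added example, not part of the sandbox report, that parses rows in this table's layout into a writer-to-dropped-file graph, lists the roots, walks the longest EXE generation chain and collects the dropped DLL names for IOC extraction. The embedded rows are a constructed subset copied from the table above; because the report shows only part of the event stream, the roots it finds are the roots of the visible fragments, not necessarily the sample's true first generation.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of rows copied from this report's "Drops file in
# System32 directory" table (behavioral1). Row layout is
# "<operation> <target path> <writing process> N/A".
SAMPLE_ROWS = r"""
File created C:\Windows\SysWOW64\Claifkkf.exe C:\Windows\SysWOW64\Cjbmjplb.exe N/A
File created C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Claifkkf.exe N/A
File opened for modification C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Claifkkf.exe N/A
File created C:\Windows\SysWOW64\Dgodbh32.exe C:\Windows\SysWOW64\Dngoibmo.exe N/A
File created C:\Windows\SysWOW64\Anapbp32.dll C:\Windows\SysWOW64\Dnilobkm.exe N/A
File created C:\Windows\SysWOW64\Ddeaalpg.exe C:\Windows\SysWOW64\Dmoipopd.exe N/A
File created C:\Windows\SysWOW64\Lefmambf.dll C:\Windows\SysWOW64\Dmoipopd.exe N/A
File created C:\Windows\SysWOW64\Dcknbh32.exe C:\Windows\SysWOW64\Dmafennb.exe N/A
File created C:\Windows\SysWOW64\Pafagk32.dll C:\Windows\SysWOW64\Dmafennb.exe N/A
File created C:\Windows\SysWOW64\Dfijnd32.exe C:\Windows\SysWOW64\Dcknbh32.exe N/A
File created C:\Windows\SysWOW64\Cgcmfjnn.dll C:\Windows\SysWOW64\Dcknbh32.exe N/A
File created C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Dfijnd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Dfijnd32.exe N/A
File created C:\Windows\SysWOW64\Epaogi32.exe C:\Windows\SysWOW64\Emcbkn32.exe N/A
"""

ROW_RE = re.compile(r"^File (created|opened for modification) (\S+) (\S+) N/A$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_drop_rows(text):
    """Return (operation, target file name, writing process name) tuples; rows
    that do not fit the four-column layout are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((m.group(1), basename(m.group(2)), basename(m.group(3))))
    return events


def build_drop_graph(events):
    """writer process -> set of files it created ("opened for modification" rows are ignored)."""
    graph = defaultdict(set)
    for op, target, proc in events:
        if op == "created":
            graph[proc].add(target)
    return dict(graph)


def drop_roots(graph):
    """Writers that no row shows being dropped themselves. With a truncated
    table these are only the roots of the visible fragments."""
    created = {t for kids in graph.values() for t in kids}
    return sorted(p for p in graph if p not in created)


def exe_chain(graph, start, seen=None):
    """Longest generation chain of dropped EXEs starting at `start`."""
    seen = set(seen) if seen else {start}
    best = [start]
    for child in sorted(graph.get(start, ())):
        # DLLs are leaves of the chain; the `seen` set guards against cycles
        if not child.lower().endswith(".exe") or child in seen:
            continue
        cand = [start] + exe_chain(graph, child, seen | {child})
        if len(cand) > len(best):
            best = cand
    return best


def longest_exe_chain(graph):
    chains = [exe_chain(graph, root) for root in drop_roots(graph)]
    return max(chains, key=len) if chains else []


def dropped_dlls(events):
    """Sorted, de-duplicated names of DLLs written by any generation (IOC list)."""
    return sorted({t for op, t, _ in events if op == "created" and t.lower().endswith(".dll")})


if __name__ == "__main__":
    events = parse_drop_rows(SAMPLE_ROWS)
    graph = build_drop_graph(events)
    print("roots:", drop_roots(graph))
    print("longest chain:", " -> ".join(longest_exe_chain(graph)))
    print("dropped DLLs:", dropped_dlls(events))
```

Run as a script it prints the roots, the longest visible chain (Dmafennb32 -> Dcknbh32 -> Dfijnd32 -> Emcbkn32 -> Epaogi32 for the subset embedded here) and the DLL names; pasting the full table text in place of SAMPLE_ROWS gives the complete graph for this detonation.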

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll" C:\Windows\SysWOW64\Henidd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Icbimi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Glfhll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ejgcdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll" C:\Windows\SysWOW64\Hellne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maomqp32.dll" C:\Windows\SysWOW64\Cpjiajeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll" C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmaibnf.dll" C:\Windows\SysWOW64\Chcqpmep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fejgko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll" C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgdbhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcpgjj.dll" C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ihoafpmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dngoibmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebinic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfijnd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmqgncdn.dll" C:\Windows\SysWOW64\Dfijnd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Flabbihl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Goddhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll" C:\Windows\SysWOW64\Hckcmjep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cpjiajeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hellne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeced32.dll" C:\Windows\SysWOW64\Dgodbh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Henidd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eiomkn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Faokjpfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll" C:\Windows\SysWOW64\Fpfdalii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll" C:\Windows\SysWOW64\Glfhll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gmjaic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hgbebiao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddeaalpg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ffpmnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" C:\Windows\SysWOW64\Hpkjko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ieqeidnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlppdeb.dll" C:\Windows\SysWOW64\Fckjalhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fpfdalii.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dmafennb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epaogi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ecpgmhai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ffpmnf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fmlapp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddeaalpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gelppaof.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hnagjbdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlfdkoin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hcplhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hhmepp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" C:\Windows\SysWOW64\Ioijbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chcqpmep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gphmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll" C:\Windows\SysWOW64\Gphmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gphmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll" C:\Windows\SysWOW64\Hgbebiao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gpknlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafagk32.dll" C:\Windows\SysWOW64\Dmafennb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmnhocj.dll" C:\Windows\SysWOW64\Flabbihl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Flabbihl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1132 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe C:\Windows\SysWOW64\Ccfhhffh.exe
PID 1132 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe C:\Windows\SysWOW64\Ccfhhffh.exe
PID 1132 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe C:\Windows\SysWOW64\Ccfhhffh.exe
PID 1132 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe C:\Windows\SysWOW64\Ccfhhffh.exe
PID 2372 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Ccfhhffh.exe C:\Windows\SysWOW64\Chcqpmep.exe
PID 2372 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Ccfhhffh.exe C:\Windows\SysWOW64\Chcqpmep.exe
PID 2372 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Ccfhhffh.exe C:\Windows\SysWOW64\Chcqpmep.exe
PID 2372 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Ccfhhffh.exe C:\Windows\SysWOW64\Chcqpmep.exe
PID 3068 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Chcqpmep.exe C:\Windows\SysWOW64\Cpjiajeb.exe
PID 3068 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Chcqpmep.exe C:\Windows\SysWOW64\Cpjiajeb.exe
PID 3068 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Chcqpmep.exe C:\Windows\SysWOW64\Cpjiajeb.exe
PID 3068 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Chcqpmep.exe C:\Windows\SysWOW64\Cpjiajeb.exe
PID 2684 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Cpjiajeb.exe C:\Windows\SysWOW64\Cjbmjplb.exe
PID 2684 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Cpjiajeb.exe C:\Windows\SysWOW64\Cjbmjplb.exe
PID 2684 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Cpjiajeb.exe C:\Windows\SysWOW64\Cjbmjplb.exe
PID 2684 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Cpjiajeb.exe C:\Windows\SysWOW64\Cjbmjplb.exe
PID 2560 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Cjbmjplb.exe C:\Windows\SysWOW64\Claifkkf.exe
PID 2560 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Cjbmjplb.exe C:\Windows\SysWOW64\Claifkkf.exe
PID 2560 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Cjbmjplb.exe C:\Windows\SysWOW64\Claifkkf.exe
PID 2560 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Cjbmjplb.exe C:\Windows\SysWOW64\Claifkkf.exe
PID 2496 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Claifkkf.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2496 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Claifkkf.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2496 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Claifkkf.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2496 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Claifkkf.exe C:\Windows\SysWOW64\Dngoibmo.exe
PID 2516 wrote to memory of 2216 N/A C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dgodbh32.exe
PID 2516 wrote to memory of 2216 N/A C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dgodbh32.exe
PID 2516 wrote to memory of 2216 N/A C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dgodbh32.exe
PID 2516 wrote to memory of 2216 N/A C:\Windows\SysWOW64\Dngoibmo.exe C:\Windows\SysWOW64\Dgodbh32.exe
PID 2216 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Dgodbh32.exe C:\Windows\SysWOW64\Dnilobkm.exe
PID 2216 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Dgodbh32.exe C:\Windows\SysWOW64\Dnilobkm.exe
PID 2216 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Dgodbh32.exe C:\Windows\SysWOW64\Dnilobkm.exe
PID 2216 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Dgodbh32.exe C:\Windows\SysWOW64\Dnilobkm.exe
PID 2544 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Dnilobkm.exe C:\Windows\SysWOW64\Ddcdkl32.exe
PID 2544 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Dnilobkm.exe C:\Windows\SysWOW64\Ddcdkl32.exe
PID 2544 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Dnilobkm.exe C:\Windows\SysWOW64\Ddcdkl32.exe
PID 2544 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Dnilobkm.exe C:\Windows\SysWOW64\Ddcdkl32.exe
PID 1972 wrote to memory of 1688 N/A C:\Windows\SysWOW64\Ddcdkl32.exe C:\Windows\SysWOW64\Dmoipopd.exe
PID 1972 wrote to memory of 1688 N/A C:\Windows\SysWOW64\Ddcdkl32.exe C:\Windows\SysWOW64\Dmoipopd.exe
PID 1972 wrote to memory of 1688 N/A C:\Windows\SysWOW64\Ddcdkl32.exe C:\Windows\SysWOW64\Dmoipopd.exe
PID 1972 wrote to memory of 1688 N/A C:\Windows\SysWOW64\Ddcdkl32.exe C:\Windows\SysWOW64\Dmoipopd.exe
PID 1688 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Dmoipopd.exe C:\Windows\SysWOW64\Ddeaalpg.exe
PID 1688 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Dmoipopd.exe C:\Windows\SysWOW64\Ddeaalpg.exe
PID 1688 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Dmoipopd.exe C:\Windows\SysWOW64\Ddeaalpg.exe
PID 1688 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Dmoipopd.exe C:\Windows\SysWOW64\Ddeaalpg.exe
PID 1984 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Ddeaalpg.exe C:\Windows\SysWOW64\Dmafennb.exe
PID 1984 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Ddeaalpg.exe C:\Windows\SysWOW64\Dmafennb.exe
PID 1984 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Ddeaalpg.exe C:\Windows\SysWOW64\Dmafennb.exe
PID 1984 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Ddeaalpg.exe C:\Windows\SysWOW64\Dmafennb.exe
PID 2500 wrote to memory of 1524 N/A C:\Windows\SysWOW64\Dmafennb.exe C:\Windows\SysWOW64\Dcknbh32.exe
PID 2500 wrote to memory of 1524 N/A C:\Windows\SysWOW64\Dmafennb.exe C:\Windows\SysWOW64\Dcknbh32.exe
PID 2500 wrote to memory of 1524 N/A C:\Windows\SysWOW64\Dmafennb.exe C:\Windows\SysWOW64\Dcknbh32.exe
PID 2500 wrote to memory of 1524 N/A C:\Windows\SysWOW64\Dmafennb.exe C:\Windows\SysWOW64\Dcknbh32.exe
PID 1524 wrote to memory of 1152 N/A C:\Windows\SysWOW64\Dcknbh32.exe C:\Windows\SysWOW64\Dfijnd32.exe
PID 1524 wrote to memory of 1152 N/A C:\Windows\SysWOW64\Dcknbh32.exe C:\Windows\SysWOW64\Dfijnd32.exe
PID 1524 wrote to memory of 1152 N/A C:\Windows\SysWOW64\Dcknbh32.exe C:\Windows\SysWOW64\Dfijnd32.exe
PID 1524 wrote to memory of 1152 N/A C:\Windows\SysWOW64\Dcknbh32.exe C:\Windows\SysWOW64\Dfijnd32.exe
PID 1152 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Dfijnd32.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 1152 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Dfijnd32.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 1152 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Dfijnd32.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 1152 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Dfijnd32.exe C:\Windows\SysWOW64\Emcbkn32.exe
PID 2188 wrote to memory of 484 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Epaogi32.exe
PID 2188 wrote to memory of 484 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Epaogi32.exe
PID 2188 wrote to memory of 484 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Epaogi32.exe
PID 2188 wrote to memory of 484 N/A C:\Windows\SysWOW64\Emcbkn32.exe C:\Windows\SysWOW64\Epaogi32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe

"C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe"

C:\Windows\SysWOW64\Ccfhhffh.exe

C:\Windows\system32\Ccfhhffh.exe

C:\Windows\SysWOW64\Chcqpmep.exe

C:\Windows\system32\Chcqpmep.exe

C:\Windows\SysWOW64\Cpjiajeb.exe

C:\Windows\system32\Cpjiajeb.exe

C:\Windows\SysWOW64\Cjbmjplb.exe

C:\Windows\system32\Cjbmjplb.exe

C:\Windows\SysWOW64\Claifkkf.exe

C:\Windows\system32\Claifkkf.exe

C:\Windows\SysWOW64\Dngoibmo.exe

C:\Windows\system32\Dngoibmo.exe

C:\Windows\SysWOW64\Dgodbh32.exe

C:\Windows\system32\Dgodbh32.exe

C:\Windows\SysWOW64\Dnilobkm.exe

C:\Windows\system32\Dnilobkm.exe

C:\Windows\SysWOW64\Ddcdkl32.exe

C:\Windows\system32\Ddcdkl32.exe

C:\Windows\SysWOW64\Dmoipopd.exe

C:\Windows\system32\Dmoipopd.exe

C:\Windows\SysWOW64\Ddeaalpg.exe

C:\Windows\system32\Ddeaalpg.exe

C:\Windows\SysWOW64\Dmafennb.exe

C:\Windows\system32\Dmafennb.exe

C:\Windows\SysWOW64\Dcknbh32.exe

C:\Windows\system32\Dcknbh32.exe

C:\Windows\SysWOW64\Dfijnd32.exe

C:\Windows\system32\Dfijnd32.exe

C:\Windows\SysWOW64\Emcbkn32.exe

C:\Windows\system32\Emcbkn32.exe

C:\Windows\SysWOW64\Epaogi32.exe

C:\Windows\system32\Epaogi32.exe

C:\Windows\SysWOW64\Ejgcdb32.exe

C:\Windows\system32\Ejgcdb32.exe

C:\Windows\SysWOW64\Ekholjqg.exe

C:\Windows\system32\Ekholjqg.exe

C:\Windows\SysWOW64\Ecpgmhai.exe

C:\Windows\system32\Ecpgmhai.exe

C:\Windows\SysWOW64\Eeqdep32.exe

C:\Windows\system32\Eeqdep32.exe

C:\Windows\SysWOW64\Epfhbign.exe

C:\Windows\system32\Epfhbign.exe

C:\Windows\SysWOW64\Eiomkn32.exe

C:\Windows\system32\Eiomkn32.exe

C:\Windows\SysWOW64\Eajaoq32.exe

C:\Windows\system32\Eajaoq32.exe

C:\Windows\SysWOW64\Eiaiqn32.exe

C:\Windows\system32\Eiaiqn32.exe

C:\Windows\SysWOW64\Eloemi32.exe

C:\Windows\system32\Eloemi32.exe

C:\Windows\SysWOW64\Ebinic32.exe

C:\Windows\system32\Ebinic32.exe

C:\Windows\SysWOW64\Ealnephf.exe

C:\Windows\system32\Ealnephf.exe

C:\Windows\SysWOW64\Fckjalhj.exe

C:\Windows\system32\Fckjalhj.exe

C:\Windows\SysWOW64\Flabbihl.exe

C:\Windows\system32\Flabbihl.exe

C:\Windows\SysWOW64\Faokjpfd.exe

C:\Windows\system32\Faokjpfd.exe

C:\Windows\SysWOW64\Fejgko32.exe

C:\Windows\system32\Fejgko32.exe

C:\Windows\SysWOW64\Ffnphf32.exe

C:\Windows\system32\Ffnphf32.exe

C:\Windows\SysWOW64\Fmhheqje.exe

C:\Windows\system32\Fmhheqje.exe

C:\Windows\SysWOW64\Fpfdalii.exe

C:\Windows\system32\Fpfdalii.exe

C:\Windows\SysWOW64\Ffpmnf32.exe

C:\Windows\system32\Ffpmnf32.exe

C:\Windows\SysWOW64\Fjlhneio.exe

C:\Windows\system32\Fjlhneio.exe

C:\Windows\SysWOW64\Fmlapp32.exe

C:\Windows\system32\Fmlapp32.exe

C:\Windows\SysWOW64\Gpknlk32.exe

C:\Windows\system32\Gpknlk32.exe

C:\Windows\SysWOW64\Gfefiemq.exe

C:\Windows\system32\Gfefiemq.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Gelppaof.exe

C:\Windows\system32\Gelppaof.exe

C:\Windows\SysWOW64\Glfhll32.exe

C:\Windows\system32\Glfhll32.exe

C:\Windows\SysWOW64\Goddhg32.exe

C:\Windows\system32\Goddhg32.exe

C:\Windows\SysWOW64\Gacpdbej.exe

C:\Windows\system32\Gacpdbej.exe

C:\Windows\SysWOW64\Gkkemh32.exe

C:\Windows\system32\Gkkemh32.exe

C:\Windows\SysWOW64\Gmjaic32.exe

C:\Windows\system32\Gmjaic32.exe

C:\Windows\SysWOW64\Gphmeo32.exe

C:\Windows\system32\Gphmeo32.exe

C:\Windows\SysWOW64\Hgbebiao.exe

C:\Windows\system32\Hgbebiao.exe

C:\Windows\SysWOW64\Hiqbndpb.exe

C:\Windows\system32\Hiqbndpb.exe

C:\Windows\SysWOW64\Hpkjko32.exe

C:\Windows\system32\Hpkjko32.exe

C:\Windows\SysWOW64\Hcifgjgc.exe

C:\Windows\system32\Hcifgjgc.exe

C:\Windows\SysWOW64\Hgdbhi32.exe

C:\Windows\system32\Hgdbhi32.exe

C:\Windows\SysWOW64\Hicodd32.exe

C:\Windows\system32\Hicodd32.exe

C:\Windows\SysWOW64\Hpmgqnfl.exe

C:\Windows\system32\Hpmgqnfl.exe

C:\Windows\SysWOW64\Hckcmjep.exe

C:\Windows\system32\Hckcmjep.exe

C:\Windows\SysWOW64\Hejoiedd.exe

C:\Windows\system32\Hejoiedd.exe

C:\Windows\SysWOW64\Hnagjbdf.exe

C:\Windows\system32\Hnagjbdf.exe

C:\Windows\SysWOW64\Hcnpbi32.exe

C:\Windows\system32\Hcnpbi32.exe

C:\Windows\SysWOW64\Hellne32.exe

C:\Windows\system32\Hellne32.exe

C:\Windows\SysWOW64\Hlfdkoin.exe

C:\Windows\system32\Hlfdkoin.exe

C:\Windows\SysWOW64\Hcplhi32.exe

C:\Windows\system32\Hcplhi32.exe

C:\Windows\SysWOW64\Henidd32.exe

C:\Windows\system32\Henidd32.exe

C:\Windows\SysWOW64\Hhmepp32.exe

C:\Windows\system32\Hhmepp32.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Icbimi32.exe

C:\Windows\system32\Icbimi32.exe

C:\Windows\SysWOW64\Ieqeidnl.exe

C:\Windows\system32\Ieqeidnl.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Ioijbj32.exe

C:\Windows\system32\Ioijbj32.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 140

Network

N/A

Files

memory/1132-4-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1132-6-0x0000000000250000-0x0000000000283000-memory.dmp

\Windows\SysWOW64\Ccfhhffh.exe

MD5 617c1cdcd5f9aecaf3c78e2545123c8d
SHA1 83a81d6046fa070b3fd51fc8fe5a51167d72ab4f
SHA256 2a7f5b99a893e8021a106dc412bb20e918c8f42c4a44aa2e033eaf5a4711ec34
SHA512 8291730196c818f6c530960761fee91df190e8e96480484c058ddb5e95a8dc58a367e0e88b6f39a2461bff952ad0e58c5b35d28d2117e0fad57e347b0b627f55

memory/1132-18-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2372-19-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Chcqpmep.exe

MD5 8a8004a955ee0ec08cc386eab609e699
SHA1 7eb7d3b633803573a87340aee73ac2dcdfa5a9de
SHA256 63d866c0a18eb8101b351ee377f835015e9ddf047d5d9a41e037983b8fb37769
SHA512 82cea2356d04f6957706bf7aec60ddb52b296fd6fc5379966f52f6b95382e4b7127fcd8c4702250926746bb016f835e02adabcf657e8470e85c9b700293ba2c7

memory/3068-31-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2372-27-0x0000000000250000-0x0000000000283000-memory.dmp

memory/3068-36-0x0000000000280000-0x00000000002B3000-memory.dmp

\Windows\SysWOW64\Cpjiajeb.exe

MD5 dd070d9dcbadb5c1fbdd52d7583a7f4f
SHA1 84b745f0e8fd0bf4524f4ebce3885fd8a50e5677
SHA256 05fb9761f8da4de15823fe85c3e6cfea04924253c32f4411c96c5a9c1bd876e7
SHA512 982261294a3c165d3e53f81d631d43f8d452e1a005b471d974750c71c29403de21d4ab4d03c50424df53adc200b4ffd7e778fe2695e2698df6a947afbaade46a

memory/2684-42-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cjbmjplb.exe

MD5 c32aa00be8900b4dbb993e834352c0e6
SHA1 1f66d4e1974381218b43af4d703439a6a1d87ff6
SHA256 38441e6a04ec45b3acb22bd4ccf55e71e60d87b23916639c8e12da237a35782b
SHA512 22a891f980d38b592d3895375b721970071ea5a4a7c64df91014d9b6f750d9cd022e147cb33ad98b3bde9180df3327ba205601eb74caae2e61ca46192a43817b

\Windows\SysWOW64\Claifkkf.exe

MD5 ef35330521a048abb95621c1a39646ff
SHA1 5ce1c42a1effd521eff927dd952aa451c5870c1a
SHA256 f780d1438926f2f3b23b9fc0f274bebd85a548c66bf49903dba3d341f70dc8ec
SHA512 60fc35265db2ea50a5c2d91e5de16ae941ab44ffcbdc5ab9f37a1d457ae89dd315aeeac2e21707e5707ec797cf02403571f24ff904f52026dd98366ea2e54450

memory/2560-70-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2496-72-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2560-69-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2560-57-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2684-56-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2684-55-0x0000000000250000-0x0000000000283000-memory.dmp

\Windows\SysWOW64\Dgodbh32.exe

MD5 6518cabff9739542086a6ed1f3194686
SHA1 2f2c291d70800bdf0f75ea54a35306898fedaaf2
SHA256 9cf029837d448f5aa5a421eb7d71e2e0c931a2a5d8d7063ce0183abeb8800965
SHA512 652ece319f6d7adab843f1be2125ba0ad87fe92bdb67295260c00ccba8f0269580f2844d40de778aece92c3f07c2da4cd56eff8a253ae56aa45ca4c411107440

\Windows\SysWOW64\Dnilobkm.exe

MD5 a5dee606bdd3001466b4f92a9ec8cd30
SHA1 96738955dc455395fc094d4094b8abe2d225f6ce
SHA256 e73041698e48affbd526713f4e6b50477ce9deb376e20804b7bc706c7a2432ee
SHA512 94db6d3a512982d6f66da48145ba43fabad5baead7d6658ae12f9e7573621fdf6d46a6faa4aeb04cf6a5800bea1486f0f4247eed813e5de225d84221cd1551d7

C:\Windows\SysWOW64\Ddcdkl32.exe

MD5 340ec2230d5e63fe95ea4b8398f79902
SHA1 410f65e0c74a74da65b77b04c89d491d094ff954
SHA256 5d68cf295fac56dc7c35c3fec741043a3f1d5e9ebc0d71ef3ebc40e481b95b32
SHA512 d7b81f25b3f1c1d3067add523d9bcb3f775a1d9dc3b18ed578ebaf5fd299260a8be3b39e1cc4334337ee837b9bef19fcfe8087a77b2c84a7c6bddd9c6a3bece3

memory/1972-127-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Dmoipopd.exe

MD5 67ca45166179acd1244c89f4e801ec2b
SHA1 b60de89ebc70f489921427bd10ca0f8ab22e53c6
SHA256 d4356c4ebd8c91f54385d9dc3ab159c0a3d451614ad74ee8e7f8006fb308cab9
SHA512 e8d6628ee38a274103a2745ca52eb9918e32b45893a0542015f65c95523d30482e72d73bdd212451f2d37bc8df7f58af337377a5383d1ec7e6de5517d7c35006

C:\Windows\SysWOW64\Ddeaalpg.exe

MD5 619f45ce703f1845f0ef69c4a4674910
SHA1 7990ac2d4633f738f6bcd3b168d82b81d997bd78
SHA256 e53ed22e4ba3e51fb44a6bcb869ee22b342659e7461b292ba890f1bb5c65f546
SHA512 149f32d7a99d60a032a0259508580e6a8aed553aa7a989353e8500b0647c2024004d92076983b1510c296d5881b714296cccd01ab8a6912a9b8b46a4a1de6f17

C:\Windows\SysWOW64\Dmafennb.exe

MD5 cd63437a82a3c5d3eb70d35d40a8f74f
SHA1 340e13ec5d31b074261d9ecfe4631e89bae8a1db
SHA256 f8a084483d6bd57e18bd35774a865583951380a308c5c0bf422a7f5e0c999319
SHA512 4b39f290a7633c78435dc2039d64df91373bfc42692143cebd832f8ef12c71113c6997011dbc9fd6be2d2621d5135ed435792909a30ce0d661afcbba224cc75b

memory/1524-182-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Emcbkn32.exe

MD5 f13a67906e640935f814f1a6d7f6e969
SHA1 d2d08e2e3f5b2ddacd16ab01e7467b9b664f08f9
SHA256 caf4baca0bb37ee0a9dc6b90c549591a0c3c822d7220ec6a0fb515687b594650
SHA512 720827e75956ffefca97b6e26c2d0d3f77d905955267707cfd59e1c65696f5d039e3c63e9e8cfebc87e45c25836f7e3e290a20b2b2e8898a66bf5d110e345148

C:\Windows\SysWOW64\Epaogi32.exe

MD5 4be68412d5e837185c95e30d701b3fa8
SHA1 4746267bb1b4e147c955b0ac1b95a2162ef39d5f
SHA256 6e9c60dc3f1c31a4cfe586a096ee4c1c1cf1a1a9438735f0dec2c1a4d54b4c7c
SHA512 2ac2c4917b5818903c5fec168a673a14a955290968f7fe07d4c033ec0eb5e6007f66075db1cf440c069ee4efb8713d0118b91a1d2203cfb38b502c75abbcf7a3

memory/936-231-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ecpgmhai.exe

MD5 e2a7b2b3925debead379a6e9aa07f50a
SHA1 3b2c6b1392024d08ea0a60341434e9938c640581
SHA256 b16fe7b9aa9141197b142b62c15f80e96decaf6e29a0b64dd2e3a522a1e2d2d8
SHA512 3282a0dfa32e4329c7493059abd9b8d8bf07d4b0912d64c03bad774a60e7ee042359222aa508a8db087c1b65e1fd6fb3acc362ac114ce4fd6bd49d48f5b00eb8

memory/2308-251-0x0000000000400000-0x0000000000433000-memory.dmp

memory/832-250-0x0000000000250000-0x0000000000283000-memory.dmp

memory/832-241-0x0000000000400000-0x0000000000433000-memory.dmp

memory/936-240-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2308-262-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2080-272-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2168-271-0x00000000002E0000-0x0000000000313000-memory.dmp

C:\Windows\SysWOW64\Epfhbign.exe

MD5 1c46dbee396f587e93954a079b86519e
SHA1 d51ffc3c58bb524c346596b5d7037a7c58c44ff4
SHA256 493bd89c93b1a783d1409ac4a946872b0d5ef5b6e55bc7b342dce40039496ebe
SHA512 886205d628ddf4642a3317bb962760c2703f4d8ac0efa7651eb101210ee0a36d6126a57edcfefc9ec5147d717d3d2043979be8ec87d255f688ecbf061a202053

memory/2968-293-0x0000000000400000-0x0000000000433000-memory.dmp

memory/892-308-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2972-316-0x00000000005D0000-0x0000000000603000-memory.dmp

memory/2380-332-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Flabbihl.exe

MD5 bf739d266e172641aba72ea3df4b9f6e
SHA1 7864c4fa070f512a70ad76dba20b4bbde9343c5f
SHA256 737d9c46d2663b89b1b634d3fdbb0d93338b7cec8579f05922049a710b3a857b
SHA512 4e3f09866524de8b47cb0b52037f20a2b3ac46915b43ab620810aa364de87ead4311ffbbfd9eaa1dfc4c75e4703a2f662d3589d957a44fc01d5b265371148f6b

memory/2660-361-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2472-373-0x0000000001F30000-0x0000000001F63000-memory.dmp

memory/2472-372-0x0000000001F30000-0x0000000001F63000-memory.dmp

memory/1384-371-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ffnphf32.exe

MD5 f899ded5e50c320bdb20d94f87445926
SHA1 87fd31cddfd5930685b165fef8284443a9bf530c
SHA256 d5cc5a05cf82799d9da95258da5a87b6b63f4893b4ee8a2d7a6dbde4bdc97d06
SHA512 8f66b2e34c778c292c7804e9927300cc55588b56e53e6e3cce18ca63475397e65da4fc1fbdb44ccaf85ddb9181bd4907c5d9d3f5ab55baa0dff1d8875f182f16

C:\Windows\SysWOW64\Fmhheqje.exe

MD5 4fe4698c1acf131e8d377a32b31f8fb7
SHA1 dbe9feb92201df68cef0f8760ffdf73c17bd035f
SHA256 706f9b529e4245c2dd72b914e23d111a4dc95cee6af40da53772936dcf49bb0e
SHA512 3cca1de3b263bdced0581baed9d3d46925a87122a91e30a44b2d035100cd804be1d3809fa1afe0c59d252d211d993a33ef21844f1408f0cb37d488b27a4258a6

memory/2040-417-0x00000000002F0000-0x0000000000323000-memory.dmp

memory/1624-423-0x0000000000260000-0x0000000000293000-memory.dmp

memory/3044-428-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fmlapp32.exe

MD5 6df314581c7eb891564f0efe06f16090
SHA1 bc19f12629809d3a8fc8408bcfdffe7d18f59873
SHA256 63505a6f599859c94ccb92e4f6bef4269d280b11e6043eb0ed5f3502e46b1692
SHA512 e62770d0f0afaf37730b5321f86867a3cbe4bad94f79bcf23e2df13a9351e58ce95bf4aead7657da39c93bc740629a0308484863e73a1d6553923d72b8705c72

C:\Windows\SysWOW64\Gpknlk32.exe

MD5 6d58b659ed0772aae943b92fe0c4a078
SHA1 b5ff7320f1ab0987b175f20277508166b53cb684
SHA256 3a7a9d191fbe1506652dfc7a2c5a6ac5bad1a911378465608d60b26d6e246323
SHA512 fd5d67f1dc8d6233cd0322a293d1e116215a2f5e6f740db1d8488d650c139a9b3b66f1c531de67e514df71e8d1d6f64529b1547d0dea52fd13bde354d57aac7e

memory/1160-451-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1948-449-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1948-448-0x0000000000250000-0x0000000000283000-memory.dmp

memory/840-460-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Gelppaof.exe

MD5 d1cb6e2aaedaee094301324ffcb096d6
SHA1 7bb5b4258af457d9e4b1588a60137b0c6791be8e
SHA256 c628b16fa0aff503cf2890b7b41c15c5f427d31efc2b6460043bca1176e15d18
SHA512 7b23480e4548fbaae9608b4e68b559fbda1b64b88b18bddff1c9cc92d52230f1e8fe3e9d006fcf4c076019a8103aa7b61228d8094f43af3c559ab9c357a4163f

C:\Windows\SysWOW64\Glfhll32.exe

MD5 8abf0691e1ee8080d18a1eddc81b8fc5
SHA1 842ac8ed07b5c09bfd24af0c2103d55c65c16655
SHA256 204c04a413acc47140b75c1ce0020feecb114ba867e931cfeb19724df09bbc38
SHA512 f4c77093a78b70099290eea5c982d77ff01ba06fdccc8fd299dfcb370231d30cd0d948dce8af950caa9e9933fe7a90a76aa1c6b4235028cf404541b74bce52ec

C:\Windows\SysWOW64\Gacpdbej.exe

MD5 a4a9f31ae838493f5e1083fc9c61d5a4
SHA1 e725b2a21944a41ae95bfe2643d74a558fd9e662
SHA256 07de983f5260776d99a338213ff3608fab4b7c32fdbccb91ced0372e1f607791
SHA512 4d80457af730ebc3ad900b258c31ff990e20888e223a8e81e553f91de05e1a680d40568a8476d5973e3422b79f80da54ef70f2b339d4b5466ce92fc263e53dc1

C:\Windows\SysWOW64\Gkkemh32.exe

MD5 20232fd5c106c2b6bb7e752de6825b63
SHA1 016e757bddc5b10e22fd3558d88ac27b54afb03a
SHA256 f5846edfb06815d4e3f5fb7da69fcdb8c37099b166952b22f088d67df9730685
SHA512 01c755f57a96bd69693033ad8a20e827d73745cc502bf269b8ada4c0fa767c80a843360c2e28d9e6496c550f90ae594d7e0a4d6b628494f3c08f7fe8ce5bd1a3

C:\Windows\SysWOW64\Hgbebiao.exe

MD5 70f76fcab3bebbc9427258f552b4fbed
SHA1 c62a9f2d73e7a7837b316c8f4c1c3bcb6a65b705
SHA256 ee12bf8066356dfd5221baa09c07d4bf5b3286edddbf075a524b085221a5a5d0
SHA512 323e21012d49948c83b9147f63cca9888070ff0cfa2c3d09f57280664bce7e0edcfdc8adf2c650867465c09e568577681ce99b533d3fbd9ff1089eeefe72289a

C:\Windows\SysWOW64\Hpkjko32.exe

MD5 3216364fb8756907a27d5c0c30ba028e
SHA1 e383b4756847d862c0e6917cb2267d71cd16a2cb
SHA256 a5851f888a24f6cf04c83f48734d27370a3ddece57cb92e1d185068f8037935a
SHA512 c4e4fd0caa652c11170d089465e2e011b535dcd2c016f5cd4e1467cbafd927f6abbe63ede4650c5ed1ed213d89e9ccf3c2b8e4775fcbf463e6fa901738058e2a

C:\Windows\SysWOW64\Hckcmjep.exe

MD5 0f4de615c7c7c36905ea4c6d13dba357
SHA1 e7f0648cff3055b12786a843c141957586fab8ea
SHA256 4faf2e967d472df4b7439015b9ba884dfce0041f8cd8c541c9d37354b1997392
SHA512 3b8152131781f3e87b39b26daf8a0dc104c129b8cd959471730c281b40543f16c255caa99e5e6f8275c68c6522adbf02ab9cc13d7e58b15239bb0728dd8eabf1

C:\Windows\SysWOW64\Hejoiedd.exe

MD5 c6724e00e314d51000aabd4a7aa5effe
SHA1 645865b8ca0cdb3fe4a9604fc63727b22f2db769
SHA256 b575a7c2a4c6a50b841b668afd8a9243479c03effe481e6c5013a13e93c22100

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 09:43

Reported

2024-06-02 09:46

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lkiqbl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpkbebbf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpdelajl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nacbfdao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kgdbkohf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mglack32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nkjjij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nggqoj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mamleegg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nddkgonp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdopod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lklnhlfb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mciobn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjcgohig.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mahbje32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Maohkd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndidbn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdopod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lkiqbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mpmokb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njcpee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njcpee32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kibnhjgj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mahbje32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mciobn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpmokb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Maohkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nafokcol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nqklmpdd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcmofolg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mnocof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgghhlhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndidbn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mamleegg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mcnhmm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nkncdifl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncihikcg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldaeka32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lklnhlfb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkepnjng.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mcbahlip.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjqjih32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgnnhk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnhfee32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kgphpo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkpgck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mkpgck32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnapdf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Maaepd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njogjfoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnmopdep.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjcgohig.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjjmog32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkjjij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngedij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lcmofolg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lnjjdgee.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgghhlhq.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Kmegbjgn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdopod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgphpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgdbkohf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kibnhjgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcmofolg.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmccchkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkiqbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnhmng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldaeka32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lklnhlfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnjjdgee.exe N/A
N/A N/A C:\Windows\SysWOW64\Lknjmkdo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjqjih32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mahbje32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpkbebbf.exe N/A
N/A N/A C:\Windows\SysWOW64\Mciobn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkpgck32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjcgohig.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnocof32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpmokb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdiklqhm.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgghhlhq.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkbchk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnapdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mamleegg.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdkhapfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcnhmm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkepnjng.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjhqjg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Maohkd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdmegp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mglack32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjjmog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpdelajl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcbahlip.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgnnhk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkjjij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnhfee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nacbfdao.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndbnboqb.exe N/A
N/A N/A C:\Windows\SysWOW64\Njogjfoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nafokcol.exe N/A
N/A N/A C:\Windows\SysWOW64\Nddkgonp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncgkcl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkncdifl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnmopdep.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqklmpdd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncihikcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngedij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njcpee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbkhfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndidbn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nggqoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkcmohbg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Ngedij32.exe C:\Windows\SysWOW64\Ncihikcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nbkhfc32.exe N/A
File created C:\Windows\SysWOW64\Lkiqbl32.exe C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Nkjjij32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndbnboqb.exe C:\Windows\SysWOW64\Nacbfdao.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnmopdep.exe C:\Windows\SysWOW64\Nkncdifl.exe N/A
File created C:\Windows\SysWOW64\Paadnmaq.dll C:\Windows\SysWOW64\Ncihikcg.exe N/A
File created C:\Windows\SysWOW64\Eplmgmol.dll C:\Windows\SysWOW64\Kmegbjgn.exe N/A
File opened for modification C:\Windows\SysWOW64\Mahbje32.exe C:\Windows\SysWOW64\Mjqjih32.exe N/A
File created C:\Windows\SysWOW64\Mcnhmm32.exe C:\Windows\SysWOW64\Mdkhapfj.exe N/A
File created C:\Windows\SysWOW64\Dihcoe32.dll C:\Windows\SysWOW64\Nacbfdao.exe N/A
File created C:\Windows\SysWOW64\Lelgbkio.dll C:\Windows\SysWOW64\Mpdelajl.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgnnhk32.exe C:\Windows\SysWOW64\Mcbahlip.exe N/A
File opened for modification C:\Windows\SysWOW64\Nacbfdao.exe C:\Windows\SysWOW64\Nnhfee32.exe N/A
File created C:\Windows\SysWOW64\Lfcbokki.dll C:\Windows\SysWOW64\Ndbnboqb.exe N/A
File created C:\Windows\SysWOW64\Bheenp32.dll C:\Windows\SysWOW64\Ldaeka32.exe N/A
File created C:\Windows\SysWOW64\Lknjmkdo.exe C:\Windows\SysWOW64\Lnjjdgee.exe N/A
File created C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Lknjmkdo.exe N/A
File created C:\Windows\SysWOW64\Mdiklqhm.exe C:\Windows\SysWOW64\Mpmokb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbkhfc32.exe C:\Windows\SysWOW64\Njcpee32.exe N/A
File created C:\Windows\SysWOW64\Jnngob32.dll C:\Windows\SysWOW64\Lnjjdgee.exe N/A
File created C:\Windows\SysWOW64\Lifenaok.dll C:\Windows\SysWOW64\Mpkbebbf.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjjmog32.exe C:\Windows\SysWOW64\Mglack32.exe N/A
File created C:\Windows\SysWOW64\Ljfemn32.dll C:\Windows\SysWOW64\Nnmopdep.exe N/A
File opened for modification C:\Windows\SysWOW64\Mglack32.exe C:\Windows\SysWOW64\Mdmegp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kgdbkohf.exe C:\Windows\SysWOW64\Kgphpo32.exe N/A
File created C:\Windows\SysWOW64\Ldaeka32.exe C:\Windows\SysWOW64\Lnhmng32.exe N/A
File created C:\Windows\SysWOW64\Ckegia32.dll C:\Windows\SysWOW64\Lnhmng32.exe N/A
File created C:\Windows\SysWOW64\Njcqqgjb.dll C:\Windows\SysWOW64\Mamleegg.exe N/A
File created C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Nkjjij32.exe N/A
File created C:\Windows\SysWOW64\Ncgkcl32.exe C:\Windows\SysWOW64\Nddkgonp.exe N/A
File created C:\Windows\SysWOW64\Pkckjila.dll C:\Windows\SysWOW64\Nqklmpdd.exe N/A
File created C:\Windows\SysWOW64\Ockcknah.dll C:\Windows\SysWOW64\Mpmokb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcnhmm32.exe C:\Windows\SysWOW64\Mdkhapfj.exe N/A
File created C:\Windows\SysWOW64\Gbbkdl32.dll C:\Windows\SysWOW64\Maaepd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcbahlip.exe C:\Windows\SysWOW64\Mpdelajl.exe N/A
File opened for modification C:\Windows\SysWOW64\Mpdelajl.exe C:\Windows\SysWOW64\Maaepd32.exe N/A
File created C:\Windows\SysWOW64\Nggqoj32.exe C:\Windows\SysWOW64\Ndidbn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kmegbjgn.exe C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe N/A
File created C:\Windows\SysWOW64\Kgdbkohf.exe C:\Windows\SysWOW64\Kgphpo32.exe N/A
File created C:\Windows\SysWOW64\Fogjfmfe.dll C:\Windows\SysWOW64\Kgphpo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkepnjng.exe C:\Windows\SysWOW64\Mcnhmm32.exe N/A
File created C:\Windows\SysWOW64\Kmegbjgn.exe C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe N/A
File opened for modification C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Lkiqbl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Maohkd32.exe C:\Windows\SysWOW64\Mjhqjg32.exe N/A
File created C:\Windows\SysWOW64\Addjcmqn.dll C:\Windows\SysWOW64\Ndidbn32.exe N/A
File created C:\Windows\SysWOW64\Nqklmpdd.exe C:\Windows\SysWOW64\Nnmopdep.exe N/A
File created C:\Windows\SysWOW64\Hnibdpde.dll C:\Windows\SysWOW64\Nggqoj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkbchk32.exe C:\Windows\SysWOW64\Mgghhlhq.exe N/A
File created C:\Windows\SysWOW64\Oaehlf32.dll C:\Windows\SysWOW64\Mdmegp32.exe N/A
File created C:\Windows\SysWOW64\Mcbahlip.exe C:\Windows\SysWOW64\Mpdelajl.exe N/A
File opened for modification C:\Windows\SysWOW64\Nafokcol.exe C:\Windows\SysWOW64\Njogjfoj.exe N/A
File opened for modification C:\Windows\SysWOW64\Nddkgonp.exe C:\Windows\SysWOW64\Nafokcol.exe N/A
File created C:\Windows\SysWOW64\Lcmofolg.exe C:\Windows\SysWOW64\Kibnhjgj.exe N/A
File opened for modification C:\Windows\SysWOW64\Mnocof32.exe C:\Windows\SysWOW64\Mjcgohig.exe N/A
File created C:\Windows\SysWOW64\Mglack32.exe C:\Windows\SysWOW64\Mdmegp32.exe N/A
File created C:\Windows\SysWOW64\Hnfmbf32.dll C:\Windows\SysWOW64\Mcbahlip.exe N/A
File created C:\Windows\SysWOW64\Jgengpmj.dll C:\Windows\SysWOW64\Mnapdf32.exe N/A
File created C:\Windows\SysWOW64\Mkepnjng.exe C:\Windows\SysWOW64\Mcnhmm32.exe N/A
File created C:\Windows\SysWOW64\Nacbfdao.exe C:\Windows\SysWOW64\Nnhfee32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncgkcl32.exe C:\Windows\SysWOW64\Nddkgonp.exe N/A
File opened for modification C:\Windows\SysWOW64\Ldaeka32.exe C:\Windows\SysWOW64\Lnhmng32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lklnhlfb.exe C:\Windows\SysWOW64\Ldaeka32.exe N/A
File created C:\Windows\SysWOW64\Mkpgck32.exe C:\Windows\SysWOW64\Mciobn32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lmccchkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njcpee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndidbn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kgphpo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjqjih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mkbchk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mamleegg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mcbahlip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll" C:\Windows\SysWOW64\Nddkgonp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll" C:\Windows\SysWOW64\Mciobn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mdmegp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll" C:\Windows\SysWOW64\Nnmopdep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll" C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Njcpee32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kmegbjgn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lknjmkdo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mpmokb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mamleegg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Maohkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nacbfdao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll" C:\Windows\SysWOW64\Nafokcol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lcmofolg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll" C:\Windows\SysWOW64\Mamleegg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll" C:\Windows\SysWOW64\Mpdelajl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nggqoj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll" C:\Windows\SysWOW64\Mnapdf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nnmopdep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nqklmpdd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll" C:\Windows\SysWOW64\Kgdbkohf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll" C:\Windows\SysWOW64\Lcmofolg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll" C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mkpgck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll" C:\Windows\SysWOW64\Nkjjij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" C:\Windows\SysWOW64\Nggqoj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mpdelajl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nafokcol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbkhfc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll" C:\Windows\SysWOW64\Ncgkcl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kibnhjgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldmlpbbj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lnhmng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mnocof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mpdelajl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Njogjfoj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mgghhlhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Maohkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Maaepd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll" C:\Windows\SysWOW64\Nnhfee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll" C:\Windows\SysWOW64\Ngedij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll" C:\Windows\SysWOW64\Kgphpo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mdiklqhm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Maaepd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ncgkcl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll" C:\Windows\SysWOW64\Mahbje32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mcbahlip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nkjjij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll" C:\Windows\SysWOW64\Njogjfoj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lkiqbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll" C:\Windows\SysWOW64\Mnocof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll" C:\Windows\SysWOW64\Mdkhapfj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll" C:\Windows\SysWOW64\Nkncdifl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3968 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe C:\Windows\SysWOW64\Kmegbjgn.exe
PID 3968 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe C:\Windows\SysWOW64\Kmegbjgn.exe
PID 3968 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe C:\Windows\SysWOW64\Kmegbjgn.exe
PID 1412 wrote to memory of 4508 N/A C:\Windows\SysWOW64\Kmegbjgn.exe C:\Windows\SysWOW64\Kdopod32.exe
PID 1412 wrote to memory of 4508 N/A C:\Windows\SysWOW64\Kmegbjgn.exe C:\Windows\SysWOW64\Kdopod32.exe
PID 1412 wrote to memory of 4508 N/A C:\Windows\SysWOW64\Kmegbjgn.exe C:\Windows\SysWOW64\Kdopod32.exe
PID 4508 wrote to memory of 3312 N/A C:\Windows\SysWOW64\Kdopod32.exe C:\Windows\SysWOW64\Kgphpo32.exe
PID 4508 wrote to memory of 3312 N/A C:\Windows\SysWOW64\Kdopod32.exe C:\Windows\SysWOW64\Kgphpo32.exe
PID 4508 wrote to memory of 3312 N/A C:\Windows\SysWOW64\Kdopod32.exe C:\Windows\SysWOW64\Kgphpo32.exe
PID 3312 wrote to memory of 2404 N/A C:\Windows\SysWOW64\Kgphpo32.exe C:\Windows\SysWOW64\Kgdbkohf.exe
PID 3312 wrote to memory of 2404 N/A C:\Windows\SysWOW64\Kgphpo32.exe C:\Windows\SysWOW64\Kgdbkohf.exe
PID 3312 wrote to memory of 2404 N/A C:\Windows\SysWOW64\Kgphpo32.exe C:\Windows\SysWOW64\Kgdbkohf.exe
PID 2404 wrote to memory of 1728 N/A C:\Windows\SysWOW64\Kgdbkohf.exe C:\Windows\SysWOW64\Kibnhjgj.exe
PID 2404 wrote to memory of 1728 N/A C:\Windows\SysWOW64\Kgdbkohf.exe C:\Windows\SysWOW64\Kibnhjgj.exe
PID 2404 wrote to memory of 1728 N/A C:\Windows\SysWOW64\Kgdbkohf.exe C:\Windows\SysWOW64\Kibnhjgj.exe
PID 1728 wrote to memory of 3036 N/A C:\Windows\SysWOW64\Kibnhjgj.exe C:\Windows\SysWOW64\Lcmofolg.exe
PID 1728 wrote to memory of 3036 N/A C:\Windows\SysWOW64\Kibnhjgj.exe C:\Windows\SysWOW64\Lcmofolg.exe
PID 1728 wrote to memory of 3036 N/A C:\Windows\SysWOW64\Kibnhjgj.exe C:\Windows\SysWOW64\Lcmofolg.exe
PID 3036 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Lcmofolg.exe C:\Windows\SysWOW64\Lmccchkn.exe
PID 3036 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Lcmofolg.exe C:\Windows\SysWOW64\Lmccchkn.exe
PID 3036 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Lcmofolg.exe C:\Windows\SysWOW64\Lmccchkn.exe
PID 2528 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Lmccchkn.exe C:\Windows\SysWOW64\Ldmlpbbj.exe
PID 2528 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Lmccchkn.exe C:\Windows\SysWOW64\Ldmlpbbj.exe
PID 2528 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Lmccchkn.exe C:\Windows\SysWOW64\Ldmlpbbj.exe
PID 3048 wrote to memory of 4528 N/A C:\Windows\SysWOW64\Ldmlpbbj.exe C:\Windows\SysWOW64\Lkiqbl32.exe
PID 3048 wrote to memory of 4528 N/A C:\Windows\SysWOW64\Ldmlpbbj.exe C:\Windows\SysWOW64\Lkiqbl32.exe
PID 3048 wrote to memory of 4528 N/A C:\Windows\SysWOW64\Ldmlpbbj.exe C:\Windows\SysWOW64\Lkiqbl32.exe
PID 4528 wrote to memory of 4204 N/A C:\Windows\SysWOW64\Lkiqbl32.exe C:\Windows\SysWOW64\Lnhmng32.exe
PID 4528 wrote to memory of 4204 N/A C:\Windows\SysWOW64\Lkiqbl32.exe C:\Windows\SysWOW64\Lnhmng32.exe
PID 4528 wrote to memory of 4204 N/A C:\Windows\SysWOW64\Lkiqbl32.exe C:\Windows\SysWOW64\Lnhmng32.exe
PID 4204 wrote to memory of 3136 N/A C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Ldaeka32.exe
PID 4204 wrote to memory of 3136 N/A C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Ldaeka32.exe
PID 4204 wrote to memory of 3136 N/A C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\SysWOW64\Ldaeka32.exe
PID 3136 wrote to memory of 4776 N/A C:\Windows\SysWOW64\Ldaeka32.exe C:\Windows\SysWOW64\Lklnhlfb.exe
PID 3136 wrote to memory of 4776 N/A C:\Windows\SysWOW64\Ldaeka32.exe C:\Windows\SysWOW64\Lklnhlfb.exe
PID 3136 wrote to memory of 4776 N/A C:\Windows\SysWOW64\Ldaeka32.exe C:\Windows\SysWOW64\Lklnhlfb.exe
PID 4776 wrote to memory of 1216 N/A C:\Windows\SysWOW64\Lklnhlfb.exe C:\Windows\SysWOW64\Lnjjdgee.exe
PID 4776 wrote to memory of 1216 N/A C:\Windows\SysWOW64\Lklnhlfb.exe C:\Windows\SysWOW64\Lnjjdgee.exe
PID 4776 wrote to memory of 1216 N/A C:\Windows\SysWOW64\Lklnhlfb.exe C:\Windows\SysWOW64\Lnjjdgee.exe
PID 1216 wrote to memory of 4076 N/A C:\Windows\SysWOW64\Lnjjdgee.exe C:\Windows\SysWOW64\Lknjmkdo.exe
PID 1216 wrote to memory of 4076 N/A C:\Windows\SysWOW64\Lnjjdgee.exe C:\Windows\SysWOW64\Lknjmkdo.exe
PID 1216 wrote to memory of 4076 N/A C:\Windows\SysWOW64\Lnjjdgee.exe C:\Windows\SysWOW64\Lknjmkdo.exe
PID 4076 wrote to memory of 5020 N/A C:\Windows\SysWOW64\Lknjmkdo.exe C:\Windows\SysWOW64\Mjqjih32.exe
PID 4076 wrote to memory of 5020 N/A C:\Windows\SysWOW64\Lknjmkdo.exe C:\Windows\SysWOW64\Mjqjih32.exe
PID 4076 wrote to memory of 5020 N/A C:\Windows\SysWOW64\Lknjmkdo.exe C:\Windows\SysWOW64\Mjqjih32.exe
PID 5020 wrote to memory of 100 N/A C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Mahbje32.exe
PID 5020 wrote to memory of 100 N/A C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Mahbje32.exe
PID 5020 wrote to memory of 100 N/A C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\SysWOW64\Mahbje32.exe
PID 100 wrote to memory of 5004 N/A C:\Windows\SysWOW64\Mahbje32.exe C:\Windows\SysWOW64\Mpkbebbf.exe
PID 100 wrote to memory of 5004 N/A C:\Windows\SysWOW64\Mahbje32.exe C:\Windows\SysWOW64\Mpkbebbf.exe
PID 100 wrote to memory of 5004 N/A C:\Windows\SysWOW64\Mahbje32.exe C:\Windows\SysWOW64\Mpkbebbf.exe
PID 5004 wrote to memory of 2416 N/A C:\Windows\SysWOW64\Mpkbebbf.exe C:\Windows\SysWOW64\Mciobn32.exe
PID 5004 wrote to memory of 2416 N/A C:\Windows\SysWOW64\Mpkbebbf.exe C:\Windows\SysWOW64\Mciobn32.exe
PID 5004 wrote to memory of 2416 N/A C:\Windows\SysWOW64\Mpkbebbf.exe C:\Windows\SysWOW64\Mciobn32.exe
PID 2416 wrote to memory of 4664 N/A C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\SysWOW64\Mkpgck32.exe
PID 2416 wrote to memory of 4664 N/A C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\SysWOW64\Mkpgck32.exe
PID 2416 wrote to memory of 4664 N/A C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\SysWOW64\Mkpgck32.exe
PID 4664 wrote to memory of 2100 N/A C:\Windows\SysWOW64\Mkpgck32.exe C:\Windows\SysWOW64\Mjcgohig.exe
PID 4664 wrote to memory of 2100 N/A C:\Windows\SysWOW64\Mkpgck32.exe C:\Windows\SysWOW64\Mjcgohig.exe
PID 4664 wrote to memory of 2100 N/A C:\Windows\SysWOW64\Mkpgck32.exe C:\Windows\SysWOW64\Mjcgohig.exe
PID 2100 wrote to memory of 3416 N/A C:\Windows\SysWOW64\Mjcgohig.exe C:\Windows\SysWOW64\Mnocof32.exe
PID 2100 wrote to memory of 3416 N/A C:\Windows\SysWOW64\Mjcgohig.exe C:\Windows\SysWOW64\Mnocof32.exe
PID 2100 wrote to memory of 3416 N/A C:\Windows\SysWOW64\Mjcgohig.exe C:\Windows\SysWOW64\Mnocof32.exe
PID 3416 wrote to memory of 944 N/A C:\Windows\SysWOW64\Mnocof32.exe C:\Windows\SysWOW64\Mpmokb32.exe

Processes

Process Command Line
C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe "C:\Users\Admin\AppData\Local\Temp\virussign.com_bb884b8bdf9d46315c7be0a60b2463d0.exe"
C:\Windows\SysWOW64\Kmegbjgn.exe C:\Windows\system32\Kmegbjgn.exe
C:\Windows\SysWOW64\Kdopod32.exe C:\Windows\system32\Kdopod32.exe
C:\Windows\SysWOW64\Kgphpo32.exe C:\Windows\system32\Kgphpo32.exe
C:\Windows\SysWOW64\Kgdbkohf.exe C:\Windows\system32\Kgdbkohf.exe
C:\Windows\SysWOW64\Kibnhjgj.exe C:\Windows\system32\Kibnhjgj.exe
C:\Windows\SysWOW64\Lcmofolg.exe C:\Windows\system32\Lcmofolg.exe
C:\Windows\SysWOW64\Lmccchkn.exe C:\Windows\system32\Lmccchkn.exe
C:\Windows\SysWOW64\Ldmlpbbj.exe C:\Windows\system32\Ldmlpbbj.exe
C:\Windows\SysWOW64\Lkiqbl32.exe C:\Windows\system32\Lkiqbl32.exe
C:\Windows\SysWOW64\Lnhmng32.exe C:\Windows\system32\Lnhmng32.exe
C:\Windows\SysWOW64\Ldaeka32.exe C:\Windows\system32\Ldaeka32.exe
C:\Windows\SysWOW64\Lklnhlfb.exe C:\Windows\system32\Lklnhlfb.exe
C:\Windows\SysWOW64\Lnjjdgee.exe C:\Windows\system32\Lnjjdgee.exe
C:\Windows\SysWOW64\Lknjmkdo.exe C:\Windows\system32\Lknjmkdo.exe
C:\Windows\SysWOW64\Mjqjih32.exe C:\Windows\system32\Mjqjih32.exe
C:\Windows\SysWOW64\Mahbje32.exe C:\Windows\system32\Mahbje32.exe
C:\Windows\SysWOW64\Mpkbebbf.exe C:\Windows\system32\Mpkbebbf.exe
C:\Windows\SysWOW64\Mciobn32.exe C:\Windows\system32\Mciobn32.exe
C:\Windows\SysWOW64\Mkpgck32.exe C:\Windows\system32\Mkpgck32.exe
C:\Windows\SysWOW64\Mjcgohig.exe C:\Windows\system32\Mjcgohig.exe
C:\Windows\SysWOW64\Mnocof32.exe C:\Windows\system32\Mnocof32.exe
C:\Windows\SysWOW64\Mpmokb32.exe C:\Windows\system32\Mpmokb32.exe
C:\Windows\SysWOW64\Mdiklqhm.exe C:\Windows\system32\Mdiklqhm.exe
C:\Windows\SysWOW64\Mgghhlhq.exe C:\Windows\system32\Mgghhlhq.exe
C:\Windows\SysWOW64\Mkbchk32.exe C:\Windows\system32\Mkbchk32.exe
C:\Windows\SysWOW64\Mnapdf32.exe C:\Windows\system32\Mnapdf32.exe
C:\Windows\SysWOW64\Mamleegg.exe C:\Windows\system32\Mamleegg.exe
C:\Windows\SysWOW64\Mdkhapfj.exe C:\Windows\system32\Mdkhapfj.exe
C:\Windows\SysWOW64\Mcnhmm32.exe C:\Windows\system32\Mcnhmm32.exe
C:\Windows\SysWOW64\Mkepnjng.exe C:\Windows\system32\Mkepnjng.exe
C:\Windows\SysWOW64\Mjhqjg32.exe C:\Windows\system32\Mjhqjg32.exe
C:\Windows\SysWOW64\Maohkd32.exe C:\Windows\system32\Maohkd32.exe
C:\Windows\SysWOW64\Mdmegp32.exe C:\Windows\system32\Mdmegp32.exe
C:\Windows\SysWOW64\Mglack32.exe C:\Windows\system32\Mglack32.exe
C:\Windows\SysWOW64\Mjjmog32.exe C:\Windows\system32\Mjjmog32.exe
C:\Windows\SysWOW64\Maaepd32.exe C:\Windows\system32\Maaepd32.exe
C:\Windows\SysWOW64\Mpdelajl.exe C:\Windows\system32\Mpdelajl.exe
C:\Windows\SysWOW64\Mcbahlip.exe C:\Windows\system32\Mcbahlip.exe
C:\Windows\SysWOW64\Mgnnhk32.exe C:\Windows\system32\Mgnnhk32.exe
C:\Windows\SysWOW64\Nkjjij32.exe C:\Windows\system32\Nkjjij32.exe
C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\system32\Nnhfee32.exe
C:\Windows\SysWOW64\Nacbfdao.exe C:\Windows\system32\Nacbfdao.exe
C:\Windows\SysWOW64\Ndbnboqb.exe C:\Windows\system32\Ndbnboqb.exe
C:\Windows\SysWOW64\Njogjfoj.exe C:\Windows\system32\Njogjfoj.exe
C:\Windows\SysWOW64\Nafokcol.exe C:\Windows\system32\Nafokcol.exe
C:\Windows\SysWOW64\Nddkgonp.exe C:\Windows\system32\Nddkgonp.exe
C:\Windows\SysWOW64\Ncgkcl32.exe C:\Windows\system32\Ncgkcl32.exe
C:\Windows\SysWOW64\Nkncdifl.exe C:\Windows\system32\Nkncdifl.exe
C:\Windows\SysWOW64\Nnmopdep.exe C:\Windows\system32\Nnmopdep.exe
C:\Windows\SysWOW64\Nqklmpdd.exe C:\Windows\system32\Nqklmpdd.exe
C:\Windows\SysWOW64\Ncihikcg.exe C:\Windows\system32\Ncihikcg.exe
C:\Windows\SysWOW64\Ngedij32.exe C:\Windows\system32\Ngedij32.exe
C:\Windows\SysWOW64\Njcpee32.exe C:\Windows\system32\Njcpee32.exe
C:\Windows\SysWOW64\Nbkhfc32.exe C:\Windows\system32\Nbkhfc32.exe
C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\system32\Ndidbn32.exe
C:\Windows\SysWOW64\Nggqoj32.exe C:\Windows\system32\Nggqoj32.exe
C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\system32\Nkcmohbg.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4104 -ip 4104
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

memory/3968-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3968-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Kmegbjgn.exe

MD5 bed67e072e3405a7d02e86bd9d97d74a
SHA1 b20e9656c70847ecc1815032d01dbdef552a8a9c
SHA256 d27433984ae02a42a21a9850b3dac449bddfe1940aeef6d57a2cfc7da8006f20
SHA512 5f305f7f902d52f3b988549fac19b5702dcc890a4a615254cd2afe4317a122d76876f0e329b264c1fc0ec301d594cd465cb622b99b9ac21ba7daf88dc3846d19

memory/1412-9-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kdopod32.exe

MD5 f554edb99afaab4ff813236575ca2e0c
SHA1 eb462e32933ed5f9768bb36593d051c48b6dd1bf
SHA256 5ca64a6ec85c79d910376e9d617ea45f0da07381a299e8121192081c951d1519
SHA512 38ef0671c10dff102b19154b1a59822c133d161b1adbb03685d38e86bff4f2e34b8fea61e7a1ec224a1a5a283ffe04bd4422cdca2428b80c7b38fd42fa260c3b

memory/4508-21-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3312-25-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kgphpo32.exe

MD5 c55f7bf09f30415ecc4237492bf23d1f
SHA1 d607869236e3e99a8d3d83657b66edf81d7283d8
SHA256 1bd48195118ed33cb66cefcf52f6bd36c03b0b6ea39e19bb08c82c4daedcc6e5
SHA512 375d34e3968acdcb7a48dbc620951173149f82410ab383ea0495cdde50f8dab14538def65adbd1783079140459a860ce81b902cad28086f518d291ded7f86591

C:\Windows\SysWOW64\Kgdbkohf.exe

MD5 3ef6bca2d2e931f22ad88639c67fc1c6
SHA1 acfc374c5e51f91fb94c904dd133cf3cb8e503a7
SHA256 638eea5351281d864bf7d727640f9ee073a9d93a7af990824b8458e34093463d
SHA512 dcdb8497015d6bbb3f838cd417ba72d234853d39176eede23af1961bd2a973ebdc72c48197f80c5103be6161f51daafb4525d464828c5e3c76c9d9907ae94f2a
