Malware Analysis Report

2025-06-16 06:34

Sample ID: 240825-k8n67sybkq
Target: 95045afa4561cfd463467f7907210a30N.exe
SHA256: 3e028e5d31bfd22c72a116a92b0e2d30811c7df6c66691d5fbdac55416723d90
Tags: discovery, persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 3e028e5d31bfd22c72a116a92b0e2d30811c7df6c66691d5fbdac55416723d90
Threat Level: Known bad

The file 95045afa4561cfd463467f7907210a30N.exe was found to be: Known bad.

Malicious Activity Summary

Tags: discovery, persistence

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-25 09:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-25 09:16
Reported: 2024-08-25 09:18
Platform: win7-20240729-en
Max time kernel: 32s
Max time network: 16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mhdcbjal.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Niilmi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ombhgljn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lppkgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mqgahh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mlnbmikh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lkoidcaj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lppkgi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lednal32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lolbjahp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nndhpqma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nglmifca.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nmpkal32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojdlkp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ojdlkp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oiglfm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oenmkngi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lcqdidim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njaoeq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oepianef.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgjcdc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mlnbmikh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mffgfo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nglmifca.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbaafocg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncejcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mfoqephq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lafekm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lkafib32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olgehh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oepianef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Klimcf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkjeod32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njmejaqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnhakp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbodpo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mhgpgjoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njmejaqb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkqbhf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ofmiea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lkafib32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcqdidim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mffgfo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mhdcbjal.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nplkhh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ljhppo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lolbjahp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mogene32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nbodpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lkoidcaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lamkllea.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ljhppo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnknqpgi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lahaqm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncejcg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lamkllea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lhegcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mliibj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnakjaoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nndhpqma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ombhgljn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oclpdf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mhgpgjoj.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Klimcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lafekm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkoidcaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lahaqm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lednal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkafib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lolbjahp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhegcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkccob32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lamkllea.exe N/A
N/A N/A C:\Windows\SysWOW64\Lppkgi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgjcdc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljhppo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcqdidim.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfoqephq.exe N/A
N/A N/A C:\Windows\SysWOW64\Mliibj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mogene32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgomoboc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjmiknng.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqgahh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcendc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfdjpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlnbmikh.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkqbhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mffgfo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhdcbjal.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnakjaoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhgpgjoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nndhpqma.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbodpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Niilmi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nglmifca.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbaafocg.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkjeod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njmejaqb.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnhakp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncejcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnknqpgi.exe N/A
N/A N/A C:\Windows\SysWOW64\Nplkhh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njaoeq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmpkal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojdlkp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oiglfm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ombhgljn.exe N/A
N/A N/A C:\Windows\SysWOW64\Oclpdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oenmkngi.exe N/A
N/A N/A C:\Windows\SysWOW64\Olgehh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofmiea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oepianef.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohnemidj.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe N/A
N/A N/A C:\Windows\SysWOW64\Klimcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Klimcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lafekm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lafekm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkoidcaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkoidcaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lahaqm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lahaqm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lednal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lednal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkafib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkafib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lolbjahp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lolbjahp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhegcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhegcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkccob32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkccob32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lamkllea.exe N/A
N/A N/A C:\Windows\SysWOW64\Lamkllea.exe N/A
N/A N/A C:\Windows\SysWOW64\Lppkgi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lppkgi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgjcdc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgjcdc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljhppo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljhppo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcqdidim.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcqdidim.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfoqephq.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfoqephq.exe N/A
N/A N/A C:\Windows\SysWOW64\Mliibj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mliibj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mogene32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mogene32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgomoboc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgomoboc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjmiknng.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjmiknng.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqgahh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqgahh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcendc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcendc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfdjpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfdjpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlnbmikh.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlnbmikh.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkqbhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkqbhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mffgfo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mffgfo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhdcbjal.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhdcbjal.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnakjaoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnakjaoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhgpgjoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhgpgjoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nndhpqma.exe N/A
N/A N/A C:\Windows\SysWOW64\Nndhpqma.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbodpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbodpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Niilmi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Niilmi32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Cpikne32.dll C:\Windows\SysWOW64\Mcendc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkqbhf32.exe C:\Windows\SysWOW64\Mlnbmikh.exe N/A
File created C:\Windows\SysWOW64\Mffgfo32.exe C:\Windows\SysWOW64\Mkqbhf32.exe N/A
File created C:\Windows\SysWOW64\Qegpeh32.dll C:\Windows\SysWOW64\Nnknqpgi.exe N/A
File opened for modification C:\Windows\SysWOW64\Ohnemidj.exe C:\Windows\SysWOW64\Oepianef.exe N/A
File opened for modification C:\Windows\SysWOW64\Lkoidcaj.exe C:\Windows\SysWOW64\Lafekm32.exe N/A
File created C:\Windows\SysWOW64\Mcendc32.exe C:\Windows\SysWOW64\Mqgahh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mhgpgjoj.exe C:\Windows\SysWOW64\Mnakjaoc.exe N/A
File opened for modification C:\Windows\SysWOW64\Lafekm32.exe C:\Windows\SysWOW64\Klimcf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mogene32.exe C:\Windows\SysWOW64\Mliibj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Niilmi32.exe C:\Windows\SysWOW64\Nbodpo32.exe N/A
File created C:\Windows\SysWOW64\Jligibpk.dll C:\Windows\SysWOW64\Oclpdf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oepianef.exe C:\Windows\SysWOW64\Ofmiea32.exe N/A
File created C:\Windows\SysWOW64\Lkccob32.exe C:\Windows\SysWOW64\Lhegcg32.exe N/A
File created C:\Windows\SysWOW64\Lcqdidim.exe C:\Windows\SysWOW64\Ljhppo32.exe N/A
File created C:\Windows\SysWOW64\Ceahlg32.dll C:\Windows\SysWOW64\Niilmi32.exe N/A
File created C:\Windows\SysWOW64\Idomll32.dll C:\Windows\SysWOW64\Njaoeq32.exe N/A
File created C:\Windows\SysWOW64\Mgomoboc.exe C:\Windows\SysWOW64\Mogene32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbodpo32.exe C:\Windows\SysWOW64\Nndhpqma.exe N/A
File created C:\Windows\SysWOW64\Dpmmdfgc.dll C:\Windows\SysWOW64\Mgomoboc.exe N/A
File created C:\Windows\SysWOW64\Mhgpgjoj.exe C:\Windows\SysWOW64\Mnakjaoc.exe N/A
File created C:\Windows\SysWOW64\Oepianef.exe C:\Windows\SysWOW64\Ofmiea32.exe N/A
File created C:\Windows\SysWOW64\Lamkllea.exe C:\Windows\SysWOW64\Lkccob32.exe N/A
File created C:\Windows\SysWOW64\Mnakjaoc.exe C:\Windows\SysWOW64\Mhdcbjal.exe N/A
File created C:\Windows\SysWOW64\Nndhpqma.exe C:\Windows\SysWOW64\Mhgpgjoj.exe N/A
File created C:\Windows\SysWOW64\Nnknqpgi.exe C:\Windows\SysWOW64\Ncejcg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nmpkal32.exe C:\Windows\SysWOW64\Njaoeq32.exe N/A
File created C:\Windows\SysWOW64\Ckhkbc32.dll C:\Windows\SysWOW64\Lafekm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lcqdidim.exe C:\Windows\SysWOW64\Ljhppo32.exe N/A
File created C:\Windows\SysWOW64\Oenmkngi.exe C:\Windows\SysWOW64\Oclpdf32.exe N/A
File created C:\Windows\SysWOW64\Cealdmqc.dll C:\Windows\SysWOW64\Lahaqm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ljhppo32.exe C:\Windows\SysWOW64\Lgjcdc32.exe N/A
File created C:\Windows\SysWOW64\Eighpgge.dll C:\Windows\SysWOW64\Ojdlkp32.exe N/A
File created C:\Windows\SysWOW64\Lednal32.exe C:\Windows\SysWOW64\Lahaqm32.exe N/A
File created C:\Windows\SysWOW64\Dgcdjk32.dll C:\Windows\SysWOW64\Mhdcbjal.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbaafocg.exe C:\Windows\SysWOW64\Nglmifca.exe N/A
File created C:\Windows\SysWOW64\Mqlenpag.dll C:\Windows\SysWOW64\Lamkllea.exe N/A
File created C:\Windows\SysWOW64\Eefpnicb.dll C:\Windows\SysWOW64\Lcqdidim.exe N/A
File created C:\Windows\SysWOW64\Kcgjllbn.dll C:\Windows\SysWOW64\Mogene32.exe N/A
File created C:\Windows\SysWOW64\Klilah32.dll C:\Windows\SysWOW64\Mqgahh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mhdcbjal.exe C:\Windows\SysWOW64\Mffgfo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Klimcf32.exe C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe N/A
File opened for modification C:\Windows\SysWOW64\Mffgfo32.exe C:\Windows\SysWOW64\Mkqbhf32.exe N/A
File created C:\Windows\SysWOW64\Hpamlo32.dll C:\Windows\SysWOW64\Ombhgljn.exe N/A
File opened for modification C:\Windows\SysWOW64\Lahaqm32.exe C:\Windows\SysWOW64\Lkoidcaj.exe N/A
File opened for modification C:\Windows\SysWOW64\Mliibj32.exe C:\Windows\SysWOW64\Mfoqephq.exe N/A
File created C:\Windows\SysWOW64\Mfdjpo32.exe C:\Windows\SysWOW64\Mcendc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nndhpqma.exe C:\Windows\SysWOW64\Mhgpgjoj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncejcg32.exe C:\Windows\SysWOW64\Nnhakp32.exe N/A
File created C:\Windows\SysWOW64\Dpeack32.dll C:\Windows\SysWOW64\Oiglfm32.exe N/A
File created C:\Windows\SysWOW64\Ofmiea32.exe C:\Windows\SysWOW64\Olgehh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ofmiea32.exe C:\Windows\SysWOW64\Olgehh32.exe N/A
File created C:\Windows\SysWOW64\Iinnfbbo.dll C:\Windows\SysWOW64\Oenmkngi.exe N/A
File created C:\Windows\SysWOW64\Ciomamim.dll C:\Windows\SysWOW64\Lkoidcaj.exe N/A
File opened for modification C:\Windows\SysWOW64\Mfoqephq.exe C:\Windows\SysWOW64\Lcqdidim.exe N/A
File created C:\Windows\SysWOW64\Mjmiknng.exe C:\Windows\SysWOW64\Mgomoboc.exe N/A
File created C:\Windows\SysWOW64\Lkffpabj.dll C:\Windows\SysWOW64\Mkqbhf32.exe N/A
File created C:\Windows\SysWOW64\Iknkfi32.dll C:\Windows\SysWOW64\Nbaafocg.exe N/A
File created C:\Windows\SysWOW64\Lafekm32.exe C:\Windows\SysWOW64\Klimcf32.exe N/A
File created C:\Windows\SysWOW64\Niilmi32.exe C:\Windows\SysWOW64\Nbodpo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Njaoeq32.exe C:\Windows\SysWOW64\Nplkhh32.exe N/A
File created C:\Windows\SysWOW64\Nmpkal32.exe C:\Windows\SysWOW64\Njaoeq32.exe N/A
File created C:\Windows\SysWOW64\Oclpdf32.exe C:\Windows\SysWOW64\Ombhgljn.exe N/A
File created C:\Windows\SysWOW64\Lolbjahp.exe C:\Windows\SysWOW64\Lkafib32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Ohnemidj.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lafekm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mnakjaoc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lahaqm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mhdcbjal.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ncejcg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nbodpo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njaoeq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olgehh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klimcf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mjmiknng.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nbaafocg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oiglfm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lkafib32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njmejaqb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgomoboc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mkqbhf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lhegcg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lgjcdc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lcqdidim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mogene32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lkccob32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nkjeod32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mfoqephq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mqgahh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oepianef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojdlkp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oclpdf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oenmkngi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lolbjahp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ljhppo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nglmifca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmpkal32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mffgfo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mhgpgjoj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnhakp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ohnemidj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lamkllea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Niilmi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnknqpgi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ombhgljn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofmiea32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mliibj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mcendc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mfdjpo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nndhpqma.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lkoidcaj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lppkgi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nplkhh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lednal32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mlnbmikh.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjgehii.dll" C:\Windows\SysWOW64\Njmejaqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Depojmnb.dll" C:\Windows\SysWOW64\Nndhpqma.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cekfdc32.dll" C:\Windows\SysWOW64\Lppkgi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mqgahh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pajicf32.dll" C:\Windows\SysWOW64\Mfdjpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbodpo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nbaafocg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejkdfong.dll" C:\Windows\SysWOW64\Klimcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkffpabj.dll" C:\Windows\SysWOW64\Mkqbhf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lafekm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mliibj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpikne32.dll" C:\Windows\SysWOW64\Mcendc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcdjk32.dll" C:\Windows\SysWOW64\Mhdcbjal.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mnakjaoc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nbodpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpeack32.dll" C:\Windows\SysWOW64\Oiglfm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oiglfm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkgliff.dll" C:\Windows\SysWOW64\Mfoqephq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ofmiea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oepianef.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lamkllea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfijb32.dll" C:\Windows\SysWOW64\Mhgpgjoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncejcg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oclpdf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhkbc32.dll" C:\Windows\SysWOW64\Lafekm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mhgpgjoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mhgpgjoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njaoeq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lgjcdc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lppkgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcgjllbn.dll" C:\Windows\SysWOW64\Mogene32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klilah32.dll" C:\Windows\SysWOW64\Mqgahh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mhdcbjal.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nkjeod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ombhgljn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jligibpk.dll" C:\Windows\SysWOW64\Oclpdf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lednal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mhdcbjal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nmpkal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iinnfbbo.dll" C:\Windows\SysWOW64\Oenmkngi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lahaqm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjfdadn.dll" C:\Windows\SysWOW64\Lkafib32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nglmifca.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nmpkal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eighpgge.dll" C:\Windows\SysWOW64\Ojdlkp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdfjnimm.dll" C:\Windows\SysWOW64\Olgehh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Klimcf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mlnbmikh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mnakjaoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknkfi32.dll" C:\Windows\SysWOW64\Nbaafocg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ncejcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mfoqephq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafbcl32.dll" C:\Windows\SysWOW64\Ofmiea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lhegcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nglmifca.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oenmkngi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lkafib32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lkoidcaj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lhegcg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mfdjpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mfdjpo32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe C:\Windows\SysWOW64\Klimcf32.exe
PID 1464 wrote to memory of 1212 N/A C:\Windows\SysWOW64\Klimcf32.exe C:\Windows\SysWOW64\Lafekm32.exe
PID 1212 wrote to memory of 2888 N/A C:\Windows\SysWOW64\Lafekm32.exe C:\Windows\SysWOW64\Lkoidcaj.exe
PID 2888 wrote to memory of 2168 N/A C:\Windows\SysWOW64\Lkoidcaj.exe C:\Windows\SysWOW64\Lahaqm32.exe
PID 2168 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Lahaqm32.exe C:\Windows\SysWOW64\Lednal32.exe
PID 2944 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Lednal32.exe C:\Windows\SysWOW64\Lkafib32.exe
PID 2612 wrote to memory of 3064 N/A C:\Windows\SysWOW64\Lkafib32.exe C:\Windows\SysWOW64\Lolbjahp.exe
PID 3064 wrote to memory of 2712 N/A C:\Windows\SysWOW64\Lolbjahp.exe C:\Windows\SysWOW64\Lhegcg32.exe
PID 2712 wrote to memory of 2472 N/A C:\Windows\SysWOW64\Lhegcg32.exe C:\Windows\SysWOW64\Lkccob32.exe
PID 2472 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Lkccob32.exe C:\Windows\SysWOW64\Lamkllea.exe
PID 2188 wrote to memory of 884 N/A C:\Windows\SysWOW64\Lamkllea.exe C:\Windows\SysWOW64\Lppkgi32.exe
PID 884 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Lppkgi32.exe C:\Windows\SysWOW64\Lgjcdc32.exe
PID 2828 wrote to memory of 2448 N/A C:\Windows\SysWOW64\Lgjcdc32.exe C:\Windows\SysWOW64\Ljhppo32.exe
PID 2448 wrote to memory of 820 N/A C:\Windows\SysWOW64\Ljhppo32.exe C:\Windows\SysWOW64\Lcqdidim.exe
PID 820 wrote to memory of 2996 N/A C:\Windows\SysWOW64\Lcqdidim.exe C:\Windows\SysWOW64\Mfoqephq.exe
PID 2996 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Mfoqephq.exe C:\Windows\SysWOW64\Mliibj32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe

"C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe"

C:\Windows\SysWOW64\Klimcf32.exe

C:\Windows\system32\Klimcf32.exe

C:\Windows\SysWOW64\Lafekm32.exe

C:\Windows\system32\Lafekm32.exe

C:\Windows\SysWOW64\Lkoidcaj.exe

C:\Windows\system32\Lkoidcaj.exe

C:\Windows\SysWOW64\Lahaqm32.exe

C:\Windows\system32\Lahaqm32.exe

C:\Windows\SysWOW64\Lednal32.exe

C:\Windows\system32\Lednal32.exe

C:\Windows\SysWOW64\Lkafib32.exe

C:\Windows\system32\Lkafib32.exe

C:\Windows\SysWOW64\Lolbjahp.exe

C:\Windows\system32\Lolbjahp.exe

C:\Windows\SysWOW64\Lhegcg32.exe

C:\Windows\system32\Lhegcg32.exe

C:\Windows\SysWOW64\Lkccob32.exe

C:\Windows\system32\Lkccob32.exe

C:\Windows\SysWOW64\Lamkllea.exe

C:\Windows\system32\Lamkllea.exe

C:\Windows\SysWOW64\Lppkgi32.exe

C:\Windows\system32\Lppkgi32.exe

C:\Windows\SysWOW64\Lgjcdc32.exe

C:\Windows\system32\Lgjcdc32.exe

C:\Windows\SysWOW64\Ljhppo32.exe

C:\Windows\system32\Ljhppo32.exe

C:\Windows\SysWOW64\Lcqdidim.exe

C:\Windows\system32\Lcqdidim.exe

C:\Windows\SysWOW64\Mfoqephq.exe

C:\Windows\system32\Mfoqephq.exe

C:\Windows\SysWOW64\Mliibj32.exe

C:\Windows\system32\Mliibj32.exe

C:\Windows\SysWOW64\Mogene32.exe

C:\Windows\system32\Mogene32.exe

C:\Windows\SysWOW64\Mgomoboc.exe

C:\Windows\system32\Mgomoboc.exe

C:\Windows\SysWOW64\Mjmiknng.exe

C:\Windows\system32\Mjmiknng.exe

C:\Windows\SysWOW64\Mqgahh32.exe

C:\Windows\system32\Mqgahh32.exe

C:\Windows\SysWOW64\Mcendc32.exe

C:\Windows\system32\Mcendc32.exe

C:\Windows\SysWOW64\Mfdjpo32.exe

C:\Windows\system32\Mfdjpo32.exe

C:\Windows\SysWOW64\Mlnbmikh.exe

C:\Windows\system32\Mlnbmikh.exe

C:\Windows\SysWOW64\Mkqbhf32.exe

C:\Windows\system32\Mkqbhf32.exe

C:\Windows\SysWOW64\Mffgfo32.exe

C:\Windows\system32\Mffgfo32.exe

C:\Windows\SysWOW64\Mhdcbjal.exe

C:\Windows\system32\Mhdcbjal.exe

C:\Windows\SysWOW64\Mnakjaoc.exe

C:\Windows\system32\Mnakjaoc.exe

C:\Windows\SysWOW64\Mhgpgjoj.exe

C:\Windows\system32\Mhgpgjoj.exe

C:\Windows\SysWOW64\Nndhpqma.exe

C:\Windows\system32\Nndhpqma.exe

C:\Windows\SysWOW64\Nbodpo32.exe

C:\Windows\system32\Nbodpo32.exe

C:\Windows\SysWOW64\Niilmi32.exe

C:\Windows\system32\Niilmi32.exe

C:\Windows\SysWOW64\Nglmifca.exe

C:\Windows\system32\Nglmifca.exe

C:\Windows\SysWOW64\Nbaafocg.exe

C:\Windows\system32\Nbaafocg.exe

C:\Windows\SysWOW64\Nkjeod32.exe

C:\Windows\system32\Nkjeod32.exe

C:\Windows\SysWOW64\Njmejaqb.exe

C:\Windows\system32\Njmejaqb.exe

C:\Windows\SysWOW64\Nnhakp32.exe

C:\Windows\system32\Nnhakp32.exe

C:\Windows\SysWOW64\Ncejcg32.exe

C:\Windows\system32\Ncejcg32.exe

C:\Windows\SysWOW64\Nnknqpgi.exe

C:\Windows\system32\Nnknqpgi.exe

C:\Windows\SysWOW64\Nplkhh32.exe

C:\Windows\system32\Nplkhh32.exe

C:\Windows\SysWOW64\Njaoeq32.exe

C:\Windows\system32\Njaoeq32.exe

C:\Windows\SysWOW64\Nmpkal32.exe

C:\Windows\system32\Nmpkal32.exe

C:\Windows\SysWOW64\Ojdlkp32.exe

C:\Windows\system32\Ojdlkp32.exe

C:\Windows\SysWOW64\Oiglfm32.exe

C:\Windows\system32\Oiglfm32.exe

C:\Windows\SysWOW64\Ombhgljn.exe

C:\Windows\system32\Ombhgljn.exe

C:\Windows\SysWOW64\Oclpdf32.exe

C:\Windows\system32\Oclpdf32.exe

C:\Windows\SysWOW64\Oenmkngi.exe

C:\Windows\system32\Oenmkngi.exe

C:\Windows\SysWOW64\Olgehh32.exe

C:\Windows\system32\Olgehh32.exe

C:\Windows\SysWOW64\Ofmiea32.exe

C:\Windows\system32\Ofmiea32.exe

C:\Windows\SysWOW64\Oepianef.exe

C:\Windows\system32\Oepianef.exe

C:\Windows\SysWOW64\Ohnemidj.exe

C:\Windows\system32\Ohnemidj.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 140

Network

N/A

Files

\Windows\SysWOW64\Klimcf32.exe

C:\Windows\SysWOW64\Lafekm32.exe

\Windows\SysWOW64\Lkoidcaj.exe

\Windows\SysWOW64\Lahaqm32.exe

\Windows\SysWOW64\Lednal32.exe

\Windows\SysWOW64\Lkafib32.exe

C:\Windows\SysWOW64\Lolbjahp.exe

\Windows\SysWOW64\Lhegcg32.exe

\Windows\SysWOW64\Lkccob32.exe

\Windows\SysWOW64\Lamkllea.exe

\Windows\SysWOW64\Lppkgi32.exe

\Windows\SysWOW64\Lgjcdc32.exe

C:\Windows\SysWOW64\Ljhppo32.exe

\Windows\SysWOW64\Lcqdidim.exe

C:\Windows\SysWOW64\Mfoqephq.exe

\Windows\SysWOW64\Mliibj32.exe

C:\Windows\SysWOW64\Mogene32.exe

C:\Windows\SysWOW64\Mgomoboc.exe

C:\Windows\SysWOW64\Mjmiknng.exe

C:\Windows\SysWOW64\Mcendc32.exe

C:\Windows\SysWOW64\Mqgahh32.exe

C:\Windows\SysWOW64\Mfdjpo32.exe

C:\Windows\SysWOW64\Mlnbmikh.exe

C:\Windows\SysWOW64\Mkqbhf32.exe

C:\Windows\SysWOW64\Mffgfo32.exe

C:\Windows\SysWOW64\Mhdcbjal.exe

C:\Windows\SysWOW64\Mnakjaoc.exe

C:\Windows\SysWOW64\Mhgpgjoj.exe

MD5 d74d9c4046e71cbddad761b613f7fe87
SHA1 ae55bfca53b259bff8e761a027e47af438cd15b1
SHA256 364196ffb1256faeb2bd7d0e8509d3c63097ae8f5032cc4cf0262c166471446e
SHA512 d04a3a97dee471e058b722fd2a113f7ec171d2ffc03d202f82600489b056603e97b5a69a2fb225015941f116c77322e0e15a74c6d6edbe6d13e84b3e7082b85b

memory/2876-340-0x0000000000250000-0x000000000028A000-memory.dmp

memory/2908-346-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2768-345-0x0000000000270000-0x00000000002AA000-memory.dmp

C:\Windows\SysWOW64\Nndhpqma.exe

MD5 37c5b48a199afba814615eb037db30d9
SHA1 03ea245f12a75908b2724845f4c08dce082c9422
SHA256 9fc5958653745357d07b6563948cdcbe452cb47be9eb377956c1716c331fc825
SHA512 be7de90707bc68ac596e3338dd04afd18f292e4740b4c455870c5d51cfbfa24f2b19ddcc7db7a720b8159fb64f213cedd8cfae022fca57bbecb24756f80d6aa9

memory/2908-352-0x0000000000250000-0x000000000028A000-memory.dmp

C:\Windows\SysWOW64\Nbodpo32.exe

MD5 bc2f2a7906c4307ae8ddec52c04a7e7f
SHA1 c77db41e66145d5a9099f872048d5b0d46941ef4
SHA256 1b31e213dc607941e179bdf4c7f17b7bb43b4e389fa55716ab9bb286df471705
SHA512 72236714e0eaa6138fca90bbd59cc2bd1e8dd52f7ab4c50a782c03ba32e9f8a5cf12ce79f358b6f376b6b0932d9d59768cf622a664cfbcc4ab47eddc98197668

memory/2800-361-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2908-360-0x0000000000250000-0x000000000028A000-memory.dmp

memory/2316-368-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2800-367-0x0000000000250000-0x000000000028A000-memory.dmp

memory/2800-366-0x0000000000250000-0x000000000028A000-memory.dmp

C:\Windows\SysWOW64\Niilmi32.exe

MD5 f9e6b6878c027728bfba5ab9b8c9e5bb
SHA1 43041e937e534d428eb5d410a1251ef049a9296a
SHA256 58ff067ecdaca47e59ceb118520c92153673385910f750217b51eac87d42388b
SHA512 1e2c0b6c271274f62865ea615ead1cf71b9c90d99e20f9a23631c3e0ee158c7d800867a8f5dbad8ed963f76d5d3f1eeaef8c6c8bf91bab2da8f3940caa400d33

memory/2316-374-0x0000000000260000-0x000000000029A000-memory.dmp

C:\Windows\SysWOW64\Nglmifca.exe

MD5 18a89d50d4e1cba6966d50b3d637f926
SHA1 0074fc5c31e774b8fc81e2f3887e056f86cf5b79
SHA256 d7757e74630e44887aac2fbcc8af599a246c90bcfd42688c969fe8a01915f13b
SHA512 3b02bd02265087cc17dad412c94ac6bdb7e884c255d5105609d2a72239fc5f1194c5f1e5b84391a675a4f6fa29d037a7202a3d6ccfb43b9ae42194111dbbfb0b

memory/3036-381-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3036-382-0x0000000000250000-0x000000000028A000-memory.dmp

memory/1456-389-0x0000000000400000-0x000000000043A000-memory.dmp

memory/624-388-0x00000000002F0000-0x000000000032A000-memory.dmp

C:\Windows\SysWOW64\Nbaafocg.exe

MD5 da6f3c0f24f86c703a9ea439b2c70938
SHA1 67155d9da1c681b942cb361649fe09e223281d0f
SHA256 90a20d3be1d8e144e7c47086865650c889a4bf6023c32b4cf6e2770ba6774229
SHA512 78ca29aa44d6b6c6118e22f6e16bbd7629cd9b625114e9900560e3a57280a37f2c7f09a51fb93199d3dd1063b356b21f1ae21bbbc5dcc5f62b49de4288bc0ce5

C:\Windows\SysWOW64\Nkjeod32.exe

MD5 fbe216af2eaa56540cc04fcd63ed8e76
SHA1 ff43bc3826e5508755e2f6fe2868f23b1820409f
SHA256 6b3c5999d190b832cb432906121c5e00a9ab930abcd2d5e81b8d84bc2466915e
SHA512 0e20d2882b5caa6c2b7b681f06cd844a4db0d6bd503d0684d9b20034bfbaafb2e614a70488e7aad21d36ff03b2943e27d43b1e910182387d3b632600cea54004

memory/1456-406-0x0000000000250000-0x000000000028A000-memory.dmp

memory/1156-409-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1212-408-0x0000000000300000-0x000000000033A000-memory.dmp

memory/2056-407-0x0000000000250000-0x000000000028A000-memory.dmp

C:\Windows\SysWOW64\Njmejaqb.exe

MD5 cf09a81117ae97f9d25af319209e0aa5
SHA1 74c98482194648a2bf823dd4380a65257539d901
SHA256 1bde7affc25d5575463f970707b01a297f943f50636a4588d46f98e245b09acc
SHA512 48419270570fa56ec9e83c1be132f3ecf027be308d6dd8aa2e9117a93dbf79f7dc6ed3e4d0c62914f0e06979ce15c85fa052180223b0ad6f432712ba4be07dae

C:\Windows\SysWOW64\Nnhakp32.exe

MD5 ac0935e7fc152e5662b046117f8418c7
SHA1 96ff85824823cf4b43d8394b71902fc4a1e9e8ec
SHA256 5e8aa0fb6a4213776b35d2c3221a60128410947d733eedf5d17f1cfcf6d63186
SHA512 e599c8ac7f8f288b9e8fd109d74fc08b6f1cffdf9fb5174b8590d81ffbbff43148aa71d277761ab6b608b6e9519912dab5bf9f609ab87caac048805ef46f43b2

memory/2340-427-0x0000000000250000-0x000000000028A000-memory.dmp

memory/1052-428-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1156-426-0x0000000000250000-0x000000000028A000-memory.dmp

C:\Windows\SysWOW64\Ncejcg32.exe

MD5 0fe3aafdc0d6893c7cae70dd911c8ddb
SHA1 0eb82be125ccd7a57eb2428231e2f7835f66fb7a
SHA256 6ffb654ded3db7911140a8b3c41514472f571ea354dd7154063a897e4796265e
SHA512 a64e719bb2cd89851df4ac7cf87544cd7bf491846d7b143983204212d9a917e89d50d0722ae0cce9b80a5df2d635b3c12192fb013b04394dbf29b72f2a712992

memory/2944-437-0x0000000000250000-0x000000000028A000-memory.dmp

C:\Windows\SysWOW64\Nnknqpgi.exe

MD5 874f49d32e090e9a973d2a54646c2c6c
SHA1 b7686803044aceb389c7e420ea4b77247aacdef5
SHA256 33763909581319c5a0de95f2bfe570e67395f912fd572c7ea8e1afeb466343b7
SHA512 095d9da4ff3a33be4f4cbfdb31af96bca2ff54d7cd696318189ee65c567cf49244dcecc8e69acbb1aef8d8ef5b5871c854a3f632de0f4462b7f6252a36398446

memory/2612-438-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2204-448-0x0000000000250000-0x000000000028A000-memory.dmp

memory/1624-449-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2204-447-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Nplkhh32.exe

MD5 515197daa9617dc8431c86713004c877
SHA1 a1c1f946b450c0e70508768f23e8928fd81d0878
SHA256 ec3940e5f07a0b470b4ff6c1041182b2f5298ad9ca70e802d852cb6b7643a28e
SHA512 f60f06e58dc8855bf8b2485201a02ec42065eb2b14b766366ad4b927e37d11283057ded66a32250007d8f5fc3df8f97a0ab003411bd49833e5f8d481b3200ae0

memory/2428-460-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1624-459-0x0000000000300000-0x000000000033A000-memory.dmp

memory/2220-470-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3064-469-0x00000000002F0000-0x000000000032A000-memory.dmp

C:\Windows\SysWOW64\Nmpkal32.exe

MD5 d46a28911f35b638effb9ee5054a1609
SHA1 43444b14ad6cbacca81abfacabc8d59030b40fb9
SHA256 39d6305a18c829c783ee11d670fb7ad331e6404c2a132879bec3d2635cef2ca6
SHA512 06f6ee95b203166b6193b4ac230901fd025838a53d741d1acfff34ce5d9e1783272bbc4365c3832da547824fdade00471442ffbb41d4ace6960f7785a99c72ae

memory/1624-458-0x0000000000300000-0x000000000033A000-memory.dmp

C:\Windows\SysWOW64\Njaoeq32.exe

MD5 23b84e8c3208293d17e969b0c22cdb33
SHA1 6c2909b8ead1c86f4686ffc456ff4b978d09561d
SHA256 0343fe5fc9e195fbcf329b47803d54673c3c74b8b2a0a3557f2a8d05416b2e31
SHA512 773779e19a1d230822f3d34c396fb232bbd9978b70a1747ca07646b278192d2a14be7bf5371a60b008dc677c67f73e69deae3fd33de0da5ec70cd2f711e2ad85

C:\Windows\SysWOW64\Ojdlkp32.exe

MD5 083d7b8cf868cc462afddda11279a8cb
SHA1 48014b3c34a9b7ae24a9406f108575a5b949c2ea
SHA256 4f3ae0b47606915878b01e01d1f8c3754fa3cbbfe99a667a4bceadbc855bdf99
SHA512 ef92fd98a3646b32baa1142e437a706e9c6dfab578213a726d525b833233a9ac23f4cb9bec163400d6c11c02b7762b181a0b00c8ad85f5a58bcb41ae975a5e28

memory/2220-479-0x0000000000250000-0x000000000028A000-memory.dmp

memory/2072-480-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2416-490-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2072-489-0x0000000000250000-0x000000000028A000-memory.dmp

C:\Windows\SysWOW64\Oiglfm32.exe

MD5 980eda0a8a88ad0b94eca610eff97f51
SHA1 63a1a20bdfa6a0ff71925b7a5bdca50c72743e6d
SHA256 a0a0e3bf9f6ba257eb0733227ed447c938635b97c09b3f9d28d428def3d6a710
SHA512 9ccfadef54f3e26f541171e0dead8753dfd2733536a079b085a57bfb6866b6b8a858022064cbcfe1686318b69b44ccf6a6e085f09cbb71bad52a5fcd270e1837

C:\Windows\SysWOW64\Ombhgljn.exe

MD5 caa4dfdf7bca34af6ad3fc123192338c
SHA1 03e8898eecd33c015ec4be25dba1f5d29d9e19fb
SHA256 8197f9e4a98b1abec8f3bed2e8f9fbc6966eef320789e628a2a485ac9eee51e3
SHA512 1394f544f463d00b143ad40ba559913175156a7b6a2a5fc595de1c4e5a1b0c268e816d4b6dc937f8aa44731014074e9b1efc59069ba12130e4bea22fc578570b

memory/2504-499-0x0000000000400000-0x000000000043A000-memory.dmp

memory/912-509-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2504-508-0x0000000000260000-0x000000000029A000-memory.dmp

C:\Windows\SysWOW64\Oclpdf32.exe

MD5 f2fe4fb9d3e9e7bbf2dbcd38f3dc01db
SHA1 911bf3756c28bca33a5fbcb5cc9f4b6cbf2477d2
SHA256 cda49d8d66fd1b1813d1e0e83913ce6be9d1fd41bc841eb9a985d536c02c5dc3
SHA512 e10f355030d52152b57ac12e4161af5ac8340425289cf0abe025204cc9bd36b0667ab5ddcdb31b624448dec2b635585eae6ec3d2acd53ffcc713caee9bf3b497

memory/912-518-0x0000000000260000-0x000000000029A000-memory.dmp

C:\Windows\SysWOW64\Oenmkngi.exe

MD5 431e2b13eb6fc21bf0c1dc08ec99ff1c
SHA1 d22818b97f8d15ce5d3d85ef35cf400ea0cd51cb
SHA256 0e62e33ea386aeda7f55e72892f5a707cad9014d25d5831345a24e8e92aaa57f
SHA512 9af38e951d01fba92d320bae3e13a0d7476a6e224fe3138e88c61a53280d4faa1e229394c841dcc56578aa4f61db793d3fada9f1297b01960d69e0c35e156c64

memory/2436-528-0x0000000000260000-0x000000000029A000-memory.dmp

memory/1548-529-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2436-527-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Olgehh32.exe

MD5 153193c00d361ad1ad56dde0750d0a34
SHA1 95b0cdee311835868162ffd61375df295a381f44
SHA256 65bd95f516ad9e8d2b3d884955fc5d409858cf80ff0b67707b50fbb6113e2575
SHA512 7af45e0756627141af6e486daa73fdcc4637f104db1d2a2bacdbbe4c675fdcaa6b5f474582110ca9807e65740fd417a9b7cab8067d76bd2f12cc305b05d02261

C:\Windows\SysWOW64\Ofmiea32.exe

MD5 d3f7eb4cf10f7150ffa059b602fb4247
SHA1 bf8922e23ab88288cb537f42ae250acb7b9a2249
SHA256 d63f79887e6476e29aa67f77da1e7384d5dd07ed4eed0022420b9ed4dd045c64
SHA512 fbe7d9e79448d2fa535bca089ac267bcdf869ff2eb1da4ff3c2d755b9d3a84c0ae00bd482103663348bba0320c69f983e18832c0d8f31e7f6c911ac221e3ddf8

memory/688-548-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2460-547-0x0000000000250000-0x000000000028A000-memory.dmp

memory/2460-546-0x0000000000250000-0x000000000028A000-memory.dmp

C:\Windows\SysWOW64\Oepianef.exe

MD5 158898b811f8cf8bb7ae97771ef7b372
SHA1 c30c5bc9fa22d0e0878249d801a5bdb82299210d
SHA256 a4df7bc41ca5e0e5edde9a0d3043721cea6022f893d7fc36f5d79eec371ab78e
SHA512 1c7b94ab33230761920a46a5b6b7be8a23e8f677ca3cba0bc072ca8653007073e4e4853ff9b1a47d0d0275e836a4e59e30f6341e33cf94ab5fceec990f66d242

C:\Windows\SysWOW64\Ohnemidj.exe

MD5 4b4ccef141b0c830d88ed4130d6d97cb
SHA1 bf8e863fb8e53e285105dd28cb8ef7b484fd897c
SHA256 c866bc2d6137d4b318abde5afb71bd899501eba2325fecab495b58148fc7f4e3
SHA512 3e014ee7fd92cadb152e4e5be99425c0ea6b37af83fef17f5b77d67c8999470d81dbb440af1c57b4626e9aa86e614d0b531d9d8cf69356728ad2987fc21a83b2

memory/588-557-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1764-558-0x0000000000250000-0x000000000028A000-memory.dmp

memory/1764-559-0x0000000000250000-0x000000000028A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 09:16

Reported

2024-08-25 09:18

Platform

win10v2004-20240802-en

Max time kernel

107s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ocgmpccl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pnfdcjkg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajkaii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdehlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nilcjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oponmilc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajanck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bffkij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nljofl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nggjdc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qdbiedpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dmcibama.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddmaok32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oponmilc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pggbkagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cagobalc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olkhmi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdkcde32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Medgncoe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndfqbhia.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oncofm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Npmagine.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ocgmpccl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmoahijl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pgioqq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bapiabak.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djgjlelk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lphoelqn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpablkhc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngbpidjh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngmgne32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Anogiicl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnffqf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogbipa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qcgffqei.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agglboim.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjpckf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdcoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfbkeh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmannhhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qqijje32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bffkij32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdifoehl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pfaigm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qjoankoi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ageolo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aminee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nckndeni.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogpmjb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfiafg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dmefhako.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Deagdn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Meiaib32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Migjoaaf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pggbkagp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnbmefbg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djdmffnn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfbkeh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njnpppkn.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Lingibiq.exe N/A
N/A N/A C:\Windows\SysWOW64\Lllcen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lphoelqn.exe N/A
N/A N/A C:\Windows\SysWOW64\Medgncoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlopkm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdehlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgddhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mibpda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mplhql32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mckemg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Meiaib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmpijp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpoefk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgimcebb.exe N/A
N/A N/A C:\Windows\SysWOW64\Migjoaaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpablkhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcpnhfhf.exe N/A
N/A N/A C:\Windows\SysWOW64\Menjdbgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnebeogl.exe N/A
N/A N/A C:\Windows\SysWOW64\Npcoakfp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngmgne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nilcjp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nljofl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncdgcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njnpppkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndcdmikd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngbpidjh.exe N/A
N/A N/A C:\Windows\SysWOW64\Njqmepik.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnlhfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndfqbhia.exe N/A
N/A N/A C:\Windows\SysWOW64\Njciko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlaegk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Npmagine.exe N/A
N/A N/A C:\Windows\SysWOW64\Nckndeni.exe N/A
N/A N/A C:\Windows\SysWOW64\Nggjdc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njefqo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oponmilc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogifjcdp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojgbfocc.exe N/A
N/A N/A C:\Windows\SysWOW64\Oncofm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odmgcgbi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocpgod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofnckp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olhlhjpd.exe N/A
N/A N/A C:\Windows\SysWOW64\Odocigqg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ognpebpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojllan32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olkhmi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odapnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogpmjb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcmfodb.exe N/A
N/A N/A C:\Windows\SysWOW64\Onjegled.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqhacgdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocgmpccl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogbipa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojaelm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmoahijl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqknig32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcijeb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjcbbmif.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmannhhj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdifoehl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pggbkagp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjeoglgc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Qdbiedpa.exe C:\Windows\SysWOW64\Qnhahj32.exe N/A
File created C:\Windows\SysWOW64\Jdbnaa32.dll C:\Windows\SysWOW64\Qqijje32.exe N/A
File created C:\Windows\SysWOW64\Jjjald32.dll C:\Windows\SysWOW64\Danecp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Njnpppkn.exe C:\Windows\SysWOW64\Ncdgcf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pcijeb32.exe C:\Windows\SysWOW64\Pqknig32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pjcbbmif.exe C:\Windows\SysWOW64\Pcijeb32.exe N/A
File created C:\Windows\SysWOW64\Qeobam32.dll C:\Windows\SysWOW64\Qcgffqei.exe N/A
File created C:\Windows\SysWOW64\Ijfjal32.dll C:\Windows\SysWOW64\Medgncoe.exe N/A
File opened for modification C:\Windows\SysWOW64\Oqhacgdh.exe C:\Windows\SysWOW64\Onjegled.exe N/A
File opened for modification C:\Windows\SysWOW64\Ojaelm32.exe C:\Windows\SysWOW64\Ogbipa32.exe N/A
File created C:\Windows\SysWOW64\Nilcjp32.exe C:\Windows\SysWOW64\Ngmgne32.exe N/A
File created C:\Windows\SysWOW64\Bapiabak.exe C:\Windows\SysWOW64\Bnbmefbg.exe N/A
File created C:\Windows\SysWOW64\Eflgme32.dll C:\Windows\SysWOW64\Bffkij32.exe N/A
File created C:\Windows\SysWOW64\Ogfilp32.dll C:\Windows\SysWOW64\Chjaol32.exe N/A
File opened for modification C:\Windows\SysWOW64\Danecp32.exe C:\Windows\SysWOW64\Dmcibama.exe N/A
File created C:\Windows\SysWOW64\Naekcf32.dll C:\Windows\SysWOW64\Olkhmi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgddhf32.exe C:\Windows\SysWOW64\Mdehlk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mckemg32.exe C:\Windows\SysWOW64\Mplhql32.exe N/A
File created C:\Windows\SysWOW64\Npmagine.exe C:\Windows\SysWOW64\Nlaegk32.exe N/A
File created C:\Windows\SysWOW64\Bmngqdpj.exe C:\Windows\SysWOW64\Bnkgeg32.exe N/A
File created C:\Windows\SysWOW64\Cndikf32.exe C:\Windows\SysWOW64\Cjinkg32.exe N/A
File created C:\Windows\SysWOW64\Mgddhf32.exe C:\Windows\SysWOW64\Mdehlk32.exe N/A
File created C:\Windows\SysWOW64\Popodg32.dll C:\Windows\SysWOW64\Pdifoehl.exe N/A
File opened for modification C:\Windows\SysWOW64\Qgqeappe.exe C:\Windows\SysWOW64\Qdbiedpa.exe N/A
File created C:\Windows\SysWOW64\Ffpmlcim.dll C:\Windows\SysWOW64\Cjpckf32.exe N/A
File created C:\Windows\SysWOW64\Ingfla32.dll C:\Windows\SysWOW64\Cffdpghg.exe N/A
File opened for modification C:\Windows\SysWOW64\Nckndeni.exe C:\Windows\SysWOW64\Npmagine.exe N/A
File created C:\Windows\SysWOW64\Chempj32.dll C:\Windows\SysWOW64\Qgqeappe.exe N/A
File created C:\Windows\SysWOW64\Cdfkolkf.exe C:\Windows\SysWOW64\Cagobalc.exe N/A
File created C:\Windows\SysWOW64\Jffggf32.dll C:\Windows\SysWOW64\Cagobalc.exe N/A
File created C:\Windows\SysWOW64\Deagdn32.exe C:\Windows\SysWOW64\Daekdooc.exe N/A
File created C:\Windows\SysWOW64\Pmannhhj.exe C:\Windows\SysWOW64\Pjcbbmif.exe N/A
File created C:\Windows\SysWOW64\Ageolo32.exe C:\Windows\SysWOW64\Anmjcieo.exe N/A
File created C:\Windows\SysWOW64\Odocigqg.exe C:\Windows\SysWOW64\Olhlhjpd.exe N/A
File created C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Dhocqigp.exe N/A
File created C:\Windows\SysWOW64\Lipdae32.dll C:\Windows\SysWOW64\Pnfdcjkg.exe N/A
File created C:\Windows\SysWOW64\Panfqmhb.dll C:\Windows\SysWOW64\Pcijeb32.exe N/A
File created C:\Windows\SysWOW64\Pgioqq32.exe C:\Windows\SysWOW64\Pdkcde32.exe N/A
File created C:\Windows\SysWOW64\Echdno32.dll C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
File created C:\Windows\SysWOW64\Pjcbbmif.exe C:\Windows\SysWOW64\Pcijeb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfdodjhm.exe C:\Windows\SysWOW64\Bcebhoii.exe N/A
File created C:\Windows\SysWOW64\Pmdkch32.exe C:\Windows\SysWOW64\Pjeoglgc.exe N/A
File created C:\Windows\SysWOW64\Qcgffqei.exe C:\Windows\SysWOW64\Qqijje32.exe N/A
File created C:\Windows\SysWOW64\Ogpmjb32.exe C:\Windows\SysWOW64\Odapnf32.exe N/A
File created C:\Windows\SysWOW64\Bfddbh32.dll C:\Windows\SysWOW64\Ajkaii32.exe N/A
File created C:\Windows\SysWOW64\Pcijeb32.exe C:\Windows\SysWOW64\Pqknig32.exe N/A
File created C:\Windows\SysWOW64\Pdkcde32.exe C:\Windows\SysWOW64\Pmdkch32.exe N/A
File opened for modification C:\Windows\SysWOW64\Medgncoe.exe C:\Windows\SysWOW64\Lphoelqn.exe N/A
File created C:\Windows\SysWOW64\Lommhphi.dll C:\Windows\SysWOW64\Bfabnjjp.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceehho32.exe C:\Windows\SysWOW64\Cmnpgb32.exe N/A
File created C:\Windows\SysWOW64\Gcdmai32.dll C:\Windows\SysWOW64\Ogpmjb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aqncedbp.exe C:\Windows\SysWOW64\Anogiicl.exe N/A
File created C:\Windows\SysWOW64\Afoeiklb.exe C:\Windows\SysWOW64\Acqimo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfiafg32.exe C:\Windows\SysWOW64\Dhfajjoj.exe N/A
File created C:\Windows\SysWOW64\Mplhql32.exe C:\Windows\SysWOW64\Mibpda32.exe N/A
File created C:\Windows\SysWOW64\Ojllan32.exe C:\Windows\SysWOW64\Ognpebpj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ofcmfodb.exe C:\Windows\SysWOW64\Ogpmjb32.exe N/A
File created C:\Windows\SysWOW64\Ocpgod32.exe C:\Windows\SysWOW64\Odmgcgbi.exe N/A
File created C:\Windows\SysWOW64\Ofcmfodb.exe C:\Windows\SysWOW64\Ogpmjb32.exe N/A
File created C:\Windows\SysWOW64\Oahicipe.dll C:\Windows\SysWOW64\Afoeiklb.exe N/A
File created C:\Windows\SysWOW64\Cnnlaehj.exe C:\Windows\SysWOW64\Cffdpghg.exe N/A
File created C:\Windows\SysWOW64\Mcpnhfhf.exe C:\Windows\SysWOW64\Mpablkhc.exe N/A
File created C:\Windows\SysWOW64\Kmcjho32.dll C:\Windows\SysWOW64\Nckndeni.exe N/A
File created C:\Windows\SysWOW64\Cmnpgb32.exe C:\Windows\SysWOW64\Cjpckf32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdabcm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnffqf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceehho32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Baicac32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ndcdmikd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afmhck32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjddphlq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lphoelqn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agoabn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjpckf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cegdnopg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agglboim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mdehlk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgddhf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mnebeogl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdcoim32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lllcen32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ngbpidjh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njqmepik.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nlaegk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afoeiklb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfiafg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgimcebb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oncofm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojllan32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofcmfodb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcijeb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcppfaka.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aepefb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjfaeh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojgbfocc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfpnph32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcoenmao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmqmma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mckemg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nljofl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofnckp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olhlhjpd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anmjcieo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Menjdbgj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djgjlelk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ncdgcf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mpablkhc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njnpppkn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odmgcgbi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odapnf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pjeoglgc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcbmka32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjinkg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Meiaib32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qcgffqei.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajkaii32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bagflcje.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chcddk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oqhacgdh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojaelm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajanck32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ageolo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nckndeni.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdifoehl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pgioqq32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll" C:\Windows\SysWOW64\Pdkcde32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bfdodjhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddmaok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll" C:\Windows\SysWOW64\Njqmepik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aeklkchg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cmqmma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cffdpghg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Danecp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojgbfocc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ocpgod32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pdkcde32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojaelm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjinkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll" C:\Windows\SysWOW64\Mckemg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll" C:\Windows\SysWOW64\Qnhahj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Anogiicl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cdcoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll" C:\Windows\SysWOW64\Bapiabak.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cjinkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll" C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lphoelqn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll" C:\Windows\SysWOW64\Nnlhfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Odapnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ocgmpccl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll" C:\Windows\SysWOW64\Mplhql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Migjoaaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pqbdjfln.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmefhako.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll" C:\Windows\SysWOW64\Odapnf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pgioqq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll" C:\Windows\SysWOW64\Pgioqq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Medgncoe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pncgmkmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pcppfaka.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mlopkm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebinhj32.dll" C:\Windows\SysWOW64\Mdehlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Deagdn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll" C:\Windows\SysWOW64\Ogbipa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll" C:\Windows\SysWOW64\Pcbmka32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bffkij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll" C:\Windows\SysWOW64\Lphoelqn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pcijeb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pdifoehl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Baicac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll" C:\Windows\SysWOW64\Cagobalc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll" C:\Windows\SysWOW64\Ognpebpj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pmoahijl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll" C:\Windows\SysWOW64\Bcebhoii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll" C:\Windows\SysWOW64\Acqimo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Migjoaaf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Odapnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pmdkch32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cndikf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cjpckf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Odmgcgbi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll" C:\Windows\SysWOW64\Ojaelm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll" C:\Windows\SysWOW64\Afoeiklb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3208 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe C:\Windows\SysWOW64\Lingibiq.exe
PID 3208 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe C:\Windows\SysWOW64\Lingibiq.exe
PID 3208 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe C:\Windows\SysWOW64\Lingibiq.exe
PID 4756 wrote to memory of 3320 N/A C:\Windows\SysWOW64\Lingibiq.exe C:\Windows\SysWOW64\Lllcen32.exe
PID 4756 wrote to memory of 3320 N/A C:\Windows\SysWOW64\Lingibiq.exe C:\Windows\SysWOW64\Lllcen32.exe
PID 4756 wrote to memory of 3320 N/A C:\Windows\SysWOW64\Lingibiq.exe C:\Windows\SysWOW64\Lllcen32.exe
PID 3320 wrote to memory of 3780 N/A C:\Windows\SysWOW64\Lllcen32.exe C:\Windows\SysWOW64\Lphoelqn.exe
PID 3320 wrote to memory of 3780 N/A C:\Windows\SysWOW64\Lllcen32.exe C:\Windows\SysWOW64\Lphoelqn.exe
PID 3320 wrote to memory of 3780 N/A C:\Windows\SysWOW64\Lllcen32.exe C:\Windows\SysWOW64\Lphoelqn.exe
PID 3780 wrote to memory of 2656 N/A C:\Windows\SysWOW64\Lphoelqn.exe C:\Windows\SysWOW64\Medgncoe.exe
PID 3780 wrote to memory of 2656 N/A C:\Windows\SysWOW64\Lphoelqn.exe C:\Windows\SysWOW64\Medgncoe.exe
PID 3780 wrote to memory of 2656 N/A C:\Windows\SysWOW64\Lphoelqn.exe C:\Windows\SysWOW64\Medgncoe.exe
PID 2656 wrote to memory of 1900 N/A C:\Windows\SysWOW64\Medgncoe.exe C:\Windows\SysWOW64\Mlopkm32.exe
PID 2656 wrote to memory of 1900 N/A C:\Windows\SysWOW64\Medgncoe.exe C:\Windows\SysWOW64\Mlopkm32.exe
PID 2656 wrote to memory of 1900 N/A C:\Windows\SysWOW64\Medgncoe.exe C:\Windows\SysWOW64\Mlopkm32.exe
PID 1900 wrote to memory of 2176 N/A C:\Windows\SysWOW64\Mlopkm32.exe C:\Windows\SysWOW64\Mdehlk32.exe
PID 1900 wrote to memory of 2176 N/A C:\Windows\SysWOW64\Mlopkm32.exe C:\Windows\SysWOW64\Mdehlk32.exe
PID 1900 wrote to memory of 2176 N/A C:\Windows\SysWOW64\Mlopkm32.exe C:\Windows\SysWOW64\Mdehlk32.exe
PID 2176 wrote to memory of 4824 N/A C:\Windows\SysWOW64\Mdehlk32.exe C:\Windows\SysWOW64\Mgddhf32.exe
PID 2176 wrote to memory of 4824 N/A C:\Windows\SysWOW64\Mdehlk32.exe C:\Windows\SysWOW64\Mgddhf32.exe
PID 2176 wrote to memory of 4824 N/A C:\Windows\SysWOW64\Mdehlk32.exe C:\Windows\SysWOW64\Mgddhf32.exe
PID 4824 wrote to memory of 1792 N/A C:\Windows\SysWOW64\Mgddhf32.exe C:\Windows\SysWOW64\Mibpda32.exe
PID 4824 wrote to memory of 1792 N/A C:\Windows\SysWOW64\Mgddhf32.exe C:\Windows\SysWOW64\Mibpda32.exe
PID 4824 wrote to memory of 1792 N/A C:\Windows\SysWOW64\Mgddhf32.exe C:\Windows\SysWOW64\Mibpda32.exe
PID 1792 wrote to memory of 4944 N/A C:\Windows\SysWOW64\Mibpda32.exe C:\Windows\SysWOW64\Mplhql32.exe
PID 1792 wrote to memory of 4944 N/A C:\Windows\SysWOW64\Mibpda32.exe C:\Windows\SysWOW64\Mplhql32.exe
PID 1792 wrote to memory of 4944 N/A C:\Windows\SysWOW64\Mibpda32.exe C:\Windows\SysWOW64\Mplhql32.exe
PID 4944 wrote to memory of 1604 N/A C:\Windows\SysWOW64\Mplhql32.exe C:\Windows\SysWOW64\Mckemg32.exe
PID 4944 wrote to memory of 1604 N/A C:\Windows\SysWOW64\Mplhql32.exe C:\Windows\SysWOW64\Mckemg32.exe
PID 4944 wrote to memory of 1604 N/A C:\Windows\SysWOW64\Mplhql32.exe C:\Windows\SysWOW64\Mckemg32.exe
PID 1604 wrote to memory of 3096 N/A C:\Windows\SysWOW64\Mckemg32.exe C:\Windows\SysWOW64\Meiaib32.exe
PID 1604 wrote to memory of 3096 N/A C:\Windows\SysWOW64\Mckemg32.exe C:\Windows\SysWOW64\Meiaib32.exe
PID 1604 wrote to memory of 3096 N/A C:\Windows\SysWOW64\Mckemg32.exe C:\Windows\SysWOW64\Meiaib32.exe
PID 3096 wrote to memory of 4584 N/A C:\Windows\SysWOW64\Meiaib32.exe C:\Windows\SysWOW64\Mmpijp32.exe
PID 3096 wrote to memory of 4584 N/A C:\Windows\SysWOW64\Meiaib32.exe C:\Windows\SysWOW64\Mmpijp32.exe
PID 3096 wrote to memory of 4584 N/A C:\Windows\SysWOW64\Meiaib32.exe C:\Windows\SysWOW64\Mmpijp32.exe
PID 4584 wrote to memory of 2348 N/A C:\Windows\SysWOW64\Mmpijp32.exe C:\Windows\SysWOW64\Mpoefk32.exe
PID 4584 wrote to memory of 2348 N/A C:\Windows\SysWOW64\Mmpijp32.exe C:\Windows\SysWOW64\Mpoefk32.exe
PID 4584 wrote to memory of 2348 N/A C:\Windows\SysWOW64\Mmpijp32.exe C:\Windows\SysWOW64\Mpoefk32.exe
PID 2348 wrote to memory of 380 N/A C:\Windows\SysWOW64\Mpoefk32.exe C:\Windows\SysWOW64\Mgimcebb.exe
PID 2348 wrote to memory of 380 N/A C:\Windows\SysWOW64\Mpoefk32.exe C:\Windows\SysWOW64\Mgimcebb.exe
PID 2348 wrote to memory of 380 N/A C:\Windows\SysWOW64\Mpoefk32.exe C:\Windows\SysWOW64\Mgimcebb.exe
PID 380 wrote to memory of 1220 N/A C:\Windows\SysWOW64\Mgimcebb.exe C:\Windows\SysWOW64\Migjoaaf.exe
PID 380 wrote to memory of 1220 N/A C:\Windows\SysWOW64\Mgimcebb.exe C:\Windows\SysWOW64\Migjoaaf.exe
PID 380 wrote to memory of 1220 N/A C:\Windows\SysWOW64\Mgimcebb.exe C:\Windows\SysWOW64\Migjoaaf.exe
PID 1220 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Migjoaaf.exe C:\Windows\SysWOW64\Mpablkhc.exe
PID 1220 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Migjoaaf.exe C:\Windows\SysWOW64\Mpablkhc.exe
PID 1220 wrote to memory of 2220 N/A C:\Windows\SysWOW64\Migjoaaf.exe C:\Windows\SysWOW64\Mpablkhc.exe
PID 2220 wrote to memory of 1672 N/A C:\Windows\SysWOW64\Mpablkhc.exe C:\Windows\SysWOW64\Mcpnhfhf.exe
PID 2220 wrote to memory of 1672 N/A C:\Windows\SysWOW64\Mpablkhc.exe C:\Windows\SysWOW64\Mcpnhfhf.exe
PID 2220 wrote to memory of 1672 N/A C:\Windows\SysWOW64\Mpablkhc.exe C:\Windows\SysWOW64\Mcpnhfhf.exe
PID 1672 wrote to memory of 3988 N/A C:\Windows\SysWOW64\Mcpnhfhf.exe C:\Windows\SysWOW64\Menjdbgj.exe
PID 1672 wrote to memory of 3988 N/A C:\Windows\SysWOW64\Mcpnhfhf.exe C:\Windows\SysWOW64\Menjdbgj.exe
PID 1672 wrote to memory of 3988 N/A C:\Windows\SysWOW64\Mcpnhfhf.exe C:\Windows\SysWOW64\Menjdbgj.exe
PID 3988 wrote to memory of 3428 N/A C:\Windows\SysWOW64\Menjdbgj.exe C:\Windows\SysWOW64\Mnebeogl.exe
PID 3988 wrote to memory of 3428 N/A C:\Windows\SysWOW64\Menjdbgj.exe C:\Windows\SysWOW64\Mnebeogl.exe
PID 3988 wrote to memory of 3428 N/A C:\Windows\SysWOW64\Menjdbgj.exe C:\Windows\SysWOW64\Mnebeogl.exe
PID 3428 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Mnebeogl.exe C:\Windows\SysWOW64\Npcoakfp.exe
PID 3428 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Mnebeogl.exe C:\Windows\SysWOW64\Npcoakfp.exe
PID 3428 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Mnebeogl.exe C:\Windows\SysWOW64\Npcoakfp.exe
PID 2920 wrote to memory of 4348 N/A C:\Windows\SysWOW64\Npcoakfp.exe C:\Windows\SysWOW64\Ngmgne32.exe
PID 2920 wrote to memory of 4348 N/A C:\Windows\SysWOW64\Npcoakfp.exe C:\Windows\SysWOW64\Ngmgne32.exe
PID 2920 wrote to memory of 4348 N/A C:\Windows\SysWOW64\Npcoakfp.exe C:\Windows\SysWOW64\Ngmgne32.exe
PID 4348 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Ngmgne32.exe C:\Windows\SysWOW64\Nilcjp32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe

"C:\Users\Admin\AppData\Local\Temp\95045afa4561cfd463467f7907210a30N.exe"

C:\Windows\SysWOW64\Lingibiq.exe

C:\Windows\system32\Lingibiq.exe

C:\Windows\SysWOW64\Lllcen32.exe

C:\Windows\system32\Lllcen32.exe

C:\Windows\SysWOW64\Lphoelqn.exe

C:\Windows\system32\Lphoelqn.exe

C:\Windows\SysWOW64\Medgncoe.exe

C:\Windows\system32\Medgncoe.exe

C:\Windows\SysWOW64\Mlopkm32.exe

C:\Windows\system32\Mlopkm32.exe

C:\Windows\SysWOW64\Mdehlk32.exe

C:\Windows\system32\Mdehlk32.exe

C:\Windows\SysWOW64\Mgddhf32.exe

C:\Windows\system32\Mgddhf32.exe

C:\Windows\SysWOW64\Mibpda32.exe

C:\Windows\system32\Mibpda32.exe

C:\Windows\SysWOW64\Mplhql32.exe

C:\Windows\system32\Mplhql32.exe

C:\Windows\SysWOW64\Mckemg32.exe

C:\Windows\system32\Mckemg32.exe

C:\Windows\SysWOW64\Meiaib32.exe

C:\Windows\system32\Meiaib32.exe

C:\Windows\SysWOW64\Mmpijp32.exe

C:\Windows\system32\Mmpijp32.exe

C:\Windows\SysWOW64\Mpoefk32.exe

C:\Windows\system32\Mpoefk32.exe

C:\Windows\SysWOW64\Mgimcebb.exe

C:\Windows\system32\Mgimcebb.exe

C:\Windows\SysWOW64\Migjoaaf.exe

C:\Windows\system32\Migjoaaf.exe

C:\Windows\SysWOW64\Mpablkhc.exe

C:\Windows\system32\Mpablkhc.exe

C:\Windows\SysWOW64\Mcpnhfhf.exe

C:\Windows\system32\Mcpnhfhf.exe

C:\Windows\SysWOW64\Menjdbgj.exe

C:\Windows\system32\Menjdbgj.exe

C:\Windows\SysWOW64\Mnebeogl.exe

C:\Windows\system32\Mnebeogl.exe

C:\Windows\SysWOW64\Npcoakfp.exe

C:\Windows\system32\Npcoakfp.exe

C:\Windows\SysWOW64\Ngmgne32.exe

C:\Windows\system32\Ngmgne32.exe

C:\Windows\SysWOW64\Nilcjp32.exe

C:\Windows\system32\Nilcjp32.exe

C:\Windows\SysWOW64\Nljofl32.exe

C:\Windows\system32\Nljofl32.exe

C:\Windows\SysWOW64\Ncdgcf32.exe

C:\Windows\system32\Ncdgcf32.exe

C:\Windows\SysWOW64\Njnpppkn.exe

C:\Windows\system32\Njnpppkn.exe

C:\Windows\SysWOW64\Ndcdmikd.exe

C:\Windows\system32\Ndcdmikd.exe

C:\Windows\SysWOW64\Ngbpidjh.exe

C:\Windows\system32\Ngbpidjh.exe

C:\Windows\SysWOW64\Njqmepik.exe

C:\Windows\system32\Njqmepik.exe

C:\Windows\SysWOW64\Nnlhfn32.exe

C:\Windows\system32\Nnlhfn32.exe

C:\Windows\SysWOW64\Ndfqbhia.exe

C:\Windows\system32\Ndfqbhia.exe

C:\Windows\SysWOW64\Njciko32.exe

C:\Windows\system32\Njciko32.exe

C:\Windows\SysWOW64\Nlaegk32.exe

C:\Windows\system32\Nlaegk32.exe

C:\Windows\SysWOW64\Npmagine.exe

C:\Windows\system32\Npmagine.exe

C:\Windows\SysWOW64\Nckndeni.exe

C:\Windows\system32\Nckndeni.exe

C:\Windows\SysWOW64\Nggjdc32.exe

C:\Windows\system32\Nggjdc32.exe

C:\Windows\SysWOW64\Njefqo32.exe

C:\Windows\system32\Njefqo32.exe

C:\Windows\SysWOW64\Oponmilc.exe

C:\Windows\system32\Oponmilc.exe

C:\Windows\SysWOW64\Ogifjcdp.exe

C:\Windows\system32\Ogifjcdp.exe

C:\Windows\SysWOW64\Ojgbfocc.exe

C:\Windows\system32\Ojgbfocc.exe

C:\Windows\SysWOW64\Oncofm32.exe

C:\Windows\system32\Oncofm32.exe

C:\Windows\SysWOW64\Odmgcgbi.exe

C:\Windows\system32\Odmgcgbi.exe

C:\Windows\SysWOW64\Ocpgod32.exe

C:\Windows\system32\Ocpgod32.exe

C:\Windows\SysWOW64\Ofnckp32.exe

C:\Windows\system32\Ofnckp32.exe

C:\Windows\SysWOW64\Olhlhjpd.exe

C:\Windows\system32\Olhlhjpd.exe

C:\Windows\SysWOW64\Odocigqg.exe

C:\Windows\system32\Odocigqg.exe

C:\Windows\SysWOW64\Ognpebpj.exe

C:\Windows\system32\Ognpebpj.exe

C:\Windows\SysWOW64\Ojllan32.exe

C:\Windows\system32\Ojllan32.exe

C:\Windows\SysWOW64\Olkhmi32.exe

C:\Windows\system32\Olkhmi32.exe

C:\Windows\SysWOW64\Odapnf32.exe

C:\Windows\system32\Odapnf32.exe

C:\Windows\SysWOW64\Ogpmjb32.exe

C:\Windows\system32\Ogpmjb32.exe

C:\Windows\SysWOW64\Ofcmfodb.exe

C:\Windows\system32\Ofcmfodb.exe

C:\Windows\SysWOW64\Onjegled.exe

C:\Windows\system32\Onjegled.exe

C:\Windows\SysWOW64\Oqhacgdh.exe

C:\Windows\system32\Oqhacgdh.exe

C:\Windows\SysWOW64\Ocgmpccl.exe

C:\Windows\system32\Ocgmpccl.exe

C:\Windows\SysWOW64\Ogbipa32.exe

C:\Windows\system32\Ogbipa32.exe

C:\Windows\SysWOW64\Ojaelm32.exe

C:\Windows\system32\Ojaelm32.exe

C:\Windows\SysWOW64\Pmoahijl.exe

C:\Windows\system32\Pmoahijl.exe

C:\Windows\SysWOW64\Pqknig32.exe

C:\Windows\system32\Pqknig32.exe

C:\Windows\SysWOW64\Pcijeb32.exe

C:\Windows\system32\Pcijeb32.exe

C:\Windows\SysWOW64\Pjcbbmif.exe

C:\Windows\system32\Pjcbbmif.exe

C:\Windows\SysWOW64\Pmannhhj.exe

C:\Windows\system32\Pmannhhj.exe

C:\Windows\SysWOW64\Pdifoehl.exe

C:\Windows\system32\Pdifoehl.exe

C:\Windows\SysWOW64\Pggbkagp.exe

C:\Windows\system32\Pggbkagp.exe

C:\Windows\SysWOW64\Pjeoglgc.exe

C:\Windows\system32\Pjeoglgc.exe

C:\Windows\SysWOW64\Pmdkch32.exe

C:\Windows\system32\Pmdkch32.exe

C:\Windows\SysWOW64\Pdkcde32.exe

C:\Windows\system32\Pdkcde32.exe

C:\Windows\SysWOW64\Pgioqq32.exe

C:\Windows\system32\Pgioqq32.exe

C:\Windows\SysWOW64\Pncgmkmj.exe

C:\Windows\system32\Pncgmkmj.exe

C:\Windows\SysWOW64\Pqbdjfln.exe

C:\Windows\system32\Pqbdjfln.exe

C:\Windows\SysWOW64\Pcppfaka.exe

C:\Windows\system32\Pcppfaka.exe

C:\Windows\SysWOW64\Pnfdcjkg.exe

C:\Windows\system32\Pnfdcjkg.exe

C:\Windows\SysWOW64\Pcbmka32.exe

C:\Windows\system32\Pcbmka32.exe

C:\Windows\SysWOW64\Pfaigm32.exe

C:\Windows\system32\Pfaigm32.exe

C:\Windows\SysWOW64\Qnhahj32.exe

C:\Windows\system32\Qnhahj32.exe

C:\Windows\SysWOW64\Qdbiedpa.exe

C:\Windows\system32\Qdbiedpa.exe

C:\Windows\SysWOW64\Qgqeappe.exe

C:\Windows\system32\Qgqeappe.exe

C:\Windows\SysWOW64\Qjoankoi.exe

C:\Windows\system32\Qjoankoi.exe

C:\Windows\SysWOW64\Qqijje32.exe

C:\Windows\system32\Qqijje32.exe

C:\Windows\SysWOW64\Qcgffqei.exe

C:\Windows\system32\Qcgffqei.exe

C:\Windows\SysWOW64\Ajanck32.exe

C:\Windows\system32\Ajanck32.exe

C:\Windows\SysWOW64\Anmjcieo.exe

C:\Windows\system32\Anmjcieo.exe

C:\Windows\SysWOW64\Ageolo32.exe

C:\Windows\system32\Ageolo32.exe

C:\Windows\SysWOW64\Anogiicl.exe

C:\Windows\system32\Anogiicl.exe

C:\Windows\SysWOW64\Aqncedbp.exe

C:\Windows\system32\Aqncedbp.exe

C:\Windows\SysWOW64\Agglboim.exe

C:\Windows\system32\Agglboim.exe

C:\Windows\SysWOW64\Aeklkchg.exe

C:\Windows\system32\Aeklkchg.exe

C:\Windows\SysWOW64\Afmhck32.exe

C:\Windows\system32\Afmhck32.exe

C:\Windows\SysWOW64\Acqimo32.exe

C:\Windows\system32\Acqimo32.exe

C:\Windows\SysWOW64\Afoeiklb.exe

C:\Windows\system32\Afoeiklb.exe

C:\Windows\SysWOW64\Ajkaii32.exe

C:\Windows\system32\Ajkaii32.exe

C:\Windows\SysWOW64\Aminee32.exe

C:\Windows\system32\Aminee32.exe

C:\Windows\SysWOW64\Aepefb32.exe

C:\Windows\system32\Aepefb32.exe

C:\Windows\SysWOW64\Agoabn32.exe

C:\Windows\system32\Agoabn32.exe

C:\Windows\SysWOW64\Bfabnjjp.exe

C:\Windows\system32\Bfabnjjp.exe

C:\Windows\SysWOW64\Bnhjohkb.exe

C:\Windows\system32\Bnhjohkb.exe

C:\Windows\SysWOW64\Bagflcje.exe

C:\Windows\system32\Bagflcje.exe

C:\Windows\SysWOW64\Bcebhoii.exe

C:\Windows\system32\Bcebhoii.exe

C:\Windows\SysWOW64\Bfdodjhm.exe

C:\Windows\system32\Bfdodjhm.exe

C:\Windows\SysWOW64\Bnkgeg32.exe

C:\Windows\system32\Bnkgeg32.exe

C:\Windows\SysWOW64\Bmngqdpj.exe

C:\Windows\system32\Bmngqdpj.exe

C:\Windows\SysWOW64\Baicac32.exe

C:\Windows\system32\Baicac32.exe

C:\Windows\SysWOW64\Bchomn32.exe

C:\Windows\system32\Bchomn32.exe

C:\Windows\SysWOW64\Bffkij32.exe

C:\Windows\system32\Bffkij32.exe

C:\Windows\SysWOW64\Bjagjhnc.exe

C:\Windows\system32\Bjagjhnc.exe

C:\Windows\SysWOW64\Bmpcfdmg.exe

C:\Windows\system32\Bmpcfdmg.exe

C:\Windows\SysWOW64\Bfhhoi32.exe

C:\Windows\system32\Bfhhoi32.exe

C:\Windows\SysWOW64\Bjddphlq.exe

C:\Windows\system32\Bjddphlq.exe

C:\Windows\SysWOW64\Banllbdn.exe

C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Bclhhnca.exe

C:\Windows\system32\Bclhhnca.exe

C:\Windows\SysWOW64\Bhhdil32.exe

C:\Windows\system32\Bhhdil32.exe

C:\Windows\SysWOW64\Bjfaeh32.exe

C:\Windows\system32\Bjfaeh32.exe

C:\Windows\SysWOW64\Bnbmefbg.exe

C:\Windows\system32\Bnbmefbg.exe

C:\Windows\SysWOW64\Bapiabak.exe

C:\Windows\system32\Bapiabak.exe

C:\Windows\SysWOW64\Bcoenmao.exe

C:\Windows\system32\Bcoenmao.exe

C:\Windows\SysWOW64\Chjaol32.exe

C:\Windows\system32\Chjaol32.exe

C:\Windows\SysWOW64\Cjinkg32.exe

C:\Windows\system32\Cjinkg32.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Cabfga32.exe

C:\Windows\system32\Cabfga32.exe

C:\Windows\SysWOW64\Cenahpha.exe

C:\Windows\system32\Cenahpha.exe

C:\Windows\SysWOW64\Cdabcm32.exe

C:\Windows\system32\Cdabcm32.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cjkjpgfi.exe

C:\Windows\system32\Cjkjpgfi.exe

C:\Windows\SysWOW64\Cnffqf32.exe

C:\Windows\system32\Cnffqf32.exe

C:\Windows\SysWOW64\Caebma32.exe

C:\Windows\system32\Caebma32.exe

C:\Windows\SysWOW64\Cdcoim32.exe

C:\Windows\system32\Cdcoim32.exe

C:\Windows\SysWOW64\Cfbkeh32.exe

C:\Windows\system32\Cfbkeh32.exe

C:\Windows\SysWOW64\Cjmgfgdf.exe

C:\Windows\system32\Cjmgfgdf.exe

C:\Windows\SysWOW64\Cmlcbbcj.exe

C:\Windows\system32\Cmlcbbcj.exe

C:\Windows\SysWOW64\Cagobalc.exe

C:\Windows\system32\Cagobalc.exe

C:\Windows\SysWOW64\Cdfkolkf.exe

C:\Windows\system32\Cdfkolkf.exe

C:\Windows\SysWOW64\Cfdhkhjj.exe

C:\Windows\system32\Cfdhkhjj.exe

C:\Windows\SysWOW64\Cjpckf32.exe

C:\Windows\system32\Cjpckf32.exe

C:\Windows\SysWOW64\Cmnpgb32.exe

C:\Windows\system32\Cmnpgb32.exe

C:\Windows\SysWOW64\Ceehho32.exe

C:\Windows\system32\Ceehho32.exe

C:\Windows\SysWOW64\Cdhhdlid.exe

C:\Windows\system32\Cdhhdlid.exe

C:\Windows\SysWOW64\Chcddk32.exe

C:\Windows\system32\Chcddk32.exe

C:\Windows\SysWOW64\Cffdpghg.exe

C:\Windows\system32\Cffdpghg.exe

C:\Windows\SysWOW64\Cnnlaehj.exe

C:\Windows\system32\Cnnlaehj.exe

C:\Windows\SysWOW64\Cmqmma32.exe

C:\Windows\system32\Cmqmma32.exe

C:\Windows\SysWOW64\Cegdnopg.exe

C:\Windows\system32\Cegdnopg.exe

C:\Windows\SysWOW64\Dhfajjoj.exe

C:\Windows\system32\Dhfajjoj.exe

C:\Windows\SysWOW64\Dfiafg32.exe

C:\Windows\system32\Dfiafg32.exe

C:\Windows\SysWOW64\Djdmffnn.exe

C:\Windows\system32\Djdmffnn.exe

C:\Windows\SysWOW64\Dmcibama.exe

C:\Windows\system32\Dmcibama.exe

C:\Windows\SysWOW64\Danecp32.exe

C:\Windows\system32\Danecp32.exe

C:\Windows\SysWOW64\Ddmaok32.exe

C:\Windows\system32\Ddmaok32.exe

C:\Windows\SysWOW64\Dhhnpjmh.exe

C:\Windows\system32\Dhhnpjmh.exe

C:\Windows\SysWOW64\Djgjlelk.exe

C:\Windows\system32\Djgjlelk.exe

C:\Windows\SysWOW64\Dmefhako.exe

C:\Windows\system32\Dmefhako.exe

C:\Windows\SysWOW64\Delnin32.exe

C:\Windows\system32\Delnin32.exe

C:\Windows\SysWOW64\Dhkjej32.exe

C:\Windows\system32\Dhkjej32.exe

C:\Windows\SysWOW64\Dfnjafap.exe

C:\Windows\system32\Dfnjafap.exe

C:\Windows\SysWOW64\Dhmgki32.exe

C:\Windows\system32\Dhmgki32.exe

C:\Windows\SysWOW64\Dogogcpo.exe

C:\Windows\system32\Dogogcpo.exe

C:\Windows\SysWOW64\Daekdooc.exe

C:\Windows\system32\Daekdooc.exe

C:\Windows\SysWOW64\Deagdn32.exe

C:\Windows\system32\Deagdn32.exe

C:\Windows\SysWOW64\Dhocqigp.exe

C:\Windows\system32\Dhocqigp.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 7112 -ip 7112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 396

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/3208-0-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Lingibiq.exe

MD5 00959d2d793bfd723e1482b6ffd5e59c
SHA1 c5bdfd553ed41a283a60fcf437bd16231cdd9593
SHA256 3f490cb5a51f6df61318cf4a03a1a25a1532921b86d1aaa92a9770287a715701
SHA512 18a03831412d45b16d5085b3fd3a959905204f65768ff15ec65cc49b98b10e29d3d9e2c0a8ae4446bea679f5bce6f432e72b0a27a0acbffdacf77a2dfd24ec12

memory/4756-7-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Lllcen32.exe

MD5 9f091a457582d5e165cdd12e30f1c3d7
SHA1 f024a26fef45c9050f234a162e096f7b875dd0d6
SHA256 fa9ea80af90a1807b8a85207cc405e76fd64082a5bb93a0ed3e5e3240cec953f
SHA512 5549dd99d6b7779e0f3f2e6e5f2bca69f5ef2e962c36f814188c51326bddd54792399f9aff13cffb04529ad22c3b99a50fc68dec39b909ea19c9a42af0cb8ecb

memory/3320-15-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Lphoelqn.exe

MD5 8a0e252df92de3da69a3a9010b0f98db
SHA1 02d4cbfa7d193172d070b97021abaeff46dc271a
SHA256 4f42c5aa7beca99fc6be14ce6522d5a166d3da5db294bbc04c48f179c1801f3a
SHA512 8506b6149a13ca91ee2a7159d79b87365bb1ada686ceb58a3306253c4a563a1a063fae43588051b5c1f43b4449ee701e4a0f9572538577277826775f556cb315

memory/3780-23-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Medgncoe.exe

MD5 b67348e2901f2ee54edee9a634e1af6e
SHA1 d0559b7b98d04dcbcd9542c76bb9141e5b7d159e
SHA256 0bdd903bd5219bf45284f447af55f74d520a503b55753bde898514383ba16048
SHA512 721834ddbe69ab231066bfc951587fe773eacd6395721ac85a5c0f096a14eac037cbdd535c432e8f81f8d6c19f4a193b767c2246902d2388481f3a0416ba06ee

memory/2656-31-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Mlopkm32.exe

MD5 9c2a28b46bf45f877fd0734af01bf589
SHA1 8ec3d009078df6da46dcb7d983297df57775aec8
SHA256 96976049de59f8d1ec0b0b7c71a1b4f9f3152672e0a539f3624f788f29b57fd0
SHA512 f56c10865c4c352bb50ff807dffeccc3443fa8c043153b4faaa59eeead04eda2f2a791a2ee8f0be1e4dee58fc55030327834c5633925d43791734c258480c8f8

memory/1900-39-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Mdehlk32.exe

MD5 c8e1c51b77240c1466323a54040f1988
SHA1 420be7996be18ca41fde5ab2f66c193264e8169b
SHA256 636ac3bba17768eab0551966c95b20d6a20d9e1689370dca63195c8d0e445a1a
SHA512 f5ffeb80b85f1a9301bcfcec2c60fe8a54f3e74aed9cb2e9d64e51006380c02cdad06c3aa6cbc6a67d0e380b69517cdeaf7b5ed4db352c6e7b4cb77195f9a3f9

memory/2176-47-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Mgddhf32.exe

MD5 79f468011458f90e7c8b70ee32cc9e00
SHA1 5d19360c81c6fa1077df5971d3c83f6edfa9385a
SHA256 c422a94bb15ce27a72907b2544ed62cc7be7c5e73dfedc04b77a5e3e1723178d
SHA512 c9328dd520f2cb88c14f46dc5fb586937bc5a7afcbd1c03f1dc7a125a699107261a3976f21da8e60fb3206ec22d37046e59bfe6bf5c0b2e826dfc658a205cb29

memory/4824-55-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Mibpda32.exe

MD5 d9a47931165cce5c9c5f728e9eb7d8d7
SHA1 2f21bc1d9522a1e8c045896feb285bd406b8e2fb
SHA256 ffd6a49de76c7ca72663fdf3fe4f6aa8ba96fa5f1eef295d7ec98a198754aeac
SHA512 d440fcc9987684ee8125b391735c899ba67a2184202cdce12a2c00fe40c3ab8fe9fee6b09365843c7a39abb849f0f1c1d21255f7a4edbdda377340d0f1528574

memory/1792-63-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Mplhql32.exe

MD5 9cedf4adb56de4edb8ea5f61e9aac342
SHA1 a00da68c01db8941362716d45fea825080d52558
SHA256 fb181b6af9f364df2cf09abe1d982c7efd66abef69422751cc096e82d6f64c0b
SHA512 cb6690ae13203ceb1168d6aaa65e15a4cbdf53e3c21f497e648b82a479f67c185e16324f723ae8f36ca9525fcc34d845f281263736de626425a9c11eb07f4c00

memory/4944-72-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Mckemg32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Mckemg32.exe

MD5 41f3d0b347ef16dad269fca5bd1be2a3
SHA1 189a434527d95a3d2cd9bafbed82ab132dbd8e30
SHA256 b5bb0c1baed8211b5040da62fe6d0fc29e8932e7a92c6497b2c4924953f812ac
SHA512 744ac5f6b728596fdde6f946e9c7d805225354ca14469c46eaf10f384a9b11510781ba24c8ecbd16e49d70930159f10aa6ad4ba6b0c405b448ead0a81ae366af

memory/1604-80-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Meiaib32.exe

MD5 5160c149f7487f4a764fa3cabb7894ef
SHA1 522db8eb8f92073e80d68c8075e18a1b1b6c3623
SHA256 cef81c16ebf4de67bc1fecf6fcc3ef379cdb890a16ae1c919fceb63bcac4ab5b
SHA512 3078cb9a67cf5866a39255fdd440f53c64bfc0665bc109068e842f515333ecf6c102f39863ebca270d404492b4958869768623786ce8e50f95ec2ebadbab638a

memory/3096-88-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Mmpijp32.exe

MD5 0228c6bd8bb9af612989ed719e92ed4f
SHA1 d219c892e0d915a0e2e561d952c103d7ceda6097
SHA256 e477b16c69243c4df6bcc714efb43900429358bc30eb9b119a264951fcfdaeaa
SHA512 ff6118440e958a5cd8869b56b05562ad01164b2c2d896e666221d636134845c67fd322c0e6ecbbde011a47adbdadd28f99e930f75ba282e5a0eac4f229942631

memory/4584-96-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Mpoefk32.exe

MD5 a9669157cf58ecc863f0f977989af7a0
SHA1 1a4f3203450d190410411509c154f0adcc0aeb1a
SHA256 4148fd323b6846123a2654370c1326518f8063434d69405aaabc8ac7b274a59b
SHA512 7fb9d1767d32dfff4f36c7ae03e0b395db03b4c1e32106c6beb1d15265a8fc4d3ee36ec1fea704870a91fd646eca802a00007fab8ce28154a55dede8a647757f

memory/2348-103-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Mgimcebb.exe

MD5 bf6eac01400b1791c48402e847ca65a9
SHA1 30f22792fe9f47cd87f91e898d5d38e80dfaed84
SHA256 c54ad5958ab5b5aa2180e281f08b636eaf6ae4eee26aa7271ee008e13a5584db
SHA512 9bc64b967596cb7a99494b2ddaf096266c0175c1924afee15b3e9738cc895d08701d4f007aa34683cd7bb843dff26ecb0477aa6897b25baa6adf393d303478cd

memory/380-111-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Migjoaaf.exe

MD5 bb8c3489e637fb116f447c282efce680
SHA1 f80fe6be77933315b0f0c87325f6184a42a46998
SHA256 4d78ee227ad6d5095efdf0b0d4b76a6d4cafa9c866f0e65e74a2a0361fd83107
SHA512 777e57a3e62246c7682dab6b5f4dbe9db31eaf7036cecb18f0111247cbd0511d18dc9697f7d60c0b2e9b37475a5e0ad3a734736837d14ea38d3ab09ead358754

memory/1220-119-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Mpablkhc.exe

MD5 0b6b0f0d3a41c370c49362d746394709
SHA1 a52612c37703f793421312b50c04eded29b34624
SHA256 d67e4a04a455fd7b319b8170ff1badb460b1c976511316c839e3cf95fba9d18d
SHA512 62775d3f216c8987404c9fb330f9a49dc4db7f92e3452c4f7d664f51a70f1d5410e87b65712df7d71250b7c9fd247d5ebff160e389a45bd593175f4ccd0668e5

memory/2220-128-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Mcpnhfhf.exe

MD5 84ee3407b48abf81fcf7dafd27f65465
SHA1 7692faee155077d7604e6f6f6981e9f5eba99ac4
SHA256 e93398b0bd02faa49bb4f3a4dede89b7cdc927c99bcc3f7bb0046b1b8d87b52f
SHA512 b9dbb1dab44799ce7ce86f58c852417b7e324ea180571134fc23c2e2788ab550f8e7ffd39250bdc8d6dc02f62b6f9a513614620915ac1fa044320030af3abe1a

memory/1672-136-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Menjdbgj.exe

MD5 4b5eb9ddba8fe3043f7730850c8de17e
SHA1 0e575ac310d13b0f53bf686e5c5e673ca977a977
SHA256 a87f9c1b3f29157a40ff09a72240f7a9b28da779d3b55f4c904d8715650bdbbe
SHA512 4cc89e70c7ad75cd46bdf354236cf01d2be93c62f58e6b1f28ccfab80c0daaa620077687d465efaf48f6cdb7d7a5bf3e1ef1f3ef3b1b51a8f577456920c69d51

memory/3988-144-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Mnebeogl.exe

MD5 f6e52559263cbe0fbd31caaae3dbb4aa
SHA1 17c841a092fdacdf35c7c368da31367c8f277ade
SHA256 6660e3c68a23ed2baadc65d4d79bd5741f55450b2501517a22687545314641c1
SHA512 5eeb1433c112d33802946d5b7f626f94385b8943114bd024645786d9bf4459e447042f562c8bab9757b9f889f2c8a8afd7c720734810f436756601e7836c0338

memory/3428-152-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Npcoakfp.exe

MD5 94f05c18bf63ae9bd4e182e7e222b970
SHA1 8bf86d810483c67167fea53bb810942e8ad1d197
SHA256 fde54ad1e100ee2d62a3baf1e80ba04fe8b3ad555f62df331d6779cc3e4729f5
SHA512 abe5eefac5a290ac1a16230b577f5610ca3d46696c51e8d1b79095e37bb9b70ba01ede9dd359387760ef289ce3f7604963bca63a6d32e74eb4fc5c612fc02f87

memory/2920-160-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4348-167-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Ngmgne32.exe

MD5 9fc52989a4bb94d465afb126c04f8caf
SHA1 912f7485c1098d5b46bd75aebc731a17c269fc4c
SHA256 d6b36b95a2730fd3f876d1dd4409c46019656630f3bc16dc0bfa2548c48579f0
SHA512 26ba21e717cdc72edcc5cef591ee53eba75549d72d81f7dd39dfe565855498259b2623710fc82fd85fede48f02a3d0fe406cd8f714aa32b70c6e686a850d500a

C:\Windows\SysWOW64\Nilcjp32.exe

MD5 2220fdc3d30dcffcb0ee6edcb8b7c413
SHA1 1e53a31d503eb143bf79d6f167baa9ee76203dad
SHA256 d6824c45747e81f8bc59a218b577f216b3a1e276cf23497f471376a4595a8fab
SHA512 8e6051a28e2a17b4d9c137283fbbf1582092a7b95d8bc7a197497363cd935d88efde3ede3d7d8f670194874201b94cc504fe8cb9cd3768c8d18d01aa36a39a16

memory/2468-175-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Nljofl32.exe

MD5 1de84523bf6dff39e3c9912b8dc061cd
SHA1 2cd4f21d2e03d64d14404f7e2bc650374a0ea39f
SHA256 5b98bee81dcae8db89d0370ac21283fe11250a85f08a4228854d61556875550e
SHA512 5af491bed92670ea50e979f425cf8e860b09dc8708c79aaf8d6ae72b9f57aa00644f2011ff4eb8471863a37cb2176a0a41b49b562ec988fa92d31b1648d0bfd6

memory/2636-183-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Ncdgcf32.exe

MD5 8c814ffd246eb3c24a7e2fbe39e65426
SHA1 8798e1da4ae667f83aecf4c3420891990ebc665f
SHA256 1cc62f860f939bd6332313283ad0a89b426d88f71cd39c0b28cf2a4a1e22462d
SHA512 451b114a544505d404e6e8097b6e00438aec5be462950c5576392df7aa0115afa86938e5609c514f7ad136e6d79b3e92b96640eaba5a8bf96722a5c9a05914ef

memory/1492-191-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Njnpppkn.exe

MD5 853861ad9ef363b6c7c1c2450dab1a9d
SHA1 fbebda6798bbe0711a79aa80f295771705d3aca5
SHA256 6ed6a6e01ce813b0081556586c1ab3201d2e00e79b72c4fbc62ba24786c4fcf0
SHA512 8d19467fe3f8fa892f9447848b3b48d793bf36e309f02f3a3bce12cdb28882b1f7985e759e5d5ef326807a1862634246b4133ef6706b76fb92416432267e8440

memory/1572-199-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Ndcdmikd.exe

MD5 fd4d10bfba70de1a0ac91f4865abca83
SHA1 65a11ddee0f106ca1429474321c24dcb913e4857
SHA256 ef638df4d0c1a9687cfe3ed30cc7d6b6393d47a5eec7c08bc5cffb77d88df4f8
SHA512 88e49e22d93bf62397c73e2800980a9ac7db4f5b5f27369598076c66b948093f497a0dd97cb15f6ed7884652a7ddb5c84475ffa6bd67fac1364ac7f8c19d0f74

memory/4820-207-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Ngbpidjh.exe

MD5 3eb13c71e7fc102288e505126de9f305
SHA1 f6a7ae1c5e4ffd9bfa9dfdbf46d350b7a9b2ab08
SHA256 73da358b9b685f972a157b25dc9ee2eb6d6d0f539d9d5d9694d460b97e5fa5c4
SHA512 8af3acf52be6d081acb9514147f8c5c03bb0b2aa26f71bd63a59f7dd2e20b6a65cd95e6821e72a705d47deb2856b78da5fc4509286d2be78259cf85629a818c4

memory/3556-215-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Njqmepik.exe

MD5 8e03c80eff788161e17716ddaeeea070
SHA1 e0ef9e50b471b9c32b5dee27d81156b3243c00b7
SHA256 6d2233c3987fd56c77d0eb9cc4e2b8235cf73043575bd883e3228c3ca95180db
SHA512 51d2d6c63229c82022f5e72d41c4b3bc477d51d02456fbab78b1241e92fc7f136fae096bb1bb3a10708727094c6a855e582f3dbd0305acf1be53ee34ed45656f

C:\Windows\SysWOW64\Nnlhfn32.exe

MD5 6c099e00c6ccdec63c04157edc75d27b
SHA1 0bc7217daa2dac469d6758e1c024a7acf0eacd97
SHA256 763fc2847d35e1bd31356989ba245ba518435513dc404bd9b070a5b366744f5b
SHA512 798c06e824b7c77a6a7b17d20bc1acd548c2b07c4330b1bd74495cae2e0516832d08dbeee70fbff533473dc48066cdbdd75d7a1093ffc076604d8341903fecb4

memory/4916-232-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2280-229-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Ndfqbhia.exe

MD5 eb79851d2dd805a0c5fd8127ff6b200d
SHA1 ecce518a5e6a63ea117cf4438cc214136df2a88d
SHA256 f87d1af4e6083cc117d20abf5d544e4a50cc3652eb00f037a7fc2f7244f02179
SHA512 1a8e253583f619c843bb4b77d58ea6e4f2b9d142d5d0015488f12c7a03fb2f749f57eb0605369fe6eba727c603ff078f9fcf8fd80657f1d806022ab68e34f8dc

memory/3180-239-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Njciko32.exe

MD5 be71514ef85b6375205b75ed86b696ce
SHA1 8998ed2711544a06d458bcaf7f0936f882b6962f
SHA256 d486839307e2ce194561559c03f628be4587241628ff55956f7620b21f8b1cb8
SHA512 6a97fc8827270837e1892ffe0c8edcb5bb60ea6696ce02758d077d6db38b65097433b8fe55de142f5dbae80ee6055543849d40fe7bd42bcdd0c683e2f916ab4e

memory/4356-253-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Nlaegk32.exe

MD5 3c95c460e20474a2ff630baff0fee4e3
SHA1 d2aa9c221648b605b4d09664a047499d85801031
SHA256 3a871db48aba66bb11de9762c215f27cccd9ef1e51e609e19fdcace444156515
SHA512 686fda45a12c1d68babd498c27dac52d03b8bbf6f22a1f243cc2121cac693dc15b99053bfd6d69dd193b5cb00fd7140181fc9f9d7f6b81c065b4f40c12acf919

memory/2928-260-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Windows\SysWOW64\Nggjdc32.exe

MD5 6bb2ce6b6df17c804d98f4fd5ac336ea
SHA1 fd91aa8cd6f91e968a799d85cb2a1e23da4b3323
SHA256 ef58147013c857c4f2593a2709cfbef24bec1dbf81bc53b152efda02cc528051
SHA512 4a803ff2c22da9f2841b50bc95643d9df7a3969df3feeeeba8c0cb1b191db80435e51aa63cb2c9de10568b9dbd9b5338fb8d41cb19ff801aeefdafe484b2fbe8

C:\Windows\SysWOW64\Ageolo32.exe

MD5 1455c341770645c26dd69ef15e7d8624
SHA1 8ba1804b5fd5e22ed6394229bb8df1a510799363
SHA256 6fed6d741c2d395453a6e1113dffb608930e34d3da048269bcede523b63cba04
SHA512 48a9520e3e4d2f146cc4c7343922cf6ce04f7afcd54164ebfd9ed9c9fa84a1e3c1c03800a4ac110357a0c9a6f63de11085a3be12a76593a1eb60b954fe51eac2

C:\Windows\SysWOW64\Bmngqdpj.exe

MD5 22512858137b218978239466c0419069
SHA1 0d683557ecaf76412ab3ab603886079aa38f7a1d
SHA256 6d56d60e1d81e567d5c0e29e4959af4ae049920583bbb18c2e45aee6c7f4ef8a
SHA512 9f95542a121022e75ecfa49b7ae4ec0e30280292b5f8691706484dd98305a29f72da1ebbb98c82ebdc1f5f24576c9d1f8f88fb71f01dfd1b1812708371c9a6f3

C:\Windows\SysWOW64\Caebma32.exe

MD5 8646e86181c0190ef7f4efe6be5b3500
SHA1 e45b4020dfc1074afe0dfaff8d78e61fd39b6fa1
SHA256 84e97ee3f653a70fd615342e59983a6fb18e82f1d0b8b021c0b7e65fd980c9c3
SHA512 b9d4f60b2ea112e254cba80957226cd91d8e97fd9d63cbdda85dfe724da851de04b8e8ba8f411128e0811455f3bcc5e66f8182cf693f4daf6a85722e475c7cbd

C:\Windows\SysWOW64\Dfnjafap.exe

MD5 c7628c6784f5ad7eeb78d6c12cc821cb
SHA1 c24431d670e128d16c380d7ef65c312a202e0c4f
SHA256 516ac361212db38eb9ec20833619a8a2a1e479ca1afe3b80c1ce635a4715dd5b
SHA512 04b96eaefb240d47274369d76ae9d8f87ba6ce6f8e4b044990b5ea47166c9614c49d6ecf94a37a802af214a5019538084483d421acf1d81b0d6837054cec45e2

C:\Windows\SysWOW64\Dmllipeg.exe

MD5 7ead560bf020b8510f2691c65fcbc44b
SHA1 3ee3655e32362b8cf4b0596629f2d13ae80660d0
SHA256 ecd8c9f0e3113f00c8bd5fd1143145f0afae58c3ab09e7359580f54df3656d3c
SHA512 41b77a1a4fd9dbdc4d7d9fd2f996964c68e53e132e4aec9b880dae632ff57dbb533af68069ad26027f43177fe8d2d050930b535d41205c2483ebdf97fb8511b8