Malware Analysis Report

2025-01-22 16:26

Sample ID 241002-garmwszcln
Target 2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN
SHA256 2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6e
Tags berbew discovery persistence gozi backdoor banker isfb trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6e

Threat Level: Known bad

The file 2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN was found to be: Known bad.

Malicious Activity Summary

berbew discovery persistence gozi backdoor banker isfb trojan

Adds autorun key to be loaded by Explorer.exe on startup

Berbew family

Gozi

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported 2024-10-02 05:36

Signatures

Berbew family

berbew

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-02 05:36

Reported 2024-10-02 05:38

Platform win7-20240729-en

Max time kernel 16s

Max time network 17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oegdcj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oegdcj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olalpdbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Olalpdbc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Oegdcj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olalpdbc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ockdmn32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Oegdcj32.exe C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe N/A
File opened for modification C:\Windows\SysWOW64\Oegdcj32.exe C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe N/A
File created C:\Windows\SysWOW64\Olalpdbc.exe C:\Windows\SysWOW64\Oegdcj32.exe N/A
File created C:\Windows\SysWOW64\Khhaomjd.dll C:\Windows\SysWOW64\Olalpdbc.exe N/A
File created C:\Windows\SysWOW64\Lncacf32.dll C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe N/A
File opened for modification C:\Windows\SysWOW64\Olalpdbc.exe C:\Windows\SysWOW64\Oegdcj32.exe N/A
File created C:\Windows\SysWOW64\Lkdjamga.dll C:\Windows\SysWOW64\Oegdcj32.exe N/A
File created C:\Windows\SysWOW64\Ockdmn32.exe C:\Windows\SysWOW64\Olalpdbc.exe N/A
File opened for modification C:\Windows\SysWOW64\Ockdmn32.exe C:\Windows\SysWOW64\Olalpdbc.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oegdcj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olalpdbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ockdmn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncacf32.dll" C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oegdcj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkdjamga.dll" C:\Windows\SysWOW64\Oegdcj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Olalpdbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Olalpdbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oegdcj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhaomjd.dll" C:\Windows\SysWOW64\Olalpdbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2308 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe C:\Windows\SysWOW64\Oegdcj32.exe
PID 2308 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe C:\Windows\SysWOW64\Oegdcj32.exe
PID 2308 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe C:\Windows\SysWOW64\Oegdcj32.exe
PID 2308 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe C:\Windows\SysWOW64\Oegdcj32.exe
PID 1724 wrote to memory of 2348 N/A C:\Windows\SysWOW64\Oegdcj32.exe C:\Windows\SysWOW64\Olalpdbc.exe
PID 1724 wrote to memory of 2348 N/A C:\Windows\SysWOW64\Oegdcj32.exe C:\Windows\SysWOW64\Olalpdbc.exe
PID 1724 wrote to memory of 2348 N/A C:\Windows\SysWOW64\Oegdcj32.exe C:\Windows\SysWOW64\Olalpdbc.exe
PID 1724 wrote to memory of 2348 N/A C:\Windows\SysWOW64\Oegdcj32.exe C:\Windows\SysWOW64\Olalpdbc.exe
PID 2348 wrote to memory of 3060 N/A C:\Windows\SysWOW64\Olalpdbc.exe C:\Windows\SysWOW64\Ockdmn32.exe
PID 2348 wrote to memory of 3060 N/A C:\Windows\SysWOW64\Olalpdbc.exe C:\Windows\SysWOW64\Ockdmn32.exe
PID 2348 wrote to memory of 3060 N/A C:\Windows\SysWOW64\Olalpdbc.exe C:\Windows\SysWOW64\Ockdmn32.exe
PID 2348 wrote to memory of 3060 N/A C:\Windows\SysWOW64\Olalpdbc.exe C:\Windows\SysWOW64\Ockdmn32.exe
PID 3060 wrote to memory of 580 N/A C:\Windows\SysWOW64\Ockdmn32.exe C:\Windows\SysWOW64\WerFault.exe
PID 3060 wrote to memory of 580 N/A C:\Windows\SysWOW64\Ockdmn32.exe C:\Windows\SysWOW64\WerFault.exe
PID 3060 wrote to memory of 580 N/A C:\Windows\SysWOW64\Ockdmn32.exe C:\Windows\SysWOW64\WerFault.exe
PID 3060 wrote to memory of 580 N/A C:\Windows\SysWOW64\Ockdmn32.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe

"C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe"

C:\Windows\SysWOW64\Oegdcj32.exe

C:\Windows\system32\Oegdcj32.exe

C:\Windows\SysWOW64\Olalpdbc.exe

C:\Windows\system32\Olalpdbc.exe

C:\Windows\SysWOW64\Ockdmn32.exe

C:\Windows\system32\Ockdmn32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 140

Network

N/A

Files

memory/2308-4-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Oegdcj32.exe

MD5 d1c23bc8515abe135d13740c8d6f32ea
SHA1 d4b42458d1f2f8baf3fccac92e3c45cd4025302f
SHA256 d2d5589c8acbe345c95c6c42952b4e6858bac8633782f9868f311b6672ed7fe7
SHA512 f34e416c63cbb427ce0f5b45cfc75c1ae04109cd37c4f928921970ed30e112a8982d9e94e61c2f9c8382f856e3564e59c791394c7a6fa2df5391b947fae5125b

memory/1724-13-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2308-12-0x0000000000460000-0x00000000004B3000-memory.dmp

memory/2348-31-0x0000000000400000-0x0000000000453000-memory.dmp

\Windows\SysWOW64\Ockdmn32.exe

MD5 fe492eacdd1115681cb1b6eb86a04c61
SHA1 e8378112facaa0ce6d4cf6700c724999cabdda83
SHA256 d3fe3f90e48f2d7a4446bee95aebf21271f234cdf825c6f8a8c9e02a74b3c9ef
SHA512 8a4bb03e49ad8f0465e3521412a684597a37d6ca92555fd1b7b0620aab0b7c86b76de5e729ec28ecc0e5876ef9bbcd8986fd9fc3f7181d2cabad6b753c52e13e

memory/3060-40-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2348-39-0x00000000002F0000-0x0000000000343000-memory.dmp

C:\Windows\SysWOW64\Olalpdbc.exe

MD5 74ecd263a56d3ce7aa75e367787d35e8
SHA1 2f7bf15ff9e3845f5c87281930c1514b2eb47f53
SHA256 592fecb3d661f4eca5f4421176cf4a225cdc3f97aea5030073e7f06ef2fe1488
SHA512 946aef3134162ab07012d766758650d2e3e5e7478c819c94b88393daf4ab7504aa19db4ef2b6b60beab4a897c6ce14069689662f85b02551e3f7c4d7a6829a2d

memory/3060-52-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2308-51-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2348-49-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1724-48-0x0000000000400000-0x0000000000453000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-02 05:36

Reported 2024-10-02 05:38

Platform win10v2004-20240802-en

Max time kernel 94s

Max time network 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajanck32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ambgef32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bchomn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bchomn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnicfe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aepefb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnkplejl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnkplejl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Daconoae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhmgki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Daekdooc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bganhm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Beihma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Chcddk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Djgjlelk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qgqeappe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjmnoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjokdipf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Beihma32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfkedibe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Calhnpgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Calhnpgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddjejl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Delnin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aqncedbp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bebblb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bganhm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfpnph32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aqkgpedc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ageolo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aeklkchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bebblb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnicfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdfkolkf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qfcfml32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aepefb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddmaok32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djgjlelk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dobfld32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfnjafap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amgapeea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bmkjkd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfpnph32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dopigd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qjoankoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qcgffqei.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajanck32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cndikf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmkjkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfkedibe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cndikf32.exe N/A

Berbew

backdoor berbew

Gozi

banker trojan gozi

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Qgqeappe.exe N/A
N/A N/A C:\Windows\SysWOW64\Qfcfml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjoankoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcgffqei.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajanck32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqkgpedc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ageolo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ambgef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqncedbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeklkchg.exe N/A
N/A N/A C:\Windows\SysWOW64\Amgapeea.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajkaii32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aminee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aepefb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjmnoi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmkjkd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bebblb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bganhm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjokdipf.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmngqdpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Bchomn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgehcmmm.exe N/A
N/A N/A C:\Windows\SysWOW64\Beihma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfkedibe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcoenmao.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndikf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfpnph32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnicfe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdfkolkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnkplejl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceehho32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chcddk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnnlaehj.exe N/A
N/A N/A C:\Windows\SysWOW64\Calhnpgn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddjejl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dopigd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddmaok32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djgjlelk.exe N/A
N/A N/A C:\Windows\SysWOW64\Dobfld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Delnin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddonekbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfnjafap.exe N/A
N/A N/A C:\Windows\SysWOW64\Daconoae.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhmgki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Daekdooc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhocqigp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmllipeg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ajanck32.exe C:\Windows\SysWOW64\Qcgffqei.exe N/A
File opened for modification C:\Windows\SysWOW64\Aminee32.exe C:\Windows\SysWOW64\Ajkaii32.exe N/A
File created C:\Windows\SysWOW64\Fqjamcpe.dll C:\Windows\SysWOW64\Bcoenmao.exe N/A
File created C:\Windows\SysWOW64\Nnjaqjfh.dll C:\Windows\SysWOW64\Beihma32.exe N/A
File created C:\Windows\SysWOW64\Gmcfdb32.dll C:\Windows\SysWOW64\Dobfld32.exe N/A
File created C:\Windows\SysWOW64\Ehfnmfki.dll C:\Windows\SysWOW64\Ajanck32.exe N/A
File created C:\Windows\SysWOW64\Amgapeea.exe C:\Windows\SysWOW64\Aeklkchg.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajkaii32.exe C:\Windows\SysWOW64\Amgapeea.exe N/A
File created C:\Windows\SysWOW64\Phiifkjp.dll C:\Windows\SysWOW64\Bmkjkd32.exe N/A
File created C:\Windows\SysWOW64\Kbejge32.dll C:\Windows\SysWOW64\Bmngqdpj.exe N/A
File created C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Aminee32.exe N/A
File created C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bmkjkd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bchomn32.exe C:\Windows\SysWOW64\Bmngqdpj.exe N/A
File created C:\Windows\SysWOW64\Ebdijfii.dll C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
File opened for modification C:\Windows\SysWOW64\Delnin32.exe C:\Windows\SysWOW64\Dobfld32.exe N/A
File created C:\Windows\SysWOW64\Chcddk32.exe C:\Windows\SysWOW64\Ceehho32.exe N/A
File created C:\Windows\SysWOW64\Fpdaoioe.dll C:\Windows\SysWOW64\Daconoae.exe N/A
File created C:\Windows\SysWOW64\Ibaabn32.dll C:\Windows\SysWOW64\Ageolo32.exe N/A
File created C:\Windows\SysWOW64\Ldfgeigq.dll C:\Windows\SysWOW64\Aepefb32.exe N/A
File created C:\Windows\SysWOW64\Naeheh32.dll C:\Windows\SysWOW64\Cnnlaehj.exe N/A
File opened for modification C:\Windows\SysWOW64\Djgjlelk.exe C:\Windows\SysWOW64\Ddmaok32.exe N/A
File created C:\Windows\SysWOW64\Qjoankoi.exe C:\Windows\SysWOW64\Qfcfml32.exe N/A
File created C:\Windows\SysWOW64\Cdfkolkf.exe C:\Windows\SysWOW64\Cnicfe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddjejl32.exe C:\Windows\SysWOW64\Calhnpgn.exe N/A
File created C:\Windows\SysWOW64\Aqkgpedc.exe C:\Windows\SysWOW64\Ajanck32.exe N/A
File created C:\Windows\SysWOW64\Bmkjkd32.exe C:\Windows\SysWOW64\Bjmnoi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cndikf32.exe C:\Windows\SysWOW64\Bcoenmao.exe N/A
File created C:\Windows\SysWOW64\Jjjald32.dll C:\Windows\SysWOW64\Dopigd32.exe N/A
File created C:\Windows\SysWOW64\Ddmaok32.exe C:\Windows\SysWOW64\Dopigd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dobfld32.exe C:\Windows\SysWOW64\Djgjlelk.exe N/A
File created C:\Windows\SysWOW64\Qcgffqei.exe C:\Windows\SysWOW64\Qjoankoi.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjmnoi32.exe C:\Windows\SysWOW64\Aepefb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmpcfdmg.exe C:\Windows\SysWOW64\Bchomn32.exe N/A
File created C:\Windows\SysWOW64\Bfkedibe.exe C:\Windows\SysWOW64\Beihma32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnicfe32.exe C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
File created C:\Windows\SysWOW64\Beeppfin.dll C:\Windows\SysWOW64\Ddmaok32.exe N/A
File created C:\Windows\SysWOW64\Dobfld32.exe C:\Windows\SysWOW64\Djgjlelk.exe N/A
File created C:\Windows\SysWOW64\Akmfnc32.dll C:\Windows\SysWOW64\Bjmnoi32.exe N/A
File created C:\Windows\SysWOW64\Bgehcmmm.exe C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
File created C:\Windows\SysWOW64\Jekpanpa.dll C:\Windows\SysWOW64\Cnkplejl.exe N/A
File opened for modification C:\Windows\SysWOW64\Calhnpgn.exe C:\Windows\SysWOW64\Cnnlaehj.exe N/A
File opened for modification C:\Windows\SysWOW64\Dopigd32.exe C:\Windows\SysWOW64\Ddjejl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qfcfml32.exe C:\Windows\SysWOW64\Qgqeappe.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjokdipf.exe C:\Windows\SysWOW64\Bganhm32.exe N/A
File created C:\Windows\SysWOW64\Flgehc32.dll C:\Windows\SysWOW64\Cndikf32.exe N/A
File created C:\Windows\SysWOW64\Cnnlaehj.exe C:\Windows\SysWOW64\Chcddk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Daconoae.exe C:\Windows\SysWOW64\Dfnjafap.exe N/A
File created C:\Windows\SysWOW64\Efmolq32.dll C:\Windows\SysWOW64\Aqkgpedc.exe N/A
File opened for modification C:\Windows\SysWOW64\Ambgef32.exe C:\Windows\SysWOW64\Ageolo32.exe N/A
File created C:\Windows\SysWOW64\Cndikf32.exe C:\Windows\SysWOW64\Bcoenmao.exe N/A
File created C:\Windows\SysWOW64\Cfpnph32.exe C:\Windows\SysWOW64\Cndikf32.exe N/A
File created C:\Windows\SysWOW64\Ambgef32.exe C:\Windows\SysWOW64\Ageolo32.exe N/A
File created C:\Windows\SysWOW64\Cnkplejl.exe C:\Windows\SysWOW64\Cdfkolkf.exe N/A
File created C:\Windows\SysWOW64\Alcidkmm.dll C:\Windows\SysWOW64\Djgjlelk.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmkjkd32.exe C:\Windows\SysWOW64\Bjmnoi32.exe N/A
File created C:\Windows\SysWOW64\Qopkop32.dll C:\Windows\SysWOW64\Bebblb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qgqeappe.exe C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe N/A
File created C:\Windows\SysWOW64\Qciaajej.dll C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe N/A
File created C:\Windows\SysWOW64\Gokgpogl.dll C:\Windows\SysWOW64\Qgqeappe.exe N/A
File created C:\Windows\SysWOW64\Aqncedbp.exe C:\Windows\SysWOW64\Ambgef32.exe N/A
File created C:\Windows\SysWOW64\Bfddbh32.dll C:\Windows\SysWOW64\Ajkaii32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Dhocqigp.exe N/A
File created C:\Windows\SysWOW64\Ajkaii32.exe C:\Windows\SysWOW64\Amgapeea.exe N/A
File created C:\Windows\SysWOW64\Bjokdipf.exe C:\Windows\SysWOW64\Bganhm32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnicfe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdfkolkf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmllipeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qcgffqei.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajanck32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aqkgpedc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amgapeea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfkedibe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcoenmao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfpnph32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bchomn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgehcmmm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cndikf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddjejl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djgjlelk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ageolo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Calhnpgn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Delnin32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnkplejl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aqncedbp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aminee32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmkjkd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beihma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceehho32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chcddk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhmgki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qfcfml32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qjoankoi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ambgef32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aeklkchg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajkaii32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bebblb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bganhm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjokdipf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qgqeappe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dopigd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddmaok32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dobfld32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjmnoi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daconoae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daekdooc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aepefb32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhmgki32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qfcfml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aeklkchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll" C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddmaok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll" C:\Windows\SysWOW64\Aqncedbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll" C:\Windows\SysWOW64\Aminee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bcoenmao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddmaok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhocqigp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll" C:\Windows\SysWOW64\Ajkaii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Calhnpgn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dfnjafap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Daconoae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qgqeappe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qcgffqei.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll" C:\Windows\SysWOW64\Bchomn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfkedibe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qgqeappe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bebblb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnicfe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Daekdooc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ageolo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll" C:\Windows\SysWOW64\Bmkjkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chcddk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djgjlelk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll" C:\Windows\SysWOW64\Bebblb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll" C:\Windows\SysWOW64\Calhnpgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll" C:\Windows\SysWOW64\Djgjlelk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ajanck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aqncedbp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ajkaii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll" C:\Windows\SysWOW64\Bjmnoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Delnin32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Daconoae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll" C:\Windows\SysWOW64\Aepefb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cndikf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll" C:\Windows\SysWOW64\Cnicfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll" C:\Windows\SysWOW64\Delnin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll" C:\Windows\SysWOW64\Qgqeappe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll" C:\Windows\SysWOW64\Cdfkolkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll" C:\Windows\SysWOW64\Daconoae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll" C:\Windows\SysWOW64\Qcgffqei.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Amgapeea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjokdipf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bchomn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bchomn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll" C:\Windows\SysWOW64\Beihma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cnicfe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajkaii32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aminee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aepefb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cnkplejl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll" C:\Windows\SysWOW64\Dobfld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdfkolkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll" C:\Windows\SysWOW64\Cnkplejl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll" C:\Windows\SysWOW64\Ceehho32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3184 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe C:\Windows\SysWOW64\Qgqeappe.exe
PID 3184 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe C:\Windows\SysWOW64\Qgqeappe.exe
PID 3184 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe C:\Windows\SysWOW64\Qgqeappe.exe
PID 4324 wrote to memory of 4952 N/A C:\Windows\SysWOW64\Qgqeappe.exe C:\Windows\SysWOW64\Qfcfml32.exe
PID 4324 wrote to memory of 4952 N/A C:\Windows\SysWOW64\Qgqeappe.exe C:\Windows\SysWOW64\Qfcfml32.exe
PID 4324 wrote to memory of 4952 N/A C:\Windows\SysWOW64\Qgqeappe.exe C:\Windows\SysWOW64\Qfcfml32.exe
PID 4952 wrote to memory of 3504 N/A C:\Windows\SysWOW64\Qfcfml32.exe C:\Windows\SysWOW64\Qjoankoi.exe
PID 4952 wrote to memory of 3504 N/A C:\Windows\SysWOW64\Qfcfml32.exe C:\Windows\SysWOW64\Qjoankoi.exe
PID 4952 wrote to memory of 3504 N/A C:\Windows\SysWOW64\Qfcfml32.exe C:\Windows\SysWOW64\Qjoankoi.exe
PID 3504 wrote to memory of 1284 N/A C:\Windows\SysWOW64\Qjoankoi.exe C:\Windows\SysWOW64\Qcgffqei.exe
PID 3504 wrote to memory of 1284 N/A C:\Windows\SysWOW64\Qjoankoi.exe C:\Windows\SysWOW64\Qcgffqei.exe
PID 3504 wrote to memory of 1284 N/A C:\Windows\SysWOW64\Qjoankoi.exe C:\Windows\SysWOW64\Qcgffqei.exe
PID 1284 wrote to memory of 1004 N/A C:\Windows\SysWOW64\Qcgffqei.exe C:\Windows\SysWOW64\Ajanck32.exe
PID 1284 wrote to memory of 1004 N/A C:\Windows\SysWOW64\Qcgffqei.exe C:\Windows\SysWOW64\Ajanck32.exe
PID 1284 wrote to memory of 1004 N/A C:\Windows\SysWOW64\Qcgffqei.exe C:\Windows\SysWOW64\Ajanck32.exe
PID 1004 wrote to memory of 4228 N/A C:\Windows\SysWOW64\Ajanck32.exe C:\Windows\SysWOW64\Aqkgpedc.exe
PID 1004 wrote to memory of 4228 N/A C:\Windows\SysWOW64\Ajanck32.exe C:\Windows\SysWOW64\Aqkgpedc.exe
PID 1004 wrote to memory of 4228 N/A C:\Windows\SysWOW64\Ajanck32.exe C:\Windows\SysWOW64\Aqkgpedc.exe
PID 4228 wrote to memory of 3972 N/A C:\Windows\SysWOW64\Aqkgpedc.exe C:\Windows\SysWOW64\Ageolo32.exe
PID 4228 wrote to memory of 3972 N/A C:\Windows\SysWOW64\Aqkgpedc.exe C:\Windows\SysWOW64\Ageolo32.exe
PID 4228 wrote to memory of 3972 N/A C:\Windows\SysWOW64\Aqkgpedc.exe C:\Windows\SysWOW64\Ageolo32.exe
PID 3972 wrote to memory of 116 N/A C:\Windows\SysWOW64\Ageolo32.exe C:\Windows\SysWOW64\Ambgef32.exe
PID 3972 wrote to memory of 116 N/A C:\Windows\SysWOW64\Ageolo32.exe C:\Windows\SysWOW64\Ambgef32.exe
PID 3972 wrote to memory of 116 N/A C:\Windows\SysWOW64\Ageolo32.exe C:\Windows\SysWOW64\Ambgef32.exe
PID 116 wrote to memory of 540 N/A C:\Windows\SysWOW64\Ambgef32.exe C:\Windows\SysWOW64\Aqncedbp.exe
PID 116 wrote to memory of 540 N/A C:\Windows\SysWOW64\Ambgef32.exe C:\Windows\SysWOW64\Aqncedbp.exe
PID 116 wrote to memory of 540 N/A C:\Windows\SysWOW64\Ambgef32.exe C:\Windows\SysWOW64\Aqncedbp.exe
PID 540 wrote to memory of 1568 N/A C:\Windows\SysWOW64\Aqncedbp.exe C:\Windows\SysWOW64\Ajfhnjhq.exe
PID 540 wrote to memory of 1568 N/A C:\Windows\SysWOW64\Aqncedbp.exe C:\Windows\SysWOW64\Ajfhnjhq.exe
PID 540 wrote to memory of 1568 N/A C:\Windows\SysWOW64\Aqncedbp.exe C:\Windows\SysWOW64\Ajfhnjhq.exe
PID 1568 wrote to memory of 3208 N/A C:\Windows\SysWOW64\Ajfhnjhq.exe C:\Windows\SysWOW64\Aeklkchg.exe
PID 1568 wrote to memory of 3208 N/A C:\Windows\SysWOW64\Ajfhnjhq.exe C:\Windows\SysWOW64\Aeklkchg.exe
PID 1568 wrote to memory of 3208 N/A C:\Windows\SysWOW64\Ajfhnjhq.exe C:\Windows\SysWOW64\Aeklkchg.exe
PID 3208 wrote to memory of 4716 N/A C:\Windows\SysWOW64\Aeklkchg.exe C:\Windows\SysWOW64\Amgapeea.exe
PID 3208 wrote to memory of 4716 N/A C:\Windows\SysWOW64\Aeklkchg.exe C:\Windows\SysWOW64\Amgapeea.exe
PID 3208 wrote to memory of 4716 N/A C:\Windows\SysWOW64\Aeklkchg.exe C:\Windows\SysWOW64\Amgapeea.exe
PID 4716 wrote to memory of 4996 N/A C:\Windows\SysWOW64\Amgapeea.exe C:\Windows\SysWOW64\Ajkaii32.exe
PID 4716 wrote to memory of 4996 N/A C:\Windows\SysWOW64\Amgapeea.exe C:\Windows\SysWOW64\Ajkaii32.exe
PID 4716 wrote to memory of 4996 N/A C:\Windows\SysWOW64\Amgapeea.exe C:\Windows\SysWOW64\Ajkaii32.exe
PID 4996 wrote to memory of 4056 N/A C:\Windows\SysWOW64\Ajkaii32.exe C:\Windows\SysWOW64\Aminee32.exe
PID 4996 wrote to memory of 4056 N/A C:\Windows\SysWOW64\Ajkaii32.exe C:\Windows\SysWOW64\Aminee32.exe
PID 4996 wrote to memory of 4056 N/A C:\Windows\SysWOW64\Ajkaii32.exe C:\Windows\SysWOW64\Aminee32.exe
PID 4056 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Aminee32.exe C:\Windows\SysWOW64\Aepefb32.exe
PID 4056 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Aminee32.exe C:\Windows\SysWOW64\Aepefb32.exe
PID 4056 wrote to memory of 2024 N/A C:\Windows\SysWOW64\Aminee32.exe C:\Windows\SysWOW64\Aepefb32.exe
PID 2024 wrote to memory of 1300 N/A C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Bjmnoi32.exe
PID 2024 wrote to memory of 1300 N/A C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Bjmnoi32.exe
PID 2024 wrote to memory of 1300 N/A C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Bjmnoi32.exe
PID 1300 wrote to memory of 4912 N/A C:\Windows\SysWOW64\Bjmnoi32.exe C:\Windows\SysWOW64\Bmkjkd32.exe
PID 1300 wrote to memory of 4912 N/A C:\Windows\SysWOW64\Bjmnoi32.exe C:\Windows\SysWOW64\Bmkjkd32.exe
PID 1300 wrote to memory of 4912 N/A C:\Windows\SysWOW64\Bjmnoi32.exe C:\Windows\SysWOW64\Bmkjkd32.exe
PID 4912 wrote to memory of 1560 N/A C:\Windows\SysWOW64\Bmkjkd32.exe C:\Windows\SysWOW64\Bebblb32.exe
PID 4912 wrote to memory of 1560 N/A C:\Windows\SysWOW64\Bmkjkd32.exe C:\Windows\SysWOW64\Bebblb32.exe
PID 4912 wrote to memory of 1560 N/A C:\Windows\SysWOW64\Bmkjkd32.exe C:\Windows\SysWOW64\Bebblb32.exe
PID 1560 wrote to memory of 5108 N/A C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bganhm32.exe
PID 1560 wrote to memory of 5108 N/A C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bganhm32.exe
PID 1560 wrote to memory of 5108 N/A C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bganhm32.exe
PID 5108 wrote to memory of 5032 N/A C:\Windows\SysWOW64\Bganhm32.exe C:\Windows\SysWOW64\Bjokdipf.exe
PID 5108 wrote to memory of 5032 N/A C:\Windows\SysWOW64\Bganhm32.exe C:\Windows\SysWOW64\Bjokdipf.exe
PID 5108 wrote to memory of 5032 N/A C:\Windows\SysWOW64\Bganhm32.exe C:\Windows\SysWOW64\Bjokdipf.exe
PID 5032 wrote to memory of 1820 N/A C:\Windows\SysWOW64\Bjokdipf.exe C:\Windows\SysWOW64\Bmngqdpj.exe
PID 5032 wrote to memory of 1820 N/A C:\Windows\SysWOW64\Bjokdipf.exe C:\Windows\SysWOW64\Bmngqdpj.exe
PID 5032 wrote to memory of 1820 N/A C:\Windows\SysWOW64\Bjokdipf.exe C:\Windows\SysWOW64\Bmngqdpj.exe
PID 1820 wrote to memory of 4556 N/A C:\Windows\SysWOW64\Bmngqdpj.exe C:\Windows\SysWOW64\Bchomn32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe

"C:\Users\Admin\AppData\Local\Temp\2d02f92aab69b9088deb04eeae8e8bc4ccf5278d2c2ec5d7e2097048d96b2f6eN.exe"

C:\Windows\SysWOW64\Qgqeappe.exe

C:\Windows\system32\Qgqeappe.exe

C:\Windows\SysWOW64\Qfcfml32.exe

C:\Windows\system32\Qfcfml32.exe

C:\Windows\SysWOW64\Qjoankoi.exe

C:\Windows\system32\Qjoankoi.exe

C:\Windows\SysWOW64\Qcgffqei.exe

C:\Windows\system32\Qcgffqei.exe

C:\Windows\SysWOW64\Ajanck32.exe

C:\Windows\system32\Ajanck32.exe

C:\Windows\SysWOW64\Aqkgpedc.exe

C:\Windows\system32\Aqkgpedc.exe

C:\Windows\SysWOW64\Ageolo32.exe

C:\Windows\system32\Ageolo32.exe

C:\Windows\SysWOW64\Ambgef32.exe

C:\Windows\system32\Ambgef32.exe

C:\Windows\SysWOW64\Aqncedbp.exe

C:\Windows\system32\Aqncedbp.exe

C:\Windows\SysWOW64\Ajfhnjhq.exe

C:\Windows\system32\Ajfhnjhq.exe

C:\Windows\SysWOW64\Aeklkchg.exe

C:\Windows\system32\Aeklkchg.exe

C:\Windows\SysWOW64\Amgapeea.exe

C:\Windows\system32\Amgapeea.exe

C:\Windows\SysWOW64\Ajkaii32.exe

C:\Windows\system32\Ajkaii32.exe

C:\Windows\SysWOW64\Aminee32.exe

C:\Windows\system32\Aminee32.exe

C:\Windows\SysWOW64\Aepefb32.exe

C:\Windows\system32\Aepefb32.exe

C:\Windows\SysWOW64\Bjmnoi32.exe

C:\Windows\system32\Bjmnoi32.exe

C:\Windows\SysWOW64\Bmkjkd32.exe

C:\Windows\system32\Bmkjkd32.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bganhm32.exe

C:\Windows\system32\Bganhm32.exe

C:\Windows\SysWOW64\Bjokdipf.exe

C:\Windows\system32\Bjokdipf.exe

C:\Windows\SysWOW64\Bmngqdpj.exe

C:\Windows\system32\Bmngqdpj.exe

C:\Windows\SysWOW64\Bchomn32.exe

C:\Windows\system32\Bchomn32.exe

C:\Windows\SysWOW64\Bmpcfdmg.exe

C:\Windows\system32\Bmpcfdmg.exe

C:\Windows\SysWOW64\Bgehcmmm.exe

C:\Windows\system32\Bgehcmmm.exe

C:\Windows\SysWOW64\Beihma32.exe

C:\Windows\system32\Beihma32.exe

C:\Windows\SysWOW64\Bfkedibe.exe

C:\Windows\system32\Bfkedibe.exe

C:\Windows\SysWOW64\Bcoenmao.exe

C:\Windows\system32\Bcoenmao.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Ceqnmpfo.exe

C:\Windows\system32\Ceqnmpfo.exe

C:\Windows\SysWOW64\Cnicfe32.exe

C:\Windows\system32\Cnicfe32.exe

C:\Windows\SysWOW64\Cdfkolkf.exe

C:\Windows\system32\Cdfkolkf.exe

C:\Windows\SysWOW64\Cnkplejl.exe

C:\Windows\system32\Cnkplejl.exe

C:\Windows\SysWOW64\Ceehho32.exe

C:\Windows\system32\Ceehho32.exe

C:\Windows\SysWOW64\Chcddk32.exe

C:\Windows\system32\Chcddk32.exe

C:\Windows\SysWOW64\Cnnlaehj.exe

C:\Windows\system32\Cnnlaehj.exe

C:\Windows\SysWOW64\Calhnpgn.exe

C:\Windows\system32\Calhnpgn.exe

C:\Windows\SysWOW64\Ddjejl32.exe

C:\Windows\system32\Ddjejl32.exe

C:\Windows\SysWOW64\Dopigd32.exe

C:\Windows\system32\Dopigd32.exe

C:\Windows\SysWOW64\Ddmaok32.exe

C:\Windows\system32\Ddmaok32.exe

C:\Windows\SysWOW64\Djgjlelk.exe

C:\Windows\system32\Djgjlelk.exe

C:\Windows\SysWOW64\Dobfld32.exe

C:\Windows\system32\Dobfld32.exe

C:\Windows\SysWOW64\Delnin32.exe

C:\Windows\system32\Delnin32.exe

C:\Windows\SysWOW64\Ddonekbl.exe

C:\Windows\system32\Ddonekbl.exe

C:\Windows\SysWOW64\Dfnjafap.exe

C:\Windows\system32\Dfnjafap.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Dhmgki32.exe

C:\Windows\system32\Dhmgki32.exe

C:\Windows\SysWOW64\Daekdooc.exe

C:\Windows\system32\Daekdooc.exe

C:\Windows\SysWOW64\Dhocqigp.exe

C:\Windows\system32\Dhocqigp.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 908 -ip 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 396

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/3184-0-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3184-1-0x0000000000432000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qgqeappe.exe

MD5 7bb950fe2c90627795cf0e51daae955c
SHA1 d8c48c7228cf87778daf8f1727c5a2f3c756ca23
SHA256 3e85342260a7dc53fe5c7be8ebcddb0d25979812a32146ef00c6ffce40b669a9
SHA512 b9f19b8438fb1d440aed2e759a9e1ff274853ebda0e7fc89cd114c7a5c68c66b0ab22967363db40fa722bfce184d750119193fc570b4b3355c800db38dc0a1b5

memory/4324-12-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Qfcfml32.exe

MD5 5cb8d0b283abc38c88f158a633fabe89
SHA1 fa8c7c88fa5deab7edfcfba5a4925ff420facc89
SHA256 fb53de27cd98396e1cd5a70ad85cde3fc8558db7403139f19bda10ccca40e83a
SHA512 4044de697552b50fd14798e686c36774f19714feea6085f9fbe03b1c3ea45b9bad02dd0026b714a4ec07c2a2510913335be0f3ebee23b7eba562a93be861e310

memory/4952-21-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Qjoankoi.exe

MD5 a202233a0a6e3e69f047b0aa9db6b9ee
SHA1 83c42729e9ae22bbc7d2c56686fe363fa11b8847
SHA256 b8f58088d8fea182f42f60302787c337689618a0fa3c6e6c6edfb28dc1a7b67b
SHA512 533d2c77497f1732c8fc7d30fc96f9861ec47bfecafef3b7e09e7c4ecf19fa64aae452f1c98104d55f0c320066a015258361d2d7983ea9fe1ef09f7220bc930a

memory/3504-24-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Qcgffqei.exe

MD5 ddd131fe0a4d86075dd6825020c58b12
SHA1 15baae72fed8152a8decc0f06b0a5b39ca785cc3
SHA256 2eaa32b7249e0b484c047fd542059e2dd9dbbf288f09d2e9f6667739572a2265
SHA512 11de47807b9b590e8317361cb49366fb9fe5fb631c36229200660a74d7a82c6eea3f5b4b2d42bb3c2af96bc2a6f1848966de72a3530f72e313852aed34844818

memory/1284-32-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ajanck32.exe

MD5 9f4a2a39e84aba62fb729963ff8639a8
SHA1 25493640d8d3291a02e1a29d3332adf5f507c914
SHA256 94295c8f5f9457d22af5650e38fce83ff1c9fe466abe8cc7d8410c3f28bd717b
SHA512 874a2b90cb7676dcfc7330236956dece7b3942fa2b70a340bf8271769acdb08fd5d9ca4743deeb6f572982795d059ff845b980bdf305127971719987376c3ba9

memory/1004-41-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Aqkgpedc.exe

MD5 a712e9157bfc726576f53eaba490e5f5
SHA1 d857a49472b8d7c4b5ff4436b969b613ea67e186
SHA256 db5a050e4fcbea31e3a5c37ed2cfd74ce79a9fe1a83c13e5dc074c4ce27bbf9a
SHA512 0fddcc66cb1113d64432281beb4198858b90285fdbc7644de3d5b3a9bc72774e3808d8fef803d85759786ae0bf06672f1ae2e2d78607f3824e6ae1ab54911c4b

memory/4228-48-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ageolo32.exe

MD5 441484cb0ee8b4b0504d602fbec9d192
SHA1 e969a6307a75c95b033c45a70784646dcb254ca5
SHA256 ebd8d25580b7dbb530a57977783ce8781da3db83410aecba6bab09c67bbf79d7
SHA512 b6d96e5a5aef0360c238376ca7a185b838547cbfe1502ae4cbade512da6e8dd4401f69677efbe4376729885387e770ced38e8bb514ee7c2cfc9a3fc58baf0192

memory/3972-56-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ambgef32.exe

MD5 e5aa8c227d43191d4bc1727db50a6a31
SHA1 d380564125a1298224c815ad96e1cb67eb602bf4
SHA256 abec439d29a7efe1d570eade21a6df41f35edb8bb66f42896f8fc3f3b55fe893
SHA512 771261e21cfb212180f2cdec4fb083e444a0678681f282e384c81b3443a562f95d58f8d9b9f94e6713ec2ae5a25d98d59a0d97c21967fbb89ad7a612602b3187

memory/116-69-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Aqncedbp.exe

MD5 2517ed4542ae8621e67ce8cae676c7a1
SHA1 8f095ac8875682f2dbde83edb73c79c5827d9df5
SHA256 6b01768b9ca1b5a0902c39cba52c16851223baf84c198aa28e65467eabee6de8
SHA512 84d8a0f98a77fc12f57d159812fd66ac32bf38143f771ecf632ec6aefe453d5328dc683a539f952d6e15b0d3e8a469ebc8ce6b91224178266b91a48c5a4da8b0

memory/540-72-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ajfhnjhq.exe

MD5 d80387ca9f3b69edb6badd07ec1ac90e
SHA1 fdc2e2722c2786c7e3b610f3d1de0c8a25676973
SHA256 d6f9ceb56c0c50f424feb82a75c8ae2ba67d223638e7f21df66d2f179e12b777
SHA512 83327d90261c48789556d272783754d011608aa68b8943afbbbbfd21924725eb4a24011d02946fac1b84c47c90044590263d201eefeac1a3f1c689c542ef2dc4

memory/1568-80-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Aeklkchg.exe

MD5 b70dbb34da1b41d1abb1f2a2d852dfd1
SHA1 e7f9fa01f8aaaeb75954d949e67d73735ba11143
SHA256 aae78f2fb4937ecb812092bcc74f5055c6649a93986fe6c80ad0bcc91570b86b
SHA512 c4bd62ab052a574da47bc2feec0891bb0f4cb59d5c9a623e7a5cbaf86894a5de4a3fb672cb799b6135d0a4d2f51fc4ec4e6b19bb35ba44efda24a166e7d50648

memory/3208-88-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Amgapeea.exe

MD5 6b0bb9fc6400c1418d1f9a5d852b874a
SHA1 9a0ce2e3df27b05b2ba2cf22b7d7b0d8006a6bce
SHA256 3f5d88851948e6042cde82da55c004a3e1977991a6c04c44c9345a9173972e9f
SHA512 59dd81bc454cb41dca2e1f91835ebb19f5cf3bd70e14f63184c22bba266e1819b4ec65e1096f96e47478f9374fa721514f275025c2e471e7b4de3f0cb03c54da

memory/4716-96-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ajkaii32.exe

MD5 b000e4290d541c5abd4fe319e0a01af0
SHA1 dd2f57fca37656ef0ae3414729f788ff07fa618c
SHA256 f9299b261e98f77d260b50d20011eaa133b2e2397b39fb27421a37445baf451f
SHA512 8fe8c43d42f9b4c93f64943540f9f5743ce1eac3fe8b642ae56098f78346a99351128fa7f1ee9d6dd5da1c3c9997de6eff615ed5ddde32dbea166d12d3351d37

memory/4996-104-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Aminee32.exe

MD5 b67527c33bcb7d4344489cbad10d487f
SHA1 1bc8d15228bb03043a918f78faa8dc85dc1905dc
SHA256 d5c4ccfe1abf2e064bf6f0313cf59d08203ed1e6f906b710b2f225e7e39cc87c
SHA512 312b2d1964385b435e8d31ed0c24dbf6ec76f7bfc706b0bfa58c2c1b4e74ec8f09e11f8d53744cd1a58cc1099878ac66960d559b751379f10c6500407cc497a2

memory/4056-112-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Aepefb32.exe

MD5 a8f3bffc0ca8817e485937f22720a35f
SHA1 d31759099e0e293b273ec030366c8803c3c3dab4
SHA256 3b69dba5ebe8dde15cf07b7bb7e8ee16cd5d0f18c71f070b81dfb2c2877ef7f0
SHA512 4511f2e79620a60ff8c774b9ecb8ab8ba0b230c0a009d3b7fe1a6783356ed7ff469b52278ba5a518f58088dfb0da1a15794759c4e3a2f0873cfe7e28e3f6c45f

memory/2024-121-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bjmnoi32.exe

MD5 a0cc0f84c7dab09d81e0e67e7020bd6f
SHA1 db4088cde5c0f6bb64a08cedfa1a62e163125732
SHA256 36f60500b2df8affe2d51c93bc3985c14e9f5697b4757d84ca0156dd327c0879
SHA512 ab8c5faae93260cd3d92dca9ef73de8921009769c1d4467c22e51b13476f6d4cd01dbf0d5376ad2b3306b3f6395161fd75b32055bf4ab709cbea816c867a1dc4

memory/1300-128-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bmkjkd32.exe

MD5 d2e662ee07976f5b412335b23e940770
SHA1 47c50e7f540d1cfd6644c3c3af2df760a0915c34
SHA256 b82c15d7394ec97c93e2c9ef806bb7ef1276e9ef7f04919d6ae0e5de39d97e13
SHA512 89ff15e0ee8a247ac7a22cfb37760e59819c112f2143bb21fb99e842cd204856789eb32824b37dbaf3b906d4e6145b5cadcb2bddf9f10eb9dcb28acd9b8cf927

memory/4912-137-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bebblb32.exe

MD5 c27d646550cd7a821124d4539f94c5c8
SHA1 4e05a40caa1e39d5b9891fdd1c2a4c60ed2bf3be
SHA256 53d42e1a4b286edf925202a4b3d8ddc0602affde1666bf422df1033d6bd72315
SHA512 4c3c871a45bf4d667ff9c997230e29b862ccd56ab2e784cde30c0171904e5bfa513de1a235e3897f5f25e758b0a830fcc49eca2882bd6f66f752e316ef39bb72

C:\Windows\SysWOW64\Bganhm32.exe

MD5 1201c841de2afc7ffb03d5d4f6815b2d
SHA1 75c6a1163f2579a1e35a7637494c12095bbb05c1
SHA256 8c39a492490c8b03b8a9c00f600eeceaa149b86ad331a4207b7bde7a094eab41
SHA512 8830afeea4ad603d10c2c7f8ffce91c548ea5850d82ce3676d6b8c5378a7184f92fd948aff6012ce55665369402d444f1c03146268886550a9329da7efcc6775

memory/1560-145-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5108-157-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bjokdipf.exe

MD5 1af4a8a87af5ab2019e27d3dd5a2f260
SHA1 9b15ecb88f0d1a3a17b80a6279cf1a657e708d49
SHA256 ebc9868fd0ebc31eed094c7e92d691c228b7badec8ffbd3834a3a7d187ce6e07
SHA512 a71d68929b2e3ac9159ef061028ef2decb15a1a1391b1c56a233d22c8749686ffaa3ca1c38e3ae9fec2b4fa1c313151cc8f3f0c880febda4c5a3fcd26c91d664

memory/5032-165-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bmngqdpj.exe

MD5 a0380572849826bbc73e41b6519d5fd2
SHA1 2993842e167a020984322cfb9d4521d332f6b2a7
SHA256 38906b6d599606ab0afb8b97dd9d85d6973f753b4bb294b3326e8b8211584767
SHA512 a66edd2d6a493fa70b97f0b9d84ee380e3b4df5669cdb02a8fe10bbd2f15d6150570c2b4158b9d04369cb8e34b9fb67fdd72a006fb5967e0c1fe2f68f0aa1810

memory/1820-173-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bchomn32.exe

MD5 477cc991faaf064f5698f25fe81145dd
SHA1 ac08008da8854764f22a741de56e5188cfca0491
SHA256 a51da9887bfdc99a7fb77de38a88344f01ec06d81b915b74bf8459ec527d5515
SHA512 b9e36b1635558170f586f5ca2f536c99965ff28127165ed50a0d7ab4d86d167626c638349a865fb54e167e5babcd5c33597cc9d301c879daddee7b1e5d38f865

memory/4556-176-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4564-184-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bmpcfdmg.exe

MD5 38508d6daf090bdf6b29cc8f35bdcb24
SHA1 eab2c11dbb211e5aaf8f074c1963ea31fbd48188
SHA256 ac1741eccce9da233de7dd59681de9e5f91dd71ae2b14271c1d308a3c3f206d4
SHA512 cffddc1b67c85e274e384ebb7a26bf33e95cab0d3ea47477bba6fca5d33a76a6572fe3ad6b9e3e6d5e1a1ae32c4f2ffd4012aa94f674dc012fa486b4cb3f562e

C:\Windows\SysWOW64\Bgehcmmm.exe

MD5 8cf26e9bdf6ec2d5bddf4a99b9d04b7e
SHA1 f804facd5e2bc7b2cec25faf6ab470f3ba7e884f
SHA256 4b87ae186fedcc8d93a8b6cfb506cc5aba8cff9148b9c63d642f6b12262e6aff
SHA512 79bda881a06bb87fdce7727eb003118dce1e85a834b694e2407d00914e0b5c19cd42dd518c899361f8c2a76565c24b6a009c4280e351782b68b0a5f47ba2b42b

memory/3556-192-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Beihma32.exe

MD5 4a4ede0ce2aecb2d2b227b9103de43e5
SHA1 14510c9b45d6131c5799641b2fa731c54e6beb1f
SHA256 caeaa96c47bbfc9fa43e716788ca950e6bd9ef213f9fecbc383f867c358b6b96
SHA512 777ec412d4e207d5393235d8b2456d25f2d5da578e1b6cd7bd0860877e3b0a6baa9b6d30947744935b4a8cd1288443d13c72e8c1abcd2e848ebb3466c2da8b92

memory/4720-200-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bfkedibe.exe

MD5 b586c856269c6254d45aa08cc1f6081b
SHA1 ad22540ab4da9e111a69483c46e616c12368408e
SHA256 e23f0023e617ad5e6cf153494bee52331abdf79171bc52ce3d87f49a31daa024
SHA512 e293525b7beddd3f8f5f787d65ff84c22af583d3a7394bb5c3fd557d43b2df5d2a459e81ac5c401a6c2daa4a8508429f31617a6a587bb5a1b13f547601add23d

memory/756-208-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bcoenmao.exe

MD5 a2ddfcd04cbfe626f396f5b66428d93e
SHA1 bbded3c0c58c80e2a3b495cacbd3f0263492f36a
SHA256 89393f5ad42a786f6610f3ddedf1e301012a9b9f8da64e851d9ca5cf56403537
SHA512 5fe322d9507fa6afeb2368f66ca59aaf0fd00a2dbe141e230b676c37729733b42ae3bd0cac1fff7b92391748598103529ab5394159ec3090fc5ce19f297ca052

C:\Windows\SysWOW64\Bcoenmao.exe

MD5 8f6114e3e699fc5a2d99a3aee871e4e3
SHA1 5a3447ad41f6c0b097a5f15d942a1f951615c457
SHA256 3e86251da8d6e45f53e2479571771009802a5580c29b603811d01463d0239717
SHA512 4fb48614115eb777ca6b880eadb6072c0a405cdd1dc81d38a80b9aa2114ad46debf24afbefce2bebdf261f6b754179d4f9ec395182190db61e733a6838f08e16

memory/2312-217-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cndikf32.exe

MD5 9b04eb518f79e30e60b6e77e2182acef
SHA1 edd1e815e4f03235036ab68182f3ae88b125ab9c
SHA256 fbfa302076cdc53c8439cc03b980da77d460afcc96a8f1ad6dac9797d924994e
SHA512 8aab8c839b15eccc80b533264c5b9e455f6d41a610bc3330b58f4a2ba136e8e264e7af777687bc53e978ac8a312e607d5a4ba719d4633b661fc7f2c3d19752eb

memory/1688-225-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cfpnph32.exe

MD5 4a645d7cadf1f28b5d110f41a2b11ad4
SHA1 b37e62bbcb9cb630706823471cd521a6cee6e71c
SHA256 386d34fa57cab55b2d16eb0bdd79668584ae140cbbcd7221a652d6b51bfaf680
SHA512 9444e93a63857088d53ff010255ea82963d42e124179372c15f349973c3bc83a0fbf63e6258f1e723082f3ceb625eb44cbeb9725f38d583157f44004dc10549f

memory/3328-232-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ceqnmpfo.exe

MD5 dce7d0860ff638728cfaaa6897a03fc1
SHA1 1e4e3ee841ee7b8d1df07a0fba86714f8eb7c7d4
SHA256 9520be03ef2a071dd471aa49d64bf1f35bb13cefb6cc2e728d10feead6ef0981
SHA512 8956fc6d568983704ec18ef6b88f02b3142c3c1d5b34995ed2fd11c4cb70c45342f08e4099c118900e8a3e5b6b9b499f3d197ff4b4712642519c2dc994440750

memory/3200-240-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cnicfe32.exe

MD5 33d38ff08109c55c02afc66b1fbee243
SHA1 c95bdae00c55275309926a20c08a3adbb932d17d
SHA256 288f39ff50f717f58701c2e95a1b2acc55f1ed189e7f7206334a5be2050286cb
SHA512 937370aace13057095b52268f803ac5041e5986590fef16245eb1b518f218f41afe5fcfb84312366ddc86be3a5f292f0b426c23211742fd3d5ea07ebedaf8cf5

memory/2756-248-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Cdfkolkf.exe

MD5 66a9b5e8670f250fcdfb95b4842585f8
SHA1 d79a7bf3ba89a7922227fd044e2aed5632f0d794
SHA256 705dece08143d1a7f282a83d8b3a72b3cb5beb32eef8719c016cb09f955b8d40
SHA512 96275a0b7eb5b0367eb76bdf968f0fc7cf42432559d0386c03e2ac95dd93b495fb9af11159df8dec426d459e21134b1914a996d3999a0481e6bcb2c0cbaad792

memory/1500-257-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2780-263-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ceehho32.exe

MD5 d56d5d56a2bc65b99dd2d20e1ca0d257
SHA1 39dc333188b3604dfa5cb0e4a226f9ce9067a9c4
SHA256 f8238c7b98b25132de5c197c460dbb804cfd5b2790d1952b8ec4800439eb5630
SHA512 d0760207ab10527cb6e81c689b3d19ed2c119137ddb5620739cb1497bcd7d43fe3743b93986527b6d59ed0d15e2944cbe25d0544b3a4c17fcf8ff59c32b7ef14

memory/1836-269-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4768-275-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1828-281-0x0000000000400000-0x0000000000453000-memory.dmp

memory/452-287-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4068-293-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2324-299-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Ddmaok32.exe

MD5 b4f23c77faeff0b1f91bc3c811a7a524
SHA1 29a6c51778032e730dad1135741f7f97d5f598df
SHA256 6cd3319c6e5a8a15291697c48486f8cca761815879701920aeb532804412ae08
SHA512 9722a85624f5dfa86f031d2788b47bc593e5e4a027f1a3e16c794834756fcccb5401a87383234cd099fb648d22d7f468c1b1d256486556a99e0c5d21c79fdaf7

memory/672-305-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3708-311-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2416-317-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Delnin32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Note: these four values are the digests of zero-length input, so the file was empty when the sandbox captured it. They identify no content and should not be used as indicators.

memory/3520-323-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2424-329-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dfnjafap.exe

MD5 13c9489e9510a0a017675a3b8149cd0c
SHA1 e8f1b26d6a7458d1b7b25537b85e9655eefb7d9e
SHA256 90597e3904abc887791f53f14151c7f8c26e5b200205e35768294009ee7fd937
SHA512 1dbf9a6aa134538aeaf194a23038dca579f7684469664dc693debb6df2940e93b05a9c7d57d0a908d38e4c42f5ebeecba7492f9a555e44564fcd93a4fffd7e41

memory/4880-335-0x0000000000400000-0x0000000000453000-memory.dmp

memory/384-341-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2180-350-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4764-356-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3028-359-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Dmllipeg.exe

MD5 d247051391e970f169501c966256d7b5
SHA1 d4b2770751de84df866b7e663cd6676af16001d6
SHA256 9c0c72b3a1a85ee873bb186897bbf7bec8a018813fd3987c1fd40d5f1e5a30aa
SHA512 3aa1c110cc55651682a11b1fb6cc8cb83691b3a8dcadfd82fb407bff51b7f7536820e7db39b23fb4839455f4f47cdad6c48d9482467780c1a4a98786987cadd9

memory/908-365-0x0000000000400000-0x0000000000453000-memory.dmp

memory/908-368-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3028-369-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4764-371-0x0000000000400000-0x0000000000453000-memory.dmp

memory/384-375-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4880-380-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3520-384-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4068-391-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4564-421-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3972-453-0x0000000000400000-0x0000000000453000-memory.dmp

memory/116-451-0x0000000000400000-0x0000000000453000-memory.dmp

memory/540-449-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1568-447-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3208-445-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4716-443-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4996-441-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4056-439-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2024-437-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1300-435-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4912-433-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1560-431-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5108-429-0x0000000000400000-0x0000000000453000-memory.dmp

memory/5032-427-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1820-425-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4556-423-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3556-419-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4720-417-0x0000000000400000-0x0000000000453000-memory.dmp

memory/756-415-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2312-413-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1688-411-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3328-409-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3200-407-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2756-405-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1500-403-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2780-401-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1836-399-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4768-397-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1828-395-0x0000000000400000-0x0000000000453000-memory.dmp

memory/452-393-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2324-389-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2416-387-0x0000000000400000-0x0000000000453000-memory.dmp

memory/672-386-0x0000000000400000-0x0000000000453000-memory.dmp

memory/3708-382-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2424-378-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2180-373-0x0000000000400000-0x0000000000453000-memory.dmp
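An added check over the file and memory-dump listing above (example code written for this page, not part of the sandbox report or of the tool that produced it): it parses the path / hash / memory-dump lines in the layout shown, validates digest lengths, flags entries whose digests are the well-known hashes of zero-length input (as with Delnin32.exe above), lists paths that were captured more than once with different content (Bcoenmao.exe above), and groups the dumped regions by base and size. The sample text is copied from entries on this page; the function, class and field names are my own.

```python
"""Parse a sandbox 'Files' listing and sanity-check hashes before they become indicators."""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass, field

# Digests of zero-length input: a dropped file carrying these was empty at capture time.
EMPTY_DIGESTS = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
    "sha256": hashlib.sha256(b"").hexdigest(),
    "sha512": hashlib.sha512(b"").hexdigest(),
}
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)


@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self):
        return self.end - self.start


def is_empty_file(f):
    """True if any recorded digest equals the digest of empty input."""
    return any(f.hashes.get(algo) == digest for algo, digest in EMPTY_DIGESTS.items())


def parse_report(text):
    """Return (files, dumps); a path line opens a record, hash lines fill it, dump lines close it."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append(MemoryDump(int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != HEX_LENGTHS[algo]:
                current.problems.append(f"{algo}: {len(digest)} hex chars, expected {HEX_LENGTHS[algo]}")
            current.hashes[algo] = digest
            continue
        if line.startswith("C:\\"):
            current = DroppedFile(path=line)
            files.append(current)
    for f in files:
        if is_empty_file(f):
            f.problems.append("digests are those of zero-length input")
    return files, dumps


def usable_indicators(files):
    """SHA256 values with no recorded problem, deduplicated and sorted for a blocklist."""
    return sorted({f.hashes["sha256"] for f in files if "sha256" in f.hashes and not f.problems})


def duplicate_paths(files):
    """Paths captured more than once (the same name written with different content)."""
    counts = Counter(f.path for f in files)
    return sorted(p for p, n in counts.items() if n > 1)


def region_summary(dumps):
    """Count dumps by (base, size); a chain of dropped copies of one image shows a single shape."""
    return Counter((d.start, d.size) for d in dumps)


# Sample input copied from the listing on this page (a subset of the entries).
SAMPLE = r"""
memory/3504-24-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Qcgffqei.exe

MD5 ddd131fe0a4d86075dd6825020c58b12
SHA1 15baae72fed8152a8decc0f06b0a5b39ca785cc3
SHA256 2eaa32b7249e0b484c047fd542059e2dd9dbbf288f09d2e9f6667739572a2265
SHA512 11de47807b9b590e8317361cb49366fb9fe5fb631c36229200660a74d7a82c6eea3f5b4b2d42bb3c2af96bc2a6f1848966de72a3530f72e313852aed34844818

memory/1284-32-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Windows\SysWOW64\Bcoenmao.exe

MD5 a2ddfcd04cbfe626f396f5b66428d93e
SHA1 bbded3c0c58c80e2a3b495cacbd3f0263492f36a
SHA256 89393f5ad42a786f6610f3ddedf1e301012a9b9f8da64e851d9ca5cf56403537
SHA512 5fe322d9507fa6afeb2368f66ca59aaf0fd00a2dbe141e230b676c37729733b42ae3bd0cac1fff7b92391748598103529ab5394159ec3090fc5ce19f297ca052

C:\Windows\SysWOW64\Bcoenmao.exe

MD5 8f6114e3e699fc5a2d99a3aee871e4e3
SHA1 5a3447ad41f6c0b097a5f15d942a1f951615c457
SHA256 3e86251da8d6e45f53e2479571771009802a5580c29b603811d01463d0239717
SHA512 4fb48614115eb777ca6b880eadb6072c0a405cdd1dc81d38a80b9aa2114ad46debf24afbefce2bebdf261f6b754179d4f9ec395182190db61e733a6838f08e16

C:\Windows\SysWOW64\Delnin32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3520-323-0x0000000000400000-0x0000000000453000-memory.dmp
"""

if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE)
    for f in files:
        print(f.path, f.problems or "ok")
    print("indicators:", usable_indicators(files))
    print("duplicates:", duplicate_paths(files))
    print("regions:", dict(region_summary(dumps)))
```

Run against the full listing, every dump on this page falls into one (0x400000, 0x53000) bucket, which is what a chain of freshly dropped copies of the same image looks like; an entry that does not fit that shape is the one worth looking at first.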