Malware Analysis Report

2024-11-15 10:30

Sample ID: 241110-cc3eyszmcp
Target: b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28
SHA256: b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28
Tags: berbew, backdoor, discovery, persistence
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28

Threat Level: Known bad

The file b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28 was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:56

Reported

2024-11-10 01:59

Platform

win7-20240903-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE


Loads dropped DLL


Drops file in System32 directory


Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Ceegmj32.exe

System Location Discovery: System Language Discovery

discovery

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pjpnbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll" C:\Windows\SysWOW64\Cbdnko32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qbplbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjdplm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qiladcdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qqeicede.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfmdo32.dll" C:\Windows\SysWOW64\Aaheie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amelne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll" C:\Windows\SysWOW64\Apdhjq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipheffp.dll" C:\Windows\SysWOW64\Pmccjbaf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bkglameg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll" C:\Windows\SysWOW64\Cmgechbh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pqjfoa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pcibkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aaheie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aecaidjl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ajgpbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbdnko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpdbghp.dll" C:\Windows\SysWOW64\Pqhijbog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnfdigq.dll" C:\Windows\SysWOW64\Qbplbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmnchif.dll" C:\Windows\SysWOW64\Aecaidjl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Achojp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Achojp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Apalea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll" C:\Windows\SysWOW64\Acpdko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qgmdjp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Aeqabgoj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bphbeplm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bejdiffp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll" C:\Windows\SysWOW64\Akmjfn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bobhal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amcpie32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll" C:\Windows\SysWOW64\Achojp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qflhbhgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bobhal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll" C:\Windows\SysWOW64\Cfnmfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmgechbh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pdlkiepd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll" C:\Windows\SysWOW64\Qgoapp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cklfll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkahecm.dll" C:\Windows\SysWOW64\Pckoam32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Aaheie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll" C:\Windows\SysWOW64\Baadng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pqemdbaj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Agdjkogm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll" C:\Windows\SysWOW64\Ajgpbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cpfaocal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pckoam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll" C:\Windows\SysWOW64\Bfpnmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqmqeba.dll" C:\Windows\SysWOW64\Pkfceo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pkfceo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll" C:\Windows\SysWOW64\Qgmdjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Abbeflpf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ojigbhlp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Agdjkogm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Apalea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll" C:\Windows\SysWOW64\Bjdplm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjmmbcg.dll" C:\Windows\SysWOW64\Pkdgpo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qodlkm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Baadng32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cdoajb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cbdnko32.exe N/A
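
The rows above all touch one CLSID, {79FAA099-1BAE-816E-D711-115290CEE717}, and the (Default) value of its InProcServer32 subkey is rewritten generation after generation to point at a freshly dropped DLL under SysWOW64 (Aheefb32.dll, Emfmdo32.dll, Ecjdib32.dll and so on). An in-process COM server registered this way is loaded into whichever process instantiates the CLSID; Explorer does that at logon for CLSIDs listed under ShellServiceObjectDelayLoad, which is how this family turns a registry class entry into persistence. ThreadingModel = "Apartment" is the normal value for an in-proc server and is not a signal on its own; the signal is the DLL path and who wrote it. The script below is an added example for this report, not sandbox or Berbew code: it parses a copy of nine of the rows above into a per-CLSID summary (DLLs pointed at, threading model, distinct writer processes) and applies a naming heuristic, flag_dll(), which is an analyst's assumption about these 8-character names and not a rule the report states.

```python
"""Pull the COM-registration IOCs out of the 'Modifies registry class' rows.

Added example for this report, not code from the sandbox or from the sample.
Input rows are copied from the table above; flag_dll() is an assumption about
how an analyst would triage such entries, not a rule the report states."""
import re
from collections import defaultdict

# Constructed input: nine rows copied verbatim from the table above.
ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pjpnbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll" C:\Windows\SysWOW64\Cbdnko32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qbplbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfmdo32.dll" C:\Windows\SysWOW64\Aaheie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll" C:\Windows\SysWOW64\Apdhjq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipheffp.dll" C:\Windows\SysWOW64\Pmccjbaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpdbghp.dll" C:\Windows\SysWOW64\Pqhijbog.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Aaheie32.exe N/A
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\S+)\\(?P<name>[^\\ ]*) = "(?P<data>[^"]*)" (?P<proc>\S+) N/A$')
KEY_RE = re.compile(r"^Key created (?P<key>\S+) (?P<proc>\S+) N/A$")
# Assumption: the file-name shape shared by every DLL in this table (one capital
# letter, then seven lowercase letters or five lowercase letters plus "32").
RANDOM_NAME_RE = re.compile(r"^[A-Z][a-z]{5}(?:32|[a-z]{2})\.dll$")


def parse_rows(text):
    """Turn sandbox table rows into event dicts; rows of unknown shape are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["op"] = "set"
            # The sandbox escapes backslashes inside string data; undo that.
            ev["data"] = ev["data"].replace("\\\\", "\\")
            events.append(ev)
            continue
        m = KEY_RE.match(line)
        if m:
            ev = m.groupdict()
            ev.update(op="create", type=None, name=None, data=None)
            events.append(ev)
    return events


def summarize(events):
    """Per CLSID: every DLL InProcServer32 was pointed at (first-seen order), the
    threading model(s) written, the distinct writer processes and key creations."""
    out = defaultdict(lambda: {"inproc_dlls": [], "threading": set(),
                               "writers": set(), "key_creates": 0})
    for ev in events:
        m = CLSID_RE.search(ev["key"])
        if not m or not ev["key"].upper().endswith("\\INPROCSERVER32"):
            continue
        rec = out[m.group(0).upper()]
        rec["writers"].add(ev["proc"].rsplit("\\", 1)[-1])
        if ev["op"] == "create":
            rec["key_creates"] += 1
        elif ev["name"] == "":                      # (Default) value = server DLL path
            if ev["data"] not in rec["inproc_dlls"]:
                rec["inproc_dlls"].append(ev["data"])
        elif ev["name"].lower() == "threadingmodel":
            rec["threading"].add(ev["data"])
    return dict(out)


def flag_dll(path):
    """Triage hint (assumption): an in-proc server living in the 32-bit system
    directory under a pseudo-random 8-character name. A real hunt should instead
    diff InProcServer32 values against a known-good baseline of the host."""
    folder, _, name = path.rpartition("\\")
    in_sysdir = folder.lower().endswith(("\\syswow64", "\\system32"))
    return in_sysdir and RANDOM_NAME_RE.match(name) is not None


if __name__ == "__main__":
    for clsid, rec in summarize(parse_rows(ROWS)).items():
        print(clsid, "ThreadingModel:", ",".join(sorted(rec["threading"])))
        for dll in rec["inproc_dlls"]:
            print("  InProcServer32 ->", dll, "(flagged)" if flag_dll(dll) else "")
        print("  written by", len(rec["writers"]), "processes;",
              rec["key_creates"], "key creations")
```

Run against the full table the summary grows to one CLSID with roughly a dozen distinct DLL paths; the hunt on a live host is then "does this CLSID exist, and does its InProcServer32 resolve to a file that is not in the baseline", which is why the CLSID and the DLL paths, not the writer EXE names, are the IOCs worth keeping from this section.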

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2828 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe C:\Windows\SysWOW64\Okdkal32.exe
PID 2828 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe C:\Windows\SysWOW64\Okdkal32.exe
PID 2828 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe C:\Windows\SysWOW64\Okdkal32.exe
PID 2828 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe C:\Windows\SysWOW64\Okdkal32.exe
PID 3068 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Okdkal32.exe C:\Windows\SysWOW64\Oqacic32.exe
PID 3068 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Okdkal32.exe C:\Windows\SysWOW64\Oqacic32.exe
PID 3068 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Okdkal32.exe C:\Windows\SysWOW64\Oqacic32.exe
PID 3068 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Okdkal32.exe C:\Windows\SysWOW64\Oqacic32.exe
PID 2812 wrote to memory of 2700 N/A C:\Windows\SysWOW64\Oqacic32.exe C:\Windows\SysWOW64\Ojigbhlp.exe
PID 2812 wrote to memory of 2700 N/A C:\Windows\SysWOW64\Oqacic32.exe C:\Windows\SysWOW64\Ojigbhlp.exe
PID 2812 wrote to memory of 2700 N/A C:\Windows\SysWOW64\Oqacic32.exe C:\Windows\SysWOW64\Ojigbhlp.exe
PID 2812 wrote to memory of 2700 N/A C:\Windows\SysWOW64\Oqacic32.exe C:\Windows\SysWOW64\Ojigbhlp.exe
PID 2700 wrote to memory of 2664 N/A C:\Windows\SysWOW64\Ojigbhlp.exe C:\Windows\SysWOW64\Oqcpob32.exe
PID 2700 wrote to memory of 2664 N/A C:\Windows\SysWOW64\Ojigbhlp.exe C:\Windows\SysWOW64\Oqcpob32.exe
PID 2700 wrote to memory of 2664 N/A C:\Windows\SysWOW64\Ojigbhlp.exe C:\Windows\SysWOW64\Oqcpob32.exe
PID 2700 wrote to memory of 2664 N/A C:\Windows\SysWOW64\Ojigbhlp.exe C:\Windows\SysWOW64\Oqcpob32.exe
PID 2664 wrote to memory of 536 N/A C:\Windows\SysWOW64\Oqcpob32.exe C:\Windows\SysWOW64\Ogmhkmki.exe
PID 2664 wrote to memory of 536 N/A C:\Windows\SysWOW64\Oqcpob32.exe C:\Windows\SysWOW64\Ogmhkmki.exe
PID 2664 wrote to memory of 536 N/A C:\Windows\SysWOW64\Oqcpob32.exe C:\Windows\SysWOW64\Ogmhkmki.exe
PID 2664 wrote to memory of 536 N/A C:\Windows\SysWOW64\Oqcpob32.exe C:\Windows\SysWOW64\Ogmhkmki.exe
PID 536 wrote to memory of 956 N/A C:\Windows\SysWOW64\Ogmhkmki.exe C:\Windows\SysWOW64\Pngphgbf.exe
PID 536 wrote to memory of 956 N/A C:\Windows\SysWOW64\Ogmhkmki.exe C:\Windows\SysWOW64\Pngphgbf.exe
PID 536 wrote to memory of 956 N/A C:\Windows\SysWOW64\Ogmhkmki.exe C:\Windows\SysWOW64\Pngphgbf.exe
PID 536 wrote to memory of 956 N/A C:\Windows\SysWOW64\Ogmhkmki.exe C:\Windows\SysWOW64\Pngphgbf.exe
PID 956 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Pngphgbf.exe C:\Windows\SysWOW64\Pqemdbaj.exe
PID 956 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Pngphgbf.exe C:\Windows\SysWOW64\Pqemdbaj.exe
PID 956 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Pngphgbf.exe C:\Windows\SysWOW64\Pqemdbaj.exe
PID 956 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Pngphgbf.exe C:\Windows\SysWOW64\Pqemdbaj.exe
PID 2140 wrote to memory of 1968 N/A C:\Windows\SysWOW64\Pqemdbaj.exe C:\Windows\SysWOW64\Pcdipnqn.exe
PID 2140 wrote to memory of 1968 N/A C:\Windows\SysWOW64\Pqemdbaj.exe C:\Windows\SysWOW64\Pcdipnqn.exe
PID 2140 wrote to memory of 1968 N/A C:\Windows\SysWOW64\Pqemdbaj.exe C:\Windows\SysWOW64\Pcdipnqn.exe
PID 2140 wrote to memory of 1968 N/A C:\Windows\SysWOW64\Pqemdbaj.exe C:\Windows\SysWOW64\Pcdipnqn.exe
PID 1968 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Pcdipnqn.exe C:\Windows\SysWOW64\Pnimnfpc.exe
PID 1968 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Pcdipnqn.exe C:\Windows\SysWOW64\Pnimnfpc.exe
PID 1968 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Pcdipnqn.exe C:\Windows\SysWOW64\Pnimnfpc.exe
PID 1968 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Pcdipnqn.exe C:\Windows\SysWOW64\Pnimnfpc.exe
PID 2568 wrote to memory of 2992 N/A C:\Windows\SysWOW64\Pnimnfpc.exe C:\Windows\SysWOW64\Pqhijbog.exe
PID 2568 wrote to memory of 2992 N/A C:\Windows\SysWOW64\Pnimnfpc.exe C:\Windows\SysWOW64\Pqhijbog.exe
PID 2568 wrote to memory of 2992 N/A C:\Windows\SysWOW64\Pnimnfpc.exe C:\Windows\SysWOW64\Pqhijbog.exe
PID 2568 wrote to memory of 2992 N/A C:\Windows\SysWOW64\Pnimnfpc.exe C:\Windows\SysWOW64\Pqhijbog.exe
PID 2992 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Pqhijbog.exe C:\Windows\SysWOW64\Pgbafl32.exe
PID 2992 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Pqhijbog.exe C:\Windows\SysWOW64\Pgbafl32.exe
PID 2992 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Pqhijbog.exe C:\Windows\SysWOW64\Pgbafl32.exe
PID 2992 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Pqhijbog.exe C:\Windows\SysWOW64\Pgbafl32.exe
PID 3040 wrote to memory of 1132 N/A C:\Windows\SysWOW64\Pgbafl32.exe C:\Windows\SysWOW64\Pjpnbg32.exe
PID 3040 wrote to memory of 1132 N/A C:\Windows\SysWOW64\Pgbafl32.exe C:\Windows\SysWOW64\Pjpnbg32.exe
PID 3040 wrote to memory of 1132 N/A C:\Windows\SysWOW64\Pgbafl32.exe C:\Windows\SysWOW64\Pjpnbg32.exe
PID 3040 wrote to memory of 1132 N/A C:\Windows\SysWOW64\Pgbafl32.exe C:\Windows\SysWOW64\Pjpnbg32.exe
PID 1132 wrote to memory of 1444 N/A C:\Windows\SysWOW64\Pjpnbg32.exe C:\Windows\SysWOW64\Pqjfoa32.exe
PID 1132 wrote to memory of 1444 N/A C:\Windows\SysWOW64\Pjpnbg32.exe C:\Windows\SysWOW64\Pqjfoa32.exe
PID 1132 wrote to memory of 1444 N/A C:\Windows\SysWOW64\Pjpnbg32.exe C:\Windows\SysWOW64\Pqjfoa32.exe
PID 1132 wrote to memory of 1444 N/A C:\Windows\SysWOW64\Pjpnbg32.exe C:\Windows\SysWOW64\Pqjfoa32.exe
PID 1444 wrote to memory of 2052 N/A C:\Windows\SysWOW64\Pqjfoa32.exe C:\Windows\SysWOW64\Pcibkm32.exe
PID 1444 wrote to memory of 2052 N/A C:\Windows\SysWOW64\Pqjfoa32.exe C:\Windows\SysWOW64\Pcibkm32.exe
PID 1444 wrote to memory of 2052 N/A C:\Windows\SysWOW64\Pqjfoa32.exe C:\Windows\SysWOW64\Pcibkm32.exe
PID 1444 wrote to memory of 2052 N/A C:\Windows\SysWOW64\Pqjfoa32.exe C:\Windows\SysWOW64\Pcibkm32.exe
PID 2052 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Pcibkm32.exe C:\Windows\SysWOW64\Pjbjhgde.exe
PID 2052 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Pcibkm32.exe C:\Windows\SysWOW64\Pjbjhgde.exe
PID 2052 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Pcibkm32.exe C:\Windows\SysWOW64\Pjbjhgde.exe
PID 2052 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Pcibkm32.exe C:\Windows\SysWOW64\Pjbjhgde.exe
PID 2152 wrote to memory of 1108 N/A C:\Windows\SysWOW64\Pjbjhgde.exe C:\Windows\SysWOW64\Pkdgpo32.exe
PID 2152 wrote to memory of 1108 N/A C:\Windows\SysWOW64\Pjbjhgde.exe C:\Windows\SysWOW64\Pkdgpo32.exe
PID 2152 wrote to memory of 1108 N/A C:\Windows\SysWOW64\Pjbjhgde.exe C:\Windows\SysWOW64\Pkdgpo32.exe
PID 2152 wrote to memory of 1108 N/A C:\Windows\SysWOW64\Pjbjhgde.exe C:\Windows\SysWOW64\Pkdgpo32.exe
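
Read as a graph, the rows above are a single straight line: the submitted sample (PID 2828) writes into Okdkal32.exe (3068), which writes into Oqacic32.exe (2812), and so on for sixteen generations, each child a differently named executable dropped into SysWOW64, in the same order as the Processes list further down. Every pair appears four times because the sandbox logs each WriteProcessMemory call and a parent populates the new child's process parameters at creation time, so a few writes per spawn are expected for any process; the evidence here is the shape of the chain, not the write count. The script below is an added example for this report, not sandbox or Berbew code: it parses a copy of the rows (the first two pairs kept fourfold, the remaining fourteen once, to keep it short), collapses the repeats, walks the chain from the root and applies a chain-shape heuristic, is_linear_spawn_chain(), which is an analyst's assumption and not a rule the report states.

```python
"""Rebuild the spawn chain from the 'Suspicious use of WriteProcessMemory' rows.

Added example for this report, not code from the sandbox or the sample. Input
rows are copied from the table above; is_linear_spawn_chain() is an analyst's
heuristic (assumption), not a rule the report states."""
import re
from collections import Counter

# Constructed input: rows copied from the table above. The table repeats every
# parent/child pair four times; only the first two pairs are kept fourfold here
# and the remaining fourteen once.
ROWS = r"""
PID 2828 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe C:\Windows\SysWOW64\Okdkal32.exe
PID 2828 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe C:\Windows\SysWOW64\Okdkal32.exe
PID 2828 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe C:\Windows\SysWOW64\Okdkal32.exe
PID 2828 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe C:\Windows\SysWOW64\Okdkal32.exe
PID 3068 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Okdkal32.exe C:\Windows\SysWOW64\Oqacic32.exe
PID 3068 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Okdkal32.exe C:\Windows\SysWOW64\Oqacic32.exe
PID 3068 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Okdkal32.exe C:\Windows\SysWOW64\Oqacic32.exe
PID 3068 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Okdkal32.exe C:\Windows\SysWOW64\Oqacic32.exe
PID 2812 wrote to memory of 2700 N/A C:\Windows\SysWOW64\Oqacic32.exe C:\Windows\SysWOW64\Ojigbhlp.exe
PID 2700 wrote to memory of 2664 N/A C:\Windows\SysWOW64\Ojigbhlp.exe C:\Windows\SysWOW64\Oqcpob32.exe
PID 2664 wrote to memory of 536 N/A C:\Windows\SysWOW64\Oqcpob32.exe C:\Windows\SysWOW64\Ogmhkmki.exe
PID 536 wrote to memory of 956 N/A C:\Windows\SysWOW64\Ogmhkmki.exe C:\Windows\SysWOW64\Pngphgbf.exe
PID 956 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Pngphgbf.exe C:\Windows\SysWOW64\Pqemdbaj.exe
PID 2140 wrote to memory of 1968 N/A C:\Windows\SysWOW64\Pqemdbaj.exe C:\Windows\SysWOW64\Pcdipnqn.exe
PID 1968 wrote to memory of 2568 N/A C:\Windows\SysWOW64\Pcdipnqn.exe C:\Windows\SysWOW64\Pnimnfpc.exe
PID 2568 wrote to memory of 2992 N/A C:\Windows\SysWOW64\Pnimnfpc.exe C:\Windows\SysWOW64\Pqhijbog.exe
PID 2992 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Pqhijbog.exe C:\Windows\SysWOW64\Pgbafl32.exe
PID 3040 wrote to memory of 1132 N/A C:\Windows\SysWOW64\Pgbafl32.exe C:\Windows\SysWOW64\Pjpnbg32.exe
PID 1132 wrote to memory of 1444 N/A C:\Windows\SysWOW64\Pjpnbg32.exe C:\Windows\SysWOW64\Pqjfoa32.exe
PID 1444 wrote to memory of 2052 N/A C:\Windows\SysWOW64\Pqjfoa32.exe C:\Windows\SysWOW64\Pcibkm32.exe
PID 2052 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Pcibkm32.exe C:\Windows\SysWOW64\Pjbjhgde.exe
PID 2152 wrote to memory of 1108 N/A C:\Windows\SysWOW64\Pjbjhgde.exe C:\Windows\SysWOW64\Pkdgpo32.exe
"""

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$")


def parse(text):
    """One tuple per row: (writer pid, target pid, writer image, target image)."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return rows


def reconstruct(rows):
    """Collapse repeated events into a parent->child graph and walk it from the
    root. Returns the roots, the walked chain of (pid, image), per-edge event
    counts, and any parent that wrote into more than one child."""
    image, children, edge_count = {}, {}, Counter()
    for src, dst, src_img, dst_img in rows:
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        edge_count[(src, dst)] += 1
        kids = children.setdefault(src, [])
        if dst not in kids:
            kids.append(dst)
    targets = {dst for _, dst in edge_count}
    roots = [pid for pid in children if pid not in targets]
    fanout = {pid: kids for pid, kids in children.items() if len(kids) > 1}
    chain, seen = [], set()
    pid = roots[0] if len(roots) == 1 else None
    while pid is not None and pid not in seen:      # guard: PIDs get reused in long runs
        seen.add(pid)
        chain.append((pid, image[pid]))
        kids = children.get(pid, [])
        pid = kids[0] if kids else None
    return {"roots": roots, "chain": chain, "edge_count": edge_count, "fanout": fanout}


def names(result):
    """Base names along the chain, in spawn order."""
    return [img.rsplit("\\", 1)[-1] for _, img in result["chain"]]


def is_linear_spawn_chain(result, min_depth=8):
    """Triage heuristic (assumption): one root, no fan-out, and every descendant
    is an executable under the 32-bit system directory, i.e. each dropped copy's
    only recorded job was to start the next dropped copy."""
    chain = result["chain"]
    descendants = [img for _, img in chain[1:]]
    return (len(result["roots"]) == 1 and not result["fanout"] and len(chain) >= min_depth
            and all(img.lower().startswith("c:\\windows\\syswow64\\") for img in descendants))


if __name__ == "__main__":
    result = reconstruct(parse(ROWS))
    print(" -> ".join(f"{pid}:{name}" for (pid, _), name in zip(result["chain"], names(result))))
    print("generations:", len(result["chain"]), "linear:", is_linear_spawn_chain(result))
```

The same walk applied to process-creation telemetry (Sysmon event 1 or an EDR process tree) gives the list of dropped executables to collect and hash; the per-edge counts are kept only so an unusually high number of writes into one child, rather than the uniform four seen here, can be noticed.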

Processes

C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe

"C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe"

C:\Windows\SysWOW64\Okdkal32.exe

C:\Windows\system32\Okdkal32.exe

C:\Windows\SysWOW64\Oqacic32.exe

C:\Windows\system32\Oqacic32.exe

C:\Windows\SysWOW64\Ojigbhlp.exe

C:\Windows\system32\Ojigbhlp.exe

C:\Windows\SysWOW64\Oqcpob32.exe

C:\Windows\system32\Oqcpob32.exe

C:\Windows\SysWOW64\Ogmhkmki.exe

C:\Windows\system32\Ogmhkmki.exe

C:\Windows\SysWOW64\Pngphgbf.exe

C:\Windows\system32\Pngphgbf.exe

C:\Windows\SysWOW64\Pqemdbaj.exe

C:\Windows\system32\Pqemdbaj.exe

C:\Windows\SysWOW64\Pcdipnqn.exe

C:\Windows\system32\Pcdipnqn.exe

C:\Windows\SysWOW64\Pnimnfpc.exe

C:\Windows\system32\Pnimnfpc.exe

C:\Windows\SysWOW64\Pqhijbog.exe

C:\Windows\system32\Pqhijbog.exe

C:\Windows\SysWOW64\Pgbafl32.exe

C:\Windows\system32\Pgbafl32.exe

C:\Windows\SysWOW64\Pjpnbg32.exe

C:\Windows\system32\Pjpnbg32.exe

C:\Windows\SysWOW64\Pqjfoa32.exe

C:\Windows\system32\Pqjfoa32.exe

C:\Windows\SysWOW64\Pcibkm32.exe

C:\Windows\system32\Pcibkm32.exe

C:\Windows\SysWOW64\Pjbjhgde.exe

C:\Windows\system32\Pjbjhgde.exe

C:\Windows\SysWOW64\Pkdgpo32.exe

C:\Windows\system32\Pkdgpo32.exe

C:\Windows\SysWOW64\Pckoam32.exe

C:\Windows\system32\Pckoam32.exe

C:\Windows\SysWOW64\Pdlkiepd.exe

C:\Windows\system32\Pdlkiepd.exe

C:\Windows\SysWOW64\Pmccjbaf.exe

C:\Windows\system32\Pmccjbaf.exe

C:\Windows\SysWOW64\Pkfceo32.exe

C:\Windows\system32\Pkfceo32.exe

C:\Windows\SysWOW64\Qbplbi32.exe

C:\Windows\system32\Qbplbi32.exe

C:\Windows\SysWOW64\Qflhbhgg.exe

C:\Windows\system32\Qflhbhgg.exe

C:\Windows\SysWOW64\Qgmdjp32.exe

C:\Windows\system32\Qgmdjp32.exe

C:\Windows\SysWOW64\Qodlkm32.exe

C:\Windows\system32\Qodlkm32.exe

C:\Windows\SysWOW64\Qqeicede.exe

C:\Windows\system32\Qqeicede.exe

C:\Windows\SysWOW64\Qiladcdh.exe

C:\Windows\system32\Qiladcdh.exe

C:\Windows\SysWOW64\Qgoapp32.exe

C:\Windows\system32\Qgoapp32.exe

C:\Windows\SysWOW64\Aaheie32.exe

C:\Windows\system32\Aaheie32.exe

C:\Windows\SysWOW64\Aecaidjl.exe

C:\Windows\system32\Aecaidjl.exe

C:\Windows\SysWOW64\Akmjfn32.exe

C:\Windows\system32\Akmjfn32.exe

C:\Windows\SysWOW64\Achojp32.exe

C:\Windows\system32\Achojp32.exe

C:\Windows\SysWOW64\Agdjkogm.exe

C:\Windows\system32\Agdjkogm.exe

C:\Windows\SysWOW64\Annbhi32.exe

C:\Windows\system32\Annbhi32.exe

C:\Windows\SysWOW64\Aaloddnn.exe

C:\Windows\system32\Aaloddnn.exe

C:\Windows\SysWOW64\Aaloddnn.exe

C:\Windows\system32\Aaloddnn.exe

C:\Windows\SysWOW64\Apoooa32.exe

C:\Windows\system32\Apoooa32.exe

C:\Windows\SysWOW64\Amcpie32.exe

C:\Windows\system32\Amcpie32.exe

C:\Windows\SysWOW64\Apalea32.exe

C:\Windows\system32\Apalea32.exe

C:\Windows\SysWOW64\Ajgpbj32.exe

C:\Windows\system32\Ajgpbj32.exe

C:\Windows\SysWOW64\Amelne32.exe

C:\Windows\system32\Amelne32.exe

C:\Windows\SysWOW64\Apdhjq32.exe

C:\Windows\system32\Apdhjq32.exe

C:\Windows\SysWOW64\Acpdko32.exe

C:\Windows\system32\Acpdko32.exe

C:\Windows\SysWOW64\Abbeflpf.exe

C:\Windows\system32\Abbeflpf.exe

C:\Windows\SysWOW64\Aeqabgoj.exe

C:\Windows\system32\Aeqabgoj.exe

C:\Windows\SysWOW64\Blkioa32.exe

C:\Windows\system32\Blkioa32.exe

C:\Windows\SysWOW64\Bfpnmj32.exe

C:\Windows\system32\Bfpnmj32.exe

C:\Windows\SysWOW64\Biojif32.exe

C:\Windows\system32\Biojif32.exe

C:\Windows\SysWOW64\Bphbeplm.exe

C:\Windows\system32\Bphbeplm.exe

C:\Windows\SysWOW64\Bbgnak32.exe

C:\Windows\system32\Bbgnak32.exe

C:\Windows\SysWOW64\Beejng32.exe

C:\Windows\system32\Beejng32.exe

C:\Windows\SysWOW64\Bhdgjb32.exe

C:\Windows\system32\Bhdgjb32.exe

C:\Windows\SysWOW64\Blobjaba.exe

C:\Windows\system32\Blobjaba.exe

C:\Windows\SysWOW64\Bonoflae.exe

C:\Windows\system32\Bonoflae.exe

C:\Windows\SysWOW64\Balkchpi.exe

C:\Windows\system32\Balkchpi.exe

C:\Windows\SysWOW64\Bhfcpb32.exe

C:\Windows\system32\Bhfcpb32.exe

C:\Windows\SysWOW64\Bjdplm32.exe

C:\Windows\system32\Bjdplm32.exe

C:\Windows\SysWOW64\Bmclhi32.exe

C:\Windows\system32\Bmclhi32.exe

C:\Windows\SysWOW64\Bejdiffp.exe

C:\Windows\system32\Bejdiffp.exe

C:\Windows\SysWOW64\Bdmddc32.exe

C:\Windows\system32\Bdmddc32.exe

C:\Windows\SysWOW64\Bkglameg.exe

C:\Windows\system32\Bkglameg.exe

C:\Windows\SysWOW64\Bobhal32.exe

C:\Windows\system32\Bobhal32.exe

C:\Windows\SysWOW64\Baadng32.exe

C:\Windows\system32\Baadng32.exe

C:\Windows\SysWOW64\Cdoajb32.exe

C:\Windows\system32\Cdoajb32.exe

C:\Windows\SysWOW64\Cfnmfn32.exe

C:\Windows\system32\Cfnmfn32.exe

C:\Windows\SysWOW64\Ckiigmcd.exe

C:\Windows\system32\Ckiigmcd.exe

C:\Windows\SysWOW64\Cmgechbh.exe

C:\Windows\system32\Cmgechbh.exe

C:\Windows\SysWOW64\Cpfaocal.exe

C:\Windows\system32\Cpfaocal.exe

C:\Windows\SysWOW64\Cbdnko32.exe

C:\Windows\system32\Cbdnko32.exe

C:\Windows\SysWOW64\Cklfll32.exe

C:\Windows\system32\Cklfll32.exe

C:\Windows\SysWOW64\Cmjbhh32.exe

C:\Windows\system32\Cmjbhh32.exe

C:\Windows\SysWOW64\Clmbddgp.exe

C:\Windows\system32\Clmbddgp.exe

C:\Windows\SysWOW64\Cddjebgb.exe

C:\Windows\system32\Cddjebgb.exe

C:\Windows\SysWOW64\Ceegmj32.exe

C:\Windows\system32\Ceegmj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 140

Network

N/A

Files

memory/2828-0-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Okdkal32.exe

MD5 e31c2e879ee36b7cafc8dd853040d015
SHA1 c7bb04d8b983faf355db0a758333a6c11f253386
SHA256 4c0f3773e4ee1348c47541ffe73f93046cf6cc8e9f25332417b477d38677ba35
SHA512 1185ad9a74130ec041195197d0e4a519e13e36810fa03ec35e371b53c0b0f638e91bf24c441b160c141aec289b7647f379bdc7437c46d07358e958058cdfc760

memory/3068-14-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2828-12-0x0000000000440000-0x0000000000475000-memory.dmp

memory/2828-11-0x0000000000440000-0x0000000000475000-memory.dmp

\Windows\SysWOW64\Oqacic32.exe

MD5 98845d48881a8271265eb52e275729d0
SHA1 349ccfd78a53acfc1fb174abccfd69138e88024b
SHA256 e88b7d0004774ec770c3a2e0e00c0bbc9947bae6fc47b00e849a38df2860c70e
SHA512 487df9b857189ef636f8fabcbdb585db4eaf71cc89ac400d252afc2f476fba14d60ad8f3bdf5c95a6c678c25606c3e9d2f805ce73109951eb9a82a7637167a3d

memory/2812-28-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3068-27-0x00000000002D0000-0x0000000000305000-memory.dmp

\Windows\SysWOW64\Ojigbhlp.exe

MD5 86778cfeb1131983bc2f2e29e2b7ec4e
SHA1 157a5e50eea0947dca721957b8fb0b5506cb7dff
SHA256 ed93e62c5b732a349fde0e39c151a4d4742abe04c461bd07670234461a3460db
SHA512 e938e7dc4d761dfd91b590665a9aa1140b9b264003bf078e6d6cca49e4a0c7e514b12ebaceaa165c313e55ca4817505e6b2c2c97e98e8246c9f8f10e700a2dea

memory/2812-36-0x0000000000250000-0x0000000000285000-memory.dmp

memory/2700-49-0x0000000000250000-0x0000000000285000-memory.dmp

\Windows\SysWOW64\Oqcpob32.exe

MD5 f659c49b4790d52ec64c234c7b893284
SHA1 ddbb887c592716219f6c569922dcd6cb546a1df2
SHA256 a0556a1afda98d05a09c3d5a722afb53635a52482f7fbacad108b04f1bacf0c7
SHA512 b1f015aec9af72e22fd949e39835117202a411098d40869e6de87d203cc3c1e43513b03f8751a5f718b9b8cc6a8495e7b5c053dd5cd50d112611f92654f71ce4

memory/2664-55-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Ihlfga32.dll

MD5 e354e8e66359b623ecda8a5c591def83
SHA1 2c06ebf3d67b54fdcabbac8fcabdd7a2e409983d
SHA256 f08202a92b3c8c5585de15929e4618268cf1ebda205b55e1383b1ae7339971de
SHA512 4cd1d0bcd54eb9d05e8f682f29e5f7a98252931ed86e6d7ac4b2e7ac6b4cbf6c684b66a9c91b0f9d798a2665bb79fb8c1bce5822d86d75bb1dc40c4520c6ec7a

\Windows\SysWOW64\Ogmhkmki.exe

MD5 de68735f30cd2de41f35caaf902222ba
SHA1 5f486f6f2289550b3aad5b76ca08bb513cb3a01b
SHA256 7590233f88c33c3c0350b2607b5dd30c03d19f10483f0fde6a624c40cb4152bb
SHA512 10bfddae7cb8b68a4a72eb549f2ee2fa17c361f8b9733b339eef354d05e66a8478b3c60252ed80bcb57d2a009558b37eb84f418b396b25c18ca0f81614731b2b

memory/2664-62-0x0000000000440000-0x0000000000475000-memory.dmp

\Windows\SysWOW64\Pngphgbf.exe

MD5 2622a10acb24bb2e789801c0d7eb9d65
SHA1 d99d474f0715186879f40252506e44fd53eea4b9
SHA256 9b5f25637ee3450a6245e2769323fa40c8574cfdfa6121338161c86807ba4d2b
SHA512 464d81efad2a9008c7d65b221d58f39c8ab5e2f9fb1cc89db1cba10f1c4468a1bd5a6ed1761f5bee697a760b78465ea3d8903557a4a56aae3db496c830130ffb

memory/956-81-0x0000000000400000-0x0000000000435000-memory.dmp

\Windows\SysWOW64\Pqemdbaj.exe

MD5 0c60a639ab7066279e7604f37d725138
SHA1 b96ab376df14d5ef3d9a815d001e8e1e698427bc
SHA256 e7c790bed449bca4eb6ceca96e6fea91090b99f37886be4d228259cf8412cf85
SHA512 2af4f647eaf3997d7b18d59998cd03fea1556f28c99a3b7795cff195590bac8d0394607e5dd0c87d375fe5bd7ef09e76eca05a20f2c1d14e46e223586cbd2728

memory/2140-94-0x0000000000400000-0x0000000000435000-memory.dmp

\Windows\SysWOW64\Pcdipnqn.exe

MD5 d8c72e6e64b91b9b650b248dc7d9b075
SHA1 f194febab27345f515c7beab179c03975b138745
SHA256 eb0166427e539711ac1701a352fe3d1eb20366ea5cf7f4fb9313f4bcf434a736
SHA512 2673970f797bbd8fad8b88a00880b5b8aa7b137928a35a592f0866a80d43dbb0ce3314f8e613b40ecaf503adaaed17b4ca32f4887cc781aeeecd96beff25de58

memory/1968-107-0x0000000000400000-0x0000000000435000-memory.dmp

\Windows\SysWOW64\Pnimnfpc.exe

MD5 418481777008fe3de19020c428075cb4
SHA1 a1f0e8c528b067adb25e8d3a9846468faaaee654
SHA256 6c47007709369510d88635438551b611af4882329dabfd977cad506d8bfd8fc3
SHA512 23312fd6a711e6e8692c4c5abf245c03d841672308f8347b49387352bd9c9eac0e3392ffbace782be7577fb404cf3bb29c4a6e7b760a8dd3f81a4f5b392726e3

memory/1968-114-0x0000000000250000-0x0000000000285000-memory.dmp

C:\Windows\SysWOW64\Pqhijbog.exe

MD5 86f0efc445410c467df2becb23e5fcfc
SHA1 daa6610c7f89d4d2d2182b007328231770c90228
SHA256 a261b61c7fca0a38838d05794df158c5ccb7d5117cacd9247c6c52e103faa0be
SHA512 eb816916f2686900b95efd35a8f5e5a033ede233ceb55c4df0ab1c32a891a6a0c84c778f3970009756b46927a80bf93a394cded25543c10d7dde6be26b4f5704

memory/2992-133-0x0000000000400000-0x0000000000435000-memory.dmp

\Windows\SysWOW64\Pgbafl32.exe

MD5 d6b1193015c31346eaaf00ab79e63c47
SHA1 837d37d4d1232dfdb9b1c0a5131dcf0272025dc4
SHA256 4406f6a42d703a93306d3970b737fdc0d13a646d191f6328858307f60a06bd34
SHA512 f5ad35c3cdaed5f87a2ec062e719839aa4a895e4ac5c444833df109514d9dff77f054896f9f15efb2c966e195f41d2b82b416700650f5f637660ee7206513f8a

memory/2992-140-0x0000000000260000-0x0000000000295000-memory.dmp

memory/1132-159-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Pjpnbg32.exe

MD5 ab86c7621d03dcfaa2a9bc776592e3fe
SHA1 f3204ee53f1af62d5f071a43e11d75597192943c
SHA256 8554c0f7f3478aca315257d60dbac760c93bb6cc4ea07e1867c369b66d223dc3
SHA512 837ffe955e7271023efe1a700130975e3c8ac393bb5b3d5f0e7be68493b5089d9068988090c28a38c6ab2b1e9382e5e686ab2105daaa3d466ddf93ef73227aad

\Windows\SysWOW64\Pqjfoa32.exe

MD5 0728d4e9da9b4589d023be42b92609dc
SHA1 38baff8205d219a4f1717905dd23c9b0ac0f0f2c
SHA256 b1af690cd28dd20a243a3ece7afb41abf94c9b2054cfd2579d4b6226ed317d4b
SHA512 9cae76b89af6a3304f660a4464b6f01e103f9aed5de62b7e57434233d57c7ad705dcb28153d91d2a99fa72e7657efb33867fa8cd7f439193d4c9e1474243e24e

memory/1132-166-0x0000000000250000-0x0000000000285000-memory.dmp

memory/1444-174-0x0000000000400000-0x0000000000435000-memory.dmp

\Windows\SysWOW64\Pcibkm32.exe

MD5 b02bda0e77b089cfad0682df9e5be695
SHA1 8a7e3db04e9ff2563893267277a35f8d33312808
SHA256 0c7403a03c3857f5a269127e4b80d1b8d48878612c3241de0efec08bf0443a40
SHA512 d7f57c24a68c1b9ef7c441078dd746269fb1f3a4d60aeb189695287d212acfbcc144652f9d37b950b538fc9adc52eb41521f2b2859865a7b2288ca712d3271c0

memory/1444-181-0x0000000000440000-0x0000000000475000-memory.dmp

\Windows\SysWOW64\Pjbjhgde.exe

MD5 1f965352149b6f721b19fd1371a205d3
SHA1 3ad53045fb1359bdfc9c98bf9d207908c120368b
SHA256 aa5f6077c0b7c4c45931f650f2b50f35f94e42361687d8ca90ea13196aa0a3f0
SHA512 fea4aae631d9ff994a58d998cdf059ae39b0dc25696339c799e9e496727bec3bbd180a54039cad3efee2856f299196f416ec491898015b1baf12da55da3dfb45

memory/2052-193-0x0000000000250000-0x0000000000285000-memory.dmp

memory/2152-200-0x0000000000400000-0x0000000000435000-memory.dmp

\Windows\SysWOW64\Pkdgpo32.exe

MD5 a98f14b1fc3ce38274157f5a9576a70c
SHA1 07df3925413bee9523a75d435a27f11d04669ad3
SHA256 47e8be6aab512aa65833593a0ddce7ec220191e3347c4b4a4bd0670921141db7
SHA512 274507859366bade193a22b6203b81fa2c417e928a603a187871f192d9f8cfa7acdc9fc0ef3932b4401b09a3198ae67b398373d7e76f5cc99a8ab75f853a966c

memory/1108-213-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1108-220-0x0000000000260000-0x0000000000295000-memory.dmp

C:\Windows\SysWOW64\Pckoam32.exe

MD5 e7e5607bd693ebf32b2c266aabbbb54c
SHA1 25e63507905eb88d6093b0eb77a16797d7bd2e40
SHA256 ee9a1b23d2da8d88f2aed577d47b92eba0180b5e51f261735db8b7bdc821d3eb
SHA512 03aed9b9eb7c35a5efe10cf5ab160f00b32a88f3b9e0f1f867245b4104f547c6ba21ff4cf5a67da7457f62ade85e4779651b39c9f7d6fb791f317f7e96de1b3d

memory/408-229-0x00000000002A0000-0x00000000002D5000-memory.dmp

C:\Windows\SysWOW64\Pdlkiepd.exe

MD5 da0757d57e38654a0cfbf825cc94c575
SHA1 4f0e1a4e6537af0dad345482888f8599f857f7df
SHA256 58b3d6e51cbb5915f51d84cf318efa7089785aa8752282cfaf17c41c47b496e1
SHA512 70ec7e5ddc5fc230a978dfaf4b1e2005a3e58086c388881c21f005532c675e567de541d4540305c539bcccf7fe5fc66203a23503425d995e68fa11072ba27fb5

memory/2372-238-0x0000000000280000-0x00000000002B5000-memory.dmp

C:\Windows\SysWOW64\Pmccjbaf.exe

MD5 ae13ddaa96f970037525128480ba9059
SHA1 aab3202248b3dd5bd6fefe9715c77bd14b27ee49
SHA256 6c1e6d3fa6f75e47a0efb11a618a6a73879c239390ed8c5f9e7ab5e3cdacf438
SHA512 f231d9295a4cc4a8896328acea06c7d0c6968e8810f5cfbc3a366309b9b3d9b81e7c0f3b267d8143a17de89eb08ab5fd2434a19d05053960be04ef6b7f0a7d95

memory/1568-246-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Pkfceo32.exe

MD5 6d85689e6d2a6372d272fa38b5d077cf
SHA1 0dca478af2ae90144197f0a039b1f96066d35059
SHA256 7ff633f6cfab17977dca927bcca7be5b9c59c98962a9a6e59093b18d49e6095a
SHA512 4754e278c2ec59d4cda3a5a8a06d34911ccb4fe6b46e0be49fd77a4c7d73ece7ef698b1079f92ee27aebd5931339f50cd862273dd82ee2ab3e5efd53dd648c81

memory/1908-251-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1908-257-0x0000000000250000-0x0000000000285000-memory.dmp

C:\Windows\SysWOW64\Qbplbi32.exe

MD5 7d1d8816ebf76e57f57a17f7a76a7d75
SHA1 ff3a1f34e3f3cb1122f7f0896810bb4709ca9a27
SHA256 687b52a7db7470aff60b4b8ced5576b4ac0f23dd84e628b1782766a9d365309d
SHA512 2787664780f39bd0cbdee668d3bfc7125780055e020cd6a8aed1ac067bf80c293c2f2f539e2e2c1befafee3631cb04cbf549a7df9b28cc61e6801322f6256b61

memory/1528-262-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1908-261-0x0000000000250000-0x0000000000285000-memory.dmp

memory/2196-272-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1528-271-0x0000000000250000-0x0000000000285000-memory.dmp

C:\Windows\SysWOW64\Qflhbhgg.exe

MD5 7b68c8d534fb6a5e1ddd2658ad735364
SHA1 d12a6805e89168b7cf9d6f81a1d12e888c626a97
SHA256 310c3493281c8332295dd13bca130719f144812d5d21ddb64125619af9849f73
SHA512 e351263a1378ed676634a9a0edc8417bb1c5e930a35b9603cc1f9bed6197e3e24f1d5ef45b1c8b0ac36ba17e94d5e3e058d8ee3cd959966be5b9991027c915e6

memory/2196-278-0x00000000002E0000-0x0000000000315000-memory.dmp

C:\Windows\SysWOW64\Qgmdjp32.exe

MD5 f944ef81a79d1f26f5a461974690a94c
SHA1 37813a5eae6f1b3d0a9aa3362dac4cf245605fef
SHA256 ee61cfa29a950683a453d875d86602a4de794e212e4435bf910344752986577c
SHA512 8c9b54a69284038bb96474a73f4c4ea9b1a5d587fcd048899d325587631bddfa41ac5b2957a1633575252b933c7d4d78f47bf554206eecc455bc8cd5b2a0668f

memory/2012-283-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2196-282-0x00000000002E0000-0x0000000000315000-memory.dmp

memory/2012-292-0x00000000002F0000-0x0000000000325000-memory.dmp

memory/1548-294-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2012-293-0x00000000002F0000-0x0000000000325000-memory.dmp

C:\Windows\SysWOW64\Qodlkm32.exe

MD5 5c5daf0f5b1491253b6cad84167a746b
SHA1 9577dd8ef7655ab958393fea646b6dc21e2cf883
SHA256 9330511337717bfe66abd81b07b9659abc6ca2ed95d2c0bb4cab1fd5ad524fba
SHA512 369cb3c2e9893ae1eb2d4d82de1b6de461a0b56f9c55cb09f36d4f8636782b862943e216192a6ccf734a7475be165f89a90295aa069e37ca6f4067546d8d9c71

C:\Windows\SysWOW64\Qqeicede.exe

MD5 6535408ec540997293251fc96fa2b574
SHA1 870fc6e9b5d9e6df93f607d2a722851234cacc53
SHA256 c84785ec45c4ed5e113b9cd37c7824d8d6c26d65dd9bf8836affac698b424d6a
SHA512 23216a79892f96c12e171cb5d869bbe8a7f4a9485ed54a1d903b5a2c5fefd29653035738e3766fe99351ac73fd3197c876740dd20722d45ed302d9a0df98dd77

memory/1548-303-0x0000000000250000-0x0000000000285000-memory.dmp

C:\Windows\SysWOW64\Qiladcdh.exe

MD5 dbcf9b2b9b4bc7e51827ab992eb30e6d
SHA1 17a99ef7e78a240b168e3e2d6e1998535d867a53
SHA256 a2d1c00ab41fae6857e65889a6c561b3a68c339aa7173901ab627a3f41142764
SHA512 ca3cc9d6e7adb16a5c286ba1409c865d8861c8d696039682cbb8af66b939bea9a96755d973222acfca24b958a4169bc103c29786dc6536f2003a0ef3db6ab004

memory/2248-317-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1124-316-0x0000000000290000-0x00000000002C5000-memory.dmp

memory/1124-315-0x0000000000290000-0x00000000002C5000-memory.dmp

memory/2248-319-0x0000000000290000-0x00000000002C5000-memory.dmp

memory/2248-324-0x0000000000290000-0x00000000002C5000-memory.dmp

C:\Windows\SysWOW64\Qgoapp32.exe

MD5 a306f2b39d1a0d9240273307697881d3
SHA1 4aafae1894c4a6e296ca06108e85df1b84f126d2
SHA256 599de79a24e7958a3269ce01bbe3e13137e5a5173467764c1b2d17ff2f3a8562
SHA512 ac8a866099e03f1b184d04de5eab03529b49ef6733124be9b5a0293eda63255344af4087cc9881c70db1aa621fba0698d5b8b27c1152641ec6f409012769f4f6

memory/2488-329-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Aaheie32.exe

MD5 9228aa40a491acebeb8df58c49db1dc4
SHA1 d30a303fe5e8286a3c25ab9f22baf0895a22e819
SHA256 a2f79a1a11c9ab17d7f33fb94c273dad8c79f0eddc1493b42ca24b8d1db7757d
SHA512 7a76ac2821d8c6efdc06af410abab6ad649cdfdc532ba880e234261453605f0fae0dd1aa85dab5ea35ccd5deed618f0debfd75b0cdd4fcf2d20b38a165622c88

memory/2828-334-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2640-335-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3068-345-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2640-344-0x0000000000260000-0x0000000000295000-memory.dmp

memory/800-359-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2812-358-0x0000000000250000-0x0000000000285000-memory.dmp

memory/1868-357-0x0000000000330000-0x0000000000365000-memory.dmp

memory/1868-356-0x0000000000330000-0x0000000000365000-memory.dmp

C:\Windows\SysWOW64\Akmjfn32.exe

MD5 e4a90a599fa2e8a3bac206d755085b3b
SHA1 c2302bcf9f273f76582e87148ed9a74b66eaec6d
SHA256 f7f046ea4e6900fe6d244f1c5c28aa40541beee051c0ef9df0df6c27f8fdfe0d
SHA512 87cf476cb14020567470a858b1208b53e8ffd604be7b6945a391b9aee9342bf6a93b981b05b8bed6d0c4954756af0e8d322fa616a9230d341e50d77933de3ad6

memory/1868-351-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2812-350-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Aecaidjl.exe

MD5 9371d735da69b94e28be3b93c9989ec9
SHA1 1b889a499ca3ed398e3fe72653d775e96c1d066e
SHA256 b0d866685a6adb794fcdb4863c107b4a3bff41e43849928a744f712e7fa2e9f9
SHA512 41d4fedfaca371cf7a240b4117ed717e616bcb90d7532c2f537e9c4178f5a7f7d5f73fc2d9f60e9ecf614d5f2c0074387b8f5963cbe538406dc7950689a1b382

memory/2700-364-0x0000000000400000-0x0000000000435000-memory.dmp

memory/800-369-0x0000000000290000-0x00000000002C5000-memory.dmp

memory/1888-370-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Achojp32.exe

MD5 320c629f6186386916f0d598db126a5b
SHA1 001111ec7718c6fb1622ca8cba2ceb93224c1ad5
SHA256 9d5c856d2a5afc1c7cba424ba6673eb2689adf7ee1b2ce507428567cc4cfe294
SHA512 d8365058682bb6a4b1489653968e5e89d5c74beb4426d0c5e246270bf2d57015d69e62442f3d7bdfd07a8ddcc6aff295ed99a2922d66c8c626df1e5535cf406a

C:\Windows\SysWOW64\Agdjkogm.exe

MD5 4bef98b8eadc3bcca468e067f8281424
SHA1 f6e6b40f9861333447bbce13cacdb8d72262f597
SHA256 a94a96541c44272554d5335a0beddd26788c6f52bb56650eae9157e42a2b88a9
SHA512 e12cc4899f827a68e5c780a847369f14bf7ef1187d1791e13b6c7e264994935d1050c038b8e5ae004996c0c3a0c20a8879cb6002bef07f78fd1d4937f5870dd2

memory/536-381-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2532-382-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1888-380-0x0000000000440000-0x0000000000475000-memory.dmp

memory/2664-379-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2532-388-0x0000000000250000-0x0000000000285000-memory.dmp

C:\Windows\SysWOW64\Annbhi32.exe

MD5 047e100f534da3c13aea67cc75d2547c
SHA1 bd457c8a103ae6dce338c6335475d1284b42412c
SHA256 16bd2a75853094742c505229ae8e1fe665bd5d3ca065abb71ca993172c9d3f6d
SHA512 7a65304d7dcd10f3649e1fe34dcf79f874dbfb3d836d9e411aeee6bfc584a8dd1a99708cb9ebe7b0786646d813d6f707bdd3d928da5a2041a8e799329ef2d747

memory/1680-397-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2140-406-0x00000000002C0000-0x00000000002F5000-memory.dmp

memory/2140-405-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2676-402-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2676-404-0x0000000000250000-0x0000000000285000-memory.dmp

memory/956-401-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Aaloddnn.exe

MD5 05a3ac159c1b99b1e4fb381cae613b01
SHA1 0f9db003a9c50760eb5dc79e6674852596c28a35
SHA256 d73480c36db37a088877b58e787047287972bf88efe8ef497557b6f1fde9bb24
SHA512 fe99a0f67817d6b3983b275f14b1cbf85ad21533a8704c50bfbb3bd15a663a76c8d06c69bd0afafc62aa3cd871e9a1bf81d2c242eb851f265f7df29f209b0a04

C:\Windows\SysWOW64\Apoooa32.exe

MD5 b521d331d8be77149d986a8642b2fcb7
SHA1 f96bf79b0194d17bd49034158f6f0dc48302cce0
SHA256 6604439a120b15fabab276963e7f38800d12870b40b4f09f0453c8597709553d
SHA512 355b1d76f7995bb600ef007120f471caeaa44f5a0978b32b1fe73398be8124e91731830dc8bd9fb716eaf938a2c0320a7928abea5e9d9b48f556c0516c57b1e6

memory/2864-415-0x0000000000260000-0x0000000000295000-memory.dmp

memory/2944-418-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1968-417-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2864-416-0x0000000000260000-0x0000000000295000-memory.dmp

C:\Windows\SysWOW64\Amcpie32.exe

MD5 eef888f06fb0c0fdecaf621f5d6b2063
SHA1 2b63dcb5d397b7334b197aa85095fa55c232c439
SHA256 8c2b71175d361d1aa73d6cec82375629170441ea3f4743de30d9d2d39ebd1382
SHA512 a72c8d9bc763b0a2231228572978cbc4329105402243a7af7b5da11f535ae416b1bfaa03f7d4938e4442437a20eaafd5ca83a8d0399a6603615199eb48727eaf

memory/2944-424-0x0000000000440000-0x0000000000475000-memory.dmp

memory/2944-429-0x0000000000440000-0x0000000000475000-memory.dmp

memory/2568-428-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Apalea32.exe

MD5 b542c55d1d3a0878eeeb8fd6509a503e
SHA1 8132c51a36b619e0fad9c8ae035f087cf512d0e5
SHA256 489d8df428463bfa75ff2708215656430a1d1a06c75994f5276311b006fcd7df
SHA512 ed63da8a4502eb8f130d1be2af0cd385959e589bba24903108be0e17433b38c82d26f733ba9370990f7ae9b9c3bb4fbbb0940cd7dc3730d119d1149fcab5fb0c

memory/2780-435-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1420-440-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2992-439-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Ajgpbj32.exe

MD5 60fa14e6ab43daf2837ec491b707d34c
SHA1 d41d8f16656a465d5c77e7afe5785d1cdd449280
SHA256 ca53c36bb9b53e7f313e61b0cec5ca200d7038cc2b147abf51937c946f3d11f7
SHA512 767ed10dea46f585c03744fa70769328572eb8cefbbcd21b7d0806ad0741ed9e53def5efdc96183cc280f07047dee61063c6c8b38a78bcd2b7470c17977fdb8b

memory/3040-450-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1420-449-0x00000000002D0000-0x0000000000305000-memory.dmp

memory/2556-455-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Amelne32.exe

MD5 649ec6ae6cfd63994c86e6a0722aaab3
SHA1 a34ae73eff7514e6074b3b42ddf684175a976916
SHA256 44be65919fd7c3e7529a7ebb91ad42940b8c1bd543acc188b9b87708b9130a74
SHA512 7c0720c4aa0382dd04c6c19cf23ab854c5a27c2c6c8529aa31c367d0e4d5d02913c66540cb8b7820f287e9996070ab7060c1482c2b71140bac1aa4ac9dfd0339

memory/1500-461-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1132-460-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1444-470-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Apdhjq32.exe

MD5 b9d2584488dbee7a25a57cb00a3fe95a
SHA1 64afe7fd9973a4429b2e7ca56255655f3e516634
SHA256 cf7845c986a7c85ecffea84f6f9aaf08cc94b057d1d4495a893c52cf35030d3c
SHA512 970b55aecdcb6ef3fae046e99462f7e35864cb965226a6de3d39edbd14aedc1424e9f4efc4e049e93013fe3b426c37dd02b0191fe3d4d3d31645c56fdb575063

memory/2324-471-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Acpdko32.exe

MD5 3cd007e791ffada49449aae84578c626
SHA1 ddf9362007500fb62554a87f3774d7a0990f7616
SHA256 9d296908f1c384196d399d6bb5089bda39ad1958f71d064ea19c55962cf84321
SHA512 8e5bc2058c3686ac4aae119e404fb97f216a30c28d4fcd90ffd901fd9add9bc4e345fcb1c3cb5760c2f58a2cd57abd83ce0b99822eae01e152a07e749fbb79af

memory/1004-480-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2052-486-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Abbeflpf.exe

MD5 fbe80817407c21d284dd661cf8a9e202
SHA1 cb82a3fab0a930813b1cc0c5c386aa0503060566
SHA256 8962d30e656b05b89e9f028091fa98d1e6098bc8e59b0eb9cec1f2a2bd20d216
SHA512 64d8380c79e6fcc57017f2c342d382f911a0ee0d7b750ef2d017a6ef9bdd9d4dbaacda93ed14750fe06f720d9b8d3053fa79180423657b5eaa581385e21532b1

memory/1004-490-0x00000000002D0000-0x0000000000305000-memory.dmp

memory/1364-491-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2152-500-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1060-501-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Aeqabgoj.exe

MD5 8e5d6156fe0569bef3511d565ff41a5c
SHA1 43416d02a4fc576a5f34d43525c761e576923a65
SHA256 448de70d06f13f45a547c9b0442cee97f9a66967c54251ffd95b9b9f4ad126ab
SHA512 631aebdac05f70785c354539ab4cb5f0f8ce99c24597c44540bea514a63d0662a0baf5e745344d30e3be82cac6cbd3688ce438cf851c756425d7a3e350bfe3cd

C:\Windows\SysWOW64\Blkioa32.exe

MD5 fc42004565bd84516280bd5b316a5adb
SHA1 6529306047a2d48d966a8a9318e9e5cc96429943
SHA256 b870f81bba10684f373b857868c320a1059529e8d981a7f4405bc5606ed13d17
SHA512 8e5807af9618e19d1db85a234ebd577880d77528582f86c5560bb2be79b872005b063677cab1852908d686974b37f5287729f63c73c19c7d1bd4c05a5c6ca241

memory/1108-506-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1388-511-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bfpnmj32.exe

MD5 064ebe76ac3a8100461ec1f0a9369602
SHA1 9f2e4480632f8bca82b3d8a581f43bbf9b1f14c6
SHA256 c1cf6eead95cbf87a172ee89acae793f0e8fb5257b8cdb3aa040afcacf01f29e
SHA512 176a1b49934863e251b87b4975ae97d61fa2205c594411cc343fe5ae1178430d52490b652308e13f2089cc402ecf48eb251208271dbebc402ee016badea3c8d8

memory/408-520-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Biojif32.exe

MD5 4deed635edaad4071ab2f4d51c10433f
SHA1 ee88ecee903d85133a24e972c2c1bfa897a66916
SHA256 54870fb0a975c8ff1abd3f1383d4595a870efe0e5b9b0713620069788387a8f2
SHA512 5612853dd5ccdc382c3e00ac72fac3b72808a31021701b8f0d74603f6fff6f0823629c44fbcdb9a7ad20b4241a187ba43c6cca50dfd47eca76c10a745d22272c

C:\Windows\SysWOW64\Bphbeplm.exe

MD5 13f27375023f2f947525a217e8b60ba8
SHA1 b8019c1c0b0b8d00333abf02f0a4a3f96c460a0e
SHA256 df65bafc18c247379f81bd8803fde389a871931a1de4f9a6e93f89d6dcd5a1dd
SHA512 1342d0c3dd1926f40d58b5668b7dc0833b675196823b518d572c753d1548d5d87c771e95292a4d7957d9e2b5460be30b75de1468aad8cd601011518fea322f90

C:\Windows\SysWOW64\Bbgnak32.exe

MD5 ffe4cfc241a5fc468cafe91f12c73f15
SHA1 2b24f2cf7c0cd021ab9de45b0583cfbd5b6557fa
SHA256 3dd60e436e8d7baa2f56d965d451e371c50a24593b8c859b5e13bedd03308fbe
SHA512 2e2e8e2c8503a45d8be8529cddc82a0dbbc5088deedd8e6c11ebd4aaf44e514088da7edbb8bb29d459c6bba6a3ea8f86d3fb6baf72c79319be3d819c609154d8

C:\Windows\SysWOW64\Beejng32.exe

MD5 54dc6c3b06cde3b31b0a120eb5f1ac7c
SHA1 63da40e5fe3e990a871f1d05bfa2c8186b2cb9f6
SHA256 63ffcc5a80b3a2abd9fdd8660655d33225a7206abdb4fefb8947e94e423858a5
SHA512 d780e94cc5a8257d86773e5c4d29e7de29e74f7de669fe677c3d5ec8cf26633552f1b6ff7d2342cd1b941cea7b6753c836ee4727383c7a7e6ef53f8a5642afa1

C:\Windows\SysWOW64\Bhdgjb32.exe

MD5 348730aca3765ce0fefc037fe6d15c08
SHA1 5b4d8845df389d4b9ac8941e55e278fc2183438c
SHA256 2bdac79bef31ffc213cb48f67ae0f87af918a77c7e6ae1a86c71e3aaa4520e9c
SHA512 bf817e4217dee7cf8c377baa1f352b6135bb0ef0e31c063ed60c884d59dcf80525588406bb8f4dd191f02b80f450e65f802cbb4f7c4f02aa82bd7b0769cb0f4e

C:\Windows\SysWOW64\Bonoflae.exe

MD5 0a10c7598d6c1f81acfd148903d29cde
SHA1 8158b58dcf67b2bbe9ed70a0959638c960b70126
SHA256 83714a3acdfc0c984914c64f81df91c371e31ef6e22b21c801d2f96a5b675fc9
SHA512 f0f8ef767221a276405a27fe4cc72de33d3d6e861732eae7200fc006202156c355db622e035a9c992514ab21aeb4eae3521b23f898279c848658ee06f84ed338

C:\Windows\SysWOW64\Blobjaba.exe

MD5 c1e12190a4d2b1189e3f6a337e961bc9
SHA1 f37da382f10c98b0cb25787f6f93d4af5458f6f5
SHA256 d914e5d59d86a2f00405a45560b89c6c174ee416402f427f7f67f985b4d59020
SHA512 d5083625daa5319d1293e73f807804c40461a299fb713518bb9617899d084d940fe05b13bcfc78c25bf519afc41ec2219f6256c3dde01abed6f2dac2aedcd629

C:\Windows\SysWOW64\Balkchpi.exe

MD5 8e1e3bf30eb596b7cf69f963344fb14c
SHA1 05282cef22f5b49dc60c591b0bf71abebdd40c42
SHA256 3c1ba1c4dcb60e599b522c14a4abf846724b448e95bc09523c950cebd5f92e46
SHA512 131f037f885fe67a4dc818796817502220af60d6faab2f2b870c855782a93ab60f5b724cf57d1fb641da5b80c66d2c7b0478415660ea50d344a65f472bf508ea

C:\Windows\SysWOW64\Bhfcpb32.exe

MD5 32004cdf69736f73ae6d99063e5f0955
SHA1 c452bcc9591b01e31cd24d47080166cacc2b0141
SHA256 d991685772818c57c5fdbec89d43e1a0c3ae7a3b2ce46673bc78a64679a96f47
SHA512 1f1f7ef8a817c47946e0f482219231e342cb7a4d2cb1e6b7f97384573dc1f356412b59e2dccf51250f455e992d75e59ce719029cdaada35f05cdde8d00405945

C:\Windows\SysWOW64\Bjdplm32.exe

MD5 bfccc4077aed70e29e1f2aecde48c09a
SHA1 aa255097b7c5d47955c820a2390696685c562d98
SHA256 cb44f042a6b89522e105cb9d3399f767d57cd8e4074222e737ff5a1ede9cce3f
SHA512 25461d43c656a82731fe2208ed7e24bdb37d4f90e3604fc0288b4332001b51bb0855562c1923682675e8832ffb921d1f7b4356c03921216c3ff9a489f87a5c2f

C:\Windows\SysWOW64\Bmclhi32.exe

MD5 5474d5f6da21bc6bf5ed8418d60a0fd3
SHA1 0eac29b05d19f9c93a633250cf4784ec758d5648
SHA256 927da4f467b4a0901f4a0158c590c199fe6d6baa7f184d3a2f85ad47f371551d
SHA512 d2696f8fe0574441816156d3d83dc73081b949616e60533c901b3eea9790188a9a89931a83b0f2d1c5136bf1fd96c15df0020505160210861ee9161b7e6650f3

C:\Windows\SysWOW64\Bejdiffp.exe

MD5 7f5fefa256286f7582432014a4f66033
SHA1 fbfe93af762138eb9618d7f9c756abc35ab4a7fb
SHA256 a1972a42bbbbe11a66f1bb083600d040bcd30aab5626001ccb2fe0460e17e225
SHA512 ded462cf1881002c96c768fcbd9c29032cada47ddb3e450cedc86c026d6421b44f73bd86c979778365bde49e601477f35f4a1c07cb3b1896ea71e4b56ebeab67

C:\Windows\SysWOW64\Bdmddc32.exe

MD5 8ce01e0cb23765f9465c5a1c79159d7a
SHA1 7235b8b0c27fce8a79e4533a181825fadf2de4d7
SHA256 dc8d2125dd612c658379776dae6239259fb3455780c2421448254783fd37049b
SHA512 64c250313cf46e92a0b07fc2cd4dcf119e523f4f4adbb839e7f80c82752792e18d5605344826020b047a850ba1914de204b357b403da5601056729f1266ce59e

C:\Windows\SysWOW64\Bkglameg.exe

MD5 8035729cfd72b6eb0741fb9e58662d2b
SHA1 42d1bbb1526cc21ec53939a44ba9df51f0539469
SHA256 4c10397a98fcf61b88cbace5b780b07c313a24be8f6abd28641a23da6cd1f2fd
SHA512 9d334c5c02e01001aac2f82a4c9a28d569abe6d9bdf6de478f1df2474b38fcfcdaca4b3d21f9c366e5c07080f8d82b751087eddcff91c2d937828bcb77d0229d

C:\Windows\SysWOW64\Bobhal32.exe

MD5 6611ae14c8aa22dbe1bac230d333f3f8
SHA1 139d60149454ee50b1ab9c7ab52ffc8f1c03cb18
SHA256 42d414f6c9aa5cddd939007a81fe5ef49b7b3033f366a0653821e6c467d53c99
SHA512 406cc466aada1d7d248e351dbe45a35aa2f91e363301637aa1f9df8003b2673087e092ef0fa7314918cdd4789b05fcb0b97967df262967eefac52957c320c267

C:\Windows\SysWOW64\Baadng32.exe

MD5 9baae3d1f2575a8c6c5b7e5a1b0dd768
SHA1 d580f4b0cf5da7ab6a18c6f01f1437131a881aa6
SHA256 4398d7a6480ea3fd614846e70f2b0ae656d3636fe787317db853176649cdb21b
SHA512 22a05f791c11b13f7adb628d250d3193b38afefb89bd81fb5b27dab497d4fac7a9b73fe67792a1a1dd775ea989b55000b43608201d17f5a574316ff68f44577e

C:\Windows\SysWOW64\Cdoajb32.exe

MD5 9b28a85228d03d4c032f75fc53b51284
SHA1 41e65ee78e08887009bbdc8b98b417879e7c75ed
SHA256 6f75ac45fe22e89642dcea48ce454dc56676db882caf981fa494c4856056ef02
SHA512 300dba8ee935602a7e9478625e4bebcabd0f829e23f56398c905b10343dfbfd217ad5eca9ad76fc96e9620f049e79e7e5a07722bcd1c8167fab840c7d149c303

C:\Windows\SysWOW64\Cfnmfn32.exe

MD5 0e03947bb01b82649d2a43f1dec5faa1
SHA1 7542fc443c81c3e1a76f47ffa7edc06c3536a63b
SHA256 80fef69074b9afffdc29361810461b16ff929c49155e6331de057f988b359870
SHA512 1265f2bfff3643edbca460e27d3989ffb40ce9cf4c77ec2be9e84971c4fd4d11cfab85150c91f157045a0b34ebba5c3de9624e87f0c69d45cbcee66d2b2e1a47

C:\Windows\SysWOW64\Ckiigmcd.exe

MD5 e4f4c0647f720ec12ad6d5cc18ed121d
SHA1 91a2e41f1a55871df8ea373471d1c063e5a1f6a6
SHA256 6955083eca10fb3be068af772adc76e651c46b7447279b931c42273d8cec363e
SHA512 1abea8ec1ba62c773d91394172bd35de83477b0ddb806f0272a5f9b5a57235704aa1ce76df1f97a50677209f20ddd52053f455924ffc02b34847e9017947034d

C:\Windows\SysWOW64\Cmgechbh.exe

MD5 d290f46c775a3979647206603897f965
SHA1 179416a57aca4987241da0f3652be03b3467541f
SHA256 ebdba3b73ee2c6c6b188dea854de8154ec50c825d26ff4adf4fb3d90bc2a2a0f
SHA512 3ce9f5bfa141e33ccf8438dc8a259c5163833984280f45fb2b294c3b1385cc39db25f57284d96f5bd70c9d8242f1342cf643c0af959110d8d67727ae2033a0da

C:\Windows\SysWOW64\Cpfaocal.exe

MD5 8dda74bbda79bbf2879fd102da6b1cd7
SHA1 ecdece9827091a53faf70dec0bf21539ef28acb0
SHA256 cc306ec651ca7bd6da02a6be7206c148dbac45286262a8f91ce1b9a2a6973191
SHA512 9d0960723f34216ff88cd5b74cadceb4c12677b4bb62a02c5f16063934859e4375b6bf6aa07146f3aecae2980d6fe4b04959b8f3c677f1391ffa6cb555958b0c

C:\Windows\SysWOW64\Cbdnko32.exe

MD5 d5c37258dfb0ab092f5701a4601766b3
SHA1 47de7db6a58d4be24e0742baa2e8b38fcad54257
SHA256 073bfe28a98df6c56ab0d8fc207f174f419c389cc87087d31ff8d8fafae41935
SHA512 071b8a7f27287f755248755deee0e2167daa2458e3fb5cf8a20fc285436d3fa2d0b63c5301f293381adaa12fac8760cfe6819bdaa827b0c1f3677230347d342a

C:\Windows\SysWOW64\Cklfll32.exe

MD5 33df0070b0a04cae2cfac6b627529dd9
SHA1 398f39355488194236e8c3a976430c0f002c19f8
SHA256 1e929f9dd4e5aaff80b4c4fec7b0f2f5fb5021f8a2278bc3bae1d573eb6b4a08
SHA512 a38979c30b9d48d9611875c1c349853667dc91828f5d7f58b04a1717702070dab50aee7e35d1e40a418c1f3eb52863cab57db596507cb3d99aef931cb946c684

C:\Windows\SysWOW64\Cmjbhh32.exe

MD5 3df8b3ca382bed6de5d55c764f43b524
SHA1 4c84dc286e860459d0c620d7056c2c3d1cf19059
SHA256 9be0864e6723dcec494bc8210fa3cdee1d9b4cfca0bfab285350be46294bb8d6
SHA512 7446b7b227dc355c8c9d78f442491f3f9206e614ff9a9a05cc894aa3783ff3ab76526c139d7c2f20ac20c4777344896d0052168668f6496d7eaa38aa503532c4

C:\Windows\SysWOW64\Clmbddgp.exe

MD5 9ad972fe847a79cf98531d20b7a033fd
SHA1 4da8c2010e65448bc292a2bf9f59f67e946912aa
SHA256 2572e255ad3a39d113821d65bef2c174b8c24b85254e0223d1cad85b4c548630
SHA512 12eb4aaba1c70224866c67dc37566e3c7a9355fc575cd1445c7e6a9d50869d274420b2cb65ff5bbfabe32afaf09ada772c3b6375f08baac82cf9238fc756ad61

C:\Windows\SysWOW64\Cddjebgb.exe

MD5 a429e852f8658a72e1278930282bf39d
SHA1 15449db0f1ab5473de9ceb321aa05afe96bc8969
SHA256 403b79059df37bb5a7c2e46ea9b9701859a89841de9178a4e1542b8a58015c85
SHA512 a98fbf29810e4c275029c872e13726c5cbd75cbda4e4f91e25bae4bd502ca18319b4dac9bc76f678c79718c40bb0b3bd8402efd4393046932b83b5da3e50cc22

C:\Windows\SysWOW64\Ceegmj32.exe

MD5 f71f8794021167de09c391ac8d1d4c69
SHA1 40ff125caf674b349a372491ff1ee97f00b07a44
SHA256 54f9657d6f8736b6f0edc3df6898da8a6bb39745b8db868d69f5bdf658d4f698
SHA512 c954373bbde297cfa935b42e9b053ee19d3edcbbdf2068a178d66a86555579d4d54d3b404b93b7bf0faa1be6c43bf2bb1c828ae1c1b0114f7256ce93017c5b2b

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:56

Reported

2024-11-10 01:59

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bjddphlq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cffdpghg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmqmma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjddphlq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cfpnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cnffqf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Chjaol32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhocqigp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfkedibe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dogogcpo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djgjlelk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Djgjlelk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfbkeh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djdmffnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Agoabn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmiflbel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmefhako.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Beglgani.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Banllbdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ceckcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cmqmma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Djdmffnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bganhm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Doilmc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bebblb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bgehcmmm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dfiafg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dmcibama.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chjaol32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnffqf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Beeoaapl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chagok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Chagok32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfiafg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cndikf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bcoenmao.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Delnin32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aadifclh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aadifclh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Banllbdn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cenahpha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dfnjafap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bfkedibe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bebblb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agoabn32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Aadifclh.exe N/A
N/A N/A C:\Windows\SysWOW64\Aepefb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agoabn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfabnjjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bebblb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bganhm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmngqdpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Beeoaapl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgcknmop.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
N/A N/A C:\Windows\SysWOW64\Beglgani.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgehcmmm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjddphlq.exe N/A
N/A N/A C:\Windows\SysWOW64\Banllbdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Bclhhnca.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfkedibe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmemac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcoenmao.exe N/A
N/A N/A C:\Windows\SysWOW64\Chjaol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndikf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cenahpha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfpnph32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnffqf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmiflbel.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbkeh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceckcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chagok32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cajlhqjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceehho32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdhhdlid.exe N/A
N/A N/A C:\Windows\SysWOW64\Cffdpghg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmqmma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Calhnpgn.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfiafg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djdmffnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmcibama.exe N/A
N/A N/A C:\Windows\SysWOW64\Danecp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Djgjlelk.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmefhako.exe N/A
N/A N/A C:\Windows\SysWOW64\Delnin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfnjafap.exe N/A
N/A N/A C:\Windows\SysWOW64\Dodbbdbb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmgbnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddakjkqi.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfpgffpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Dogogcpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Daekdooc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhocqigp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dknpmdfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Doilmc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmllipeg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Fqjamcpe.dll C:\Windows\SysWOW64\Chjaol32.exe N/A
File created C:\Windows\SysWOW64\Flgehc32.dll C:\Windows\SysWOW64\Cenahpha.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhhnpjmh.exe C:\Windows\SysWOW64\Danecp32.exe N/A
File created C:\Windows\SysWOW64\Ebdijfii.dll C:\Windows\SysWOW64\Beglgani.exe N/A
File created C:\Windows\SysWOW64\Bclhhnca.exe C:\Windows\SysWOW64\Banllbdn.exe N/A
File opened for modification C:\Windows\SysWOW64\Bclhhnca.exe C:\Windows\SysWOW64\Banllbdn.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmemac32.exe C:\Windows\SysWOW64\Bfkedibe.exe N/A
File created C:\Windows\SysWOW64\Dchfiejc.dll C:\Windows\SysWOW64\Cdhhdlid.exe N/A
File opened for modification C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Aadifclh.exe N/A
File created C:\Windows\SysWOW64\Agoabn32.exe C:\Windows\SysWOW64\Aepefb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Beglgani.exe C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
File created C:\Windows\SysWOW64\Djgjlelk.exe C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
File opened for modification C:\Windows\SysWOW64\Dodbbdbb.exe C:\Windows\SysWOW64\Dfnjafap.exe N/A
File created C:\Windows\SysWOW64\Phiifkjp.dll C:\Windows\SysWOW64\Bfabnjjp.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjddphlq.exe C:\Windows\SysWOW64\Bgehcmmm.exe N/A
File created C:\Windows\SysWOW64\Fnmnbf32.dll C:\Windows\SysWOW64\Dfnjafap.exe N/A
File opened for modification C:\Windows\SysWOW64\Cndikf32.exe C:\Windows\SysWOW64\Chjaol32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdhhdlid.exe C:\Windows\SysWOW64\Ceehho32.exe N/A
File created C:\Windows\SysWOW64\Djdmffnn.exe C:\Windows\SysWOW64\Dfiafg32.exe N/A
File created C:\Windows\SysWOW64\Gmcfdb32.dll C:\Windows\SysWOW64\Dmefhako.exe N/A
File opened for modification C:\Windows\SysWOW64\Doilmc32.exe C:\Windows\SysWOW64\Dknpmdfc.exe N/A
File opened for modification C:\Windows\SysWOW64\Agoabn32.exe C:\Windows\SysWOW64\Aepefb32.exe N/A
File created C:\Windows\SysWOW64\Leqcid32.dll C:\Windows\SysWOW64\Bganhm32.exe N/A
File created C:\Windows\SysWOW64\Bjddphlq.exe C:\Windows\SysWOW64\Bgehcmmm.exe N/A
File created C:\Windows\SysWOW64\Cmqmma32.exe C:\Windows\SysWOW64\Cffdpghg.exe N/A
File created C:\Windows\SysWOW64\Dmgbnq32.exe C:\Windows\SysWOW64\Dodbbdbb.exe N/A
File created C:\Windows\SysWOW64\Bmhnkg32.dll C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
File created C:\Windows\SysWOW64\Mkijij32.dll C:\Windows\SysWOW64\Cndikf32.exe N/A
File created C:\Windows\SysWOW64\Cffdpghg.exe C:\Windows\SysWOW64\Cdhhdlid.exe N/A
File created C:\Windows\SysWOW64\Calhnpgn.exe C:\Windows\SysWOW64\Cmqmma32.exe N/A
File created C:\Windows\SysWOW64\Doilmc32.exe C:\Windows\SysWOW64\Dknpmdfc.exe N/A
File created C:\Windows\SysWOW64\Beeoaapl.exe C:\Windows\SysWOW64\Bmngqdpj.exe N/A
File created C:\Windows\SysWOW64\Bmpcfdmg.exe C:\Windows\SysWOW64\Bgcknmop.exe N/A
File created C:\Windows\SysWOW64\Bbloam32.dll C:\Windows\SysWOW64\Cnffqf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmlcbbcj.exe C:\Windows\SysWOW64\Cfbkeh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Calhnpgn.exe C:\Windows\SysWOW64\Cmqmma32.exe N/A
File created C:\Windows\SysWOW64\Dmcibama.exe C:\Windows\SysWOW64\Djdmffnn.exe N/A
File created C:\Windows\SysWOW64\Gidbim32.dll C:\Windows\SysWOW64\Djgjlelk.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmpcfdmg.exe C:\Windows\SysWOW64\Bgcknmop.exe N/A
File created C:\Windows\SysWOW64\Bmemac32.exe C:\Windows\SysWOW64\Bfkedibe.exe N/A
File created C:\Windows\SysWOW64\Lfjhbihm.dll C:\Windows\SysWOW64\Cfpnph32.exe N/A
File created C:\Windows\SysWOW64\Cfpnph32.exe C:\Windows\SysWOW64\Cenahpha.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfpnph32.exe C:\Windows\SysWOW64\Cenahpha.exe N/A
File created C:\Windows\SysWOW64\Eifnachf.dll C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmcibama.exe C:\Windows\SysWOW64\Djdmffnn.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfpgffpm.exe C:\Windows\SysWOW64\Ddakjkqi.exe N/A
File opened for modification C:\Windows\SysWOW64\Bgcknmop.exe C:\Windows\SysWOW64\Beeoaapl.exe N/A
File created C:\Windows\SysWOW64\Hhqeiena.dll C:\Windows\SysWOW64\Bgehcmmm.exe N/A
File created C:\Windows\SysWOW64\Mmnbeadp.dll C:\Windows\SysWOW64\Bmemac32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dogogcpo.exe C:\Windows\SysWOW64\Dfpgffpm.exe N/A
File created C:\Windows\SysWOW64\Elkadb32.dll C:\Windows\SysWOW64\Daekdooc.exe N/A
File created C:\Windows\SysWOW64\Okgoadbf.dll C:\Windows\SysWOW64\Cffdpghg.exe N/A
File created C:\Windows\SysWOW64\Naeheh32.dll C:\Windows\SysWOW64\Cmqmma32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfkedibe.exe C:\Windows\SysWOW64\Bclhhnca.exe N/A
File created C:\Windows\SysWOW64\Kdqjac32.dll C:\Windows\SysWOW64\Cmiflbel.exe N/A
File created C:\Windows\SysWOW64\Chagok32.exe C:\Windows\SysWOW64\Ceckcp32.exe N/A
File created C:\Windows\SysWOW64\Dfnjafap.exe C:\Windows\SysWOW64\Delnin32.exe N/A
File created C:\Windows\SysWOW64\Ohmoom32.dll C:\Windows\SysWOW64\Dogogcpo.exe N/A
File opened for modification C:\Windows\SysWOW64\Beeoaapl.exe C:\Windows\SysWOW64\Bmngqdpj.exe N/A
File created C:\Windows\SysWOW64\Beglgani.exe C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
File created C:\Windows\SysWOW64\Ceqnmpfo.exe C:\Windows\SysWOW64\Cmiflbel.exe N/A
File opened for modification C:\Windows\SysWOW64\Banllbdn.exe C:\Windows\SysWOW64\Bjddphlq.exe N/A
File created C:\Windows\SysWOW64\Mogqfgka.dll C:\Windows\SysWOW64\Bfkedibe.exe N/A
File created C:\Windows\SysWOW64\Jekpanpa.dll C:\Windows\SysWOW64\Cajlhqjp.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmllipeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cffdpghg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmqmma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Danecp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bganhm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cndikf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfbkeh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aadifclh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgcknmop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chjaol32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Delnin32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Banllbdn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmemac32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfpnph32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dogogcpo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cenahpha.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Calhnpgn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beeoaapl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjddphlq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgehcmmm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bclhhnca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beglgani.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceckcp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcoenmao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceehho32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmcibama.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aepefb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmefhako.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Doilmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djdmffnn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmiflbel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chagok32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daekdooc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfiafg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djgjlelk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agoabn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bebblb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfkedibe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnffqf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cajlhqjp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ceckcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll" C:\Windows\SysWOW64\Chagok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll" C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll" C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Calhnpgn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dogogcpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll" C:\Windows\SysWOW64\Dhocqigp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Doilmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Beeoaapl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Beglgani.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bjddphlq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll" C:\Windows\SysWOW64\Djgjlelk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjddphlq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cndikf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cmiflbel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll" C:\Windows\SysWOW64\Chjaol32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bgcknmop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll" C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll" C:\Windows\SysWOW64\Bjddphlq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfkedibe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll" C:\Windows\SysWOW64\Cnffqf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll" C:\Windows\SysWOW64\Cfbkeh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Danecp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Delnin32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bfkedibe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll" C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmefhako.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cfpnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfpnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cffdpghg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Calhnpgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll" C:\Windows\SysWOW64\Dmefhako.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Doilmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll" C:\Windows\SysWOW64\Aepefb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djdmffnn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bclhhnca.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Daekdooc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll" C:\Windows\SysWOW64\Agoabn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll" C:\Windows\SysWOW64\Bebblb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll" C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bclhhnca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmemac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll" C:\Windows\SysWOW64\Cenahpha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ceckcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfiafg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmcibama.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Djgjlelk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dmefhako.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll" C:\Windows\SysWOW64\Cmiflbel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll" C:\Windows\SysWOW64\Bclhhnca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll" C:\Windows\SysWOW64\Dfiafg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll" C:\Windows\SysWOW64\Dmcibama.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Danecp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dknpmdfc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4392 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe C:\Windows\SysWOW64\Aadifclh.exe
PID 4392 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe C:\Windows\SysWOW64\Aadifclh.exe
PID 4392 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe C:\Windows\SysWOW64\Aadifclh.exe
PID 2324 wrote to memory of 4084 N/A C:\Windows\SysWOW64\Aadifclh.exe C:\Windows\SysWOW64\Aepefb32.exe
PID 2324 wrote to memory of 4084 N/A C:\Windows\SysWOW64\Aadifclh.exe C:\Windows\SysWOW64\Aepefb32.exe
PID 2324 wrote to memory of 4084 N/A C:\Windows\SysWOW64\Aadifclh.exe C:\Windows\SysWOW64\Aepefb32.exe
PID 4084 wrote to memory of 2164 N/A C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Agoabn32.exe
PID 4084 wrote to memory of 2164 N/A C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Agoabn32.exe
PID 4084 wrote to memory of 2164 N/A C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Agoabn32.exe
PID 2164 wrote to memory of 3064 N/A C:\Windows\SysWOW64\Agoabn32.exe C:\Windows\SysWOW64\Bfabnjjp.exe
PID 2164 wrote to memory of 3064 N/A C:\Windows\SysWOW64\Agoabn32.exe C:\Windows\SysWOW64\Bfabnjjp.exe
PID 2164 wrote to memory of 3064 N/A C:\Windows\SysWOW64\Agoabn32.exe C:\Windows\SysWOW64\Bfabnjjp.exe
PID 3064 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Bfabnjjp.exe C:\Windows\SysWOW64\Bebblb32.exe
PID 3064 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Bfabnjjp.exe C:\Windows\SysWOW64\Bebblb32.exe
PID 3064 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Bfabnjjp.exe C:\Windows\SysWOW64\Bebblb32.exe
PID 4884 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bganhm32.exe
PID 4884 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bganhm32.exe
PID 4884 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bganhm32.exe
PID 2596 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Bganhm32.exe C:\Windows\SysWOW64\Bmngqdpj.exe
PID 2596 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Bganhm32.exe C:\Windows\SysWOW64\Bmngqdpj.exe
PID 2596 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Bganhm32.exe C:\Windows\SysWOW64\Bmngqdpj.exe
PID 2648 wrote to memory of 2928 N/A C:\Windows\SysWOW64\Bmngqdpj.exe C:\Windows\SysWOW64\Beeoaapl.exe
PID 2648 wrote to memory of 2928 N/A C:\Windows\SysWOW64\Bmngqdpj.exe C:\Windows\SysWOW64\Beeoaapl.exe
PID 2648 wrote to memory of 2928 N/A C:\Windows\SysWOW64\Bmngqdpj.exe C:\Windows\SysWOW64\Beeoaapl.exe
PID 2928 wrote to memory of 2660 N/A C:\Windows\SysWOW64\Beeoaapl.exe C:\Windows\SysWOW64\Bgcknmop.exe
PID 2928 wrote to memory of 2660 N/A C:\Windows\SysWOW64\Beeoaapl.exe C:\Windows\SysWOW64\Bgcknmop.exe
PID 2928 wrote to memory of 2660 N/A C:\Windows\SysWOW64\Beeoaapl.exe C:\Windows\SysWOW64\Bgcknmop.exe
PID 2660 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Bgcknmop.exe C:\Windows\SysWOW64\Bmpcfdmg.exe
PID 2660 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Bgcknmop.exe C:\Windows\SysWOW64\Bmpcfdmg.exe
PID 2660 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Bgcknmop.exe C:\Windows\SysWOW64\Bmpcfdmg.exe
PID 5092 wrote to memory of 4380 N/A C:\Windows\SysWOW64\Bmpcfdmg.exe C:\Windows\SysWOW64\Beglgani.exe
PID 5092 wrote to memory of 4380 N/A C:\Windows\SysWOW64\Bmpcfdmg.exe C:\Windows\SysWOW64\Beglgani.exe
PID 5092 wrote to memory of 4380 N/A C:\Windows\SysWOW64\Bmpcfdmg.exe C:\Windows\SysWOW64\Beglgani.exe
PID 4380 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Beglgani.exe C:\Windows\SysWOW64\Bgehcmmm.exe
PID 4380 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Beglgani.exe C:\Windows\SysWOW64\Bgehcmmm.exe
PID 4380 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Beglgani.exe C:\Windows\SysWOW64\Bgehcmmm.exe
PID 2392 wrote to memory of 4736 N/A C:\Windows\SysWOW64\Bgehcmmm.exe C:\Windows\SysWOW64\Bjddphlq.exe
PID 2392 wrote to memory of 4736 N/A C:\Windows\SysWOW64\Bgehcmmm.exe C:\Windows\SysWOW64\Bjddphlq.exe
PID 2392 wrote to memory of 4736 N/A C:\Windows\SysWOW64\Bgehcmmm.exe C:\Windows\SysWOW64\Bjddphlq.exe
PID 4736 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Bjddphlq.exe C:\Windows\SysWOW64\Banllbdn.exe
PID 4736 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Bjddphlq.exe C:\Windows\SysWOW64\Banllbdn.exe
PID 4736 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Bjddphlq.exe C:\Windows\SysWOW64\Banllbdn.exe
PID 2828 wrote to memory of 8 N/A C:\Windows\SysWOW64\Banllbdn.exe C:\Windows\SysWOW64\Bclhhnca.exe
PID 2828 wrote to memory of 8 N/A C:\Windows\SysWOW64\Banllbdn.exe C:\Windows\SysWOW64\Bclhhnca.exe
PID 2828 wrote to memory of 8 N/A C:\Windows\SysWOW64\Banllbdn.exe C:\Windows\SysWOW64\Bclhhnca.exe
PID 8 wrote to memory of 1436 N/A C:\Windows\SysWOW64\Bclhhnca.exe C:\Windows\SysWOW64\Bfkedibe.exe
PID 8 wrote to memory of 1436 N/A C:\Windows\SysWOW64\Bclhhnca.exe C:\Windows\SysWOW64\Bfkedibe.exe
PID 8 wrote to memory of 1436 N/A C:\Windows\SysWOW64\Bclhhnca.exe C:\Windows\SysWOW64\Bfkedibe.exe
PID 1436 wrote to memory of 4076 N/A C:\Windows\SysWOW64\Bfkedibe.exe C:\Windows\SysWOW64\Bmemac32.exe
PID 1436 wrote to memory of 4076 N/A C:\Windows\SysWOW64\Bfkedibe.exe C:\Windows\SysWOW64\Bmemac32.exe
PID 1436 wrote to memory of 4076 N/A C:\Windows\SysWOW64\Bfkedibe.exe C:\Windows\SysWOW64\Bmemac32.exe
PID 4076 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Bmemac32.exe C:\Windows\SysWOW64\Bcoenmao.exe
PID 4076 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Bmemac32.exe C:\Windows\SysWOW64\Bcoenmao.exe
PID 4076 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Bmemac32.exe C:\Windows\SysWOW64\Bcoenmao.exe
PID 2800 wrote to memory of 3352 N/A C:\Windows\SysWOW64\Bcoenmao.exe C:\Windows\SysWOW64\Chjaol32.exe
PID 2800 wrote to memory of 3352 N/A C:\Windows\SysWOW64\Bcoenmao.exe C:\Windows\SysWOW64\Chjaol32.exe
PID 2800 wrote to memory of 3352 N/A C:\Windows\SysWOW64\Bcoenmao.exe C:\Windows\SysWOW64\Chjaol32.exe
PID 3352 wrote to memory of 776 N/A C:\Windows\SysWOW64\Chjaol32.exe C:\Windows\SysWOW64\Cndikf32.exe
PID 3352 wrote to memory of 776 N/A C:\Windows\SysWOW64\Chjaol32.exe C:\Windows\SysWOW64\Cndikf32.exe
PID 3352 wrote to memory of 776 N/A C:\Windows\SysWOW64\Chjaol32.exe C:\Windows\SysWOW64\Cndikf32.exe
PID 776 wrote to memory of 3608 N/A C:\Windows\SysWOW64\Cndikf32.exe C:\Windows\SysWOW64\Cenahpha.exe
PID 776 wrote to memory of 3608 N/A C:\Windows\SysWOW64\Cndikf32.exe C:\Windows\SysWOW64\Cenahpha.exe
PID 776 wrote to memory of 3608 N/A C:\Windows\SysWOW64\Cndikf32.exe C:\Windows\SysWOW64\Cenahpha.exe
PID 3608 wrote to memory of 3356 N/A C:\Windows\SysWOW64\Cenahpha.exe C:\Windows\SysWOW64\Cfpnph32.exe
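The rows above are the sandbox's record of each dropped executable writing into the process it just spawned, and because every spawn is logged as three identical rows the table has to be collapsed before it can be read as a chain. The following script is an added example, not part of the sandbox report: it parses rows in exactly the format shown (the sample below is the first twelve rows copied verbatim), collapses the triplicates, walks from the one PID that never appears as a target, and reports the spawn order, the hop count and the per-spawn write count so the result can be checked against the Processes list that follows.

```python
import re

# Constructed sample: the first twelve rows of the WriteProcessMemory table,
# copied verbatim from the report (each spawn is logged as three identical rows).
SAMPLE_ROWS = r"""
PID 2164 wrote to memory of 3064 N/A C:\Windows\SysWOW64\Agoabn32.exe C:\Windows\SysWOW64\Bfabnjjp.exe
PID 2164 wrote to memory of 3064 N/A C:\Windows\SysWOW64\Agoabn32.exe C:\Windows\SysWOW64\Bfabnjjp.exe
PID 2164 wrote to memory of 3064 N/A C:\Windows\SysWOW64\Agoabn32.exe C:\Windows\SysWOW64\Bfabnjjp.exe
PID 3064 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Bfabnjjp.exe C:\Windows\SysWOW64\Bebblb32.exe
PID 3064 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Bfabnjjp.exe C:\Windows\SysWOW64\Bebblb32.exe
PID 3064 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Bfabnjjp.exe C:\Windows\SysWOW64\Bebblb32.exe
PID 4884 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bganhm32.exe
PID 4884 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bganhm32.exe
PID 4884 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bganhm32.exe
PID 2596 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Bganhm32.exe C:\Windows\SysWOW64\Bmngqdpj.exe
PID 2596 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Bganhm32.exe C:\Windows\SysWOW64\Bmngqdpj.exe
PID 2596 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Bganhm32.exe C:\Windows\SysWOW64\Bmngqdpj.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Collapse the table into {(src_pid, dst_pid): {"src": image, "dst": image, "writes": n}}."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # blank line or a row in another format: skip, never guess
        src, dst, src_img, dst_img = m.groups()
        key = (int(src), int(dst))
        edge = edges.setdefault(key, {"src": src_img, "dst": dst_img, "writes": 0})
        if (edge["src"], edge["dst"]) != (src_img, dst_img):
            raise ValueError(f"PID pair {key} reused with different images")  # PID reuse would corrupt the chain
        edge["writes"] += 1
    return edges


def build_chain(edges):
    """Walk from the one PID that is never a target; returns [(pid, image), ...] in spawn order."""
    children, images = {}, {}
    for (src, dst), e in edges.items():
        children.setdefault(src, []).append(dst)
        images[src], images[dst] = e["src"], e["dst"]
    targets = {dst for _, dst in edges}
    roots = [pid for pid in children if pid not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected a single root process, found {roots}")
    chain, pid = [], roots[0]
    while pid is not None:
        chain.append((pid, images[pid]))
        kids = children.get(pid, [])
        if len(kids) > 1:
            raise ValueError(f"PID {pid} spawned {len(kids)} children; not a linear chain")
        pid = kids[0] if kids else None
    return chain


def chain_report(text):
    """Summary to compare against the Processes section: hop count, order, write counts, drop location."""
    edges = parse_rows(text)
    chain = build_chain(edges)
    return {
        "hops": len(edges),
        "order": [img.rsplit("\\", 1)[-1] for _, img in chain],
        "writes_per_spawn": sorted({e["writes"] for e in edges.values()}),
        "all_in_syswow64": all(img.lower().startswith("c:\\windows\\syswow64\\") for _, img in chain),
    }


if __name__ == "__main__":
    for key, value in chain_report(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Run on the full table, the chain is one long line of dropped executables, each living in SysWOW64 and each spawning exactly one successor; a uniform write count on every hop is the thing to check before reading these rows as injection into a foreign process rather than ordinary parent-to-child writes. Note also that the Processes list that follows pairs every SysWOW64 image with a command line naming C:\Windows\system32: that is WOW64 file-system redirection for a 32-bit process on 64-bit Windows, not two separate binaries.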

Processes

C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe

"C:\Users\Admin\AppData\Local\Temp\b51b8bc28e0132fc1fca130073211213f0635143b8db2b9d18bdb1fce7e92e28.exe"

C:\Windows\SysWOW64\Aadifclh.exe

C:\Windows\system32\Aadifclh.exe

C:\Windows\SysWOW64\Aepefb32.exe

C:\Windows\system32\Aepefb32.exe

C:\Windows\SysWOW64\Agoabn32.exe

C:\Windows\system32\Agoabn32.exe

C:\Windows\SysWOW64\Bfabnjjp.exe

C:\Windows\system32\Bfabnjjp.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bganhm32.exe

C:\Windows\system32\Bganhm32.exe

C:\Windows\SysWOW64\Bmngqdpj.exe

C:\Windows\system32\Bmngqdpj.exe

C:\Windows\SysWOW64\Beeoaapl.exe

C:\Windows\system32\Beeoaapl.exe

C:\Windows\SysWOW64\Bgcknmop.exe

C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bmpcfdmg.exe

C:\Windows\system32\Bmpcfdmg.exe

C:\Windows\SysWOW64\Beglgani.exe

C:\Windows\system32\Beglgani.exe

C:\Windows\SysWOW64\Bgehcmmm.exe

C:\Windows\system32\Bgehcmmm.exe

C:\Windows\SysWOW64\Bjddphlq.exe

C:\Windows\system32\Bjddphlq.exe

C:\Windows\SysWOW64\Banllbdn.exe

C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Bclhhnca.exe

C:\Windows\system32\Bclhhnca.exe

C:\Windows\SysWOW64\Bfkedibe.exe

C:\Windows\system32\Bfkedibe.exe

C:\Windows\SysWOW64\Bmemac32.exe

C:\Windows\system32\Bmemac32.exe

C:\Windows\SysWOW64\Bcoenmao.exe

C:\Windows\system32\Bcoenmao.exe

C:\Windows\SysWOW64\Chjaol32.exe

C:\Windows\system32\Chjaol32.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Cenahpha.exe

C:\Windows\system32\Cenahpha.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cnffqf32.exe

C:\Windows\system32\Cnffqf32.exe

C:\Windows\SysWOW64\Cmiflbel.exe

C:\Windows\system32\Cmiflbel.exe

C:\Windows\SysWOW64\Ceqnmpfo.exe

C:\Windows\system32\Ceqnmpfo.exe

C:\Windows\SysWOW64\Cfbkeh32.exe

C:\Windows\system32\Cfbkeh32.exe

C:\Windows\SysWOW64\Cmlcbbcj.exe

C:\Windows\system32\Cmlcbbcj.exe

C:\Windows\SysWOW64\Ceckcp32.exe

C:\Windows\system32\Ceckcp32.exe

C:\Windows\SysWOW64\Chagok32.exe

C:\Windows\system32\Chagok32.exe

C:\Windows\SysWOW64\Cajlhqjp.exe

C:\Windows\system32\Cajlhqjp.exe

C:\Windows\SysWOW64\Ceehho32.exe

C:\Windows\system32\Ceehho32.exe

C:\Windows\SysWOW64\Cdhhdlid.exe

C:\Windows\system32\Cdhhdlid.exe

C:\Windows\SysWOW64\Cffdpghg.exe

C:\Windows\system32\Cffdpghg.exe

C:\Windows\SysWOW64\Cmqmma32.exe

C:\Windows\system32\Cmqmma32.exe

C:\Windows\SysWOW64\Calhnpgn.exe

C:\Windows\system32\Calhnpgn.exe

C:\Windows\SysWOW64\Dfiafg32.exe

C:\Windows\system32\Dfiafg32.exe

C:\Windows\SysWOW64\Djdmffnn.exe

C:\Windows\system32\Djdmffnn.exe

C:\Windows\SysWOW64\Dmcibama.exe

C:\Windows\system32\Dmcibama.exe

C:\Windows\SysWOW64\Danecp32.exe

C:\Windows\system32\Danecp32.exe

C:\Windows\SysWOW64\Dhhnpjmh.exe

C:\Windows\system32\Dhhnpjmh.exe

C:\Windows\SysWOW64\Djgjlelk.exe

C:\Windows\system32\Djgjlelk.exe

C:\Windows\SysWOW64\Dmefhako.exe

C:\Windows\system32\Dmefhako.exe

C:\Windows\SysWOW64\Delnin32.exe

C:\Windows\system32\Delnin32.exe

C:\Windows\SysWOW64\Dfnjafap.exe

C:\Windows\system32\Dfnjafap.exe

C:\Windows\SysWOW64\Dodbbdbb.exe

C:\Windows\system32\Dodbbdbb.exe

C:\Windows\SysWOW64\Dmgbnq32.exe

C:\Windows\system32\Dmgbnq32.exe

C:\Windows\SysWOW64\Ddakjkqi.exe

C:\Windows\system32\Ddakjkqi.exe

C:\Windows\SysWOW64\Dfpgffpm.exe

C:\Windows\system32\Dfpgffpm.exe

C:\Windows\SysWOW64\Dogogcpo.exe

C:\Windows\system32\Dogogcpo.exe

C:\Windows\SysWOW64\Daekdooc.exe

C:\Windows\system32\Daekdooc.exe

C:\Windows\SysWOW64\Dhocqigp.exe

C:\Windows\system32\Dhocqigp.exe

C:\Windows\SysWOW64\Dknpmdfc.exe

C:\Windows\system32\Dknpmdfc.exe

C:\Windows\SysWOW64\Doilmc32.exe

C:\Windows\system32\Doilmc32.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4848 -ip 4848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 408

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/4392-0-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Aadifclh.exe

MD5 d9a7e70253e7254cbe251bda0af1fc08
SHA1 015226feea70ea5b47e77cf9934cca8021c9fb6a
SHA256 7b6f2016cd007b0f435e42377ec444c0aa4ab15f09edf8aa6051b9bcf6ff64bf
SHA512 cb0273ca51c520cfd0f07ebc8c6e477d018da549c24d78db95ba1cc4a21f16bcb6fa938e938a92d26531f5da6fcc8685c346e31a18affb124529ee62c487ddc0

memory/2324-7-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Aepefb32.exe

MD5 9eac242ddcc79565e8c0026fdc0b5d0e
SHA1 bfd60b8ac366d3a640062e98fd44f68c09030482
SHA256 9b371aff8b563e5037c5a25025146cef7bb2892aa95c64b8ad9029b954f65f94
SHA512 5df96edab29a59a61e9a6144d0102fb1782455528ce009cc06e2401af3f0350f8f623af4bb2258c9bef170a7e685ad0dabdb8cd780f14c0f1c1ec2c71b05659a

memory/4084-16-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2164-28-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bfabnjjp.exe

MD5 aec6c65ee950a42a31280e6e162b3b06
SHA1 a92665ecae5db828246f557b39217b552b4929e2
SHA256 1ae63d955d58571201e13fed271a02828625d67cc7f9184c934ce36f80ba5966
SHA512 803ea2279ff169a84b4b6247834f57160147f3f59f81f161133a938083bfa32e749324299ded04315c901a7a80093d3af1fe99cdd9a22c33883efd1b429bc80a

memory/3064-32-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Agoabn32.exe

MD5 ca0c53796898c1b3665f2cbafd72907c
SHA1 ad27ddc080db68debbe1fa6e79a66fa5e635f809
SHA256 65820ac344ab38ca97ef5d90d1a8b020a0855de8becc94a2fa6bc202f114d2bf
SHA512 d98c69edf5a0f1cf0a6e81e5f0f0ad743a21be5bc5ca903c810f8a5f90f555c95f83832da570392775b4aa8720e920d76dd2e2d432a115a36dfc3b7abffe9908

C:\Windows\SysWOW64\Phiifkjp.dll

MD5 ec91f06b4d590882573031b752c92cbe
SHA1 8ebe73a38950f267113164cee75cf0062a13046c
SHA256 5834c142272f491f836612ac77a67c633a0c59234e512996bbb63312e24297db
SHA512 31f8ca358ec4d6668ca75d4fc9fea7f2e6e48c671890317493fbf16e63614e724da519c5a96dc1c7a1fb1ecb3f0ebc3804ed26d25c0604d89685856397469067

memory/4884-40-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bebblb32.exe

MD5 d3b9a4de53937b2e29182e5c1dbd36c2
SHA1 ae08a56948a8ec92354eae8b469007f0465dce48
SHA256 9762b209aa148ecb54d6a8e6bbc8756d1ce711989aae37d2557725f38e8a626a
SHA512 414b78515c6b43ab2f5427cdac4a35e6142910800b390c72a8128c33d4e7a80e68d583c02c4b058b3a84756ac5b4fc5adc4507c35bee4fa742739ab544ae6314

C:\Windows\SysWOW64\Bganhm32.exe

MD5 0dbbc82c281670926f537b884db19f58
SHA1 dbabc92ed8a381809708f45e74d02ecf469752e0
SHA256 fc2e7e3284f8c056bc8f63221a13d8d6edd1ed38b8b8891779fcfca79a2ec9a9
SHA512 41b6da9b57ded609d039ae809ac0998b3ffbee7aec2b9e6493b8534edaa43494e9de0933892bf0e5b84207cdeb84031dae3972d3e078b19e9658f6d9aa5f22eb

memory/2596-47-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bmngqdpj.exe

MD5 4c00f467dc33180c92ee119e34caf097
SHA1 1f37739a3dad2dd090b1347806e90494d5ba5832
SHA256 dd70b57c7b684657467ec63d4737284dc0533feb685473af72863930cb0be7f4
SHA512 5b6b0bb3176c58e6467ccfc902b079b99cf5c098a1eb839859cd0b26ef669ac43d81e09db30401ba9c278c273c086e931a628769b1bde7fc9019227a22dd5027

memory/2648-56-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Beeoaapl.exe

MD5 7f0bcde0b43686c44c717e3df73dfeb0
SHA1 7efe863c6d9f5ae4a25d9d666fc16a7a0a6aed63
SHA256 95d1a4c4411e86b3944817d35b55922caa13618838899b54ca155cf6042e76be
SHA512 18e646ed2b6cd84655771d74b0edd616333e8d196ebbaff2485acbbe954b1fe3877cbdbe633f022111c34cd16de14e3fd47ec26b5ca16e9a92e1545efd628d88

C:\Windows\SysWOW64\Beeoaapl.exe

MD5 ef6b1118a0412d8daafbe18df34b8f7d
SHA1 164edd6b44d244b362045c35c85c449b81829fd7
SHA256 4d941ed9f9797cc781b1207ee2ba282ef3170116a6e5667920f4151d863469dc
SHA512 af59fdeca376e3562d12627ca22fd0c978fdca4538354ef92b0169e1eaac90ff28889c3b6b6d53df39653aa75b72245caf33ac392847d407596f86b3bad5f2de

memory/2928-64-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bgcknmop.exe

MD5 5da3f45229a214b2ca97d57e2de449de
SHA1 e2780785bed4e0b0ffc6780c6237e2c4f2c00be1
SHA256 6bfd16362250181ae498c4ba1c9f459c65e028c38e6676501ac0a90f90da93b6
SHA512 beaaf959d44055522b538f3cfecd643490e3a4d9b404eac3daaeaecdb4179fdd1a6fc792dc3cfe75dcce095b3a09c0274ebea2bfaf4a7fff299c5d3f6a7691c9

memory/2660-71-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bmpcfdmg.exe

MD5 3ecf365d5dd5d8112339cec6c87cb713
SHA1 bbad02985e8f187c961a163bb61e32c96fb730a9
SHA256 06f5b34121960b136416dbc5249fd201a10187aefa004dc4ffa44c1353fbbbcb
SHA512 38cd5d62ba6c290f7750b34bae7c4ad9f042c0623e95a33b7f402b15033b7c757f71ef12307a810b2937e8e13f8e7643d09497a1608c984d19bcc81bbd2198c9

memory/5092-80-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Beglgani.exe

MD5 67d7735176103b73703943abc5c89a7f
SHA1 24ae193e0508e45e3ab8e022f36738fbd6e27d9c
SHA256 44d1a89b7a87cd7dd09b1d1b51f2d4587f64c41db3882c631dacde5e07d456b6
SHA512 18bcffbbfd5cf2a1cc230de7d4150b368a1cba348f28bcbfd14e5d934e1c761876a6a018e10fbb257e487bfbe0506d1ad3414ade0fe52190134ae93c165e421f

memory/4380-88-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bgehcmmm.exe

MD5 3bd9acb3dd9c7bfec4e43b5a0d2c5a3b
SHA1 04306812c68431533e9db2320361ae9d9526f98d
SHA256 c6670b8bef36d2ec2f6e19ced3a111c259fb385d7c632559f6c2301880148ef2
SHA512 b31c60f4df7b9a7e343384ee095d4333f849ac7660460e1495d984a890e7cc90a6ad39d9d75d90ecaaa01cf570950dbba98dcded69648594bc673f82ba18e62f

memory/2392-95-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bjddphlq.exe

MD5 8b1f963c30e8d67f3d18dba9d2033f0e
SHA1 bf037eded307303e266c07f3d21f6a381260b5de
SHA256 4e350c81fd9b6eff8e4e7fe5ea8714f1384963a00ad52e4b19dbac529311593f
SHA512 72061357c883235e485df1a34c4b829a3212195cd59ad3d44be64f5cecd8dad6780024b1768394c7b662acc294a6a202a7f660bf97e1bc6f1a0bd25ce3cbeefb

memory/4736-103-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Banllbdn.exe

MD5 fb1eb59695d1072705c6542f9b5a01d2
SHA1 d15a7b4feec9f37159b89e86d7c0ea0e5da78baa
SHA256 64c05de0e91494e95a28fad693bdf17d76005a766a42f7b4efbf254eb2d4db3d
SHA512 2b16f07dc36661f46db841931fb33391397b33e6a6a5c3b5c7f6d5e380e678c8b408b738412977b5eb6018b3cda661727984714677868739120ec0ea1a861975

memory/2828-112-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bclhhnca.exe

MD5 4aa3808962fde5c7bf208bc29547f38a
SHA1 5d68116a3967c434da36fd43140ad6a36471a350
SHA256 98ca02a9ffaf2a56d46b519515f17fc0df1126cd8deb0a1e05e94b28ed476e27
SHA512 710b5bd5a44adb26e99ca84a17111004ede03d4a54bcda5bae044cc9e02c32ad73374040d5021e1406d5701dbd8b2e73b7438fec35981bee020f2cd3b3cb10a2

memory/8-119-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bfkedibe.exe

MD5 3a04a03a02803496b612a8f31c40cacc
SHA1 1a8905727de50b915bd6df13554a5812050a6905
SHA256 6524d70597b827a076c7f37a80fb15dd368cc46cc5f5e629d301a0cc6ee6d9ce
SHA512 bacb2af4742587ed68d5952acbcb9592d6ff8750aef93ad78cc3957a8c9ea87a95e21753fb7695a66f490b2754955bbf00730359a9392a09ea8ba180c0e35197

memory/1436-128-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bmemac32.exe

MD5 f2eb38af03a52dfaf3ef7fd98b1dc0b4
SHA1 da9243d8876215a60c787c2804d42686bfb41872
SHA256 0395b6e6812b9b59d8b2c083e0da8381f8c251b8cce1bab5ad443db0f2cc7d4f
SHA512 b6e7e9fc7929d1bdd4f5e18966c3dd50372c9db747c51117ba73ad83fa37331878ef0de5191f545c861d525d6077c88a2b1e16be8d9762ba37ef78534ffb6515

memory/4076-135-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bcoenmao.exe

MD5 521e9d4b4946b77ef5a6cb3e1a8c0f86
SHA1 78f3bad4aa929b888bb282a729e21e4f41cf2032
SHA256 c98ac751a6a00ebf9e33e235d4b98c3f53f7253291c1832088083933cbc35133
SHA512 181c7304dd15044d049dcb44c6305bb1e3d04a2305030f3cfe8815f1a49c07f59b3a424def21791528f84e2a8241e299ccf6cd2e02a5d793698a1f819737d917

memory/2800-144-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Chjaol32.exe

MD5 8c31528d8a6380d15708e01838f7d7a5
SHA1 dada853f9a5737b50bbcd9dd609cadb89e649143
SHA256 3fb45896cebc0358416a3c33404b604bdaaa75556e8bc2b838f11b8aabe232ed
SHA512 30263643a1c96946ccc395a047d7652dfc34f76de39f8a14d5b27e94cd80409e49df4353911bca9f65045a9c5b7f508fed53b895c25917ff1abeac7ff918502f

memory/3352-151-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Cndikf32.exe

MD5 f40ca3f553adff0375d85732f1e73948
SHA1 c4057e42a6d8a37de57341bdd734de24fe5bc987
SHA256 f7b97c5667ad18f3ce1bd51cfcd15cfdd1929d19296fb9165c6f7e3a7d4aa87d
SHA512 477338936b6659d4d957f0bd14b61014218b883299487eb1689a53019643af3a83d3397ca484e525f05734d719e0bad0573d3a75e971f0836bbdb99336fa5a82

memory/776-159-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Cenahpha.exe

MD5 d20671ca6b716ccfba8aa1fd2daaeb63
SHA1 47063b900549d631c714058a7d1507d332531916
SHA256 e0bccf329734abbb705aa6f3781adfbd2cdf6958307d98601ce9d3370fcc8050
SHA512 f67570d50b5ca8d44cbdd1d1d4ddc72a7213627b9e37ef8021e8da16034c83d01b4d45e38090ecf17a70999fdcd260fd7a57d01ff1f5dc0c7a5e2c96806cfe90

memory/3608-167-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Cfpnph32.exe

MD5 5f49072462ed52d808fe70b00374953a
SHA1 84bf97090bb89173b16d816f6e4becf58137c76e
SHA256 c1ec4dcc2adf89eabb409016fba85e0268153a205b4fe01bf75ad45357dd4606
SHA512 8e78bf80d645253cefc7b2543a1f51dee8de43776fc14cd05f9d0c85887e5e63e4206a26a7a24e80b01b9174d067b2bd0564600795798ca112c00f3b2b58631f

memory/3356-175-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Cnffqf32.exe

MD5 16a6537d5af05126780596d048572d05
SHA1 84f757cbf1dc9d2033095d0d017f6bc02d69981c
SHA256 3b5730bc60a9cac39ff8aeec511ed0acd4c7b0c8e4472a3bcf07a63f319b648e
SHA512 f9a76521f24bd192c71fa17a93d8adb1e9212eefc8c52b24f24af238cd7a9487533fefad63c1181ba6fa59c51766dccfb1c490f3ade6273685eca2ae8ced0488

memory/1256-188-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Cmiflbel.exe

MD5 53cadcd42948b9cfeb46164d736a6fc7
SHA1 b8f32e6de98369bddd008639422cc70d54d9bcf3
SHA256 d1da324a800fa132f79610de839c25d5a7b6e55bc66e740a325edcf05c63ad83
SHA512 a3fea619c4b28a6f1f371fd1f4af450eb99b479edace5d0b00b23ec92a3f0144ca0949f01700dadb9c1f77f50c371b17acda5ab659edf22c8ffaf6219bfee588

memory/2424-192-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Ceqnmpfo.exe

MD5 2be5557191cff7ddf9278300ab381169
SHA1 f086717e8278be8b1a99dfd6303485220d18831c
SHA256 2b5be965b0e25a066a67962a682d9a878b00a25b56d2b6dcab5b222353ffa078
SHA512 3fd5de050d55c77b0bb36a71ceccd8a0e29fe77225668e379c1efa031cc26543deaf4839201765aa4ce8d47fc890efbf3486cd861eb6b12cee71b5403468e523

memory/1972-200-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Cfbkeh32.exe

MD5 159afa7977c394131c0ee82778c9259a
SHA1 3c5b43921d2fa6a4d4c52277c15c83d30599d944
SHA256 5aab28595a0ad58077c9324397ac3ff225d1a53a32bb2ea40054b0edc00a6cbf
SHA512 31d20981c85e439e3f676c7e9c255842b41c91a9b80ca56afd0c52eb0c30c2fedb76e6010391746a71934fdb4af4ffe1d730b8c8883fa74b8c64fa0baf013f94

memory/4652-207-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Cmlcbbcj.exe

MD5 097b93d6d396e6391f3d389e7677889e
SHA1 3b3943b55bee46f725b8052969f67e9a7a7da48e
SHA256 7406a0203c1bf54d88fbccd6fefb022c85414173bee2d3b2457df33c238e2f33
SHA512 33d6b896d93a22228e414ec981532187dc2d8fddb7ef21f77e5040401d34b8a587b925886ea4d64bcb3b17dc8184f547e5d89b8fe158a2dac0220d292ff61031

memory/3096-216-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Ceckcp32.exe

MD5 8c438636f5f2b41b2e275b061b6859a1
SHA1 dc719874a72aa6d38394fd47c00db3262f14788e
SHA256 00479c7450576648ed09190737087d63f02bcb52b95fd7faef001e8cfd29c2f8
SHA512 05ed6fe9f83b62bbc7c64ed334ff72da6a1c6f27d84ff304366caf34ba8443ba892e83b3db81b2b1b517574a759e24733aff39b0a94e8fc2ba4e07b8907b942b

memory/1620-228-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Chagok32.exe

MD5 d1734fb67cdd6b16f54b0ab1207bf383
SHA1 2f9c0a1276b0acb22593fc64cbb3e9f8108d25e3
SHA256 f39012506b7e3f076a5bdc180665889067a030da29a4fcf7caeca1b3d3302910
SHA512 979699830896395c483b73b972368c0c4e2a9b84ae5b4f769dcc159d82904180362e8cdf4ad9c4650f11906624beb11acf344f186721742f6f3c9e38b5648ccc

memory/624-231-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Cajlhqjp.exe

MD5 18d6fee0aa93c3b211bb46437a8d441d
SHA1 f8018588caf1ab6f2e575c3038901dea13a3700f
SHA256 aaa73976549efce22236cbbe3b576b8aa8c84e545964f7b177ab0f07fa142c46
SHA512 a76485f56ef103d753de21bab029e84fd254ba3ae0795ef74f0fe708c90e3b149d35fe311b8b90323e93894bd7f3e40cfac13b9f0229faa9fd79a131f596ebfc

C:\Windows\SysWOW64\Ceehho32.exe

MD5 b6d78e4d956b5044443e6cb5956e4d3b
SHA1 342b5f64b08b15ae819755ea8894bce22ec75ffe
SHA256 8a4908f712e87c1ad33e70f661267d63e1e13ed48d8ee12139dda88bca4d72bb
SHA512 9a24f420fb51504449b24a7a376c84aeb092be9e8f602edac2a7f453f8a4bc5296002705bcee8cd7081ef2c85b0dce6c2780ed16d3d49c53eecd2c890f9f86d5

memory/5112-244-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4920-252-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1460-256-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2856-262-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Cdhhdlid.exe

MD5 b3feb0055d8839f127418ebe7c0ec3b9
SHA1 db5ef88603a3133796de15f80a640293b6cf38ae
SHA256 07b602371c2e1495a23ddc11f65aaf6caf7a46c1193a26f18e4635b62121d5a0
SHA512 ad7180cd325830ffdada88b066664cf64fd8023f8f50b0645a461d2d2d363bdf0069be45f4cb33622e19aa0f301119544463b83fbb750947760ee9caae22cb27

memory/2096-268-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1360-274-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4572-280-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3740-292-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4080-291-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3656-298-0x0000000000400000-0x0000000000435000-memory.dmp

memory/812-304-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1200-310-0x0000000000400000-0x0000000000435000-memory.dmp

memory/744-316-0x0000000000400000-0x0000000000435000-memory.dmp

memory/5004-322-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1188-328-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2300-338-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3292-340-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1392-346-0x0000000000400000-0x0000000000435000-memory.dmp

memory/228-352-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3824-358-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3308-364-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2168-370-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3060-376-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2984-382-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Dmllipeg.exe

MD5 464a88cdd99c8c5b9090daffee0c0a74
SHA1 0e7dd95877b718f484d5bb40941eebb6c3eabc7b
SHA256 ac9d192ae191a295a051399f6141ecd2a90af4716d2f44f99e1df1ea9523453c
SHA512 9287cb3085368f3a22b96cc000b9217960b24a755a79d19a2589c5ac2402353a56d31f27ccdbff4a5755489ac8df3e37faf3582ce7019951e9a143d3bae23888

memory/4848-388-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4848-389-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2984-390-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3824-395-0x0000000000400000-0x0000000000435000-memory.dmp

memory/5004-399-0x0000000000400000-0x0000000000435000-memory.dmp

memory/744-400-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4652-412-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3352-419-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2660-429-0x0000000000400000-0x0000000000435000-memory.dmp

memory/5092-428-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4380-427-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2392-426-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4736-425-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2828-424-0x0000000000400000-0x0000000000435000-memory.dmp

memory/8-423-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1436-422-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4076-421-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2800-420-0x0000000000400000-0x0000000000435000-memory.dmp

memory/776-418-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3608-417-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3356-416-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1256-415-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2424-414-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1972-413-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3096-411-0x0000000000400000-0x0000000000435000-memory.dmp

memory/624-410-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1460-409-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2856-408-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2096-407-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1360-406-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4572-405-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3740-404-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3656-403-0x0000000000400000-0x0000000000435000-memory.dmp

memory/812-402-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1200-401-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1188-398-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3292-397-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1392-396-0x0000000000400000-0x0000000000435000-memory.dmp

memory/228-394-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3308-393-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3060-391-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2168-392-0x0000000000400000-0x0000000000435000-memory.dmp
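The Files list above is the indicator material from this detonation, and two details are easy to miss when reading it by eye: Beeoaapl.exe is recorded twice with different hashes, and the memory regions all share the same 0x400000 base and 0x35000 size. The Network section, meanwhile, contains only reverse (PTR) lookups sent to 8.8.8.8, with no forward resolution of any name and no connection to the addresses concerned. The script below is an added example, not output of the sandbox: it parses the Files and Network sections in the format shown (the embedded sample is a verbatim excerpt of the entries above), validates digest lengths, flags file names that carry more than one SHA256, and turns each in-addr.arpa name back into the IPv4 address that was looked up so it can be checked against known infrastructure. Treat the recovered addresses as leads to check, not as confirmed command-and-control, since the report shows nothing beyond the lookups.

```python
import re

# Constructed excerpt of the Files and Network sections, copied verbatim from the report
# (one memory region, three dropped-file records, three DNS rows).
FILES_TEXT = r"""
memory/4392-0-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Aadifclh.exe

MD5 d9a7e70253e7254cbe251bda0af1fc08
SHA1 015226feea70ea5b47e77cf9934cca8021c9fb6a
SHA256 7b6f2016cd007b0f435e42377ec444c0aa4ab15f09edf8aa6051b9bcf6ff64bf
SHA512 cb0273ca51c520cfd0f07ebc8c6e477d018da549c24d78db95ba1cc4a21f16bcb6fa938e938a92d26531f5da6fcc8685c346e31a18affb124529ee62c487ddc0

C:\Windows\SysWOW64\Beeoaapl.exe

MD5 7f0bcde0b43686c44c717e3df73dfeb0
SHA1 7efe863c6d9f5ae4a25d9d666fc16a7a0a6aed63
SHA256 95d1a4c4411e86b3944817d35b55922caa13618838899b54ca155cf6042e76be
SHA512 18e646ed2b6cd84655771d74b0edd616333e8d196ebbaff2485acbbe954b1fe3877cbdbe633f022111c34cd16de14e3fd47ec26b5ca16e9a92e1545efd628d88

C:\Windows\SysWOW64\Beeoaapl.exe

MD5 ef6b1118a0412d8daafbe18df34b8f7d
SHA1 164edd6b44d244b362045c35c85c449b81829fd7
SHA256 4d941ed9f9797cc781b1207ee2ba282ef3170116a6e5667920f4151d863469dc
SHA512 af59fdeca376e3562d12627ca22fd0c978fdca4538354ef92b0169e1eaac90ff28889c3b6b6d53df39653aa75b72245caf33ac392847d407596f86b3bad5f2de
"""
NETWORK_TEXT = """
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
NET_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (tcp|udp)$")
PTR_SUFFIX = ".in-addr.arpa"


def parse_files(text):
    """Return (records, regions): dropped-file hash records and in-memory regions, in report order."""
    records, regions, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := DUMP_RE.match(line):
            pid, base, end = m.groups()
            regions.append({"pid": int(pid), "base": int(base, 16), "size": int(end, 16) - int(base, 16)})
            current = None
        elif m := HASH_RE.match(line):
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash line with no preceding path: {line}")
            if len(digest) != HASH_LEN[algo]:  # a truncated digest would silently never match
                raise ValueError(f"{algo} for {current['path']} has {len(digest)} hex chars")
            current[algo.lower()] = digest
        else:
            current = {"path": line}
            records.append(current)
    return records, regions


def basename(path):
    return path.rsplit("\\", 1)[-1]


def name_collisions(records):
    """File names recorded with more than one SHA256: the same drop name carrying different bytes."""
    seen = {}
    for r in records:
        seen.setdefault(basename(r["path"]), set()).add(r.get("sha256"))
    return {name: len(h) for name, h in seen.items() if len(h) > 1}


def ptr_to_ip(name):
    """'149.220.183.52.in-addr.arpa' -> '52.183.220.149': PTR names carry the octets reversed."""
    if not name.endswith(PTR_SUFFIX):
        raise ValueError(f"not an IPv4 PTR name: {name}")
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 PTR name: {name}")
    return ".".join(reversed(octets))


def parse_network(text):
    rows = []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := NET_RE.match(line):
            country, dst, port, query, proto = m.groups()
            row = {"country": country, "dst": f"{dst}:{port}", "query": query, "proto": proto}
            if query.endswith(PTR_SUFFIX):
                row["ptr_target"] = ptr_to_ip(query)
            rows.append(row)
    return rows


def ioc_bundle(files_text, network_text):
    """Everything worth pushing to a blocklist or hunt query, plus the checks an analyst runs first."""
    records, regions = parse_files(files_text)
    net = parse_network(network_text)
    return {
        "dropped_names": sorted({basename(r["path"]) for r in records}),
        "sha256": sorted(r["sha256"] for r in records if "sha256" in r),
        "name_collisions": name_collisions(records),
        "memory_regions": regions,
        "resolvers": sorted({r["dst"] for r in net}),
        "ptr_targets": [r["ptr_target"] for r in net if "ptr_target" in r],
        "forward_lookups": [r["query"] for r in net if "ptr_target" not in r],
    }


if __name__ == "__main__":
    for key, value in ioc_bundle(FILES_TEXT, NETWORK_TEXT).items():
        print(f"{key}: {value}")
```

Hash on SHA256 rather than file name when hunting: the collision check shows that a single drop name can correspond to more than one binary, so a name-based rule would match only part of what this sample writes. The empty forward_lookups list is the check that matters for the Network section; if it stays empty after parsing the whole table, the DNS activity recorded here is reverse lookups only.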