Malware Analysis Report

2025-08-11 08:28

Sample ID 241111-mxs25aybrp
Target 9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN
SHA256 9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29a
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29a

Threat Level: Known bad

The file 9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Berbew family

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 10:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 10:51

Reported

2024-11-11 10:53

Platform

win7-20241010-en

Max time kernel

107s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dinneo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ifdlng32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kfaalh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dfkhndca.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jigbebhb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kigndekn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jplfkjbd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Laqojfli.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ljldnhid.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngpqfp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hqnjek32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jllqplnp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfkhndca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cdmepgce.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjmlhbbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jnagmc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqijljfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kkjpggkn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jgjkfi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Eheglk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Emdmjamj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bgghac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Khgkpl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Kmkihbho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fdiqpigl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pbemboof.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmohco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ccmpce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Glbaei32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncpdbohb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajckilei.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cinafkkd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hjmlhbbg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Demaoj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghbljk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Iknafhjb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbmome32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bfoeil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hcjilgdb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aclpaali.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Anadojlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ghbljk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ibacbcgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Indnnfdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Feddombd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hgqlafap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ioeclg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Glchpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ohfcfb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Edlafebn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hqnjek32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fkefbcmf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cinafkkd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Hmmdin32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jplfkjbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Fgocmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ajhddk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jgjkfi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Klecfkff.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qemldifo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aognbnkm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gpggei32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Glpepj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Jipaip32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Bqijljfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccmpce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cinafkkd.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfkhndca.exe N/A
N/A N/A C:\Windows\SysWOW64\Dinneo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eheglk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emdmjamj.exe N/A
N/A N/A C:\Windows\SysWOW64\Eipgjaoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpohakbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggagmjbq.exe N/A
N/A N/A C:\Windows\SysWOW64\Glchpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gqcnln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkolakkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbkqdepm.exe N/A
N/A N/A C:\Windows\SysWOW64\Indnnfdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifdlng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jigbebhb.exe N/A
N/A N/A C:\Windows\SysWOW64\Kigndekn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgnkci32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lonibk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldjbkb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Laqojfli.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljldnhid.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnjldf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mloiec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfgnnhkc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbqkiind.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngpqfp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndcapd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nckkgp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqokpd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncpdbohb.exe N/A
N/A N/A C:\Windows\SysWOW64\Obeacl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onnnml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohfcfb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oejcpf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbemboof.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmjaohol.exe N/A
N/A N/A C:\Windows\SysWOW64\Plpopddd.exe N/A
N/A N/A C:\Windows\SysWOW64\Qldhkc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qemldifo.exe N/A
N/A N/A C:\Windows\SysWOW64\Adaiee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aognbnkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Addfkeid.exe N/A
N/A N/A C:\Windows\SysWOW64\Adfbpega.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajckilei.exe N/A
N/A N/A C:\Windows\SysWOW64\Aclpaali.exe N/A
N/A N/A C:\Windows\SysWOW64\Anadojlo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajhddk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfoeil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkknac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bddbjhlp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbhccm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bolcma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgghac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgidfcdk.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdmepgce.exe N/A
N/A N/A C:\Windows\SysWOW64\Demaoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnefhpma.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfcgbb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emoldlmc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejcmmp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Edlafebn.exe N/A
N/A N/A C:\Windows\SysWOW64\Emdeok32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqijljfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqijljfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccmpce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccmpce32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cinafkkd.exe N/A
N/A N/A C:\Windows\SysWOW64\Cinafkkd.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfkhndca.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfkhndca.exe N/A
N/A N/A C:\Windows\SysWOW64\Dinneo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dinneo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eheglk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eheglk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emdmjamj.exe N/A
N/A N/A C:\Windows\SysWOW64\Emdmjamj.exe N/A
N/A N/A C:\Windows\SysWOW64\Eipgjaoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Eipgjaoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpohakbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpohakbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggagmjbq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggagmjbq.exe N/A
N/A N/A C:\Windows\SysWOW64\Glchpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Glchpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gqcnln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gqcnln32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkolakkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkolakkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbkqdepm.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbkqdepm.exe N/A
N/A N/A C:\Windows\SysWOW64\Indnnfdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Indnnfdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifdlng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifdlng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jigbebhb.exe N/A
N/A N/A C:\Windows\SysWOW64\Jigbebhb.exe N/A
N/A N/A C:\Windows\SysWOW64\Kigndekn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kigndekn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgnkci32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgnkci32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lonibk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lonibk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldjbkb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldjbkb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Laqojfli.exe N/A
N/A N/A C:\Windows\SysWOW64\Laqojfli.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljldnhid.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljldnhid.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnjldf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnjldf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mloiec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mloiec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfgnnhkc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfgnnhkc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbqkiind.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbqkiind.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngpqfp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngpqfp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndcapd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndcapd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nckkgp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nckkgp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqokpd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqokpd32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Eheglk32.exe C:\Windows\SysWOW64\Dinneo32.exe N/A
File created C:\Windows\SysWOW64\Ndcapd32.exe C:\Windows\SysWOW64\Ngpqfp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Khgkpl32.exe C:\Windows\SysWOW64\Jplfkjbd.exe N/A
File created C:\Windows\SysWOW64\Glchpp32.exe C:\Windows\SysWOW64\Ggagmjbq.exe N/A
File created C:\Windows\SysWOW64\Hkolakkb.exe C:\Windows\SysWOW64\Gqcnln32.exe N/A
File created C:\Windows\SysWOW64\Pcfahenq.dll C:\Windows\SysWOW64\Adaiee32.exe N/A
File created C:\Windows\SysWOW64\Oejcpf32.exe C:\Windows\SysWOW64\Ohfcfb32.exe N/A
File created C:\Windows\SysWOW64\Jkbolo32.dll C:\Windows\SysWOW64\Plpopddd.exe N/A
File created C:\Windows\SysWOW64\Kpachc32.dll C:\Windows\SysWOW64\Feddombd.exe N/A
File opened for modification C:\Windows\SysWOW64\Jigbebhb.exe C:\Windows\SysWOW64\Ifdlng32.exe N/A
File created C:\Windows\SysWOW64\Mbqkiind.exe C:\Windows\SysWOW64\Mfgnnhkc.exe N/A
File opened for modification C:\Windows\SysWOW64\Kkjpggkn.exe C:\Windows\SysWOW64\Klecfkff.exe N/A
File created C:\Windows\SysWOW64\Ibacbcgg.exe C:\Windows\SysWOW64\Hiioin32.exe N/A
File created C:\Windows\SysWOW64\Glehgdkn.dll C:\Windows\SysWOW64\Hbkqdepm.exe N/A
File created C:\Windows\SysWOW64\Qldhkc32.exe C:\Windows\SysWOW64\Plpopddd.exe N/A
File created C:\Windows\SysWOW64\Bddbjhlp.exe C:\Windows\SysWOW64\Bkknac32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfkhndca.exe C:\Windows\SysWOW64\Cinafkkd.exe N/A
File created C:\Windows\SysWOW64\Pjnpem32.dll C:\Windows\SysWOW64\Glchpp32.exe N/A
File created C:\Windows\SysWOW64\Nckkgp32.exe C:\Windows\SysWOW64\Ndcapd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hqnjek32.exe C:\Windows\SysWOW64\Hcjilgdb.exe N/A
File opened for modification C:\Windows\SysWOW64\Eipgjaoi.exe C:\Windows\SysWOW64\Emdmjamj.exe N/A
File opened for modification C:\Windows\SysWOW64\Bddbjhlp.exe C:\Windows\SysWOW64\Bkknac32.exe N/A
File opened for modification C:\Windows\SysWOW64\Efljhq32.exe C:\Windows\SysWOW64\Emdeok32.exe N/A
File created C:\Windows\SysWOW64\Pgejcl32.dll C:\Windows\SysWOW64\Hgqlafap.exe N/A
File created C:\Windows\SysWOW64\Kkjpggkn.exe C:\Windows\SysWOW64\Klecfkff.exe N/A
File created C:\Windows\SysWOW64\Lgdqap32.dll C:\Windows\SysWOW64\Emdmjamj.exe N/A
File created C:\Windows\SysWOW64\Gqcnln32.exe C:\Windows\SysWOW64\Glchpp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ejcmmp32.exe C:\Windows\SysWOW64\Emoldlmc.exe N/A
File opened for modification C:\Windows\SysWOW64\Jnagmc32.exe C:\Windows\SysWOW64\Iamfdo32.exe N/A
File created C:\Windows\SysWOW64\Ifdlng32.exe C:\Windows\SysWOW64\Indnnfdn.exe N/A
File created C:\Windows\SysWOW64\Pkkkap32.dll C:\Windows\SysWOW64\Lnjldf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Emdeok32.exe C:\Windows\SysWOW64\Edlafebn.exe N/A
File created C:\Windows\SysWOW64\Ipbkjl32.dll C:\Windows\SysWOW64\Kmkihbho.exe N/A
File opened for modification C:\Windows\SysWOW64\Fdiqpigl.exe C:\Windows\SysWOW64\Fmohco32.exe N/A
File created C:\Windows\SysWOW64\Ghbljk32.exe C:\Windows\SysWOW64\Gpggei32.exe N/A
File opened for modification C:\Windows\SysWOW64\Libjncnc.exe C:\Windows\SysWOW64\Kmkihbho.exe N/A
File created C:\Windows\SysWOW64\Iamfdo32.exe C:\Windows\SysWOW64\Icifjk32.exe N/A
File created C:\Windows\SysWOW64\Ikbilijo.dll C:\Windows\SysWOW64\Jllqplnp.exe N/A
File created C:\Windows\SysWOW64\Lffkcfke.dll C:\Windows\SysWOW64\Ohfcfb32.exe N/A
File created C:\Windows\SysWOW64\Elbafomj.dll C:\Windows\SysWOW64\Qemldifo.exe N/A
File created C:\Windows\SysWOW64\Aclpaali.exe C:\Windows\SysWOW64\Ajckilei.exe N/A
File opened for modification C:\Windows\SysWOW64\Hbkqdepm.exe C:\Windows\SysWOW64\Hkolakkb.exe N/A
File created C:\Windows\SysWOW64\Jmfjecle.dll C:\Windows\SysWOW64\Fmohco32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ioeclg32.exe C:\Windows\SysWOW64\Ibacbcgg.exe N/A
File created C:\Windows\SysWOW64\Ilalae32.dll C:\Windows\SysWOW64\Eimcjl32.exe N/A
File created C:\Windows\SysWOW64\Lbjofi32.exe C:\Windows\SysWOW64\Libjncnc.exe N/A
File created C:\Windows\SysWOW64\Ngpqfp32.exe C:\Windows\SysWOW64\Mbqkiind.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkknac32.exe C:\Windows\SysWOW64\Bfoeil32.exe N/A
File created C:\Windows\SysWOW64\Dhnhab32.dll C:\Windows\SysWOW64\Dfcgbb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fkefbcmf.exe C:\Windows\SysWOW64\Fdiqpigl.exe N/A
File created C:\Windows\SysWOW64\Eipgjaoi.exe C:\Windows\SysWOW64\Emdmjamj.exe N/A
File created C:\Windows\SysWOW64\Kgnkci32.exe C:\Windows\SysWOW64\Kigndekn.exe N/A
File created C:\Windows\SysWOW64\Bbhccm32.exe C:\Windows\SysWOW64\Bddbjhlp.exe N/A
File created C:\Windows\SysWOW64\Dokmejcg.dll C:\Windows\SysWOW64\Ldjbkb32.exe N/A
File created C:\Windows\SysWOW64\Hlekjpbi.dll C:\Windows\SysWOW64\Klecfkff.exe N/A
File created C:\Windows\SysWOW64\Ipafocdg.dll C:\Windows\SysWOW64\Libjncnc.exe N/A
File created C:\Windows\SysWOW64\Ajckilei.exe C:\Windows\SysWOW64\Adfbpega.exe N/A
File created C:\Windows\SysWOW64\Bolcma32.exe C:\Windows\SysWOW64\Bbhccm32.exe N/A
File created C:\Windows\SysWOW64\Fkefbcmf.exe C:\Windows\SysWOW64\Fdiqpigl.exe N/A
File opened for modification C:\Windows\SysWOW64\Jipaip32.exe C:\Windows\SysWOW64\Jllqplnp.exe N/A
File created C:\Windows\SysWOW64\Eheglk32.exe C:\Windows\SysWOW64\Dinneo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lnjldf32.exe C:\Windows\SysWOW64\Ljldnhid.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmjaohol.exe C:\Windows\SysWOW64\Pbemboof.exe N/A
File created C:\Windows\SysWOW64\Ifolhann.exe C:\Windows\SysWOW64\Ioeclg32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Lbjofi32.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ioeclg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hkolakkb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Addfkeid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iamfdo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kgnkci32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Glbaei32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gefmcp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Indnnfdn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ghbljk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qemldifo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajckilei.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dnefhpma.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jgjkfi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jmfcop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqijljfd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfkhndca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ohfcfb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eimcjl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fdiqpigl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fgocmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jfcabd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fpohakbp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkjpggkn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ngpqfp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adfbpega.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hffibceh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eipgjaoi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jigbebhb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adaiee32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Libjncnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nqokpd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qldhkc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gockgdeh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hgqlafap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hiioin32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fkefbcmf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gpggei32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ggagmjbq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Onnnml32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ncpdbohb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfcgbb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cinafkkd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lnjldf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Obeacl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jplfkjbd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Plpopddd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Feddombd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fijbco32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kigndekn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lonibk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bddbjhlp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgghac32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gekfnoog.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gqcnln32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Laqojfli.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Glchpp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nckkgp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mloiec32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jipaip32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Khgkpl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ldjbkb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdmepgce.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Edlafebn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hqnjek32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Icifjk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kfaalh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Indnnfdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ljldnhid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pmjaohol.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll" C:\Windows\SysWOW64\Bqijljfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bieepc32.dll" C:\Windows\SysWOW64\Emoldlmc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qldhkc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igcphbih.dll" C:\Windows\SysWOW64\Ajhddk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqhkjacc.dll" C:\Windows\SysWOW64\Bbhccm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inppon32.dll" C:\Windows\SysWOW64\Bolcma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gekfnoog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hcjilgdb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nqokpd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bddbjhlp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ohfcfb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Fgocmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjcap32.dll" C:\Windows\SysWOW64\Hffibceh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Icifjk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldjbkb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lnjldf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hffibceh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilalae32.dll" C:\Windows\SysWOW64\Eimcjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fgocmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkhdaei.dll" C:\Windows\SysWOW64\Gpggei32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kkjpggkn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kigndekn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eckfklnl.dll" C:\Windows\SysWOW64\Cdmepgce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ejcmmp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gekfnoog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdmihcc.dll" C:\Windows\SysWOW64\Ioeclg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iamfdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jnagmc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Mbqkiind.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Onnnml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Anadojlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iinkmi32.dll" C:\Windows\SysWOW64\Ndcapd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcfahenq.dll" C:\Windows\SysWOW64\Adaiee32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bfoeil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ibacbcgg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ioeclg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ccmpce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fpohakbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aondioej.dll" C:\Windows\SysWOW64\Ggagmjbq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ibacbcgg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jllqplnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll" C:\Windows\SysWOW64\Kbmome32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mloiec32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjjjgna.dll" C:\Windows\SysWOW64\Pbemboof.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Qemldifo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Eimcjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Feddombd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Jnagmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll" C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncpdbohb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dfcgbb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Khgkpl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Hkolakkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nehhoand.dll" C:\Windows\SysWOW64\Obeacl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Plpopddd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Aognbnkm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Gockgdeh.exe N/A
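
The rows above are this report's flattened "Description Indicator Process Target" tables, so the join a practitioner wants is not visible at a glance: the one CLSID {79ECA078-17FF-726B-E811-213280E5C831} has its InProcServer32 default value (the DLL that COM loads into whichever process instantiates the class) rewritten by one dropped executable after another, each time to a different freshly dropped DLL under SysWow64 with ThreadingModel set to "Apartment", and the same dropped executables open HKLM\SYSTEM\ControlSet001\Control\NLS\Language (the locale check the report files under System Language Discovery). The Python below is an added example, not part of this report or of the Berbew sample: it parses rows in this report's layout, resolves each CLSID to every DLL it was pointed at and to the processes that wrote it, and counts the language-key probes per process. The sample input is a copied subset of the rows above; the regular expressions, the ComRegistration record and the triage() findings are this example's own constructs. Two caveats it encodes: the report's value column escapes backslashes (C:\\Windows\\SysWow64\\...), which must be undone before matching against disk, and the rows carry no timestamps, so the script keeps every DLL target rather than treating the last row as the live registration.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input: a subset of rows copied from the two registry tables
# above, in the flattened "Description Indicator Process Target" layout of this report.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cinafkkd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lnjldf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Obeacl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Icifjk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kfaalh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll" C:\Windows\SysWOW64\Bqijljfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bieepc32.dll" C:\Windows\SysWOW64\Emoldlmc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igcphbih.dll" C:\Windows\SysWOW64\Ajhddk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll" C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nehhoand.dll" C:\Windows\SysWOW64\Obeacl32.exe N/A
"""

# Row shapes of this report (example's own regexes). The path is non-greedy so the
# last two whitespace-free tokens are always Process and Target.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<path>\\REGISTRY\\.*?) = "(?P<value>[^"]*)" (?P<proc>\S+) (?P<target>\S+)$')
KEY_RE = re.compile(
    r'^Key (?P<op>opened|created) (?P<path>\\REGISTRY\\.*?) (?P<proc>\S+) (?P<target>\S+)$')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32', re.IGNORECASE)
NLS_LANGUAGE_KEY = r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language'


@dataclass
class ComRegistration:
    clsid: str
    dll_targets: list = field(default_factory=list)   # distinct DLL paths, in report order
    threading_models: set = field(default_factory=set)
    writers: set = field(default_factory=set)         # image names that touched the key


def basename(path):
    return path.rsplit('\\', 1)[-1]


def parse_registry_rows(text):
    """Turn report rows into dicts; rows of any other shape are skipped, not guessed at."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_VALUE_RE.match(line)
        if m:
            key, _, name = m['path'].rpartition('\\')   # name == '' is the (Default) value
            rows.append({'op': 'set', 'key': key, 'name': name,
                         'value': m['value'].replace('\\\\', '\\'),   # report escapes backslashes
                         'proc': m['proc']})
            continue
        m = KEY_RE.match(line)
        if m:
            rows.append({'op': m['op'], 'key': m['path'], 'name': None,
                         'value': None, 'proc': m['proc']})
    return rows


def resolve_com_registrations(rows):
    """Map each CLSID to every DLL its InProcServer32 default value was set to."""
    regs = {}
    for row in rows:
        m = CLSID_RE.search(row['key'])
        if not m:
            continue
        clsid = m.group(1).upper()
        reg = regs.setdefault(clsid, ComRegistration(clsid=clsid))
        reg.writers.add(basename(row['proc']))
        if row['op'] != 'set':
            continue
        if row['name'] == '' and row['value'] not in reg.dll_targets:
            reg.dll_targets.append(row['value'])
        elif row['name'].lower() == 'threadingmodel':
            reg.threading_models.add(row['value'])
    return regs


def language_probes(rows):
    """Which processes opened the NLS\\Language key (the locale check filed under discovery)."""
    return Counter(basename(row['proc']) for row in rows
                   if row['op'] == 'opened' and row['key'].lower() == NLS_LANGUAGE_KEY.lower())


def triage(text):
    rows = parse_registry_rows(text)
    regs = resolve_com_registrations(rows)
    findings = []
    for reg in regs.values():
        if len(reg.dll_targets) > 1:
            findings.append(f"CLSID {reg.clsid}: InProcServer32 re-pointed to "
                            f"{len(reg.dll_targets)} different DLLs by {len(reg.writers)} processes")
        for dll in reg.dll_targets:
            if '\\syswow64\\' in dll.lower() or '\\system32\\' in dll.lower():
                findings.append(f"  COM server registered from the system directory: {dll}")
    return {'com': regs, 'language_probes': language_probes(rows), 'findings': findings}


if __name__ == '__main__':
    for line in triage(SAMPLE_ROWS)['findings']:
        print(line)
```

Run over the full tables above, the same parser yields seventeen distinct DLL targets for the single CLSID; each is a file to collect from SysWOW64 together with the executable that wrote it, and the CLSID itself is the pivot to whichever autorun location references it.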

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1552 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe C:\Windows\SysWOW64\Bqijljfd.exe
PID 1552 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe C:\Windows\SysWOW64\Bqijljfd.exe
PID 1552 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe C:\Windows\SysWOW64\Bqijljfd.exe
PID 1552 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe C:\Windows\SysWOW64\Bqijljfd.exe
PID 1700 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Bqijljfd.exe C:\Windows\SysWOW64\Ccmpce32.exe
PID 1700 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Bqijljfd.exe C:\Windows\SysWOW64\Ccmpce32.exe
PID 1700 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Bqijljfd.exe C:\Windows\SysWOW64\Ccmpce32.exe
PID 1700 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Bqijljfd.exe C:\Windows\SysWOW64\Ccmpce32.exe
PID 2036 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Ccmpce32.exe C:\Windows\SysWOW64\Cinafkkd.exe
PID 2036 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Ccmpce32.exe C:\Windows\SysWOW64\Cinafkkd.exe
PID 2036 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Ccmpce32.exe C:\Windows\SysWOW64\Cinafkkd.exe
PID 2036 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Ccmpce32.exe C:\Windows\SysWOW64\Cinafkkd.exe
PID 2744 wrote to memory of 2996 N/A C:\Windows\SysWOW64\Cinafkkd.exe C:\Windows\SysWOW64\Dfkhndca.exe
PID 2744 wrote to memory of 2996 N/A C:\Windows\SysWOW64\Cinafkkd.exe C:\Windows\SysWOW64\Dfkhndca.exe
PID 2744 wrote to memory of 2996 N/A C:\Windows\SysWOW64\Cinafkkd.exe C:\Windows\SysWOW64\Dfkhndca.exe
PID 2744 wrote to memory of 2996 N/A C:\Windows\SysWOW64\Cinafkkd.exe C:\Windows\SysWOW64\Dfkhndca.exe
PID 2996 wrote to memory of 1904 N/A C:\Windows\SysWOW64\Dfkhndca.exe C:\Windows\SysWOW64\Dinneo32.exe
PID 2996 wrote to memory of 1904 N/A C:\Windows\SysWOW64\Dfkhndca.exe C:\Windows\SysWOW64\Dinneo32.exe
PID 2996 wrote to memory of 1904 N/A C:\Windows\SysWOW64\Dfkhndca.exe C:\Windows\SysWOW64\Dinneo32.exe
PID 2996 wrote to memory of 1904 N/A C:\Windows\SysWOW64\Dfkhndca.exe C:\Windows\SysWOW64\Dinneo32.exe
PID 1904 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Dinneo32.exe C:\Windows\SysWOW64\Eheglk32.exe
PID 1904 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Dinneo32.exe C:\Windows\SysWOW64\Eheglk32.exe
PID 1904 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Dinneo32.exe C:\Windows\SysWOW64\Eheglk32.exe
PID 1904 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Dinneo32.exe C:\Windows\SysWOW64\Eheglk32.exe
PID 2740 wrote to memory of 2080 N/A C:\Windows\SysWOW64\Eheglk32.exe C:\Windows\SysWOW64\Emdmjamj.exe
PID 2740 wrote to memory of 2080 N/A C:\Windows\SysWOW64\Eheglk32.exe C:\Windows\SysWOW64\Emdmjamj.exe
PID 2740 wrote to memory of 2080 N/A C:\Windows\SysWOW64\Eheglk32.exe C:\Windows\SysWOW64\Emdmjamj.exe
PID 2740 wrote to memory of 2080 N/A C:\Windows\SysWOW64\Eheglk32.exe C:\Windows\SysWOW64\Emdmjamj.exe
PID 2080 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Emdmjamj.exe C:\Windows\SysWOW64\Eipgjaoi.exe
PID 2080 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Emdmjamj.exe C:\Windows\SysWOW64\Eipgjaoi.exe
PID 2080 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Emdmjamj.exe C:\Windows\SysWOW64\Eipgjaoi.exe
PID 2080 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Emdmjamj.exe C:\Windows\SysWOW64\Eipgjaoi.exe
PID 1936 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Eipgjaoi.exe C:\Windows\SysWOW64\Fpohakbp.exe
PID 1936 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Eipgjaoi.exe C:\Windows\SysWOW64\Fpohakbp.exe
PID 1936 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Eipgjaoi.exe C:\Windows\SysWOW64\Fpohakbp.exe
PID 1936 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Eipgjaoi.exe C:\Windows\SysWOW64\Fpohakbp.exe
PID 2720 wrote to memory of 560 N/A C:\Windows\SysWOW64\Fpohakbp.exe C:\Windows\SysWOW64\Ggagmjbq.exe
PID 2720 wrote to memory of 560 N/A C:\Windows\SysWOW64\Fpohakbp.exe C:\Windows\SysWOW64\Ggagmjbq.exe
PID 2720 wrote to memory of 560 N/A C:\Windows\SysWOW64\Fpohakbp.exe C:\Windows\SysWOW64\Ggagmjbq.exe
PID 2720 wrote to memory of 560 N/A C:\Windows\SysWOW64\Fpohakbp.exe C:\Windows\SysWOW64\Ggagmjbq.exe
PID 560 wrote to memory of 1884 N/A C:\Windows\SysWOW64\Ggagmjbq.exe C:\Windows\SysWOW64\Glchpp32.exe
PID 560 wrote to memory of 1884 N/A C:\Windows\SysWOW64\Ggagmjbq.exe C:\Windows\SysWOW64\Glchpp32.exe
PID 560 wrote to memory of 1884 N/A C:\Windows\SysWOW64\Ggagmjbq.exe C:\Windows\SysWOW64\Glchpp32.exe
PID 560 wrote to memory of 1884 N/A C:\Windows\SysWOW64\Ggagmjbq.exe C:\Windows\SysWOW64\Glchpp32.exe
PID 1884 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Glchpp32.exe C:\Windows\SysWOW64\Gqcnln32.exe
PID 1884 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Glchpp32.exe C:\Windows\SysWOW64\Gqcnln32.exe
PID 1884 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Glchpp32.exe C:\Windows\SysWOW64\Gqcnln32.exe
PID 1884 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Glchpp32.exe C:\Windows\SysWOW64\Gqcnln32.exe
PID 2572 wrote to memory of 2168 N/A C:\Windows\SysWOW64\Gqcnln32.exe C:\Windows\SysWOW64\Hkolakkb.exe
PID 2572 wrote to memory of 2168 N/A C:\Windows\SysWOW64\Gqcnln32.exe C:\Windows\SysWOW64\Hkolakkb.exe
PID 2572 wrote to memory of 2168 N/A C:\Windows\SysWOW64\Gqcnln32.exe C:\Windows\SysWOW64\Hkolakkb.exe
PID 2572 wrote to memory of 2168 N/A C:\Windows\SysWOW64\Gqcnln32.exe C:\Windows\SysWOW64\Hkolakkb.exe
PID 2168 wrote to memory of 2288 N/A C:\Windows\SysWOW64\Hkolakkb.exe C:\Windows\SysWOW64\Hbkqdepm.exe
PID 2168 wrote to memory of 2288 N/A C:\Windows\SysWOW64\Hkolakkb.exe C:\Windows\SysWOW64\Hbkqdepm.exe
PID 2168 wrote to memory of 2288 N/A C:\Windows\SysWOW64\Hkolakkb.exe C:\Windows\SysWOW64\Hbkqdepm.exe
PID 2168 wrote to memory of 2288 N/A C:\Windows\SysWOW64\Hkolakkb.exe C:\Windows\SysWOW64\Hbkqdepm.exe
PID 2288 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Hbkqdepm.exe C:\Windows\SysWOW64\Indnnfdn.exe
PID 2288 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Hbkqdepm.exe C:\Windows\SysWOW64\Indnnfdn.exe
PID 2288 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Hbkqdepm.exe C:\Windows\SysWOW64\Indnnfdn.exe
PID 2288 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Hbkqdepm.exe C:\Windows\SysWOW64\Indnnfdn.exe
PID 1064 wrote to memory of 688 N/A C:\Windows\SysWOW64\Indnnfdn.exe C:\Windows\SysWOW64\Ifdlng32.exe
PID 1064 wrote to memory of 688 N/A C:\Windows\SysWOW64\Indnnfdn.exe C:\Windows\SysWOW64\Ifdlng32.exe
PID 1064 wrote to memory of 688 N/A C:\Windows\SysWOW64\Indnnfdn.exe C:\Windows\SysWOW64\Ifdlng32.exe
PID 1064 wrote to memory of 688 N/A C:\Windows\SysWOW64\Indnnfdn.exe C:\Windows\SysWOW64\Ifdlng32.exe
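
Each parent/child pair in the table above is listed four times and every row shows a single hop, which hides the shape of the whole thing: a strict relay in which each dropped executable writes into exactly one newly started successor and into nothing else. The Python below is an added example, not part of this report or of the sample: it collapses the repeated rows into counted edges, walks them from the one PID nobody wrote into and refuses to produce a chain if the graph branches or loops, then applies a write-count heuristic to each edge. The sample input is the first four hops copied from the table; WRITE_RE, CREATE_PROCESS_WRITE_BUDGET and the verdict strings are this example's own, and the budget of 8 is an assumed threshold, not a documented constant. The reason for the heuristic: CreateProcess itself copies the startup parameter block into a child it has just started, which shows up in a per-call log as a small fixed number of writes into a process that has no other writer, exactly the pattern here; many writes, or writes into a process the writer did not start, are what code injection looks like, and a signature named "Suspicious use of WriteProcessMemory" does not distinguish the two on its own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the first four hops of the "Suspicious use of
# WriteProcessMemory" table above, copied as they appear (each hop listed four times).
SAMPLE_ROWS = r"""
PID 1552 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe C:\Windows\SysWOW64\Bqijljfd.exe
PID 1552 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe C:\Windows\SysWOW64\Bqijljfd.exe
PID 1552 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe C:\Windows\SysWOW64\Bqijljfd.exe
PID 1552 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe C:\Windows\SysWOW64\Bqijljfd.exe
PID 1700 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Bqijljfd.exe C:\Windows\SysWOW64\Ccmpce32.exe
PID 1700 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Bqijljfd.exe C:\Windows\SysWOW64\Ccmpce32.exe
PID 1700 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Bqijljfd.exe C:\Windows\SysWOW64\Ccmpce32.exe
PID 1700 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Bqijljfd.exe C:\Windows\SysWOW64\Ccmpce32.exe
PID 2036 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Ccmpce32.exe C:\Windows\SysWOW64\Cinafkkd.exe
PID 2036 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Ccmpce32.exe C:\Windows\SysWOW64\Cinafkkd.exe
PID 2036 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Ccmpce32.exe C:\Windows\SysWOW64\Cinafkkd.exe
PID 2036 wrote to memory of 2744 N/A C:\Windows\SysWOW64\Ccmpce32.exe C:\Windows\SysWOW64\Cinafkkd.exe
PID 2744 wrote to memory of 2996 N/A C:\Windows\SysWOW64\Cinafkkd.exe C:\Windows\SysWOW64\Dfkhndca.exe
PID 2744 wrote to memory of 2996 N/A C:\Windows\SysWOW64\Cinafkkd.exe C:\Windows\SysWOW64\Dfkhndca.exe
PID 2744 wrote to memory of 2996 N/A C:\Windows\SysWOW64\Cinafkkd.exe C:\Windows\SysWOW64\Dfkhndca.exe
PID 2744 wrote to memory of 2996 N/A C:\Windows\SysWOW64\Cinafkkd.exe C:\Windows\SysWOW64\Dfkhndca.exe
"""

WRITE_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$')

# Assumed heuristic, not a documented constant: CreateProcess copies a handful of
# startup structures into a child it has just started; injection usually needs more
# writes than this, or writes into a process the writer did not create.
CREATE_PROCESS_WRITE_BUDGET = 8


def parse_writes(text):
    """Collapse repeated rows into counted (writer, target) edges plus a PID -> image map."""
    edges, images = Counter(), {}
    for raw in text.splitlines():
        m = WRITE_RE.match(raw.strip())
        if not m:
            continue
        src, dst = int(m['src']), int(m['dst'])
        edges[(src, dst)] += 1
        images[src], images[dst] = m['src_img'], m['dst_img']
    return edges, images


def build_chain(edges, images):
    """Walk from the one PID nobody wrote into; fail loudly if the graph is not a single path."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = [pid for pid in children if pid not in targets]
    if len(roots) != 1:
        raise ValueError(f'expected exactly one root, found {roots}')
    chain, pid, seen = [], roots[0], set()
    while True:
        chain.append((pid, images[pid].rsplit('\\', 1)[-1]))
        seen.add(pid)
        kids = children.get(pid, [])
        if not kids:
            return chain
        if len(kids) > 1 or kids[0] in seen:
            raise ValueError(f'PID {pid} is not a single-child relay: {kids}')
        pid = kids[0]


def classify_edges(edges):
    """Label each edge: few writes by the only writer of that target, or anything else."""
    writers_of = defaultdict(set)
    for src, dst in edges:
        writers_of[dst].add(src)
    verdicts = {}
    for (src, dst), n in edges.items():
        if n <= CREATE_PROCESS_WRITE_BUDGET and writers_of[dst] == {src}:
            verdicts[(src, dst)] = 'process-creation writes'
        else:
            verdicts[(src, dst)] = 'review for injection'
    return verdicts


if __name__ == '__main__':
    edges, images = parse_writes(SAMPLE_ROWS)
    for pid, name in build_chain(edges, images):
        print(pid, name)
    for edge, verdict in classify_edges(edges).items():
        print(edge, edges[edge], verdict)
```

The chain it prints follows the order of the Processes listing below, where each entry pairs the image path under SysWOW64 with a command line that names system32: a 32-bit parent on 64-bit Windows has its system32 path redirected to SysWOW64 by WOW64 file-system redirection, so the two lines describe one process, not two.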

Processes

C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe

"C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe"

C:\Windows\SysWOW64\Bqijljfd.exe

C:\Windows\system32\Bqijljfd.exe

C:\Windows\SysWOW64\Ccmpce32.exe

C:\Windows\system32\Ccmpce32.exe

C:\Windows\SysWOW64\Cinafkkd.exe

C:\Windows\system32\Cinafkkd.exe

C:\Windows\SysWOW64\Dfkhndca.exe

C:\Windows\system32\Dfkhndca.exe

C:\Windows\SysWOW64\Dinneo32.exe

C:\Windows\system32\Dinneo32.exe

C:\Windows\SysWOW64\Eheglk32.exe

C:\Windows\system32\Eheglk32.exe

C:\Windows\SysWOW64\Emdmjamj.exe

C:\Windows\system32\Emdmjamj.exe

C:\Windows\SysWOW64\Eipgjaoi.exe

C:\Windows\system32\Eipgjaoi.exe

C:\Windows\SysWOW64\Fpohakbp.exe

C:\Windows\system32\Fpohakbp.exe

C:\Windows\SysWOW64\Ggagmjbq.exe

C:\Windows\system32\Ggagmjbq.exe

C:\Windows\SysWOW64\Glchpp32.exe

C:\Windows\system32\Glchpp32.exe

C:\Windows\SysWOW64\Gqcnln32.exe

C:\Windows\system32\Gqcnln32.exe

C:\Windows\SysWOW64\Hkolakkb.exe

C:\Windows\system32\Hkolakkb.exe

C:\Windows\SysWOW64\Hbkqdepm.exe

C:\Windows\system32\Hbkqdepm.exe

C:\Windows\SysWOW64\Indnnfdn.exe

C:\Windows\system32\Indnnfdn.exe

C:\Windows\SysWOW64\Ifdlng32.exe

C:\Windows\system32\Ifdlng32.exe

C:\Windows\SysWOW64\Jigbebhb.exe

C:\Windows\system32\Jigbebhb.exe

C:\Windows\SysWOW64\Kigndekn.exe

C:\Windows\system32\Kigndekn.exe

C:\Windows\SysWOW64\Kgnkci32.exe

C:\Windows\system32\Kgnkci32.exe

C:\Windows\SysWOW64\Lonibk32.exe

C:\Windows\system32\Lonibk32.exe

C:\Windows\SysWOW64\Ldjbkb32.exe

C:\Windows\system32\Ldjbkb32.exe

C:\Windows\SysWOW64\Laqojfli.exe

C:\Windows\system32\Laqojfli.exe

C:\Windows\SysWOW64\Ljldnhid.exe

C:\Windows\system32\Ljldnhid.exe

C:\Windows\SysWOW64\Lnjldf32.exe

C:\Windows\system32\Lnjldf32.exe

C:\Windows\SysWOW64\Mloiec32.exe

C:\Windows\system32\Mloiec32.exe

C:\Windows\SysWOW64\Mfgnnhkc.exe

C:\Windows\system32\Mfgnnhkc.exe

C:\Windows\SysWOW64\Mbqkiind.exe

C:\Windows\system32\Mbqkiind.exe

C:\Windows\SysWOW64\Ngpqfp32.exe

C:\Windows\system32\Ngpqfp32.exe

C:\Windows\SysWOW64\Ndcapd32.exe

C:\Windows\system32\Ndcapd32.exe

C:\Windows\SysWOW64\Nckkgp32.exe

C:\Windows\system32\Nckkgp32.exe

C:\Windows\SysWOW64\Nqokpd32.exe

C:\Windows\system32\Nqokpd32.exe

C:\Windows\SysWOW64\Ncpdbohb.exe

C:\Windows\system32\Ncpdbohb.exe

C:\Windows\SysWOW64\Obeacl32.exe

C:\Windows\system32\Obeacl32.exe

C:\Windows\SysWOW64\Onnnml32.exe

C:\Windows\system32\Onnnml32.exe

C:\Windows\SysWOW64\Ohfcfb32.exe

C:\Windows\system32\Ohfcfb32.exe

C:\Windows\SysWOW64\Oejcpf32.exe

C:\Windows\system32\Oejcpf32.exe

C:\Windows\SysWOW64\Pbemboof.exe

C:\Windows\system32\Pbemboof.exe

C:\Windows\SysWOW64\Pmjaohol.exe

C:\Windows\system32\Pmjaohol.exe

C:\Windows\SysWOW64\Plpopddd.exe

C:\Windows\system32\Plpopddd.exe

C:\Windows\SysWOW64\Qldhkc32.exe

C:\Windows\system32\Qldhkc32.exe

C:\Windows\SysWOW64\Qemldifo.exe

C:\Windows\system32\Qemldifo.exe

C:\Windows\SysWOW64\Adaiee32.exe

C:\Windows\system32\Adaiee32.exe

C:\Windows\SysWOW64\Aognbnkm.exe

C:\Windows\system32\Aognbnkm.exe

C:\Windows\SysWOW64\Addfkeid.exe

C:\Windows\system32\Addfkeid.exe

C:\Windows\SysWOW64\Adfbpega.exe

C:\Windows\system32\Adfbpega.exe

C:\Windows\SysWOW64\Ajckilei.exe

C:\Windows\system32\Ajckilei.exe

C:\Windows\SysWOW64\Aclpaali.exe

C:\Windows\system32\Aclpaali.exe

C:\Windows\SysWOW64\Anadojlo.exe

C:\Windows\system32\Anadojlo.exe

C:\Windows\SysWOW64\Ajhddk32.exe

C:\Windows\system32\Ajhddk32.exe

C:\Windows\SysWOW64\Bfoeil32.exe

C:\Windows\system32\Bfoeil32.exe

C:\Windows\SysWOW64\Bkknac32.exe

C:\Windows\system32\Bkknac32.exe

C:\Windows\SysWOW64\Bddbjhlp.exe

C:\Windows\system32\Bddbjhlp.exe

C:\Windows\SysWOW64\Bbhccm32.exe

C:\Windows\system32\Bbhccm32.exe

C:\Windows\SysWOW64\Bolcma32.exe

C:\Windows\system32\Bolcma32.exe

C:\Windows\SysWOW64\Bgghac32.exe

C:\Windows\system32\Bgghac32.exe

C:\Windows\SysWOW64\Cgidfcdk.exe

C:\Windows\system32\Cgidfcdk.exe

C:\Windows\SysWOW64\Cdmepgce.exe

C:\Windows\system32\Cdmepgce.exe

C:\Windows\SysWOW64\Demaoj32.exe

C:\Windows\system32\Demaoj32.exe

C:\Windows\SysWOW64\Dnefhpma.exe

C:\Windows\system32\Dnefhpma.exe

C:\Windows\SysWOW64\Dfcgbb32.exe

C:\Windows\system32\Dfcgbb32.exe

C:\Windows\SysWOW64\Emoldlmc.exe

C:\Windows\system32\Emoldlmc.exe

C:\Windows\SysWOW64\Ejcmmp32.exe

C:\Windows\system32\Ejcmmp32.exe

C:\Windows\SysWOW64\Edlafebn.exe

C:\Windows\system32\Edlafebn.exe

C:\Windows\SysWOW64\Emdeok32.exe

C:\Windows\system32\Emdeok32.exe

C:\Windows\SysWOW64\Efljhq32.exe

C:\Windows\system32\Efljhq32.exe

C:\Windows\SysWOW64\Eimcjl32.exe

C:\Windows\system32\Eimcjl32.exe

C:\Windows\SysWOW64\Feddombd.exe

C:\Windows\system32\Feddombd.exe

C:\Windows\SysWOW64\Fmohco32.exe

C:\Windows\system32\Fmohco32.exe

C:\Windows\SysWOW64\Fdiqpigl.exe

C:\Windows\system32\Fdiqpigl.exe

C:\Windows\SysWOW64\Fkefbcmf.exe

C:\Windows\system32\Fkefbcmf.exe

C:\Windows\SysWOW64\Fijbco32.exe

C:\Windows\system32\Fijbco32.exe

C:\Windows\SysWOW64\Fgocmc32.exe

C:\Windows\system32\Fgocmc32.exe

C:\Windows\SysWOW64\Gpggei32.exe

C:\Windows\system32\Gpggei32.exe

C:\Windows\SysWOW64\Ghbljk32.exe

C:\Windows\system32\Ghbljk32.exe

C:\Windows\SysWOW64\Gefmcp32.exe

C:\Windows\system32\Gefmcp32.exe

C:\Windows\SysWOW64\Glpepj32.exe

C:\Windows\system32\Glpepj32.exe

C:\Windows\SysWOW64\Glbaei32.exe

C:\Windows\system32\Glbaei32.exe

C:\Windows\SysWOW64\Gekfnoog.exe

C:\Windows\system32\Gekfnoog.exe

C:\Windows\SysWOW64\Gockgdeh.exe

C:\Windows\system32\Gockgdeh.exe

C:\Windows\SysWOW64\Hjmlhbbg.exe

C:\Windows\system32\Hjmlhbbg.exe

C:\Windows\SysWOW64\Hgqlafap.exe

C:\Windows\system32\Hgqlafap.exe

C:\Windows\SysWOW64\Hmmdin32.exe

C:\Windows\system32\Hmmdin32.exe

C:\Windows\SysWOW64\Hffibceh.exe

C:\Windows\system32\Hffibceh.exe

C:\Windows\SysWOW64\Hcjilgdb.exe

C:\Windows\system32\Hcjilgdb.exe

C:\Windows\SysWOW64\Hqnjek32.exe

C:\Windows\system32\Hqnjek32.exe

C:\Windows\SysWOW64\Hiioin32.exe

C:\Windows\system32\Hiioin32.exe

C:\Windows\SysWOW64\Ibacbcgg.exe

C:\Windows\system32\Ibacbcgg.exe

C:\Windows\SysWOW64\Ioeclg32.exe

C:\Windows\system32\Ioeclg32.exe

C:\Windows\SysWOW64\Ifolhann.exe

C:\Windows\system32\Ifolhann.exe

C:\Windows\SysWOW64\Ibfmmb32.exe

C:\Windows\system32\Ibfmmb32.exe

C:\Windows\SysWOW64\Iknafhjb.exe

C:\Windows\system32\Iknafhjb.exe

C:\Windows\SysWOW64\Icifjk32.exe

C:\Windows\system32\Icifjk32.exe

C:\Windows\SysWOW64\Iamfdo32.exe

C:\Windows\system32\Iamfdo32.exe

C:\Windows\SysWOW64\Jnagmc32.exe

C:\Windows\system32\Jnagmc32.exe

C:\Windows\SysWOW64\Jgjkfi32.exe

C:\Windows\system32\Jgjkfi32.exe

C:\Windows\SysWOW64\Jmfcop32.exe

C:\Windows\system32\Jmfcop32.exe

C:\Windows\SysWOW64\Jllqplnp.exe

C:\Windows\system32\Jllqplnp.exe

C:\Windows\SysWOW64\Jipaip32.exe

C:\Windows\system32\Jipaip32.exe

C:\Windows\SysWOW64\Jfcabd32.exe

C:\Windows\system32\Jfcabd32.exe

C:\Windows\SysWOW64\Jplfkjbd.exe

C:\Windows\system32\Jplfkjbd.exe

C:\Windows\SysWOW64\Khgkpl32.exe

C:\Windows\system32\Khgkpl32.exe

C:\Windows\SysWOW64\Kbmome32.exe

C:\Windows\system32\Kbmome32.exe

C:\Windows\SysWOW64\Klecfkff.exe

C:\Windows\system32\Klecfkff.exe

C:\Windows\SysWOW64\Kkjpggkn.exe

C:\Windows\system32\Kkjpggkn.exe

C:\Windows\SysWOW64\Kfaalh32.exe

C:\Windows\system32\Kfaalh32.exe

C:\Windows\SysWOW64\Kmkihbho.exe

C:\Windows\system32\Kmkihbho.exe

C:\Windows\SysWOW64\Libjncnc.exe

C:\Windows\system32\Libjncnc.exe

C:\Windows\SysWOW64\Lbjofi32.exe

C:\Windows\system32\Lbjofi32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 140

Network

N/A

Files

memory/1552-0-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Bqijljfd.exe

MD5 ef7a5bdf2fc59dc22fcdf0c030e84aeb
SHA1 0d67d1f99af3ed5e019ffa552a94d1a046b4ecb5
SHA256 514d41b5f249dc92fbd01b36089063b0dc67733a8e8016977e388a865a6a261f
SHA512 a892cb175cb98b4b361c2a1357e72a2557d56670ce93502d5fb5e63a1a262c4e80f1cb31b7755da08fdc717781d008c528a9a01f250cf3f1ea5ed0b3811fd421

memory/1552-7-0x00000000002A0000-0x00000000002D3000-memory.dmp

memory/1552-12-0x00000000002A0000-0x00000000002D3000-memory.dmp

memory/1700-14-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Ccmpce32.exe

MD5 8f2fe940dfd25bd28f8ff0c49c31a8e6
SHA1 b9912b7b16b6c4af9f5b3bce10d9b6d339bfc591
SHA256 ad64f7aea7ecc9ec9c2d11248196ec27b08f0ad25e7b4ffe183f992aea924cfc
SHA512 5206ed915c4d0bebdbc97a1a896058886fbe67d2c5038275d2ef3c4c27ea4ada2e135173601000716623016adb0a569c26a9981a78d5b5eef9bfbbd681daac1b

memory/1700-21-0x0000000000220000-0x0000000000253000-memory.dmp

\Windows\SysWOW64\Cinafkkd.exe

MD5 be2e396dcf447989aa977d921d455990
SHA1 1af1c4dc732824510cbece97dd5110015acd8c28
SHA256 13dcdc0db25b53477d4de41f74ab9e713efc80ac97230acde54ef50beb1935b0
SHA512 65019e905f2b4b3357b2c551a02ebc2897284a77a7f73170cd90e57bd612943db8d459cc92fe7136659cde0e35b2654edfae8ad2abe564b1c5c7da2c8aebdd09

memory/2744-42-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2036-40-0x0000000000220000-0x0000000000253000-memory.dmp

memory/2036-39-0x0000000000220000-0x0000000000253000-memory.dmp

\Windows\SysWOW64\Dfkhndca.exe

MD5 edd25b895a2080f78e51d9dcbc4cffa0
SHA1 1094bd5dd591c50e47333c1c24a87dc5dfd60811
SHA256 0b0b9b9e059ffb6825cfcdc8cf7c60bd995e8946f18103f65fd105dfa128fef0
SHA512 a0d7f099bdd30b8e0814b7de1be1b2a93280dd37f336fb6e09a7c80c0012abb62d40285fbccde3b9dcd7a0c554bc821dfa2095c14066196ec7d9ecc3ca0a5fcb

memory/2996-56-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2744-50-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Aeojbkal.dll

MD5 30bd23670a656c1fd1a4ec94abc1127e
SHA1 52ccbc0287ebdaf7e806193423f389034d5adbac
SHA256 e84fcde073b926898cb94302de94b0d241d41c300e6fdae928a21ee8d9158a81
SHA512 6f59f8f1f8341e167d3affdf77fbf779db2de664e9adae1c5575d3884d6ead112c80859f6c7996ac7ecd80a5428ca51ffbb3995f026262de7cd73069cbd74c8f

\Windows\SysWOW64\Dinneo32.exe

MD5 82dfce8060bfa5554a276489ae10923b
SHA1 e3584501436bbc305c1aa8c5db80b53ec47557d1
SHA256 d6d6cc9caf5072ba215b997dbbfa41734be651e292fa421cabefc44ed5f6ec1f
SHA512 11d1bcf697af5cf57f789cd96a2e8044f65d165eea0d27ae26eaa7264d027d21ce27c815d00b8fa7d2bcfc1b299eb84dcb26bee8b80b974652a3b37dfdf82cd4

memory/2996-68-0x00000000002A0000-0x00000000002D3000-memory.dmp

memory/1904-70-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1904-77-0x0000000000440000-0x0000000000473000-memory.dmp

\Windows\SysWOW64\Eheglk32.exe

MD5 76806e1d925b8a0b770859e8fd0683da
SHA1 3637cb054bd0ec0619caae473d04069be8205ac7
SHA256 0a891d8b6b147b09be1f8b77a674590697b6f105aa326e5fc6db44eb9794d91a
SHA512 7a088b7a5ec0d98656a1748fd0966a8c81402b6ae32cf126c04da3b02646c1cae139ff25f12c70cae3c34a2087a8a69bc255cc3edb4ea4840f1c4a74ab4449cc

memory/2740-91-0x00000000002B0000-0x00000000002E3000-memory.dmp

\Windows\SysWOW64\Emdmjamj.exe

MD5 a2a9d5f0437eac1f7c4323bca2dbc9ca
SHA1 c7bbe57461b20b9bea061ad4aa04de3bd86d1c4f
SHA256 823a3e3c7567282238c4838f809df3cc07e4c719f5bd8b9b4287dcb4951c079c
SHA512 dea4389d48ffb1d40d7d14f97e9fed6e06f61a599ffc5f2f90b225b5a602febdda5061cb714640a064a40f693da8a2ecb78fb682e694cede7503d82c58c9f3f1

memory/2080-97-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2080-110-0x00000000001B0000-0x00000000001E3000-memory.dmp

memory/1936-111-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Eipgjaoi.exe

MD5 9a55044d0290d4129ee6d4f6674a27fb
SHA1 f216724fe9b3e8e78520cf81b9b6f2b0f20283fb
SHA256 4bdec75db3125a47266cb19b28be11258bc970f34bfd89fcce6c853ef5c9a589
SHA512 137133050406fe81a4a02d6f7063a12f845c61487ea62b5c83f69393d7f3aa966b8d6a79022356b5481b3ba9ba84e692cb81d48ab0a37e02fd5d780b7bcf2737

\Windows\SysWOW64\Fpohakbp.exe

MD5 b088ab61a52ed09ee5ac25c2cc74cacd
SHA1 0f31fe736e76ea04166b6cf1ff9e623c84687ccc
SHA256 0f7b754b0f82d29626d938c74dba84548542ad27dbcc788e4453a4358c7a062a
SHA512 665879fc98806e159db58cadffbb41e40ff1948c8391bea716f9f3a926b2b46b94bc60048694841c3384736ab397644839df632d5d5d197898f6981140db9ce7

memory/2720-125-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1936-123-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2720-133-0x0000000000220000-0x0000000000253000-memory.dmp

\Windows\SysWOW64\Ggagmjbq.exe

MD5 a6d6857b8a9303e81aefd698b65307b2
SHA1 1de585855fe4e91d6fc7281057221524620cfa57
SHA256 2bd2862f18b85495513eb1daca328bc67adccd1167f35255f1c0c02e088ef003
SHA512 2982cd4cca2dbf823786ffb642f395a44d7e63a47f7ea2656c7cd8cad26319c5c604ff231d188f727f25a60e0994c5fd38e2cffadfeca5f1535e6ae1eb88a7d9

\Windows\SysWOW64\Glchpp32.exe

MD5 71b38971b5e6a44057d3ac9917726eb3
SHA1 f95070d74892f7a036ce666a3b5c7abfebe91662
SHA256 53c01cecc9e57e6b3c1b0029baaedd9263de5924a7c540b0d4267a6b11302a7d
SHA512 210e3a3e3cab06f2684c488fc6d864e182ea078308e0f25549b4cfb8ab1ed35d989ca8e1d479785af23f53da548721a071aa7ff180414656c7407eb4dc5ccfef

memory/1884-152-0x0000000000400000-0x0000000000433000-memory.dmp

memory/560-150-0x0000000000220000-0x0000000000253000-memory.dmp

\Windows\SysWOW64\Gqcnln32.exe

MD5 05dcd7f17b099254b51d8d3400c707df
SHA1 13456c57f649eb3cb4f25d8f93263d09d6cfeede
SHA256 6b12b88c669f96673fb0f0405b5b83c1f0e40a4c20d164c875e1d020ed31f2bc
SHA512 12af2442d767bb92a6823c091de6d536b7710235f5249046125fa462202cc8487658dff6e4d28995ae29eb3119108315633558bbbda759ed82bdb900b0fd717f

memory/1884-159-0x0000000000220000-0x0000000000253000-memory.dmp

\Windows\SysWOW64\Hkolakkb.exe

MD5 b42a42d2d50b38689d2096e4e541066b
SHA1 64c8181967960d637ca495e90dd58eb57d41a0ef
SHA256 cd3d955d729e38873a73d7accaba09db9eb91843a069ba7ae6a0fc02717ed973
SHA512 ee248a86b2128f3400c23d793900500332ac6152550f2458e3b2a65fe6a2f13e1194ace3012fffadfd22432b90a63b024a08aeab136ba3ce24981d9b104f8215

memory/2572-177-0x0000000000220000-0x0000000000253000-memory.dmp

memory/2168-179-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2168-187-0x0000000000260000-0x0000000000293000-memory.dmp

\Windows\SysWOW64\Hbkqdepm.exe

MD5 ddb60dda79b31de05a3661653f87d1e0
SHA1 add58fe22676ceba80136483a613860dd1b49671
SHA256 ecbdc09a66c9d454497cc209a58fed8356e29e4f31a6bf3961bb57e1c760b1c6
SHA512 32b0b53a5b6a76cf5e7b015811932a2d21f60e7b1871a143773a0a5019cb735635cf74b7d6825c34b14723a1ded3ac70a773ce42d571de5f37ce86e1e1eb0274

\Windows\SysWOW64\Indnnfdn.exe

MD5 6971cf6daf1f0ba9c2f9892ed909639e
SHA1 62ca0ddaffa21554a728587f9c173f7ae525470f
SHA256 8ffcb58964352f5b64f45b5bef762de5e30099d33caed6bde42287c8da4a1497
SHA512 7bf86b9ea9ba4719468738f1c2357fafca9aa38a70eeda4f9b23d2525a1eb498e1052f111ed937386e27d8587aa8fce98f7070f523e4c79f0ebbe0b61a6a65a2

memory/2288-198-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1064-207-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2288-205-0x0000000000220000-0x0000000000253000-memory.dmp

\Windows\SysWOW64\Ifdlng32.exe

MD5 2c60a71c906f66dca2b14899fe0e50bd
SHA1 08b62bed489326b064b9e44e922000f64644e863
SHA256 1371613fcadb8cde6afa650302b00806ce76439c9e6b3207bbd2f656d2d63732
SHA512 d22088921fd2393e42a458699e4815f551b1f9534270b16e2b9a5460c3f89c59d6e003a3ff8eb1ab5950b0c7b3608da5200b46fe28aecfc2ab711537a48421fa

memory/688-221-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1064-219-0x0000000000220000-0x0000000000253000-memory.dmp

memory/688-228-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Jigbebhb.exe

MD5 49ee551635e2d4d72f39172d9364011f
SHA1 eb2bdce49dc50509690d5604c1b4a78aaff2f5c1
SHA256 06c125d8a4f523bd40484f698c1cc8fbca63eb77afd04dd0736db46ad3ad9e55
SHA512 4a59683e7b66a5a2a5a34cc14f3e8ef6d0b9b77cbd46e36e52b09977200baae3a282b99de3c95b63c1c71ec31bf4d6e440c21ce8bf4e0f089bd9e6dc1a401986

memory/2424-237-0x00000000003A0000-0x00000000003D3000-memory.dmp

memory/1724-241-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kigndekn.exe

MD5 a8f8385d9b7326702941f6c7466b0a37
SHA1 00775f24d9974d514adcb2f8a6d16cb1108cb5de
SHA256 089edc9f13854fdabd3be3d715ebc582cc77e47549cac40382bcdef81fbf4192
SHA512 736ad95e159e5aeccd10268cbb36c4924821bb80074c65909a94f372638921ace8ab4423e95169fdcc1ca6a8e72a5169f070377738b8c407e87ea3c46b4cf9b7

C:\Windows\SysWOW64\Kgnkci32.exe

MD5 242363e60604681f7e53568056439dee
SHA1 ffafb0af7e3eba4fd89067d7e94aea139b1280e4
SHA256 a37a6c58accd2bf36c7feacc9c83debffa2e20407376b84f10ea795df3be8b59
SHA512 0a809c3914426e1628d1cf3b4ebc61c31861b70388c7103447d60258e99d7789fda81b53e0fb1312f5bda1114332b25b068db6554a65b0576b9d27e32e57fb8c

memory/1724-248-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Lonibk32.exe

MD5 0c963f578df058af0b8d242b962371f2
SHA1 bae616878c1b39f2a3258f37001e2a1b0bb6ff9c
SHA256 fb43c601c2e092ac36e13cd0e45dbf05b97bb6598874f783b62756f8d2f8ec93
SHA512 a3ea36e25dccaca4dea0325f83e3ad0a291b48ead22f05089997c135f4aa391beb3f828b9530bf88706948912a5d9df8e09987976e6dded5d26a9b36db050737

memory/2044-260-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1416-259-0x0000000000440000-0x0000000000473000-memory.dmp

C:\Windows\SysWOW64\Ldjbkb32.exe

MD5 2dda356c34782f57a44d8d9f3b205c8e
SHA1 05df38254bfbd4c747021bf9b4c22541e27de0b0
SHA256 c6fe1e1f967a2940042c4db9b4628817250089aa0ae05347c439c76ce81f1a1f
SHA512 c46ccca1b1cb212f4d76fcffff3e3ea99b464b8cf10d496933bf8b72bab80176dff2a33e79be7c3708b51927865894ea2f7f0620c03a4fd4e8d26cc17fa36ae6

memory/2044-269-0x00000000002B0000-0x00000000002E3000-memory.dmp

memory/2372-270-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2372-276-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Laqojfli.exe

MD5 922ad14dfa687be5514adfc219ff4458
SHA1 4ffdd25156dbf68b72b5b0262842b318dc92da87
SHA256 83d6b671618aa07e04ec90b5a74946c03e930e39b14331b6c0c584c86b937f7e
SHA512 a0f25834c7c29044e7b6a5c2849e47e1d36e2c478abdaf35d8f750a5d751161a35f8e78062472ed1df85c09e3889dd5ef558b39cf849d4f67d3cf59297e763cd

memory/1820-285-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Ljldnhid.exe

MD5 dfec1c2734fe5223f3d0be44319f1686
SHA1 9a2353e2e134d61682ca6bdd845a1e8085565988
SHA256 e6ac953b0e842ade955a6d07bc5ad3b15682b46d9541b9e0f08ed9da01088a17
SHA512 0f01a36eecd4db5e3015e2c11ed7044ae89399735560d2f3cf305c1d665524832244d6e8487b311f31e6827c4e312f715799a5116e68042fcfb4021b1ffefc45

memory/2452-294-0x0000000000440000-0x0000000000473000-memory.dmp

C:\Windows\SysWOW64\Lnjldf32.exe

MD5 43b241df1c7c52e35d82f6e0d21474cb
SHA1 8b46674cd69ef0b4c177eccc0e28c43075be7d5f
SHA256 5a156e4b5f74303812de17e88758583cd25dca830fc1a5a44e1d31e40d1c4a0f
SHA512 d5754729bc0298dbdee5aee98b2d6a5fa846a7350608ccd6ea0ec7bb8e28dd56295486016295f6a03a31eb8ec02e6026b1a031cf7a7e9ef8fe6a55a6db6e2c5b

memory/2452-298-0x0000000000440000-0x0000000000473000-memory.dmp

memory/864-303-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mloiec32.exe

MD5 5d09d4e82dbb65cf81613519e94e1bb6
SHA1 395ae53d485010013466da734ab36f309b9a630b
SHA256 660988f5c2ebdf3d952135fdff51ab031fedb0daa959c3f25d90aa5f24dbe503
SHA512 222437ae16c1b2257fd3ae06a7b679324ec35cdee1dee9bad8ae6cebc2ba4029bd5e10a9d1f282856b9e09ed18c60653f79aab499ae5d51e209027cb92d75ac9

memory/788-310-0x0000000000400000-0x0000000000433000-memory.dmp

memory/864-309-0x0000000000220000-0x0000000000253000-memory.dmp

memory/864-308-0x0000000000220000-0x0000000000253000-memory.dmp

C:\Windows\SysWOW64\Mfgnnhkc.exe

MD5 7c436e3ee7c0ba387a338eb955b0dfd1
SHA1 f5bad8b32a6d2bc1c024f4bb5241e2e75e27abfa
SHA256 7096e12003c49e405bdd36c19ef1f4b86e666ca01e7a77f3f3d12e1d0b7846fa
SHA512 230d8540728184b76864090a4951cff55e1beaaca6c5b0f8974ed4dbbe51ad98e73846639d5a896533b2dad2529d4d72a959b98875d5a36529625db362a2c861

memory/788-320-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/788-319-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/1564-325-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1564-331-0x0000000000280000-0x00000000002B3000-memory.dmp

memory/2388-332-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1564-330-0x0000000000280000-0x00000000002B3000-memory.dmp

C:\Windows\SysWOW64\Mbqkiind.exe

MD5 3cfc26fc38889e6f6c703fcb82cdcfc6
SHA1 c622514801a171d4ac8574ef5a67f4667efe8e17
SHA256 52448c14912d691171610b99d4f068a008bafab657722daef5bb652c8f66d454
SHA512 754b1ce3fbb478a5ed1218e5508104c415934c9eb30b29b5dfc12f41389207da948734d8b7f929076d4231fb678b46fbe1e123c0634caa785e9dfe7db8a06b48

C:\Windows\SysWOW64\Ngpqfp32.exe

MD5 211789d68371133126e5db89db7663b4
SHA1 b69e101c1835d53639fb7d84eb52822646732c66
SHA256 5cddbb2925248c701fc98da5c6e9fe2aed0e988d4f4951fb76a9136b50c7184e
SHA512 edcd522b15456bbd194313508cbdc31bebb524466a8603896e19e28405699b18e340b27d2e5b1353aa42a3e0c2e064f57b9816a2287486062d55ac48be3a5452

memory/2724-348-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1552-343-0x00000000002A0000-0x00000000002D3000-memory.dmp

memory/2656-355-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2724-354-0x00000000002C0000-0x00000000002F3000-memory.dmp

memory/1700-353-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ndcapd32.exe

MD5 8fe2e98dd9a4636f844f9e61c6290e6e
SHA1 d2c2d5e5d2e343ffa8a7c226feeeb586b87ba890
SHA256 f5c2642c5f2a4c35d9177ac72227edc5260031b2c591a60692f9cd196d503c53
SHA512 ad1587c2634afe9cfbe9d386a18a69d3d4615040d0679f53271699eecd14523c49449c5cf0180a912f297a4376d24b0dc000aa6ff2c9afcc41171c5afd60062d

memory/2388-342-0x00000000001B0000-0x00000000001E3000-memory.dmp

memory/1552-341-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2036-369-0x0000000000220000-0x0000000000253000-memory.dmp

memory/2896-370-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2656-365-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2036-364-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nckkgp32.exe

MD5 2c6f4fefa0c56b37b65bdd2d583c6be1
SHA1 0d7c966769c18810b489caf96812ff1618a1df05
SHA256 e9d40a36f07562bc575aef4ebd92055968c99e1dd5a2150c7af201a157fd50af
SHA512 3ab857a54eecd5147a0dd0f0a61149d6be3d66108c3d1eed73de566acf197d952e0cbf3fdb57052301f32efbf84e97f48268b7a97321bf70bbce1b6c71db9193

memory/2896-376-0x0000000000230000-0x0000000000263000-memory.dmp

C:\Windows\SysWOW64\Nqokpd32.exe

MD5 29f14df26ab8ada5e83bd8a3d0129b08
SHA1 2f37a51c9bb2908a82c73a4ea13816be2c413915
SHA256 0dfdff89d76cee2fd811a7c1d7261646bf05a489d18fbd0b0b355d800d59a5a4
SHA512 516322889cb51f12dfbe78f1055b2f9e216c003b97ae1ad589592d689548092c63d46aeecba647e62dc0c254832cd90b1b9df01a6871dd00d053fd1123801bc8

memory/2744-377-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ncpdbohb.exe

MD5 d9eb2188283cd0c458bf121b9afe89fb
SHA1 46e535f7b993399b1a63c5c8dce9d58a31b58cca
SHA256 427afa415b1d5ce14bba6e86604af5754c948e2a42eda21ff47177a2b785539a
SHA512 2ff6bf06edb96860e3b91e4e3bdc8b9d024b6079a72085a8795f68f4fbe01e56c3ceb1c8dd4e66ce98dc26a1943b816a5b7254f233d12450aff113483a2ab0cf

memory/2632-384-0x0000000000220000-0x0000000000253000-memory.dmp

memory/2632-382-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2996-388-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2996-394-0x00000000002A0000-0x00000000002D3000-memory.dmp

memory/772-393-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Obeacl32.exe

MD5 349722652367740dc4233ce2be9d33b5
SHA1 44bbfd2f64aba7d3eb5800aa17815e8ea0b9df29
SHA256 8f2d02635542c7b37e6374fb415b479d05853ca9dbf3f41dc193b1a9d272ce30
SHA512 617b68d63aa44c005fa10cd32d960a61922e7739b6ce80a36e2f5950355c37d125f36355b72cdaaef8793c8cd5c8f5b20be0a599e41094152996be8cdd943f61

memory/2600-400-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1904-399-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Onnnml32.exe

MD5 2fae424ff272b888e355bafe4be43399
SHA1 c4537f8b8153dd0e9160ad6e3540e2a1475f3a5e
SHA256 20d0756a83d296081190b6ef2dcd4f68aed6b5acfd26df6c7a7d132be21892d4
SHA512 b0c714f039cc6980c6527877ea8acf62b11997e6e3f5b4a3d5c91a81856e4fe632c1c5148424ae24ebf6c2b2ce4f473946ef3d9909a482b85869723433621768

memory/3016-414-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2740-413-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ohfcfb32.exe

MD5 41e6c27b8890ea90af7da0cc30e2877e
SHA1 fbc62a57ce92b33a567eb53114f945762aae9134
SHA256 4062ff871d8a5541a7812afcf16a0c600c9a4158eee707dc75cbd9cef63ab92b
SHA512 43861c2ec5cbbc8e8d34d777c153b897f041e0713ffa111971dc6b29f3cea18123faf9d59598629dd954a2e9a3126f6c5a3b810c48f71bf69cb2b765a80b3840

memory/2840-423-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3016-420-0x00000000002B0000-0x00000000002E3000-memory.dmp

memory/3016-419-0x00000000002B0000-0x00000000002E3000-memory.dmp

memory/1936-434-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2080-433-0x00000000001B0000-0x00000000001E3000-memory.dmp

memory/2868-435-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2840-432-0x0000000000340000-0x0000000000373000-memory.dmp

memory/2840-431-0x0000000000340000-0x0000000000373000-memory.dmp

memory/2080-428-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Oejcpf32.exe

MD5 647e1924ee495528011c213180c97f64
SHA1 9c48466359540b6138be24cbe07bd77903261214
SHA256 088ef54d1876106279871f2412726a5c025ea13a72cbe5a22784238c02d9fea3
SHA512 63617a510a8f861e4c6c5a88f39e841058e6e77a59d4686aa54ff8312f62ac1033d62daa89b2bc34f5fde2f92238bc3b4fc972534251c1f5fdeba94db630717e

C:\Windows\SysWOW64\Pbemboof.exe

MD5 af7b873b1638b90f30c73066daacb4d1
SHA1 6c8883e9a1e82e9d6406e75e6ce7aa28eff7293f
SHA256 e62edca88e211c954b95a49d185ed46e280ac953336253b0a691548dd10446bd
SHA512 4c55f8a1e8366881b2e51532e50d04675dea469e3ab83b84357750f9be2c82da57d0fa93c2eeb285acf1562af6c4679abd614e9e9ea29e65ac6506187da4921b

memory/1936-444-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1284-451-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2868-449-0x0000000000220000-0x0000000000253000-memory.dmp

memory/2868-445-0x0000000000220000-0x0000000000253000-memory.dmp

memory/1284-457-0x0000000000300000-0x0000000000333000-memory.dmp

memory/2808-460-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1284-458-0x0000000000300000-0x0000000000333000-memory.dmp

memory/2720-456-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pmjaohol.exe

MD5 c114a9dca286f7c5adcfeeb9611f24de
SHA1 9131d98ef02423d094d2759ac206d5c59c5893ed
SHA256 69055ffec59f41f316cfdd0c3035ce4dec5f60b533e94a158986680f7a8fdb27
SHA512 0c79f76ba299eced63815c698acfa1cc85315fe6a3da205138f5cc4d27abb215d8b1fd8557e0862e122301c09f5b36a4a4933128981452f3cbddb85f47565dfd

C:\Windows\SysWOW64\Plpopddd.exe

MD5 532e08aa2e9e670a3177d492d9b0f97f
SHA1 43cd7d0e7e1c7de5a1cf2129d6c48d0c7595ca9d
SHA256 ca05510030126a4af43e123874991e163b622e77a5686b6be6e4ba48f2a047ab
SHA512 c517e53e3f2d82dbc140a9062686409a95ed6cb171e40f76bbef9a54f39265983270bd5d0940dd7123f2def6b6ee2d10ade7fa7cb17897184cf355ff50c8f8ed

memory/2808-470-0x0000000000220000-0x0000000000253000-memory.dmp

memory/2248-471-0x0000000000400000-0x0000000000433000-memory.dmp

memory/560-469-0x0000000000220000-0x0000000000253000-memory.dmp

memory/560-468-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qldhkc32.exe

MD5 8bc0e54ce05f55f46343171357714745
SHA1 5d1c94d6cd544deee815b1e4c607ea83079442fc
SHA256 cca574500fc86237d05206ac68ad87081ca18d5446eb5345c4bba30135241ec2
SHA512 1a6881e92f314f030cfb9aab45f0e968ed964fc63fe31311f35c05d74ff50ffe5e5380e396a362036d809396346ee6da397cd17992d05278510ea90dc64460d0

C:\Windows\SysWOW64\Qemldifo.exe

MD5 0203267034aab677c610a95274acf3f6
SHA1 05177c18ae7aab077ef2a084b0f1743a2f484985
SHA256 8e5ff520bd03579a73d7a86cf7edd600de3f5ee3fe6307a365e961bcce9a8073
SHA512 5f30b31d0274cc7edbfbf0bcc17a324b1a3deda1166433ca5e9ed57d035f4cf65ba43be897affeeb53a7944727d04879edb62dd867a1687c02cd7f39f1880d9d

C:\Windows\SysWOW64\Adaiee32.exe

MD5 9b853cfd396ee38927839a4ee4ac153f
SHA1 8c02007378cd7e797253c6ed3a83e7fd8c988d64
SHA256 059e3b469688eeb82a6401ce71df7e98c04668ba5dbfa7aa518de8d2cbac2750
SHA512 92f89c7180503177796a61c77aa3c6d6789a9e91a0dee1bc988879f4f99e718777404ac39b8651f7c6253a1492575f182e2217f3efa95a1f39e4cdc8d0b95a83

C:\Windows\SysWOW64\Aognbnkm.exe

MD5 a6a7c738e3de2b330605d4c3c78dc04c
SHA1 cdebfc4026f6894664781990640e10634b07cac7
SHA256 691513a680a10d45cbbba03aa696056257732538a44f45d85ede2a8f6039fc73
SHA512 2d26ea27a6503b368dd802966dab1dc686d59020c6a74746d5edd6e6aceb36c7cf903d52dc6f7ed273aa07d937bd186b74361a3541126f01caff6bb954e55859

C:\Windows\SysWOW64\Addfkeid.exe

MD5 e6ff3733a6569be022e0b7bbc2ab3c5c
SHA1 7aec73338d38d24374d78a97297ade9bd120b661
SHA256 ce1063b0d7387c16f610f61d277c431635b6ddb747f9c5e75b6a7ea5def0155b
SHA512 9a54aad344bb50e2e885f30940ddba65a5987daf04629731013ddc527585e3e7144b639e407f4d6194f5bb7212e458441d7d52b1d133bec1025643748ebe45ed

C:\Windows\SysWOW64\Adfbpega.exe

MD5 0463150f917ad056e58cf2b0a14ea0f0
SHA1 0a9a17e33fac0d41f3b60667f3ee2c58b1c1f5ad
SHA256 bac05c173f39de811423873b10dcba80db566243957dad29fe05ce2fcb9c1554
SHA512 51da724bb9308664833d64d0b78eb8c245b14388d9255fe56f42522436c371502db234b2ce96460eaecdfc0118e0944c00be79d2544ab7c5720c316ac225688e

C:\Windows\SysWOW64\Ajckilei.exe

MD5 3c7f23ec28e3af4ae08f13ea19234c32
SHA1 044fb018e35e0cdb4bb30daa6ba4ba9b5cf7814e
SHA256 3e23f6f3df3b89a3e4d9a529504b6075a82b134e74fde114ab11c95c57f2a874
SHA512 977419a3cb3a532f51ef0e9253a36646ac04627d40b80b2cded93953cd6f0de02a98888cfdd4b40486921e2d00f80cc9de0948c2e6b09813d7241fcbc16756b7

C:\Windows\SysWOW64\Aclpaali.exe

MD5 2e5ae3be33ba67eb49faabefdb0785ca
SHA1 43526f42a91bb6d0a1ae46452e21302f73ac8adb
SHA256 c4847b155de95c237a49a681ca120d77863047c1bb0bec16a46081161179fb92
SHA512 1620eb5f53aa7a53aa1e355716ead7080f3e81ef3244cd21948d17635ec885ec5701ae85d8020d41b5f4996c9e08a3a293fa941c934f618d19156798bd279cb6

C:\Windows\SysWOW64\Anadojlo.exe

MD5 4b360912feb09b6660b84808b04a9dbf
SHA1 ef1db8aab8940488b9a3ce0f85b5733e90e227ba
SHA256 533e59786671426a4e5361c13fc4d8ada5a3ad3f0b48aab917e5ac0fdc7ae7d5
SHA512 a9bbb1bf979b5266ecf657ff4c435f99890861df6266a2b248a31edf957980a8e10e61b8635aed9e7eb91b606c534ae13af3f9c8491f76e84c0e8fca3800d48e

C:\Windows\SysWOW64\Ajhddk32.exe

MD5 e93afa81ccf773cc20d1b5cc6a1bd607
SHA1 6d2b7c8d13937352f96889d9a267a3e6e1f4726f
SHA256 8139aa25a4418c2737a8fdffd74fb1d0b22afcabc8b0d95ba8de5188f7d26be8
SHA512 c5e61e36eb0970e15c9ff3926f480464e51c12264795c8135d8956cc3edc9e06a77bd01d6c916694e02b67c065a39d7ce7bb312df063bf9569b8b41c4f6e2d6c

C:\Windows\SysWOW64\Bfoeil32.exe

MD5 df49a91894755101e6748d0d311e63df
SHA1 e236c4455317a9c58f81673f2d1203acaadc015c
SHA256 23e700334ae22243fc14286e848c81b2ca1e164ebb5ae93e3564451a8e8fadc5
SHA512 324ac1fb4b5cda98319b2969d5b93234f29b803aae865cc82c38939df8a31b9f4e1110c984f2ed7a1f1ea013080e6a4a6782b190c957dd3e078da3368d68d4d1

C:\Windows\SysWOW64\Bkknac32.exe

MD5 a47339dfc1709b895b08926fa00ffebf
SHA1 41942c3a0f60efb103765888f860eb012259c78d
SHA256 c42b7bca988fd6d2681c9780c0ead2ed320645163a9284cd438e3f16712917c8
SHA512 ebfe0bb7507ab2bf80bb5c94eb3b7e6805f84903efca42ac0195693a617ab3ce59de8f67368cd84d2909a438b24e6e3592fd332bcd9a9feb4df609280110e7c0

C:\Windows\SysWOW64\Bddbjhlp.exe

MD5 1281e9f5438c9483eaa9097d26d7d1f4
SHA1 8bb305b57ac768d3eca93fa6d83c75879d37c3cb
SHA256 4d69969605ace271896b70788813308f35d3a44e802ebd92011a9b8a42cdfa2c
SHA512 d6d843957c6425153489734eb162884d10861d146a0c2027c137b8453146d5a475e8fe3f2cfa306d023df9ee5c5223e5d54cce8abb04637a53f4435513ea2949

C:\Windows\SysWOW64\Bbhccm32.exe

MD5 534524d2da0b8c5edc72e4d5fa7eceb1
SHA1 f0a582992b0c7bf558543500858d8a776bd6804d
SHA256 3485243ae8891f967b77be3f0952cdf61749cdc6575f3af2c7c717717e746124
SHA512 a125ee146616be7a87a0dbb867aea1a8b2af236733460dff162b8d39d9b9133f1788a3b9b027f51326d24275f2290de3421db493ff018c7e7eb5b65f997a5b9d

C:\Windows\SysWOW64\Bolcma32.exe

MD5 2408aba29f9cbb2e15701035a1a866b0
SHA1 0b4456bf24d031e98f5e21daea7ad705bad5e504
SHA256 666b2e4240304895b124921599b0d204f697fed5bc428e0c165bcd6aa4db925c
SHA512 d25797f34c51d20b995faae6b68bb10f1839df107b49e85caca5c54fe0435b304b1d2354b2b759fc852c532ff69b754696053a17b105e78c4c5e0af4a298c14c

C:\Windows\SysWOW64\Bgghac32.exe

MD5 d7f529c9d57e72f965c4a68fb2c34229
SHA1 6d25a1de3843f4bad807d3bc15414ee7381e901b
SHA256 ebbec06b14a8d2f34bfc35ceb4078c63f9ef0e917c46f04dd9158432b3f995ad
SHA512 c7fe3a3809acffe5ce87871831179447b931b8cf364eeb45cbb1671e934d4e7a3265337bd9407308cc88f8f95c3425cd08c493ba5460a8c878b6dad144086320

C:\Windows\SysWOW64\Cgidfcdk.exe

MD5 8e2f77a3874ad7c9dd72c1741c326696
SHA1 40b6a829ea89354cf888ec5cd03d9f418d2f6e9c
SHA256 2deae06eb776ee97b0c7c562b2c14ffd93aab5e5cf0ecc397db11fd8976f7d64
SHA512 125932da7041da3a067090220a6d6e18a8f365a1e591dcbd52d18b8e3fbcaa8990adc0cdd9e49c6f2ba9091ef521655165f789bdf5585d260c6ca01eded108d0

C:\Windows\SysWOW64\Cdmepgce.exe

MD5 b481753c2714d3e304fe608793052fbb
SHA1 001c34ac967ccaf1d8cf163163b8518f32289546
SHA256 4b2b8b50ace249b83c3a653067b789a89b1b5b50d4f4fe019ae38b36dcee4c28
SHA512 227ca901eed6f2ac33ce1577cda17c61dd7a46edda2ee0fc85cf1d16c41520ad5c5822b6991a0adac012b119e28e27d5adab071b9b7a722b45b824a7287f1d55

C:\Windows\SysWOW64\Demaoj32.exe

MD5 07c4fa8bfe473b22fb63b20e51a5b5c7
SHA1 a5c6fcc4b15cdb698a6a3e82f606ccab8c882df4
SHA256 5feb9df477a46e2b708e078c5cd9a884bf2d48d2b52ce2171e45b4c4ddd15f14
SHA512 4303dcfb55577fdd0984c4d8408ce00e5018fad235c6686c6eceec59e3a495e5c30618c6d8694de3b9bf8be16a8e5b3ce4107acaced68bf3c3ccee02afb26a18

C:\Windows\SysWOW64\Dnefhpma.exe

MD5 9b339be288a9ad537d0a6d776875d873
SHA1 5f064f49a5479991332168516b00b19405f40a2f
SHA256 2e2fb3498e292bfd12bd8f2bd0f6a9ddc99e9ada2cbfe920454a6631271e188f
SHA512 128df57f50961f1085e595bc8de416cdaca43d6d2311dd7b3b58731d5af41fc5af330f6fd91339fb8bddb7f5f104a38ac2a93a56b4ce0feb0760b9945d5554d2

C:\Windows\SysWOW64\Dfcgbb32.exe

MD5 360582a23ea1c6b11ed99ff57fa186e1
SHA1 41f7f42bfa372625dea8600ba42035beb2347b8c
SHA256 e3e7c45cc9278871151c301c1ec02fdc2f86e60315bbade7b7fd04009fefe534
SHA512 fa34d2eb7e7c11df2e02ed0cbfe9e28d938e93ae15a124470ccb379518e93977741af3955164d984861c961d9c662c43b3137ed9f6cecdfd49e5b32c049f5693

C:\Windows\SysWOW64\Emoldlmc.exe

MD5 b63cac23fa06f901bac50dc3e4ce08ea
SHA1 9384a6c20c7a1255d875dd033df49666a7e29c2d
SHA256 67456f83756e3562c5c6ae5600d8d01b51ea1c22d65884646cc8c59ff1e64d13
SHA512 75e4f09ca948dc427d51c8e3a7d1c745d8d5d7b4919d19c915db7bf5642a025ff603431a20b1c730c9daea0703a2fe2e01981152a82d1ef1d83137b4e3f33150

C:\Windows\SysWOW64\Ejcmmp32.exe

MD5 6a2bd3ef69577cd145f0992af35a1f6c
SHA1 ecab0964d64d0550e405be466be44fc82dad8882
SHA256 519fd9d63e804aba00293dc184830c27436d10fae0408758e2e4835997ac6978
SHA512 6337986fa66aae58e1208f39cc3a5ff766a2d7a6f05e5bb90a61ba1537ed46cc64588d37e0d1258d1feb01aed8bb426cdd90358d39863ebdbcec341093119e07

C:\Windows\SysWOW64\Edlafebn.exe

MD5 cdbe807564ab67d901e9d02dd8beba26
SHA1 248dfb8229161f22543901984bea876870a527ee
SHA256 17ac7ad5f204631d6385e74d5cbf729609d2653d802183c37cc739d34a258fe6
SHA512 7c14829ce978607062c70ee9820a1362a0210b88c9650f6440bce121617909dde5641ac158d6595a63d010e7d365d7a42fabc61f77ce61eed445ea9678a96e6c

C:\Windows\SysWOW64\Emdeok32.exe

MD5 affed87fcba90c0e5c64cb56050626c1
SHA1 beb67c756115dcbe0808857e6738a7e24ac94e9d
SHA256 a02b35100d274b0d0d261987a0e0137894dc83829bb061e905764f21aba2ec1e
SHA512 a1eff1c6654a67d4c042f09ad3a3353fb77232766704c2b6e8e763a45d8c27559f43cd521989f79fa083c79cf59c73cc34445535ae6fb14f4aea175e7f1ba102

C:\Windows\SysWOW64\Efljhq32.exe

MD5 d8dabf1c39982dba0aa8bcb2419afb2b
SHA1 2998fb2a17d8ac022b5bd5e23a607f53dc85b459
SHA256 c0067f8546df34509f8e9484d0a0b1f1d7a925cd0b0a8b8b70f3436def7a139e
SHA512 f8c450decbfcafe08278cf1d49b2fa6d0e4149910fad2485df508a9a592757400bfcd55cb5a8e40ea405d9bca280e4c28dc574c3db1f19d62e5bafc6c1b4ec34

C:\Windows\SysWOW64\Eimcjl32.exe

MD5 46e01fca7804d3a9a4f2ebb21c266ed0
SHA1 1e530d6d9a5d58740eb21fa1101faa9052bca812
SHA256 b428cbcb17fb650fe26a5bfdfdd80d091b50d8c66ac103ee87bd7c842c4f5d5d
SHA512 6a9899356b35b85b871bc35ae1e05a677317bafcbab998d7ef41d61b98d962c723f06b9b89a05e80802fa904ea2e15d418c415968d8d221baf71517b20a2aba4

C:\Windows\SysWOW64\Feddombd.exe

MD5 59b2261c18af5dd854da868e8a5d250e
SHA1 7218f7cffcd6bea8c18f1392e485d6a1a30afc3b
SHA256 7ceaaa829ec2205e628851590993c9ba53e2c2e771cc3d955e451f17edbc789c
SHA512 e14a121ad28cd3d1732c7361bbdddbfe000f02f2f61036ec15292a60a839c9f95ed5ecd6e2fa9da2f1d3a9341bfa8487b012ded4cbf615ff6b843013b1c859cb

C:\Windows\SysWOW64\Fmohco32.exe

MD5 dff31c7ff37ad2ecb323d2975f695523
SHA1 1004348f9967b8d331d3b728bc5a5f7042a0807e
SHA256 c0c6e56037b01b9413a89040fa779e290a992b0c3ae4ee281766b50d1fe0b6f5
SHA512 2ac3fce63012658755eadbf557b401df5edbf1fc1a1849aedaf269450811a9c2d3f4ea489952906ec6b49351531c6e488c8ed3492b736f30699ecc7e6eb130b2

C:\Windows\SysWOW64\Fdiqpigl.exe

MD5 7f40f3cbe957439f9a468d694091befb
SHA1 28b6d0892ca81d785bdecf7c966dea91b4d7e205
SHA256 d48d9e59c8771c5f3c7e6bbc108b030810ce368f31dfba1675911e1ca397b041
SHA512 b01e71034874194cf12699404db9fe4da685028e6a55703ddd1f885a4a269cf12e3012454373699df3e9e7f971cc7583067b37a253b00259b887d312695f63ad

C:\Windows\SysWOW64\Fkefbcmf.exe

MD5 efe363e9057fbdff2b6cffd0a982c9ce
SHA1 a2ef588b028d9082d92c23aea14692dca4e9a449
SHA256 0a053468be2dd89322288cfb1a4b39d2fb93ab485cee0ff65905b72d6da1086d
SHA512 5161aaed971c12b1c299074dbc12af44a4eae60ae5bd3e686de25168999333449de4e627dca0b965d20dffb705b118ec9788ad3879dd4a1861b9097937d144fc

C:\Windows\SysWOW64\Fijbco32.exe

MD5 d854262685f1c1e866b4cdffdefb5d77
SHA1 159bc78b3d5cf3d02877a427e89673a88550713e
SHA256 3e7dae359c8896653b5a9ce225ae6301ca26e0eff267d5c881a1aa218701ae52
SHA512 be21161f844e538378c2aabe13b67057c194a4ea862725374eb2ccf0855c5f9c1cda1e093f3b107d599fe3cdc26b3fb8beb92d65a2380607391bee86928674fb

C:\Windows\SysWOW64\Fgocmc32.exe

MD5 5358b00b2670237e9f813d140f8af5f1
SHA1 e8f751e28cb4ee4bdf90d5f490cc1545b8849aa5
SHA256 dc72b15a638d94105924ab00ae2f2d0b0bc06f05d2ea0235bdf2fa15da35edc9
SHA512 fc4c929f5954737cb367e64860f128431dca332c616605e7aad31c96ce3404f1dc5d073fa15cc783c5501bc900bd4162b16848f90bda5bbd62fd10bcec6584d8

C:\Windows\SysWOW64\Gpggei32.exe

MD5 cbbbcca1ff613fc1f255f180b5926050
SHA1 b2929ac01bbf0f95c9cab8a3dec770fab667db8b
SHA256 7992b2ece89c74b09c14da136a4ed24f00532ef12d4ab3952e070e3377ba63eb
SHA512 cd4bed8ab1c7fff021e7692151a1782e06e484fa0f33f566bba1b354ce66f9565637b94ad7b54d2b8e584d22adfbb8a32cd5ea675861108d22082f1035bc9f5d

C:\Windows\SysWOW64\Ghbljk32.exe

MD5 3c4efef93aab84fd8477e29268c4f60d
SHA1 f9b784a089b988d45888922e5b0e9cf043ec7576
SHA256 914ec21fc7a954bb8bc3d135298047b42b1ee20d19f11b57da28f2ed3170a896
SHA512 dcec00163fbe71ec84c2055fd3d9fe7f7e1605aadac10a3e3d4bae5c1ceac73289ce54b59a611f5f567b655fbaba52675e73a7ef4dbdd9defa1c15db1961ae9c

C:\Windows\SysWOW64\Gefmcp32.exe

MD5 ff44152c1836187b9383e883426ecac9
SHA1 f2b2ef9169eca2bfdf367be8e2010476a91f26e7
SHA256 05a212c436be504088d446e8d16f6c4886d334410b643f32bcdd58649ef7a954
SHA512 93783fd05decd41d70056e66dbc28df4235d4cbfcb3ed3c9d6126a183104aaf4baefeaabcf6070ea07393ef5784d6acbeb119a12f4a71eaa50b2c780d342a03e

C:\Windows\SysWOW64\Glpepj32.exe

MD5 3da81832aea9302be284c260a194ca09
SHA1 59524802ccb11885f428be907327e7d090b8dd67
SHA256 41d284484a6fa58c6844427b16c2d212b84eafbc5389cb928f1da60ebc42867c
SHA512 566e06bd83f17675d1eb78cdb7d4e8bfff126baebb91b8cbd09fd8e1e7c801b76fe512335f2444fc5a076c9e7fbf9eba12d90f39c75d8e713743533e1a3ca2e2

C:\Windows\SysWOW64\Glbaei32.exe

MD5 dc540a33d6e4e3f16114f8141282fd16
SHA1 30e476399f1f2d59b32cda2e68ab8d5198aced21
SHA256 44464047536a946e668d1bc072ed0fde55300e8cb4429d4e96dc1ef5f1e42001
SHA512 54536f9fbb7a37f873744bffa3cf1376f3b6610e99901ca09b6cb89ca4d80af1f36681bdb3f973542aafad6676ba075f77f57c4fd30ad688094aa38724c4a448

C:\Windows\SysWOW64\Gekfnoog.exe

MD5 bb8c86600746aa827a38ce4b3a5655fa
SHA1 09fb954ddd82b0c8f253ce12798b0e3500dd59c1
SHA256 a69e6e10dda7f03fd3f1fae53bbf9311bf817d9e0f5efbe55755e4efd1164827
SHA512 77f56a2dbc2943e6e052832d41283e46cdfaf0a3262a09e1deae5e23e6278d25733ab54904e3fce34bfc124097c406b67128bd71596dfb418b10374500a1af4c

C:\Windows\SysWOW64\Gockgdeh.exe

MD5 e1bc5bd941464759fcdd5c18a6a91f7f
SHA1 02982b63ec18006df53a0206473907a5ba2c2361
SHA256 554a8b54699bb1ab407b9d0c691b55ca9e6ede8d14e2bf36f17354952ed8689b
SHA512 7566f74708711ac5519d88699522f994a961ca4ce0a102c491d38818132afcd46317c614a3eae0ebdcfdaa7fb188233162c5c2205c639fb107617d6925d98901

C:\Windows\SysWOW64\Hjmlhbbg.exe

MD5 b72fbb71bcb7d5ac7f459990635954af
SHA1 850329256f0c39d3e247520e19221ac5006afb86
SHA256 3082e370d83bf85d46832f9bf90a3be69b9595a97cd369864a6eb29655161902
SHA512 7ff05225778c99a05007b34b65cc1d5eb14912090e2f2bcf1ba2cf55d287dd565c80f078c00328852f15c9c07335a8265a5bd9effbb6261992533425a2689d37

C:\Windows\SysWOW64\Hgqlafap.exe

MD5 7cf5898323866b0a012efd0e34b3875e
SHA1 56e672dbe5705a503af2c6b381e831d489961385
SHA256 e42bfaf4050c34cef4fa99f1bff5693cc4b6c62dbf113ed97fb36f274970fc4a
SHA512 5bfff7ad8fb1d965c19866dac37f56bd8eba026f79b251507c00a7923083bf781a7dea0fa8b58e4324f099fe75cf0c49abecafd66a32892c44ab461cf43261b1

C:\Windows\SysWOW64\Hmmdin32.exe

MD5 b6f28a723e40365c5f722e6b21d316b7
SHA1 cf046e8c8738bf8354935837e6ef37eb4b2cd9a4
SHA256 4f630626a46462a6f41974352fba58a5d5c109fd8ca2870e463fd8e9b6f2131d
SHA512 ac45cdf65ccb86a2ee21de209b6f7804f3b29eccb7c80a237db77437c2a3bec28764f937ffb9eaf2d0ec696227219c1bdfb30173754f2beb807bf17f9ce54175

C:\Windows\SysWOW64\Hffibceh.exe

MD5 846dbd7562637683f4763cb49d5ee424
SHA1 9e5a8f9ebd0aa464a26ae8349d076a4b04ba2bf6
SHA256 5b0f2956b7aa169b80f39e77597c881f398295735d3c575f5f07b49813857a58
SHA512 7e719ba5fc45ab9643d3ff87652c92f6e2808dec7a222f1e232fab1c51df16cdcc2c52d4af27af5a1d63a9f6cd783723e124f4c2558d712cb49e3c8387a41ca4

C:\Windows\SysWOW64\Hcjilgdb.exe

MD5 0e99a4618e515a394377aff009c09eeb
SHA1 c88cacec510cb49eb01e2c246339f287b5168b03
SHA256 989822e86c8f91d94bb8fb4d4fbd0ac89edb7747bcfa63bac132b08a13bd3591
SHA512 cfa614c69f694b0ee3159a2072d9f933d33ef5a296c1ca34071fa08ad8750b819872b25cb1c04553f3ea0dc094adbdcd7edf1dcf6dd0bb8a4ff9beeaff77d5b4

C:\Windows\SysWOW64\Hqnjek32.exe

MD5 aafe10aa6d1460bccf7c5730af55789d
SHA1 a286f644adb2067fc55ca277575347d80a3bf106
SHA256 56f7b32e5c1f8f0afba9006a622815a86155ec6c7e6d3ca6c03f1562121b6032
SHA512 e2de06e07752b3b9e0b05af979d8402e7b1b444bf43582f58de4e7eef77877bcc276b50e80876c09671da3bb6747d9493b78fa0bac97533520fef156b259b394

C:\Windows\SysWOW64\Hiioin32.exe

MD5 e24fb8210cec0c06c11f080d884f362b
SHA1 fa6969ddca3cae4d232349422313916ad2b8ad8f
SHA256 1754eaf1d97802e8769e3e9bbb3373490804a1031e2dd9718fa69cc89cdd0e12
SHA512 63e867cb9b8a2d004bb3bfadf8dee6eb1bd02a60b0526662fa88043fa3fcf6f9126bad53be113eff557b40be7138bb148323dac09d98b2ae2cec456b7c42dfda

C:\Windows\SysWOW64\Ibacbcgg.exe

MD5 9a13fbdc1c4458ce37d0006287f71945
SHA1 6dc0d89a074d434a35e6e16f18e7d59245c8ad6a
SHA256 58ba2fbdf7b48e249fb51cee4dc1beda07ff9dbe0032d5b862cbdd036535ca12
SHA512 5923425ac49d9928c3624e14e2114cf849cebdf47b0d0c6d725c300f4a8fbb0818e1dc158db1e3a476cee8b659a06881b4f796e1db4210779cf848f16149c9cb

C:\Windows\SysWOW64\Ioeclg32.exe

MD5 f86221bba1accddcdf8d5aa08d41a8d7
SHA1 45991effa356749ae681fc9e10eebd1fc37056cc
SHA256 876c11c2589ba64f58551217d18614dee6f30770d1333d788c010cd573ee3e10
SHA512 78a40779ea7a0be1a1e8186ed334d171ec07baa7cc5d0a0eca5b27ebe78870207b6e2dd954a4f7814ff29de10dfda1fb62cfba5ec1cdbc299fc1ea45cdf16883

C:\Windows\SysWOW64\Ifolhann.exe

MD5 bbea2dc1f399050f4a78376a12665d5f

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 10:51

Reported

2024-11-11 10:53

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjinkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cabfga32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Chokikeb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Anfmjhmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aadifclh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chagok32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjddphlq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cdabcm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmcibama.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agoabn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bjfaeh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cnicfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aabmqd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bmkjkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bebblb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Belebq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dejacond.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnpppgdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cdfkolkf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dmcibama.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dobfld32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chjaol32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cnffqf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Andqdh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aglemn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Agoabn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Baicac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bcjlcn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Banllbdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dobfld32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cegdnopg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dhkjej32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bchomn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bjddphlq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cjinkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cfpnph32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chokikeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Calhnpgn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Daconoae.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmjocp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aglemn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cagobalc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dddhpjof.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfdodjhm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aeniabfd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aepefb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bebblb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Banllbdn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjfaeh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cagobalc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Daqbip32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhkjej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Anadoi32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Anadoi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqppkd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeklkchg.exe N/A
N/A N/A C:\Windows\SysWOW64\Agjhgngj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajhddjfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Andqdh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aabmqd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeniabfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Aglemn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajkaii32.exe N/A
N/A N/A C:\Windows\SysWOW64\Anfmjhmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Aadifclh.exe N/A
N/A N/A C:\Windows\SysWOW64\Aepefb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agoabn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjmnoi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnhjohkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmkjkd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bebblb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcebhoii.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfdodjhm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjokdipf.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnkgeg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Baicac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bchomn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgcknmop.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjagjhnc.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnmcjg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Balpgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcjlcn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgehcmmm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjddphlq.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpppgdj.exe N/A
N/A N/A C:\Windows\SysWOW64\Banllbdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Bclhhnca.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfkedibe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjfaeh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmemac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Belebq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chjaol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjinkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cabfga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdabcm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfpnph32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnffqf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmiflbel.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
N/A N/A C:\Windows\SysWOW64\Chokikeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnicfe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cagobalc.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdfkolkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Chagok32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjpckf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmnpgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cajlhqjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdhhdlid.exe N/A
N/A N/A C:\Windows\SysWOW64\Chcddk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjbpaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnnlaehj.exe N/A
N/A N/A C:\Windows\SysWOW64\Calhnpgn.exe N/A
N/A N/A C:\Windows\SysWOW64\Cegdnopg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhfajjoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Djdmffnn.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Aglemn32.exe C:\Windows\SysWOW64\Aeniabfd.exe N/A
File created C:\Windows\SysWOW64\Anfmjhmd.exe C:\Windows\SysWOW64\Ajkaii32.exe N/A
File created C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Aadifclh.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjfaeh32.exe C:\Windows\SysWOW64\Bfkedibe.exe N/A
File created C:\Windows\SysWOW64\Cjmgfgdf.exe C:\Windows\SysWOW64\Chokikeb.exe N/A
File created C:\Windows\SysWOW64\Dobfld32.exe C:\Windows\SysWOW64\Dfknkg32.exe N/A
File created C:\Windows\SysWOW64\Pdheac32.dll C:\Windows\SysWOW64\Dhkjej32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmjocp32.exe C:\Windows\SysWOW64\Dkkcge32.exe N/A
File created C:\Windows\SysWOW64\Jffggf32.dll C:\Windows\SysWOW64\Cagobalc.exe N/A
File created C:\Windows\SysWOW64\Cacamdcd.dll C:\Windows\SysWOW64\Chagok32.exe N/A
File opened for modification C:\Windows\SysWOW64\Chcddk32.exe C:\Windows\SysWOW64\Cdhhdlid.exe N/A
File created C:\Windows\SysWOW64\Cnnlaehj.exe C:\Windows\SysWOW64\Cjbpaf32.exe N/A
File created C:\Windows\SysWOW64\Dfknkg32.exe C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
File created C:\Windows\SysWOW64\Gfghpl32.dll C:\Windows\SysWOW64\Dddhpjof.exe N/A
File created C:\Windows\SysWOW64\Bcebhoii.exe C:\Windows\SysWOW64\Bebblb32.exe N/A
File created C:\Windows\SysWOW64\Qlgene32.dll C:\Windows\SysWOW64\Cdfkolkf.exe N/A
File opened for modification C:\Windows\SysWOW64\Dgbdlf32.exe C:\Windows\SysWOW64\Dddhpjof.exe N/A
File opened for modification C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Calhnpgn.exe N/A
File created C:\Windows\SysWOW64\Oammoc32.dll C:\Windows\SysWOW64\Dmgbnq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dddhpjof.exe C:\Windows\SysWOW64\Daekdooc.exe N/A
File created C:\Windows\SysWOW64\Bmkjkd32.exe C:\Windows\SysWOW64\Bnhjohkb.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfpnph32.exe C:\Windows\SysWOW64\Cdabcm32.exe N/A
File created C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\SysWOW64\Daqbip32.exe N/A
File created C:\Windows\SysWOW64\Cdlgno32.dll C:\Windows\SysWOW64\Bfdodjhm.exe N/A
File created C:\Windows\SysWOW64\Balpgb32.exe C:\Windows\SysWOW64\Bnmcjg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmiflbel.exe C:\Windows\SysWOW64\Cnffqf32.exe N/A
File created C:\Windows\SysWOW64\Cdfkolkf.exe C:\Windows\SysWOW64\Cagobalc.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmnpgb32.exe C:\Windows\SysWOW64\Cjpckf32.exe N/A
File created C:\Windows\SysWOW64\Naeheh32.dll C:\Windows\SysWOW64\Cnnlaehj.exe N/A
File created C:\Windows\SysWOW64\Doilmc32.exe C:\Windows\SysWOW64\Dgbdlf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Balpgb32.exe C:\Windows\SysWOW64\Bnmcjg32.exe N/A
File created C:\Windows\SysWOW64\Cfpnph32.exe C:\Windows\SysWOW64\Cdabcm32.exe N/A
File created C:\Windows\SysWOW64\Jbpbca32.dll C:\Windows\SysWOW64\Ddonekbl.exe N/A
File created C:\Windows\SysWOW64\Kdqjac32.dll C:\Windows\SysWOW64\Cmiflbel.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkifae32.exe C:\Windows\SysWOW64\Dhkjej32.exe N/A
File created C:\Windows\SysWOW64\Ihidnp32.dll C:\Windows\SysWOW64\Dkifae32.exe N/A
File created C:\Windows\SysWOW64\Hjjdjk32.dll C:\Windows\SysWOW64\Balpgb32.exe N/A
File created C:\Windows\SysWOW64\Mogqfgka.dll C:\Windows\SysWOW64\Bjfaeh32.exe N/A
File created C:\Windows\SysWOW64\Chokikeb.exe C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
File created C:\Windows\SysWOW64\Bcjlcn32.exe C:\Windows\SysWOW64\Balpgb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajkaii32.exe C:\Windows\SysWOW64\Aglemn32.exe N/A
File created C:\Windows\SysWOW64\Djdmffnn.exe C:\Windows\SysWOW64\Dhfajjoj.exe N/A
File created C:\Windows\SysWOW64\Kbejge32.dll C:\Windows\SysWOW64\Baicac32.exe N/A
File created C:\Windows\SysWOW64\Hfggmg32.dll C:\Windows\SysWOW64\Bjddphlq.exe N/A
File created C:\Windows\SysWOW64\Nbgngp32.dll C:\Windows\SysWOW64\Dejacond.exe N/A
File created C:\Windows\SysWOW64\Bgehcmmm.exe C:\Windows\SysWOW64\Bcjlcn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceqnmpfo.exe C:\Windows\SysWOW64\Cmiflbel.exe N/A
File created C:\Windows\SysWOW64\Lfjhbihm.dll C:\Windows\SysWOW64\Cfpnph32.exe N/A
File created C:\Windows\SysWOW64\Ddakjkqi.exe C:\Windows\SysWOW64\Daconoae.exe N/A
File created C:\Windows\SysWOW64\Aglemn32.exe C:\Windows\SysWOW64\Aeniabfd.exe N/A
File created C:\Windows\SysWOW64\Ooojbbid.dll C:\Windows\SysWOW64\Anfmjhmd.exe N/A
File created C:\Windows\SysWOW64\Dmjapi32.dll C:\Windows\SysWOW64\Bjagjhnc.exe N/A
File created C:\Windows\SysWOW64\Jfihel32.dll C:\Windows\SysWOW64\Belebq32.exe N/A
File created C:\Windows\SysWOW64\Dhkjej32.exe C:\Windows\SysWOW64\Ddonekbl.exe N/A
File opened for modification C:\Windows\SysWOW64\Agoabn32.exe C:\Windows\SysWOW64\Aepefb32.exe N/A
File created C:\Windows\SysWOW64\Cmiflbel.exe C:\Windows\SysWOW64\Cnffqf32.exe N/A
File created C:\Windows\SysWOW64\Bbloam32.dll C:\Windows\SysWOW64\Cnffqf32.exe N/A
File created C:\Windows\SysWOW64\Cogflbdn.dll C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
File created C:\Windows\SysWOW64\Daqbip32.exe C:\Windows\SysWOW64\Dobfld32.exe N/A
File created C:\Windows\SysWOW64\Kngpec32.dll C:\Windows\SysWOW64\Doilmc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aqppkd32.exe C:\Windows\SysWOW64\Anadoi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aeniabfd.exe C:\Windows\SysWOW64\Aabmqd32.exe N/A
File created C:\Windows\SysWOW64\Bneljh32.dll C:\Windows\SysWOW64\Bnkgeg32.exe N/A
File created C:\Windows\SysWOW64\Belebq32.exe C:\Windows\SysWOW64\Bmemac32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Doilmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anadoi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anfmjhmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bclhhnca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chjaol32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjinkg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjpckf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dejacond.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnpppgdj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfkedibe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chagok32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dddhpjof.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmllipeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Balpgb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aeklkchg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aadifclh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjmnoi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfdodjhm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjokdipf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Calhnpgn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daqbip32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agjhgngj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aepefb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnkgeg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmiflbel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chcddk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Andqdh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bebblb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfknkg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhkjej32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcebhoii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Baicac32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Banllbdn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkifae32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cabfga32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnffqf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cegdnopg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkkcge32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aqppkd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjagjhnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfpnph32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcjlcn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aglemn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgcknmop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjfaeh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajkaii32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bchomn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjddphlq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmemac32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll" C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" C:\Windows\SysWOW64\Calhnpgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll" C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll" C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll" C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll" C:\Windows\SysWOW64\Agoabn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmiflbel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Chcddk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aadifclh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bebblb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bjokdipf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djdmffnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll" C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Aabmqd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll" C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjpckf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cegdnopg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Andqdh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Agoabn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bchomn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aglemn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Anfmjhmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll" C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bjmnoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll" C:\Windows\SysWOW64\Cabfga32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnicfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll" C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bclhhnca.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Calhnpgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" C:\Windows\SysWOW64\Dddhpjof.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Doilmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll" C:\Windows\SysWOW64\Chcddk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Agjhgngj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll" C:\Windows\SysWOW64\Bchomn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll" C:\Windows\SysWOW64\Bjagjhnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll" C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cjinkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll" C:\Windows\SysWOW64\Dkifae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll" C:\Windows\SysWOW64\Bmkjkd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bgcknmop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll" C:\Windows\SysWOW64\Bnpppgdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll" C:\Windows\SysWOW64\Bfkedibe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Daekdooc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll" C:\Windows\SysWOW64\Anfmjhmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bmkjkd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bnpppgdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Daqbip32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cnicfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmjocp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aeklkchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Belebq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll" C:\Windows\SysWOW64\Chjaol32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cnffqf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bnkgeg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cabfga32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1616 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe C:\Windows\SysWOW64\Anadoi32.exe
PID 1616 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe C:\Windows\SysWOW64\Anadoi32.exe
PID 1616 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe C:\Windows\SysWOW64\Anadoi32.exe
PID 2780 wrote to memory of 4688 N/A C:\Windows\SysWOW64\Anadoi32.exe C:\Windows\SysWOW64\Aqppkd32.exe
PID 2780 wrote to memory of 4688 N/A C:\Windows\SysWOW64\Anadoi32.exe C:\Windows\SysWOW64\Aqppkd32.exe
PID 2780 wrote to memory of 4688 N/A C:\Windows\SysWOW64\Anadoi32.exe C:\Windows\SysWOW64\Aqppkd32.exe
PID 4688 wrote to memory of 3616 N/A C:\Windows\SysWOW64\Aqppkd32.exe C:\Windows\SysWOW64\Aeklkchg.exe
PID 4688 wrote to memory of 3616 N/A C:\Windows\SysWOW64\Aqppkd32.exe C:\Windows\SysWOW64\Aeklkchg.exe
PID 4688 wrote to memory of 3616 N/A C:\Windows\SysWOW64\Aqppkd32.exe C:\Windows\SysWOW64\Aeklkchg.exe
PID 3616 wrote to memory of 3964 N/A C:\Windows\SysWOW64\Aeklkchg.exe C:\Windows\SysWOW64\Agjhgngj.exe
PID 3616 wrote to memory of 3964 N/A C:\Windows\SysWOW64\Aeklkchg.exe C:\Windows\SysWOW64\Agjhgngj.exe
PID 3616 wrote to memory of 3964 N/A C:\Windows\SysWOW64\Aeklkchg.exe C:\Windows\SysWOW64\Agjhgngj.exe
PID 3964 wrote to memory of 1448 N/A C:\Windows\SysWOW64\Agjhgngj.exe C:\Windows\SysWOW64\Ajhddjfn.exe
PID 3964 wrote to memory of 1448 N/A C:\Windows\SysWOW64\Agjhgngj.exe C:\Windows\SysWOW64\Ajhddjfn.exe
PID 3964 wrote to memory of 1448 N/A C:\Windows\SysWOW64\Agjhgngj.exe C:\Windows\SysWOW64\Ajhddjfn.exe
PID 1448 wrote to memory of 228 N/A C:\Windows\SysWOW64\Ajhddjfn.exe C:\Windows\SysWOW64\Andqdh32.exe
PID 1448 wrote to memory of 228 N/A C:\Windows\SysWOW64\Ajhddjfn.exe C:\Windows\SysWOW64\Andqdh32.exe
PID 1448 wrote to memory of 228 N/A C:\Windows\SysWOW64\Ajhddjfn.exe C:\Windows\SysWOW64\Andqdh32.exe
PID 228 wrote to memory of 216 N/A C:\Windows\SysWOW64\Andqdh32.exe C:\Windows\SysWOW64\Aabmqd32.exe
PID 228 wrote to memory of 216 N/A C:\Windows\SysWOW64\Andqdh32.exe C:\Windows\SysWOW64\Aabmqd32.exe
PID 228 wrote to memory of 216 N/A C:\Windows\SysWOW64\Andqdh32.exe C:\Windows\SysWOW64\Aabmqd32.exe
PID 216 wrote to memory of 1612 N/A C:\Windows\SysWOW64\Aabmqd32.exe C:\Windows\SysWOW64\Aeniabfd.exe
PID 216 wrote to memory of 1612 N/A C:\Windows\SysWOW64\Aabmqd32.exe C:\Windows\SysWOW64\Aeniabfd.exe
PID 216 wrote to memory of 1612 N/A C:\Windows\SysWOW64\Aabmqd32.exe C:\Windows\SysWOW64\Aeniabfd.exe
PID 1612 wrote to memory of 556 N/A C:\Windows\SysWOW64\Aeniabfd.exe C:\Windows\SysWOW64\Aglemn32.exe
PID 1612 wrote to memory of 556 N/A C:\Windows\SysWOW64\Aeniabfd.exe C:\Windows\SysWOW64\Aglemn32.exe
PID 1612 wrote to memory of 556 N/A C:\Windows\SysWOW64\Aeniabfd.exe C:\Windows\SysWOW64\Aglemn32.exe
PID 556 wrote to memory of 1980 N/A C:\Windows\SysWOW64\Aglemn32.exe C:\Windows\SysWOW64\Ajkaii32.exe
PID 556 wrote to memory of 1980 N/A C:\Windows\SysWOW64\Aglemn32.exe C:\Windows\SysWOW64\Ajkaii32.exe
PID 556 wrote to memory of 1980 N/A C:\Windows\SysWOW64\Aglemn32.exe C:\Windows\SysWOW64\Ajkaii32.exe
PID 1980 wrote to memory of 2864 N/A C:\Windows\SysWOW64\Ajkaii32.exe C:\Windows\SysWOW64\Anfmjhmd.exe
PID 1980 wrote to memory of 2864 N/A C:\Windows\SysWOW64\Ajkaii32.exe C:\Windows\SysWOW64\Anfmjhmd.exe
PID 1980 wrote to memory of 2864 N/A C:\Windows\SysWOW64\Ajkaii32.exe C:\Windows\SysWOW64\Anfmjhmd.exe
PID 2864 wrote to memory of 2532 N/A C:\Windows\SysWOW64\Anfmjhmd.exe C:\Windows\SysWOW64\Aadifclh.exe
PID 2864 wrote to memory of 2532 N/A C:\Windows\SysWOW64\Anfmjhmd.exe C:\Windows\SysWOW64\Aadifclh.exe
PID 2864 wrote to memory of 2532 N/A C:\Windows\SysWOW64\Anfmjhmd.exe C:\Windows\SysWOW64\Aadifclh.exe
PID 2532 wrote to memory of 2668 N/A C:\Windows\SysWOW64\Aadifclh.exe C:\Windows\SysWOW64\Aepefb32.exe
PID 2532 wrote to memory of 2668 N/A C:\Windows\SysWOW64\Aadifclh.exe C:\Windows\SysWOW64\Aepefb32.exe
PID 2532 wrote to memory of 2668 N/A C:\Windows\SysWOW64\Aadifclh.exe C:\Windows\SysWOW64\Aepefb32.exe
PID 2668 wrote to memory of 840 N/A C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Agoabn32.exe
PID 2668 wrote to memory of 840 N/A C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Agoabn32.exe
PID 2668 wrote to memory of 840 N/A C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Agoabn32.exe
PID 840 wrote to memory of 4860 N/A C:\Windows\SysWOW64\Agoabn32.exe C:\Windows\SysWOW64\Bjmnoi32.exe
PID 840 wrote to memory of 4860 N/A C:\Windows\SysWOW64\Agoabn32.exe C:\Windows\SysWOW64\Bjmnoi32.exe
PID 840 wrote to memory of 4860 N/A C:\Windows\SysWOW64\Agoabn32.exe C:\Windows\SysWOW64\Bjmnoi32.exe
PID 4860 wrote to memory of 4768 N/A C:\Windows\SysWOW64\Bjmnoi32.exe C:\Windows\SysWOW64\Bnhjohkb.exe
PID 4860 wrote to memory of 4768 N/A C:\Windows\SysWOW64\Bjmnoi32.exe C:\Windows\SysWOW64\Bnhjohkb.exe
PID 4860 wrote to memory of 4768 N/A C:\Windows\SysWOW64\Bjmnoi32.exe C:\Windows\SysWOW64\Bnhjohkb.exe
PID 4768 wrote to memory of 4268 N/A C:\Windows\SysWOW64\Bnhjohkb.exe C:\Windows\SysWOW64\Bmkjkd32.exe
PID 4768 wrote to memory of 4268 N/A C:\Windows\SysWOW64\Bnhjohkb.exe C:\Windows\SysWOW64\Bmkjkd32.exe
PID 4768 wrote to memory of 4268 N/A C:\Windows\SysWOW64\Bnhjohkb.exe C:\Windows\SysWOW64\Bmkjkd32.exe
PID 4268 wrote to memory of 3672 N/A C:\Windows\SysWOW64\Bmkjkd32.exe C:\Windows\SysWOW64\Bebblb32.exe
PID 4268 wrote to memory of 3672 N/A C:\Windows\SysWOW64\Bmkjkd32.exe C:\Windows\SysWOW64\Bebblb32.exe
PID 4268 wrote to memory of 3672 N/A C:\Windows\SysWOW64\Bmkjkd32.exe C:\Windows\SysWOW64\Bebblb32.exe
PID 3672 wrote to memory of 2336 N/A C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bcebhoii.exe
PID 3672 wrote to memory of 2336 N/A C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bcebhoii.exe
PID 3672 wrote to memory of 2336 N/A C:\Windows\SysWOW64\Bebblb32.exe C:\Windows\SysWOW64\Bcebhoii.exe
PID 2336 wrote to memory of 4832 N/A C:\Windows\SysWOW64\Bcebhoii.exe C:\Windows\SysWOW64\Bfdodjhm.exe
PID 2336 wrote to memory of 4832 N/A C:\Windows\SysWOW64\Bcebhoii.exe C:\Windows\SysWOW64\Bfdodjhm.exe
PID 2336 wrote to memory of 4832 N/A C:\Windows\SysWOW64\Bcebhoii.exe C:\Windows\SysWOW64\Bfdodjhm.exe
PID 4832 wrote to memory of 1256 N/A C:\Windows\SysWOW64\Bfdodjhm.exe C:\Windows\SysWOW64\Bjokdipf.exe
PID 4832 wrote to memory of 1256 N/A C:\Windows\SysWOW64\Bfdodjhm.exe C:\Windows\SysWOW64\Bjokdipf.exe
PID 4832 wrote to memory of 1256 N/A C:\Windows\SysWOW64\Bfdodjhm.exe C:\Windows\SysWOW64\Bjokdipf.exe
PID 1256 wrote to memory of 3336 N/A C:\Windows\SysWOW64\Bjokdipf.exe C:\Windows\SysWOW64\Bnkgeg32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe

"C:\Users\Admin\AppData\Local\Temp\9b3d7dc58bee2d81215c500af42086b0829b1c68408f09aa0e6586954bc3e29aN.exe"

C:\Windows\SysWOW64\Anadoi32.exe

C:\Windows\system32\Anadoi32.exe

C:\Windows\SysWOW64\Aqppkd32.exe

C:\Windows\system32\Aqppkd32.exe

C:\Windows\SysWOW64\Aeklkchg.exe

C:\Windows\system32\Aeklkchg.exe

C:\Windows\SysWOW64\Agjhgngj.exe

C:\Windows\system32\Agjhgngj.exe

C:\Windows\SysWOW64\Ajhddjfn.exe

C:\Windows\system32\Ajhddjfn.exe

C:\Windows\SysWOW64\Andqdh32.exe

C:\Windows\system32\Andqdh32.exe

C:\Windows\SysWOW64\Aabmqd32.exe

C:\Windows\system32\Aabmqd32.exe

C:\Windows\SysWOW64\Aeniabfd.exe

C:\Windows\system32\Aeniabfd.exe

C:\Windows\SysWOW64\Aglemn32.exe

C:\Windows\system32\Aglemn32.exe

C:\Windows\SysWOW64\Ajkaii32.exe

C:\Windows\system32\Ajkaii32.exe

C:\Windows\SysWOW64\Anfmjhmd.exe

C:\Windows\system32\Anfmjhmd.exe

C:\Windows\SysWOW64\Aadifclh.exe

C:\Windows\system32\Aadifclh.exe

C:\Windows\SysWOW64\Aepefb32.exe

C:\Windows\system32\Aepefb32.exe

C:\Windows\SysWOW64\Agoabn32.exe

C:\Windows\system32\Agoabn32.exe

C:\Windows\SysWOW64\Bjmnoi32.exe

C:\Windows\system32\Bjmnoi32.exe

C:\Windows\SysWOW64\Bnhjohkb.exe

C:\Windows\system32\Bnhjohkb.exe

C:\Windows\SysWOW64\Bmkjkd32.exe

C:\Windows\system32\Bmkjkd32.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bcebhoii.exe

C:\Windows\system32\Bcebhoii.exe

C:\Windows\SysWOW64\Bfdodjhm.exe

C:\Windows\system32\Bfdodjhm.exe

C:\Windows\SysWOW64\Bjokdipf.exe

C:\Windows\system32\Bjokdipf.exe

C:\Windows\SysWOW64\Bnkgeg32.exe

C:\Windows\system32\Bnkgeg32.exe

C:\Windows\SysWOW64\Baicac32.exe

C:\Windows\system32\Baicac32.exe

C:\Windows\SysWOW64\Bchomn32.exe

C:\Windows\system32\Bchomn32.exe

C:\Windows\SysWOW64\Bgcknmop.exe

C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bjagjhnc.exe

C:\Windows\system32\Bjagjhnc.exe

C:\Windows\SysWOW64\Bnmcjg32.exe

C:\Windows\system32\Bnmcjg32.exe

C:\Windows\SysWOW64\Balpgb32.exe

C:\Windows\system32\Balpgb32.exe

C:\Windows\SysWOW64\Bcjlcn32.exe

C:\Windows\system32\Bcjlcn32.exe

C:\Windows\SysWOW64\Bgehcmmm.exe

C:\Windows\system32\Bgehcmmm.exe

C:\Windows\SysWOW64\Bjddphlq.exe

C:\Windows\system32\Bjddphlq.exe

C:\Windows\SysWOW64\Bnpppgdj.exe

C:\Windows\system32\Bnpppgdj.exe

C:\Windows\SysWOW64\Banllbdn.exe

C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Bclhhnca.exe

C:\Windows\system32\Bclhhnca.exe

C:\Windows\SysWOW64\Bfkedibe.exe

C:\Windows\system32\Bfkedibe.exe

C:\Windows\SysWOW64\Bjfaeh32.exe

C:\Windows\system32\Bjfaeh32.exe

C:\Windows\SysWOW64\Bmemac32.exe

C:\Windows\system32\Bmemac32.exe

C:\Windows\SysWOW64\Belebq32.exe

C:\Windows\system32\Belebq32.exe

C:\Windows\SysWOW64\Chjaol32.exe

C:\Windows\system32\Chjaol32.exe

C:\Windows\SysWOW64\Cjinkg32.exe

C:\Windows\system32\Cjinkg32.exe

C:\Windows\SysWOW64\Cmgjgcgo.exe

C:\Windows\system32\Cmgjgcgo.exe

C:\Windows\SysWOW64\Cabfga32.exe

C:\Windows\system32\Cabfga32.exe

C:\Windows\SysWOW64\Cdabcm32.exe

C:\Windows\system32\Cdabcm32.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cnffqf32.exe

C:\Windows\system32\Cnffqf32.exe

C:\Windows\SysWOW64\Cmiflbel.exe

C:\Windows\system32\Cmiflbel.exe

C:\Windows\SysWOW64\Ceqnmpfo.exe

C:\Windows\system32\Ceqnmpfo.exe

C:\Windows\SysWOW64\Chokikeb.exe

C:\Windows\system32\Chokikeb.exe

C:\Windows\SysWOW64\Cjmgfgdf.exe

C:\Windows\system32\Cjmgfgdf.exe

C:\Windows\SysWOW64\Cnicfe32.exe

C:\Windows\system32\Cnicfe32.exe

C:\Windows\SysWOW64\Cagobalc.exe

C:\Windows\system32\Cagobalc.exe

C:\Windows\SysWOW64\Cdfkolkf.exe

C:\Windows\system32\Cdfkolkf.exe

C:\Windows\SysWOW64\Chagok32.exe

C:\Windows\system32\Chagok32.exe

C:\Windows\SysWOW64\Cjpckf32.exe

C:\Windows\system32\Cjpckf32.exe

C:\Windows\SysWOW64\Cmnpgb32.exe

C:\Windows\system32\Cmnpgb32.exe

C:\Windows\SysWOW64\Cajlhqjp.exe

C:\Windows\system32\Cajlhqjp.exe

C:\Windows\SysWOW64\Cdhhdlid.exe

C:\Windows\system32\Cdhhdlid.exe

C:\Windows\SysWOW64\Chcddk32.exe

C:\Windows\system32\Chcddk32.exe

C:\Windows\SysWOW64\Cjbpaf32.exe

C:\Windows\system32\Cjbpaf32.exe

C:\Windows\SysWOW64\Cnnlaehj.exe

C:\Windows\system32\Cnnlaehj.exe

C:\Windows\SysWOW64\Calhnpgn.exe

C:\Windows\system32\Calhnpgn.exe

C:\Windows\SysWOW64\Cegdnopg.exe

C:\Windows\system32\Cegdnopg.exe

C:\Windows\SysWOW64\Dhfajjoj.exe

C:\Windows\system32\Dhfajjoj.exe

C:\Windows\SysWOW64\Djdmffnn.exe

C:\Windows\system32\Djdmffnn.exe

C:\Windows\SysWOW64\Dmcibama.exe

C:\Windows\system32\Dmcibama.exe

C:\Windows\SysWOW64\Dejacond.exe

C:\Windows\system32\Dejacond.exe

C:\Windows\SysWOW64\Dhhnpjmh.exe

C:\Windows\system32\Dhhnpjmh.exe

C:\Windows\SysWOW64\Dfknkg32.exe

C:\Windows\system32\Dfknkg32.exe

C:\Windows\SysWOW64\Dobfld32.exe

C:\Windows\system32\Dobfld32.exe

C:\Windows\SysWOW64\Daqbip32.exe

C:\Windows\system32\Daqbip32.exe

C:\Windows\SysWOW64\Ddonekbl.exe

C:\Windows\system32\Ddonekbl.exe

C:\Windows\SysWOW64\Dhkjej32.exe

C:\Windows\system32\Dhkjej32.exe

C:\Windows\SysWOW64\Dkifae32.exe

C:\Windows\system32\Dkifae32.exe

C:\Windows\SysWOW64\Dmgbnq32.exe

C:\Windows\system32\Dmgbnq32.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Ddakjkqi.exe

C:\Windows\system32\Ddakjkqi.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Dmjocp32.exe

C:\Windows\system32\Dmjocp32.exe

C:\Windows\SysWOW64\Daekdooc.exe

C:\Windows\system32\Daekdooc.exe

C:\Windows\SysWOW64\Dddhpjof.exe

C:\Windows\system32\Dddhpjof.exe

C:\Windows\SysWOW64\Dgbdlf32.exe

C:\Windows\system32\Dgbdlf32.exe

C:\Windows\SysWOW64\Doilmc32.exe

C:\Windows\system32\Doilmc32.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5720 -ip 5720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 408

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files


memory/5068-245-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2748-236-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bcjlcn32.exe

MD5 786e59a353a4fcc1ab519f84a27f6cff
SHA1 b167bb7d78037018a64c6b6ea5630bf7e9d3cf4d
SHA256 4ff2665bd6e3c34009feb528a2093a66a540a4c552efea660dc6bfbb68c752f8
SHA512 f80167cadbed951e65974c38aa7be5d6ceda7651913a99ef5fe68bf83e6900b0cc99799a864387ac81594de7886851dd10e488eaa81f3a2d0ea0cade8c552506

memory/3624-229-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Balpgb32.exe

MD5 05817ed39385a3762f1a7484114e11bb
SHA1 fcfb845f5ec3a1afbe728b4cad4262f7f39066ed
SHA256 ec74ccfd19af4d5c0c545af6662fc16a1dbceda41ba94d791418ebf289642578
SHA512 3fc80399f86764d26e49330208d3046af3a520824fef075c7e3e121adac961ef9e33f1e9bdae497896cc3939d7dfb5f8134ad1766d4483f02bb9260623c6596c

memory/4052-221-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bnmcjg32.exe

MD5 0ae159163e8566c045f7c58b1f0406ba
SHA1 7f286abe9b947677ddd578831ddb5c8b3f0a915d
SHA256 a348ab21a063970932400b1fdc3fff7beecddc9c5bd97fc99c50a784f374e86d
SHA512 71e01c394b850122cfccbb32ffabcd78d0cfcbcde6e218c97380f312c3f9757c69d62ed7396e7fc0e0e1fe79781bfa8f1927284c10e0c9dfc5a01ca1098bc742

memory/3892-213-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bjagjhnc.exe

MD5 6e9801b31315492eeba2db98408adfcb
SHA1 725addc8c30916a33fee2542ff57ea8ebe61e609
SHA256 68a589fcc4bb5851544039af57029b11a40d365db29c21e03de0dbf74e9ec05b
SHA512 bf42a9d8d1001d7d6c2503bab19a16aa5f1f4c893a034946a9be8bfc5f4fc469f4f6b5355891327b8d59798cbbaf025e04a6c1c26b85c733ee6798bf8b382c56

memory/3880-204-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bgcknmop.exe

MD5 03b18db24a7eaed60251d152f040f675
SHA1 dd0f9ec8639efffba8c9751cf7cbbede009bcfd2
SHA256 d45f8f4660d57c36ed357b5e3c18453173ba6be2c63d2e9412fd35f394a200ce
SHA512 f31d513978821ae80aa11f80c30d7b8c73e8781a64b2839e527ba07cb53569c7bd4c16076d400d287666ce5c4a98f22ceff12830ce8439eda4df66626adca0ee

memory/3588-197-0x0000000000400000-0x0000000000433000-memory.dmp

memory/336-188-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Baicac32.exe

MD5 2e87eea3b2eac62c29cffddc7a7bdb07
SHA1 a2da2d7eb388361223249b2bd5789254ad9d5916
SHA256 61aa0a3c16b05065952f1c81d8c05495c24765ab8f725c62f53af9a5ac17657d
SHA512 fa6d414166c543ad028f3b844c793d11df5999d5d3494d4f7a172fbaf5198b456e9474f8989ee0380aafb29545727ebb9e561d71d23017460c778c28995a9fd5

memory/3336-180-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bnkgeg32.exe

MD5 c740db47b5b808dc2c08c40adf4b515a
SHA1 d0455335f8f882a8962df4c37232ea6284361824
SHA256 e9f34b7ff02daff0c2a87523d23cdb6c2dbba4e218d610c9034394d831a206fb
SHA512 e4a3b128646756f9468f74c8d1944dc688647d7b2ce35392f5f290d1a4418431c7d9999672091a08cbffe678dbf6546df8c29349b55a819e8e99ad26a68e4ee8

memory/1256-173-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bjokdipf.exe

MD5 b308e8e93ff5e694facb802d2c6373c6
SHA1 0dff637ba0b35ae738533051dd9b9542ddf303fa
SHA256 ad8ad43bb23f579ada4b8075f3c82bebb9312c1db037ef94020568eda3369da4
SHA512 fb8dcea8ee8dc46aabc15e7f36a7abd82f03800d3c99629e7faec76b82856de97f70025c103176159856455b6474e2e0a8b36b75dfc176a1eaf97f6be9f1be51

memory/4832-164-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bfdodjhm.exe

MD5 3cda09660b34ecf2d14433873c983c9a
SHA1 dc37780155b72c4a54c1543408b6e8fb5cab2869
SHA256 e6c458327f9a6623a2fe12da2fce90f296e05eb68436f0462effc5eef715ec43
SHA512 7fa5ffad96c26ff32abece4c00ea9cc56c41acbf51d949d1c7db22a6e778060eb567f210e806aea0dfac4dca947509b8f93b79dcc6e559b69ba315713b2b76df

memory/2336-157-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bcebhoii.exe

MD5 9241beba41c378685658f4dcf73eab46
SHA1 25f7e74b4f32aa97ea001ca3ff54f12ac16ae139
SHA256 29864d08a28638f6ce16c4f309cf68d9abc2fe77dae689dbddefdb2a2d61687f
SHA512 03f91c2676fd717e2d354302256452dcc112eb7eb2d929f37b93403c06eb41699de1d50d2d14bbb90e39967a944c24da05dddd01e616e97914a9305a6000161e

memory/3672-148-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bebblb32.exe

MD5 8fe9eda04d39a1b92b99bb117fa96e6f
SHA1 20eba5ad6f8b93d805c78704054a89c7248c6efa
SHA256 4d747ae878c711078a4a9f5acb9d1a7e07a79666e9950317c0f24d761634294f
SHA512 8be8e51cf721202ea9f80dd68707af1ed83b79670b8b26931c71ec7ad3b6b39ca063e929fae01f37ca2daebc2c33cc368f2c8b5fcfb79ebcaf8390a333365c38

memory/4268-140-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bmkjkd32.exe

MD5 d976e3ae9ece8489471ef7f8afcb335e
SHA1 b5da39c03eae1ab7e7b1e856124f16c25dc0f717
SHA256 b8e410fc8e772f1a422188d0673271c1ab6f1b26a2b34d899fdf8156a8913ec7
SHA512 1f477c46170885eab831bb5120add1999729a8c7f75d01732e4dcea6cb5b67c01881b33d88f10cb2a240a3b4665eeadcec7f561224ad636a9f44b340f5ae68f8

memory/4768-133-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bnhjohkb.exe

MD5 5e423dd3bec5f6579a1688034fa13e42
SHA1 6b4590ad9ae0c5a027f62d2b322cbc2101960973
SHA256 f0677a4c4c8b99752b05c419f9d6310d52a38a986c698fc5a7ab597225175432
SHA512 abdc2c634087ddea475c0526d85a499da7f67b65789d2c7171e795379e6e6f4bc96e86b37f27b0c1102cac6f5d7d16e5115a84efe19e086e053761dc2ee0e96f

memory/4860-124-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bjmnoi32.exe

MD5 f6a8245f959cab9fbcd18d89044a176c
SHA1 62fea54aba3b05b4fbc85c0d67d8da131b2fe8b6
SHA256 5ac49e35f5ff23a72a1fa1a3556f378777a8cd2012de413a8b5383e687d6fcc0
SHA512 c50c894286bc9f68a82da155e90536b75ad56df1799feec4c776525e61dc586595ae1f506c1a04b382b21ec0cca7b9821a602a278a774a4253111408aaf3c131

memory/840-117-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Agoabn32.exe

MD5 c46908b167b12e58b88c244a0d2c6419
SHA1 cf35b424fc4fd467a5cd99a080b2d4df31ec0102
SHA256 4b22b23d4c4d5523e7aa65790029298b0ede415f09dba843a2f3608e38bc5a13
SHA512 9ca6074131867e3a0d3b67e68e327d2fa9c5e9f7f5a5bf183eacffe202ea0d4c3afcd84afe022fb0b6a60df2b0c7213469d39acc820f6ea08e7a3348862a0d7a

C:\Windows\SysWOW64\Aepefb32.exe

MD5 b7939ed895f271fe437ab6f59a5a36fe
SHA1 63fcdedaf7693f075c1493b73d2badb333036378
SHA256 83d0ca1cbe71ccbbda877ec96e824bf2c14a4aad085a43d4057d3e6daab882c3
SHA512 29afce1ffdd61ea6a21c2306cf46dc9c09bd210da4787464ee550c024c77c9984a6bfdee47b6671195e2c2dccc6ee70985f84637b5e4c85647c321bafca766da

memory/2532-100-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Aadifclh.exe

MD5 76483984f8b2bff03f185a16e6be996b
SHA1 adc95cd8ccc4aeb48838ef70e365d65f35a7825f
SHA256 14fc25a18db423ab6de3ba789d01c6ba876d46327743c353ab10e420ed176ef1
SHA512 afff813f6218120726a89b09319a0855b68c75a7d8ad894c7a3bbaf6f2f4c4ab0d185ba9703b564659339781b8c1e97b3cbf75c88ee53bbef350d1a0fc54e46f

memory/2864-92-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1980-84-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ajkaii32.exe

MD5 ce53cdd0fac74c87ee4613b2fea5192e
SHA1 8f598a91ec21a5a5fce149cee3766d6535ab24b9
SHA256 5f0e75834ba00008219daa765f8ab3a502973152ddf8101fc346294ed52f63b1
SHA512 e40f5232c121072e963b72cbd12ddcf6efd9d737133e9596d2e126fb222914ccf5f8e87373edb247802f2f154cc1a487d3564dc720de9608507b5836ff808365

C:\Windows\SysWOW64\Aglemn32.exe

MD5 5b887951738160872b2b94b2dfdf426c
SHA1 4000da3e13ba7be4bae36ec7c73100a4090cf984
SHA256 c4545a96259a0722acee2cec39aa1d55d76ad605eea9acb9cb63cbe304de44fd
SHA512 7f29f0cbfc460d2078e842d749e5f00d9b559cc005d31767889385194c9aaa9c2b32af3cf84c74ffb2b9189b5226f2a6180c9f067b23c75f3026107634758ca2

C:\Windows\SysWOW64\Aeniabfd.exe

MD5 fc193cca4ef6d18159e7c6c97d7785fb
SHA1 22ecdb554eb63b1660203838ef2720166ae938cf
SHA256 a6fc962d18d2192d674fed0280a4b03872300460e685d1ef6ffaa537511960ee
SHA512 2c092f04e2dc488c40a87596ec29cc16f320a4352931b134f46db58f408389d946a946d272d52563be0e71e7b72256e6f97edafa2850a08644e4882cc42dbfcd

C:\Windows\SysWOW64\Aabmqd32.exe

MD5 5caba83cabf3aaed4cbc94c42ce5e0e4
SHA1 aadd6257512939517869d3b6d23401f18e8654e8
SHA256 39038682c45c852002c9a46489192ecef9bae4f6f16bb0a203343e72a8045f95
SHA512 1df41df88c660273c6d7bfe51fcb1293ba766657ec3e6a4efa8a74868572e10d08c8c377ca4dca8ac8496e3764a97fb6890e11e6acea9c1f1e7b3891c9f9df72

memory/1448-44-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3964-32-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Aqppkd32.exe

MD5 a7f7759e023d90bdebe75b43a067fc65
SHA1 8ba9798615f6018e63448a0c52efb0bbc6de1257
SHA256 6deb7d6c3f1306a50906236c0df25fa3f95d39612910fa424454f9a696668496
SHA512 1b651abbfffdb451490bfc740a51161411344b30b68dedd54bd1c9b79e6297b4c02e8c00d97fc6d9e6b76fe9320146315f6e6f9960847415fe4a5adebf61c961

memory/3964-564-0x0000000000400000-0x0000000000433000-memory.dmp