Malware Analysis Report

2025-08-06 02:35

Sample ID: 241111-pnakjayhkr
Target: 08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe
SHA256: e8eaf9490dbbcc19dc3e90ea6bda091755ee82221b291fe70ed19d48594c9c31
Tags: berbew backdoor discovery persistence
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: e8eaf9490dbbcc19dc3e90ea6bda091755ee82221b291fe70ed19d48594c9c31
Threat Level: Known bad

The file 08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe was found to be: Known bad.

Malicious Activity Summary

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-11-11 12:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-11 12:28
Reported: 2024-11-11 12:30
Platform: win10v2004-20241007-en
Max time kernel: 95s
Max time network: 97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmbfpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cmiflbel.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnkplejl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pfolbmje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aeniabfd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Odapnf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmdkch32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amddjegd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Amddjegd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Banllbdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nlmllkja.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pggbkagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aminee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Accfbokl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Banllbdn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncdgcf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nggjdc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oncofm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cndikf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Odapnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pnonbk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmefhako.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Olhlhjpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ampkof32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lphoelqn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qfcfml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Afmhck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Chagok32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceehho32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgkjhe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pnonbk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nggjdc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pgefeajb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmiflbel.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnqbanmo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afoeiklb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baicac32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bffkij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Chokikeb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceckcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mgimcebb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afhohlbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Afhohlbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Baicac32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnicfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Likjcbkc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bnbmefbg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afmhck32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cenahpha.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chokikeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lbdolh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgimcebb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cenahpha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ceckcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dejacond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nnqbanmo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Odmgcgbi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Onjegled.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cnicfe32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Likjcbkc.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbdolh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmiciaaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lphoelqn.exe N/A
N/A N/A C:\Windows\SysWOW64\Meiaib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgimcebb.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmbfpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgkjhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnebeogl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncdgcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlmllkja.exe N/A
N/A N/A C:\Windows\SysWOW64\Neeqea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nloiakho.exe N/A
N/A N/A C:\Windows\SysWOW64\Nggjdc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnqbanmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Oncofm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odmgcgbi.exe N/A
N/A N/A C:\Windows\SysWOW64\Olhlhjpd.exe N/A
N/A N/A C:\Windows\SysWOW64\Odapnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogpmjb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onjegled.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgefeajb.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnonbk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pggbkagp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmdkch32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqbdjfln.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfolbmje.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqdqof32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qfcfml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qqijje32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ampkof32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afhohlbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Amddjegd.exe N/A
N/A N/A C:\Windows\SysWOW64\Afmhck32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeniabfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Afoeiklb.exe N/A
N/A N/A C:\Windows\SysWOW64\Aminee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Accfbokl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnhjohkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjokdipf.exe N/A
N/A N/A C:\Windows\SysWOW64\Baicac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bffkij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Beglgani.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfhhoi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Banllbdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfkedibe.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnbmefbg.exe N/A
N/A N/A C:\Windows\SysWOW64\Chjaol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cndikf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cenahpha.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfpnph32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmiflbel.exe N/A
N/A N/A C:\Windows\SysWOW64\Chokikeb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnicfe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceckcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chagok32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnkplejl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceehho32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cffdpghg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnnlaehj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfiafg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dejacond.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmefhako.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddonekbl.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Lffnijnj.dll C:\Windows\SysWOW64\Mmbfpp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ogpmjb32.exe C:\Windows\SysWOW64\Odapnf32.exe N/A
File created C:\Windows\SysWOW64\Kofpij32.dll C:\Windows\SysWOW64\Beglgani.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Dgbdlf32.exe N/A
File created C:\Windows\SysWOW64\Deimfpda.dll C:\Windows\SysWOW64\Likjcbkc.exe N/A
File created C:\Windows\SysWOW64\Cmlihfed.dll C:\Windows\SysWOW64\Meiaib32.exe N/A
File created C:\Windows\SysWOW64\Bfkedibe.exe C:\Windows\SysWOW64\Banllbdn.exe N/A
File created C:\Windows\SysWOW64\Dapgdeib.dll C:\Windows\SysWOW64\Mnebeogl.exe N/A
File opened for modification C:\Windows\SysWOW64\Afhohlbj.exe C:\Windows\SysWOW64\Ampkof32.exe N/A
File created C:\Windows\SysWOW64\Mgbpghdn.dll C:\Windows\SysWOW64\Aminee32.exe N/A
File created C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\SysWOW64\Dmefhako.exe N/A
File created C:\Windows\SysWOW64\Bobiobnp.dll C:\Windows\SysWOW64\Dfpgffpm.exe N/A
File created C:\Windows\SysWOW64\Dbagnedl.dll C:\Windows\SysWOW64\Pmdkch32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bffkij32.exe C:\Windows\SysWOW64\Baicac32.exe N/A
File created C:\Windows\SysWOW64\Bnbmefbg.exe C:\Windows\SysWOW64\Bfkedibe.exe N/A
File created C:\Windows\SysWOW64\Cndikf32.exe C:\Windows\SysWOW64\Chjaol32.exe N/A
File created C:\Windows\SysWOW64\Kngpec32.dll C:\Windows\SysWOW64\Dgbdlf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Likjcbkc.exe C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgimcebb.exe C:\Windows\SysWOW64\Meiaib32.exe N/A
File created C:\Windows\SysWOW64\Nlmllkja.exe C:\Windows\SysWOW64\Ncdgcf32.exe N/A
File created C:\Windows\SysWOW64\Gnpllc32.dll C:\Windows\SysWOW64\Nggjdc32.exe N/A
File created C:\Windows\SysWOW64\Afhohlbj.exe C:\Windows\SysWOW64\Ampkof32.exe N/A
File created C:\Windows\SysWOW64\Flgehc32.dll C:\Windows\SysWOW64\Cenahpha.exe N/A
File created C:\Windows\SysWOW64\Cmiflbel.exe C:\Windows\SysWOW64\Cfpnph32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lmiciaaj.exe C:\Windows\SysWOW64\Lbdolh32.exe N/A
File created C:\Windows\SysWOW64\Nodfmh32.dll C:\Windows\SysWOW64\Lphoelqn.exe N/A
File opened for modification C:\Windows\SysWOW64\Pgefeajb.exe C:\Windows\SysWOW64\Onjegled.exe N/A
File created C:\Windows\SysWOW64\Pqdqof32.exe C:\Windows\SysWOW64\Pfolbmje.exe N/A
File created C:\Windows\SysWOW64\Bjokdipf.exe C:\Windows\SysWOW64\Bnhjohkb.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnnlaehj.exe C:\Windows\SysWOW64\Cffdpghg.exe N/A
File created C:\Windows\SysWOW64\Ingfla32.dll C:\Windows\SysWOW64\Cffdpghg.exe N/A
File created C:\Windows\SysWOW64\Odapnf32.exe C:\Windows\SysWOW64\Olhlhjpd.exe N/A
File created C:\Windows\SysWOW64\Fqjamcpe.dll C:\Windows\SysWOW64\Chjaol32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnkplejl.exe C:\Windows\SysWOW64\Chagok32.exe N/A
File created C:\Windows\SysWOW64\Ochpdn32.dll C:\Windows\SysWOW64\Pfolbmje.exe N/A
File opened for modification C:\Windows\SysWOW64\Qfcfml32.exe C:\Windows\SysWOW64\Pqdqof32.exe N/A
File created C:\Windows\SysWOW64\Lommhphi.dll C:\Windows\SysWOW64\Accfbokl.exe N/A
File created C:\Windows\SysWOW64\Bfhhoi32.exe C:\Windows\SysWOW64\Beglgani.exe N/A
File created C:\Windows\SysWOW64\Naekcf32.dll C:\Windows\SysWOW64\Olhlhjpd.exe N/A
File created C:\Windows\SysWOW64\Onjegled.exe C:\Windows\SysWOW64\Ogpmjb32.exe N/A
File created C:\Windows\SysWOW64\Jekpanpa.dll C:\Windows\SysWOW64\Cnkplejl.exe N/A
File opened for modification C:\Windows\SysWOW64\Odapnf32.exe C:\Windows\SysWOW64\Olhlhjpd.exe N/A
File created C:\Windows\SysWOW64\Hjlena32.dll C:\Windows\SysWOW64\Afmhck32.exe N/A
File created C:\Windows\SysWOW64\Cnicfe32.exe C:\Windows\SysWOW64\Chokikeb.exe N/A
File created C:\Windows\SysWOW64\Dfiafg32.exe C:\Windows\SysWOW64\Cnnlaehj.exe N/A
File created C:\Windows\SysWOW64\Popodg32.dll C:\Windows\SysWOW64\Pnonbk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pqbdjfln.exe C:\Windows\SysWOW64\Pmdkch32.exe N/A
File created C:\Windows\SysWOW64\Pfolbmje.exe C:\Windows\SysWOW64\Pqbdjfln.exe N/A
File created C:\Windows\SysWOW64\Lbdolh32.exe C:\Windows\SysWOW64\Likjcbkc.exe N/A
File opened for modification C:\Windows\SysWOW64\Meiaib32.exe C:\Windows\SysWOW64\Lphoelqn.exe N/A
File opened for modification C:\Windows\SysWOW64\Mmbfpp32.exe C:\Windows\SysWOW64\Mgimcebb.exe N/A
File created C:\Windows\SysWOW64\Nggjdc32.exe C:\Windows\SysWOW64\Nloiakho.exe N/A
File opened for modification C:\Windows\SysWOW64\Cffdpghg.exe C:\Windows\SysWOW64\Ceehho32.exe N/A
File created C:\Windows\SysWOW64\Nnqbanmo.exe C:\Windows\SysWOW64\Nggjdc32.exe N/A
File created C:\Windows\SysWOW64\Amddjegd.exe C:\Windows\SysWOW64\Afhohlbj.exe N/A
File created C:\Windows\SysWOW64\Bkjpmk32.dll C:\Windows\SysWOW64\Aeniabfd.exe N/A
File created C:\Windows\SysWOW64\Bnhjohkb.exe C:\Windows\SysWOW64\Accfbokl.exe N/A
File created C:\Windows\SysWOW64\Bneljh32.dll C:\Windows\SysWOW64\Bjokdipf.exe N/A
File created C:\Windows\SysWOW64\Lemphdgj.dll C:\Windows\SysWOW64\Mgkjhe32.exe N/A
File created C:\Windows\SysWOW64\Nnjaqjfh.dll C:\Windows\SysWOW64\Banllbdn.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfpgffpm.exe C:\Windows\SysWOW64\Deokon32.exe N/A
File created C:\Windows\SysWOW64\Fmijnn32.dll C:\Windows\SysWOW64\Mgimcebb.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmdkch32.exe C:\Windows\SysWOW64\Pggbkagp.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceckcp32.exe C:\Windows\SysWOW64\Cnicfe32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olhlhjpd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odapnf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beglgani.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmiflbel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lphoelqn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mnebeogl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nggjdc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oncofm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amddjegd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aminee32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ncdgcf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pqbdjfln.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bffkij32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cffdpghg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nloiakho.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pggbkagp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qqijje32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceehho32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Likjcbkc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Accfbokl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfkedibe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceckcp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ampkof32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Baicac32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Neeqea32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pgefeajb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmdkch32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qfcfml32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfpnph32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dejacond.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgimcebb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Onjegled.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pqdqof32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aeniabfd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnbmefbg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cndikf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Deokon32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnqbanmo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chjaol32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnkplejl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmbfpp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnonbk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chokikeb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbdolh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cenahpha.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmllipeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afhohlbj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjokdipf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgkjhe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odmgcgbi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogpmjb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nlmllkja.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfolbmje.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfiafg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmefhako.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Olhlhjpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lbdolh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" C:\Windows\SysWOW64\Dmjocp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll" C:\Windows\SysWOW64\Qqijje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll" C:\Windows\SysWOW64\Bjokdipf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bffkij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll" C:\Windows\SysWOW64\Ceckcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll" C:\Windows\SysWOW64\Ampkof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll" C:\Windows\SysWOW64\Bfkedibe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjokdipf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfpnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dejacond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll" C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll" C:\Windows\SysWOW64\Pqdqof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnkplejl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cndikf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cffdpghg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkkfn32.dll" C:\Windows\SysWOW64\Lbdolh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mnebeogl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Neeqea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oncofm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Odapnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pfolbmje.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll" C:\Windows\SysWOW64\Afmhck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll" C:\Windows\SysWOW64\Aminee32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Likjcbkc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll" C:\Windows\SysWOW64\Onjegled.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll" C:\Windows\SysWOW64\Afhohlbj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Baicac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll" C:\Windows\SysWOW64\Cenahpha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll" C:\Windows\SysWOW64\Cfpnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll" C:\Windows\SysWOW64\Cmiflbel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll" C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll" C:\Windows\SysWOW64\Nnqbanmo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pgefeajb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bffkij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll" C:\Windows\SysWOW64\Chokikeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chagok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimfpda.dll" C:\Windows\SysWOW64\Likjcbkc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll" C:\Windows\SysWOW64\Cndikf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnqbanmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfkedibe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Odmgcgbi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll" C:\Windows\SysWOW64\Olhlhjpd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pggbkagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pqbdjfln.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qqijje32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Accfbokl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cndikf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mmbfpp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncdgcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll" C:\Windows\SysWOW64\Nloiakho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cenahpha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll" C:\Windows\SysWOW64\Beglgani.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chjaol32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Baicac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chokikeb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3620 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe C:\Windows\SysWOW64\Likjcbkc.exe
PID 3620 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe C:\Windows\SysWOW64\Likjcbkc.exe
PID 3620 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe C:\Windows\SysWOW64\Likjcbkc.exe
PID 1744 wrote to memory of 956 N/A C:\Windows\SysWOW64\Likjcbkc.exe C:\Windows\SysWOW64\Lbdolh32.exe
PID 1744 wrote to memory of 956 N/A C:\Windows\SysWOW64\Likjcbkc.exe C:\Windows\SysWOW64\Lbdolh32.exe
PID 1744 wrote to memory of 956 N/A C:\Windows\SysWOW64\Likjcbkc.exe C:\Windows\SysWOW64\Lbdolh32.exe
PID 956 wrote to memory of 1696 N/A C:\Windows\SysWOW64\Lbdolh32.exe C:\Windows\SysWOW64\Lmiciaaj.exe
PID 956 wrote to memory of 1696 N/A C:\Windows\SysWOW64\Lbdolh32.exe C:\Windows\SysWOW64\Lmiciaaj.exe
PID 956 wrote to memory of 1696 N/A C:\Windows\SysWOW64\Lbdolh32.exe C:\Windows\SysWOW64\Lmiciaaj.exe
PID 1696 wrote to memory of 2656 N/A C:\Windows\SysWOW64\Lmiciaaj.exe C:\Windows\SysWOW64\Lphoelqn.exe
PID 1696 wrote to memory of 2656 N/A C:\Windows\SysWOW64\Lmiciaaj.exe C:\Windows\SysWOW64\Lphoelqn.exe
PID 1696 wrote to memory of 2656 N/A C:\Windows\SysWOW64\Lmiciaaj.exe C:\Windows\SysWOW64\Lphoelqn.exe
PID 2656 wrote to memory of 2012 N/A C:\Windows\SysWOW64\Lphoelqn.exe C:\Windows\SysWOW64\Meiaib32.exe
PID 2656 wrote to memory of 2012 N/A C:\Windows\SysWOW64\Lphoelqn.exe C:\Windows\SysWOW64\Meiaib32.exe
PID 2656 wrote to memory of 2012 N/A C:\Windows\SysWOW64\Lphoelqn.exe C:\Windows\SysWOW64\Meiaib32.exe
PID 2012 wrote to memory of 2600 N/A C:\Windows\SysWOW64\Meiaib32.exe C:\Windows\SysWOW64\Mgimcebb.exe
PID 2012 wrote to memory of 2600 N/A C:\Windows\SysWOW64\Meiaib32.exe C:\Windows\SysWOW64\Mgimcebb.exe
PID 2012 wrote to memory of 2600 N/A C:\Windows\SysWOW64\Meiaib32.exe C:\Windows\SysWOW64\Mgimcebb.exe
PID 2600 wrote to memory of 2232 N/A C:\Windows\SysWOW64\Mgimcebb.exe C:\Windows\SysWOW64\Mmbfpp32.exe
PID 2600 wrote to memory of 2232 N/A C:\Windows\SysWOW64\Mgimcebb.exe C:\Windows\SysWOW64\Mmbfpp32.exe
PID 2600 wrote to memory of 2232 N/A C:\Windows\SysWOW64\Mgimcebb.exe C:\Windows\SysWOW64\Mmbfpp32.exe
PID 2232 wrote to memory of 4784 N/A C:\Windows\SysWOW64\Mmbfpp32.exe C:\Windows\SysWOW64\Mgkjhe32.exe
PID 2232 wrote to memory of 4784 N/A C:\Windows\SysWOW64\Mmbfpp32.exe C:\Windows\SysWOW64\Mgkjhe32.exe
PID 2232 wrote to memory of 4784 N/A C:\Windows\SysWOW64\Mmbfpp32.exe C:\Windows\SysWOW64\Mgkjhe32.exe
PID 4784 wrote to memory of 5024 N/A C:\Windows\SysWOW64\Mgkjhe32.exe C:\Windows\SysWOW64\Mnebeogl.exe
PID 4784 wrote to memory of 5024 N/A C:\Windows\SysWOW64\Mgkjhe32.exe C:\Windows\SysWOW64\Mnebeogl.exe
PID 4784 wrote to memory of 5024 N/A C:\Windows\SysWOW64\Mgkjhe32.exe C:\Windows\SysWOW64\Mnebeogl.exe
PID 5024 wrote to memory of 1456 N/A C:\Windows\SysWOW64\Mnebeogl.exe C:\Windows\SysWOW64\Ncdgcf32.exe
PID 5024 wrote to memory of 1456 N/A C:\Windows\SysWOW64\Mnebeogl.exe C:\Windows\SysWOW64\Ncdgcf32.exe
PID 5024 wrote to memory of 1456 N/A C:\Windows\SysWOW64\Mnebeogl.exe C:\Windows\SysWOW64\Ncdgcf32.exe
PID 1456 wrote to memory of 3400 N/A C:\Windows\SysWOW64\Ncdgcf32.exe C:\Windows\SysWOW64\Nlmllkja.exe
PID 1456 wrote to memory of 3400 N/A C:\Windows\SysWOW64\Ncdgcf32.exe C:\Windows\SysWOW64\Nlmllkja.exe
PID 1456 wrote to memory of 3400 N/A C:\Windows\SysWOW64\Ncdgcf32.exe C:\Windows\SysWOW64\Nlmllkja.exe
PID 3400 wrote to memory of 1256 N/A C:\Windows\SysWOW64\Nlmllkja.exe C:\Windows\SysWOW64\Neeqea32.exe
PID 3400 wrote to memory of 1256 N/A C:\Windows\SysWOW64\Nlmllkja.exe C:\Windows\SysWOW64\Neeqea32.exe
PID 3400 wrote to memory of 1256 N/A C:\Windows\SysWOW64\Nlmllkja.exe C:\Windows\SysWOW64\Neeqea32.exe
PID 1256 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Neeqea32.exe C:\Windows\SysWOW64\Nloiakho.exe
PID 1256 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Neeqea32.exe C:\Windows\SysWOW64\Nloiakho.exe
PID 1256 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Neeqea32.exe C:\Windows\SysWOW64\Nloiakho.exe
PID 2104 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Nloiakho.exe C:\Windows\SysWOW64\Nggjdc32.exe
PID 2104 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Nloiakho.exe C:\Windows\SysWOW64\Nggjdc32.exe
PID 2104 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Nloiakho.exe C:\Windows\SysWOW64\Nggjdc32.exe
PID 1972 wrote to memory of 3024 N/A C:\Windows\SysWOW64\Nggjdc32.exe C:\Windows\SysWOW64\Nnqbanmo.exe
PID 1972 wrote to memory of 3024 N/A C:\Windows\SysWOW64\Nggjdc32.exe C:\Windows\SysWOW64\Nnqbanmo.exe
PID 1972 wrote to memory of 3024 N/A C:\Windows\SysWOW64\Nggjdc32.exe C:\Windows\SysWOW64\Nnqbanmo.exe
PID 3024 wrote to memory of 4596 N/A C:\Windows\SysWOW64\Nnqbanmo.exe C:\Windows\SysWOW64\Oncofm32.exe
PID 3024 wrote to memory of 4596 N/A C:\Windows\SysWOW64\Nnqbanmo.exe C:\Windows\SysWOW64\Oncofm32.exe
PID 3024 wrote to memory of 4596 N/A C:\Windows\SysWOW64\Nnqbanmo.exe C:\Windows\SysWOW64\Oncofm32.exe
PID 4596 wrote to memory of 4616 N/A C:\Windows\SysWOW64\Oncofm32.exe C:\Windows\SysWOW64\Odmgcgbi.exe
PID 4596 wrote to memory of 4616 N/A C:\Windows\SysWOW64\Oncofm32.exe C:\Windows\SysWOW64\Odmgcgbi.exe
PID 4596 wrote to memory of 4616 N/A C:\Windows\SysWOW64\Oncofm32.exe C:\Windows\SysWOW64\Odmgcgbi.exe
PID 4616 wrote to memory of 4992 N/A C:\Windows\SysWOW64\Odmgcgbi.exe C:\Windows\SysWOW64\Olhlhjpd.exe
PID 4616 wrote to memory of 4992 N/A C:\Windows\SysWOW64\Odmgcgbi.exe C:\Windows\SysWOW64\Olhlhjpd.exe
PID 4616 wrote to memory of 4992 N/A C:\Windows\SysWOW64\Odmgcgbi.exe C:\Windows\SysWOW64\Olhlhjpd.exe
PID 4992 wrote to memory of 3004 N/A C:\Windows\SysWOW64\Olhlhjpd.exe C:\Windows\SysWOW64\Odapnf32.exe
PID 4992 wrote to memory of 3004 N/A C:\Windows\SysWOW64\Olhlhjpd.exe C:\Windows\SysWOW64\Odapnf32.exe
PID 4992 wrote to memory of 3004 N/A C:\Windows\SysWOW64\Olhlhjpd.exe C:\Windows\SysWOW64\Odapnf32.exe
PID 3004 wrote to memory of 4228 N/A C:\Windows\SysWOW64\Odapnf32.exe C:\Windows\SysWOW64\Ogpmjb32.exe
PID 3004 wrote to memory of 4228 N/A C:\Windows\SysWOW64\Odapnf32.exe C:\Windows\SysWOW64\Ogpmjb32.exe
PID 3004 wrote to memory of 4228 N/A C:\Windows\SysWOW64\Odapnf32.exe C:\Windows\SysWOW64\Ogpmjb32.exe
PID 4228 wrote to memory of 404 N/A C:\Windows\SysWOW64\Ogpmjb32.exe C:\Windows\SysWOW64\Onjegled.exe
PID 4228 wrote to memory of 404 N/A C:\Windows\SysWOW64\Ogpmjb32.exe C:\Windows\SysWOW64\Onjegled.exe
PID 4228 wrote to memory of 404 N/A C:\Windows\SysWOW64\Ogpmjb32.exe C:\Windows\SysWOW64\Onjegled.exe
PID 404 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Onjegled.exe C:\Windows\SysWOW64\Pgefeajb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe

"C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe"

C:\Windows\SysWOW64\Likjcbkc.exe

C:\Windows\system32\Likjcbkc.exe

C:\Windows\SysWOW64\Lbdolh32.exe

C:\Windows\system32\Lbdolh32.exe

C:\Windows\SysWOW64\Lmiciaaj.exe

C:\Windows\system32\Lmiciaaj.exe

C:\Windows\SysWOW64\Lphoelqn.exe

C:\Windows\system32\Lphoelqn.exe

C:\Windows\SysWOW64\Meiaib32.exe

C:\Windows\system32\Meiaib32.exe

C:\Windows\SysWOW64\Mgimcebb.exe

C:\Windows\system32\Mgimcebb.exe

C:\Windows\SysWOW64\Mmbfpp32.exe

C:\Windows\system32\Mmbfpp32.exe

C:\Windows\SysWOW64\Mgkjhe32.exe

C:\Windows\system32\Mgkjhe32.exe

C:\Windows\SysWOW64\Mnebeogl.exe

C:\Windows\system32\Mnebeogl.exe

C:\Windows\SysWOW64\Ncdgcf32.exe

C:\Windows\system32\Ncdgcf32.exe

C:\Windows\SysWOW64\Nlmllkja.exe

C:\Windows\system32\Nlmllkja.exe

C:\Windows\SysWOW64\Neeqea32.exe

C:\Windows\system32\Neeqea32.exe

C:\Windows\SysWOW64\Nloiakho.exe

C:\Windows\system32\Nloiakho.exe

C:\Windows\SysWOW64\Nggjdc32.exe

C:\Windows\system32\Nggjdc32.exe

C:\Windows\SysWOW64\Nnqbanmo.exe

C:\Windows\system32\Nnqbanmo.exe

C:\Windows\SysWOW64\Oncofm32.exe

C:\Windows\system32\Oncofm32.exe

C:\Windows\SysWOW64\Odmgcgbi.exe

C:\Windows\system32\Odmgcgbi.exe

C:\Windows\SysWOW64\Olhlhjpd.exe

C:\Windows\system32\Olhlhjpd.exe

C:\Windows\SysWOW64\Odapnf32.exe

C:\Windows\system32\Odapnf32.exe

C:\Windows\SysWOW64\Ogpmjb32.exe

C:\Windows\system32\Ogpmjb32.exe

C:\Windows\SysWOW64\Onjegled.exe

C:\Windows\system32\Onjegled.exe

C:\Windows\SysWOW64\Pgefeajb.exe

C:\Windows\system32\Pgefeajb.exe

C:\Windows\SysWOW64\Pnonbk32.exe

C:\Windows\system32\Pnonbk32.exe

C:\Windows\SysWOW64\Pggbkagp.exe

C:\Windows\system32\Pggbkagp.exe

C:\Windows\SysWOW64\Pmdkch32.exe

C:\Windows\system32\Pmdkch32.exe

C:\Windows\SysWOW64\Pqbdjfln.exe

C:\Windows\system32\Pqbdjfln.exe

C:\Windows\SysWOW64\Pfolbmje.exe

C:\Windows\system32\Pfolbmje.exe

C:\Windows\SysWOW64\Pqdqof32.exe

C:\Windows\system32\Pqdqof32.exe

C:\Windows\SysWOW64\Qfcfml32.exe

C:\Windows\system32\Qfcfml32.exe

C:\Windows\SysWOW64\Qqijje32.exe

C:\Windows\system32\Qqijje32.exe

C:\Windows\SysWOW64\Ampkof32.exe

C:\Windows\system32\Ampkof32.exe

C:\Windows\SysWOW64\Afhohlbj.exe

C:\Windows\system32\Afhohlbj.exe

C:\Windows\SysWOW64\Amddjegd.exe

C:\Windows\system32\Amddjegd.exe

C:\Windows\SysWOW64\Afmhck32.exe

C:\Windows\system32\Afmhck32.exe

C:\Windows\SysWOW64\Aeniabfd.exe

C:\Windows\system32\Aeniabfd.exe

C:\Windows\SysWOW64\Afoeiklb.exe

C:\Windows\system32\Afoeiklb.exe

C:\Windows\SysWOW64\Aminee32.exe

C:\Windows\system32\Aminee32.exe

C:\Windows\SysWOW64\Accfbokl.exe

C:\Windows\system32\Accfbokl.exe

C:\Windows\SysWOW64\Bnhjohkb.exe

C:\Windows\system32\Bnhjohkb.exe

C:\Windows\SysWOW64\Bjokdipf.exe

C:\Windows\system32\Bjokdipf.exe

C:\Windows\SysWOW64\Baicac32.exe

C:\Windows\system32\Baicac32.exe

C:\Windows\SysWOW64\Bffkij32.exe

C:\Windows\system32\Bffkij32.exe

C:\Windows\SysWOW64\Beglgani.exe

C:\Windows\system32\Beglgani.exe

C:\Windows\SysWOW64\Bfhhoi32.exe

C:\Windows\system32\Bfhhoi32.exe

C:\Windows\SysWOW64\Banllbdn.exe

C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Bfkedibe.exe

C:\Windows\system32\Bfkedibe.exe

C:\Windows\SysWOW64\Bnbmefbg.exe

C:\Windows\system32\Bnbmefbg.exe

C:\Windows\SysWOW64\Chjaol32.exe

C:\Windows\system32\Chjaol32.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Cenahpha.exe

C:\Windows\system32\Cenahpha.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cmiflbel.exe

C:\Windows\system32\Cmiflbel.exe

C:\Windows\SysWOW64\Chokikeb.exe

C:\Windows\system32\Chokikeb.exe

C:\Windows\SysWOW64\Cnicfe32.exe

C:\Windows\system32\Cnicfe32.exe

C:\Windows\SysWOW64\Ceckcp32.exe

C:\Windows\system32\Ceckcp32.exe

C:\Windows\SysWOW64\Chagok32.exe

C:\Windows\system32\Chagok32.exe

C:\Windows\SysWOW64\Cnkplejl.exe

C:\Windows\system32\Cnkplejl.exe

C:\Windows\SysWOW64\Ceehho32.exe

C:\Windows\system32\Ceehho32.exe

C:\Windows\SysWOW64\Cffdpghg.exe

C:\Windows\system32\Cffdpghg.exe

C:\Windows\SysWOW64\Cnnlaehj.exe

C:\Windows\system32\Cnnlaehj.exe

C:\Windows\SysWOW64\Dfiafg32.exe

C:\Windows\system32\Dfiafg32.exe

C:\Windows\SysWOW64\Dejacond.exe

C:\Windows\system32\Dejacond.exe

C:\Windows\SysWOW64\Dmefhako.exe

C:\Windows\system32\Dmefhako.exe

C:\Windows\SysWOW64\Ddonekbl.exe

C:\Windows\system32\Ddonekbl.exe

C:\Windows\SysWOW64\Dodbbdbb.exe

C:\Windows\system32\Dodbbdbb.exe

C:\Windows\SysWOW64\Deokon32.exe

C:\Windows\system32\Deokon32.exe

C:\Windows\SysWOW64\Dfpgffpm.exe

C:\Windows\system32\Dfpgffpm.exe

C:\Windows\SysWOW64\Dmjocp32.exe

C:\Windows\system32\Dmjocp32.exe

C:\Windows\SysWOW64\Dgbdlf32.exe

C:\Windows\system32\Dgbdlf32.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3280 -ip 3280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 412

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/3620-0-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1744-7-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Likjcbkc.exe

MD5 4dc5637bece21dbc5324312f4bc7568d
SHA1 c19e14d85efc81bf13f64154cba5bcf46f98305e
SHA256 fd5ce06a3abc7444f99f80c23ea0a63347d0e71fcc906c104b7992e56f01b518
SHA512 a533b4f01f2ae9cc538371d015c44a9157c7f4a68ba18a829323957692331a4489b3ed4609a310dca3db5ce773814140c2be0b52ef4cf26108a40830e88cdfd5

C:\Windows\SysWOW64\Lbdolh32.exe

MD5 14ee15ec59e31451bf047d0980c25dc2
SHA1 d7f113ca01b4d5a6cddb83ceed95fbd1ba0cbc12
SHA256 97a0b58457e931f138161d785670d16256ffdd256497e3fb8de82ffaa4e69763
SHA512 be62d403826823e21dbf1faebc2c399bb7f6ba9d23380c9d802b943e63328e8784ed58c059e47153f133a359af3a56a94b35cecb3b34d5739170680acec80a57

memory/956-16-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Lmiciaaj.exe

MD5 5ffa25370dbbb4d932a092ae43a0bfc0
SHA1 1a9ecf36bc6c3f80bda5a69ed524fb90e873678d
SHA256 251889203f9d03c10f1ddfe13cded4af3ffe11f87d357000597f1da8bb1f4e03
SHA512 8b35b736f89f0fd61949c266e55861f3ad199d65277e06d8e0fdf096edcc41a777796631b52b7e5a7d245eb7d499c5f4102829d0fb69e2f2f20366ad2a9f133e

C:\Windows\SysWOW64\Lphoelqn.exe

MD5 79814ccd9d0c8c3f356c77ba097a708e
SHA1 9aea7ad4db6b9468358fd725147bb4af1230d6d9
SHA256 b74f2a6a5bcb3344b6365c6dc856e4451a00c05ffcd18e0bec0394c5672f5c83
SHA512 ce1adeb56f1ec9399f4f20a06b05e93999ff78c2795c6f2df81fcc6aa2c6aa5b5e7488e6bdf861ade472476f9b85a03a4891a7bc14af0ccbc10c45e70b56604b

memory/2656-31-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1696-29-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Nodfmh32.dll

MD5 8e8855859aa804a91ace2f51edf1e6e1
SHA1 e45955a19e25b249a9e3f92dbf3bf3f25ad4ff5e
SHA256 382bff50cf24603b1e43c00dd502f14f643739225758448d2c5cba75b2554571
SHA512 a13bdd9199919f1353eb36255a045609094b85d7514c61e715d20cce2d5f6140cef21ddd677c02066e24347ab7c9a4ddca5f013bbfb0dfa9feeeeaa9e69b215d

C:\Windows\SysWOW64\Meiaib32.exe

MD5 1efdbffb32f1af6a64ecdbac87f1875a
SHA1 dd172992a7f01c7ad45f415ba1af0f4dd0795317
SHA256 35152ac9cc1e6c587d93cf503864be5e4f47bdd9f2ad48369093ec691be5abe1
SHA512 969ba1e173bf64f0c6dad8065ed5b67eea0849825ae5a6a04cfaeb841c7629fcfcb1ada61b206e32eb78b2be86abbf32fa661d3a51cde79b83703ef09c80e5d0

memory/2012-39-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2600-47-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Mgimcebb.exe

MD5 22c408ec59f975e571a9716767b9b91a
SHA1 be3b0220fb79b4cf3230f4317364deab64b01382
SHA256 fd75c06a7480744f000b1a051edd4e06823cf56c5140afdde4789fa1eea6c93a
SHA512 b4cbe7f1f2658e2f50e9489dd3aab5a5294b06d4be1075dfaa8b0f5d1e3689183e7bdc139c37fe1e335ad3ad543b2cc31144bf6edd8e49788a81f7da56801776

C:\Windows\SysWOW64\Mmbfpp32.exe

MD5 f252b824646ad0bdd62e0b6543b5db21
SHA1 7843ea5a1468b2630afdba10110e12d89875d589
SHA256 cc575a85cc7a4f0f5e5a2ff7c994c91de16ae3a660472eccbc760b9f296b15a6
SHA512 ed00f34f5d7e7f0179dd93a6024cb3806c9ce593fa790818d7451d1282e3d95c5751447d592a735ea0f5ac1d78610b2cb4e4c391bec7a4a15f14bcaf8910cb80

memory/2232-56-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Mgkjhe32.exe

MD5 0c2d65b99eee76a5b0ff0b4adf9b6488
SHA1 1f1f0537821e30d6d2a41e0612b5e05bbb00c135
SHA256 6889dc4ed004634eeff3a32abed4fd05bf23e9c7c2f3227ed61092c646cb1806
SHA512 e4af3d223cdb6b4c01b50cedf06b8839f1951fa569825d14d290f28a5614156093c916897bf8e7f0aab539bb37a3911b4b5584d6ee08c689bc3f4a5f5b01672b

memory/4784-64-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Mnebeogl.exe

MD5 42c915b1dc1ba5411848765d0dcc5994
SHA1 8fb5196a237675a6b0979979e59bb61ab4049839
SHA256 10655f16f08cdad455ec884c861c1d6415fdd30f91b2713479d901f3808210f0
SHA512 a9cfb68c39531800100ca4d01c4273baf694827ad4dbd65b88341a54016b73c0967c6deeebd226620955cedf281a49307e8bb905e43c597a234019d9e238f375

memory/5024-72-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Ncdgcf32.exe

MD5 aeba101a48e9bd851ece95c6a5ad5cac
SHA1 0f888b4c0553327d8d6be86a9527172c9c47b3bf
SHA256 4f222c7ea24d74bc0ca2d00dc2f66ca99d11b128b1cb743a24bf54bf90dd1253
SHA512 a256be53da068de27f5dc2acf682d0d00efed8f9006ee94ea2a990a5ab06faf65d411d9431395e3b4828d55bc142e31dbef07edec1deff5174638964f06e2e8a

memory/1456-79-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3400-87-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Nlmllkja.exe

MD5 f9ef871c43dfde22ab3ea03abf7c28f9
SHA1 bde58f9dcd70878f08ee2d02c76b4c2af5d9c68d
SHA256 81a25da239b81ee0990c6989605becf2705701c2d1663854859ed77858b2d425
SHA512 14a76103159bc721928032cc273ef8a32e192f3caaf737c933555c39dd470ae10c8937732a0efa424c83482a94d3b0594686f1c134c8771f4e71e0d1a38e0679

C:\Windows\SysWOW64\Neeqea32.exe

MD5 d63a2b0db64b202df0cee211fed3ad03
SHA1 4885317d384cbcde5d4fa4bad75b78382b6977d4
SHA256 884221634173640682ac58ff0caffe59e07896a97a1a828e9a2640de9ca949bc
SHA512 0e9eaadd658a1b6cf8eb29a197fca813e7c0dd19438eb118f8fd0aa676934ee421a2785dc4f0d378f823f99b7a992bf16be62e99be7bd013ce645a6cc2ba9562

memory/1256-96-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Nloiakho.exe

MD5 394f3567ef45693f86e1e80a0218906f
SHA1 82d8731a17e71b9f6579e4333f96124a843ae44b
SHA256 5a445659f486bbe7e9b95218e4cfc4c5651ab27679857a3ff2f0860f49b50e95
SHA512 48d4410447f85f44bdd7709ef388dcabceda9186824e545c1174f776d806e9afe8705c0bb33d461ac2feb2317f19e11dd3a9755be2e4f1c2fbb73c9738438a91

memory/2104-103-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Nggjdc32.exe

MD5 684547473f82574c53e335a9a3f0cb33
SHA1 37e7484cacf45b7a1e7987beb27d5fdccff5c1bd
SHA256 48257ccfc7abfb6a9739ca904acf2f935b3d240a2cd74731b829cf3839174d0f
SHA512 124a5698144caa9ab709d73dd4da21bbd96585a2dd93351051712749fbe8889d60ca5569c769fd170391a4885bf061628f747dbca5f4c9b6e5e0792ebecae1a9

memory/1972-112-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Nnqbanmo.exe

MD5 906ee72e81725d60e30839d308031ed9
SHA1 4a60542cdaf67aee47a2b1455f7c2e8577a12a02
SHA256 11a5339b87ce904401c19960f202a3748ca79fa396f9d25b6b4c236230fa30e2
SHA512 1ad1d0bfdbdf24acdf09de6f8fb12e115482f27a9f038daa19efc1a9d6027fc47b187e7a32561c796cdfe65e437784e3e16c04bae511caee02e5b207a1fcfda7

memory/3024-120-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Oncofm32.exe

MD5 b5a4e2dbf80d6fd6e319d3c7b6737a6d
SHA1 6206c0975ec22f029ecdd33c29a0aba1c5d783fe
SHA256 f049607672553295f2bf32e5d65f4de0755ae854987f132976599647c18fea99
SHA512 0af84452117a36f8f05a7373164cf2a57d8377f14c2016c7a5720bd8435980b3fc1022ff78fa711701ed00b02c870945c3b0481684e0614069ce717b56ca6ec9

memory/4596-128-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Odmgcgbi.exe

MD5 fd39674ae4a45595608f0744fd990221
SHA1 c8230906101d9bcc601034499a0547bd3deb8a5e
SHA256 451bf4630b4c7010a9d6b26ec3b08af8d60806dc16e25d422b8b6eabe167d749
SHA512 70c75ed5e004afcc02a0a56dafdf331a3b70e7ad9c3c0f592787dd250d6cca4bf92973c3855098b1520cf392f9635d570cd1ea36f3316006210292ec6124b7cd

memory/4616-137-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Olhlhjpd.exe

MD5 1203ec78a8499bacd41e77c9fad5ec09
SHA1 a67c7f133e602a7960b5c53413ecc6598c4b8aea
SHA256 2970bc6449add2bc082514f2c14821c7c8362c93184d69395051717b0c032321
SHA512 f23b5defe03396c5b9690c0d28b828965de1caddb083d81156b512b61ba8a6fcc8de0dbd3195ac82d343a78e7521a2eb706ca15ead0859d4662ab13c0004991d

memory/4992-143-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Odapnf32.exe

MD5 00dd76973ae80772ac9cdccfb2dd8962
SHA1 f809ce92d23195f9703b190a42cde5a582c5845f
SHA256 97e973947898e140549a24f3993fbc498cccb679da11abe10b0ebe301591cffd
SHA512 f4b2365c2b81e7516085a8b59a5324dad1c8c6cf1b03ae6280e3e0133a773783d6d6cb193158d1d388eb1b2e0a94484bc593a356ae8e6d01bfb6b71ac37386a5

memory/3004-156-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Ogpmjb32.exe

MD5 bfac207f8470cd1796478927eacac477
SHA1 434d993c65d4fff8459b16da1b6662f46bf5b29b
SHA256 b83643d72887076039f5d85e982780a0cce28efb675b734ce7b5b4af3e773360
SHA512 3d4f4c9067c87cbce56fdd208ed49af9502d7bb7bfcd02274d504c2a990f90ec610a6e111c414ce86758182f8b969c90f0ec00cfb4fddb5064739175e017b742

memory/4228-160-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Onjegled.exe

MD5 1230c43dc2dc474850de6e84bd7ee576

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 12:28

Reported

2024-11-11 12:30

Platform

win7-20241010-en

Max time kernel

74s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bmjhdi32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jjkiie32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fgjkmijh.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ieppjclf.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Caepdk32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Egchmfnd.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ghgjflof.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nfpnnk32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bcoffd32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nmacej32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Caepdk32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmecokhm.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kninog32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nalldh32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hpjeknfi.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jjilde32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Oingii32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bmjhdi32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dmcgik32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Nmacej32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Pcnhmdli.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gpeoakhc.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dibhjokm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dkmghe32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cahmik32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nklaipbj.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Clnhajlc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dhaefepn.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cejfckie.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oophlpag.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aialjgbh.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Qifpqi32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jidbifmb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bghfacem.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Odfofhic.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ileoknhh.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jafmngde.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Jdjgfomh.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Niqgof32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Abeghmmn.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dkmghe32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Eqnillbb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Lelljepm.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fkambhgf.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Idemkp32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Abeghmmn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Cbnfmo32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ibmkbh32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gpeoakhc.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kbkgig32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Kdlpkb32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Oiljcj32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Papank32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ekhjlioa.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Milaecdp.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Oeegnj32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Dkbnhq32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fbfldc32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hdhnal32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Kkckblgq.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Oeegnj32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qoaaqb32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fkoqmhii.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Fkoqmhii.exe | N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Lcppgbjd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Lpgqlc32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Nklaipbj.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Nmacej32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Odfofhic.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pcnhmdli.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pdigkk32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qifpqi32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Aidpjm32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Bleilh32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Bbannb32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Bbcjca32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Clnhajlc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Dibhjokm.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Dekeeonn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Dkjkcfjc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Dkmghe32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Egchmfnd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Elpqemll.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Eqnillbb.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Ekhjlioa.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Emggflfc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Fbfldc32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Fkoqmhii.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Fkambhgf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Feiaknmg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Fgjkmijh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Gpeoakhc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Gindjqnc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Gipqpplq.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Gfdaid32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Ghgjflof.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Hlecmkel.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Hdqhambg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Hpjeknfi.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Hdhnal32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Hmpbja32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Ibmkbh32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Ileoknhh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Ilhlan32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Ieppjclf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Idemkp32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Innbde32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Jidbifmb.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Jdjgfomh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Jlekja32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Jjilde32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Jjkiie32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Jafmngde.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Jcfjhj32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Kbkgig32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Kkckblgq.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Kdlpkb32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Kcamln32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Kninog32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Liboodmk.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Liekddkh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Lelljepm.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Lmcdkbao.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Milaecdp.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Mnncii32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Nmgjee32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Nfpnnk32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Nokcbm32.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Lcppgbjd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Lcppgbjd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Lpgqlc32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Lpgqlc32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Nklaipbj.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Nklaipbj.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Nmacej32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Nmacej32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Odfofhic.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Odfofhic.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pcnhmdli.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pcnhmdli.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pdigkk32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Pdigkk32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qifpqi32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Qifpqi32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Aidpjm32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Aidpjm32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Bleilh32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Bleilh32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Bbannb32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Bbannb32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Bbcjca32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Bbcjca32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Clnhajlc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Clnhajlc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Dibhjokm.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Dibhjokm.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Dekeeonn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Dekeeonn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Dkjkcfjc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Dkjkcfjc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Dkmghe32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Dkmghe32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Egchmfnd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Egchmfnd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Elpqemll.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Elpqemll.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Eqnillbb.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Eqnillbb.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Ekhjlioa.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Ekhjlioa.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Emggflfc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Emggflfc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Fbfldc32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Fbfldc32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Fkoqmhii.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Fkoqmhii.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Fkambhgf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Fkambhgf.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Feiaknmg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Feiaknmg.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Fgjkmijh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Fgjkmijh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Gpeoakhc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Gpeoakhc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Gindjqnc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Gindjqnc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Gipqpplq.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Gipqpplq.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Gfdaid32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Gfdaid32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\Ieppjclf.exe | C:\Windows\SysWOW64\Ilhlan32.exe | N/A
File created | C:\Windows\SysWOW64\Dgiomabc.exe | C:\Windows\SysWOW64\Dkbnhq32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Odfofhic.exe | C:\Windows\SysWOW64\Nmacej32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Clnhajlc.exe | C:\Windows\SysWOW64\Bbcjca32.exe | N/A
File created | C:\Windows\SysWOW64\Cbfajl32.dll | C:\Windows\SysWOW64\Elpqemll.exe | N/A
File created | C:\Windows\SysWOW64\Gniiomgc.dll | C:\Windows\SysWOW64\Jdjgfomh.exe | N/A
File created | C:\Windows\SysWOW64\Mnncii32.exe | C:\Windows\SysWOW64\Milaecdp.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Dcblgbfe.exe | C:\Windows\SysWOW64\Dmecokhm.exe | N/A
File created | C:\Windows\SysWOW64\Gmapcm32.dll | C:\Windows\SysWOW64\Odfofhic.exe | N/A
File created | C:\Windows\SysWOW64\Kcmelmkh.dll | C:\Windows\SysWOW64\Aidpjm32.exe | N/A
File created | C:\Windows\SysWOW64\Ekhjlioa.exe | C:\Windows\SysWOW64\Eqnillbb.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Hdqhambg.exe | C:\Windows\SysWOW64\Hlecmkel.exe | N/A
File created | C:\Windows\SysWOW64\Degjpgmg.dll | C:\Windows\SysWOW64\Jidbifmb.exe | N/A
File created | C:\Windows\SysWOW64\Opgcne32.dll | C:\Windows\SysWOW64\Ngkaaolf.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Oingii32.exe | C:\Windows\SysWOW64\Odanqb32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Bmjhdi32.exe | C:\Windows\SysWOW64\Bcoffd32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Nklaipbj.exe | C:\Windows\SysWOW64\Lpgqlc32.exe | N/A
File created | C:\Windows\SysWOW64\Odfofhic.exe | C:\Windows\SysWOW64\Nmacej32.exe | N/A
File created | C:\Windows\SysWOW64\Dlhlca32.dll | C:\Windows\SysWOW64\Dmcgik32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Codgbqmc.exe | C:\Windows\SysWOW64\Cbnfmo32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Caepdk32.exe | C:\Windows\SysWOW64\Codgbqmc.exe | N/A
File created | C:\Windows\SysWOW64\Modipl32.dll | C:\Windows\SysWOW64\Dgiomabc.exe | N/A
File created | C:\Windows\SysWOW64\Kcamln32.exe | C:\Windows\SysWOW64\Kdlpkb32.exe | N/A
File created | C:\Windows\SysWOW64\Nmgjee32.exe | C:\Windows\SysWOW64\Mnncii32.exe | N/A
File created | C:\Windows\SysWOW64\Ecgckc32.dll | C:\Windows\SysWOW64\Ileoknhh.exe | N/A
File created | C:\Windows\SysWOW64\Cimjoaod.dll | C:\Windows\SysWOW64\Plcied32.exe | N/A
File created | C:\Windows\SysWOW64\Pnllnk32.exe | C:\Windows\SysWOW64\Phocfd32.exe | N/A
File created | C:\Windows\SysWOW64\Eceimadb.exe | C:\Windows\SysWOW64\Dcblgbfe.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Gindjqnc.exe | C:\Windows\SysWOW64\Gpeoakhc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Ileoknhh.exe | C:\Windows\SysWOW64\Ibmkbh32.exe | N/A
File created | C:\Windows\SysWOW64\Doegcd32.dll | C:\Windows\SysWOW64\Niqgof32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Papank32.exe | C:\Windows\SysWOW64\Plcied32.exe | N/A
File created | C:\Windows\SysWOW64\Cejfckie.exe | C:\Windows\SysWOW64\Behinlkh.exe | N/A
File created | C:\Windows\SysWOW64\Bhonin32.dll | C:\Windows\SysWOW64\Emggflfc.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Niqgof32.exe | C:\Windows\SysWOW64\Nokcbm32.exe | N/A
File created | C:\Windows\SysWOW64\Oingii32.exe | C:\Windows\SysWOW64\Odanqb32.exe | N/A
File created | C:\Windows\SysWOW64\Dmecokhm.exe | C:\Windows\SysWOW64\Dcpoab32.exe | N/A
File created | C:\Windows\SysWOW64\Hddpfjgq.dll | C:\Windows\SysWOW64\Nmgjee32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Gpeoakhc.exe | C:\Windows\SysWOW64\Fgjkmijh.exe | N/A
File created | C:\Windows\SysWOW64\Liekddkh.exe | C:\Windows\SysWOW64\Liboodmk.exe | N/A
File created | C:\Windows\SysWOW64\Hpjeknfi.exe | C:\Windows\SysWOW64\Hdqhambg.exe | N/A
File created | C:\Windows\SysWOW64\Hmpbja32.exe | C:\Windows\SysWOW64\Hdhnal32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Liekddkh.exe | C:\Windows\SysWOW64\Liboodmk.exe | N/A
File created | C:\Windows\SysWOW64\Ipekokia.dll | C:\Windows\SysWOW64\Gfdaid32.exe | N/A
File created | C:\Windows\SysWOW64\Okhjcncb.dll | C:\Windows\SysWOW64\Ghgjflof.exe | N/A
File created | C:\Windows\SysWOW64\Egchmfnd.exe | C:\Windows\SysWOW64\Dkmghe32.exe | N/A
File created | C:\Windows\SysWOW64\Fkoqmhii.exe | C:\Windows\SysWOW64\Fbfldc32.exe | N/A
File created | C:\Windows\SysWOW64\Hdhnal32.exe | C:\Windows\SysWOW64\Hpjeknfi.exe | N/A
File created | C:\Windows\SysWOW64\Kninog32.exe | C:\Windows\SysWOW64\Kcamln32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Milaecdp.exe | C:\Windows\SysWOW64\Lmcdkbao.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Odanqb32.exe | C:\Windows\SysWOW64\Oiljcj32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Lpgqlc32.exe | C:\Windows\SysWOW64\Lcppgbjd.exe | N/A
File created | C:\Windows\SysWOW64\Pdigkk32.exe | C:\Windows\SysWOW64\Pcnhmdli.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Bghfacem.exe | C:\Windows\SysWOW64\Aialjgbh.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Oeegnj32.exe | C:\Windows\SysWOW64\Oingii32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Ajgfnk32.exe | C:\Windows\SysWOW64\Qoaaqb32.exe | N/A
File created | C:\Windows\SysWOW64\Ogjaqc32.dll | C:\Windows\SysWOW64\Egchmfnd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Jafmngde.exe | C:\Windows\SysWOW64\Jjkiie32.exe | N/A
File created | C:\Windows\SysWOW64\Kihjmonk.dll | C:\Windows\SysWOW64\Jjilde32.exe | N/A
File created | C:\Windows\SysWOW64\Hjidml32.dll | C:\Windows\SysWOW64\Lelljepm.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Nkdpmn32.exe | C:\Windows\SysWOW64\Nalldh32.exe | N/A
File created | C:\Windows\SysWOW64\Eqnillbb.exe | C:\Windows\SysWOW64\Elpqemll.exe | N/A
File created | C:\Windows\SysWOW64\Ilhlan32.exe | C:\Windows\SysWOW64\Ileoknhh.exe | N/A
File created | C:\Windows\SysWOW64\Nklaipbj.exe | C:\Windows\SysWOW64\Lpgqlc32.exe | N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Eceimadb.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkmghe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Codgbqmc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmcgik32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcnhmdli.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fgjkmijh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lmcdkbao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Milaecdp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Podbgo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qoaaqb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cahmik32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdigkk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jcfjhj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nokcbm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gfdaid32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhaefepn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dcpoab32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bleilh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hpjeknfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkckblgq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lelljepm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oophlpag.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hdqhambg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Liboodmk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkbnhq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eqnillbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gindjqnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjilde32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjkiie32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkplgoop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eceimadb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lpgqlc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bbannb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oiljcj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hmpbja32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nalldh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gpeoakhc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Caepdk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qifpqi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fkoqmhii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akmlacdn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Behinlkh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Emggflfc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oeegnj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Biahijec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ileoknhh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dcblgbfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fkambhgf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ghgjflof.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ilhlan32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kcamln32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mnncii32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aialjgbh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hlecmkel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oingii32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Plcied32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmecokhm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odfofhic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkjkcfjc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nfpnnk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dgiomabc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdlpkb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ekhjlioa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jafmngde.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkfbm32.dll" C:\Windows\SysWOW64\Dcblgbfe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hdqhambg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jidbifmb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kdlpkb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Podbgo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmjhdi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Caepdk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Clnhajlc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Elpqemll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqghocek.dll" C:\Windows\SysWOW64\Kkckblgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oingii32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Abeghmmn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ekhjlioa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bghfacem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Odfofhic.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qifpqi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jjkiie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdcfmgg.dll" C:\Windows\SysWOW64\Abeghmmn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bghfacem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fkambhgf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jlekja32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Oiljcj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lneggnqk.dll" C:\Windows\SysWOW64\Gpeoakhc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hmpbja32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ilhlan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dcpoab32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ocihgo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aidpjm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hdqhambg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Innbde32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nmgjee32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Oingii32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pkplgoop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dekeeonn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hlecmkel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Niqgof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Podbgo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Phocfd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hplmnbjm.dll" C:\Windows\SysWOW64\Lpgqlc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgjkje32.dll" C:\Windows\SysWOW64\Fbfldc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ibmkbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agefobee.dll" C:\Windows\SysWOW64\Podbgo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aialjgbh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nmacej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloimaiq.dll" C:\Windows\SysWOW64\Jcfjhj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ekhjlioa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jafmngde.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jcfjhj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eocmep32.dll" C:\Windows\SysWOW64\Mnncii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oiljcj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nokcbm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nkdpmn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghboifle.dll" C:\Windows\SysWOW64\Nmacej32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gfdaid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ibmkbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjidml32.dll" C:\Windows\SysWOW64\Lelljepm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cejfckie.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dibhjokm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dkmghe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gindjqnc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kkckblgq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mnncii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaegla32.dll" C:\Windows\SysWOW64\Nklaipbj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe C:\Windows\SysWOW64\Lcppgbjd.exe
PID 1940 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe C:\Windows\SysWOW64\Lcppgbjd.exe
PID 1940 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe C:\Windows\SysWOW64\Lcppgbjd.exe
PID 1940 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe C:\Windows\SysWOW64\Lcppgbjd.exe
PID 2368 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Lcppgbjd.exe C:\Windows\SysWOW64\Lpgqlc32.exe
PID 2368 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Lcppgbjd.exe C:\Windows\SysWOW64\Lpgqlc32.exe
PID 2368 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Lcppgbjd.exe C:\Windows\SysWOW64\Lpgqlc32.exe
PID 2368 wrote to memory of 1984 N/A C:\Windows\SysWOW64\Lcppgbjd.exe C:\Windows\SysWOW64\Lpgqlc32.exe
PID 1984 wrote to memory of 2168 N/A C:\Windows\SysWOW64\Lpgqlc32.exe C:\Windows\SysWOW64\Nklaipbj.exe
PID 1984 wrote to memory of 2168 N/A C:\Windows\SysWOW64\Lpgqlc32.exe C:\Windows\SysWOW64\Nklaipbj.exe
PID 1984 wrote to memory of 2168 N/A C:\Windows\SysWOW64\Lpgqlc32.exe C:\Windows\SysWOW64\Nklaipbj.exe
PID 1984 wrote to memory of 2168 N/A C:\Windows\SysWOW64\Lpgqlc32.exe C:\Windows\SysWOW64\Nklaipbj.exe
PID 2168 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Nklaipbj.exe C:\Windows\SysWOW64\Nmacej32.exe
PID 2168 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Nklaipbj.exe C:\Windows\SysWOW64\Nmacej32.exe
PID 2168 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Nklaipbj.exe C:\Windows\SysWOW64\Nmacej32.exe
PID 2168 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Nklaipbj.exe C:\Windows\SysWOW64\Nmacej32.exe
PID 3040 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Nmacej32.exe C:\Windows\SysWOW64\Odfofhic.exe
PID 3040 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Nmacej32.exe C:\Windows\SysWOW64\Odfofhic.exe
PID 3040 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Nmacej32.exe C:\Windows\SysWOW64\Odfofhic.exe
PID 3040 wrote to memory of 2920 N/A C:\Windows\SysWOW64\Nmacej32.exe C:\Windows\SysWOW64\Odfofhic.exe
PID 2920 wrote to memory of 2564 N/A C:\Windows\SysWOW64\Odfofhic.exe C:\Windows\SysWOW64\Pcnhmdli.exe
PID 2920 wrote to memory of 2564 N/A C:\Windows\SysWOW64\Odfofhic.exe C:\Windows\SysWOW64\Pcnhmdli.exe
PID 2920 wrote to memory of 2564 N/A C:\Windows\SysWOW64\Odfofhic.exe C:\Windows\SysWOW64\Pcnhmdli.exe
PID 2920 wrote to memory of 2564 N/A C:\Windows\SysWOW64\Odfofhic.exe C:\Windows\SysWOW64\Pcnhmdli.exe
PID 2564 wrote to memory of 3004 N/A C:\Windows\SysWOW64\Pcnhmdli.exe C:\Windows\SysWOW64\Pdigkk32.exe
PID 2564 wrote to memory of 3004 N/A C:\Windows\SysWOW64\Pcnhmdli.exe C:\Windows\SysWOW64\Pdigkk32.exe
PID 2564 wrote to memory of 3004 N/A C:\Windows\SysWOW64\Pcnhmdli.exe C:\Windows\SysWOW64\Pdigkk32.exe
PID 2564 wrote to memory of 3004 N/A C:\Windows\SysWOW64\Pcnhmdli.exe C:\Windows\SysWOW64\Pdigkk32.exe
PID 3004 wrote to memory of 1248 N/A C:\Windows\SysWOW64\Pdigkk32.exe C:\Windows\SysWOW64\Qifpqi32.exe
PID 3004 wrote to memory of 1248 N/A C:\Windows\SysWOW64\Pdigkk32.exe C:\Windows\SysWOW64\Qifpqi32.exe
PID 3004 wrote to memory of 1248 N/A C:\Windows\SysWOW64\Pdigkk32.exe C:\Windows\SysWOW64\Qifpqi32.exe
PID 3004 wrote to memory of 1248 N/A C:\Windows\SysWOW64\Pdigkk32.exe C:\Windows\SysWOW64\Qifpqi32.exe
PID 1248 wrote to memory of 2132 N/A C:\Windows\SysWOW64\Qifpqi32.exe C:\Windows\SysWOW64\Aidpjm32.exe
PID 1248 wrote to memory of 2132 N/A C:\Windows\SysWOW64\Qifpqi32.exe C:\Windows\SysWOW64\Aidpjm32.exe
PID 1248 wrote to memory of 2132 N/A C:\Windows\SysWOW64\Qifpqi32.exe C:\Windows\SysWOW64\Aidpjm32.exe
PID 1248 wrote to memory of 2132 N/A C:\Windows\SysWOW64\Qifpqi32.exe C:\Windows\SysWOW64\Aidpjm32.exe
PID 2132 wrote to memory of 432 N/A C:\Windows\SysWOW64\Aidpjm32.exe C:\Windows\SysWOW64\Bleilh32.exe
PID 2132 wrote to memory of 432 N/A C:\Windows\SysWOW64\Aidpjm32.exe C:\Windows\SysWOW64\Bleilh32.exe
PID 2132 wrote to memory of 432 N/A C:\Windows\SysWOW64\Aidpjm32.exe C:\Windows\SysWOW64\Bleilh32.exe
PID 2132 wrote to memory of 432 N/A C:\Windows\SysWOW64\Aidpjm32.exe C:\Windows\SysWOW64\Bleilh32.exe
PID 432 wrote to memory of 1408 N/A C:\Windows\SysWOW64\Bleilh32.exe C:\Windows\SysWOW64\Bbannb32.exe
PID 432 wrote to memory of 1408 N/A C:\Windows\SysWOW64\Bleilh32.exe C:\Windows\SysWOW64\Bbannb32.exe
PID 432 wrote to memory of 1408 N/A C:\Windows\SysWOW64\Bleilh32.exe C:\Windows\SysWOW64\Bbannb32.exe
PID 432 wrote to memory of 1408 N/A C:\Windows\SysWOW64\Bleilh32.exe C:\Windows\SysWOW64\Bbannb32.exe
PID 1408 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Bbannb32.exe C:\Windows\SysWOW64\Bbcjca32.exe
PID 1408 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Bbannb32.exe C:\Windows\SysWOW64\Bbcjca32.exe
PID 1408 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Bbannb32.exe C:\Windows\SysWOW64\Bbcjca32.exe
PID 1408 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Bbannb32.exe C:\Windows\SysWOW64\Bbcjca32.exe
PID 1340 wrote to memory of 2268 N/A C:\Windows\SysWOW64\Bbcjca32.exe C:\Windows\SysWOW64\Clnhajlc.exe
PID 1340 wrote to memory of 2268 N/A C:\Windows\SysWOW64\Bbcjca32.exe C:\Windows\SysWOW64\Clnhajlc.exe
PID 1340 wrote to memory of 2268 N/A C:\Windows\SysWOW64\Bbcjca32.exe C:\Windows\SysWOW64\Clnhajlc.exe
PID 1340 wrote to memory of 2268 N/A C:\Windows\SysWOW64\Bbcjca32.exe C:\Windows\SysWOW64\Clnhajlc.exe
PID 2268 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Clnhajlc.exe C:\Windows\SysWOW64\Dibhjokm.exe
PID 2268 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Clnhajlc.exe C:\Windows\SysWOW64\Dibhjokm.exe
PID 2268 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Clnhajlc.exe C:\Windows\SysWOW64\Dibhjokm.exe
PID 2268 wrote to memory of 2124 N/A C:\Windows\SysWOW64\Clnhajlc.exe C:\Windows\SysWOW64\Dibhjokm.exe
PID 2124 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Dibhjokm.exe C:\Windows\SysWOW64\Dekeeonn.exe
PID 2124 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Dibhjokm.exe C:\Windows\SysWOW64\Dekeeonn.exe
PID 2124 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Dibhjokm.exe C:\Windows\SysWOW64\Dekeeonn.exe
PID 2124 wrote to memory of 1260 N/A C:\Windows\SysWOW64\Dibhjokm.exe C:\Windows\SysWOW64\Dekeeonn.exe
PID 1260 wrote to memory of 856 N/A C:\Windows\SysWOW64\Dekeeonn.exe C:\Windows\SysWOW64\Dkjkcfjc.exe
PID 1260 wrote to memory of 856 N/A C:\Windows\SysWOW64\Dekeeonn.exe C:\Windows\SysWOW64\Dkjkcfjc.exe
PID 1260 wrote to memory of 856 N/A C:\Windows\SysWOW64\Dekeeonn.exe C:\Windows\SysWOW64\Dkjkcfjc.exe
PID 1260 wrote to memory of 856 N/A C:\Windows\SysWOW64\Dekeeonn.exe C:\Windows\SysWOW64\Dkjkcfjc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe

"C:\Users\Admin\AppData\Local\Temp\08a30dee9cfecef451b9d1ad2da84da3bcd74309a5c55ba276b9e8d3b03b2f48N.exe"

C:\Windows\SysWOW64\Lcppgbjd.exe

C:\Windows\system32\Lcppgbjd.exe

C:\Windows\SysWOW64\Lpgqlc32.exe

C:\Windows\system32\Lpgqlc32.exe

C:\Windows\SysWOW64\Nklaipbj.exe

C:\Windows\system32\Nklaipbj.exe

C:\Windows\SysWOW64\Nmacej32.exe

C:\Windows\system32\Nmacej32.exe

C:\Windows\SysWOW64\Odfofhic.exe

C:\Windows\system32\Odfofhic.exe

C:\Windows\SysWOW64\Pcnhmdli.exe

C:\Windows\system32\Pcnhmdli.exe

C:\Windows\SysWOW64\Pdigkk32.exe

C:\Windows\system32\Pdigkk32.exe

C:\Windows\SysWOW64\Qifpqi32.exe

C:\Windows\system32\Qifpqi32.exe

C:\Windows\SysWOW64\Aidpjm32.exe

C:\Windows\system32\Aidpjm32.exe

C:\Windows\SysWOW64\Bleilh32.exe

C:\Windows\system32\Bleilh32.exe

C:\Windows\SysWOW64\Bbannb32.exe

C:\Windows\system32\Bbannb32.exe

C:\Windows\SysWOW64\Bbcjca32.exe

C:\Windows\system32\Bbcjca32.exe

C:\Windows\SysWOW64\Clnhajlc.exe

C:\Windows\system32\Clnhajlc.exe

C:\Windows\SysWOW64\Dibhjokm.exe

C:\Windows\system32\Dibhjokm.exe

C:\Windows\SysWOW64\Dekeeonn.exe

C:\Windows\system32\Dekeeonn.exe

C:\Windows\SysWOW64\Dkjkcfjc.exe

C:\Windows\system32\Dkjkcfjc.exe

C:\Windows\SysWOW64\Dkmghe32.exe

C:\Windows\system32\Dkmghe32.exe

C:\Windows\SysWOW64\Egchmfnd.exe

C:\Windows\system32\Egchmfnd.exe

C:\Windows\SysWOW64\Elpqemll.exe

C:\Windows\system32\Elpqemll.exe

C:\Windows\SysWOW64\Eqnillbb.exe

C:\Windows\system32\Eqnillbb.exe

C:\Windows\SysWOW64\Ekhjlioa.exe

C:\Windows\system32\Ekhjlioa.exe

C:\Windows\SysWOW64\Emggflfc.exe

C:\Windows\system32\Emggflfc.exe

C:\Windows\SysWOW64\Fbfldc32.exe

C:\Windows\system32\Fbfldc32.exe

C:\Windows\SysWOW64\Fkoqmhii.exe

C:\Windows\system32\Fkoqmhii.exe

C:\Windows\SysWOW64\Fkambhgf.exe

C:\Windows\system32\Fkambhgf.exe

C:\Windows\SysWOW64\Feiaknmg.exe

C:\Windows\system32\Feiaknmg.exe

C:\Windows\SysWOW64\Fgjkmijh.exe

C:\Windows\system32\Fgjkmijh.exe

C:\Windows\SysWOW64\Gpeoakhc.exe

C:\Windows\system32\Gpeoakhc.exe

C:\Windows\SysWOW64\Gindjqnc.exe

C:\Windows\system32\Gindjqnc.exe

C:\Windows\SysWOW64\Gipqpplq.exe

C:\Windows\system32\Gipqpplq.exe

C:\Windows\SysWOW64\Gfdaid32.exe

C:\Windows\system32\Gfdaid32.exe

C:\Windows\SysWOW64\Ghgjflof.exe

C:\Windows\system32\Ghgjflof.exe

C:\Windows\SysWOW64\Hlecmkel.exe

C:\Windows\system32\Hlecmkel.exe

C:\Windows\SysWOW64\Hdqhambg.exe

C:\Windows\system32\Hdqhambg.exe

C:\Windows\SysWOW64\Hpjeknfi.exe

C:\Windows\system32\Hpjeknfi.exe

C:\Windows\SysWOW64\Hdhnal32.exe

C:\Windows\system32\Hdhnal32.exe

C:\Windows\SysWOW64\Hmpbja32.exe

C:\Windows\system32\Hmpbja32.exe

C:\Windows\SysWOW64\Ibmkbh32.exe

C:\Windows\system32\Ibmkbh32.exe

C:\Windows\SysWOW64\Ileoknhh.exe

C:\Windows\system32\Ileoknhh.exe

C:\Windows\SysWOW64\Ilhlan32.exe

C:\Windows\system32\Ilhlan32.exe

C:\Windows\SysWOW64\Ieppjclf.exe

C:\Windows\system32\Ieppjclf.exe

C:\Windows\SysWOW64\Idemkp32.exe

C:\Windows\system32\Idemkp32.exe

C:\Windows\SysWOW64\Innbde32.exe

C:\Windows\system32\Innbde32.exe

C:\Windows\SysWOW64\Jidbifmb.exe

C:\Windows\system32\Jidbifmb.exe

C:\Windows\SysWOW64\Jdjgfomh.exe

C:\Windows\system32\Jdjgfomh.exe

C:\Windows\SysWOW64\Jlekja32.exe

C:\Windows\system32\Jlekja32.exe

C:\Windows\SysWOW64\Jjilde32.exe

C:\Windows\system32\Jjilde32.exe

C:\Windows\SysWOW64\Jjkiie32.exe

C:\Windows\system32\Jjkiie32.exe

C:\Windows\SysWOW64\Jafmngde.exe

C:\Windows\system32\Jafmngde.exe

Network

N/A

Files

C:\Windows\SysWOW64\Caepdk32.exe

MD5 d038c06d36229daeff54caf2372c24ae
SHA1 ebaac4327c32c51cd7fe145a2d25d1fbf6e55f79
SHA256 b694861182efd6ec5ff18cde52226c5edf69f40ce2e831c8ff8b18121becdc44
SHA512 97d542481d975c00aba40b10b75ce2cfae821d07201168e988bf52456211ebb75f6f363f4c883b8a1774c8bbcbf4887971337926901d1153afaa6e9c58f2fd25

C:\Windows\SysWOW64\Dpmjjhmi.exe

MD5 6abd3fba7bf38dad009428fdf8bba4f3
SHA1 b3ee036a4924e5da425965bec9275e02835fda18
SHA256 faee159806316511a6fd642e1f6a5478593239e7ecd4feb82903b4b40b2da490
SHA512 793ede0750317a491a0b665bc3640808558d7108d2aa3b12fd8e5cfa22681761e0f8d5e65abdcb39d60cfd2e8c1d94b60f4bbdb2cae655e30c0a4391b7f4a857

C:\Windows\SysWOW64\Dgiomabc.exe

MD5 20e7f8d04eb2239aa4b3611a13d315dc
SHA1 4ca1aaacd78f2359cb515609fa6ad6ef8dcd58fd
SHA256 0648e91f93f93d88ef14a8018dec8122350ba0d1ade50ac1dfea5e14b2ee28c7
SHA512 4b2e285cb17949eb78ce5f7a87d4231e4f59d235a2fd8d56ba1e3856471a2d7e045167925fef386ec451a6ce357efe696d4154527f9fa0a16d7470e06154974b

C:\Windows\SysWOW64\Dmcgik32.exe

MD5 98fda40980012f446e90a0b99d9d0bd3
SHA1 250beaaee23c77417e1ab304ab179aeb08fc4a83
SHA256 b8eb0a9d30fceafb3da0fc0d4547ac75d4c2241a6a09f026d67558221ce4aabd
SHA512 eb361d4ba3852f301d2e58565f2b39d749d83b11d70b5f9ee5740f9cfc57bfc2f10764da88d6e502980e0885e7b7235bd86b459383999f4a44139b46fe6c8c08

C:\Windows\SysWOW64\Dcpoab32.exe

MD5 ee1cacd5cebd4ff8dd6b6c952fe404b9
SHA1 409c8592b27ef8d2fcc4fcfe2d1ffce7dbec6a50
SHA256 1093d4ff8613256094833f554c7e3b1a4ad5609900feb97156b70478ee034996
SHA512 bbb6a21c2bdb2e00aae15a5d1905cf69f21b04cd609e2541167b2964f59e05bafceec7c93b263a7139b360f65c80e3f53dc6d00e84ab1c5d1e9abb653f2f946e

C:\Windows\SysWOW64\Dmecokhm.exe

MD5 16f792e638a01adad9b0f67464dd7ee9
SHA1 06f79c3509bf8a965a0c04fa851d71b47cd8259a
SHA256 a923b9d8a235d36102cb466e495e8d463da5ccc3dead0254547a7eca2cff604d
SHA512 f87f1942280ec076503685e6bf17a237adee0aaf37e3eb7ae5edfb321e70fe6e00c0d25ac3fe28f4499f0b73c4954bacc50ce1d4a7ed49f694c06ef357e8b0c8

C:\Windows\SysWOW64\Dcblgbfe.exe

MD5 339e812518155c57cc72049541ccdf51
SHA1 119d49b043a395b80b15f84e6b000c4049c24033
SHA256 1e057a2744309e380e2a5d5300613c6fe6d402187d5130444526cafb4227128b
SHA512 a9c5fbb22560d42b56bca937325aeaaae3c457511813336006e3f05e7217c952951c98bc31ab3ac0c204c2d1a3da4f27048bbbe3cbac65c522677b73855547e8

C:\Windows\SysWOW64\Dkbnhq32.exe

MD5 e91a080afe31d32ea9fbf35e40398ec2
SHA1 c402ba28146249a1a46f1f662862cce3ac7f3136
SHA256 fbac41babc65f52a4da92994085a25a4070d31b779dc9b813f688ced5ac774af
SHA512 ec01c824a1f2bb3f9bd51257cf6bf67aa219e67b6b39893eb7eb2db75a9c1c6f62514427bd83a173da60ce087564f2caaf952dca50703633c6f88f1c5efc02e5

C:\Windows\SysWOW64\Dhaefepn.exe

MD5 b147af077e31e258f28f63188fcb223b
SHA1 138296614a605d62594ee08d9823bb9b5c363bcd
SHA256 99ce7d8d301f18867b72447646d6cf9e85d1724aaf5bb23da106a8e9611e510b
SHA512 02c04fdd62c48c7e1c2661c2ade74ca005e2020446489d5e7c1e606794e1e828894545e3d39ada726b998c3c6aac38e437488744585c638659c92807f5164914

C:\Windows\SysWOW64\Cahmik32.exe

MD5 769ae931c02726609f3ab6bc8dc50ef9
SHA1 f06704d36de3225d46135baf2cf51b6caf3524c0
SHA256 0dec6d945d952c66743c65f7b781cb676c679c5fcc6ee0fc41acedd86afc3839
SHA512 3d41cdbd23869b8f2cde2bf43d916f651b0f8c4dd606ee56a47d5d6c5c0e54ecacbbfa55cec731c4a856572bcc8dec06c4a6557166e3f8c8c28a87fce63969d6

memory/2368-375-0x0000000000220000-0x0000000000255000-memory.dmp

C:\Windows\SysWOW64\Eceimadb.exe

MD5 7950735278c352ecba0fc9983130cf8a
SHA1 c5e0608e4ca1b0139cc3378fdedfbb3db6f2d35b
SHA256 f179a953c2a6256537347b6f22b07170ec3c365b9bde855f376362e025b8c066
SHA512 a08c7acc0dc300084dd1a4cac57c5e8df3c8e25a11fca4c3643e17446b9d6a5d4c9662c0301d659875ae8945117bb117082186a4f6e100bfd2d18df222bf43dc

C:\Windows\SysWOW64\Gipqpplq.exe

MD5 9ad0f288f262e3496ef7a1c481bc905e
SHA1 75b4df1d2b7d27964282dcb9b5eafafbc8c446d6
SHA256 12dfeeebbcf5aca4f7e6007ebed01c98408a6f2be4b0cc6accb29195eb0beb04
SHA512 bf86736dfd3656e88cd6462b7b85f4aea50d55489dfbb4c65d4c02eb5633a725331003be39d1c789446451f547af49705490d8ae01eb14e382cca1e5a498881a

memory/2964-368-0x0000000000220000-0x0000000000255000-memory.dmp

C:\Windows\SysWOW64\Gindjqnc.exe

MD5 4bb355a939b15fb974ece7fd900ecaa1
SHA1 5a8732dbab78f3da9b74e22eca0411c8ef74818c
SHA256 1995f1cf4d1763c309e86bafe02866671ac49883e7de38da1d85c541fa9f7610
SHA512 c20631b4817823ce39ad0d0f843b69527bfafb0ddd25d339d5f7e8cfd8363b28c2e9f77adb792f2c97615d57a232045caaafd6b81feabaefb806f803bcb45187

memory/1624-354-0x0000000000440000-0x0000000000475000-memory.dmp

C:\Windows\SysWOW64\Fgjkmijh.exe

MD5 1785fc4d2b96c8b68df2ad47b741fdc7
SHA1 b3933de33ed4a2346294549f75932734af04933c
SHA256 7b4d7ae66d7fc2a997408ff25d74fa8e71f75f99606eb2c5017c1ffedede546c
SHA512 550ce35164d372ed57e7d0e53278b9251fa3e699f6009417a7c6690697464d5105c9a87577afa4b4fd10ef9827476de6e28ed40576e6cf244660e3029e6f8762

memory/2164-347-0x0000000000320000-0x0000000000355000-memory.dmp

memory/2164-343-0x0000000000320000-0x0000000000355000-memory.dmp

C:\Windows\SysWOW64\Feiaknmg.exe

MD5 a042f9e072f8ddbc00ea7d8875dd5929
SHA1 fdc3b80613e57c47b7a9bf255e09eec38a364c0e
SHA256 8d0858d139ca4d0a15f855f1f3ae91c98278fd192d3a7872d93b4f03263a446f
SHA512 571fe76160392556d2da1b024dca32291738f7f3a14cdb25adbb3562611bd73e12cc209cf838764a0781941eaad83ec09f53f7ddbf6f9a021036c2741e6b9b2c

memory/872-327-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2320-326-0x0000000000220000-0x0000000000255000-memory.dmp

C:\Windows\SysWOW64\Fkambhgf.exe

MD5 f6ca3b5b5d88646cd0c89c8780a6e0d2
SHA1 21da53f1b881aa849a56759f46348a5711cf8fac
SHA256 26baab4ab1d0222c8b53be4c6f390c4672d5a283246b254324feb97ff4f27bf1
SHA512 9cd62db2cd4f6cc3cafe793932952a2c8274c44cd43243a868f917e3bad07eb997f5b846dd0290c8f0c6e0965ef360ace0a6088c45533000b6681ff48a903fcf

memory/1748-318-0x00000000001B0000-0x00000000001E5000-memory.dmp

memory/1748-314-0x00000000001B0000-0x00000000001E5000-memory.dmp

C:\Windows\SysWOW64\Fkoqmhii.exe

MD5 3ef86eafe73bd828144ecd2b4777e09d
SHA1 d5453a2a94b435fe782ced48199910e07c03a155
SHA256 b530bbd8af6fe37fe01f8be2825e86a846ff95ee64e2fcebf0ec56c5d0985908
SHA512 e60cf1b016e511e3e3d53b8fb599fc5107f7eb7b1bf808b64038655215d1a949317c8c81bb4dd82e30adb70daa0fbbc279deda7504d84194de1773434c5c1ac2

memory/2636-304-0x0000000000220000-0x0000000000255000-memory.dmp

memory/2636-303-0x0000000000220000-0x0000000000255000-memory.dmp

C:\Windows\SysWOW64\Fbfldc32.exe

MD5 5fd9a0899c01f6ee3248eafa80a1b24c
SHA1 21a74d5b330e3b8a62a7ce6cdc75ecf2dc1cacca
SHA256 f8ea14a032eb42f474742cbe1655837713e6527e8674f510155bf23e62f09bac
SHA512 0b4902fb61c7591f80a7e9049b72dad76fbba8aaf6b9b53a1ee78864d1b7e019c89f3ae7e6a87ccf3aff095335f71a1f79490e85ee14330793893bd3f3dbaef6

memory/2096-293-0x0000000000220000-0x0000000000255000-memory.dmp

C:\Windows\SysWOW64\Emggflfc.exe

MD5 942134facaa79876c6ebe9a9de45089f
SHA1 ad7a1892685a5ca82eda3aa85fcf66280a75a4ef
SHA256 48c6b90bcda1deab41266527fa000a0416e7d6d1fa6604b64bbd6cd5af1e3bf2
SHA512 7fd1ee561922cff2dd93221d1c9f5e319e0c908d70ed9c0319b134d529fead1b8b5ced1ea826c925a696b0d6374b72da731ffbd602e028b036ef9c039836f699

C:\Windows\SysWOW64\Ekhjlioa.exe

MD5 91456cfe822b0a741f42091abf96c8d3
SHA1 15c826bb501dc7a249e6d9b511e21e2a6aee956a
SHA256 5b8c17848e006a99d424c687e1011abd5d2df9ed04ce935077c2963bc6541fa1
SHA512 a8ce744a27596ad0c6308fec1dd9cc697e8f297c53f9612086bf04159c87cf29d6c56876f3e66e0845cb1d57f3004033aa595866d2801ee3886c304374ecdcfc

memory/1744-272-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2300-271-0x0000000000220000-0x0000000000255000-memory.dmp

C:\Windows\SysWOW64\Elpqemll.exe

MD5 093472fb4446aecbc88ab5d947602fab
SHA1 e95f7ab357d63377c4e1e4a241490b0c4489cc0a
SHA256 b6df7d37eaf159a5182af98f772c4c006fc2bb43705c6fd685d76795241edaff
SHA512 51e9d3d8b5558aa2d0f138668fb61e3c42451fa229700693b2a5398dc907f78d567a4cf27607dad34ef96b93eac6d770b0417882855495ff5cf38dc39d775c20

memory/1812-251-0x0000000000230000-0x0000000000265000-memory.dmp

memory/1812-250-0x0000000000230000-0x0000000000265000-memory.dmp

memory/856-240-0x00000000001B0000-0x00000000001E5000-memory.dmp

C:\Windows\SysWOW64\Dkmghe32.exe

MD5 032f1f3b70e978f84c59b6225d2a3bcf
SHA1 e2af0df7c58f2a22c15dc02373ac712c919ca121
SHA256 3e08526d17de076b2d2d15e805d27d99a10715fb997177e784171a941347fa15
SHA512 f661a2447e312413b769d0cb270035c3b9246c40e0410c430bbca62331b4d7e8487b465430f19ac7ab3f2ecad6d26acb1929a86da7ae0b21bdecd823e143a4a0

memory/1260-228-0x0000000000220000-0x0000000000255000-memory.dmp

memory/1260-227-0x0000000000220000-0x0000000000255000-memory.dmp

memory/1260-215-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2124-213-0x0000000000220000-0x0000000000255000-memory.dmp

memory/2124-208-0x0000000000220000-0x0000000000255000-memory.dmp

memory/2268-199-0x0000000000220000-0x0000000000255000-memory.dmp

memory/2268-198-0x0000000000220000-0x0000000000255000-memory.dmp