Malware Analysis Report

2025-08-05 11:27

Sample ID 241112-rjwnbaxmel
Target a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe
SHA256 a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08
Tags berbew backdoor discovery persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08

Threat Level: Known bad

The file a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe was found to be: Known bad.

Malicious Activity Summary

Tags berbew backdoor discovery persistence

Berbew

Adds autorun key to be loaded by Explorer.exe on startup

Berbew family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-12 14:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-12 14:13
Reported 2024-11-12 14:16
Platform win7-20241010-en
Max time kernel 13s
Max time network 19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

Tags persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcfjhj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lijepc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nmgjee32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nejdjf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Biceoj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Knddcg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amhopfof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dkekmp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dlfgehqk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dilddl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcdmbk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jcfjhj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgoaap32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkfiaqgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pkfiaqgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dilddl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lkcgapjl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ollcee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Paghojip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kkckblgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lfdbcing.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Chkoef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dpdpkfga.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dalfdjdl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kkckblgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lffohikd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ndjhpcoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Amebjgai.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfgehn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cligkdlm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ogddhmdl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cahmik32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aoihaa32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dajiok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bjnhnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cahmik32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kninog32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lkfdfo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olopjddf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Panehkaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pkkblp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmhkojab.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oaqeogll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Caccnllf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kjkehhjf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mgoaap32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mcfbfaao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mfihml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dkpabqoa.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mfihml32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndjhpcoe.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Paghojip.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qmcedg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dbkffc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Noplmlok.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkkblp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mmemoe32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Panehkaj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Penjdien.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aialjgbh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lkcgapjl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lfdbcing.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mcfbfaao.exe N/A

Berbew

Tags backdoor berbew

Berbew family

Tags berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Jcdmbk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcfjhj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkckblgq.exe N/A
N/A N/A C:\Windows\SysWOW64\Knddcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjkehhjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kninog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfdbcing.exe N/A
N/A N/A C:\Windows\SysWOW64\Lffohikd.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkcgapjl.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkfdfo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lijepc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgoaap32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcfbfaao.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhckloge.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfihml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmemoe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmgjee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfpnnk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nokcbm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndjhpcoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Noplmlok.exe N/A
N/A N/A C:\Windows\SysWOW64\Nejdjf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oaqeogll.exe N/A
N/A N/A C:\Windows\SysWOW64\Oacbdg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ollcee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogddhmdl.exe N/A
N/A N/A C:\Windows\SysWOW64\Panehkaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkfiaqgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Penjdien.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkkblp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdcgeejf.exe N/A
N/A N/A C:\Windows\SysWOW64\Paghojip.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdhqpe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qmcedg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amebjgai.exe N/A
N/A N/A C:\Windows\SysWOW64\Amhopfof.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoihaa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aialjgbh.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmhkojab.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgmolb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjnhnn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Biceoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfgehn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbnfmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chkoef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Caccnllf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cligkdlm.exe N/A
N/A N/A C:\Windows\SysWOW64\Caepdk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfbhlb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cahmik32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkpabqoa.exe N/A
N/A N/A C:\Windows\SysWOW64\Dajiok32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbkffc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dalfdjdl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkekmp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlfgehqk.exe N/A
N/A N/A C:\Windows\SysWOW64\Denknngk.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpdpkfga.exe N/A
N/A N/A C:\Windows\SysWOW64\Dilddl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eceimadb.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcdmbk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcdmbk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcfjhj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcfjhj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkckblgq.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkckblgq.exe N/A
N/A N/A C:\Windows\SysWOW64\Knddcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knddcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjkehhjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjkehhjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kninog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kninog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfdbcing.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfdbcing.exe N/A
N/A N/A C:\Windows\SysWOW64\Lffohikd.exe N/A
N/A N/A C:\Windows\SysWOW64\Lffohikd.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkcgapjl.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkcgapjl.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkfdfo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkfdfo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lijepc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lijepc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgoaap32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgoaap32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcfbfaao.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcfbfaao.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhckloge.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhckloge.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfihml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfihml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmemoe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmemoe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmgjee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmgjee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfpnnk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfpnnk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nokcbm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nokcbm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndjhpcoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndjhpcoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Noplmlok.exe N/A
N/A N/A C:\Windows\SysWOW64\Noplmlok.exe N/A
N/A N/A C:\Windows\SysWOW64\Nejdjf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nejdjf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oaqeogll.exe N/A
N/A N/A C:\Windows\SysWOW64\Oaqeogll.exe N/A
N/A N/A C:\Windows\SysWOW64\Oacbdg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oacbdg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olopjddf.exe N/A
N/A N/A C:\Windows\SysWOW64\Olopjddf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogddhmdl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogddhmdl.exe N/A
N/A N/A C:\Windows\SysWOW64\Panehkaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Panehkaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkfiaqgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkfiaqgk.exe N/A
N/A N/A C:\Windows\SysWOW64\Penjdien.exe N/A
N/A N/A C:\Windows\SysWOW64\Penjdien.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkkblp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkkblp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdcgeejf.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdcgeejf.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Bfkfbm32.dll C:\Windows\SysWOW64\Dilddl32.exe N/A
File created C:\Windows\SysWOW64\Knddcg32.exe C:\Windows\SysWOW64\Kkckblgq.exe N/A
File created C:\Windows\SysWOW64\Eobjmken.dll C:\Windows\SysWOW64\Bjnhnn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Chkoef32.exe C:\Windows\SysWOW64\Cbnfmo32.exe N/A
File created C:\Windows\SysWOW64\Caepdk32.exe C:\Windows\SysWOW64\Cligkdlm.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkekmp32.exe C:\Windows\SysWOW64\Dalfdjdl.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcfbfaao.exe C:\Windows\SysWOW64\Mgoaap32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mmemoe32.exe C:\Windows\SysWOW64\Mfihml32.exe N/A
File created C:\Windows\SysWOW64\Aialjgbh.exe C:\Windows\SysWOW64\Aoihaa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Caepdk32.exe C:\Windows\SysWOW64\Cligkdlm.exe N/A
File created C:\Windows\SysWOW64\Dilddl32.exe C:\Windows\SysWOW64\Dpdpkfga.exe N/A
File created C:\Windows\SysWOW64\Bjnhnn32.exe C:\Windows\SysWOW64\Bgmolb32.exe N/A
File created C:\Windows\SysWOW64\Dkpabqoa.exe C:\Windows\SysWOW64\Cahmik32.exe N/A
File created C:\Windows\SysWOW64\Pbkkql32.dll C:\Windows\SysWOW64\Mhckloge.exe N/A
File created C:\Windows\SysWOW64\Nejdjf32.exe C:\Windows\SysWOW64\Noplmlok.exe N/A
File created C:\Windows\SysWOW64\Ollcee32.exe C:\Windows\SysWOW64\Oacbdg32.exe N/A
File created C:\Windows\SysWOW64\Hnjfjm32.dll C:\Windows\SysWOW64\Penjdien.exe N/A
File opened for modification C:\Windows\SysWOW64\Amhopfof.exe C:\Windows\SysWOW64\Amebjgai.exe N/A
File created C:\Windows\SysWOW64\Ihdhmkjd.dll C:\Windows\SysWOW64\Paghojip.exe N/A
File created C:\Windows\SysWOW64\Dbkffc32.exe C:\Windows\SysWOW64\Dajiok32.exe N/A
File created C:\Windows\SysWOW64\Aecmfopg.dll C:\Windows\SysWOW64\Lijepc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndjhpcoe.exe C:\Windows\SysWOW64\Nokcbm32.exe N/A
File created C:\Windows\SysWOW64\Pkfiaqgk.exe C:\Windows\SysWOW64\Panehkaj.exe N/A
File created C:\Windows\SysWOW64\Penjdien.exe C:\Windows\SysWOW64\Pkfiaqgk.exe N/A
File created C:\Windows\SysWOW64\Pkkblp32.exe C:\Windows\SysWOW64\Penjdien.exe N/A
File created C:\Windows\SysWOW64\Noplmlok.exe C:\Windows\SysWOW64\Ndjhpcoe.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfgehn32.exe C:\Windows\SysWOW64\Biceoj32.exe N/A
File created C:\Windows\SysWOW64\Cmmlkk32.dll C:\Windows\SysWOW64\Kkckblgq.exe N/A
File created C:\Windows\SysWOW64\Mcfbfaao.exe C:\Windows\SysWOW64\Mgoaap32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mhckloge.exe C:\Windows\SysWOW64\Mcfbfaao.exe N/A
File created C:\Windows\SysWOW64\Ppfhfkhm.dll C:\Windows\SysWOW64\Mcfbfaao.exe N/A
File created C:\Windows\SysWOW64\Nmgjee32.exe C:\Windows\SysWOW64\Mmemoe32.exe N/A
File created C:\Windows\SysWOW64\Biceoj32.exe C:\Windows\SysWOW64\Bjnhnn32.exe N/A
File created C:\Windows\SysWOW64\Ngcjbg32.dll C:\Windows\SysWOW64\Caccnllf.exe N/A
File created C:\Windows\SysWOW64\Paebkkhn.dll C:\Windows\SysWOW64\Cligkdlm.exe N/A
File opened for modification C:\Windows\SysWOW64\Kkckblgq.exe C:\Windows\SysWOW64\Jcfjhj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgoaap32.exe C:\Windows\SysWOW64\Lijepc32.exe N/A
File created C:\Windows\SysWOW64\Ogddhmdl.exe C:\Windows\SysWOW64\Olopjddf.exe N/A
File opened for modification C:\Windows\SysWOW64\Pkkblp32.exe C:\Windows\SysWOW64\Penjdien.exe N/A
File created C:\Windows\SysWOW64\Hegfajbc.dll C:\Windows\SysWOW64\Qdhqpe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfbhlb32.exe C:\Windows\SysWOW64\Caepdk32.exe N/A
File created C:\Windows\SysWOW64\Flnjii32.dll C:\Windows\SysWOW64\Caepdk32.exe N/A
File created C:\Windows\SysWOW64\Dcemgk32.dll C:\Windows\SysWOW64\Aoihaa32.exe N/A
File created C:\Windows\SysWOW64\Cfbhlb32.exe C:\Windows\SysWOW64\Caepdk32.exe N/A
File created C:\Windows\SysWOW64\Inpiogfm.dll C:\Windows\SysWOW64\Denknngk.exe N/A
File opened for modification C:\Windows\SysWOW64\Kjkehhjf.exe C:\Windows\SysWOW64\Knddcg32.exe N/A
File created C:\Windows\SysWOW64\Jdekhe32.dll C:\Windows\SysWOW64\Lkcgapjl.exe N/A
File opened for modification C:\Windows\SysWOW64\Penjdien.exe C:\Windows\SysWOW64\Pkfiaqgk.exe N/A
File created C:\Windows\SysWOW64\Mikelp32.dll C:\Windows\SysWOW64\Amebjgai.exe N/A
File opened for modification C:\Windows\SysWOW64\Dalfdjdl.exe C:\Windows\SysWOW64\Dbkffc32.exe N/A
File created C:\Windows\SysWOW64\Jcfjhj32.exe C:\Windows\SysWOW64\Jcdmbk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kninog32.exe C:\Windows\SysWOW64\Kjkehhjf.exe N/A
File created C:\Windows\SysWOW64\Eohhqjab.dll C:\Windows\SysWOW64\Lffohikd.exe N/A
File created C:\Windows\SysWOW64\Lijepc32.exe C:\Windows\SysWOW64\Lkfdfo32.exe N/A
File created C:\Windows\SysWOW64\Mhckloge.exe C:\Windows\SysWOW64\Mcfbfaao.exe N/A
File created C:\Windows\SysWOW64\Kcclakie.dll C:\Windows\SysWOW64\Dbkffc32.exe N/A
File created C:\Windows\SysWOW64\Djnbkg32.dll C:\Windows\SysWOW64\Dpdpkfga.exe N/A
File created C:\Windows\SysWOW64\Bleppqce.dll C:\Windows\SysWOW64\Dkekmp32.exe N/A
File created C:\Windows\SysWOW64\Hddpfjgq.dll C:\Windows\SysWOW64\Nmgjee32.exe N/A
File created C:\Windows\SysWOW64\Gdbcbcgp.dll C:\Windows\SysWOW64\Nokcbm32.exe N/A
File created C:\Windows\SysWOW64\Amebjgai.exe C:\Windows\SysWOW64\Qmcedg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Caccnllf.exe C:\Windows\SysWOW64\Chkoef32.exe N/A
File created C:\Windows\SysWOW64\Gkldecjp.dll C:\Windows\SysWOW64\Chkoef32.exe N/A
File created C:\Windows\SysWOW64\Eejqea32.dll C:\Windows\SysWOW64\Dkpabqoa.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Eceimadb.exe

System Location Discovery: System Language Discovery

Tags discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dajiok32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dalfdjdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oacbdg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogddhmdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Penjdien.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nfpnnk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Noplmlok.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lkcgapjl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lkfdfo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mcfbfaao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmhkojab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Biceoj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpdpkfga.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jcfjhj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkckblgq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmgjee32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cligkdlm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfbhlb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmemoe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Panehkaj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aoihaa32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkfiaqgk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdcgeejf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aialjgbh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Caccnllf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jcdmbk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kjkehhjf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lffohikd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbnfmo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkpabqoa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eceimadb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mfihml32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdhqpe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cahmik32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjnhnn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfgehn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dbkffc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dlfgehqk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nokcbm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ndjhpcoe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nejdjf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qmcedg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amebjgai.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Denknngk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kninog32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mhckloge.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oaqeogll.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lijepc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkekmp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olopjddf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkkblp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amhopfof.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lfdbcing.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgoaap32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ollcee32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chkoef32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Caepdk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dilddl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Knddcg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Paghojip.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgmolb32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmlkk32.dll" C:\Windows\SysWOW64\Kkckblgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dlfgehqk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aecmfopg.dll" C:\Windows\SysWOW64\Lijepc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ollcee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ogddhmdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faeaddaj.dll" C:\Windows\SysWOW64\Dajiok32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dbkffc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Panehkaj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Aoihaa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aialjgbh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jngakhdp.dll" C:\Windows\SysWOW64\Oaqeogll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nfpnnk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pkkblp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cbnfmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkpabqoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcclakie.dll" C:\Windows\SysWOW64\Dbkffc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dkekmp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdekhe32.dll" C:\Windows\SysWOW64\Lkcgapjl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mcfbfaao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mmemoe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amhopfof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcemgk32.dll" C:\Windows\SysWOW64\Aoihaa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgmolb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dilddl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kjkehhjf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oaqeogll.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Amebjgai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lijepc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddpfjgq.dll" C:\Windows\SysWOW64\Nmgjee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Panehkaj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bmhkojab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bgmolb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nokcbm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Oacbdg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjfjm32.dll" C:\Windows\SysWOW64\Penjdien.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihdhmkjd.dll" C:\Windows\SysWOW64\Paghojip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cfgehn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfgehn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chkoef32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kninog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edljdb32.dll" C:\Windows\SysWOW64\Ndjhpcoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giedhjnn.dll" C:\Windows\SysWOW64\Oacbdg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pkfiaqgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnimikan.dll" C:\Windows\SysWOW64\Bmhkojab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobjmken.dll" C:\Windows\SysWOW64\Bjnhnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbbbhigf.dll" C:\Windows\SysWOW64\Cfgehn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngcjbg32.dll" C:\Windows\SysWOW64\Caccnllf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmibhn32.dll" C:\Windows\SysWOW64\Jcdmbk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkfbm32.dll" C:\Windows\SysWOW64\Dilddl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Caccnllf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgoaap32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bjnhnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpkphm32.dll" C:\Windows\SysWOW64\Lfdbcing.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmbjkm32.dll" C:\Windows\SysWOW64\Pdcgeejf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmhkojab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfkhnhf.dll" C:\Windows\SysWOW64\Bgmolb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klheoobo.dll" C:\Windows\SysWOW64\Cbnfmo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpiogfm.dll" C:\Windows\SysWOW64\Denknngk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Knddcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohkpn32.dll" C:\Windows\SysWOW64\Dlfgehqk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dpdpkfga.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 816 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe C:\Windows\SysWOW64\Jcdmbk32.exe
PID 816 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe C:\Windows\SysWOW64\Jcdmbk32.exe
PID 816 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe C:\Windows\SysWOW64\Jcdmbk32.exe
PID 816 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe C:\Windows\SysWOW64\Jcdmbk32.exe
PID 2724 wrote to memory of 2888 N/A C:\Windows\SysWOW64\Jcdmbk32.exe C:\Windows\SysWOW64\Jcfjhj32.exe
PID 2724 wrote to memory of 2888 N/A C:\Windows\SysWOW64\Jcdmbk32.exe C:\Windows\SysWOW64\Jcfjhj32.exe
PID 2724 wrote to memory of 2888 N/A C:\Windows\SysWOW64\Jcdmbk32.exe C:\Windows\SysWOW64\Jcfjhj32.exe
PID 2724 wrote to memory of 2888 N/A C:\Windows\SysWOW64\Jcdmbk32.exe C:\Windows\SysWOW64\Jcfjhj32.exe
PID 2888 wrote to memory of 3004 N/A C:\Windows\SysWOW64\Jcfjhj32.exe C:\Windows\SysWOW64\Kkckblgq.exe
PID 2888 wrote to memory of 3004 N/A C:\Windows\SysWOW64\Jcfjhj32.exe C:\Windows\SysWOW64\Kkckblgq.exe
PID 2888 wrote to memory of 3004 N/A C:\Windows\SysWOW64\Jcfjhj32.exe C:\Windows\SysWOW64\Kkckblgq.exe
PID 2888 wrote to memory of 3004 N/A C:\Windows\SysWOW64\Jcfjhj32.exe C:\Windows\SysWOW64\Kkckblgq.exe
PID 3004 wrote to memory of 1892 N/A C:\Windows\SysWOW64\Kkckblgq.exe C:\Windows\SysWOW64\Knddcg32.exe
PID 3004 wrote to memory of 1892 N/A C:\Windows\SysWOW64\Kkckblgq.exe C:\Windows\SysWOW64\Knddcg32.exe
PID 3004 wrote to memory of 1892 N/A C:\Windows\SysWOW64\Kkckblgq.exe C:\Windows\SysWOW64\Knddcg32.exe
PID 3004 wrote to memory of 1892 N/A C:\Windows\SysWOW64\Kkckblgq.exe C:\Windows\SysWOW64\Knddcg32.exe
PID 1892 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Knddcg32.exe C:\Windows\SysWOW64\Kjkehhjf.exe
PID 1892 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Knddcg32.exe C:\Windows\SysWOW64\Kjkehhjf.exe
PID 1892 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Knddcg32.exe C:\Windows\SysWOW64\Kjkehhjf.exe
PID 1892 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Knddcg32.exe C:\Windows\SysWOW64\Kjkehhjf.exe
PID 2800 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Kjkehhjf.exe C:\Windows\SysWOW64\Kninog32.exe
PID 2800 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Kjkehhjf.exe C:\Windows\SysWOW64\Kninog32.exe
PID 2800 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Kjkehhjf.exe C:\Windows\SysWOW64\Kninog32.exe
PID 2800 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Kjkehhjf.exe C:\Windows\SysWOW64\Kninog32.exe
PID 2796 wrote to memory of 2428 N/A C:\Windows\SysWOW64\Kninog32.exe C:\Windows\SysWOW64\Lfdbcing.exe
PID 2796 wrote to memory of 2428 N/A C:\Windows\SysWOW64\Kninog32.exe C:\Windows\SysWOW64\Lfdbcing.exe
PID 2796 wrote to memory of 2428 N/A C:\Windows\SysWOW64\Kninog32.exe C:\Windows\SysWOW64\Lfdbcing.exe
PID 2796 wrote to memory of 2428 N/A C:\Windows\SysWOW64\Kninog32.exe C:\Windows\SysWOW64\Lfdbcing.exe
PID 2428 wrote to memory of 736 N/A C:\Windows\SysWOW64\Lfdbcing.exe C:\Windows\SysWOW64\Lffohikd.exe
PID 2428 wrote to memory of 736 N/A C:\Windows\SysWOW64\Lfdbcing.exe C:\Windows\SysWOW64\Lffohikd.exe
PID 2428 wrote to memory of 736 N/A C:\Windows\SysWOW64\Lfdbcing.exe C:\Windows\SysWOW64\Lffohikd.exe
PID 2428 wrote to memory of 736 N/A C:\Windows\SysWOW64\Lfdbcing.exe C:\Windows\SysWOW64\Lffohikd.exe
PID 736 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Lffohikd.exe C:\Windows\SysWOW64\Lkcgapjl.exe
PID 736 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Lffohikd.exe C:\Windows\SysWOW64\Lkcgapjl.exe
PID 736 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Lffohikd.exe C:\Windows\SysWOW64\Lkcgapjl.exe
PID 736 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Lffohikd.exe C:\Windows\SysWOW64\Lkcgapjl.exe
PID 2828 wrote to memory of 2044 N/A C:\Windows\SysWOW64\Lkcgapjl.exe C:\Windows\SysWOW64\Lkfdfo32.exe
PID 2828 wrote to memory of 2044 N/A C:\Windows\SysWOW64\Lkcgapjl.exe C:\Windows\SysWOW64\Lkfdfo32.exe
PID 2828 wrote to memory of 2044 N/A C:\Windows\SysWOW64\Lkcgapjl.exe C:\Windows\SysWOW64\Lkfdfo32.exe
PID 2828 wrote to memory of 2044 N/A C:\Windows\SysWOW64\Lkcgapjl.exe C:\Windows\SysWOW64\Lkfdfo32.exe
PID 2044 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Lkfdfo32.exe C:\Windows\SysWOW64\Lijepc32.exe
PID 2044 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Lkfdfo32.exe C:\Windows\SysWOW64\Lijepc32.exe
PID 2044 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Lkfdfo32.exe C:\Windows\SysWOW64\Lijepc32.exe
PID 2044 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Lkfdfo32.exe C:\Windows\SysWOW64\Lijepc32.exe
PID 2684 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Lijepc32.exe C:\Windows\SysWOW64\Mgoaap32.exe
PID 2684 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Lijepc32.exe C:\Windows\SysWOW64\Mgoaap32.exe
PID 2684 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Lijepc32.exe C:\Windows\SysWOW64\Mgoaap32.exe
PID 2684 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Lijepc32.exe C:\Windows\SysWOW64\Mgoaap32.exe
PID 2104 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Mgoaap32.exe C:\Windows\SysWOW64\Mcfbfaao.exe
PID 2104 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Mgoaap32.exe C:\Windows\SysWOW64\Mcfbfaao.exe
PID 2104 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Mgoaap32.exe C:\Windows\SysWOW64\Mcfbfaao.exe
PID 2104 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Mgoaap32.exe C:\Windows\SysWOW64\Mcfbfaao.exe
PID 2960 wrote to memory of 1512 N/A C:\Windows\SysWOW64\Mcfbfaao.exe C:\Windows\SysWOW64\Mhckloge.exe
PID 2960 wrote to memory of 1512 N/A C:\Windows\SysWOW64\Mcfbfaao.exe C:\Windows\SysWOW64\Mhckloge.exe
PID 2960 wrote to memory of 1512 N/A C:\Windows\SysWOW64\Mcfbfaao.exe C:\Windows\SysWOW64\Mhckloge.exe
PID 2960 wrote to memory of 1512 N/A C:\Windows\SysWOW64\Mcfbfaao.exe C:\Windows\SysWOW64\Mhckloge.exe
PID 1512 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Mhckloge.exe C:\Windows\SysWOW64\Mfihml32.exe
PID 1512 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Mhckloge.exe C:\Windows\SysWOW64\Mfihml32.exe
PID 1512 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Mhckloge.exe C:\Windows\SysWOW64\Mfihml32.exe
PID 1512 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Mhckloge.exe C:\Windows\SysWOW64\Mfihml32.exe
PID 1960 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Mfihml32.exe C:\Windows\SysWOW64\Mmemoe32.exe
PID 1960 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Mfihml32.exe C:\Windows\SysWOW64\Mmemoe32.exe
PID 1960 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Mfihml32.exe C:\Windows\SysWOW64\Mmemoe32.exe
PID 1960 wrote to memory of 2496 N/A C:\Windows\SysWOW64\Mfihml32.exe C:\Windows\SysWOW64\Mmemoe32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe

"C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe"

C:\Windows\SysWOW64\Jcdmbk32.exe

C:\Windows\system32\Jcdmbk32.exe

C:\Windows\SysWOW64\Jcfjhj32.exe

C:\Windows\system32\Jcfjhj32.exe

C:\Windows\SysWOW64\Kkckblgq.exe

C:\Windows\system32\Kkckblgq.exe

C:\Windows\SysWOW64\Knddcg32.exe

C:\Windows\system32\Knddcg32.exe

C:\Windows\SysWOW64\Kjkehhjf.exe

C:\Windows\system32\Kjkehhjf.exe

C:\Windows\SysWOW64\Kninog32.exe

C:\Windows\system32\Kninog32.exe

C:\Windows\SysWOW64\Lfdbcing.exe

C:\Windows\system32\Lfdbcing.exe

C:\Windows\SysWOW64\Lffohikd.exe

C:\Windows\system32\Lffohikd.exe

C:\Windows\SysWOW64\Lkcgapjl.exe

C:\Windows\system32\Lkcgapjl.exe

C:\Windows\SysWOW64\Lkfdfo32.exe

C:\Windows\system32\Lkfdfo32.exe

C:\Windows\SysWOW64\Lijepc32.exe

C:\Windows\system32\Lijepc32.exe

C:\Windows\SysWOW64\Mgoaap32.exe

C:\Windows\system32\Mgoaap32.exe

C:\Windows\SysWOW64\Mcfbfaao.exe

C:\Windows\system32\Mcfbfaao.exe

C:\Windows\SysWOW64\Mhckloge.exe

C:\Windows\system32\Mhckloge.exe

C:\Windows\SysWOW64\Mfihml32.exe

C:\Windows\system32\Mfihml32.exe

C:\Windows\SysWOW64\Mmemoe32.exe

C:\Windows\system32\Mmemoe32.exe

C:\Windows\SysWOW64\Nmgjee32.exe

C:\Windows\system32\Nmgjee32.exe

C:\Windows\SysWOW64\Nfpnnk32.exe

C:\Windows\system32\Nfpnnk32.exe

C:\Windows\SysWOW64\Nokcbm32.exe

C:\Windows\system32\Nokcbm32.exe

C:\Windows\SysWOW64\Ndjhpcoe.exe

C:\Windows\system32\Ndjhpcoe.exe

C:\Windows\SysWOW64\Noplmlok.exe

C:\Windows\system32\Noplmlok.exe

C:\Windows\SysWOW64\Nejdjf32.exe

C:\Windows\system32\Nejdjf32.exe

C:\Windows\SysWOW64\Oaqeogll.exe

C:\Windows\system32\Oaqeogll.exe

C:\Windows\SysWOW64\Oacbdg32.exe

C:\Windows\system32\Oacbdg32.exe

C:\Windows\SysWOW64\Ollcee32.exe

C:\Windows\system32\Ollcee32.exe

C:\Windows\SysWOW64\Olopjddf.exe

C:\Windows\system32\Olopjddf.exe

C:\Windows\SysWOW64\Ogddhmdl.exe

C:\Windows\system32\Ogddhmdl.exe

C:\Windows\SysWOW64\Panehkaj.exe

C:\Windows\system32\Panehkaj.exe

C:\Windows\SysWOW64\Pkfiaqgk.exe

C:\Windows\system32\Pkfiaqgk.exe

C:\Windows\SysWOW64\Penjdien.exe

C:\Windows\system32\Penjdien.exe

C:\Windows\SysWOW64\Pkkblp32.exe

C:\Windows\system32\Pkkblp32.exe

C:\Windows\SysWOW64\Pdcgeejf.exe

C:\Windows\system32\Pdcgeejf.exe

C:\Windows\SysWOW64\Paghojip.exe

C:\Windows\system32\Paghojip.exe

C:\Windows\SysWOW64\Qdhqpe32.exe

C:\Windows\system32\Qdhqpe32.exe

C:\Windows\SysWOW64\Qmcedg32.exe

C:\Windows\system32\Qmcedg32.exe

C:\Windows\SysWOW64\Amebjgai.exe

C:\Windows\system32\Amebjgai.exe

C:\Windows\SysWOW64\Amhopfof.exe

C:\Windows\system32\Amhopfof.exe

C:\Windows\SysWOW64\Aoihaa32.exe

C:\Windows\system32\Aoihaa32.exe

C:\Windows\SysWOW64\Aialjgbh.exe

C:\Windows\system32\Aialjgbh.exe

C:\Windows\SysWOW64\Bmhkojab.exe

C:\Windows\system32\Bmhkojab.exe

C:\Windows\SysWOW64\Bgmolb32.exe

C:\Windows\system32\Bgmolb32.exe

C:\Windows\SysWOW64\Bjnhnn32.exe

C:\Windows\system32\Bjnhnn32.exe

C:\Windows\SysWOW64\Biceoj32.exe

C:\Windows\system32\Biceoj32.exe

C:\Windows\SysWOW64\Cfgehn32.exe

C:\Windows\system32\Cfgehn32.exe

C:\Windows\SysWOW64\Cbnfmo32.exe

C:\Windows\system32\Cbnfmo32.exe

C:\Windows\SysWOW64\Chkoef32.exe

C:\Windows\system32\Chkoef32.exe

C:\Windows\SysWOW64\Caccnllf.exe

C:\Windows\system32\Caccnllf.exe

C:\Windows\SysWOW64\Cligkdlm.exe

C:\Windows\system32\Cligkdlm.exe

C:\Windows\SysWOW64\Caepdk32.exe

C:\Windows\system32\Caepdk32.exe

C:\Windows\SysWOW64\Cfbhlb32.exe

C:\Windows\system32\Cfbhlb32.exe

C:\Windows\SysWOW64\Cahmik32.exe

C:\Windows\system32\Cahmik32.exe

C:\Windows\SysWOW64\Dkpabqoa.exe

C:\Windows\system32\Dkpabqoa.exe

C:\Windows\SysWOW64\Dajiok32.exe

C:\Windows\system32\Dajiok32.exe

C:\Windows\SysWOW64\Dbkffc32.exe

C:\Windows\system32\Dbkffc32.exe

C:\Windows\SysWOW64\Dalfdjdl.exe

C:\Windows\system32\Dalfdjdl.exe

C:\Windows\SysWOW64\Dkekmp32.exe

C:\Windows\system32\Dkekmp32.exe

C:\Windows\SysWOW64\Dlfgehqk.exe

C:\Windows\system32\Dlfgehqk.exe

C:\Windows\SysWOW64\Denknngk.exe

C:\Windows\system32\Denknngk.exe

C:\Windows\SysWOW64\Dpdpkfga.exe

C:\Windows\system32\Dpdpkfga.exe

C:\Windows\SysWOW64\Dilddl32.exe

C:\Windows\system32\Dilddl32.exe

C:\Windows\SysWOW64\Eceimadb.exe

C:\Windows\system32\Eceimadb.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 140

Network

N/A

Files

memory/816-0-0x0000000000400000-0x0000000000435000-memory.dmp

\Windows\SysWOW64\Jcdmbk32.exe

MD5 8ecc63efc012f9d0e8e15b966fb7053c
SHA1 ea0082d8b8c5fa63c8f1e142e1cf49020047248e
SHA256 5a73bd6071e54aab5cdc5fc11a0af50c0c884d631295712c664ab3a01f6b9b2f
SHA512 dd54ef4a89e6727ee8fb8080febedffb3ea58f71a626dd96b28f5c1236061a56026ca51969f70d6343d9eeed0752d9b9c745bb46f5330c33e1e9dfb8fb440e04

memory/2724-14-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2724-21-0x00000000002A0000-0x00000000002D5000-memory.dmp

memory/816-13-0x00000000002A0000-0x00000000002D5000-memory.dmp

memory/816-12-0x00000000002A0000-0x00000000002D5000-memory.dmp

\Windows\SysWOW64\Jcfjhj32.exe

MD5 95b214bd445e062cfee165bc3499e9c3
SHA1 4d2f396d3af295ae59d092f041b5489ddce91f02
SHA256 89971e5776060de2e9dbaa7f7df67ff34fb8d9f5a0737d0dfbc6b0b9177a085e
SHA512 9beff3f9f717fca990776eef352f9192aabfab54dd33c12b080ee7fb050cf04bf77d30195788e8f7a95d58215964b7552a8dd332573b2f19d57fa589c8c3c7a1

\Windows\SysWOW64\Kkckblgq.exe

MD5 2778618c8f00c7480e37779cf39540c9
SHA1 bfca288471a395f4d40515adf7182d00126f2382
SHA256 2f6c5903f4b5621c1491ee13993e621fcb32ff41dda72f77483b1a2c5e0cf096
SHA512 fc49e0f11f75b947cec216bc2f946ec7f248678895e572c3acbc3329c6aa0136b6af41243978b774a3bba6c56bae2221e8b0891522ad05d12d6ffaa229707a21

memory/3004-41-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2888-40-0x0000000000220000-0x0000000000255000-memory.dmp

\Windows\SysWOW64\Knddcg32.exe

MD5 8697856f1fba22b8c1ac58fc846adb10
SHA1 21b591f92dd7d5c6b63cbb005deb7a4ef2649d5d
SHA256 db19fcd558c848f1378eed2220b6d2f5aee7002649c6202734be0b36157f0271
SHA512 51207f732fd5911fd50dbfbc5af40d8d9cda2b4e0cb848dc866ffb22890b338ec66de5dc6e97139247a9e8890487e6afe3fb2ef7f5c0f47e55b68d90a6213a5a

memory/3004-49-0x0000000000220000-0x0000000000255000-memory.dmp

C:\Windows\SysWOW64\Gigpekfk.dll

MD5 b15f75c3eae57178fcb1f356675450ae
SHA1 8fdd5f70a1464d1dd01770b35444524a46836d93
SHA256 0f82a87d26391b760f6cbb86f28d20f99172dcd5fcb88b7105248f2579102501
SHA512 257ebbe5b00e6f1b46ba1dd4e3fc37ec550f23f89fcab3df4cbf7ebec1c4eeb0ab87a47ac71db2ed91076ff44510a469851ef267f55c41efe8e9ba28a51ebe95

memory/1892-55-0x0000000000400000-0x0000000000435000-memory.dmp

\Windows\SysWOW64\Kjkehhjf.exe

MD5 88dd34788e8081d6b491c6a3951aa381
SHA1 2c8bfc0c0021f64e92cc403b1c7a480144362537
SHA256 c888ed4d7bbc4c86350fab5c55445b560800b77f0858885c98ddbbcd4d24ec39
SHA512 5697fc6210d1048ba6d0bfac1d975c1aa5dd87e858c03d6260c4d4fbbf6605f825b0f795eb51d934a440471c482d58a7f0230d0cc100d7680c7d45d01889fb38

memory/2800-68-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2800-76-0x00000000002B0000-0x00000000002E5000-memory.dmp

\Windows\SysWOW64\Kninog32.exe

MD5 fe985ebcdc4af1a20e6367952c8e0518
SHA1 1d6bdcb83e6a4fff3776a48c8205002ce7945a7b
SHA256 2a9ff1f7e2e1b7b12a5f9462b949d721bd8349ec15f489c10adb2ed844c33bcf
SHA512 b361bb25e92bbbac6ff4a360fa2d7f4abcad61ee81cbe4074e4d4fb86f5f49be7867df46726b1015e4add07ec76ebf061d0f42041bece37b262b5ac2e255d3f1

\Windows\SysWOW64\Lfdbcing.exe

MD5 f48c80cbc50bf741b370e89328549bdf
SHA1 6da98e62670b3342a43981384146ee4c18a124b9
SHA256 c1754a9f610de3ac249b02f216592ffde6cc223b1780b39844369df7bc15011b
SHA512 9c7c2baec95d873c4a14399b415a1f1ccfb33beec7e235a90553cf713341501fa1f647c505b0bbcc8fcc647e58335d1c5d0c52a6373c50fed846065f99028f37

memory/2796-94-0x0000000000270000-0x00000000002A5000-memory.dmp

\Windows\SysWOW64\Lffohikd.exe

MD5 3d330db4dff8f320f2e37fc64edae9f0
SHA1 349ebc2f081f9516a897805d59d752cb8b46ad92
SHA256 aab8fcff39042ab22eb45b0e985d3ca04c487d98e2942b636465c4d88f372a74
SHA512 4023f6945355b856ce30919e87671804d943175f75660a0610c9defc05169673e421069aaa862132bb2a882065ce090a7d3c813cdc297252981923d68871a4a0

memory/2428-103-0x0000000000220000-0x0000000000255000-memory.dmp

memory/736-108-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Lkcgapjl.exe

MD5 9cb5a65e0c542c2e61c9f14954c9f4ac
SHA1 31246b4cb864c64822fa1e9a35f4206feffce2bd
SHA256 147eb54c3550adaca603abbf212eb6b2bdcc1b8e040d9df803612fb1a0e8fcbf
SHA512 7584e9d584e5b18302f1de27a06311d7b3ce6eebddbc3774e7eaebc2d0beeb845ba0c06b3708585e26f78a10fdc05d3471a5ac3bb3481ec8c3c24df8e09eb7de

memory/2828-121-0x0000000000400000-0x0000000000435000-memory.dmp

\Windows\SysWOW64\Lkfdfo32.exe

MD5 8ca0a62414d7fae798d8b3b3e8bc9ce7
SHA1 3cd3d8b581289425abff616e0204effe3d18c668
SHA256 f9146b3ef514433c5c74a53fdb050ad66a9a2caba4aed77eb6aa459cd29f0fbf
SHA512 75fd928a00fea2c107fc18c7f6f33e94c683a3b8b0693398aab85e3cdcad2a7e501e3f2026c59427397a69eab93e562e8c3dd8cba154d2ddfde6c325763093f1

memory/2828-133-0x0000000000220000-0x0000000000255000-memory.dmp

\Windows\SysWOW64\Lijepc32.exe

MD5 5d65009501992f2343d0b5530f7dbe69
SHA1 c2ca11cede6aaeea44c4993304b6fff44a89cea9
SHA256 d36a1345f58eb72692f49cc86b90c23ac8e06a428a5da62fb38ebde3f48f2808
SHA512 d695ce7d0b73707fa875e71716fddbcef5eea2fa0c595999f1f01ab19e7aaa244877d7538484b3bd100f4eb719090a9474d2bd26c06b337e9cbadba2606ba4d6

memory/2044-143-0x00000000001B0000-0x00000000001E5000-memory.dmp

memory/2684-148-0x0000000000400000-0x0000000000435000-memory.dmp

\Windows\SysWOW64\Mgoaap32.exe

MD5 ebd41d0aa4eca9cf297e9ea4331da2ee
SHA1 832fd87e7da80373d92acfb3817dbcc3d220c868
SHA256 043768bbc37cef60f21e8bf0ee5124dfb1e6106549d6eac8e59307a8b43b6728
SHA512 34380fc57d2d575e6e56b47701d8c51b511f35e649b51b5ae09c906509b335fe6a6cee59151a9f29282a84b19c2840e04590077c34bdc60d3b5c57c6f5a6bb00

memory/2104-161-0x0000000000400000-0x0000000000435000-memory.dmp

\Windows\SysWOW64\Mcfbfaao.exe

MD5 c7ccbf772596480784e84d80a437b511
SHA1 45987a7b2c41f9de23a489f80a6751d5b230f458
SHA256 919c10ec785d3ca51e2845ee068fd8f4224fbc87adc8c76527f004f2e29f475b
SHA512 8259422bcf1f6eacdcaeda3c1f21d75e6a17a05880f2df9873ed327462198f4e73a6d0fa9af028198f9183ed5828a86796d0ff5f35a92360954d8d390f6b6dd0

memory/2104-169-0x00000000001C0000-0x00000000001F5000-memory.dmp

memory/2960-175-0x0000000000400000-0x0000000000435000-memory.dmp

\Windows\SysWOW64\Mhckloge.exe

MD5 5a578e0d1d31fea083f2d475936066a4
SHA1 9241bad84ad2864167cfaff859bcc5f63ccd3756
SHA256 72d9eebe3f6e4467e0612393b9d31f77bce53811d8548c2b74e8365ae1e73345
SHA512 69f39a0b2e98de0f947c16eb8d7187e606dfe140c22d50b37f049a8c1c013b1dc960e5c5466fb84ae0cfc22dedb6e892b92d2dec9a23bb641f68b571d19a12ac

memory/2960-182-0x00000000003C0000-0x00000000003F5000-memory.dmp

\Windows\SysWOW64\Mfihml32.exe

MD5 98c0d304a420f0cbcc58e265d63d6ef8
SHA1 6a2a6580456fca98eb1c8fdf03c705d6a1d7f535
SHA256 ee3ef13ebb2dcc6497bc7af412b2b76f2f48a452e9cd78fa8a44a26d78908891
SHA512 ba63224c5faffb8d0270bd8f98f90bc1651f3fcee5ef343e92d09b898fc1ffdadee1050028b75211438dd33b64660975cda80bf207463d37bb5a0d42b9df2172

memory/1960-201-0x0000000000400000-0x0000000000435000-memory.dmp

\Windows\SysWOW64\Mmemoe32.exe

MD5 968eb2e0149e96aa3b068d39602cc48f
SHA1 8d0b7d6de9756177d8341fb765b4ad72b35d22c9
SHA256 500a8a1f70b58b18514748f479bea438f37a776aacba643b2f2c1bae59f7d683
SHA512 cb6127d8c829bd713887e276d75a89f0b1625a8e753827ed1f555aa263ac237f2efe3acabd21acbdf7a1bee2638c8c0b818705449d3cfec1a4760a6cca340425


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 14:13

Reported

2024-11-12 14:15

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cabfga32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Caebma32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cegdnopg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Danecp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bchomn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bchomn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dkifae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Djgjlelk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddonekbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dmjocp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bcoenmao.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfiafg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Banllbdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Caebma32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djgjlelk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cndikf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cdcoim32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cffdpghg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Beglgani.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bapiabak.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdabcm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Danecp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bfkedibe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Banllbdn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dkkcge32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Beglgani.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cabfga32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cffdpghg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Daconoae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bcoenmao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cagobalc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cagobalc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkkcge32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkifae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdcoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dfiafg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cdabcm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Daconoae.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfkedibe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bapiabak.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cndikf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cegdnopg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cnnlaehj.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Cnnlaehj.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkkcge32.exe C:\Windows\SysWOW64\Ddakjkqi.exe N/A
File created C:\Windows\SysWOW64\Cabfga32.exe C:\Windows\SysWOW64\Cndikf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdcoim32.exe C:\Windows\SysWOW64\Caebma32.exe N/A
File created C:\Windows\SysWOW64\Nedmmlba.dll C:\Windows\SysWOW64\Caebma32.exe N/A
File created C:\Windows\SysWOW64\Cjmgfgdf.exe C:\Windows\SysWOW64\Cdcoim32.exe N/A
File created C:\Windows\SysWOW64\Gifhkeje.dll C:\Windows\SysWOW64\Daconoae.exe N/A
File created C:\Windows\SysWOW64\Dmjocp32.exe C:\Windows\SysWOW64\Dkkcge32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bnmcjg32.exe C:\Windows\SysWOW64\Bchomn32.exe N/A
File created C:\Windows\SysWOW64\Banllbdn.exe C:\Windows\SysWOW64\Bfhhoi32.exe N/A
File created C:\Windows\SysWOW64\Danecp32.exe C:\Windows\SysWOW64\Dfiafg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddakjkqi.exe C:\Windows\SysWOW64\Daconoae.exe N/A
File created C:\Windows\SysWOW64\Ghilmi32.dll C:\Windows\SysWOW64\Cagobalc.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfiafg32.exe C:\Windows\SysWOW64\Cegdnopg.exe N/A
File created C:\Windows\SysWOW64\Kkmjgool.dll C:\Windows\SysWOW64\Cegdnopg.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\SysWOW64\Djgjlelk.exe N/A
File created C:\Windows\SysWOW64\Bfhhoi32.exe C:\Windows\SysWOW64\Beglgani.exe N/A
File opened for modification C:\Windows\SysWOW64\Cndikf32.exe C:\Windows\SysWOW64\Bcoenmao.exe N/A
File opened for modification C:\Windows\SysWOW64\Cabfga32.exe C:\Windows\SysWOW64\Cndikf32.exe N/A
File created C:\Windows\SysWOW64\Cdcoim32.exe C:\Windows\SysWOW64\Caebma32.exe N/A
File created C:\Windows\SysWOW64\Oammoc32.dll C:\Windows\SysWOW64\Dkifae32.exe N/A
File created C:\Windows\SysWOW64\Bapiabak.exe C:\Windows\SysWOW64\Bfkedibe.exe N/A
File opened for modification C:\Windows\SysWOW64\Bapiabak.exe C:\Windows\SysWOW64\Bfkedibe.exe N/A
File created C:\Windows\SysWOW64\Maickled.dll C:\Windows\SysWOW64\Cdcoim32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Cnnlaehj.exe N/A
File created C:\Windows\SysWOW64\Nnjaqjfh.dll C:\Windows\SysWOW64\Banllbdn.exe N/A
File created C:\Windows\SysWOW64\Mgcail32.dll C:\Windows\SysWOW64\Cnnlaehj.exe N/A
File opened for modification C:\Windows\SysWOW64\Danecp32.exe C:\Windows\SysWOW64\Dfiafg32.exe N/A
File created C:\Windows\SysWOW64\Mjelcfha.dll C:\Windows\SysWOW64\Djgjlelk.exe N/A
File created C:\Windows\SysWOW64\Ddakjkqi.exe C:\Windows\SysWOW64\Daconoae.exe N/A
File created C:\Windows\SysWOW64\Jcbdhp32.dll C:\Windows\SysWOW64\Ddakjkqi.exe N/A
File created C:\Windows\SysWOW64\Caebma32.exe C:\Windows\SysWOW64\Cdabcm32.exe N/A
File created C:\Windows\SysWOW64\Cffdpghg.exe C:\Windows\SysWOW64\Cmnpgb32.exe N/A
File created C:\Windows\SysWOW64\Nbgngp32.dll C:\Windows\SysWOW64\Danecp32.exe N/A
File created C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\SysWOW64\Djgjlelk.exe N/A
File created C:\Windows\SysWOW64\Cfdhkhjj.exe C:\Windows\SysWOW64\Cagobalc.exe N/A
File created C:\Windows\SysWOW64\Ffpmlcim.dll C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhocqigp.exe C:\Windows\SysWOW64\Dmjocp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Dhocqigp.exe N/A
File created C:\Windows\SysWOW64\Bchomn32.exe C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe N/A
File created C:\Windows\SysWOW64\Mmnbeadp.dll C:\Windows\SysWOW64\Bapiabak.exe N/A
File created C:\Windows\SysWOW64\Cndikf32.exe C:\Windows\SysWOW64\Bcoenmao.exe N/A
File opened for modification C:\Windows\SysWOW64\Caebma32.exe C:\Windows\SysWOW64\Cdabcm32.exe N/A
File created C:\Windows\SysWOW64\Kngpec32.dll C:\Windows\SysWOW64\Dhocqigp.exe N/A
File created C:\Windows\SysWOW64\Beeppfin.dll C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
File opened for modification C:\Windows\SysWOW64\Beglgani.exe C:\Windows\SysWOW64\Bnmcjg32.exe N/A
File created C:\Windows\SysWOW64\Jhbffb32.dll C:\Windows\SysWOW64\Bfkedibe.exe N/A
File created C:\Windows\SysWOW64\Echdno32.dll C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhhnpjmh.exe C:\Windows\SysWOW64\Danecp32.exe N/A
File created C:\Windows\SysWOW64\Kbejge32.dll C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe N/A
File created C:\Windows\SysWOW64\Bmhnkg32.dll C:\Windows\SysWOW64\Bnmcjg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Banllbdn.exe C:\Windows\SysWOW64\Bfhhoi32.exe N/A
File created C:\Windows\SysWOW64\Agjbpg32.dll C:\Windows\SysWOW64\Dfiafg32.exe N/A
File created C:\Windows\SysWOW64\Cnnlaehj.exe C:\Windows\SysWOW64\Cffdpghg.exe N/A
File created C:\Windows\SysWOW64\Dhocqigp.exe C:\Windows\SysWOW64\Dmjocp32.exe N/A
File created C:\Windows\SysWOW64\Cdabcm32.exe C:\Windows\SysWOW64\Cabfga32.exe N/A
File created C:\Windows\SysWOW64\Bhicommo.dll C:\Windows\SysWOW64\Cabfga32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cagobalc.exe C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfdhkhjj.exe C:\Windows\SysWOW64\Cagobalc.exe N/A
File opened for modification C:\Windows\SysWOW64\Daconoae.exe C:\Windows\SysWOW64\Dkifae32.exe N/A
File created C:\Windows\SysWOW64\Elkadb32.dll C:\Windows\SysWOW64\Dmjocp32.exe N/A
File created C:\Windows\SysWOW64\Beglgani.exe C:\Windows\SysWOW64\Bnmcjg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cffdpghg.exe C:\Windows\SysWOW64\Cmnpgb32.exe N/A
File created C:\Windows\SysWOW64\Ingfla32.dll C:\Windows\SysWOW64\Cffdpghg.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfkedibe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bapiabak.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Banllbdn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkkcge32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beglgani.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cabfga32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdabcm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmllipeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Caebma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cndikf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdcoim32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cffdpghg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daconoae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cagobalc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Danecp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djgjlelk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bchomn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfiafg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkifae32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcoenmao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cegdnopg.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfiafg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll" C:\Windows\SysWOW64\Danecp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dmjocp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll" C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Beglgani.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll" C:\Windows\SysWOW64\Cndikf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdabcm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll" C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll" C:\Windows\SysWOW64\Dfiafg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cabfga32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll" C:\Windows\SysWOW64\Cabfga32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cabfga32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Daconoae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhocqigp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll" C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Banllbdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Banllbdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cndikf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdcoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll" C:\Windows\SysWOW64\Cffdpghg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll" C:\Windows\SysWOW64\Bchomn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll" C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll" C:\Windows\SysWOW64\Beglgani.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll" C:\Windows\SysWOW64\Dmjocp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bcoenmao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Danecp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll" C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bchomn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Beglgani.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll" C:\Windows\SysWOW64\Banllbdn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bfkedibe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cndikf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cdcoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll" C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkifae32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Daconoae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dkkcge32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Caebma32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll" C:\Windows\SysWOW64\Cagobalc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ddonekbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" C:\Windows\SysWOW64\Dhocqigp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bchomn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bapiabak.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll" C:\Windows\SysWOW64\Cegdnopg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djgjlelk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfkedibe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll" C:\Windows\SysWOW64\Dkifae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll" C:\Windows\SysWOW64\Dkkcge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll" C:\Windows\SysWOW64\Bfkedibe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe C:\Windows\SysWOW64\Bchomn32.exe
PID 2356 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe C:\Windows\SysWOW64\Bchomn32.exe
PID 2356 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe C:\Windows\SysWOW64\Bchomn32.exe
PID 3668 wrote to memory of 4424 N/A C:\Windows\SysWOW64\Bchomn32.exe C:\Windows\SysWOW64\Bnmcjg32.exe
PID 3668 wrote to memory of 4424 N/A C:\Windows\SysWOW64\Bchomn32.exe C:\Windows\SysWOW64\Bnmcjg32.exe
PID 3668 wrote to memory of 4424 N/A C:\Windows\SysWOW64\Bchomn32.exe C:\Windows\SysWOW64\Bnmcjg32.exe
PID 4424 wrote to memory of 5056 N/A C:\Windows\SysWOW64\Bnmcjg32.exe C:\Windows\SysWOW64\Beglgani.exe
PID 4424 wrote to memory of 5056 N/A C:\Windows\SysWOW64\Bnmcjg32.exe C:\Windows\SysWOW64\Beglgani.exe
PID 4424 wrote to memory of 5056 N/A C:\Windows\SysWOW64\Bnmcjg32.exe C:\Windows\SysWOW64\Beglgani.exe
PID 5056 wrote to memory of 1440 N/A C:\Windows\SysWOW64\Beglgani.exe C:\Windows\SysWOW64\Bfhhoi32.exe
PID 5056 wrote to memory of 1440 N/A C:\Windows\SysWOW64\Beglgani.exe C:\Windows\SysWOW64\Bfhhoi32.exe
PID 5056 wrote to memory of 1440 N/A C:\Windows\SysWOW64\Beglgani.exe C:\Windows\SysWOW64\Bfhhoi32.exe
PID 1440 wrote to memory of 2300 N/A C:\Windows\SysWOW64\Bfhhoi32.exe C:\Windows\SysWOW64\Banllbdn.exe
PID 1440 wrote to memory of 2300 N/A C:\Windows\SysWOW64\Bfhhoi32.exe C:\Windows\SysWOW64\Banllbdn.exe
PID 1440 wrote to memory of 2300 N/A C:\Windows\SysWOW64\Bfhhoi32.exe C:\Windows\SysWOW64\Banllbdn.exe
PID 2300 wrote to memory of 3492 N/A C:\Windows\SysWOW64\Banllbdn.exe C:\Windows\SysWOW64\Bfkedibe.exe
PID 2300 wrote to memory of 3492 N/A C:\Windows\SysWOW64\Banllbdn.exe C:\Windows\SysWOW64\Bfkedibe.exe
PID 2300 wrote to memory of 3492 N/A C:\Windows\SysWOW64\Banllbdn.exe C:\Windows\SysWOW64\Bfkedibe.exe
PID 3492 wrote to memory of 4044 N/A C:\Windows\SysWOW64\Bfkedibe.exe C:\Windows\SysWOW64\Bapiabak.exe
PID 3492 wrote to memory of 4044 N/A C:\Windows\SysWOW64\Bfkedibe.exe C:\Windows\SysWOW64\Bapiabak.exe
PID 3492 wrote to memory of 4044 N/A C:\Windows\SysWOW64\Bfkedibe.exe C:\Windows\SysWOW64\Bapiabak.exe
PID 4044 wrote to memory of 1216 N/A C:\Windows\SysWOW64\Bapiabak.exe C:\Windows\SysWOW64\Bcoenmao.exe
PID 4044 wrote to memory of 1216 N/A C:\Windows\SysWOW64\Bapiabak.exe C:\Windows\SysWOW64\Bcoenmao.exe
PID 4044 wrote to memory of 1216 N/A C:\Windows\SysWOW64\Bapiabak.exe C:\Windows\SysWOW64\Bcoenmao.exe
PID 1216 wrote to memory of 1048 N/A C:\Windows\SysWOW64\Bcoenmao.exe C:\Windows\SysWOW64\Cndikf32.exe
PID 1216 wrote to memory of 1048 N/A C:\Windows\SysWOW64\Bcoenmao.exe C:\Windows\SysWOW64\Cndikf32.exe
PID 1216 wrote to memory of 1048 N/A C:\Windows\SysWOW64\Bcoenmao.exe C:\Windows\SysWOW64\Cndikf32.exe
PID 1048 wrote to memory of 4760 N/A C:\Windows\SysWOW64\Cndikf32.exe C:\Windows\SysWOW64\Cabfga32.exe
PID 1048 wrote to memory of 4760 N/A C:\Windows\SysWOW64\Cndikf32.exe C:\Windows\SysWOW64\Cabfga32.exe
PID 1048 wrote to memory of 4760 N/A C:\Windows\SysWOW64\Cndikf32.exe C:\Windows\SysWOW64\Cabfga32.exe
PID 4760 wrote to memory of 692 N/A C:\Windows\SysWOW64\Cabfga32.exe C:\Windows\SysWOW64\Cdabcm32.exe
PID 4760 wrote to memory of 692 N/A C:\Windows\SysWOW64\Cabfga32.exe C:\Windows\SysWOW64\Cdabcm32.exe
PID 4760 wrote to memory of 692 N/A C:\Windows\SysWOW64\Cabfga32.exe C:\Windows\SysWOW64\Cdabcm32.exe
PID 692 wrote to memory of 3672 N/A C:\Windows\SysWOW64\Cdabcm32.exe C:\Windows\SysWOW64\Caebma32.exe
PID 692 wrote to memory of 3672 N/A C:\Windows\SysWOW64\Cdabcm32.exe C:\Windows\SysWOW64\Caebma32.exe
PID 692 wrote to memory of 3672 N/A C:\Windows\SysWOW64\Cdabcm32.exe C:\Windows\SysWOW64\Caebma32.exe
PID 3672 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Caebma32.exe C:\Windows\SysWOW64\Cdcoim32.exe
PID 3672 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Caebma32.exe C:\Windows\SysWOW64\Cdcoim32.exe
PID 3672 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Caebma32.exe C:\Windows\SysWOW64\Cdcoim32.exe
PID 3068 wrote to memory of 4752 N/A C:\Windows\SysWOW64\Cdcoim32.exe C:\Windows\SysWOW64\Cjmgfgdf.exe
PID 3068 wrote to memory of 4752 N/A C:\Windows\SysWOW64\Cdcoim32.exe C:\Windows\SysWOW64\Cjmgfgdf.exe
PID 3068 wrote to memory of 4752 N/A C:\Windows\SysWOW64\Cdcoim32.exe C:\Windows\SysWOW64\Cjmgfgdf.exe
PID 4752 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Cjmgfgdf.exe C:\Windows\SysWOW64\Cagobalc.exe
PID 4752 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Cjmgfgdf.exe C:\Windows\SysWOW64\Cagobalc.exe
PID 4752 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Cjmgfgdf.exe C:\Windows\SysWOW64\Cagobalc.exe
PID 2440 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Cagobalc.exe C:\Windows\SysWOW64\Cfdhkhjj.exe
PID 2440 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Cagobalc.exe C:\Windows\SysWOW64\Cfdhkhjj.exe
PID 2440 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Cagobalc.exe C:\Windows\SysWOW64\Cfdhkhjj.exe
PID 2612 wrote to memory of 3616 N/A C:\Windows\SysWOW64\Cfdhkhjj.exe C:\Windows\SysWOW64\Cmnpgb32.exe
PID 2612 wrote to memory of 3616 N/A C:\Windows\SysWOW64\Cfdhkhjj.exe C:\Windows\SysWOW64\Cmnpgb32.exe
PID 2612 wrote to memory of 3616 N/A C:\Windows\SysWOW64\Cfdhkhjj.exe C:\Windows\SysWOW64\Cmnpgb32.exe
PID 3616 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Cmnpgb32.exe C:\Windows\SysWOW64\Cffdpghg.exe
PID 3616 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Cmnpgb32.exe C:\Windows\SysWOW64\Cffdpghg.exe
PID 3616 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Cmnpgb32.exe C:\Windows\SysWOW64\Cffdpghg.exe
PID 2960 wrote to memory of 216 N/A C:\Windows\SysWOW64\Cffdpghg.exe C:\Windows\SysWOW64\Cnnlaehj.exe
PID 2960 wrote to memory of 216 N/A C:\Windows\SysWOW64\Cffdpghg.exe C:\Windows\SysWOW64\Cnnlaehj.exe
PID 2960 wrote to memory of 216 N/A C:\Windows\SysWOW64\Cffdpghg.exe C:\Windows\SysWOW64\Cnnlaehj.exe
PID 216 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Cnnlaehj.exe C:\Windows\SysWOW64\Cegdnopg.exe
PID 216 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Cnnlaehj.exe C:\Windows\SysWOW64\Cegdnopg.exe
PID 216 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Cnnlaehj.exe C:\Windows\SysWOW64\Cegdnopg.exe
PID 2952 wrote to memory of 624 N/A C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Dfiafg32.exe
PID 2952 wrote to memory of 624 N/A C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Dfiafg32.exe
PID 2952 wrote to memory of 624 N/A C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Dfiafg32.exe
PID 624 wrote to memory of 3548 N/A C:\Windows\SysWOW64\Dfiafg32.exe C:\Windows\SysWOW64\Danecp32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe

"C:\Users\Admin\AppData\Local\Temp\a4c09ba7f1ed47c725b37d44d521c3e5abea101ff8691d88ffa9dc9fd8656a08.exe"

C:\Windows\SysWOW64\Bchomn32.exe

C:\Windows\system32\Bchomn32.exe

C:\Windows\SysWOW64\Bnmcjg32.exe

C:\Windows\system32\Bnmcjg32.exe

C:\Windows\SysWOW64\Beglgani.exe

C:\Windows\system32\Beglgani.exe

C:\Windows\SysWOW64\Bfhhoi32.exe

C:\Windows\system32\Bfhhoi32.exe

C:\Windows\SysWOW64\Banllbdn.exe

C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Bfkedibe.exe

C:\Windows\system32\Bfkedibe.exe

C:\Windows\SysWOW64\Bapiabak.exe

C:\Windows\system32\Bapiabak.exe

C:\Windows\SysWOW64\Bcoenmao.exe

C:\Windows\system32\Bcoenmao.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Cabfga32.exe

C:\Windows\system32\Cabfga32.exe

C:\Windows\SysWOW64\Cdabcm32.exe

C:\Windows\system32\Cdabcm32.exe

C:\Windows\SysWOW64\Caebma32.exe

C:\Windows\system32\Caebma32.exe

C:\Windows\SysWOW64\Cdcoim32.exe

C:\Windows\system32\Cdcoim32.exe

C:\Windows\SysWOW64\Cjmgfgdf.exe

C:\Windows\system32\Cjmgfgdf.exe

C:\Windows\SysWOW64\Cagobalc.exe

C:\Windows\system32\Cagobalc.exe

C:\Windows\SysWOW64\Cfdhkhjj.exe

C:\Windows\system32\Cfdhkhjj.exe

C:\Windows\SysWOW64\Cmnpgb32.exe

C:\Windows\system32\Cmnpgb32.exe

C:\Windows\SysWOW64\Cffdpghg.exe

C:\Windows\system32\Cffdpghg.exe

C:\Windows\SysWOW64\Cnnlaehj.exe

C:\Windows\system32\Cnnlaehj.exe

C:\Windows\SysWOW64\Cegdnopg.exe

C:\Windows\system32\Cegdnopg.exe

C:\Windows\SysWOW64\Dfiafg32.exe

C:\Windows\system32\Dfiafg32.exe

C:\Windows\SysWOW64\Danecp32.exe

C:\Windows\system32\Danecp32.exe

C:\Windows\SysWOW64\Dhhnpjmh.exe

C:\Windows\system32\Dhhnpjmh.exe

C:\Windows\SysWOW64\Djgjlelk.exe

C:\Windows\system32\Djgjlelk.exe

C:\Windows\SysWOW64\Ddonekbl.exe

C:\Windows\system32\Ddonekbl.exe

C:\Windows\SysWOW64\Dkifae32.exe

C:\Windows\system32\Dkifae32.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Ddakjkqi.exe

C:\Windows\system32\Ddakjkqi.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Dmjocp32.exe

C:\Windows\system32\Dmjocp32.exe

C:\Windows\SysWOW64\Dhocqigp.exe

C:\Windows\system32\Dhocqigp.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5012 -ip 5012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 408

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 100.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

SHA256 a019b4c351aeb4d96ae8e7bb875cdeafc0e6fba720d734659596d8e53b4f3d8f
SHA512 d07ad51044f3132b69a45d596183fe312c0722471c2a773788f691efbcf9738547790ed3d565de2c8ae8e988d1a9171e1420337a11fb66c3beb90f8417be6b90

memory/3068-104-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Cjmgfgdf.exe

MD5 fe1739055cb51c4b2be08fbd336b5b77
SHA1 673f05891349912e540f93d8b4e5f457fbb77e22
SHA256 48992ee35ddb51bfffd5ad62b874598574d0ff292216b0dbeb7507f51b48fd64
SHA512 88b4c1571cfef007fa69eec5256da71c74e5593eb09d626b78232e6a1ac78ba0d2a98a3057969fb855d66dde1addb24cc84a5af092fbddad9e3b55c8a5186ad9

memory/4752-111-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Cagobalc.exe

MD5 3211ccd9eb3a6450e82f92bb55231f25
SHA1 ad1ff84abcf25580cebcb035c914565bafa561e4
SHA256 37e1cc2225ce9d28be91c79e9e0f7f24e9a57354df1deaa6528117467ee2af22
SHA512 02b3c839cfb7dfe4b608c14f077f3ddd52f6e3f10c95800f380ad12be1eb7abaab26b9c6fac5dfb66384b46eeafdd4aac70e3146eb8210621a6fd4b639eabdef

memory/2440-119-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Cfdhkhjj.exe

MD5 87aca57cf6d2584741ef2ea00952e023
SHA1 fa7c0ff69206c1329b948605b286f8e3bb632ecc
SHA256 b5bd69b9ddd26676508dd0d81c53b0b98aea897d91a8aad0ea6ebe94b3289e9e
SHA512 29a21c37bf2ddf62933e1c57c9e05125b0a2bd9c019df8c09db37549606426112f103c604bc99fa43d0b0ca32511722cf5fd155f517e6d9d1786476793e4bd28

memory/2612-127-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Cmnpgb32.exe

MD5 4c8ec160cca21f2e25f2839c7a49c501
SHA1 a5572d23f6ca2c9789e57120c343df01f9ba3c40
SHA256 d3fe03e0b29b21ccecd961547862af9028fb3fd0b87250ed374c207bed2cb216
SHA512 fff457eebd19b81a82b0a8342191fa3d8df8cfc011b67bb3f467abe0af0f4948c5f5e70ee405819b6303ad52b70525c26f2f745ac5fff7260b77a573c1712d8d

memory/3616-135-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Cffdpghg.exe

MD5 25069ffa5b2c170936022d56675c46f5
SHA1 080a20f4370fbf6f96d36e6169afbbd0fb594bff
SHA256 d0596fe8cef2e486bd8c4f14aa2949cb85b961e58457f917bd07390f3db9ca13
SHA512 437f5438aa5fc70d4de21b3ffb0ccc714d312106974943a2f90466bf38d23b3d7a17dfac5aa2495c916700106387f2d003080e6232631e61e9f30703a9865e4d

memory/2960-144-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Cnnlaehj.exe

MD5 c7b804cfc65ae2d63be33b54ed418208
SHA1 6b1e809ba5d45d3c0de35743eafc5a0eb5c81f5b
SHA256 e6770633c7cd4337837471f94f66f945353603e3f1f851c7f36ca1e6c738398c
SHA512 a48bce4186f5f241ff33510931b9fa09d24f1cbdcfa6880cc287121dd23eb46de527d1431b594ebbc61800632cb4e07f67eb17ff25369d93dfeed2e78e50ad17

memory/216-152-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Cegdnopg.exe

MD5 4be3b4bc631f0120e3aaca7484b3e849
SHA1 634fdb0dac6201db0a199af62b0447fb50dcf6c0
SHA256 5075eb6e4c1220a82056b71684c88c0e824d460ef1045e44315b0729f8e4600f
SHA512 f5ffbe607d120a3084e0dc4136184b94f2acb17f31b09563ff715fc851665bffe9759fb66f9183b1fd8cd9af66b93d3db4d41032642cfbad6c4a18eb79d154df

memory/2952-159-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Dfiafg32.exe

MD5 7ef692531920cef479e546a048d5fdcd
SHA1 e02300511124c891c53ccc5d5e7cf49ab567d67d
SHA256 1af2ff5d613a5e3217133e6147cf44239e550ab77f553e2561a33e8f97b6fa96
SHA512 7dc06e64632a7aa2dcfa9be6b55ebbd10c78d92a66a177a3da9256adb2b842abedc5ff8f9a80eb11f4d392ab326fd93a48e96cbcc18d9b24d6d60eab9caf8cf8

memory/624-173-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Danecp32.exe

MD5 f1d3e4d94c27d8f74f7b9ef1b4d22721
SHA1 eded94e39634f140e1a454b725567dc4eb1c2ec4
SHA256 fc22a11b8b7f5fbeed01ca7bdb142f7c61582a5d6b3be410144ef6909d9b9cd6
SHA512 faa7049104c54c1e20baaa0dccb56362f5c3d5de8704f7b94261e361e9c9c3b095ba1fa4e41a61ce2d369074cb33fd22a68ae52ddf1e2c3186a366ee1dd9b629

memory/3548-175-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Dhhnpjmh.exe

MD5 e6c57e79d0a2eb6801b6d9d5530bee97
SHA1 a278d7bd43c4457765eb797c6c6d881705bf7353
SHA256 72e9c98456e176d4e3b2e775ed1842691cbad50c88da56a9af8cbc8859615486
SHA512 22e28c05efb8b1454eb111211421a644791d5b31cd8a535eec267d4b1c871e3ba72d6bdc1eb90637f11c09379f08b59cfaaca68f384f3e50c9aa3d333f298670

memory/3320-184-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Djgjlelk.exe

MD5 377452f3e08ad418422c2c679051f1ed
SHA1 5a8c086ed6c0fceb3206ce31ad9155fe777a7610
SHA256 871c6dc78090dae81cad021d56fe7598748e55f1d9caf7e9a71a828e848dfdef
SHA512 4d5cc2cdd5055a24f26b493e6a3797e7fde8c4851514ef56e03a593aaec04a71cf0b93f1429329e4d8921fe08311e3218ab233e159d70514e23c8f7e8ca8b48b

memory/2972-192-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Ddonekbl.exe

MD5 b6f5073d08986444fabf2499f57581f7
SHA1 06f6505bdc0fe8430a676954f34ff45457be10eb
SHA256 6bb30dd946ecee2680b4f79dce065b0d9dbd382f3e0bee335abc98d60978b877
SHA512 5cc1938072651a04c4bb66b75b6ae1ec1563bb4b36341e4bbf98fb8c1e02157f2b18735ad9875ab7335a20afcf59dd238b9c41e9466f50a9064acc4a2ee53ac5

memory/3280-199-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Dkifae32.exe

MD5 a8f03203082936ed0f72f10a7a3bb7b5
SHA1 ad2298a1d88595a25649ffcf61800d6f87b4d2c5
SHA256 d201e3ec159757d8dc9803b47720af575d650ee3605d9bb4f70301b25ed0ad17
SHA512 ef9c88e463f414c99cb3386ec12b105274a8ed55e75d8df81f139b0d078d71ed2ce9dca8a9a142d310eaaf5a95bdb275b4c554815157275cba03dea9ae35e768

memory/2020-207-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Daconoae.exe

MD5 a843d60abff072620c007fa2c6d23b93
SHA1 8248156576eb5b9c766c17ac8a77aa5835c4f261
SHA256 80c281768b40df28ac1c56df7d27a80bdf1dc013500bae5fd8d67f1041eeadfd
SHA512 1daaafa249b5f52ae74f391e21ed36f169bc5d0d4cb438cf2dae3a7861829fc9b0b2f01b0830c5cbac80a1d629e705c1995214758e9a07b79fa4741c83db2918

memory/1248-216-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Ddakjkqi.exe

MD5 15faf27b224306e8f0bc97d15e5e4cd2
SHA1 599c44db73d2596e7d3aa15fbdafb9a1384c30f5
SHA256 76b95e6c5e2c31a320feec7e81fe84be6a17161c4d84020e0b3fe1eff75100ed
SHA512 ddd175724a430771617157838da2e294d7232bc2b17970c126926e4f9832b7499b4128243f31913c5fd4bd6dfb53e821b1ff3c1971f0c37034e642ed2bcbd0e1

memory/5028-224-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Dkkcge32.exe

MD5 2a72e44db8ed5060fb468bed2e3d366f
SHA1 9198213b6e50c7a3de4f7e0a35b3508f909fa5d1
SHA256 3cd3fb77311b356695a8afd52fff16bfe66048eab9873ca256fa344e3424d6d0
SHA512 1f51ea1f155730b8318d258f5448b6720e358d981262560e344645c9943379862307b9330a58ec2983442b99ab47f6640fefb92e3903cc8a1f89d70afa4de89c

memory/3656-236-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Dmjocp32.exe

MD5 f1f277b93fdf5ce688f32d1b15465dc1
SHA1 8cbcf5a1f7571b6a99439a55b38a964f3f8e3d79
SHA256 2d8602006cb003f18f9fe3e7e18778dd914c393098c941d5cb08b7a68e10473a
SHA512 b735d35e891d61ad64456777130157dc56069f9be21ed8e25d189c7eb2c90e1efc22c2e84535d9685007b326cb9d2c8a12019429b8d518ff7ea8cd3604349d31

memory/748-239-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Dhocqigp.exe

MD5 04c7648c66be0b90eedf4ac347d2e87f
SHA1 57ef3addf5b53354a6cc813fb81b86f7b4254603
SHA256 8a398ef2bb8633c29ebc12b073010230d1bd2ee2ab8209006aa904e5dec2f1bc
SHA512 779302c32fe00ee36cfb66d6381b1b3efc2003d697c8d6840cd7cd0f5ae0a6331bf2a4e50304cbdb0fffc153fec0b633e9662c0d0589e6d3af2010addd464ff9

memory/5008-247-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Dmllipeg.exe

MD5 974620966e2db39bada22066f194344f
SHA1 ebdd94cbfdd1197e9bc4c612e663c9582f530e31
SHA256 1a041c61d70e110ccd0761788fee76c5870cf7ea07f1632a86f1262a39f0e4c9
SHA512 83aea60d51116eb082ca919444be4133b5c1b166a0c6ab18953342a2367727f0cd3a552f985918e21247a888415d7cacdd554101617720f8c0abc90c4e4b5d35

memory/5012-255-0x0000000000400000-0x0000000000435000-memory.dmp

memory/5012-258-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3280-263-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3320-265-0x0000000000400000-0x0000000000435000-memory.dmp

memory/216-268-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2612-271-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4760-277-0x0000000000400000-0x0000000000435000-memory.dmp

memory/5056-284-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2356-287-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3668-286-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4424-285-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1440-283-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2300-282-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3492-281-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4044-280-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1216-279-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1048-278-0x0000000000400000-0x0000000000435000-memory.dmp

memory/692-276-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3672-275-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3068-274-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4752-273-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2440-272-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3616-270-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2960-269-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2952-267-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3548-266-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2972-264-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2020-262-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1248-261-0x0000000000400000-0x0000000000435000-memory.dmp

memory/5028-260-0x0000000000400000-0x0000000000435000-memory.dmp

memory/748-259-0x0000000000400000-0x0000000000435000-memory.dmp

memory/5008-257-0x0000000000400000-0x0000000000435000-memory.dmp
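The Files list above is only useful to a responder once it is turned into a machine-readable IOC set, and the memory entries carry a detail worth checking programmatically: every dump on the page covers the same 0x0000000000400000-0x0000000000435000 range, whichever process it came from. The following Python is an added example, not code from the sandbox or from this report: it parses the report's flat path/hash/memory lines into records, reports the distinct image ranges across the dumps, and sweeps a directory for files whose SHA256 matches a dropped file. The excerpt in `SAMPLE` is copied from the list above; the temp directory, the planted `constructed_sample.exe`, and its IOC entry are constructed for the demonstration, since the actual Berbew bytes are not on this page.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

# Excerpt copied verbatim from the report's Files list above (three dropped
# files, three memory dumps); used as the parser's sample input.
SAMPLE = r"""
memory/5056-24-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Bfhhoi32.exe

MD5 b5986319c3e03dcd1d0f8c89e37f9d5a
SHA1 de5a18c107588aa982287ffdd9b9b58c0d8f6e7d
SHA256 a3ddcc13f7ce6a60c89ae2328ee38748b131c6af870e4a8ddb29aca9f8871e25
SHA512 bed782fec1a66acb41b5f7ba9f6fa650ada9cf4f19f16fe399f94e9386d1575f51ad1c0c0dc4e2ef5c94d220ceed27b82fe33dc6a25e0e785c0bf3ce24ece542

memory/1440-31-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\SysWOW64\Qihfjd32.dll

MD5 1f07bfc729d270fa706c8fc3d91efb3a
SHA1 612ec010dd74ff0038561b30041012eac3d799a3
SHA256 7e7a5e0b65969779e22003c06678b1c7c2fe25eb32ddf8752dd03535baadeb9d
SHA512 96af4c0da35264c1bb711cbae62110fd088e659b925d6efcd744606ac579dbf23ac05149b05ba2d32dd2b4c54e2e3f21b3e8014bf89c7299c503708686d6aa1e

C:\Windows\SysWOW64\Banllbdn.exe

MD5 1e97642d84e87fa65b0ae5e32c274c29
SHA1 45a4004e4682ca0241185a173da661415ab355e4
SHA256 9055845cbcc2c2f8c8bbc8cc7edfa4858aebec9b2f197b9da044dcbda6066ff1
SHA512 5d0632a2edd23a29edcfbe5e0c0ff015ad656c5a92367e062f6ee8805890bf76fadb5f0c2423cb114c8286e35e54de9a3db026ce4ef1935849280790f66abb1e

memory/2300-39-0x0000000000400000-0x0000000000435000-memory.dmp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm name -> hex digest


@dataclass
class MemoryDump:
    pid: int
    seq: int    # the report's per-detonation dump counter
    start: int  # virtual address range of the dumped image
    end: int


def parse_report(text):
    """Turn the flat path/hash/memory lines into DroppedFile and MemoryDump records."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append(MemoryDump(int(pid), int(seq), int(start, 16), int(end, 16)))
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
            continue
        if PATH_RE.match(line):  # a new dropped-file entry; hash lines that follow belong to it
            current = DroppedFile(line)
            files.append(current)
    return files, dumps


def image_ranges(dumps):
    """Distinct (start, end) ranges; a single entry means every dumped process mapped the same region."""
    return {(d.start, d.end) for d in dumps}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(root, files):
    """Hash every file under root; return (local_path, report_path) for each SHA256 match."""
    wanted = {f.hashes["SHA256"]: f.path for f in files if "SHA256" in f.hashes}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            local = os.path.join(dirpath, name)
            digest = sha256_of(local)
            if digest in wanted:
                hits.append((local, wanted[digest]))
    return hits


def demo_sweep():
    """Stand-in for sweeping C:\\Windows\\SysWOW64: plants a constructed file, adds its hash
    as a constructed IOC entry, and returns the report paths matched by the sweep."""
    files, _ = parse_report(SAMPLE)
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "constructed_sample.exe")
        with open(planted, "wb") as fh:
            fh.write(b"constructed stand-in, not the Berbew sample")
        with open(os.path.join(root, "benign.txt"), "wb") as fh:
            fh.write(b"unrelated file")
        # Constructed IOC entry (hash of the planted file), not one of the report's hashes.
        files.append(DroppedFile("C:\\Windows\\SysWOW64\\constructed.exe", {"SHA256": sha256_of(planted)}))
        return [report_path for _, report_path in sweep_directory(root, files)]


if __name__ == "__main__":
    parsed_files, parsed_dumps = parse_report(SAMPLE)
    print([(f.path, f.hashes["SHA256"]) for f in parsed_files])
    print("image ranges:", [(hex(s), hex(e)) for s, e in image_ranges(parsed_dumps)])
    print("sweep hits:", demo_sweep())
```

On a live host the sweep would be pointed at `C:\Windows\SysWOW64` with the full list from this page; the three real hashes in `SAMPLE` produce no hit on a clean machine, and only the constructed entry matches the planted file. Matching on SHA256 rather than MD5 or SHA1 is deliberate, since the report supplies all four and the weaker digests add nothing here.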