Malware Analysis Report

2024-12-07 11:44

Sample ID 241113-vlw9eawdqq
Target 5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N
SHA256 5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7

Threat Level: Known bad

The file 5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 17:05

Signatures

Berbew family

berbew

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 17:05

Reported

2024-11-13 17:07

Platform

win7-20240903-en

Max time kernel

84s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qnghel32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apgagg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkegah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aoagccfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bgaebe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ceebklai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Adlcfjgh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cocphf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Apgagg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Alqnah32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkcbnanl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Alnalh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjbndpmd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceebklai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bmpkqklh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bbmcibjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cebeem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bjmeiq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgcbhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bcjcme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pleofj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aakjdo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjmeiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cocphf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cgoelh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alqnah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bjbndpmd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmpkqklh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pleofj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bkegah32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmbcen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dmbcen32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qdncmgbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ajmijmnn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjonncab.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alnalh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adlcfjgh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cmedlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aakjdo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjpaop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bgcbhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cjonncab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qnghel32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajmijmnn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ccjoli32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qdlggg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qdlggg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bcjcme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bjpaop32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmedlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cepipm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgoelh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apedah32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aqbdkk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgaebe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ccjoli32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aoagccfn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cebeem32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Apedah32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Pkcbnanl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pleofj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdlggg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdncmgbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnghel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apedah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajmijmnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Apgagg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afdiondb.exe N/A
N/A N/A C:\Windows\SysWOW64\Alnalh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aakjdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alqnah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adlcfjgh.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoagccfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqbdkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjmeiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgaebe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjpaop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgcbhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjbndpmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmpkqklh.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcjcme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbmcibjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkegah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmedlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cocphf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cepipm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgoelh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cebeem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjonncab.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceebklai.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgcnghpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccjoli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfhkhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmbcen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpapaj32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkcbnanl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkcbnanl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pleofj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pleofj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdlggg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdlggg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdncmgbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdncmgbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnghel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnghel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apedah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apedah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajmijmnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajmijmnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Apgagg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apgagg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afdiondb.exe N/A
N/A N/A C:\Windows\SysWOW64\Afdiondb.exe N/A
N/A N/A C:\Windows\SysWOW64\Alnalh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alnalh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aakjdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aakjdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alqnah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alqnah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adlcfjgh.exe N/A
N/A N/A C:\Windows\SysWOW64\Adlcfjgh.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoagccfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoagccfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqbdkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqbdkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjmeiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjmeiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgaebe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgaebe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjpaop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjpaop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgcbhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgcbhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjbndpmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjbndpmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmpkqklh.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmpkqklh.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcjcme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcjcme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbmcibjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbmcibjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkegah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkegah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmedlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmedlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cocphf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cocphf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cepipm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cepipm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgoelh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgoelh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cebeem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cebeem32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjonncab.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjonncab.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceebklai.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceebklai.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Alnalh32.exe C:\Windows\SysWOW64\Afdiondb.exe N/A
File opened for modification C:\Windows\SysWOW64\Alnalh32.exe C:\Windows\SysWOW64\Afdiondb.exe N/A
File created C:\Windows\SysWOW64\Bmpkqklh.exe C:\Windows\SysWOW64\Bjbndpmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Bcjcme32.exe C:\Windows\SysWOW64\Bmpkqklh.exe N/A
File created C:\Windows\SysWOW64\Mfakaoam.dll C:\Windows\SysWOW64\Bcjcme32.exe N/A
File created C:\Windows\SysWOW64\Lmajfk32.dll C:\Windows\SysWOW64\Bkegah32.exe N/A
File created C:\Windows\SysWOW64\Cofdbf32.dll C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe N/A
File opened for modification C:\Windows\SysWOW64\Pleofj32.exe C:\Windows\SysWOW64\Pkcbnanl.exe N/A
File created C:\Windows\SysWOW64\Qoblpdnf.dll C:\Windows\SysWOW64\Aakjdo32.exe N/A
File created C:\Windows\SysWOW64\Aqbdkk32.exe C:\Windows\SysWOW64\Aoagccfn.exe N/A
File created C:\Windows\SysWOW64\Cmedlk32.exe C:\Windows\SysWOW64\Bkegah32.exe N/A
File created C:\Windows\SysWOW64\Qnghel32.exe C:\Windows\SysWOW64\Qdncmgbj.exe N/A
File created C:\Windows\SysWOW64\Cebeem32.exe C:\Windows\SysWOW64\Cgoelh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjonncab.exe C:\Windows\SysWOW64\Cebeem32.exe N/A
File created C:\Windows\SysWOW64\Hqjpab32.dll C:\Windows\SysWOW64\Apedah32.exe N/A
File created C:\Windows\SysWOW64\Lgpgbj32.dll C:\Windows\SysWOW64\Afdiondb.exe N/A
File created C:\Windows\SysWOW64\Omakjj32.dll C:\Windows\SysWOW64\Ceebklai.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjbndpmd.exe C:\Windows\SysWOW64\Bgcbhd32.exe N/A
File created C:\Windows\SysWOW64\Gdgqdaoh.dll C:\Windows\SysWOW64\Cocphf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Apgagg32.exe C:\Windows\SysWOW64\Ajmijmnn.exe N/A
File created C:\Windows\SysWOW64\Ajmijmnn.exe C:\Windows\SysWOW64\Apedah32.exe N/A
File created C:\Windows\SysWOW64\Adlcfjgh.exe C:\Windows\SysWOW64\Alqnah32.exe N/A
File created C:\Windows\SysWOW64\Hiablm32.dll C:\Windows\SysWOW64\Bmpkqklh.exe N/A
File created C:\Windows\SysWOW64\Cgoelh32.exe C:\Windows\SysWOW64\Cepipm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmbcen32.exe C:\Windows\SysWOW64\Cfhkhd32.exe N/A
File created C:\Windows\SysWOW64\Oeopijom.dll C:\Windows\SysWOW64\Cebeem32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qdlggg32.exe C:\Windows\SysWOW64\Pleofj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjpaop32.exe C:\Windows\SysWOW64\Bgaebe32.exe N/A
File created C:\Windows\SysWOW64\Gfikmo32.dll C:\Windows\SysWOW64\Bgcbhd32.exe N/A
File created C:\Windows\SysWOW64\Bbmcibjp.exe C:\Windows\SysWOW64\Bcjcme32.exe N/A
File created C:\Windows\SysWOW64\Cepipm32.exe C:\Windows\SysWOW64\Cocphf32.exe N/A
File created C:\Windows\SysWOW64\Ciohdhad.dll C:\Windows\SysWOW64\Cgcnghpl.exe N/A
File created C:\Windows\SysWOW64\Pdkefp32.dll C:\Windows\SysWOW64\Dmbcen32.exe N/A
File created C:\Windows\SysWOW64\Alqnah32.exe C:\Windows\SysWOW64\Aakjdo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\Dmbcen32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cepipm32.exe C:\Windows\SysWOW64\Cocphf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Afdiondb.exe C:\Windows\SysWOW64\Apgagg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bgcbhd32.exe C:\Windows\SysWOW64\Bjpaop32.exe N/A
File created C:\Windows\SysWOW64\Fikbiheg.dll C:\Windows\SysWOW64\Cfhkhd32.exe N/A
File created C:\Windows\SysWOW64\Apgagg32.exe C:\Windows\SysWOW64\Ajmijmnn.exe N/A
File created C:\Windows\SysWOW64\Bjpaop32.exe C:\Windows\SysWOW64\Bgaebe32.exe N/A
File created C:\Windows\SysWOW64\Cdpkangm.dll C:\Windows\SysWOW64\Bgaebe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmedlk32.exe C:\Windows\SysWOW64\Bkegah32.exe N/A
File created C:\Windows\SysWOW64\Cocphf32.exe C:\Windows\SysWOW64\Cmedlk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ccjoli32.exe C:\Windows\SysWOW64\Cgcnghpl.exe N/A
File created C:\Windows\SysWOW64\Dmbcen32.exe C:\Windows\SysWOW64\Cfhkhd32.exe N/A
File created C:\Windows\SysWOW64\Incleo32.dll C:\Windows\SysWOW64\Apgagg32.exe N/A
File created C:\Windows\SysWOW64\Kmhnlgkg.dll C:\Windows\SysWOW64\Aoagccfn.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceebklai.exe C:\Windows\SysWOW64\Cjonncab.exe N/A
File opened for modification C:\Windows\SysWOW64\Alqnah32.exe C:\Windows\SysWOW64\Aakjdo32.exe N/A
File created C:\Windows\SysWOW64\Kgloog32.dll C:\Windows\SysWOW64\Cjonncab.exe N/A
File created C:\Windows\SysWOW64\Pleofj32.exe C:\Windows\SysWOW64\Pkcbnanl.exe N/A
File opened for modification C:\Windows\SysWOW64\Qdncmgbj.exe C:\Windows\SysWOW64\Qdlggg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Apedah32.exe C:\Windows\SysWOW64\Qnghel32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgoelh32.exe C:\Windows\SysWOW64\Cepipm32.exe N/A
File created C:\Windows\SysWOW64\Cgcnghpl.exe C:\Windows\SysWOW64\Ceebklai.exe N/A
File created C:\Windows\SysWOW64\Nlbjim32.dll C:\Windows\SysWOW64\Pkcbnanl.exe N/A
File opened for modification C:\Windows\SysWOW64\Aakjdo32.exe C:\Windows\SysWOW64\Alnalh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aqbdkk32.exe C:\Windows\SysWOW64\Aoagccfn.exe N/A
File created C:\Windows\SysWOW64\Bgaebe32.exe C:\Windows\SysWOW64\Bjmeiq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bgaebe32.exe C:\Windows\SysWOW64\Bjmeiq32.exe N/A
File created C:\Windows\SysWOW64\Cpqmndme.dll C:\Windows\SysWOW64\Qnghel32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjmeiq32.exe C:\Windows\SysWOW64\Aqbdkk32.exe N/A
File created C:\Windows\SysWOW64\Dfefmpeo.dll C:\Windows\SysWOW64\Bjpaop32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\system32\Fpbdkn32.dll C:\Windows\SysWOW64\Dpapaj32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjbndpmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bbmcibjp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cebeem32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceebklai.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aoagccfn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjmeiq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgcbhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alnalh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcjcme32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ccjoli32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmpkqklh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkegah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdlggg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apedah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apgagg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkcbnanl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alqnah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cepipm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjpaop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdncmgbj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adlcfjgh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qnghel32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgaebe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjonncab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aakjdo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aqbdkk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmedlk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cocphf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgoelh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pleofj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajmijmnn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afdiondb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmbcen32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjonncab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Aakjdo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Alnalh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmedlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll" C:\Windows\SysWOW64\Cjonncab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ccjoli32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll" C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Apgagg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll" C:\Windows\SysWOW64\Bgcbhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ccjoli32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bjmeiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Adlcfjgh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll" C:\Windows\SysWOW64\Bjpaop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cepipm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgoelh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll" C:\Windows\SysWOW64\Ccjoli32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbkdn32.dll" C:\Windows\SysWOW64\Qdncmgbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incjbkig.dll" C:\Windows\SysWOW64\Ajmijmnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alqnah32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bgcbhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cgoelh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" C:\Windows\SysWOW64\Dmbcen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll" C:\Windows\SysWOW64\Bmpkqklh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll" C:\Windows\SysWOW64\Qnghel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll" C:\Windows\SysWOW64\Bjmeiq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bbmcibjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll" C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll" C:\Windows\SysWOW64\Alnalh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll" C:\Windows\SysWOW64\Cocphf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs C:\Windows\SysWOW64\Dpapaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjpab32.dll" C:\Windows\SysWOW64\Apedah32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ceebklai.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Qdlggg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qdlggg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aqbdkk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bjpaop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjpaop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bkegah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll" C:\Windows\SysWOW64\Cebeem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll" C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cjonncab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldhcb32.dll" C:\Windows\SysWOW64\Qdlggg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Alqnah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhnlgkg.dll" C:\Windows\SysWOW64\Aoagccfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cocphf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dmbcen32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pleofj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Afdiondb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll" C:\Windows\SysWOW64\Alqnah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgaebe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bmpkqklh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbcjo32.dll" C:\Windows\SysWOW64\Pleofj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll" C:\Windows\SysWOW64\Bbmcibjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ajmijmnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll" C:\Windows\SysWOW64\Bgaebe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll" C:\Windows\SysWOW64\Bjbndpmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cmedlk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incleo32.dll" C:\Windows\SysWOW64\Apgagg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bcjcme32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1768 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe C:\Windows\SysWOW64\Pkcbnanl.exe
PID 1768 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe C:\Windows\SysWOW64\Pkcbnanl.exe
PID 1768 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe C:\Windows\SysWOW64\Pkcbnanl.exe
PID 1768 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe C:\Windows\SysWOW64\Pkcbnanl.exe
PID 3028 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Pkcbnanl.exe C:\Windows\SysWOW64\Pleofj32.exe
PID 3028 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Pkcbnanl.exe C:\Windows\SysWOW64\Pleofj32.exe
PID 3028 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Pkcbnanl.exe C:\Windows\SysWOW64\Pleofj32.exe
PID 3028 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Pkcbnanl.exe C:\Windows\SysWOW64\Pleofj32.exe
PID 2188 wrote to memory of 1292 N/A C:\Windows\SysWOW64\Pleofj32.exe C:\Windows\SysWOW64\Qdlggg32.exe
PID 2188 wrote to memory of 1292 N/A C:\Windows\SysWOW64\Pleofj32.exe C:\Windows\SysWOW64\Qdlggg32.exe
PID 2188 wrote to memory of 1292 N/A C:\Windows\SysWOW64\Pleofj32.exe C:\Windows\SysWOW64\Qdlggg32.exe
PID 2188 wrote to memory of 1292 N/A C:\Windows\SysWOW64\Pleofj32.exe C:\Windows\SysWOW64\Qdlggg32.exe
PID 1292 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Qdlggg32.exe C:\Windows\SysWOW64\Qdncmgbj.exe
PID 1292 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Qdlggg32.exe C:\Windows\SysWOW64\Qdncmgbj.exe
PID 1292 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Qdlggg32.exe C:\Windows\SysWOW64\Qdncmgbj.exe
PID 1292 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Qdlggg32.exe C:\Windows\SysWOW64\Qdncmgbj.exe
PID 2808 wrote to memory of 2832 N/A C:\Windows\SysWOW64\Qdncmgbj.exe C:\Windows\SysWOW64\Qnghel32.exe
PID 2808 wrote to memory of 2832 N/A C:\Windows\SysWOW64\Qdncmgbj.exe C:\Windows\SysWOW64\Qnghel32.exe
PID 2808 wrote to memory of 2832 N/A C:\Windows\SysWOW64\Qdncmgbj.exe C:\Windows\SysWOW64\Qnghel32.exe
PID 2808 wrote to memory of 2832 N/A C:\Windows\SysWOW64\Qdncmgbj.exe C:\Windows\SysWOW64\Qnghel32.exe
PID 2832 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Qnghel32.exe C:\Windows\SysWOW64\Apedah32.exe
PID 2832 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Qnghel32.exe C:\Windows\SysWOW64\Apedah32.exe
PID 2832 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Qnghel32.exe C:\Windows\SysWOW64\Apedah32.exe
PID 2832 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Qnghel32.exe C:\Windows\SysWOW64\Apedah32.exe
PID 2636 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Apedah32.exe C:\Windows\SysWOW64\Ajmijmnn.exe
PID 2636 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Apedah32.exe C:\Windows\SysWOW64\Ajmijmnn.exe
PID 2636 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Apedah32.exe C:\Windows\SysWOW64\Ajmijmnn.exe
PID 2636 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Apedah32.exe C:\Windows\SysWOW64\Ajmijmnn.exe
PID 2544 wrote to memory of 2848 N/A C:\Windows\SysWOW64\Ajmijmnn.exe C:\Windows\SysWOW64\Apgagg32.exe
PID 2544 wrote to memory of 2848 N/A C:\Windows\SysWOW64\Ajmijmnn.exe C:\Windows\SysWOW64\Apgagg32.exe
PID 2544 wrote to memory of 2848 N/A C:\Windows\SysWOW64\Ajmijmnn.exe C:\Windows\SysWOW64\Apgagg32.exe
PID 2544 wrote to memory of 2848 N/A C:\Windows\SysWOW64\Ajmijmnn.exe C:\Windows\SysWOW64\Apgagg32.exe
PID 2848 wrote to memory of 2356 N/A C:\Windows\SysWOW64\Apgagg32.exe C:\Windows\SysWOW64\Afdiondb.exe
PID 2848 wrote to memory of 2356 N/A C:\Windows\SysWOW64\Apgagg32.exe C:\Windows\SysWOW64\Afdiondb.exe
PID 2848 wrote to memory of 2356 N/A C:\Windows\SysWOW64\Apgagg32.exe C:\Windows\SysWOW64\Afdiondb.exe
PID 2848 wrote to memory of 2356 N/A C:\Windows\SysWOW64\Apgagg32.exe C:\Windows\SysWOW64\Afdiondb.exe
PID 2356 wrote to memory of 1940 N/A C:\Windows\SysWOW64\Afdiondb.exe C:\Windows\SysWOW64\Alnalh32.exe
PID 2356 wrote to memory of 1940 N/A C:\Windows\SysWOW64\Afdiondb.exe C:\Windows\SysWOW64\Alnalh32.exe
PID 2356 wrote to memory of 1940 N/A C:\Windows\SysWOW64\Afdiondb.exe C:\Windows\SysWOW64\Alnalh32.exe
PID 2356 wrote to memory of 1940 N/A C:\Windows\SysWOW64\Afdiondb.exe C:\Windows\SysWOW64\Alnalh32.exe
PID 1940 wrote to memory of 1484 N/A C:\Windows\SysWOW64\Alnalh32.exe C:\Windows\SysWOW64\Aakjdo32.exe
PID 1940 wrote to memory of 1484 N/A C:\Windows\SysWOW64\Alnalh32.exe C:\Windows\SysWOW64\Aakjdo32.exe
PID 1940 wrote to memory of 1484 N/A C:\Windows\SysWOW64\Alnalh32.exe C:\Windows\SysWOW64\Aakjdo32.exe
PID 1940 wrote to memory of 1484 N/A C:\Windows\SysWOW64\Alnalh32.exe C:\Windows\SysWOW64\Aakjdo32.exe
PID 1484 wrote to memory of 1284 N/A C:\Windows\SysWOW64\Aakjdo32.exe C:\Windows\SysWOW64\Alqnah32.exe
PID 1484 wrote to memory of 1284 N/A C:\Windows\SysWOW64\Aakjdo32.exe C:\Windows\SysWOW64\Alqnah32.exe
PID 1484 wrote to memory of 1284 N/A C:\Windows\SysWOW64\Aakjdo32.exe C:\Windows\SysWOW64\Alqnah32.exe
PID 1484 wrote to memory of 1284 N/A C:\Windows\SysWOW64\Aakjdo32.exe C:\Windows\SysWOW64\Alqnah32.exe
PID 1284 wrote to memory of 628 N/A C:\Windows\SysWOW64\Alqnah32.exe C:\Windows\SysWOW64\Adlcfjgh.exe
PID 1284 wrote to memory of 628 N/A C:\Windows\SysWOW64\Alqnah32.exe C:\Windows\SysWOW64\Adlcfjgh.exe
PID 1284 wrote to memory of 628 N/A C:\Windows\SysWOW64\Alqnah32.exe C:\Windows\SysWOW64\Adlcfjgh.exe
PID 1284 wrote to memory of 628 N/A C:\Windows\SysWOW64\Alqnah32.exe C:\Windows\SysWOW64\Adlcfjgh.exe
PID 628 wrote to memory of 2748 N/A C:\Windows\SysWOW64\Adlcfjgh.exe C:\Windows\SysWOW64\Aoagccfn.exe
PID 628 wrote to memory of 2748 N/A C:\Windows\SysWOW64\Adlcfjgh.exe C:\Windows\SysWOW64\Aoagccfn.exe
PID 628 wrote to memory of 2748 N/A C:\Windows\SysWOW64\Adlcfjgh.exe C:\Windows\SysWOW64\Aoagccfn.exe
PID 628 wrote to memory of 2748 N/A C:\Windows\SysWOW64\Adlcfjgh.exe C:\Windows\SysWOW64\Aoagccfn.exe
PID 2748 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Aoagccfn.exe C:\Windows\SysWOW64\Aqbdkk32.exe
PID 2748 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Aoagccfn.exe C:\Windows\SysWOW64\Aqbdkk32.exe
PID 2748 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Aoagccfn.exe C:\Windows\SysWOW64\Aqbdkk32.exe
PID 2748 wrote to memory of 1656 N/A C:\Windows\SysWOW64\Aoagccfn.exe C:\Windows\SysWOW64\Aqbdkk32.exe
PID 1656 wrote to memory of 1396 N/A C:\Windows\SysWOW64\Aqbdkk32.exe C:\Windows\SysWOW64\Bjmeiq32.exe
PID 1656 wrote to memory of 1396 N/A C:\Windows\SysWOW64\Aqbdkk32.exe C:\Windows\SysWOW64\Bjmeiq32.exe
PID 1656 wrote to memory of 1396 N/A C:\Windows\SysWOW64\Aqbdkk32.exe C:\Windows\SysWOW64\Bjmeiq32.exe
PID 1656 wrote to memory of 1396 N/A C:\Windows\SysWOW64\Aqbdkk32.exe C:\Windows\SysWOW64\Bjmeiq32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe

"C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe"

C:\Windows\SysWOW64\Pkcbnanl.exe

C:\Windows\system32\Pkcbnanl.exe

C:\Windows\SysWOW64\Pleofj32.exe

C:\Windows\system32\Pleofj32.exe

C:\Windows\SysWOW64\Qdlggg32.exe

C:\Windows\system32\Qdlggg32.exe

C:\Windows\SysWOW64\Qdncmgbj.exe

C:\Windows\system32\Qdncmgbj.exe

C:\Windows\SysWOW64\Qnghel32.exe

C:\Windows\system32\Qnghel32.exe

C:\Windows\SysWOW64\Apedah32.exe

C:\Windows\system32\Apedah32.exe

C:\Windows\SysWOW64\Ajmijmnn.exe

C:\Windows\system32\Ajmijmnn.exe

C:\Windows\SysWOW64\Apgagg32.exe

C:\Windows\system32\Apgagg32.exe

C:\Windows\SysWOW64\Afdiondb.exe

C:\Windows\system32\Afdiondb.exe

C:\Windows\SysWOW64\Alnalh32.exe

C:\Windows\system32\Alnalh32.exe

C:\Windows\SysWOW64\Aakjdo32.exe

C:\Windows\system32\Aakjdo32.exe

C:\Windows\SysWOW64\Alqnah32.exe

C:\Windows\system32\Alqnah32.exe

C:\Windows\SysWOW64\Adlcfjgh.exe

C:\Windows\system32\Adlcfjgh.exe

C:\Windows\SysWOW64\Aoagccfn.exe

C:\Windows\system32\Aoagccfn.exe

C:\Windows\SysWOW64\Aqbdkk32.exe

C:\Windows\system32\Aqbdkk32.exe

C:\Windows\SysWOW64\Bjmeiq32.exe

C:\Windows\system32\Bjmeiq32.exe

C:\Windows\SysWOW64\Bgaebe32.exe

C:\Windows\system32\Bgaebe32.exe

C:\Windows\SysWOW64\Bjpaop32.exe

C:\Windows\system32\Bjpaop32.exe

C:\Windows\SysWOW64\Bgcbhd32.exe

C:\Windows\system32\Bgcbhd32.exe

C:\Windows\SysWOW64\Bjbndpmd.exe

C:\Windows\system32\Bjbndpmd.exe

C:\Windows\SysWOW64\Bmpkqklh.exe

C:\Windows\system32\Bmpkqklh.exe

C:\Windows\SysWOW64\Bcjcme32.exe

C:\Windows\system32\Bcjcme32.exe

C:\Windows\SysWOW64\Bbmcibjp.exe

C:\Windows\system32\Bbmcibjp.exe

C:\Windows\SysWOW64\Bkegah32.exe

C:\Windows\system32\Bkegah32.exe

C:\Windows\SysWOW64\Cmedlk32.exe

C:\Windows\system32\Cmedlk32.exe

C:\Windows\SysWOW64\Cocphf32.exe

C:\Windows\system32\Cocphf32.exe

C:\Windows\SysWOW64\Cepipm32.exe

C:\Windows\system32\Cepipm32.exe

C:\Windows\SysWOW64\Cgoelh32.exe

C:\Windows\system32\Cgoelh32.exe

C:\Windows\SysWOW64\Cebeem32.exe

C:\Windows\system32\Cebeem32.exe

C:\Windows\SysWOW64\Cjonncab.exe

C:\Windows\system32\Cjonncab.exe

C:\Windows\SysWOW64\Ceebklai.exe

C:\Windows\system32\Ceebklai.exe

C:\Windows\SysWOW64\Cgcnghpl.exe

C:\Windows\system32\Cgcnghpl.exe

C:\Windows\SysWOW64\Ccjoli32.exe

C:\Windows\system32\Ccjoli32.exe

C:\Windows\SysWOW64\Cfhkhd32.exe

C:\Windows\system32\Cfhkhd32.exe

C:\Windows\SysWOW64\Dmbcen32.exe

C:\Windows\system32\Dmbcen32.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

Network

N/A

Files

memory/1768-0-0x0000000000400000-0x000000000043C000-memory.dmp

\Windows\SysWOW64\Pkcbnanl.exe

MD5 11a6fcc40a7c5545e39f1595ef49a0c3
SHA1 07e40fb746ea2623ff9f4d7ed605cca6587ca08f
SHA256 a13573ed8e6bc0d035556d4d5f188b6d9bae15fd1071a269974f3307643470f7
SHA512 7697309370de4ddd817b8b9ca89d6cc9a10269624ba3fe22878d43da6c206fe176b440b579f2ca7369bbbad029f511907fb323796ce356ec440d8f069e3e8068

memory/3028-19-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1768-18-0x0000000000440000-0x000000000047C000-memory.dmp

memory/1768-17-0x0000000000440000-0x000000000047C000-memory.dmp

C:\Windows\SysWOW64\Pleofj32.exe

MD5 540dc8018845a6fbd678df780ed7ab77
SHA1 30547d6fd29e0d31a60dfd3e655e2009058431b3
SHA256 6c966309d25f4670e8174911e9fb9348eedbcbe3823485339f8d9ca45d319705
SHA512 d137177066a6ba5d4d3cc8b70bdbc49d3eced31aeb5cb8f2c6133dcda767249379757e0f05dd0823dde68ebbd36dc3e016c930370f76e22954ed447843d05678

memory/2188-27-0x0000000000400000-0x000000000043C000-memory.dmp

\Windows\SysWOW64\Qdlggg32.exe

MD5 7c990217905ea50d09ba4397d75f9bc7
SHA1 ce5e89f96fb5517a35d0470d9c52777e753b5a47
SHA256 1f03ef8b32a2d0f5cdd064823c2ce5d9df8dfdd78b140c54cf9513d7893a24fd
SHA512 a2b27714918e7e079e2b789601aa1aab11f14ca7d1e03b85caf0fdd34fc0c61c7b4fa60fe404c8484c535de3da13ec8084a64f19cd6c4070982a09b1e382a0c8

memory/2188-34-0x0000000000250000-0x000000000028C000-memory.dmp

memory/2188-41-0x0000000000250000-0x000000000028C000-memory.dmp

\Windows\SysWOW64\Qdncmgbj.exe

MD5 21bbdc1041684969d30c11ffe65f9700
SHA1 8fd84bed1f7e9df68a9b4a269d56aae35f3125de
SHA256 c63832de15161799b97ee1740a5aa151e783568165ef99a5e8125ac1c31e5891
SHA512 98cfaf0f0501ba43c7850c243104c92c42ffac41f4966f07bf1fc2234438a31820cba2f83728392e6ce1559c27b5af492d517bc34dbd50cd08b3619c2e3e21b1

memory/2808-54-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Olbkdn32.dll

MD5 b1c7081c13eaa25419d85091c6290ac9
SHA1 a88c29895a759eda6db4564e501ca0e43f120f96
SHA256 9afc9830714b672861091d7d918e7eff303510a5ef9555257d673443d891b5a6
SHA512 6b3ab4188f31a4ead187b6ad1a23d6edc8df0077115d34ff3f3f51aaa6c79d813ba3d9b8fa4e36faa7781374129280f2aa9eea4c589752181f351027e2cd1d6e

\Windows\SysWOW64\Qnghel32.exe

MD5 947eae214606492dcf74efd9ecd4ddf3
SHA1 f031bfe556d3d49e6c024f1c40ba01691e31d883
SHA256 4ab9fbb588ec06cdef059d37718d547bc5b8fd2b5f8c78d274279c18c70854c6
SHA512 3da24733857938971085c0ff73cdcbcb2e5f91eb0082223668794ebb357e79fc2e8907aca3d99864e3fe53e92600f3592bdb33614e38d4882c2de741f9698cf6

memory/2808-62-0x0000000000250000-0x000000000028C000-memory.dmp

C:\Windows\SysWOW64\Apedah32.exe

MD5 2701ef486ed72274eeb1c27e7edbbffa
SHA1 bcab0fe6a58603ee29dfca3f2b2ccea07746f5e7
SHA256 2771c2e6855247b5e85e032f5a4f723a7bf90769a35d80242a9193c93199385f
SHA512 d461076149012491b064e5c2fe7c0845e6e993664c140ac791bf75c0c205d725934184711c012aa28993ab8ccfb41f398cefd623b73635aeafcb88e0f86e2323

memory/2832-81-0x0000000000250000-0x000000000028C000-memory.dmp

memory/2832-75-0x0000000000400000-0x000000000043C000-memory.dmp

\Windows\SysWOW64\Ajmijmnn.exe

MD5 7c31525868ce8b6b4ba30c92e4785477
SHA1 505ec0fd0584980fdb7781bc302bb643d594c248
SHA256 ce8842302913014a7feaa7ac7b177af3a040573a7bde41e40ceaa95d14211c26
SHA512 6d83e3a16d12c3e6bc04d9f13bd44c9f994140917073097cd62409db7af60688de3cb827efc30f886507a5401e8c7944f31157c3b4fa07374cbfe0ac47b1b678

memory/2636-88-0x00000000002A0000-0x00000000002DC000-memory.dmp

C:\Windows\SysWOW64\Apgagg32.exe

MD5 d960f240a4e40ea74cc8e1efd846f6e1
SHA1 bbf11063bb30bf09a103e7af9a8a49e7ec8eae5b
SHA256 2542a2acd59a28cfdd0bd2ee5a887f5c0677bdd1bee109dca186e9e65f7990ff
SHA512 84a22dee36bbad44cfe500cca026c61bfcfba5590182789d71e05dc9e939dd01fd273ba4d5953e9e085f6973add398dfb1b9007e0defcff0d8f718df662a2582

memory/2848-107-0x0000000000400000-0x000000000043C000-memory.dmp

\Windows\SysWOW64\Afdiondb.exe

MD5 c17a98c69136f1190e3ce6ec76ab1fb7
SHA1 9f6cb0a65c0c16da6d0277e056316ade7252823f
SHA256 88787372ef365f1f347e5bb4b5840b9c70c390e87501afdfb5f53f40e9d2ec3a
SHA512 5dcb13ee44bf5437d70237f10ced19733aeedf50d45ab086fcfb0c1f2e0eb4d1c951420e70f14db4c2c33a30520e26a7d853450fc467e9bb974addf511f7f8ad

memory/2848-114-0x0000000000250000-0x000000000028C000-memory.dmp

memory/2356-121-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1940-134-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Alnalh32.exe

MD5 13f76f5e96c3dcf74417186d65115443
SHA1 9564a8ed4cd6324902f3ee2e03ec25e922b004bc
SHA256 b61cc2577a97abe1d57d717d724dd64854aac0100d8e8f83983ca524c4067493
SHA512 6d1494985121695cd2dece410faa559f05dd5b1f6cd82f5d046820986f7f4312c372b386608e746d78cb0700b55219dbe557a13d2189ad4a7d9d29e0edb00aaa

\Windows\SysWOW64\Aakjdo32.exe

MD5 4fd4331c942ddd17c8b4da75f24731db
SHA1 fb7ea1f26f9ffbdeb390686bb95068207b9a207a
SHA256 98436ab6e4606c8c8409ad8e6594fc707515019f7aa338940db96befe73af422
SHA512 0148071d48328b88f057cecc28823b5d8437aabf048a65ad279b02290b0db5696d06bef948912733d946b9b4d0ff0a2777c1ff04769fdac7fd01b91769bf37cf

memory/1940-141-0x0000000000440000-0x000000000047C000-memory.dmp

memory/1484-153-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1284-161-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Alqnah32.exe

MD5 d73e8d2a566b758d69c5857808cb17c4
SHA1 6b27931e9284ab9e79a12077e58f3484d21ce8d0
SHA256 011f885665c608759b2bd493f39d06ef47f35276d4220b8659acf1b98a86b5cb
SHA512 7487d7d44e3a46f1b63f415a9ba84f7ed2b6f6067b972e55e3f9c3b2e2f65ecccfecfecd7afb46d73d526ce43b51a983c15c3c8210ea9834e159260aa7a65621

\Windows\SysWOW64\Adlcfjgh.exe

MD5 4a2aa49168ecf318abbb1faf66bd63e6
SHA1 b0e96ab5c1b9a8f472ed867e7bb7ed32c9cfc43d
SHA256 d1791f19e17cd8577e3792b43cf0187abe2c04118321c24124477f72f4ac5bd0
SHA512 c9e41c15d08e9cd3e86ab72bb7c248601932401a3cd36ba0c65ae1bd516cd9b61291e1f9565680de0621d183e25a54e3c2651971dc8781cf66a2ce9001f175f9

memory/1284-169-0x00000000002F0000-0x000000000032C000-memory.dmp

memory/628-175-0x0000000000400000-0x000000000043C000-memory.dmp

\Windows\SysWOW64\Aoagccfn.exe

MD5 c92c8ff5eeb69fc6c151f6f7e08174d6
SHA1 68fe0a5c78034c2bb19f25e065ce706199d5cbca
SHA256 4f1342150072364abc2419564dcc153a5ffbc21c8d3afb65205ee822e11fbe49
SHA512 717af78083b2414601fa8d7c39b2d5e630b4fb441e368af2a498bc49a52089cb48b69cceb53064abe99b07db7c17673f9e645936ecda5011212d67f26e9f2b19

memory/2748-188-0x0000000000400000-0x000000000043C000-memory.dmp

\Windows\SysWOW64\Aqbdkk32.exe

MD5 ca80e3815abfd79a9ff2ce86823dfcce
SHA1 00ae2a0a2923f93e4808d80acee91655e63e0e0e
SHA256 c161a6a97b553364435202be2daafb1cbd183db7d3db79a8683fbf30bca4a9cb
SHA512 eed28d1e6dc7b762903dcaf45dab1c9ad293388a0c334b8172cda5aee036db44ecd0ead1372292b67ce9e982e9c313479ab9a09db93c259969b89db5a8dd932d

memory/2748-196-0x0000000000290000-0x00000000002CC000-memory.dmp

\Windows\SysWOW64\Bjmeiq32.exe

MD5 210c5802ab1f7b738a540c20432d6f8a
SHA1 c18c9a19c2a1eca2ea2508e003e7cffe35f82154
SHA256 f5f89b882091ee6beeb3103c47c7321890ac41de117191eaa611f1be20513bf0
SHA512 5d07a8a70f9ad4b22a53c477b4a287b8560d749621aeeed343258181c729073ee24344881055acda1b9504c6154f3ff0ab2b401832c3e063d6db60cfd09edee7

memory/1656-209-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1396-216-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1656-210-0x0000000000270000-0x00000000002AC000-memory.dmp

memory/1396-227-0x00000000002D0000-0x000000000030C000-memory.dmp

C:\Windows\SysWOW64\Bgaebe32.exe

MD5 42e36b76c93a776dca5ffcf3cda39e51
SHA1 a1d12bd3ab5e6f1e061d890c5681777fc89bbd1d
SHA256 b542ead0441c221c396c2989b1358a976ad9517b444bae2190d8c1b2a7fd4992
SHA512 53585e4b11f199900fc00f6e02729df74612fd7470f71104db8f9a8264fd8244772f527794ce20439962d30a49dc62763b67ef453f473cd85196fa58d4dfebb2

memory/1396-223-0x00000000002D0000-0x000000000030C000-memory.dmp

memory/2000-233-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Bjpaop32.exe

MD5 cf12d78eb973535aa20ed404d0252cb5
SHA1 5b7bbb1e2be5c39df0d67745bff65f6dc15b6ab7
SHA256 3871c35790f810c006b2e1d6621bd2971077ee6a5909383d1c1361d2e70801a9
SHA512 34c94f0bbe1cbe525c396d1c7483b44acfeb1100e39cdb3ae5a88d183999fd8dd4edfbcd50c62b01bab4ab56889afd031feeeb6a7892b36fa35bcb400daa17d6

memory/1008-237-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Bgcbhd32.exe

MD5 a4bba69be5f6e45257a449232186b91f
SHA1 2ad4524069d406aa2c10fdbf57ff04bc907a0897
SHA256 10b559c43ffaab5b363f9398a26e239f52b401e47f3e547abe14e362456d838a
SHA512 6b9dc4f9b90cdcb35cc8b75790d21e67ca71264255abdfa7e2adab63de7fae236d4cad1449ec76dc2ece6f50e4b13c71a7d4f98fb225a6a76ad899e17b73ae74

memory/1752-246-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1620-256-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1752-255-0x0000000000250000-0x000000000028C000-memory.dmp

C:\Windows\SysWOW64\Bjbndpmd.exe

MD5 7046ceabc7ca996fb9ab5b1b652a30b2
SHA1 4aa252fc1219f424710d9699d1318e6fecbe90da
SHA256 ba49fe15a76978deff1bf0e4ed880b5db636bc9776d152f1975d261f193165db
SHA512 e3daadf566f46d492362857f86bedb6feed942dc8ab1976b1282356d912808303354ad007d1d16064ec6f10e235767acf86e66baae758bd45e43f28c57e23cdc

C:\Windows\SysWOW64\Bmpkqklh.exe

MD5 704fcbc770cc5737072342cd154e7696
SHA1 42b984f93aab1072c71560a22056e5519db82111
SHA256 87c9e311eb8bfc3567d89ce4eeac09a2554ca818673329cce2895344f80e11ee
SHA512 68521f4eb5d1ae432e9aba33d47778ce13e0cd3355585206d012ff5e30438bbf958afa8e88df71eea54c10a5774ab3495141d7998715a2e4a29e709cc33a957e

memory/1620-265-0x0000000000330000-0x000000000036C000-memory.dmp

memory/2296-270-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Bcjcme32.exe

MD5 8b25743fdf045e53bb9e7c4e4eaf3f1f
SHA1 26987df5dbf0f76eec63545713972fde6aa1701d
SHA256 1ffe294b4b61e189c802ac203c26014ae7d24bca52fe086d41be4b061c2c5a7f
SHA512 66667a4e84ab50677f88d9d35f33169ca5210a9a5e009973d8c16b4eda8e886c9a6a5496b87c0035d5685e27fd2c0fad57e2144dc6d2269939a3a939aed6dc23

memory/988-277-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2296-276-0x0000000000250000-0x000000000028C000-memory.dmp

memory/2296-275-0x0000000000250000-0x000000000028C000-memory.dmp

C:\Windows\SysWOW64\Bbmcibjp.exe

MD5 bec70ef15ffe6cb8632998b7b742241d
SHA1 bd6c15f5548c5c5b84a8da9430fdea46ebe36df0
SHA256 0001993d769ed19144864b91503384b198bb803109d82b692d2dafa07dcfed81
SHA512 d7742f86e1d35795b8ca0c3d07b8d3b94d7a01b5bda8e96775088d92f37f0721bcafec9a5ac33556f7fd5550f11820378a241ce4281a2355f8cf06d5241e389d

memory/988-287-0x0000000000290000-0x00000000002CC000-memory.dmp

memory/1492-292-0x0000000000400000-0x000000000043C000-memory.dmp

memory/988-286-0x0000000000290000-0x00000000002CC000-memory.dmp

C:\Windows\SysWOW64\Bkegah32.exe

MD5 43a37ebf223960b89e37ec6020172fbf
SHA1 b0556eae641e7520a74e27484cd30975b3ecef6e
SHA256 25ff055913ca04664556366d8319d83c69c5a2e8d78d6c53e8e7e8c40b096015
SHA512 aec97b3f73f7ec227461e65c7426c75feb3cf107d0ff49069bec37b6de354b068791590ac79cc451d726d4525d831fb911dab3789e39a09db2d12e9ab933a88b

memory/1632-299-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1492-298-0x0000000000250000-0x000000000028C000-memory.dmp

memory/1492-297-0x0000000000250000-0x000000000028C000-memory.dmp

C:\Windows\SysWOW64\Cmedlk32.exe

MD5 3efd6bdd3073f52653753d6d92a0bf92
SHA1 41f43956555b2532205fac7e2723cd64d60130a1
SHA256 4a09a94131b83d595f6b4bb0aa118b128f036ac8dc2c29c0a2b36578e251f504
SHA512 62e51b34555c52426f97cddd6c2e3b6a8b318b0ec91c948b59ac0f20e7fe3d69f5fa0e93e36fdcc126a7c321e93c18b0d1e5e5c284e8b4a07ea4d06b9bffed74

memory/1632-309-0x00000000002D0000-0x000000000030C000-memory.dmp

memory/1580-310-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1632-308-0x00000000002D0000-0x000000000030C000-memory.dmp

memory/1256-320-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1580-319-0x0000000000330000-0x000000000036C000-memory.dmp

C:\Windows\SysWOW64\Cocphf32.exe

MD5 84b3eb5c052ce020fa2ef95cd88693a6
SHA1 f0bab68c89c19113e6723caccd21aecf713ea251
SHA256 fb14de6bb7f610ac0e6498fc5b921d4fa36505204d75f90f5f1592738420bd5a
SHA512 3ffceef6ad12549e5d3999922311ffd1d9026bc9667ff95af0b6f60f414451c4341d4b437e1c858f6ecdb428685f79b0f69f33b100c76a4a237d1d63966d1465

C:\Windows\SysWOW64\Cepipm32.exe

MD5 ea2b6993930186dd8e4232fc0c9f3c45
SHA1 eac3ffe0f9511bdda22a1029cb12cc09a9d9437e
SHA256 21a00062118824e9b642e9b315bd7f8a71d618240b77e5b0373a8a57d1f27052

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 17:05

Reported

2024-11-13 17:07

Platform

win10v2004-20241007-en

Max time kernel

98s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bnkgeg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncdgcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nebdoa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ndcdmikd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pjjhbl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aglemn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bganhm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmnldp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bganhm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cfpnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Lllcen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Meiaib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mpablkhc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pgnilpah.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qgcbgo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aminee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ldoaklml.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ncdgcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Nnjlpo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Odapnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qdbiedpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Olkhmi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qgqeappe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjddphlq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Danecp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Npfkgjdn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njefqo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olcbmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ojoign32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bffkij32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bgehcmmm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfpnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Chokikeb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Opdghh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ocbddc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdfjifjo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cndikf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Llgjjnlj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Meiaib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Npjebj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ocnjidkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Olmeci32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cdfkolkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Melnob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mnebeogl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pjhlml32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qdbiedpa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acjclpcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bjfaeh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Medgncoe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mipcob32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Beglgani.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Mgddhf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oneklm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Daqbip32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgkjhe32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Llemdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldleel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lenamdem.exe N/A
N/A N/A C:\Windows\SysWOW64\Llgjjnlj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldoaklml.exe N/A
N/A N/A C:\Windows\SysWOW64\Lepncd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmgfda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldanqkki.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbdolh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lebkhc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lllcen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdckfk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Medgncoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Mipcob32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlopkm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdehlk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgddhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmnldp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mplhql32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mckemg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Meiaib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmpijp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlcifmbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcmabg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Melnob32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpablkhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgkjhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnebeogl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncbknfed.exe N/A
N/A N/A C:\Windows\SysWOW64\Nepgjaeg.exe N/A
N/A N/A C:\Windows\SysWOW64\Nngokoej.exe N/A
N/A N/A C:\Windows\SysWOW64\Npfkgjdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncdgcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nebdoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnjlpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlmllkja.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndcdmikd.exe N/A
N/A N/A C:\Windows\SysWOW64\Neeqea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njqmepik.exe N/A
N/A N/A C:\Windows\SysWOW64\Npjebj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndfqbhia.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngdmod32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njciko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnneknob.exe N/A
N/A N/A C:\Windows\SysWOW64\Npmagine.exe N/A
N/A N/A C:\Windows\SysWOW64\Nckndeni.exe N/A
N/A N/A C:\Windows\SysWOW64\Nggjdc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njefqo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olcbmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oponmilc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocnjidkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Oflgep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojgbfocc.exe N/A
N/A N/A C:\Windows\SysWOW64\Opakbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogkcpbam.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojjolnaq.exe N/A
N/A N/A C:\Windows\SysWOW64\Oneklm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Opdghh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocbddc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojllan32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olkhmi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odapnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogpmjb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojoign32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ocbddc32.exe C:\Windows\SysWOW64\Opdghh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aminee32.exe C:\Windows\SysWOW64\Ajkaii32.exe N/A
File created C:\Windows\SysWOW64\Fpnnia32.dll C:\Windows\SysWOW64\Bgcknmop.exe N/A
File opened for modification C:\Windows\SysWOW64\Cffdpghg.exe C:\Windows\SysWOW64\Cdhhdlid.exe N/A
File created C:\Windows\SysWOW64\Mckemg32.exe C:\Windows\SysWOW64\Mplhql32.exe N/A
File created C:\Windows\SysWOW64\Pjeoglgc.exe C:\Windows\SysWOW64\Pggbkagp.exe N/A
File created C:\Windows\SysWOW64\Jlklhm32.dll C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
File created C:\Windows\SysWOW64\Dhkjej32.exe C:\Windows\SysWOW64\Daqbip32.exe N/A
File created C:\Windows\SysWOW64\Pnlaml32.exe C:\Windows\SysWOW64\Ofeilobp.exe N/A
File created C:\Windows\SysWOW64\Mpablkhc.exe C:\Windows\SysWOW64\Melnob32.exe N/A
File created C:\Windows\SysWOW64\Nckndeni.exe C:\Windows\SysWOW64\Npmagine.exe N/A
File created C:\Windows\SysWOW64\Bfajji32.dll C:\Windows\SysWOW64\Ldleel32.exe N/A
File created C:\Windows\SysWOW64\Qfbgbeai.dll C:\Windows\SysWOW64\Odapnf32.exe N/A
File created C:\Windows\SysWOW64\Pmfhig32.exe C:\Windows\SysWOW64\Pjhlml32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnjlpo32.exe C:\Windows\SysWOW64\Nebdoa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhfajjoj.exe C:\Windows\SysWOW64\Cnnlaehj.exe N/A
File created C:\Windows\SysWOW64\Jdipdgch.dll C:\Windows\SysWOW64\Dobfld32.exe N/A
File created C:\Windows\SysWOW64\Clncadfb.dll C:\Windows\SysWOW64\Ogpmjb32.exe N/A
File created C:\Windows\SysWOW64\Pjcbbmif.exe C:\Windows\SysWOW64\Pdfjifjo.exe N/A
File created C:\Windows\SysWOW64\Bhbopgfn.dll C:\Windows\SysWOW64\Npjebj32.exe N/A
File created C:\Windows\SysWOW64\Lebkhc32.exe C:\Windows\SysWOW64\Lbdolh32.exe N/A
File created C:\Windows\SysWOW64\Nkenegog.dll C:\Windows\SysWOW64\Nepgjaeg.exe N/A
File opened for modification C:\Windows\SysWOW64\Baicac32.exe C:\Windows\SysWOW64\Bnkgeg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cajlhqjp.exe C:\Windows\SysWOW64\Cdfkolkf.exe N/A
File opened for modification C:\Windows\SysWOW64\Dgbdlf32.exe C:\Windows\SysWOW64\Dhocqigp.exe N/A
File created C:\Windows\SysWOW64\Blleba32.dll C:\Windows\SysWOW64\Mlopkm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Olmeci32.exe C:\Windows\SysWOW64\Ojoign32.exe N/A
File created C:\Windows\SysWOW64\Agjhgngj.exe C:\Windows\SysWOW64\Aqppkd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aglemn32.exe C:\Windows\SysWOW64\Amgapeea.exe N/A
File created C:\Windows\SysWOW64\Melnob32.exe C:\Windows\SysWOW64\Mcmabg32.exe N/A
File created C:\Windows\SysWOW64\Ajfhnjhq.exe C:\Windows\SysWOW64\Aeiofcji.exe N/A
File created C:\Windows\SysWOW64\Aglemn32.exe C:\Windows\SysWOW64\Amgapeea.exe N/A
File opened for modification C:\Windows\SysWOW64\Odapnf32.exe C:\Windows\SysWOW64\Olkhmi32.exe N/A
File created C:\Windows\SysWOW64\Beeoaapl.exe C:\Windows\SysWOW64\Baicac32.exe N/A
File created C:\Windows\SysWOW64\Mmnbeadp.dll C:\Windows\SysWOW64\Bapiabak.exe N/A
File created C:\Windows\SysWOW64\Cjmgfgdf.exe C:\Windows\SysWOW64\Chokikeb.exe N/A
File opened for modification C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Aminee32.exe N/A
File created C:\Windows\SysWOW64\Qgqeappe.exe C:\Windows\SysWOW64\Qdbiedpa.exe N/A
File created C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Aminee32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfmajipb.exe C:\Windows\SysWOW64\Bcoenmao.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjmgfgdf.exe C:\Windows\SysWOW64\Chokikeb.exe N/A
File opened for modification C:\Windows\SysWOW64\Llemdo32.exe C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe N/A
File created C:\Windows\SysWOW64\Fjbodfcj.dll C:\Windows\SysWOW64\Agoabn32.exe N/A
File created C:\Windows\SysWOW64\Bhhdil32.exe C:\Windows\SysWOW64\Banllbdn.exe N/A
File created C:\Windows\SysWOW64\Cfpnph32.exe C:\Windows\SysWOW64\Chmndlge.exe N/A
File created C:\Windows\SysWOW64\Bbloam32.dll C:\Windows\SysWOW64\Cfpnph32.exe N/A
File created C:\Windows\SysWOW64\Cogflbdn.dll C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
File created C:\Windows\SysWOW64\Gilnhifk.dll C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe N/A
File opened for modification C:\Windows\SysWOW64\Qddfkd32.exe C:\Windows\SysWOW64\Qnjnnj32.exe N/A
File created C:\Windows\SysWOW64\Pjhlml32.exe C:\Windows\SysWOW64\Pgioqq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qnhahj32.exe C:\Windows\SysWOW64\Pgnilpah.exe N/A
File created C:\Windows\SysWOW64\Oahicipe.dll C:\Windows\SysWOW64\Afoeiklb.exe N/A
File created C:\Windows\SysWOW64\Cnnlaehj.exe C:\Windows\SysWOW64\Cffdpghg.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmgbnq32.exe C:\Windows\SysWOW64\Dhkjej32.exe N/A
File created C:\Windows\SysWOW64\Ndcdmikd.exe C:\Windows\SysWOW64\Nlmllkja.exe N/A
File opened for modification C:\Windows\SysWOW64\Bhhdil32.exe C:\Windows\SysWOW64\Banllbdn.exe N/A
File opened for modification C:\Windows\SysWOW64\Mplhql32.exe C:\Windows\SysWOW64\Mmnldp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pnlaml32.exe C:\Windows\SysWOW64\Ofeilobp.exe N/A
File created C:\Windows\SysWOW64\Ccdlci32.dll C:\Windows\SysWOW64\Pdpmpdbd.exe N/A
File created C:\Windows\SysWOW64\Papbpdoi.dll C:\Windows\SysWOW64\Qgqeappe.exe N/A
File created C:\Windows\SysWOW64\Pmgmnjcj.dll C:\Windows\SysWOW64\Bjokdipf.exe N/A
File created C:\Windows\SysWOW64\Gbdhjm32.dll C:\Windows\SysWOW64\Neeqea32.exe N/A
File created C:\Windows\SysWOW64\Ogkcpbam.exe C:\Windows\SysWOW64\Opakbi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocgmpccl.exe C:\Windows\SysWOW64\Oqhacgdh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcebhoii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mlopkm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnjlpo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nckndeni.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogpmjb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amgapeea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aminee32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ldoaklml.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfknkg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbdolh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmpijp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjokdipf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dopigd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Deagdn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdfkolkf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njefqo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojoign32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnlaml32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pggbkagp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agoabn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chokikeb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mlcifmbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Melnob32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmfhig32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcoenmao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ndcdmikd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pjjhbl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anmjcieo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lenamdem.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oneklm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Acjclpcf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjfaeh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfmajipb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mcmabg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ncdgcf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogkcpbam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ngdmod32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odapnf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajkaii32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgehcmmm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mdckfk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nebdoa32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojgbfocc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aeiofcji.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmllipeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjddphlq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cndikf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Baicac32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmiflbel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Llgjjnlj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mckemg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Meiaib32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oflgep32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agjhgngj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aepefb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nngokoej.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oponmilc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdpmpdbd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ambgef32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nepgjaeg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll" C:\Windows\SysWOW64\Ocbddc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" C:\Windows\SysWOW64\Dhocqigp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojjolnaq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Aqppkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll" C:\Windows\SysWOW64\Aglemn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll" C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ldoaklml.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lbdolh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ojgbfocc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll" C:\Windows\SysWOW64\Bcebhoii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfajji32.dll" C:\Windows\SysWOW64\Ldleel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qnjnnj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingbah32.dll" C:\Windows\SysWOW64\Lebkhc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Opakbi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Olkhmi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll" C:\Windows\SysWOW64\Cffdpghg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lebkhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll" C:\Windows\SysWOW64\Bcoenmao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Llemdo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lllcen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll" C:\Windows\SysWOW64\Bjddphlq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lbdolh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll" C:\Windows\SysWOW64\Olkhmi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll" C:\Windows\SysWOW64\Pnlaml32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdgbkil.dll" C:\Windows\SysWOW64\Lenamdem.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ldanqkki.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Meiaib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll" C:\Windows\SysWOW64\Pgnilpah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nngokoej.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Qddfkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll" C:\Windows\SysWOW64\Cfmajipb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Deagdn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgfglco.dll" C:\Windows\SysWOW64\Lmgfda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll" C:\Windows\SysWOW64\Ncdgcf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Njciko32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjho32.dll" C:\Windows\SysWOW64\Nckndeni.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Oflgep32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Aglemn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll" C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qdbiedpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lmgfda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll" C:\Windows\SysWOW64\Ndfqbhia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Odapnf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pnlaml32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ncdgcf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Npmagine.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckijjqka.dll" C:\Windows\SysWOW64\Mdckfk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nngokoej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ambgef32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Npjebj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll" C:\Windows\SysWOW64\Ocnjidkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojllan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll" C:\Windows\SysWOW64\Pjeoglgc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Afoeiklb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe C:\Windows\SysWOW64\Llemdo32.exe
PID 1972 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe C:\Windows\SysWOW64\Llemdo32.exe
PID 1972 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe C:\Windows\SysWOW64\Llemdo32.exe
PID 3216 wrote to memory of 60 N/A C:\Windows\SysWOW64\Llemdo32.exe C:\Windows\SysWOW64\Ldleel32.exe
PID 3216 wrote to memory of 60 N/A C:\Windows\SysWOW64\Llemdo32.exe C:\Windows\SysWOW64\Ldleel32.exe
PID 3216 wrote to memory of 60 N/A C:\Windows\SysWOW64\Llemdo32.exe C:\Windows\SysWOW64\Ldleel32.exe
PID 60 wrote to memory of 1552 N/A C:\Windows\SysWOW64\Ldleel32.exe C:\Windows\SysWOW64\Lenamdem.exe
PID 60 wrote to memory of 1552 N/A C:\Windows\SysWOW64\Ldleel32.exe C:\Windows\SysWOW64\Lenamdem.exe
PID 60 wrote to memory of 1552 N/A C:\Windows\SysWOW64\Ldleel32.exe C:\Windows\SysWOW64\Lenamdem.exe
PID 1552 wrote to memory of 1580 N/A C:\Windows\SysWOW64\Lenamdem.exe C:\Windows\SysWOW64\Llgjjnlj.exe
PID 1552 wrote to memory of 1580 N/A C:\Windows\SysWOW64\Lenamdem.exe C:\Windows\SysWOW64\Llgjjnlj.exe
PID 1552 wrote to memory of 1580 N/A C:\Windows\SysWOW64\Lenamdem.exe C:\Windows\SysWOW64\Llgjjnlj.exe
PID 1580 wrote to memory of 1172 N/A C:\Windows\SysWOW64\Llgjjnlj.exe C:\Windows\SysWOW64\Ldoaklml.exe
PID 1580 wrote to memory of 1172 N/A C:\Windows\SysWOW64\Llgjjnlj.exe C:\Windows\SysWOW64\Ldoaklml.exe
PID 1580 wrote to memory of 1172 N/A C:\Windows\SysWOW64\Llgjjnlj.exe C:\Windows\SysWOW64\Ldoaklml.exe
PID 1172 wrote to memory of 4492 N/A C:\Windows\SysWOW64\Ldoaklml.exe C:\Windows\SysWOW64\Lepncd32.exe
PID 1172 wrote to memory of 4492 N/A C:\Windows\SysWOW64\Ldoaklml.exe C:\Windows\SysWOW64\Lepncd32.exe
PID 1172 wrote to memory of 4492 N/A C:\Windows\SysWOW64\Ldoaklml.exe C:\Windows\SysWOW64\Lepncd32.exe
PID 4492 wrote to memory of 4856 N/A C:\Windows\SysWOW64\Lepncd32.exe C:\Windows\SysWOW64\Lmgfda32.exe
PID 4492 wrote to memory of 4856 N/A C:\Windows\SysWOW64\Lepncd32.exe C:\Windows\SysWOW64\Lmgfda32.exe
PID 4492 wrote to memory of 4856 N/A C:\Windows\SysWOW64\Lepncd32.exe C:\Windows\SysWOW64\Lmgfda32.exe
PID 4856 wrote to memory of 2708 N/A C:\Windows\SysWOW64\Lmgfda32.exe C:\Windows\SysWOW64\Ldanqkki.exe
PID 4856 wrote to memory of 2708 N/A C:\Windows\SysWOW64\Lmgfda32.exe C:\Windows\SysWOW64\Ldanqkki.exe
PID 4856 wrote to memory of 2708 N/A C:\Windows\SysWOW64\Lmgfda32.exe C:\Windows\SysWOW64\Ldanqkki.exe
PID 2708 wrote to memory of 940 N/A C:\Windows\SysWOW64\Ldanqkki.exe C:\Windows\SysWOW64\Lbdolh32.exe
PID 2708 wrote to memory of 940 N/A C:\Windows\SysWOW64\Ldanqkki.exe C:\Windows\SysWOW64\Lbdolh32.exe
PID 2708 wrote to memory of 940 N/A C:\Windows\SysWOW64\Ldanqkki.exe C:\Windows\SysWOW64\Lbdolh32.exe
PID 940 wrote to memory of 4832 N/A C:\Windows\SysWOW64\Lbdolh32.exe C:\Windows\SysWOW64\Lebkhc32.exe
PID 940 wrote to memory of 4832 N/A C:\Windows\SysWOW64\Lbdolh32.exe C:\Windows\SysWOW64\Lebkhc32.exe
PID 940 wrote to memory of 4832 N/A C:\Windows\SysWOW64\Lbdolh32.exe C:\Windows\SysWOW64\Lebkhc32.exe
PID 4832 wrote to memory of 4024 N/A C:\Windows\SysWOW64\Lebkhc32.exe C:\Windows\SysWOW64\Lllcen32.exe
PID 4832 wrote to memory of 4024 N/A C:\Windows\SysWOW64\Lebkhc32.exe C:\Windows\SysWOW64\Lllcen32.exe
PID 4832 wrote to memory of 4024 N/A C:\Windows\SysWOW64\Lebkhc32.exe C:\Windows\SysWOW64\Lllcen32.exe
PID 4024 wrote to memory of 2476 N/A C:\Windows\SysWOW64\Lllcen32.exe C:\Windows\SysWOW64\Mdckfk32.exe
PID 4024 wrote to memory of 2476 N/A C:\Windows\SysWOW64\Lllcen32.exe C:\Windows\SysWOW64\Mdckfk32.exe
PID 4024 wrote to memory of 2476 N/A C:\Windows\SysWOW64\Lllcen32.exe C:\Windows\SysWOW64\Mdckfk32.exe
PID 2476 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Mdckfk32.exe C:\Windows\SysWOW64\Medgncoe.exe
PID 2476 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Mdckfk32.exe C:\Windows\SysWOW64\Medgncoe.exe
PID 2476 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Mdckfk32.exe C:\Windows\SysWOW64\Medgncoe.exe
PID 1064 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Medgncoe.exe C:\Windows\SysWOW64\Mipcob32.exe
PID 1064 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Medgncoe.exe C:\Windows\SysWOW64\Mipcob32.exe
PID 1064 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Medgncoe.exe C:\Windows\SysWOW64\Mipcob32.exe
PID 2392 wrote to memory of 1468 N/A C:\Windows\SysWOW64\Mipcob32.exe C:\Windows\SysWOW64\Mlopkm32.exe
PID 2392 wrote to memory of 1468 N/A C:\Windows\SysWOW64\Mipcob32.exe C:\Windows\SysWOW64\Mlopkm32.exe
PID 2392 wrote to memory of 1468 N/A C:\Windows\SysWOW64\Mipcob32.exe C:\Windows\SysWOW64\Mlopkm32.exe
PID 1468 wrote to memory of 4592 N/A C:\Windows\SysWOW64\Mlopkm32.exe C:\Windows\SysWOW64\Mdehlk32.exe
PID 1468 wrote to memory of 4592 N/A C:\Windows\SysWOW64\Mlopkm32.exe C:\Windows\SysWOW64\Mdehlk32.exe
PID 1468 wrote to memory of 4592 N/A C:\Windows\SysWOW64\Mlopkm32.exe C:\Windows\SysWOW64\Mdehlk32.exe
PID 4592 wrote to memory of 1924 N/A C:\Windows\SysWOW64\Mdehlk32.exe C:\Windows\SysWOW64\Mgddhf32.exe
PID 4592 wrote to memory of 1924 N/A C:\Windows\SysWOW64\Mdehlk32.exe C:\Windows\SysWOW64\Mgddhf32.exe
PID 4592 wrote to memory of 1924 N/A C:\Windows\SysWOW64\Mdehlk32.exe C:\Windows\SysWOW64\Mgddhf32.exe
PID 1924 wrote to memory of 5116 N/A C:\Windows\SysWOW64\Mgddhf32.exe C:\Windows\SysWOW64\Mmnldp32.exe
PID 1924 wrote to memory of 5116 N/A C:\Windows\SysWOW64\Mgddhf32.exe C:\Windows\SysWOW64\Mmnldp32.exe
PID 1924 wrote to memory of 5116 N/A C:\Windows\SysWOW64\Mgddhf32.exe C:\Windows\SysWOW64\Mmnldp32.exe
PID 5116 wrote to memory of 3516 N/A C:\Windows\SysWOW64\Mmnldp32.exe C:\Windows\SysWOW64\Mplhql32.exe
PID 5116 wrote to memory of 3516 N/A C:\Windows\SysWOW64\Mmnldp32.exe C:\Windows\SysWOW64\Mplhql32.exe
PID 5116 wrote to memory of 3516 N/A C:\Windows\SysWOW64\Mmnldp32.exe C:\Windows\SysWOW64\Mplhql32.exe
PID 3516 wrote to memory of 2928 N/A C:\Windows\SysWOW64\Mplhql32.exe C:\Windows\SysWOW64\Mckemg32.exe
PID 3516 wrote to memory of 2928 N/A C:\Windows\SysWOW64\Mplhql32.exe C:\Windows\SysWOW64\Mckemg32.exe
PID 3516 wrote to memory of 2928 N/A C:\Windows\SysWOW64\Mplhql32.exe C:\Windows\SysWOW64\Mckemg32.exe
PID 2928 wrote to memory of 804 N/A C:\Windows\SysWOW64\Mckemg32.exe C:\Windows\SysWOW64\Meiaib32.exe
PID 2928 wrote to memory of 804 N/A C:\Windows\SysWOW64\Mckemg32.exe C:\Windows\SysWOW64\Meiaib32.exe
PID 2928 wrote to memory of 804 N/A C:\Windows\SysWOW64\Mckemg32.exe C:\Windows\SysWOW64\Meiaib32.exe
PID 804 wrote to memory of 3308 N/A C:\Windows\SysWOW64\Meiaib32.exe C:\Windows\SysWOW64\Mmpijp32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe

"C:\Users\Admin\AppData\Local\Temp\5175b9040aef91e2138dee8578f963e419a9b0994f80c888abb3e69aa43749e7N.exe"

C:\Windows\SysWOW64\Llemdo32.exe

C:\Windows\system32\Llemdo32.exe

C:\Windows\SysWOW64\Ldleel32.exe

C:\Windows\system32\Ldleel32.exe

C:\Windows\SysWOW64\Lenamdem.exe

C:\Windows\system32\Lenamdem.exe

C:\Windows\SysWOW64\Llgjjnlj.exe

C:\Windows\system32\Llgjjnlj.exe

C:\Windows\SysWOW64\Ldoaklml.exe

C:\Windows\system32\Ldoaklml.exe

C:\Windows\SysWOW64\Lepncd32.exe

C:\Windows\system32\Lepncd32.exe

C:\Windows\SysWOW64\Lmgfda32.exe

C:\Windows\system32\Lmgfda32.exe

C:\Windows\SysWOW64\Ldanqkki.exe

C:\Windows\system32\Ldanqkki.exe

C:\Windows\SysWOW64\Lbdolh32.exe

C:\Windows\system32\Lbdolh32.exe

C:\Windows\SysWOW64\Lebkhc32.exe

C:\Windows\system32\Lebkhc32.exe

C:\Windows\SysWOW64\Lllcen32.exe

C:\Windows\system32\Lllcen32.exe

C:\Windows\SysWOW64\Mdckfk32.exe

C:\Windows\system32\Mdckfk32.exe

C:\Windows\SysWOW64\Medgncoe.exe

C:\Windows\system32\Medgncoe.exe

C:\Windows\SysWOW64\Mipcob32.exe

C:\Windows\system32\Mipcob32.exe

C:\Windows\SysWOW64\Mlopkm32.exe

C:\Windows\system32\Mlopkm32.exe

C:\Windows\SysWOW64\Mdehlk32.exe

C:\Windows\system32\Mdehlk32.exe

C:\Windows\SysWOW64\Mgddhf32.exe

C:\Windows\system32\Mgddhf32.exe

C:\Windows\SysWOW64\Mmnldp32.exe

C:\Windows\system32\Mmnldp32.exe

C:\Windows\SysWOW64\Mplhql32.exe

C:\Windows\system32\Mplhql32.exe

C:\Windows\SysWOW64\Mckemg32.exe

C:\Windows\system32\Mckemg32.exe

C:\Windows\SysWOW64\Meiaib32.exe

C:\Windows\system32\Meiaib32.exe

C:\Windows\SysWOW64\Mmpijp32.exe

C:\Windows\system32\Mmpijp32.exe

C:\Windows\SysWOW64\Mlcifmbl.exe

C:\Windows\system32\Mlcifmbl.exe

C:\Windows\SysWOW64\Mcmabg32.exe

C:\Windows\system32\Mcmabg32.exe

C:\Windows\SysWOW64\Melnob32.exe

C:\Windows\system32\Melnob32.exe

C:\Windows\SysWOW64\Mpablkhc.exe

C:\Windows\system32\Mpablkhc.exe

C:\Windows\SysWOW64\Mgkjhe32.exe

C:\Windows\system32\Mgkjhe32.exe

C:\Windows\SysWOW64\Mnebeogl.exe

C:\Windows\system32\Mnebeogl.exe

C:\Windows\SysWOW64\Ncbknfed.exe

C:\Windows\system32\Ncbknfed.exe

C:\Windows\SysWOW64\Nepgjaeg.exe

C:\Windows\system32\Nepgjaeg.exe

C:\Windows\SysWOW64\Nngokoej.exe

C:\Windows\system32\Nngokoej.exe

C:\Windows\SysWOW64\Npfkgjdn.exe

C:\Windows\system32\Npfkgjdn.exe

C:\Windows\SysWOW64\Ncdgcf32.exe

C:\Windows\system32\Ncdgcf32.exe

C:\Windows\SysWOW64\Nebdoa32.exe

C:\Windows\system32\Nebdoa32.exe

C:\Windows\SysWOW64\Nnjlpo32.exe

C:\Windows\system32\Nnjlpo32.exe

C:\Windows\SysWOW64\Nlmllkja.exe

C:\Windows\system32\Nlmllkja.exe

C:\Windows\SysWOW64\Ndcdmikd.exe

C:\Windows\system32\Ndcdmikd.exe

C:\Windows\SysWOW64\Neeqea32.exe

C:\Windows\system32\Neeqea32.exe

C:\Windows\SysWOW64\Njqmepik.exe

C:\Windows\system32\Njqmepik.exe

C:\Windows\SysWOW64\Npjebj32.exe

C:\Windows\system32\Npjebj32.exe

C:\Windows\SysWOW64\Ndfqbhia.exe

C:\Windows\system32\Ndfqbhia.exe

C:\Windows\SysWOW64\Ngdmod32.exe

C:\Windows\system32\Ngdmod32.exe

C:\Windows\SysWOW64\Njciko32.exe

C:\Windows\system32\Njciko32.exe

C:\Windows\SysWOW64\Nnneknob.exe

C:\Windows\system32\Nnneknob.exe

C:\Windows\SysWOW64\Npmagine.exe

C:\Windows\system32\Npmagine.exe

C:\Windows\SysWOW64\Nckndeni.exe

C:\Windows\system32\Nckndeni.exe

C:\Windows\SysWOW64\Nggjdc32.exe

C:\Windows\system32\Nggjdc32.exe

C:\Windows\SysWOW64\Njefqo32.exe

C:\Windows\system32\Njefqo32.exe

C:\Windows\SysWOW64\Olcbmj32.exe

C:\Windows\system32\Olcbmj32.exe

C:\Windows\SysWOW64\Oponmilc.exe

C:\Windows\system32\Oponmilc.exe

C:\Windows\SysWOW64\Ocnjidkf.exe

C:\Windows\system32\Ocnjidkf.exe

C:\Windows\SysWOW64\Oflgep32.exe

C:\Windows\system32\Oflgep32.exe

C:\Windows\SysWOW64\Ojgbfocc.exe

C:\Windows\system32\Ojgbfocc.exe

C:\Windows\SysWOW64\Opakbi32.exe

C:\Windows\system32\Opakbi32.exe

C:\Windows\SysWOW64\Ogkcpbam.exe

C:\Windows\system32\Ogkcpbam.exe

C:\Windows\SysWOW64\Ojjolnaq.exe

C:\Windows\system32\Ojjolnaq.exe

C:\Windows\SysWOW64\Oneklm32.exe

C:\Windows\system32\Oneklm32.exe

C:\Windows\SysWOW64\Opdghh32.exe

C:\Windows\system32\Opdghh32.exe

C:\Windows\SysWOW64\Ocbddc32.exe

C:\Windows\system32\Ocbddc32.exe

C:\Windows\SysWOW64\Ojllan32.exe

C:\Windows\system32\Ojllan32.exe

C:\Windows\SysWOW64\Olkhmi32.exe

C:\Windows\system32\Olkhmi32.exe

C:\Windows\SysWOW64\Odapnf32.exe

C:\Windows\system32\Odapnf32.exe

C:\Windows\SysWOW64\Ogpmjb32.exe

C:\Windows\system32\Ogpmjb32.exe

C:\Windows\SysWOW64\Ojoign32.exe

C:\Windows\system32\Ojoign32.exe

C:\Windows\SysWOW64\Olmeci32.exe

C:\Windows\system32\Olmeci32.exe

C:\Windows\SysWOW64\Oqhacgdh.exe

C:\Windows\system32\Oqhacgdh.exe

C:\Windows\SysWOW64\Ocgmpccl.exe

C:\Windows\system32\Ocgmpccl.exe

C:\Windows\SysWOW64\Ofeilobp.exe

C:\Windows\system32\Ofeilobp.exe

C:\Windows\SysWOW64\Pnlaml32.exe

C:\Windows\system32\Pnlaml32.exe

C:\Windows\SysWOW64\Pdfjifjo.exe

C:\Windows\system32\Pdfjifjo.exe

C:\Windows\SysWOW64\Pjcbbmif.exe

C:\Windows\system32\Pjcbbmif.exe

C:\Windows\SysWOW64\Pggbkagp.exe

C:\Windows\system32\Pggbkagp.exe

C:\Windows\SysWOW64\Pjeoglgc.exe

C:\Windows\system32\Pjeoglgc.exe

C:\Windows\SysWOW64\Pgioqq32.exe

C:\Windows\system32\Pgioqq32.exe

C:\Windows\SysWOW64\Pjhlml32.exe

C:\Windows\system32\Pjhlml32.exe

C:\Windows\SysWOW64\Pmfhig32.exe

C:\Windows\system32\Pmfhig32.exe

C:\Windows\SysWOW64\Pcppfaka.exe

C:\Windows\system32\Pcppfaka.exe

C:\Windows\SysWOW64\Pjjhbl32.exe

C:\Windows\system32\Pjjhbl32.exe

C:\Windows\SysWOW64\Pdpmpdbd.exe

C:\Windows\system32\Pdpmpdbd.exe

C:\Windows\SysWOW64\Pgnilpah.exe

C:\Windows\system32\Pgnilpah.exe

C:\Windows\SysWOW64\Qnhahj32.exe

C:\Windows\system32\Qnhahj32.exe

C:\Windows\SysWOW64\Qdbiedpa.exe

C:\Windows\system32\Qdbiedpa.exe

C:\Windows\SysWOW64\Qgqeappe.exe

C:\Windows\system32\Qgqeappe.exe

C:\Windows\SysWOW64\Qnjnnj32.exe

C:\Windows\system32\Qnjnnj32.exe

C:\Windows\SysWOW64\Qddfkd32.exe

C:\Windows\system32\Qddfkd32.exe

C:\Windows\SysWOW64\Qgcbgo32.exe

C:\Windows\system32\Qgcbgo32.exe

C:\Windows\SysWOW64\Anmjcieo.exe

C:\Windows\system32\Anmjcieo.exe

C:\Windows\SysWOW64\Acjclpcf.exe

C:\Windows\system32\Acjclpcf.exe

C:\Windows\SysWOW64\Ambgef32.exe

C:\Windows\system32\Ambgef32.exe

C:\Windows\SysWOW64\Aeiofcji.exe

C:\Windows\system32\Aeiofcji.exe

C:\Windows\SysWOW64\Ajfhnjhq.exe

C:\Windows\system32\Ajfhnjhq.exe

C:\Windows\SysWOW64\Aqppkd32.exe

C:\Windows\system32\Aqppkd32.exe

C:\Windows\SysWOW64\Agjhgngj.exe

C:\Windows\system32\Agjhgngj.exe

C:\Windows\SysWOW64\Amgapeea.exe

C:\Windows\system32\Amgapeea.exe

C:\Windows\SysWOW64\Aglemn32.exe

C:\Windows\system32\Aglemn32.exe

C:\Windows\SysWOW64\Afoeiklb.exe

C:\Windows\system32\Afoeiklb.exe

C:\Windows\SysWOW64\Ajkaii32.exe

C:\Windows\system32\Ajkaii32.exe

C:\Windows\SysWOW64\Aminee32.exe

C:\Windows\system32\Aminee32.exe

C:\Windows\SysWOW64\Aepefb32.exe

C:\Windows\system32\Aepefb32.exe

C:\Windows\SysWOW64\Agoabn32.exe

C:\Windows\system32\Agoabn32.exe

C:\Windows\SysWOW64\Bfabnjjp.exe

C:\Windows\system32\Bfabnjjp.exe

C:\Windows\SysWOW64\Bcebhoii.exe

C:\Windows\system32\Bcebhoii.exe

C:\Windows\SysWOW64\Bganhm32.exe

C:\Windows\system32\Bganhm32.exe

C:\Windows\SysWOW64\Bjokdipf.exe

C:\Windows\system32\Bjokdipf.exe

C:\Windows\SysWOW64\Bnkgeg32.exe

C:\Windows\system32\Bnkgeg32.exe

C:\Windows\SysWOW64\Baicac32.exe

C:\Windows\system32\Baicac32.exe

C:\Windows\SysWOW64\Beeoaapl.exe

C:\Windows\system32\Beeoaapl.exe

C:\Windows\SysWOW64\Bgcknmop.exe

C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bffkij32.exe

C:\Windows\system32\Bffkij32.exe

C:\Windows\SysWOW64\Bnmcjg32.exe

C:\Windows\system32\Bnmcjg32.exe

C:\Windows\SysWOW64\Bmpcfdmg.exe

C:\Windows\system32\Bmpcfdmg.exe

C:\Windows\SysWOW64\Beglgani.exe

C:\Windows\system32\Beglgani.exe

C:\Windows\SysWOW64\Bgehcmmm.exe

C:\Windows\system32\Bgehcmmm.exe

C:\Windows\SysWOW64\Bjddphlq.exe

C:\Windows\system32\Bjddphlq.exe

C:\Windows\SysWOW64\Banllbdn.exe

C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Bhhdil32.exe

C:\Windows\system32\Bhhdil32.exe

C:\Windows\SysWOW64\Bjfaeh32.exe

C:\Windows\system32\Bjfaeh32.exe

C:\Windows\SysWOW64\Bapiabak.exe

C:\Windows\system32\Bapiabak.exe

C:\Windows\SysWOW64\Bcoenmao.exe

C:\Windows\system32\Bcoenmao.exe

C:\Windows\SysWOW64\Cfmajipb.exe

C:\Windows\system32\Cfmajipb.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Chmndlge.exe

C:\Windows\system32\Chmndlge.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cmiflbel.exe

C:\Windows\system32\Cmiflbel.exe

C:\Windows\SysWOW64\Chokikeb.exe

C:\Windows\system32\Chokikeb.exe

C:\Windows\SysWOW64\Cjmgfgdf.exe

C:\Windows\system32\Cjmgfgdf.exe

C:\Windows\SysWOW64\Cagobalc.exe

C:\Windows\system32\Cagobalc.exe

C:\Windows\SysWOW64\Cdfkolkf.exe

C:\Windows\system32\Cdfkolkf.exe

C:\Windows\SysWOW64\Cajlhqjp.exe

C:\Windows\system32\Cajlhqjp.exe

C:\Windows\SysWOW64\Cdhhdlid.exe

C:\Windows\system32\Cdhhdlid.exe

C:\Windows\SysWOW64\Cffdpghg.exe

C:\Windows\system32\Cffdpghg.exe

C:\Windows\SysWOW64\Cnnlaehj.exe

C:\Windows\system32\Cnnlaehj.exe

C:\Windows\SysWOW64\Dhfajjoj.exe

C:\Windows\system32\Dhfajjoj.exe

C:\Windows\SysWOW64\Dopigd32.exe

C:\Windows\system32\Dopigd32.exe

C:\Windows\SysWOW64\Danecp32.exe

C:\Windows\system32\Danecp32.exe

C:\Windows\SysWOW64\Dhhnpjmh.exe

C:\Windows\system32\Dhhnpjmh.exe

C:\Windows\SysWOW64\Dfknkg32.exe

C:\Windows\system32\Dfknkg32.exe

C:\Windows\SysWOW64\Dobfld32.exe

C:\Windows\system32\Dobfld32.exe

C:\Windows\SysWOW64\Daqbip32.exe

C:\Windows\system32\Daqbip32.exe

C:\Windows\SysWOW64\Dhkjej32.exe

C:\Windows\system32\Dhkjej32.exe

C:\Windows\SysWOW64\Dmgbnq32.exe

C:\Windows\system32\Dmgbnq32.exe

C:\Windows\SysWOW64\Ddakjkqi.exe

C:\Windows\system32\Ddakjkqi.exe

C:\Windows\SysWOW64\Dfpgffpm.exe

C:\Windows\system32\Dfpgffpm.exe

C:\Windows\SysWOW64\Dmjocp32.exe

C:\Windows\system32\Dmjocp32.exe

C:\Windows\SysWOW64\Deagdn32.exe

C:\Windows\system32\Deagdn32.exe

C:\Windows\SysWOW64\Dhocqigp.exe

C:\Windows\system32\Dhocqigp.exe

C:\Windows\SysWOW64\Dgbdlf32.exe

C:\Windows\system32\Dgbdlf32.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6588 -ip 6588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6588 -s 424

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/1972-0-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Llemdo32.exe

MD5 61bc3c102b236ee230823cecd7b22a9b