Malware Analysis Report

2025-03-15 07:27

Sample ID: 241119-j7t6dsscrd
Target: c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe
SHA256: c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9
Tags: berbew gozi backdoor banker discovery isfb persistence trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9

Threat Level: Known bad

The file c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe was found to be: Known bad.

Malicious Activity Summary

berbew gozi backdoor banker discovery isfb persistence trojan

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Gozi

Gozi family

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-19 08:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-19 08:19
Reported: 2024-11-19 08:21
Platform: win7-20240903-en
Max time kernel: 26s
Max time network: 18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup (persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bmeimhdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bilmcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Becnhgmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdaheq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pbnoliap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Baohhgnf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmeimhdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpfaocal.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbdnko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmjqcc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qkhpkoen.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qqeicede.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aganeoip.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aaolidlk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acmhepko.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Becnhgmg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmjqcc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Abbeflpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjbcfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkglameg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cklfll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cklfll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afgkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aaloddnn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Poapfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Poapfn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aaheie32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baohhgnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkglameg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpfaocal.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdaheq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aaolidlk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bilmcf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjbcfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aaheie32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aganeoip.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aaloddnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Acmhepko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qqeicede.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afgkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pbnoliap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qkhpkoen.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abbeflpf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjdplm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjdplm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pfdabino.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pfdabino.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cbdnko32.exe N/A

Berbew (backdoor berbew)

Berbew family (berbew)

Gozi (banker trojan gozi)

Gozi family (gozi)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmjqcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmjqcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdaheq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdaheq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfdabino.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfdabino.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbnoliap.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbnoliap.exe N/A
N/A N/A C:\Windows\SysWOW64\Poapfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Poapfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkhpkoen.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkhpkoen.exe N/A
N/A N/A C:\Windows\SysWOW64\Qqeicede.exe N/A
N/A N/A C:\Windows\SysWOW64\Qqeicede.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaheie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaheie32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aganeoip.exe N/A
N/A N/A C:\Windows\SysWOW64\Aganeoip.exe N/A
N/A N/A C:\Windows\SysWOW64\Afgkfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afgkfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaloddnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaloddnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaolidlk.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaolidlk.exe N/A
N/A N/A C:\Windows\SysWOW64\Acmhepko.exe N/A
N/A N/A C:\Windows\SysWOW64\Acmhepko.exe N/A
N/A N/A C:\Windows\SysWOW64\Abbeflpf.exe N/A
N/A N/A C:\Windows\SysWOW64\Abbeflpf.exe N/A
N/A N/A C:\Windows\SysWOW64\Bilmcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bilmcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Becnhgmg.exe N/A
N/A N/A C:\Windows\SysWOW64\Becnhgmg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjbcfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjbcfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjdplm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjdplm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Baohhgnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Baohhgnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkglameg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkglameg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmeimhdj.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmeimhdj.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpfaocal.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpfaocal.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbdnko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbdnko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cklfll32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cklfll32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Becnhgmg.exe C:\Windows\SysWOW64\Bilmcf32.exe N/A
File created C:\Windows\SysWOW64\Bjdplm32.exe C:\Windows\SysWOW64\Bjbcfn32.exe N/A
File created C:\Windows\SysWOW64\Bmeimhdj.exe C:\Windows\SysWOW64\Bkglameg.exe N/A
File created C:\Windows\SysWOW64\Gfpifm32.dll C:\Windows\SysWOW64\Cpfaocal.exe N/A
File created C:\Windows\SysWOW64\Aganeoip.exe C:\Windows\SysWOW64\Aaheie32.exe N/A
File created C:\Windows\SysWOW64\Afgkfl32.exe C:\Windows\SysWOW64\Aganeoip.exe N/A
File created C:\Windows\SysWOW64\Gmfkdm32.dll C:\Windows\SysWOW64\Acmhepko.exe N/A
File created C:\Windows\SysWOW64\Dqcngnae.dll C:\Windows\SysWOW64\Bmeimhdj.exe N/A
File created C:\Windows\SysWOW64\Qhiphb32.dll C:\Windows\SysWOW64\Poapfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjdplm32.exe C:\Windows\SysWOW64\Bjbcfn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Baohhgnf.exe C:\Windows\SysWOW64\Bjdplm32.exe N/A
File created C:\Windows\SysWOW64\Nfolbbmp.dll C:\Windows\SysWOW64\Bjdplm32.exe N/A
File created C:\Windows\SysWOW64\Mdqfkmom.dll C:\Windows\SysWOW64\Baohhgnf.exe N/A
File created C:\Windows\SysWOW64\Cbdnko32.exe C:\Windows\SysWOW64\Cpfaocal.exe N/A
File created C:\Windows\SysWOW64\Cklfll32.exe C:\Windows\SysWOW64\Cbdnko32.exe N/A
File opened for modification C:\Windows\SysWOW64\Afgkfl32.exe C:\Windows\SysWOW64\Aganeoip.exe N/A
File opened for modification C:\Windows\SysWOW64\Aaloddnn.exe C:\Windows\SysWOW64\Afgkfl32.exe N/A
File created C:\Windows\SysWOW64\Acmhepko.exe C:\Windows\SysWOW64\Aaolidlk.exe N/A
File opened for modification C:\Windows\SysWOW64\Bilmcf32.exe C:\Windows\SysWOW64\Abbeflpf.exe N/A
File created C:\Windows\SysWOW64\Becnhgmg.exe C:\Windows\SysWOW64\Bilmcf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmeimhdj.exe C:\Windows\SysWOW64\Bkglameg.exe N/A
File created C:\Windows\SysWOW64\Dhbkakib.dll C:\Windows\SysWOW64\Pdaheq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qkhpkoen.exe C:\Windows\SysWOW64\Poapfn32.exe N/A
File created C:\Windows\SysWOW64\Cophek32.dll C:\Windows\SysWOW64\Aganeoip.exe N/A
File opened for modification C:\Windows\SysWOW64\Acmhepko.exe C:\Windows\SysWOW64\Aaolidlk.exe N/A
File created C:\Windows\SysWOW64\Baohhgnf.exe C:\Windows\SysWOW64\Bjdplm32.exe N/A
File created C:\Windows\SysWOW64\Ocdneocc.dll C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe N/A
File opened for modification C:\Windows\SysWOW64\Qqeicede.exe C:\Windows\SysWOW64\Qkhpkoen.exe N/A
File created C:\Windows\SysWOW64\Abbeflpf.exe C:\Windows\SysWOW64\Acmhepko.exe N/A
File created C:\Windows\SysWOW64\Hqlhpf32.dll C:\Windows\SysWOW64\Becnhgmg.exe N/A
File opened for modification C:\Windows\SysWOW64\Cpfaocal.exe C:\Windows\SysWOW64\Bmeimhdj.exe N/A
File created C:\Windows\SysWOW64\Bjbcfn32.exe C:\Windows\SysWOW64\Becnhgmg.exe N/A
File created C:\Windows\SysWOW64\Bkglameg.exe C:\Windows\SysWOW64\Baohhgnf.exe N/A
File created C:\Windows\SysWOW64\Pmjqcc32.exe C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe N/A
File opened for modification C:\Windows\SysWOW64\Poapfn32.exe C:\Windows\SysWOW64\Pbnoliap.exe N/A
File created C:\Windows\SysWOW64\Qqeicede.exe C:\Windows\SysWOW64\Qkhpkoen.exe N/A
File created C:\Windows\SysWOW64\Aaloddnn.exe C:\Windows\SysWOW64\Afgkfl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Abbeflpf.exe C:\Windows\SysWOW64\Acmhepko.exe N/A
File created C:\Windows\SysWOW64\Aaolidlk.exe C:\Windows\SysWOW64\Aaloddnn.exe N/A
File created C:\Windows\SysWOW64\Bfqgjgep.dll C:\Windows\SysWOW64\Aaloddnn.exe N/A
File opened for modification C:\Windows\SysWOW64\Cklfll32.exe C:\Windows\SysWOW64\Cbdnko32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pfdabino.exe C:\Windows\SysWOW64\Pdaheq32.exe N/A
File created C:\Windows\SysWOW64\Igciil32.dll C:\Windows\SysWOW64\Pfdabino.exe N/A
File created C:\Windows\SysWOW64\Pbnoliap.exe C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
File opened for modification C:\Windows\SysWOW64\Aganeoip.exe C:\Windows\SysWOW64\Aaheie32.exe N/A
File created C:\Windows\SysWOW64\Hbcicn32.dll C:\Windows\SysWOW64\Aaheie32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmjqcc32.exe C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe N/A
File created C:\Windows\SysWOW64\Qkhpkoen.exe C:\Windows\SysWOW64\Poapfn32.exe N/A
File created C:\Windows\SysWOW64\Lgahjhop.dll C:\Windows\SysWOW64\Abbeflpf.exe N/A
File created C:\Windows\SysWOW64\Fpcopobi.dll C:\Windows\SysWOW64\Bjbcfn32.exe N/A
File created C:\Windows\SysWOW64\Cpfaocal.exe C:\Windows\SysWOW64\Bmeimhdj.exe N/A
File created C:\Windows\SysWOW64\Pbkbgjcc.exe C:\Windows\SysWOW64\Pfdabino.exe N/A
File opened for modification C:\Windows\SysWOW64\Pbnoliap.exe C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
File created C:\Windows\SysWOW64\Lbbjgn32.dll C:\Windows\SysWOW64\Pbnoliap.exe N/A
File created C:\Windows\SysWOW64\Mhpeoj32.dll C:\Windows\SysWOW64\Afgkfl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceegmj32.exe C:\Windows\SysWOW64\Cklfll32.exe N/A
File created C:\Windows\SysWOW64\Lclclfdi.dll C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
File opened for modification C:\Windows\SysWOW64\Aaheie32.exe C:\Windows\SysWOW64\Qqeicede.exe N/A
File created C:\Windows\SysWOW64\Idlgcclp.dll C:\Windows\SysWOW64\Qqeicede.exe N/A
File created C:\Windows\SysWOW64\Bilmcf32.exe C:\Windows\SysWOW64\Abbeflpf.exe N/A
File created C:\Windows\SysWOW64\Ceegmj32.exe C:\Windows\SysWOW64\Cklfll32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pdaheq32.exe C:\Windows\SysWOW64\Pmjqcc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aaolidlk.exe C:\Windows\SysWOW64\Aaloddnn.exe N/A
File created C:\Windows\SysWOW64\Gioicn32.dll C:\Windows\SysWOW64\Aaolidlk.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Ceegmj32.exe

System Location Discovery: System Language Discovery (discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pbnoliap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qqeicede.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bilmcf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbdnko32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdaheq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Becnhgmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qkhpkoen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aaheie32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afgkfl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aaolidlk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cklfll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfdabino.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Abbeflpf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmeimhdj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceegmj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aganeoip.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjdplm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Baohhgnf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkglameg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aaloddnn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Acmhepko.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjbcfn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpfaocal.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmjqcc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Poapfn32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbkakib.dll" C:\Windows\SysWOW64\Pdaheq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igciil32.dll" C:\Windows\SysWOW64\Pfdabino.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll" C:\Windows\SysWOW64\Bkglameg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmeimhdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll" C:\Windows\SysWOW64\Bmeimhdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Poapfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll" C:\Windows\SysWOW64\Aaloddnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bilmcf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll" C:\Windows\SysWOW64\Poapfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjdplm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pdaheq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qkhpkoen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjdplm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpifm32.dll" C:\Windows\SysWOW64\Cpfaocal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll" C:\Windows\SysWOW64\Cbdnko32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmnipm.dll" C:\Windows\SysWOW64\Pmjqcc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pmjqcc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Poapfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll" C:\Windows\SysWOW64\Qqeicede.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophek32.dll" C:\Windows\SysWOW64\Aganeoip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bilmcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjbcfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll" C:\Windows\SysWOW64\Bjdplm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aaloddnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aaolidlk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Acmhepko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Abbeflpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkglameg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afgkfl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Acmhepko.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Abbeflpf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Becnhgmg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjbcfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll" C:\Windows\SysWOW64\Bjbcfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cklfll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pmjqcc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pfdabino.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gioicn32.dll" C:\Windows\SysWOW64\Aaolidlk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Baohhgnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll" C:\Windows\SysWOW64\Cklfll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afgkfl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aaloddnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll" C:\Windows\SysWOW64\Acmhepko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Baohhgnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcicn32.dll" C:\Windows\SysWOW64\Aaheie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Becnhgmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll" C:\Windows\SysWOW64\Baohhgnf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmeimhdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdneocc.dll" C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pdaheq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclclfdi.dll" C:\Windows\SysWOW64\Pbkbgjcc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qqeicede.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qqeicede.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aganeoip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll" C:\Windows\SysWOW64\Abbeflpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qkhpkoen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll" C:\Windows\SysWOW64\Afgkfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll" C:\Windows\SysWOW64\Becnhgmg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe C:\Windows\SysWOW64\Pmjqcc32.exe
PID 2596 wrote to memory of 2236 N/A C:\Windows\SysWOW64\Pmjqcc32.exe C:\Windows\SysWOW64\Pdaheq32.exe
PID 2236 wrote to memory of 2632 N/A C:\Windows\SysWOW64\Pdaheq32.exe C:\Windows\SysWOW64\Pfdabino.exe
PID 2632 wrote to memory of 2652 N/A C:\Windows\SysWOW64\Pfdabino.exe C:\Windows\SysWOW64\Pbkbgjcc.exe
PID 2652 wrote to memory of 1344 N/A C:\Windows\SysWOW64\Pbkbgjcc.exe C:\Windows\SysWOW64\Pbnoliap.exe
PID 1344 wrote to memory of 584 N/A C:\Windows\SysWOW64\Pbnoliap.exe C:\Windows\SysWOW64\Poapfn32.exe
PID 584 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Poapfn32.exe C:\Windows\SysWOW64\Qkhpkoen.exe
PID 2504 wrote to memory of 2532 N/A C:\Windows\SysWOW64\Qkhpkoen.exe C:\Windows\SysWOW64\Qqeicede.exe
PID 2532 wrote to memory of 3036 N/A C:\Windows\SysWOW64\Qqeicede.exe C:\Windows\SysWOW64\Aaheie32.exe
PID 3036 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Aaheie32.exe C:\Windows\SysWOW64\Aganeoip.exe
PID 2676 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Aganeoip.exe C:\Windows\SysWOW64\Afgkfl32.exe
PID 2960 wrote to memory of 2092 N/A C:\Windows\SysWOW64\Afgkfl32.exe C:\Windows\SysWOW64\Aaloddnn.exe
PID 2092 wrote to memory of 552 N/A C:\Windows\SysWOW64\Aaloddnn.exe C:\Windows\SysWOW64\Aaolidlk.exe
PID 552 wrote to memory of 2244 N/A C:\Windows\SysWOW64\Aaolidlk.exe C:\Windows\SysWOW64\Acmhepko.exe
PID 2244 wrote to memory of 3060 N/A C:\Windows\SysWOW64\Acmhepko.exe C:\Windows\SysWOW64\Abbeflpf.exe
PID 3060 wrote to memory of 2324 N/A C:\Windows\SysWOW64\Abbeflpf.exe C:\Windows\SysWOW64\Bilmcf32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe

"C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe"

C:\Windows\SysWOW64\Pmjqcc32.exe

C:\Windows\system32\Pmjqcc32.exe

C:\Windows\SysWOW64\Pdaheq32.exe

C:\Windows\system32\Pdaheq32.exe

C:\Windows\SysWOW64\Pfdabino.exe

C:\Windows\system32\Pfdabino.exe

C:\Windows\SysWOW64\Pbkbgjcc.exe

C:\Windows\system32\Pbkbgjcc.exe

C:\Windows\SysWOW64\Pbnoliap.exe

C:\Windows\system32\Pbnoliap.exe

C:\Windows\SysWOW64\Poapfn32.exe

C:\Windows\system32\Poapfn32.exe

C:\Windows\SysWOW64\Qkhpkoen.exe

C:\Windows\system32\Qkhpkoen.exe

C:\Windows\SysWOW64\Qqeicede.exe

C:\Windows\system32\Qqeicede.exe

C:\Windows\SysWOW64\Aaheie32.exe

C:\Windows\system32\Aaheie32.exe

C:\Windows\SysWOW64\Aganeoip.exe

C:\Windows\system32\Aganeoip.exe

C:\Windows\SysWOW64\Afgkfl32.exe

C:\Windows\system32\Afgkfl32.exe

C:\Windows\SysWOW64\Aaloddnn.exe

C:\Windows\system32\Aaloddnn.exe

C:\Windows\SysWOW64\Aaolidlk.exe

C:\Windows\system32\Aaolidlk.exe

C:\Windows\SysWOW64\Acmhepko.exe

C:\Windows\system32\Acmhepko.exe

C:\Windows\SysWOW64\Abbeflpf.exe

C:\Windows\system32\Abbeflpf.exe

C:\Windows\SysWOW64\Bilmcf32.exe

C:\Windows\system32\Bilmcf32.exe

C:\Windows\SysWOW64\Becnhgmg.exe

C:\Windows\system32\Becnhgmg.exe

C:\Windows\SysWOW64\Bjbcfn32.exe

C:\Windows\system32\Bjbcfn32.exe

C:\Windows\SysWOW64\Bjdplm32.exe

C:\Windows\system32\Bjdplm32.exe

C:\Windows\SysWOW64\Baohhgnf.exe

C:\Windows\system32\Baohhgnf.exe

C:\Windows\SysWOW64\Bkglameg.exe

C:\Windows\system32\Bkglameg.exe

C:\Windows\SysWOW64\Bmeimhdj.exe

C:\Windows\system32\Bmeimhdj.exe

C:\Windows\SysWOW64\Cpfaocal.exe

C:\Windows\system32\Cpfaocal.exe

C:\Windows\SysWOW64\Cbdnko32.exe

C:\Windows\system32\Cbdnko32.exe

C:\Windows\SysWOW64\Cklfll32.exe

C:\Windows\system32\Cklfll32.exe

C:\Windows\SysWOW64\Ceegmj32.exe

C:\Windows\system32\Ceegmj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 140

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-19 08:19

Reported

2024-11-19 08:21

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oiojkffd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bpnnakmf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpljbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dcaloc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jnfgbc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jdhiej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pfdppdop.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aloeii32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcjide32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjjohe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmpadpnc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nfgkilok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Inoaadih.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iannnphl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pkcenj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Edhoie32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pfijkc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nfgkilok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkanob32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Egfkfa32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejegblid.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjmhgd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pbikjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Okcmgmjg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cmagpihd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Llekcj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Llidnjkc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdeimhkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hglfol32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fgadgilh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pfjqei32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cikkeppa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejpngm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abimfcid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pamhmb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejbklm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Epnidpme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fpeoeogm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ljkhbnlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ockkbqne.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdkhidoj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nollbldc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acfmjf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Liaelpdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mcmoab32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajcigf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aflfag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dpnpmb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pbikjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lhaagfik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aloeii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Abimfcid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Amoacl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kecekkjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lkpncb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nhpgpboi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cionei32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nhldoifj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ibhqlc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jaljon32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Laalak32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abkjlb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Longjpoe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pijbmnhk.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Kbnjig32.exe N/A
N/A N/A C:\Windows\SysWOW64\Klgoalkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Kcqgnfbe.exe N/A
N/A N/A C:\Windows\SysWOW64\Keappapf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kahpebej.exe N/A
N/A N/A C:\Windows\SysWOW64\Lchmoe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Liaelpdj.exe N/A
N/A N/A C:\Windows\SysWOW64\Llpahkcm.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcjide32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljfogo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Llekcj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpbcii32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljkhbnlo.exe N/A
N/A N/A C:\Windows\SysWOW64\Llidnjkc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjmdgn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlnnii32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbkfap32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mffbbomn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mplfog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqnceg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcmoab32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbblbo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhldoifj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nofmlc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhnadidg.exe N/A
N/A N/A C:\Windows\SysWOW64\Njnnnllj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqhfkf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njpjdkig.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfgkilok.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqlofeoa.exe N/A
N/A N/A C:\Windows\SysWOW64\Ockkbqne.exe N/A
N/A N/A C:\Windows\SysWOW64\Ooalga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oijqpg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oodimaaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Obbeimaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojimjjal.exe N/A
N/A N/A C:\Windows\SysWOW64\Opfebqpd.exe N/A
N/A N/A C:\Windows\SysWOW64\Obdbolog.exe N/A
N/A N/A C:\Windows\SysWOW64\Oiojkffd.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqfblcgf.exe N/A
N/A N/A C:\Windows\SysWOW64\Opibhq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppkonp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbikjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Piccfe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfgdpj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pamhmb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfjqei32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmcibc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pflmkimc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppdbdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfnjqikq.exe N/A
N/A N/A C:\Windows\SysWOW64\Qpgoinaa.exe N/A
N/A N/A C:\Windows\SysWOW64\Qiocbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qbggkiob.exe N/A
N/A N/A C:\Windows\SysWOW64\Ammlhbnh.exe N/A
N/A N/A C:\Windows\SysWOW64\Apkhdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aidlmcdl.exe N/A
N/A N/A C:\Windows\SysWOW64\Adiqjlcb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajcigf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amaeca32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afjjlg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amdbiahp.exe N/A
N/A N/A C:\Windows\SysWOW64\Adnjek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aflfag32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Keqieklj.exe C:\Windows\SysWOW64\Khmhlg32.exe N/A
File created C:\Windows\SysWOW64\Gkbhpocn.dll C:\Windows\SysWOW64\Opibhq32.exe N/A
File created C:\Windows\SysWOW64\Iecamf32.dll C:\Windows\SysWOW64\Djnaamol.exe N/A
File created C:\Windows\SysWOW64\Ggbchm32.exe C:\Windows\SysWOW64\Gedgla32.exe N/A
File created C:\Windows\SysWOW64\Agolnflf.dll C:\Windows\SysWOW64\Hekmmqme.exe N/A
File created C:\Windows\SysWOW64\Bepobppn.dll C:\Windows\SysWOW64\Nhpgpboi.exe N/A
File created C:\Windows\SysWOW64\Bnchjo32.dll C:\Windows\SysWOW64\Pbidoe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nqhfkf32.exe C:\Windows\SysWOW64\Njnnnllj.exe N/A
File opened for modification C:\Windows\SysWOW64\Dablmkba.exe C:\Windows\SysWOW64\Djldlnao.exe N/A
File created C:\Windows\SysWOW64\Fbebihbl.exe C:\Windows\SysWOW64\Fcbefalp.exe N/A
File created C:\Windows\SysWOW64\Cgjbcebq.exe C:\Windows\SysWOW64\Bpqjfk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkepeo32.exe C:\Windows\SysWOW64\Mdkhidoj.exe N/A
File created C:\Windows\SysWOW64\Cionei32.exe C:\Windows\SysWOW64\Cmhmqhbl.exe N/A
File created C:\Windows\SysWOW64\Kbkfiaco.exe C:\Windows\SysWOW64\Kjdnhcbl.exe N/A
File created C:\Windows\SysWOW64\Dlhofd32.dll C:\Windows\SysWOW64\Femnbg32.exe N/A
File created C:\Windows\SysWOW64\Lhkdneaq.exe C:\Windows\SysWOW64\Laalak32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ppdbdo32.exe C:\Windows\SysWOW64\Pflmkimc.exe N/A
File opened for modification C:\Windows\SysWOW64\Epnidpme.exe C:\Windows\SysWOW64\Eidqgf32.exe N/A
File created C:\Windows\SysWOW64\Gjocoi32.exe C:\Windows\SysWOW64\Gcekbokj.exe N/A
File created C:\Windows\SysWOW64\Ajhhlpmm.dll C:\Windows\SysWOW64\Mclhfl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oqlofeoa.exe C:\Windows\SysWOW64\Nfgkilok.exe N/A
File created C:\Windows\SysWOW64\Jdpklo32.dll C:\Windows\SysWOW64\Dcaloc32.exe N/A
File created C:\Windows\SysWOW64\Fanajimp.dll C:\Windows\SysWOW64\Leebqk32.exe N/A
File created C:\Windows\SysWOW64\Nikpidbp.dll C:\Windows\SysWOW64\Bmkhip32.exe N/A
File created C:\Windows\SysWOW64\Ghblpi32.dll C:\Windows\SysWOW64\Mdkhidoj.exe N/A
File created C:\Windows\SysWOW64\Dlddme32.dll C:\Windows\SysWOW64\Pfijkc32.exe N/A
File created C:\Windows\SysWOW64\Edghoo32.exe C:\Windows\SysWOW64\Emnpbepd.exe N/A
File created C:\Windows\SysWOW64\Fkdpod32.dll C:\Windows\SysWOW64\Dappgk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pigfgo32.exe C:\Windows\SysWOW64\Pfijkc32.exe N/A
File created C:\Windows\SysWOW64\Gckmqbod.dll C:\Windows\SysWOW64\Aflpgq32.exe N/A
File created C:\Windows\SysWOW64\Fpjhpo32.exe C:\Windows\SysWOW64\Fnllcc32.exe N/A
File created C:\Windows\SysWOW64\Mmgqogpe.dll C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcmoab32.exe C:\Windows\SysWOW64\Mqnceg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oqfblcgf.exe C:\Windows\SysWOW64\Oiojkffd.exe N/A
File created C:\Windows\SysWOW64\Mjcclf32.dll C:\Windows\SysWOW64\Gbaaeggo.exe N/A
File opened for modification C:\Windows\SysWOW64\Gjocoi32.exe C:\Windows\SysWOW64\Gcekbokj.exe N/A
File created C:\Windows\SysWOW64\Pcmjdg32.exe C:\Windows\SysWOW64\Pmcbgmcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Ljfogo32.exe C:\Windows\SysWOW64\Lcjide32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ooalga32.exe C:\Windows\SysWOW64\Ockkbqne.exe N/A
File created C:\Windows\SysWOW64\Jicnaean.dll C:\Windows\SysWOW64\Pfjqei32.exe N/A
File created C:\Windows\SysWOW64\Niacgmml.dll C:\Windows\SysWOW64\Ephing32.exe N/A
File created C:\Windows\SysWOW64\Klgoalkh.exe C:\Windows\SysWOW64\Kbnjig32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gdpnabgb.exe C:\Windows\SysWOW64\Gbaaeggo.exe N/A
File created C:\Windows\SysWOW64\Khoebgkn.exe C:\Windows\SysWOW64\Keqieklj.exe N/A
File opened for modification C:\Windows\SysWOW64\Pcmjdg32.exe C:\Windows\SysWOW64\Pmcbgmcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Adnjek32.exe C:\Windows\SysWOW64\Amdbiahp.exe N/A
File created C:\Windows\SysWOW64\Lcpikn32.exe C:\Windows\SysWOW64\Llfqnc32.exe N/A
File created C:\Windows\SysWOW64\Afjjlg32.exe C:\Windows\SysWOW64\Amaeca32.exe N/A
File opened for modification C:\Windows\SysWOW64\Odpjkalb.exe C:\Windows\SysWOW64\Oboaif32.exe N/A
File created C:\Windows\SysWOW64\Qpgoinaa.exe C:\Windows\SysWOW64\Pfnjqikq.exe N/A
File created C:\Windows\SysWOW64\Bhjnom32.dll C:\Windows\SysWOW64\Apmnpg32.exe N/A
File created C:\Windows\SysWOW64\Epnidpme.exe C:\Windows\SysWOW64\Eidqgf32.exe N/A
File created C:\Windows\SysWOW64\Ldkobgmm.exe C:\Windows\SysWOW64\Longjpoe.exe N/A
File created C:\Windows\SysWOW64\Qohjnfpf.dll C:\Windows\SysWOW64\Edekip32.exe N/A
File created C:\Windows\SysWOW64\Fllpjp32.exe C:\Windows\SysWOW64\Fgogai32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nofmlc32.exe C:\Windows\SysWOW64\Nhldoifj.exe N/A
File created C:\Windows\SysWOW64\Elnplg32.dll C:\Windows\SysWOW64\Ecfejc32.exe N/A
File created C:\Windows\SysWOW64\Kaikfmma.dll C:\Windows\SysWOW64\Pccgnibo.exe N/A
File created C:\Windows\SysWOW64\Dkppekog.dll C:\Windows\SysWOW64\Aijlcl32.exe N/A
File created C:\Windows\SysWOW64\Bncpqm32.dll C:\Windows\SysWOW64\Badgdold.exe N/A
File created C:\Windows\SysWOW64\Pliioanb.dll C:\Windows\SysWOW64\Ggbchm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hccgcmoj.exe C:\Windows\SysWOW64\Hbakld32.exe N/A
File opened for modification C:\Windows\SysWOW64\Khmhlg32.exe C:\Windows\SysWOW64\Koddcagp.exe N/A
File created C:\Windows\SysWOW64\Gkfbhn32.dll C:\Windows\SysWOW64\Edhoie32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Fpleen32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pigfgo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njpjdkig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjmhgd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pbidoe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojimjjal.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fkbpmmdg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jhloeikc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfbcjdab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkcenj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nofmlc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kbdiopkd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Femnbg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klgoalkh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kcqgnfbe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfhhjmbe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lhkdneaq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ooalga32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amdbiahp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Khmhlg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Blmakgeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mbkfap32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfgdpj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mdikce32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Omioaokb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfdppdop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Abimfcid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eekalg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opfebqpd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pamhmb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Egihkqhn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Longjpoe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mdkhidoj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Blhhpg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eghaajdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lchmoe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nfgkilok.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Obbeimaj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qpgoinaa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hbjdkepd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aidlmcdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mamlmi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fpcbop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jomncb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mecnbhle.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mclhfl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nbblbo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfhfne32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgjbcebq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dgkljb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Icljjkgp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aflpgq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fdcgkn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Keappapf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Obdbolog.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ppdbdo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfnjqikq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dablmkba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbcico32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ppkonp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpljbi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Keqieklj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pieiao32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amanik32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jdhiej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjodin32.dll" C:\Windows\SysWOW64\Cmagpihd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idelqf32.dll" C:\Windows\SysWOW64\Liaelpdj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fkbpmmdg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hjjbkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcebmaa.dll" C:\Windows\SysWOW64\Hbjdkepd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djilbf32.dll" C:\Windows\SysWOW64\Kbnjig32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Baiqpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Acfmjf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eekalg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dappgk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cccjfnfq.dll" C:\Windows\SysWOW64\Mkepeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfiqnn32.dll" C:\Windows\SysWOW64\Clfdaeml.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qecpgo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qiocbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddlong32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ephing32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fbebihbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kilicb32.dll" C:\Windows\SysWOW64\Aegibnhg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kahpebej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qbggkiob.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epgbca32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nikpidbp.dll" C:\Windows\SysWOW64\Bmkhip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kbdiopkd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amoacl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cbcico32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fnllcc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgfoef.dll" C:\Windows\SysWOW64\Mecnbhle.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Edghoo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dancal32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fnopci32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdijlhkm.dll" C:\Windows\SysWOW64\Lkpncb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Apkhdn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaikfmma.dll" C:\Windows\SysWOW64\Pccgnibo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pbidoe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Llekcj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gnciohah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pieiao32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienackeo.dll" C:\Windows\SysWOW64\Dccbjm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknkdbpo.dll" C:\Windows\SysWOW64\Diihfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmofnhi.dll" C:\Windows\SysWOW64\Omioaokb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Liaelpdj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nhnadidg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Digkqn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddlong32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghaag32.dll" C:\Windows\SysWOW64\Qpgoinaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cikkeppa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mhpnid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aijlcl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fgogai32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ammlhbnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aflfag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Abimfcid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nknclm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Keappapf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjfdh32.dll" C:\Windows\SysWOW64\Opfebqpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Diihfn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kecekkjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Apmnpg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Adnjek32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cpljbi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dcaloc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Edhoie32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cionei32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3112 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe C:\Windows\SysWOW64\Kbnjig32.exe
PID 3112 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe C:\Windows\SysWOW64\Kbnjig32.exe
PID 3112 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe C:\Windows\SysWOW64\Kbnjig32.exe
PID 4768 wrote to memory of 688 N/A C:\Windows\SysWOW64\Kbnjig32.exe C:\Windows\SysWOW64\Klgoalkh.exe
PID 4768 wrote to memory of 688 N/A C:\Windows\SysWOW64\Kbnjig32.exe C:\Windows\SysWOW64\Klgoalkh.exe
PID 4768 wrote to memory of 688 N/A C:\Windows\SysWOW64\Kbnjig32.exe C:\Windows\SysWOW64\Klgoalkh.exe
PID 688 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Klgoalkh.exe C:\Windows\SysWOW64\Kcqgnfbe.exe
PID 688 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Klgoalkh.exe C:\Windows\SysWOW64\Kcqgnfbe.exe
PID 688 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Klgoalkh.exe C:\Windows\SysWOW64\Kcqgnfbe.exe
PID 2716 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Kcqgnfbe.exe C:\Windows\SysWOW64\Keappapf.exe
PID 2716 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Kcqgnfbe.exe C:\Windows\SysWOW64\Keappapf.exe
PID 2716 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Kcqgnfbe.exe C:\Windows\SysWOW64\Keappapf.exe
PID 2552 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Keappapf.exe C:\Windows\SysWOW64\Kahpebej.exe
PID 2552 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Keappapf.exe C:\Windows\SysWOW64\Kahpebej.exe
PID 2552 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Keappapf.exe C:\Windows\SysWOW64\Kahpebej.exe
PID 2740 wrote to memory of 4368 N/A C:\Windows\SysWOW64\Kahpebej.exe C:\Windows\SysWOW64\Lchmoe32.exe
PID 2740 wrote to memory of 4368 N/A C:\Windows\SysWOW64\Kahpebej.exe C:\Windows\SysWOW64\Lchmoe32.exe
PID 2740 wrote to memory of 4368 N/A C:\Windows\SysWOW64\Kahpebej.exe C:\Windows\SysWOW64\Lchmoe32.exe
PID 4368 wrote to memory of 1068 N/A C:\Windows\SysWOW64\Lchmoe32.exe C:\Windows\SysWOW64\Liaelpdj.exe
PID 4368 wrote to memory of 1068 N/A C:\Windows\SysWOW64\Lchmoe32.exe C:\Windows\SysWOW64\Liaelpdj.exe
PID 4368 wrote to memory of 1068 N/A C:\Windows\SysWOW64\Lchmoe32.exe C:\Windows\SysWOW64\Liaelpdj.exe
PID 1068 wrote to memory of 4604 N/A C:\Windows\SysWOW64\Liaelpdj.exe C:\Windows\SysWOW64\Llpahkcm.exe
PID 1068 wrote to memory of 4604 N/A C:\Windows\SysWOW64\Liaelpdj.exe C:\Windows\SysWOW64\Llpahkcm.exe
PID 1068 wrote to memory of 4604 N/A C:\Windows\SysWOW64\Liaelpdj.exe C:\Windows\SysWOW64\Llpahkcm.exe
PID 4604 wrote to memory of 5004 N/A C:\Windows\SysWOW64\Llpahkcm.exe C:\Windows\SysWOW64\Lcjide32.exe
PID 4604 wrote to memory of 5004 N/A C:\Windows\SysWOW64\Llpahkcm.exe C:\Windows\SysWOW64\Lcjide32.exe
PID 4604 wrote to memory of 5004 N/A C:\Windows\SysWOW64\Llpahkcm.exe C:\Windows\SysWOW64\Lcjide32.exe
PID 5004 wrote to memory of 844 N/A C:\Windows\SysWOW64\Lcjide32.exe C:\Windows\SysWOW64\Ljfogo32.exe
PID 5004 wrote to memory of 844 N/A C:\Windows\SysWOW64\Lcjide32.exe C:\Windows\SysWOW64\Ljfogo32.exe
PID 5004 wrote to memory of 844 N/A C:\Windows\SysWOW64\Lcjide32.exe C:\Windows\SysWOW64\Ljfogo32.exe
PID 844 wrote to memory of 3528 N/A C:\Windows\SysWOW64\Ljfogo32.exe C:\Windows\SysWOW64\Llekcj32.exe
PID 844 wrote to memory of 3528 N/A C:\Windows\SysWOW64\Ljfogo32.exe C:\Windows\SysWOW64\Llekcj32.exe
PID 844 wrote to memory of 3528 N/A C:\Windows\SysWOW64\Ljfogo32.exe C:\Windows\SysWOW64\Llekcj32.exe
PID 3528 wrote to memory of 4872 N/A C:\Windows\SysWOW64\Llekcj32.exe C:\Windows\SysWOW64\Lpbcii32.exe
PID 3528 wrote to memory of 4872 N/A C:\Windows\SysWOW64\Llekcj32.exe C:\Windows\SysWOW64\Lpbcii32.exe
PID 3528 wrote to memory of 4872 N/A C:\Windows\SysWOW64\Llekcj32.exe C:\Windows\SysWOW64\Lpbcii32.exe
PID 4872 wrote to memory of 2412 N/A C:\Windows\SysWOW64\Lpbcii32.exe C:\Windows\SysWOW64\Ljkhbnlo.exe
PID 4872 wrote to memory of 2412 N/A C:\Windows\SysWOW64\Lpbcii32.exe C:\Windows\SysWOW64\Ljkhbnlo.exe
PID 4872 wrote to memory of 2412 N/A C:\Windows\SysWOW64\Lpbcii32.exe C:\Windows\SysWOW64\Ljkhbnlo.exe
PID 2412 wrote to memory of 4436 N/A C:\Windows\SysWOW64\Ljkhbnlo.exe C:\Windows\SysWOW64\Llidnjkc.exe
PID 2412 wrote to memory of 4436 N/A C:\Windows\SysWOW64\Ljkhbnlo.exe C:\Windows\SysWOW64\Llidnjkc.exe
PID 2412 wrote to memory of 4436 N/A C:\Windows\SysWOW64\Ljkhbnlo.exe C:\Windows\SysWOW64\Llidnjkc.exe
PID 4436 wrote to memory of 1492 N/A C:\Windows\SysWOW64\Llidnjkc.exe C:\Windows\SysWOW64\Mjmdgn32.exe
PID 4436 wrote to memory of 1492 N/A C:\Windows\SysWOW64\Llidnjkc.exe C:\Windows\SysWOW64\Mjmdgn32.exe
PID 4436 wrote to memory of 1492 N/A C:\Windows\SysWOW64\Llidnjkc.exe C:\Windows\SysWOW64\Mjmdgn32.exe
PID 1492 wrote to memory of 1248 N/A C:\Windows\SysWOW64\Mjmdgn32.exe C:\Windows\SysWOW64\Mlnnii32.exe
PID 1492 wrote to memory of 1248 N/A C:\Windows\SysWOW64\Mjmdgn32.exe C:\Windows\SysWOW64\Mlnnii32.exe
PID 1492 wrote to memory of 1248 N/A C:\Windows\SysWOW64\Mjmdgn32.exe C:\Windows\SysWOW64\Mlnnii32.exe
PID 1248 wrote to memory of 4620 N/A C:\Windows\SysWOW64\Mlnnii32.exe C:\Windows\SysWOW64\Mbkfap32.exe
PID 1248 wrote to memory of 4620 N/A C:\Windows\SysWOW64\Mlnnii32.exe C:\Windows\SysWOW64\Mbkfap32.exe
PID 1248 wrote to memory of 4620 N/A C:\Windows\SysWOW64\Mlnnii32.exe C:\Windows\SysWOW64\Mbkfap32.exe
PID 4620 wrote to memory of 4408 N/A C:\Windows\SysWOW64\Mbkfap32.exe C:\Windows\SysWOW64\Mffbbomn.exe
PID 4620 wrote to memory of 4408 N/A C:\Windows\SysWOW64\Mbkfap32.exe C:\Windows\SysWOW64\Mffbbomn.exe
PID 4620 wrote to memory of 4408 N/A C:\Windows\SysWOW64\Mbkfap32.exe C:\Windows\SysWOW64\Mffbbomn.exe
PID 4408 wrote to memory of 4480 N/A C:\Windows\SysWOW64\Mffbbomn.exe C:\Windows\SysWOW64\Mplfog32.exe
PID 4408 wrote to memory of 4480 N/A C:\Windows\SysWOW64\Mffbbomn.exe C:\Windows\SysWOW64\Mplfog32.exe
PID 4408 wrote to memory of 4480 N/A C:\Windows\SysWOW64\Mffbbomn.exe C:\Windows\SysWOW64\Mplfog32.exe
PID 4480 wrote to memory of 4276 N/A C:\Windows\SysWOW64\Mplfog32.exe C:\Windows\SysWOW64\Mqnceg32.exe
PID 4480 wrote to memory of 4276 N/A C:\Windows\SysWOW64\Mplfog32.exe C:\Windows\SysWOW64\Mqnceg32.exe
PID 4480 wrote to memory of 4276 N/A C:\Windows\SysWOW64\Mplfog32.exe C:\Windows\SysWOW64\Mqnceg32.exe
PID 4276 wrote to memory of 708 N/A C:\Windows\SysWOW64\Mqnceg32.exe C:\Windows\SysWOW64\Mcmoab32.exe
PID 4276 wrote to memory of 708 N/A C:\Windows\SysWOW64\Mqnceg32.exe C:\Windows\SysWOW64\Mcmoab32.exe
PID 4276 wrote to memory of 708 N/A C:\Windows\SysWOW64\Mqnceg32.exe C:\Windows\SysWOW64\Mcmoab32.exe
PID 708 wrote to memory of 1144 N/A C:\Windows\SysWOW64\Mcmoab32.exe C:\Windows\SysWOW64\Nbblbo32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe

"C:\Users\Admin\AppData\Local\Temp\c600e4ccdd77fefb163ca90012c4cfd340efb5fc018983b21a1bb8a21c8c2fa9N.exe"

C:\Windows\SysWOW64\Kbnjig32.exe

C:\Windows\system32\Kbnjig32.exe

C:\Windows\SysWOW64\Klgoalkh.exe

C:\Windows\system32\Klgoalkh.exe

C:\Windows\SysWOW64\Kcqgnfbe.exe

C:\Windows\system32\Kcqgnfbe.exe

C:\Windows\SysWOW64\Keappapf.exe

C:\Windows\system32\Keappapf.exe

C:\Windows\SysWOW64\Kahpebej.exe

C:\Windows\system32\Kahpebej.exe

C:\Windows\SysWOW64\Lchmoe32.exe

C:\Windows\system32\Lchmoe32.exe

C:\Windows\SysWOW64\Liaelpdj.exe

C:\Windows\system32\Liaelpdj.exe

C:\Windows\SysWOW64\Llpahkcm.exe

C:\Windows\system32\Llpahkcm.exe

C:\Windows\SysWOW64\Lcjide32.exe

C:\Windows\system32\Lcjide32.exe

C:\Windows\SysWOW64\Ljfogo32.exe

C:\Windows\system32\Ljfogo32.exe

C:\Windows\SysWOW64\Llekcj32.exe

C:\Windows\system32\Llekcj32.exe

C:\Windows\SysWOW64\Lpbcii32.exe

C:\Windows\system32\Lpbcii32.exe

C:\Windows\SysWOW64\Ljkhbnlo.exe

C:\Windows\system32\Ljkhbnlo.exe

C:\Windows\SysWOW64\Llidnjkc.exe

C:\Windows\system32\Llidnjkc.exe

C:\Windows\SysWOW64\Mjmdgn32.exe

C:\Windows\system32\Mjmdgn32.exe

C:\Windows\SysWOW64\Mlnnii32.exe

C:\Windows\system32\Mlnnii32.exe

C:\Windows\SysWOW64\Mbkfap32.exe

C:\Windows\system32\Mbkfap32.exe

C:\Windows\SysWOW64\Mffbbomn.exe

C:\Windows\system32\Mffbbomn.exe

C:\Windows\SysWOW64\Mplfog32.exe

C:\Windows\system32\Mplfog32.exe

C:\Windows\SysWOW64\Mqnceg32.exe

C:\Windows\system32\Mqnceg32.exe

C:\Windows\SysWOW64\Mcmoab32.exe

C:\Windows\system32\Mcmoab32.exe

C:\Windows\SysWOW64\Nbblbo32.exe

C:\Windows\system32\Nbblbo32.exe

C:\Windows\SysWOW64\Nhldoifj.exe

C:\Windows\system32\Nhldoifj.exe

C:\Windows\SysWOW64\Nofmlc32.exe

C:\Windows\system32\Nofmlc32.exe

C:\Windows\SysWOW64\Nhnadidg.exe

C:\Windows\system32\Nhnadidg.exe

C:\Windows\SysWOW64\Njnnnllj.exe

C:\Windows\system32\Njnnnllj.exe

C:\Windows\SysWOW64\Nqhfkf32.exe

C:\Windows\system32\Nqhfkf32.exe

C:\Windows\SysWOW64\Njpjdkig.exe

C:\Windows\system32\Njpjdkig.exe

C:\Windows\SysWOW64\Nfgkilok.exe

C:\Windows\system32\Nfgkilok.exe

C:\Windows\SysWOW64\Oqlofeoa.exe

C:\Windows\system32\Oqlofeoa.exe

C:\Windows\SysWOW64\Ockkbqne.exe

C:\Windows\system32\Ockkbqne.exe

C:\Windows\SysWOW64\Ooalga32.exe

C:\Windows\system32\Ooalga32.exe

C:\Windows\SysWOW64\Oijqpg32.exe

C:\Windows\system32\Oijqpg32.exe

C:\Windows\SysWOW64\Oodimaaf.exe

C:\Windows\system32\Oodimaaf.exe

C:\Windows\SysWOW64\Obbeimaj.exe

C:\Windows\system32\Obbeimaj.exe

C:\Windows\SysWOW64\Ojimjjal.exe

C:\Windows\system32\Ojimjjal.exe

C:\Windows\SysWOW64\Opfebqpd.exe

C:\Windows\system32\Opfebqpd.exe

C:\Windows\SysWOW64\Obdbolog.exe

C:\Windows\system32\Obdbolog.exe

C:\Windows\SysWOW64\Oiojkffd.exe

C:\Windows\system32\Oiojkffd.exe

C:\Windows\SysWOW64\Oqfblcgf.exe

C:\Windows\system32\Oqfblcgf.exe

C:\Windows\SysWOW64\Opibhq32.exe

C:\Windows\system32\Opibhq32.exe

C:\Windows\SysWOW64\Ppkonp32.exe

C:\Windows\system32\Ppkonp32.exe

C:\Windows\SysWOW64\Pbikjl32.exe

C:\Windows\system32\Pbikjl32.exe

C:\Windows\SysWOW64\Piccfe32.exe

C:\Windows\system32\Piccfe32.exe

C:\Windows\SysWOW64\Pfgdpj32.exe

C:\Windows\system32\Pfgdpj32.exe

C:\Windows\SysWOW64\Pamhmb32.exe

C:\Windows\system32\Pamhmb32.exe

C:\Windows\SysWOW64\Pfjqei32.exe

C:\Windows\system32\Pfjqei32.exe

C:\Windows\SysWOW64\Pmcibc32.exe

C:\Windows\system32\Pmcibc32.exe

C:\Windows\SysWOW64\Pflmkimc.exe

C:\Windows\system32\Pflmkimc.exe

C:\Windows\SysWOW64\Ppdbdo32.exe

C:\Windows\system32\Ppdbdo32.exe

C:\Windows\SysWOW64\Pfnjqikq.exe

C:\Windows\system32\Pfnjqikq.exe

C:\Windows\SysWOW64\Qpgoinaa.exe

C:\Windows\system32\Qpgoinaa.exe

C:\Windows\SysWOW64\Qiocbd32.exe

C:\Windows\system32\Qiocbd32.exe

C:\Windows\SysWOW64\Qbggkiob.exe

C:\Windows\system32\Qbggkiob.exe

C:\Windows\SysWOW64\Ammlhbnh.exe

C:\Windows\system32\Ammlhbnh.exe

C:\Windows\SysWOW64\Apkhdn32.exe

C:\Windows\system32\Apkhdn32.exe

C:\Windows\SysWOW64\Aidlmcdl.exe

C:\Windows\system32\Aidlmcdl.exe

C:\Windows\SysWOW64\Adiqjlcb.exe

C:\Windows\system32\Adiqjlcb.exe

C:\Windows\SysWOW64\Ajcigf32.exe

C:\Windows\system32\Ajcigf32.exe

C:\Windows\SysWOW64\Amaeca32.exe

C:\Windows\system32\Amaeca32.exe

C:\Windows\SysWOW64\Afjjlg32.exe

C:\Windows\system32\Afjjlg32.exe

C:\Windows\SysWOW64\Amdbiahp.exe

C:\Windows\system32\Amdbiahp.exe

C:\Windows\SysWOW64\Adnjek32.exe

C:\Windows\system32\Adnjek32.exe

C:\Windows\SysWOW64\Aflfag32.exe

C:\Windows\system32\Aflfag32.exe

C:\Windows\SysWOW64\Abcgghde.exe

C:\Windows\system32\Abcgghde.exe

C:\Windows\SysWOW64\Bjjohe32.exe

C:\Windows\system32\Bjjohe32.exe

C:\Windows\SysWOW64\Badgdold.exe

C:\Windows\system32\Badgdold.exe

C:\Windows\SysWOW64\Bfapmfkk.exe

C:\Windows\system32\Bfapmfkk.exe

C:\Windows\SysWOW64\Bmkhip32.exe

C:\Windows\system32\Bmkhip32.exe

C:\Windows\SysWOW64\Bjohcdab.exe

C:\Windows\system32\Bjohcdab.exe

C:\Windows\SysWOW64\Baiqpo32.exe

C:\Windows\system32\Baiqpo32.exe

C:\Windows\SysWOW64\Bbjmggnm.exe

C:\Windows\system32\Bbjmggnm.exe

C:\Windows\SysWOW64\Bmpadpnc.exe

C:\Windows\system32\Bmpadpnc.exe

C:\Windows\SysWOW64\Bpnnakmf.exe

C:\Windows\system32\Bpnnakmf.exe

C:\Windows\SysWOW64\Bfhfne32.exe

C:\Windows\system32\Bfhfne32.exe

C:\Windows\SysWOW64\Bpqjfk32.exe

C:\Windows\system32\Bpqjfk32.exe

C:\Windows\SysWOW64\Cgjbcebq.exe

C:\Windows\system32\Cgjbcebq.exe

C:\Windows\SysWOW64\Ciioopad.exe

C:\Windows\system32\Ciioopad.exe

C:\Windows\SysWOW64\Cikkeppa.exe

C:\Windows\system32\Cikkeppa.exe

C:\Windows\SysWOW64\Ckkhocgd.exe

C:\Windows\system32\Ckkhocgd.exe

C:\Windows\SysWOW64\Cdclgh32.exe

C:\Windows\system32\Cdclgh32.exe

C:\Windows\SysWOW64\Cagmamlo.exe

C:\Windows\system32\Cagmamlo.exe

C:\Windows\SysWOW64\Cdeimhkb.exe

C:\Windows\system32\Cdeimhkb.exe

C:\Windows\SysWOW64\Cpljbi32.exe

C:\Windows\system32\Cpljbi32.exe

C:\Windows\SysWOW64\Dkanob32.exe

C:\Windows\system32\Dkanob32.exe

C:\Windows\SysWOW64\Dghodc32.exe

C:\Windows\system32\Dghodc32.exe

C:\Windows\SysWOW64\Digkqn32.exe

C:\Windows\system32\Digkqn32.exe

C:\Windows\SysWOW64\Dancal32.exe

C:\Windows\system32\Dancal32.exe

C:\Windows\SysWOW64\Ddlong32.exe

C:\Windows\system32\Ddlong32.exe

C:\Windows\SysWOW64\Dgkljb32.exe

C:\Windows\system32\Dgkljb32.exe

C:\Windows\SysWOW64\Diihfn32.exe

C:\Windows\system32\Diihfn32.exe

C:\Windows\SysWOW64\Dappgk32.exe

C:\Windows\system32\Dappgk32.exe

C:\Windows\SysWOW64\Dcaloc32.exe

C:\Windows\system32\Dcaloc32.exe

C:\Windows\SysWOW64\Djldlnao.exe

C:\Windows\system32\Djldlnao.exe

C:\Windows\SysWOW64\Dablmkba.exe

C:\Windows\system32\Dablmkba.exe

C:\Windows\SysWOW64\Ddaiifae.exe

C:\Windows\system32\Ddaiifae.exe

C:\Windows\SysWOW64\Djnaamol.exe

C:\Windows\system32\Djnaamol.exe

C:\Windows\SysWOW64\Ephing32.exe

C:\Windows\system32\Ephing32.exe

C:\Windows\SysWOW64\Ecfejc32.exe

C:\Windows\system32\Ecfejc32.exe

C:\Windows\SysWOW64\Ejpngm32.exe

C:\Windows\system32\Ejpngm32.exe

C:\Windows\SysWOW64\Epjfcgef.exe

C:\Windows\system32\Epjfcgef.exe

C:\Windows\SysWOW64\Ecibpbdj.exe

C:\Windows\system32\Ecibpbdj.exe

C:\Windows\SysWOW64\Ejbklm32.exe

C:\Windows\system32\Ejbklm32.exe

C:\Windows\SysWOW64\Edhoie32.exe

C:\Windows\system32\Edhoie32.exe

C:\Windows\SysWOW64\Egfkfa32.exe

C:\Windows\system32\Egfkfa32.exe

C:\Windows\SysWOW64\Ejegblid.exe

C:\Windows\system32\Ejegblid.exe

C:\Windows\SysWOW64\Egihkqhn.exe

C:\Windows\system32\Egihkqhn.exe

C:\Windows\SysWOW64\Eanlhihd.exe

C:\Windows\system32\Eanlhihd.exe

C:\Windows\SysWOW64\Egkdapfk.exe

C:\Windows\system32\Egkdapfk.exe

C:\Windows\SysWOW64\Fcbefalp.exe

C:\Windows\system32\Fcbefalp.exe

C:\Windows\SysWOW64\Fbebihbl.exe

C:\Windows\system32\Fbebihbl.exe

C:\Windows\SysWOW64\Fdfkkcom.exe

C:\Windows\system32\Fdfkkcom.exe

C:\Windows\SysWOW64\Fnopci32.exe

C:\Windows\system32\Fnopci32.exe

C:\Windows\SysWOW64\Fdhhqc32.exe

C:\Windows\system32\Fdhhqc32.exe

C:\Windows\SysWOW64\Fkbpmmdg.exe

C:\Windows\system32\Fkbpmmdg.exe

C:\Windows\SysWOW64\Gnciohah.exe

C:\Windows\system32\Gnciohah.exe

C:\Windows\SysWOW64\Gcpago32.exe

C:\Windows\system32\Gcpago32.exe

C:\Windows\SysWOW64\Gbaaeggo.exe

C:\Windows\system32\Gbaaeggo.exe

C:\Windows\SysWOW64\Gdpnabgb.exe

C:\Windows\system32\Gdpnabgb.exe

C:\Windows\SysWOW64\Gcekbokj.exe

C:\Windows\system32\Gcekbokj.exe

C:\Windows\SysWOW64\Gjocoi32.exe

C:\Windows\system32\Gjocoi32.exe

C:\Windows\SysWOW64\Gqiklcjd.exe

C:\Windows\system32\Gqiklcjd.exe

C:\Windows\SysWOW64\Gedgla32.exe

C:\Windows\system32\Gedgla32.exe

C:\Windows\SysWOW64\Ggbchm32.exe

C:\Windows\system32\Ggbchm32.exe

C:\Windows\SysWOW64\Hbjdkepd.exe

C:\Windows\system32\Hbjdkepd.exe

C:\Windows\SysWOW64\Hekmmqme.exe

C:\Windows\system32\Hekmmqme.exe

C:\Windows\SysWOW64\Hcnnhm32.exe

C:\Windows\system32\Hcnnhm32.exe

C:\Windows\SysWOW64\Habnbabi.exe

C:\Windows\system32\Habnbabi.exe

C:\Windows\SysWOW64\Hglfol32.exe

C:\Windows\system32\Hglfol32.exe

C:\Windows\SysWOW64\Hjjbkg32.exe

C:\Windows\system32\Hjjbkg32.exe

C:\Windows\SysWOW64\Hbakld32.exe

C:\Windows\system32\Hbakld32.exe

C:\Windows\SysWOW64\Hccgcmoj.exe

C:\Windows\system32\Hccgcmoj.exe

C:\Windows\SysWOW64\Iebcnpfm.exe

C:\Windows\system32\Iebcnpfm.exe

C:\Windows\SysWOW64\Igqpjkeq.exe

C:\Windows\system32\Igqpjkeq.exe

C:\Windows\SysWOW64\Ijolffed.exe

C:\Windows\system32\Ijolffed.exe

C:\Windows\SysWOW64\Iaidbq32.exe

C:\Windows\system32\Iaidbq32.exe

C:\Windows\SysWOW64\Ilohpi32.exe

C:\Windows\system32\Ilohpi32.exe

C:\Windows\SysWOW64\Ibhqlc32.exe

C:\Windows\system32\Ibhqlc32.exe

C:\Windows\SysWOW64\Iakahpjo.exe

C:\Windows\system32\Iakahpjo.exe

C:\Windows\SysWOW64\Icjmdlib.exe

C:\Windows\system32\Icjmdlib.exe

C:\Windows\SysWOW64\Inoaadih.exe

C:\Windows\system32\Inoaadih.exe

C:\Windows\SysWOW64\Iannnphl.exe

C:\Windows\system32\Iannnphl.exe

C:\Windows\SysWOW64\Icljjkgp.exe

C:\Windows\system32\Icljjkgp.exe

C:\Windows\SysWOW64\Jjholemj.exe

C:\Windows\system32\Jjholemj.exe

C:\Windows\SysWOW64\Jndkmd32.exe

C:\Windows\system32\Jndkmd32.exe

C:\Windows\SysWOW64\Jhloeikc.exe

C:\Windows\system32\Jhloeikc.exe

C:\Windows\SysWOW64\Jnfgbc32.exe

C:\Windows\system32\Jnfgbc32.exe

C:\Windows\SysWOW64\Jjmhgd32.exe

C:\Windows\system32\Jjmhgd32.exe

C:\Windows\SysWOW64\Jhaiqi32.exe

C:\Windows\system32\Jhaiqi32.exe

C:\Windows\SysWOW64\Jdhiej32.exe

C:\Windows\system32\Jdhiej32.exe

C:\Windows\SysWOW64\Jomncb32.exe

C:\Windows\system32\Jomncb32.exe

C:\Windows\SysWOW64\Jaljon32.exe

C:\Windows\system32\Jaljon32.exe

C:\Windows\SysWOW64\Kjdnhcbl.exe

C:\Windows\system32\Kjdnhcbl.exe

C:\Windows\SysWOW64\Kbkfiaco.exe

C:\Windows\system32\Kbkfiaco.exe

C:\Windows\SysWOW64\Kkfkmc32.exe

C:\Windows\system32\Kkfkmc32.exe

C:\Windows\SysWOW64\Kelokl32.exe

C:\Windows\system32\Kelokl32.exe

C:\Windows\SysWOW64\Koddcagp.exe

C:\Windows\system32\Koddcagp.exe

C:\Windows\SysWOW64\Khmhlg32.exe

C:\Windows\system32\Khmhlg32.exe

C:\Windows\SysWOW64\Keqieklj.exe

C:\Windows\system32\Keqieklj.exe

C:\Windows\SysWOW64\Khoebgkn.exe

C:\Windows\system32\Khoebgkn.exe

C:\Windows\SysWOW64\Kknanbja.exe

C:\Windows\system32\Kknanbja.exe

C:\Windows\SysWOW64\Kbdiopkd.exe

C:\Windows\system32\Kbdiopkd.exe

C:\Windows\SysWOW64\Kecekkjh.exe

C:\Windows\system32\Kecekkjh.exe

C:\Windows\SysWOW64\Lhaagfik.exe

C:\Windows\system32\Lhaagfik.exe

C:\Windows\SysWOW64\Lkpncb32.exe

C:\Windows\system32\Lkpncb32.exe

C:\Windows\SysWOW64\Lajfplpl.exe

C:\Windows\system32\Lajfplpl.exe

C:\Windows\SysWOW64\Leebqk32.exe

C:\Windows\system32\Leebqk32.exe

C:\Windows\SysWOW64\Lhdnmf32.exe

C:\Windows\system32\Lhdnmf32.exe

C:\Windows\SysWOW64\Longjpoe.exe

C:\Windows\system32\Longjpoe.exe

C:\Windows\SysWOW64\Ldkobgmm.exe

C:\Windows\system32\Ldkobgmm.exe

C:\Windows\SysWOW64\Llagcdmo.exe

C:\Windows\system32\Llagcdmo.exe

C:\Windows\SysWOW64\Lejlljdp.exe

C:\Windows\system32\Lejlljdp.exe

C:\Windows\SysWOW64\Laalak32.exe

C:\Windows\system32\Laalak32.exe

C:\Windows\SysWOW64\Lhkdneaq.exe

C:\Windows\system32\Lhkdneaq.exe

C:\Windows\SysWOW64\Llfqnc32.exe

C:\Windows\system32\Llfqnc32.exe

C:\Windows\SysWOW64\Lcpikn32.exe

C:\Windows\system32\Lcpikn32.exe

C:\Windows\SysWOW64\Mlimccgg.exe

C:\Windows\system32\Mlimccgg.exe

C:\Windows\SysWOW64\Meaami32.exe

C:\Windows\system32\Meaami32.exe

C:\Windows\SysWOW64\Mhpnid32.exe

C:\Windows\system32\Mhpnid32.exe

C:\Windows\SysWOW64\Mecnbhle.exe

C:\Windows\system32\Mecnbhle.exe

C:\Windows\SysWOW64\Mlmgob32.exe

C:\Windows\system32\Mlmgob32.exe

C:\Windows\SysWOW64\Mdikce32.exe

C:\Windows\system32\Mdikce32.exe

C:\Windows\SysWOW64\Mlpcdb32.exe

C:\Windows\system32\Mlpcdb32.exe

C:\Windows\SysWOW64\Monpqn32.exe

C:\Windows\system32\Monpqn32.exe

C:\Windows\SysWOW64\Mamlmi32.exe

C:\Windows\system32\Mamlmi32.exe

C:\Windows\SysWOW64\Mdkhidoj.exe

C:\Windows\system32\Mdkhidoj.exe

C:\Windows\SysWOW64\Mkepeo32.exe

C:\Windows\system32\Mkepeo32.exe

C:\Windows\SysWOW64\Mclhfl32.exe

C:\Windows\system32\Mclhfl32.exe

C:\Windows\SysWOW64\Nldmpamj.exe

C:\Windows\system32\Nldmpamj.exe

C:\Windows\SysWOW64\Ndpaddje.exe

C:\Windows\system32\Ndpaddje.exe

C:\Windows\SysWOW64\Nlgiea32.exe

C:\Windows\system32\Nlgiea32.exe

C:\Windows\SysWOW64\Nacbmh32.exe

C:\Windows\system32\Nacbmh32.exe

C:\Windows\SysWOW64\Nogbgl32.exe

C:\Windows\system32\Nogbgl32.exe

C:\Windows\SysWOW64\Nhpgpboi.exe

C:\Windows\system32\Nhpgpboi.exe

C:\Windows\SysWOW64\Nknclm32.exe

C:\Windows\system32\Nknclm32.exe

C:\Windows\SysWOW64\Nollbldc.exe

C:\Windows\system32\Nollbldc.exe

C:\Windows\SysWOW64\Obkhngcf.exe

C:\Windows\system32\Obkhngcf.exe

C:\Windows\SysWOW64\Ohdpka32.exe

C:\Windows\system32\Ohdpka32.exe

C:\Windows\SysWOW64\Okcmgmjg.exe

C:\Windows\system32\Okcmgmjg.exe

C:\Windows\SysWOW64\Odkapb32.exe

C:\Windows\system32\Odkapb32.exe

C:\Windows\SysWOW64\Okeillhd.exe

C:\Windows\system32\Okeillhd.exe

C:\Windows\SysWOW64\Oclamjhf.exe

C:\Windows\system32\Oclamjhf.exe

C:\Windows\SysWOW64\Oboaif32.exe

C:\Windows\system32\Oboaif32.exe

C:\Windows\SysWOW64\Odpjkalb.exe

C:\Windows\system32\Odpjkalb.exe

C:\Windows\SysWOW64\Omioaokb.exe

C:\Windows\system32\Omioaokb.exe

C:\Windows\SysWOW64\Pccgnibo.exe

C:\Windows\system32\Pccgnibo.exe

C:\Windows\SysWOW64\Pfbcjdab.exe

C:\Windows\system32\Pfbcjdab.exe

C:\Windows\SysWOW64\Pippfpqf.exe

C:\Windows\system32\Pippfpqf.exe

C:\Windows\SysWOW64\Pojhcj32.exe

C:\Windows\system32\Pojhcj32.exe

C:\Windows\SysWOW64\Pbidoe32.exe

C:\Windows\system32\Pbidoe32.exe

C:\Windows\SysWOW64\Pfdppdop.exe

C:\Windows\system32\Pfdppdop.exe

C:\Windows\SysWOW64\Pkaihkng.exe

C:\Windows\system32\Pkaihkng.exe

C:\Windows\SysWOW64\Pchaihni.exe

C:\Windows\system32\Pchaihni.exe

C:\Windows\SysWOW64\Peimapdg.exe

C:\Windows\system32\Peimapdg.exe

C:\Windows\SysWOW64\Pieiao32.exe

C:\Windows\system32\Pieiao32.exe

C:\Windows\SysWOW64\Pkcenj32.exe

C:\Windows\system32\Pkcenj32.exe

C:\Windows\SysWOW64\Pcjnoh32.exe

C:\Windows\system32\Pcjnoh32.exe

C:\Windows\SysWOW64\Pfijkc32.exe

C:\Windows\system32\Pfijkc32.exe

C:\Windows\SysWOW64\Pigfgo32.exe

C:\Windows\system32\Pigfgo32.exe

C:\Windows\SysWOW64\Pmcbgmcg.exe

C:\Windows\system32\Pmcbgmcg.exe

C:\Windows\SysWOW64\Pcmjdg32.exe

C:\Windows\system32\Pcmjdg32.exe

C:\Windows\SysWOW64\Pbpjpdao.exe

C:\Windows\system32\Pbpjpdao.exe

C:\Windows\SysWOW64\Pijbmnhk.exe

C:\Windows\system32\Pijbmnhk.exe

C:\Windows\SysWOW64\Pockih32.exe

C:\Windows\system32\Pockih32.exe

C:\Windows\SysWOW64\Qfncfbge.exe

C:\Windows\system32\Qfncfbge.exe

C:\Windows\SysWOW64\Qeqcao32.exe

C:\Windows\system32\Qeqcao32.exe

C:\Windows\SysWOW64\Qkjlniel.exe

C:\Windows\system32\Qkjlniel.exe

C:\Windows\SysWOW64\Qcacogfo.exe

C:\Windows\system32\Qcacogfo.exe

C:\Windows\SysWOW64\Qecpgo32.exe

C:\Windows\system32\Qecpgo32.exe

C:\Windows\SysWOW64\Aphddhlc.exe

C:\Windows\system32\Aphddhlc.exe

C:\Windows\SysWOW64\Aiqimm32.exe

C:\Windows\system32\Aiqimm32.exe

C:\Windows\SysWOW64\Aloeii32.exe

C:\Windows\system32\Aloeii32.exe

C:\Windows\SysWOW64\Acfmjf32.exe

C:\Windows\system32\Acfmjf32.exe

C:\Windows\SysWOW64\Abimfcid.exe

C:\Windows\system32\Abimfcid.exe

C:\Windows\SysWOW64\Aegibnhg.exe

C:\Windows\system32\Aegibnhg.exe

C:\Windows\SysWOW64\Amoacl32.exe

C:\Windows\system32\Amoacl32.exe

C:\Windows\SysWOW64\Apmnpg32.exe

C:\Windows\system32\Apmnpg32.exe

C:\Windows\SysWOW64\Abkjlb32.exe

C:\Windows\system32\Abkjlb32.exe

C:\Windows\SysWOW64\Aejfhn32.exe

C:\Windows\system32\Aejfhn32.exe

C:\Windows\SysWOW64\Amanik32.exe

C:\Windows\system32\Amanik32.exe

C:\Windows\SysWOW64\Aflpgq32.exe

C:\Windows\system32\Aflpgq32.exe

C:\Windows\SysWOW64\Aijlcl32.exe

C:\Windows\system32\Aijlcl32.exe

C:\Windows\SysWOW64\Blhhpg32.exe

C:\Windows\system32\Blhhpg32.exe

C:\Windows\SysWOW64\Bcbmfdhl.exe

C:\Windows\system32\Bcbmfdhl.exe

C:\Windows\SysWOW64\Blmakgeg.exe

C:\Windows\system32\Blmakgeg.exe

C:\Windows\SysWOW64\Biabdkdq.exe

C:\Windows\system32\Biabdkdq.exe

C:\Windows\SysWOW64\Bicojk32.exe

C:\Windows\system32\Bicojk32.exe

C:\Windows\SysWOW64\Cmagpihd.exe

C:\Windows\system32\Cmagpihd.exe

C:\Windows\SysWOW64\Clfdaeml.exe

C:\Windows\system32\Clfdaeml.exe

C:\Windows\SysWOW64\Cbcico32.exe

C:\Windows\system32\Cbcico32.exe

C:\Windows\SysWOW64\Cmhmqhbl.exe

C:\Windows\system32\Cmhmqhbl.exe

C:\Windows\SysWOW64\Cionei32.exe

C:\Windows\system32\Cionei32.exe

C:\Windows\SysWOW64\Dmmglg32.exe

C:\Windows\system32\Dmmglg32.exe

C:\Windows\SysWOW64\Dpnpmb32.exe

C:\Windows\system32\Dpnpmb32.exe

C:\Windows\SysWOW64\Dfhhjmbe.exe

C:\Windows\system32\Dfhhjmbe.exe

C:\Windows\SysWOW64\Dihalh32.exe

C:\Windows\system32\Dihalh32.exe

C:\Windows\SysWOW64\Dpbihbgc.exe

C:\Windows\system32\Dpbihbgc.exe

C:\Windows\SysWOW64\Dmfjaf32.exe

C:\Windows\system32\Dmfjaf32.exe

C:\Windows\SysWOW64\Dccbjm32.exe

C:\Windows\system32\Dccbjm32.exe

C:\Windows\SysWOW64\Eimjgglq.exe

C:\Windows\system32\Eimjgglq.exe

C:\Windows\SysWOW64\Epgbca32.exe

C:\Windows\system32\Epgbca32.exe

C:\Windows\SysWOW64\Eedklh32.exe

C:\Windows\system32\Eedklh32.exe

C:\Windows\SysWOW64\Edekip32.exe

C:\Windows\system32\Edekip32.exe

C:\Windows\SysWOW64\Eefhahob.exe

C:\Windows\system32\Eefhahob.exe

C:\Windows\SysWOW64\Emnpbepd.exe

C:\Windows\system32\Emnpbepd.exe

C:\Windows\SysWOW64\Edghoo32.exe

C:\Windows\system32\Edghoo32.exe

C:\Windows\SysWOW64\Eidqgf32.exe

C:\Windows\system32\Eidqgf32.exe

C:\Windows\SysWOW64\Epnidpme.exe

C:\Windows\system32\Epnidpme.exe

C:\Windows\SysWOW64\Eghaajdb.exe

C:\Windows\system32\Eghaajdb.exe

C:\Windows\SysWOW64\Eekalg32.exe

C:\Windows\system32\Eekalg32.exe

C:\Windows\SysWOW64\Eleiiabj.exe

C:\Windows\system32\Eleiiabj.exe

C:\Windows\SysWOW64\Ecoafk32.exe

C:\Windows\system32\Ecoafk32.exe

C:\Windows\SysWOW64\Femnbg32.exe

C:\Windows\system32\Femnbg32.exe

C:\Windows\SysWOW64\Fpcbop32.exe

C:\Windows\system32\Fpcbop32.exe

C:\Windows\SysWOW64\Fepkgfgg.exe

C:\Windows\system32\Fepkgfgg.exe

C:\Windows\SysWOW64\Fngbidhj.exe

C:\Windows\system32\Fngbidhj.exe

C:\Windows\SysWOW64\Fpeoeogm.exe

C:\Windows\system32\Fpeoeogm.exe

C:\Windows\SysWOW64\Fgogai32.exe

C:\Windows\system32\Fgogai32.exe

C:\Windows\SysWOW64\Fllpjp32.exe

C:\Windows\system32\Fllpjp32.exe

C:\Windows\SysWOW64\Fdcgkn32.exe

C:\Windows\system32\Fdcgkn32.exe

C:\Windows\SysWOW64\Fgadgilh.exe

C:\Windows\system32\Fgadgilh.exe

C:\Windows\SysWOW64\Fnllcc32.exe

C:\Windows\system32\Fnllcc32.exe

C:\Windows\SysWOW64\Fpjhpo32.exe

C:\Windows\system32\Fpjhpo32.exe

C:\Windows\SysWOW64\Ffgqhe32.exe

C:\Windows\system32\Ffgqhe32.exe

C:\Windows\SysWOW64\Fpleen32.exe

C:\Windows\system32\Fpleen32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8272 -ip 8272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8272 -s 408

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/3112-0-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3112-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Kbnjig32.exe

MD5 8837ea9763a86d3ed86dbd9f4306460d
SHA1 40a54607ace8a91784684e6172972d60f912cc91
SHA256 c8668c4ac11a02f7b2a03d570b2978bf4c2c93c875abcb9fcc678fdedcfc5d93
SHA512 e57f91c8465ec2c9da4a3f8d74ff2aa85bc089582c967797521ac5f988d942a8626c66571a0fe1710eea3b96e469595140a5da35a3d32b1d901650ca0c7cbb05

memory/4768-8-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Klgoalkh.exe

MD5 e0d8cf3db4c354b044d90690c9707e1e
SHA1 70bba3310f7dda383c203eb5ddd4eab0e68b0ac8
SHA256 533f020e8ba39a9f0f34c614cd10a045394b49463ccf0d84fe1a560c4854828c
SHA512 666a78e7a1f9c9d55d1a632e6de574a0493e8e4942e0b2e79179e3e2e6e7d6425efeac67cf5fac7cc4527a44cfbf4f70ebdbd94a6543456f0153ada84c90206d

memory/688-17-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Kcqgnfbe.exe

MD5 611ad2ad3a7977af9f7985dab10062ca
SHA1 d6956137056ecaa6a6adf0022c40e75cd903627a
SHA256 5634367ffebf4e86326407a25f74a5edf1da3f951ce13dd20fbec6c165a44ae7
SHA512 8b370a308f607720cf9054c26fd34ce26c7c399871c4e797c90f2a5ccce96eea8cf5e81b1368974150d3da1f53704c18ed8162156e87fcce3097206779c2e47b

memory/2716-25-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Keappapf.exe

MD5 f9d81bbf55e617bba685d68c066d442f
SHA1 aea9d0f2dc6d4980e3a97522adb9b24cbf4bcaa4
SHA256 a4c81db8d9be03048bbbb2b6092a5cca957d48a37422e5f8c841ffd2507a0781
SHA512 c4a5efcade466db3515a556aa4d84e8c292579cb5ccdd2b6194ebcb71656b2c4e7d7bfa5c2a72b1dd1440fab7e82d9fedd183632a03b695bdaf95385ac781b2f

memory/2552-32-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Kahpebej.exe

MD5 bbd243cfd96f34f5c4ad92f9eb0dfc4a
SHA1 be1ee4b32351fcf656f3733711b8820f5f617177
SHA256 ad301d7cfb31dfa3062c3b85c52210fdf79f737cf85652f7c0340c31ace205b6
SHA512 ea483c62e2744cf00449d09e3020d77febc8404133f49d8f88af4f69adcfc0aca998373b96e3aa0417c4023dcdd4984f14201d79aba9b3fe0c44570e0fa8fda4

memory/2740-40-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Lchmoe32.exe

MD5 f94e16c7c40639e119160efb17942c4b
SHA1 e115d054e1a52abb8e6bb7de92546e61bfdc494e
SHA256 57bdd11ae791152a34660f9f17a9ab0f449e9ffe18df41e8ad3fbfb4bc9b1e4f
SHA512 ae4aa591409b8b3bc8d1dc774dcb9ae8af33e2cfc8504eae776207b76aa9e695d85fad9cacbb6654dbbf4fd2724e785cbb984919b725a0bd8d2026ddf7ec9b41

memory/4368-48-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Liaelpdj.exe

MD5 1db752288e3197de9715281ff3cbf0c2
SHA1 02d1d4adc1a6c368dbefd00908229c283758bf40
SHA256 43b7b1550422e8aa3b08dbbb55b34cf918f533ad1d0ed6b9556055ac521800f7
SHA512 01e8d6119ecac8c54bc82b84ea01498ab9f3bc269d93cf7e39a519dd8440545a3e4dc0309f8d95da777336cc397e66f0c1be9b2379aa4732b8944df0df503de5

memory/1068-57-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Llpahkcm.exe

MD5 9f0f2518f5ba9929c536d576a578adef
SHA1 ced3d9ebeacfaaf8bc0819b4e3c62677b1db566f
SHA256 57f4403c15d9a4e9ae9140c2962c7a0d1b6149bc53a5cbe55c998f8f4237b8fc
SHA512 4ed9598abc48ecf501a8c2ba08dced378571780aae096339fc30e920004063a95a4d3113fa3ba58f5563b1be3edf5c2a185b84dc33b505f942bead1ef1d73911

memory/4604-65-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Lcjide32.exe

MD5 687b84a61de3d0b23f6d021550f85776
SHA1 b8f08c22190dd24021605b56a942ab1b95dda600
SHA256 301b03ee3da9fc8f37bcf25413d164d1e46feace8f1b9d52b5f1f9b572e70cf1
SHA512 99d7c46c93a23f1bfe2c0dd06a48b8b5b9962e354efbb13f89c63ef2396f759c4719673eaa550e567c07d00bf4c2bfa34683411fc6e76379c759156756f09d7e

memory/5004-73-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Ljfogo32.exe

MD5 96be64ac005f28989ca24f4ddeb53a0b
SHA1 46940e1a08fd04dd3a655da7474e8c38d4c895b6
SHA256 d727cd1069c302558fe69dec09f108a9538586f63a7dc4948f5b7585b4838be5
SHA512 09b10c43d7cbf3e7a2b17bd2e131daf11f840f0c1c40baa599c3836a3414cc81185cdc0acffcd5a0a4511d5ae5135b464fefd81cb5cc8b07a50298a7d7ee0371

C:\Windows\SysWOW64\Llekcj32.exe

MD5 9ded3a975f6373c5a3bd9acae8355f06
SHA1 4c64eda284ff696b52e5283f529b41cc291d7652
SHA256 f961c81feaea2560f312ab5a0e93104f32909c9e64808d2af992b9e3a938ec94
SHA512 5e0d37d5e347d3b6a35953156f3d07f6cf7fb30861df8fbf414390dfd42d6e257482e4c58f93aaa076227c6635bb463abcc08aad95014a733b51fa64bf58606f

memory/3528-89-0x0000000000400000-0x0000000000468000-memory.dmp

memory/844-85-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Lpbcii32.exe

MD5 ebe936789cbd68df2bdc3ccf32328243
SHA1 1e524d9c0f106fbf7a2e7982f863c1106871d9e7
SHA256 144f0ef121970b8b6dead7c7a3f67e88d7fe8e660288ab5cd0f44946bdc58faa
SHA512 3231e237f9c43e0e2987e5b6e2277669cac7dd2d017a6e2ca2291803ca8295b798e5e96edf6580a74acf841a1c6e23b8bbf11707bd60eda0617073e0c15f9342

memory/4872-97-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Ljkhbnlo.exe

MD5 7a4f4df9162aeaa431d340aa3c9e0aa5
SHA1 018556cdabe5f9c0f79dcc730ddf41b0182b8fbd
SHA256 518eadc97a6ba9c70df29f48b0eea8801119448d9804918d24b698269928a188
SHA512 0827dac66926812f7c7b4097acc5bcd1a44798f8fb14636a356c7cb67483df8e9529fb68c24a7cce3f8092bb9172eed2344e2bb2e7cee4ab7fbb069291031f4b

memory/2412-108-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Llidnjkc.exe

MD5 ccf47a8884f04428b6e7c03b49f33dfc
SHA1 448f5d2578b1ef31cdedbe4e5b180aca9ad4acd9
SHA256 90bb784dd492ee04c2de608cfdca328585208b15351f575798f8a737fa3305bd
SHA512 ab757ae0f5b8eda7e967b3d921e1eb38e1c7ba3d121750ada4d4ce781dcb2ae9ecccfea1cf604e812b396ff4dd3179ba461320c6a00dd1c86330e36f0f268e2e

memory/4436-113-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Mjmdgn32.exe

MD5 25e69c63816333b987ce0282f8ace647
SHA1 1a78a0f75e8acfb13414d046eb6a3b69f56e55db
SHA256 adbc55037e027fd3de0859868b79551f3083241a3756b2b4c8e75a159d2d3674
SHA512 ddfe6b2b0c9cc8bcd3958868f59e652e5ef0073167c948abf2ce1899e4e3a5ea1dbac00ee043d41bc61e0548bc12078e0da99b9c3f3fd59312de4c0eb29ea77e

memory/1492-120-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Mlnnii32.exe

MD5 3d6c979927396218dd3cb47c14646406
SHA1 8bd7adf3962df898060f54bddeebd0810b775d09
SHA256 76e9571d750016e10ed1b9a0848745f45107a2acaa6093331d48489cfce8dc31
SHA512 f21c9904fb30b23781804dd1219d98ff5601269d84ce1f5e898a9a710d58421784d3eaa8d2438909b7478c0b98bafe0210dd46642bb8b5c4d2197c13e6b837be

memory/1248-129-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Mbkfap32.exe

MD5 e76ac4760ec73e96f2e0d5fc602f6eeb
SHA1 ec60d5a391a489cfc9ca22ed7049e825f51baf35
SHA256 eee1d4c8e38d196a5da5ce648e29ea056edc2fe085955e48b9d37c597ff596e3
SHA512 f3b30da704aff8f864913f0fbbcb6ef930986acc027d8701a4812e5de2d7e0c353c74f45cc7ff58b3f05169d72bf0223e3dfb287a48a4a9605a556c61b0c9d04

memory/4620-137-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Mffbbomn.exe

MD5 e5b64e2e2716b66c49ff63f2bc434941
SHA1 0260d4c35f7a335895f6880254fa47cfbade334f
SHA256 20f4a8bb4bc1fc9313388039bb23559f64e4cf9ab0fec2d7f170f7d3c379589e
SHA512 25e56c8454c442d01a50faeec95bd27813a3236adb905528bba8344266d48daec3206d5388cbbdedd002aadbc4acb21ada5feff7fe6ba3d752f361e2f9bd1bdf

memory/4408-145-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4480-153-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Mplfog32.exe

MD5 07657b2ce462019c5dd6538d33ee6356
SHA1 81bb7c482e6e168b39e7e8ca36cbe5f5f7fc48e9
SHA256 8eff3e7e6e6a52e37384ac5531ec529d6c87e8c6952a829af10e04f9803971f9
SHA512 9173c598c3f12a4d3d99369bdb276aa34f1db7b214fae49fd8ea72eb65774c9cbfe97f4ced74b572acb90e3115cde5d0d69cd3d2067cdc8412abf2060c73009c

C:\Windows\SysWOW64\Mqnceg32.exe

MD5 4c1df187f359d15a66b30aefad74a038
SHA1 5bce044a9bf8ee77812ff4342be441ccac06614d
SHA256 888a54b44ede0bb2f098eca5f231c9eadead0e4d4e5f29ba37d2fce5b1575bc0
SHA512 ef0642df119700c8ea513a1a2caeaac88dc9ff2a06d2ea56a1906698659ed1825e9ea5b20d70d125d024f5183f3121d7d8c50d2126d519738bdbf061346600c7

memory/4276-161-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Mcmoab32.exe

MD5 2562a3dca19c4d36aca5048edb04f7de
SHA1 1be13ec717c49a701b1fa82cce712f3ab3af67c4
SHA256 93e3e40f927d6b62edd2b061f991c65d461b0e1d36df9763fa7afa067b5aa35a
SHA512 0121d294acd9d492167568c44dac1ae0f91669536b406b15b77cacf80e77dbb33800a61e1cbd47b81b4d34d6d162fff6d67eab22db0c3e566659dd2493724837

memory/708-168-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Nbblbo32.exe

MD5 2a58ed445127d01b039c2fc9f0f63dbf
SHA1 3a46898fe617961e2f5fc1e6b948a5e7677f1196
SHA256 d053702441be7d66caaa5b02a0414aec85d95d0d5884c66104271963599569e6
SHA512 230f5549e54117ff9ea9655eb20b20f51638fc45d9d4d88f261433ad78cd2491678b221166c1b31d9f7717e9c7c2fb5ab9e831c62b3377d6b965a0b3329d76ad

memory/1144-176-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Nhldoifj.exe

MD5 f5d122d767cd6f9fe1f2bc3abdde1a1f
SHA1 8d99460431fbc08791a78d856f7f57cea202fffa
SHA256 77e8b07af2a48006deefc100d42cb147a41f442444e7685fbe6c1304bf350e25
SHA512 dd24bf388575ffcbaeb6c1f26cb954306f7ba0051d30c7004fef384ec404baec6a48986f0ba78ab2fc03f571c8cc6bea5eaf363067588ae7a538903f8906724b

C:\Windows\SysWOW64\Nofmlc32.exe

MD5 484bcbbc909551e4fa73890532311ab9
SHA1 d90132467a5f85be3adbde8c1e4e680e6c0f71b7
SHA256 ba71a7b3e4afd07aee3d8e3ef323962a72e251fc83cb67866fdb9de3185db59e
SHA512 bfe6263fdda445a43a19998d63e91722597a4351a9bc5c4d4ffb2465ba384a8a0e16a07afcadd9229bbd258607dba198ae390d2fc505c3e2e2784d38be192c22

memory/4104-185-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2976-193-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Nhnadidg.exe

MD5 961a77cbdcca7f966f4c7d8b69c2511a
SHA1 2c2c01eb2e85e5908802ec190457ed9b1c4f63f7
SHA256 95f298bf78bac2400101e2c1e33e366c732baaf83bc032de0d6bbb3dceeff8b0
SHA512 c65b0eb9bbb27a04ab7408a66019fb7c87c043c5471fd34f81ddd8e15065e7accc513c2948d83e84195d925b5f6474eada35f4edffe7c4738228279fb4f5a572

memory/3920-201-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Njnnnllj.exe

MD5 78ec8df4b80f53c0255c18be85375567
SHA1 1575290f7d9edc876aed4e0e2b10cbc2f9dbf3ec
SHA256 9b5c75445660f9438ce4a3579814542dbf840ad208550f22b8af22ca904471cb
SHA512 6cfe086c7077d5918d3ab0e140551010f4f941743fddfc25c13c1677d5e884665a1fe67135d1cb86b132218975011b8c8153cab3e9f93a966d82ba9831859a79

memory/3304-208-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Nqhfkf32.exe

MD5 a64635486696262ea71801a8539f0059
SHA1 115825fa5b1dd16fb7b664a32ea324f1b5d5fcab
SHA256 dfb690d846154b41780def8bd8b3e6f1a082729f4f9301171755de2af3345de1
SHA512 c347e1dcae09d55b9d7846d923955f9c672fdfe25e553ce788eccd14a8b5f49a94556c2bca5ea4347dd0ae7f00c520774aa0f13aa2838fea36113885ec0a98b8

memory/5000-220-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Njpjdkig.exe

MD5 a640b3e7954bf05bcf3608272ce4d6f4
SHA1 d4bd1ab3e4ab6764745d897d6bc78fae0e9d30de
SHA256 e188d824e9495a57967bcf155b1c7b483add87368cf0f65107592fe6dde63b75
SHA512 6dbee29841dede02c12b259e6393f2ea5e87c98cbc3835abd72b7011db413e9f4aaeb606e755376ee2b870e2a7da703d9a32ea6091385b98a8b5f80bf6fb26d5

memory/3276-225-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Nfgkilok.exe

MD5 2d8a28878e994a0ea8024fe386f18040
SHA1 6467dd03694e8d29de71360fcae96bd302663226
SHA256 e517a22f1ae2ee06692cfff2cb32f7675ed3fc37dc44132e272939089c547a2c
SHA512 eb4a156ed04b077412dbb3716ee51e5ff041cc03642dba1e83fcb4f8f23540cd182aafc9a4ecd9b67d9db3c8137780041ef719e8b9efc1c2ddb921f6b9cd617e

memory/4644-233-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Oqlofeoa.exe

MD5 d4ce0f97aba0ffcb2fa5f2791ace221c
SHA1 7a2b38260d74462565b73ea9dc01dd9a012d8258
SHA256 b195e74c37d2f0cb0202cc504c98b057564a84836362eedc695ed7b8bd29398f
SHA512 e0e40a994bad37b4ba57568b03a7a1a2b6388acda7ed0eeeccea1e95ac38f8f5051d1160f8ed8f2fd27bc81f4dccea5c1253c8cab794c600b8a9414118107ae7

memory/212-240-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Ockkbqne.exe

MD5 7574786af5c9d8bbcaa23bb04b5888df
SHA1 12574d16846eb98da72b5af1885321239866f9da
SHA256 402d9f733e158f5e44676349bbc97159d4de1bb2830ca486a353bfb8c507ae57
SHA512 7bd7bbeb952d8f740b7051d1f406a514476853cf870a25cc96cf99fd046f61510768c298262792c101f07c1486f2f6356a1b48abfe4be97f23a352e9dcd298b0

memory/4092-248-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Ooalga32.exe

MD5 2d55e16bd3024f39d063dc76f59eeadb
SHA1 c128ea33376cc693f288aa10a0a3a7f36d8e8deb
SHA256 9e41d40fc1034b46b6798cf603e7fbe8e8969b519fefb745501662bdb5807855
SHA512 e5475876bacd29a31393f69e695d7c8196a939ebc90eaad158d92f1677f44776b7a7e2bc054c6c0e65c18537ccddf6d9a283fe6a811b58716a2ce93c6e548028

memory/1636-257-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Oijqpg32.exe

MD5 911fbb9469adf83132c29fa2f9bfd5ad
SHA1 bd4993f86b18c794b664c03a45bc3babe9e712d5
SHA256 c1e10387de88516d799d62d7ec96a53aedc3612e261b0d2d948a11edef67c08f
SHA512 27cc36530b07dfcfd30f3d42564e2bf2d719cb1159595286c677b5faceff604343c25f01d5b96d6d1d6ac443fe1f3bfd09c91d33e56a7719721c90fbf559c0d0

memory/3876-263-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4320-269-0x0000000000400000-0x0000000000468000-memory.dmp

memory/408-280-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1176-286-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2784-297-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3384-303-0x0000000000400000-0x0000000000468000-memory.dmp

memory/912-308-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3984-310-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2900-321-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1668-327-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2480-333-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Pamhmb32.exe

MD5 6395a02578ae22cafb610b1e325ba4c2
SHA1 bc2beb36cd4065077810f05baffaddf16a6d149b
SHA256 764a755b935a5657c3c95e85c7388f5cc4f22500fe66ebae0d841cfcb3fca922
SHA512 5e90830668a07e4ae39eb89c9cff595daf18b99675c3462e0f8cf9a86d172c7ecc4f31fff5627f43382985ff0f133f37506380822b942ed1c3f36906a5e51f34

memory/2000-339-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2756-345-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Pmcibc32.exe

MD5 5285c2c54cb09510663b36f367bc0fc0
SHA1 2f04515c18f9c5f415856948ed9aba199cdc7a48
SHA256 0d406592b178dd0ba187b163330b48a8c634b639bce13103b45f592e9fac214d
SHA512 54163ebdae40d18be4e72016d96a77703dab9c378583b915a71b1adc7a739dfa3cd15933eaecc0bc8693aa703f0048861c70954e5788d91bb7942a0f87ae5487

memory/4008-351-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3496-357-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2960-363-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2760-369-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2236-375-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Qiocbd32.exe

MD5 96ea479d0a9b598bce2e9780761dfe5c
SHA1 dc871adb4121958b015442e329ac5a5fb35a6a55
SHA256 7515f3acc3638a0c08e127d0a465d4d29989f62ca25e129528344296ff6b618b
SHA512 b4f2d406db73b076c5602872d9358432d9f37250b0f46fc6125a5aa3de8c2904d1e0a16cc0177b2c8f021e267ef64572e11776da8df65da3824d055e97b2550f

memory/4296-381-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4040-387-0x0000000000400000-0x0000000000468000-memory.dmp

memory/5032-393-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4164-399-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3408-405-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3964-411-0x0000000000400000-0x0000000000468000-memory.dmp

memory/324-417-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4624-423-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1716-429-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4764-435-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1060-441-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4484-447-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2816-457-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3936-459-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1644-465-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3812-471-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3208-477-0x0000000000400000-0x0000000000468000-memory.dmp

memory/744-487-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2244-492-0x0000000000400000-0x0000000000468000-memory.dmp

memory/396-495-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3340-501-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2472-512-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1748-518-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2848-524-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4168-530-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Cikkeppa.exe

MD5 a826facd494d73590495c863547d2ece
SHA1 118927f65811c4bf0ef0886d382e620f8e273d0b
SHA256 c4856f5c5d89b192c91d746687474ad4be442e8f4415ed9665d37f4a3bf90304
SHA512 279ffa469d37a70d3f25ea09ec92b6f5c422095b2686bee272f6bc141b5b0d67f539d9fcaaa7646511e001d0cf0a6fffe32b3206220a76c142407aa9fee695c8

memory/3112-536-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1620-537-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1312-543-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4768-549-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4360-550-0x0000000000400000-0x0000000000468000-memory.dmp

memory/688-556-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3444-557-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3840-564-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2716-563-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Cpljbi32.exe

MD5 760d67d34a080ea3c0a5c13e616335ed
SHA1 45567761d2cb99fdf3c67a930f0420322a404030
SHA256 7121bfd650a74dd2803fda7dba8eeeefab09450258f3eefd9f7e06370277f8c5
SHA512 2b18583518a20ef0c589c368073722c307e359e169e31234415f81f959282653e211877cf05047311d8985669a22040275ab787a3eae7e7ee98ef79ef8620538

memory/2552-570-0x0000000000400000-0x0000000000468000-memory.dmp

memory/980-571-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2740-577-0x0000000000400000-0x0000000000468000-memory.dmp

memory/5036-578-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4368-584-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4540-585-0x0000000000400000-0x0000000000468000-memory.dmp

memory/936-592-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1068-591-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4604-598-0x0000000000400000-0x0000000000468000-memory.dmp

memory/5004-617-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Dcaloc32.exe

MD5 c754c9d5a1ea6a482093cfe3d3c60fcd
SHA1 d2e148760047569311e5cfb955f9dd45bd4ff54c
SHA256 3232244c76a3df9fa0d41a06a02ddc05d5aa577851b75fb5efb73f62405d1a48
SHA512 6a32c86f5ab8dce4f388a91f6bccee26ae504ca8bc1331b966d4fe52d07ac2a1e0c1ab07b844b15046bfbc278d8bd5de2e3fe222ca590bc856483706af13ba41

C:\Windows\SysWOW64\Djldlnao.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Ddaiifae.exe

MD5 f7dc7bd396f0a0e61a7071fcf9b03d4e
SHA1 9b9a2d81ad8304cf9a8e2d2a5e45305c96a8d5d2
SHA256 2a75cf81000582370dac7699b3d75b44e6e6dd150493dadf4fe6a02846403ef3
SHA512 14609ee8c57aa412ceb69a0db617ac120c751912d6134dfbaa9c12d4c1810d163e74bf4cb5c7dd034a8c2cd8e5551aa6ab357956ac7dde85281e95b08a9f2040

C:\Windows\SysWOW64\Epjfcgef.exe

MD5 d56c2cedfb2f695dfbd5662275b6fb17
SHA1 df6a8d60850856b25f0ede802c64cb7fbf773be0
SHA256 56740f26c31df01619168b32220e32c349f0a68dfc0f4da682f93858196630ba
SHA512 0b15b7e9c67b0e02de362bb89375133783fb877b221743fde387063331f6a4f74f8f46fdc6e2332b0ed12340f9412d0aa85cd6c3a5fdbda6cbf497e08752795f

C:\Windows\SysWOW64\Eanlhihd.exe

MD5 b5c28cfbb5804069cd5b126b39534c4a
SHA1 10fe7f306544db361cac6898cefb35592c0455be
SHA256 3b7f1ff43149c58e1726a2f7b583920b58bd4f9db5d0e588967655b286bf922b
SHA512 10ddc92cb865d836f855c8c082f5e191435c66b1b7ab4a2075e3e83578912e7e6041758f6adff4939000e130d72399785bdaf3ef8e9ea8250a875b0532e777b6

C:\Windows\SysWOW64\Fcbefalp.exe

MD5 eeca341d38d649d1988c36d5c3a3209c
SHA1 c653fc661456d02160c8671cf9d1426313cbca46
SHA256 3313aa26b3cc1d759559872a2ff43f21a17514b9af548655fbffbc7b06063a1d
SHA512 cb85fa3482e469a45f941bba29710f7dbbe89955fc236736db4df357a1aca06831f2fc37583411b5e4e5cf0507289d352763629d2a2e42870cce48ba7a8a09fc

C:\Windows\SysWOW64\Fbebihbl.exe

MD5 fa854c0f8b87209d156a0552dce1c476
SHA1 27ef5ac7cf1b2f7a1100881bf68bfd968ca397fc
SHA256 a2090ab2512f147126b436425ebd51f837bf1b607becc39fe44e7e312b758232
SHA512 2a4029d97bb81708aeaf0091bafee32551848b866afac729adccfc7b869f01de4741e6cf60fa5c69cd34b06b2e26d1c914157da32c139e9e3d6db4a16a5b7d7c

C:\Windows\SysWOW64\Gnciohah.exe

MD5 f3c48ea99b0ec8310f63cc6d712794ae
SHA1 8aad1b5fccbc7f830165328479895fb44c946541
SHA256 2dd2ec1474f9e43550fca48731c9e25d0aea8d31e39efddeb31004d44b9c0f74
SHA512 36c15e75e532212ed51a830d89d597e6d6af63bd4d1748ce148b588b2d9e722085fad525fb35cc071514aceb9902331222acee0e0027b0f437187074d60ab254

C:\Windows\SysWOW64\Gcekbokj.exe

MD5 b9d393b9368377a4f22b291afaf2c25c
SHA1 44e62d800083d29eb6061e93fdf8f2c88f5f7289
SHA256 b9a69943e5e90dc7d60de5d8ad66fddffbde69cca96d5c82dcccdc7b1cd516a1
SHA512 a40019e161a353329d8de69e849de8cce7c5b2d70bb542ebc6ec16d41f40463268aaf05f2c760ba050f0b61b5ab098c2cedf1405b4bb7a8acf2e178fad56f9cd

C:\Windows\SysWOW64\Gjocoi32.exe

MD5 ca130f94e4b46c1739b686ce0437d747
SHA1 26061b9f3c3351227b1ce681368390b118a73ece
SHA256 070f352747b18a482610892f800675aef597529ccd0e894d641620e5fba6fd5c
SHA512 aa66271fab480e61fa01aca1604962e799042751bafd7ae80d4ee27d41c710988029ed1f4a6f06b3e377f789fa444f3593a5582703871020d71c413deeeb1b4e

C:\Windows\SysWOW64\Hbjdkepd.exe

MD5 5ebb2c5d2cf7cbcfd16c53f648265889
SHA1 0868e689caa2f44e746df495d32eb6c1a4864b52
SHA256 ad633fcf3a9c9ed564ab95097b1453254771d9b1e799e0b080a036478d8e489f
SHA512 e047180bdf5cb8368a420e07d683308fa47596c42260711d238a14a811e3220e6969f02c3369a1923bc1d01611678e0a34777e8b394d89217f38dd58bfca84eb

C:\Windows\SysWOW64\Habnbabi.exe

MD5 4819e8d43f76052b6e4fff6ba17fded5
SHA1 a254d67bba3d65f73150a3e45b157b233681ba18
SHA256 87ff7305002d04f15be470c791810afb9f84df767c82b880f4409cadf2667923
SHA512 7f95f605dc8d56355e3f0ae156208627726d147ada5062f7a51b0c80a7e3c3ee6fe5d5aa5591c30060f9ea61f47b5902db449416c3f69a5964ee98fb03d613b4

C:\Windows\SysWOW64\Hccgcmoj.exe

MD5 6dc98bc8a80aaeff9a2c7eff685eb692
SHA1 ada002ea20039680904972a4102011f553d88e32
SHA256 e061e74839e273f61d622e344824d7662b29a15666bf0023e99eceb739d035e8
SHA512 f561d2e6691d292deff2e536ea1fb2348e31bc886662e3c61b8d4dd84b221179c2e14348ac30a7e1f349eabd367d793b1c7668c3f9baaa22d24f390ad5438974

C:\Windows\SysWOW64\Ilohpi32.exe

MD5 5160fcaa0361211b0b60a8b4a740d947
SHA1 94ecdc45a5444c311357e104e6ae99c238c6fec3
SHA256 fb2e679039a8483ff5e1b9714cc67505e86d6f5c67fd71fa9c6a65d3524b4085
SHA512 a89a56d10aa322dd9a255764d5f9512721357fb1cbb4877260fea798bf1484c5bf52b81a4457d67b6ab5350b7a00450b59b37afd472a2c564237b60deb38d814

C:\Windows\SysWOW64\Icjmdlib.exe

MD5 1300e0c054f59dd8fbfbca84b98ff835
SHA1 15efca630216c043825a573620ff35818e13a724
SHA256 c6a503bbeb2f117cef482d87018a879c1f87d1530c8e8becab7ce2ef6a7baa25
SHA512 1503220a48f1577e73ef76cd6867125e7822fa426571fb68d62a2681c123481bd67b950c353747eb5f7cfaf2a8f648d06208451969fec0f3237bf4b311c8d4b1

C:\Windows\SysWOW64\Jndkmd32.exe

MD5 b85fb535fa748ddc9599863b4e7a52f7
SHA1 5b44e86fdf291e8d3be4351ea115948a3b16f046
SHA256 58b999a50bce0fe33e1f3ede58be6b0a7b3612dd3b2e6f4b9d55f7afa5782786
SHA512 fd823c75e1d34a246db8a8c1e55c5d3a7da0d10eaae6cf025772716a07e8f603dabd9bffa3db200c2fd3104c15bed6eba88ce0853a3caa3edbfefba939be8965

C:\Windows\SysWOW64\Jjmhgd32.exe

MD5 16b4f4104e8deed81e8d30c37652a6bd
SHA1 6983228f447955e78a9f80bae2a4ddfb4dce0c3a
SHA256 ce90319c8fbf11528a6a0a62086ef3929c07b24aabfe9bd7ef7aff8e2c794c24
SHA512 4302a9f9c44f53a3289bdf7c91a4921909bf300eca8c5df7c0b66680711b3eeca3c9fa41bf3d37a421eff49713cc6b6b6526f51890bb0a4aeff28bc3d08fa1b7

C:\Windows\SysWOW64\Jdhiej32.exe

MD5 98795f958a442aa1d8bed04542112692
SHA1 ddb633440973778ec45ae39b97a429bd6f231abe
SHA256 2db6f71f1411c0215c6c873f833e3936a9acdb8ab19e5759959e16f017e3e6bf
SHA512 400bf18aa11d0d337feb2c72df4f9afe405bdbd98ad7d56f3c84e43d6925e021f812855915101973041d732daf6b51a4257245665912f919237da713449061c1

C:\Windows\SysWOW64\Jaljon32.exe

MD5 375b6acfe928ca2829e5744dee980e70
SHA1 1f7fd64d8e5ab86f8b97b1010ab3cbaac56e5b9a
SHA256 3d6fe0487ae5b3a57a9fc741e39e51a8877143791377686aaca064871884fd27
SHA512 a00bb307a1bedcf5556157603bebc70f806ba490d94b9b205b8806d0f396e7006d629fe1c2e5a784c1445ce81056396f2a31f7d27f9a0ae57e8db4346c37cf54

C:\Windows\SysWOW64\Kbkfiaco.exe

MD5 9ed3be3dbfc4610a02f6bd17d2cd4ebf
SHA1 c6e325e3eb3956ce031ad3bbcf34c2ac18a88dc8
SHA256 3624d920c8e2e2e03064573239055c48a6e2ba8dcc7df51d5990bee793fae528
SHA512 c76a05a8a082f95489e9614b28d86f838449201109d4454d64a36caffbb485b97d3d837cc7d53f6d2a9a3d4c6ebd6ca7fafacdb24af54ce5e6996f032f8be6e6

C:\Windows\SysWOW64\Kelokl32.exe

MD5 ff934d368882948c99289b93804e1908
SHA1 01ca67c7897f95221b03d11db6b412d2c5d7a5d1
SHA256 3a1dd93d4ef139e72e88d1a6330bd42a68013fd5c294283a46261526e88c1f0d
SHA512 0b9a509aac80d9a8a1be5226263d6974075b3d3bbd092c06a2cfc1b54abfb1ac3319c15ccd61b99537627e29ffbbb21a1ca4ce62ff21c4e3a8fa68ecb2d84b80

C:\Windows\SysWOW64\Khmhlg32.exe

MD5 77907832b5f7e2cbcee9e2faf8df5542
SHA1 89d5d84b9ee2fb4c8ede8f92d5fb78b4c4183cd5
SHA256 4b9ce5b4ecb252d30fac039110cdda0832be28a0c135b4e0ef5c3cff2f40193d
SHA512 65f0a4013be751e1d8cc70c5b587057e0b86e561cbf43f1614a1e15e5e33483fd0dce0594c40262443d353ae1c4ff23f49ab514b61c96d1c19a8495e10566548

C:\Windows\SysWOW64\Lejlljdp.exe

MD5 a9c473a14054d5cc3cc4b76ba4066955
SHA1 5bcf6b73554ee3f223ca3490349c8a9fd967c54c
SHA256 a907901dbc3b25cd2af4ece58a137f6105e9d779bebdc14f245d8b3622e063b7
SHA512 89960e0c47ab54a9e82050fc12ccfb852a632d9c85656e98ed5831dcc3f050c207ab4e3621cb1a4420a3553e050e1479dd9b5df16f065b6d00b4a8b723565256

C:\Windows\SysWOW64\Mlimccgg.exe

MD5 a3ce7af48a20fc58678261034e3011a2
SHA1 dec12e6248f2ecdaee920a7dc01a9de607d6fc22
SHA256 9bb8e04f65d02705f346ea80cd375f4a571f0a81d52d20b7a26cad7207c791b3
SHA512 5feb4949b38c6a52a5fcdb157f7271b95b506e73edb9c79d2d8145db48af224e7c5960c59fce3552c5f9183a509c89df8271f93170aef06212b495df63da4c26

C:\Windows\SysWOW64\Mhpnid32.exe

MD5 eccd1e426884415f25962bda6d0d61cc
SHA1 543564342a50ef6283a4611a04d413f6ca0dddc8
SHA256 2c48a72c8bc68ac1ccf4959a1d4efc7fe8417f03aab7016bce39435117198f2e
SHA512 1fd523bd907257a6de8c760d292024b4ea9b72ef87f8485e41756fe7ccf95f8e0b15f3b701e5f3322ec00d4825c69a1b8e26f87c0c6175a89d80f81fe0bedffe

C:\Windows\SysWOW64\Mamlmi32.exe

MD5 76f2913944e6aeb080d76e16e127d664
SHA1 2e347def3e07afb4c17e2629a4b7a9b277d82402
SHA256 397b3d50df60ad02c9cd437861b4c84649b26c51889d9c5ccd15a321111e8155
SHA512 d5dd80d47ee363cf806a85521d92145c2fa256bc74b54c9d4b8137d16884f2b1fb6fcc211db4a8eb15f1f376872ad956ea9186b0e4f116c8bfb970e705dccead

C:\Windows\SysWOW64\Mclhfl32.exe

MD5 2d8d2174f6a4f000deb98d10847613e3
SHA1 2ef08ff9c33c5a948722b366c83dc969e9e507b1
SHA256 7fe714420bdb8fd28b8d7026ece19732846dc06f6444e6509f4955f75f32939f
SHA512 914b9d42282337eaab18663d8bee5c86a95eca03a9852c60080ed7cf2d91b3718626920e7a5f994561570da940b6b35fb2c41c06f9b77ff909c9e0ae0a5d3122

C:\Windows\SysWOW64\Nlgiea32.exe

MD5 cf1f1afef15b2022d25f9548f508d101
SHA1 e35b3ab01e04ca7769b66aba758d51cfd9911cbb
SHA256 eeff2df1620d9256ab2e5a72608916b6db40a0c4d8ce9cb173ed2bbdd14aa2ea
SHA512 941b1ab91c581360bfda161d0f8e6617c673d93f19f68c065691745153c2dd78827f099b6778013da4db6c82faabfc1812a96e7c752bbf0ab1604908fd1dcc85

C:\Windows\SysWOW64\Oboaif32.exe

MD5 7710dbe12967fd8f6dd39ecdef46df2c
SHA1 de4e776024be7f32b3479c55a1a88b9e767c90b3
SHA256 d506a2d345f69a2cdb3e7ee1bed5cf079c2f3f4fc52be4b405c24b23e7c118b2
SHA512 5553564dd1916f3b5c115e705029f1e5f3b96a146644e3643892a175cbf3dd0493d30b615e2f4499078d000733205c88093bfb3c3f1d8ca2f269c4146c582b29

C:\Windows\SysWOW64\Qecpgo32.exe

MD5 40fa4b0e0975de74e9c6ee612ad514cd
SHA1 312dddc4a60490425828e6b959845d9cd8f08ac7
SHA256 f48c6df609348725026845d2017caad4f3f994f43a1748ad87cf864bb24a9f92
SHA512 11629307e077259f08c3607cb4a0ee3f30e4d7122e699cb7bb804bb643082577d703270d6f8dfff6102222a805e9dc7c47d2f0c55948f04ff757c94955586ce3

C:\Windows\SysWOW64\Apmnpg32.exe

MD5 41b46424485ccd74557c6d57582d9a8c
SHA1 4bfc534c559ef79e74227ed725506fd9a67488e0
SHA256 9db883d4fd7bde905d72d049443368589c7f6665a57f5491313281f405eb7b47
SHA512 a076dd15cae9ae16f2732e4bc29601aa74aa9a154a0366e0a873f7483cd9f990d58be83a756d9b054db224a2f884a4915db9c626cad2739b1c80e7e5b6449bef

C:\Windows\SysWOW64\Bcbmfdhl.exe

MD5 edcec53bc47ca6eaec2a322d142cdabd
SHA1 aeb942ee673b3ffccade0ba635c436d9f2283717
SHA256 cfcfa495a5499bbfef611f59282e7b5b4d99378e6f11cb1b5dc69b7a9578c047
SHA512 b1c35fa56fb2dfba640ed72b3baf18fce58b1d10107eeb072e40decaf0deb18425d13af44ef73e5afa338d5c5ddf033ba726fa35468a9d7694ccece96bdc46d9

C:\Windows\SysWOW64\Dmmglg32.exe

MD5 8953ee51dff05e6e166ef13a0ed98131
SHA1 6c526724fc513a3ba688886aaced6f90330bd11e
SHA256 581d2f4897dd65afc0806d212ed7dc6551f5c435674b65c077b69d9c9e926124
SHA512 6335eee0d7db2ecdf95c1211f4c2e7b29c4eafb66e52f9651695a4d3e22f9b6630a36c98d7f997f221cea7efae059e1261a9b9ebddee680fda41d6043a640b72

C:\Windows\SysWOW64\Eedklh32.exe

MD5 877a3da8cfa100ceb27d93e8f556a34e
SHA1 204861874a7536885981a96bb024fc93a0a874c6
SHA256 1b680c415f99dbd93b28ea02712ca19223a2ff43f2774db111f81d20d77dd4f9
SHA512 383689fcdc6ab2e1aa7c2a7b39ad87149d1216143a12b68f0014f4ae24f27f03bc555dbbfad29f415eaffa8a7e596a635537c601ed1150a6d1f7f93d49460a95

C:\Windows\SysWOW64\Edghoo32.exe

MD5 e7497dd1ee612550a216c51db6781d3f
SHA1 8720be2246b3b3d43055fbd15a10a0a4960c0311
SHA256 a1dcbc10d767294adb6bcf7aeb2ab1f56f036a32e9081cdc8dfd066910a5d6b4
SHA512 4806ec4a53eab0f35d3766d5c223cd98d19104023831aa9b78136e8d42cc297c932603017654f16ffeaac192f9e75fe882fad95953769007a4ae44da22dd1dda

C:\Windows\SysWOW64\Ecoafk32.exe

MD5 b3300d20dc4e0b79f759769a83365142
SHA1 e383611924611d7cf034ebaa77fcf3a03be1e93e
SHA256 10dcab17f6e6b2b9a437b3b8e8a1b0d2fc28313ccfa5b2bf9935dee4c6a7d726
SHA512 c2d3665251b3a4b6fb1ebd64eb20f945725f4205d7d16f48d7f08b39c53257b6da5f3849ce47e6a572fa1ae978d055675e8acf2b5f6369a04f32b6acc6c73df1

C:\Windows\SysWOW64\Fpcbop32.exe

MD5 f459ed4d99ac7e9a3a2b43859a597b7b
SHA1 2fdad54369527601ce893c0ac8a2313ec51d3d17
SHA256 4bbfa90a7869daa953b862dadcab05c02051461726ae1e367d7802710b54e8d4
SHA512 8bdd30949a08af3b8e601b9f3ceea397d9ec7e8476b47d0f3617de41845ede6eafe544226e4fd3e1edfb7a550c6282137e327aa42001e00c07443f62f9041280

C:\Windows\SysWOW64\Fgogai32.exe

MD5 ce412031d1b4a98a9ba03823e94bd347
SHA1 0784a6eaa69ca57ff5ba12f0df089a24516cf4a7
SHA256 0af549b05a8936383da3187a59df50a92e865daddb0e94dfacb2fa8320431557
SHA512 9bd3707e55458e1b6193c6c293ff61b734b9b93f7b1a5a7eae12ebdb5ae9ccf77b4c9830db1240438e543d254d9a32d0b992b9e82e492b68b1afaba050e0a7f3

C:\Windows\SysWOW64\Ffgqhe32.exe

MD5 976583cb687f98dbc8c54239880fc7a4
SHA1 8b7a4a4c2a54af5ad02bf1053fd5280ab91bb481
SHA256 0f6b96faf305160dca715a70094eab502a0cd2cd63c9b6266f8339c2cd1a77dd
SHA512 6df470ae6134c4590c206f2a63d80796bdbc62fedbb2a0fdd1b4a7c89ec2b673d9e77545760f891cee40e062ec964db8b4da8ca6dea56b87c8130bc9aaedfb01

memory/7880-1830-0x0000000000400000-0x0000000000468000-memory.dmp

memory/7708-1847-0x0000000000400000-0x0000000000468000-memory.dmp

memory/7448-1898-0x0000000000400000-0x0000000000468000-memory.dmp

memory/7332-1903-0x0000000000400000-0x0000000000468000-memory.dmp

memory/7144-1925-0x0000000000400000-0x0000000000468000-memory.dmp

memory/6664-1968-0x0000000000400000-0x0000000000468000-memory.dmp

memory/6868-1993-0x0000000000400000-0x0000000000468000-memory.dmp

memory/5516-2139-0x0000000000400000-0x0000000000468000-memory.dmp

memory/936-2168-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3304-2289-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4408-2306-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2716-2335-0x0000000000400000-0x0000000000468000-memory.dmp