Malware Analysis Report

2025-01-23 05:10

Sample ID: 240521-x3m36sfg38
Target: 05efea1b575f07acf54d2325ca017e4572c66bd15b2d17bf79d6bc26b8585d93.exe
SHA256: 05efea1b575f07acf54d2325ca017e4572c66bd15b2d17bf79d6bc26b8585d93
Tags: backdoor trojan dropper berbew persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 05efea1b575f07acf54d2325ca017e4572c66bd15b2d17bf79d6bc26b8585d93
Threat Level: Known bad

The file 05efea1b575f07acf54d2325ca017e4572c66bd15b2d17bf79d6bc26b8585d93.exe was found to be: Known bad.

Malicious Activity Summary

Tags: backdoor trojan dropper berbew persistence

Malware Dropper & Backdoor - Berbew
Adds autorun key to be loaded by Explorer.exe on startup
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory

Reading the behavioral1 tables together: the submitted sample and the executables it drops create a value named "Web Event Logger" under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad whose data is the CLSID {79FAA099-1BAE-816E-D711-115290CEE717}, then register that CLSID under HKLM\SOFTWARE\Classes\Wow6432Node\CLSID with InProcServer32 pointing at a DLL they have just written to C:\Windows\SysWOW64 (Dbdijd32.dll, Mocaac32.dll, Oadqjk32.dll and others) and ThreadingModel = "Apartment". The shell loads every CLSID listed under ShellServiceObjectDelayLoad when explorer.exe starts, so the DLL runs inside Explorer at each logon; that is the behaviour the "Adds autorun key to be loaded by Explorer.exe on startup" signature names. Each dropped executable writes the next executable and DLL pair into SysWOW64 and re-points the CLSID at its own DLL, so a clean-up has to remove the SSODL value, the CLSID key and every DLL the CLSID was ever pointed at, not only the last one. One stage (Iagfoe32.exe) crashed and was handled by WerFault.exe.

One caveat for 64-bit hosts: the sample is 32-bit and WOW64 redirected these writes to the Wow6432Node view, which the 64-bit explorer.exe does not read (and it could not load a 32-bit in-process COM server in any case), so on the 64-bit Windows 7 image used here the entry most likely never fires; on 32-bit Windows the same writes land in the native key and take effect. Hunting should check both the native and the Wow6432Node ShellServiceObjectDelayLoad keys.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-21 19:22

Signatures

Berbew family
Tags: berbew

Malware Dropper & Backdoor - Berbew
Tags: backdoor trojan dropper
Description, Indicator, Process, Target: all N/A

Unsigned PE
Description, Indicator, Process, Target: all N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-21 19:22
Reported: 2024-05-21 19:25
Platform: win7-20231129-en
Max time kernel: 122s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05efea1b575f07acf54d2325ca017e4572c66bd15b2d17bf79d6bc26b8585d93.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

Tags: persistence
Target is N/A for every row. The 64 rows are grouped by indicator below; processes are in C:\Windows\SysWOW64 unless a full path is given.

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"
Processes (27): Fhffaj32.exe, Hhjhkq32.exe, Fbgmbg32.exe, Hkkalk32.exe, Hnojdcfi.exe, Cbnbobin.exe, Egamfkdh.exe, Fmcoja32.exe, Geolea32.exe, Hgbebiao.exe, Eijcpoac.exe, Amejeljk.exe, Claifkkf.exe, Djnpnc32.exe, Ffpmnf32.exe, Gicbeald.exe, Cjbmjplb.exe, Epaogi32.exe, Fmekoalh.exe, Chhjkl32.exe, Fjgoce32.exe, Ddagfm32.exe, Fhkpmjln.exe, Ekholjqg.exe, Bhcdaibd.exe, Dnlidb32.exe, Dmafennb.exe

Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Processes (37): C:\Users\Admin\AppData\Local\Temp\05efea1b575f07acf54d2325ca017e4572c66bd15b2d17bf79d6bc26b8585d93.exe, Ffpmnf32.exe, Amejeljk.exe, Hcifgjgc.exe, Eqonkmdh.exe, Hcnpbi32.exe, Idceea32.exe, Cjbmjplb.exe, Gieojq32.exe, Dmafennb.exe, Epieghdk.exe, Eiaiqn32.exe, Hdhbam32.exe, Cgmkmecg.exe, Fjdbnf32.exe, Ihoafpmp.exe, Ailkjmpo.exe, Ddcdkl32.exe, Flmefm32.exe, Adeplhib.exe, Djnpnc32.exe, Ghhofmql.exe, Facdeo32.exe, Hhjhkq32.exe, Chhjkl32.exe, Fhkpmjln.exe, Iknnbklc.exe, Qhooggdn.exe, Bpfcgg32.exe, Dgodbh32.exe, Dgaqgh32.exe, Ejbfhfaj.exe, Faagpp32.exe, Fdapak32.exe, Fhffaj32.exe, Hnojdcfi.exe, Hggomh32.exe

Malware Dropper & Backdoor - Berbew

Tags: backdoor trojan dropper
64 matching rows, with Description, Indicator, Process and Target all N/A.

Executes dropped EXE

Description, Indicator and Target are N/A for every row. Process column (64 rows, in the order the sandbox recorded them):
C:\Windows\SysWOW64\Qhooggdn.exe
C:\Windows\SysWOW64\Adeplhib.exe
C:\Windows\SysWOW64\Aplpai32.exe
C:\Windows\SysWOW64\Ampqjm32.exe
C:\Windows\SysWOW64\Apajlhka.exe
C:\Windows\SysWOW64\Amejeljk.exe
C:\Windows\SysWOW64\Ailkjmpo.exe
C:\Windows\SysWOW64\Bpfcgg32.exe
C:\Windows\SysWOW64\Bhcdaibd.exe
C:\Windows\SysWOW64\Begeknan.exe
C:\Windows\SysWOW64\Bnbjopoi.exe
C:\Windows\SysWOW64\Bdlblj32.exe
C:\Windows\SysWOW64\Cgmkmecg.exe
C:\Windows\SysWOW64\Cngcjo32.exe
C:\Windows\SysWOW64\Ccfhhffh.exe
C:\Windows\SysWOW64\Chcqpmep.exe
C:\Windows\SysWOW64\Cjbmjplb.exe
C:\Windows\SysWOW64\Claifkkf.exe
C:\Windows\SysWOW64\Cbnbobin.exe
C:\Windows\SysWOW64\Chhjkl32.exe
C:\Windows\SysWOW64\Dhjgal32.exe
C:\Windows\SysWOW64\Dodonf32.exe
C:\Windows\SysWOW64\Ddagfm32.exe
C:\Windows\SysWOW64\Dgodbh32.exe
C:\Windows\SysWOW64\Djnpnc32.exe
C:\Windows\SysWOW64\Ddcdkl32.exe
C:\Windows\SysWOW64\Dgaqgh32.exe
C:\Windows\SysWOW64\Dnlidb32.exe
C:\Windows\SysWOW64\Dmoipopd.exe
C:\Windows\SysWOW64\Djbiicon.exe
C:\Windows\SysWOW64\Dmafennb.exe
C:\Windows\SysWOW64\Djefobmk.exe
C:\Windows\SysWOW64\Eihfjo32.exe
C:\Windows\SysWOW64\Eqonkmdh.exe
C:\Windows\SysWOW64\Epaogi32.exe
C:\Windows\SysWOW64\Ebpkce32.exe
C:\Windows\SysWOW64\Eijcpoac.exe
C:\Windows\SysWOW64\Ekholjqg.exe
C:\Windows\SysWOW64\Efppoc32.exe
C:\Windows\SysWOW64\Eecqjpee.exe
C:\Windows\SysWOW64\Egamfkdh.exe
C:\Windows\SysWOW64\Epieghdk.exe
C:\Windows\SysWOW64\Ebgacddo.exe
C:\Windows\SysWOW64\Eiaiqn32.exe
C:\Windows\SysWOW64\Eloemi32.exe
C:\Windows\SysWOW64\Ejbfhfaj.exe
C:\Windows\SysWOW64\Fehjeo32.exe
C:\Windows\SysWOW64\Fhffaj32.exe
C:\Windows\SysWOW64\Fjdbnf32.exe
C:\Windows\SysWOW64\Fnpnndgp.exe
C:\Windows\SysWOW64\Fmcoja32.exe
C:\Windows\SysWOW64\Fejgko32.exe
C:\Windows\SysWOW64\Fhhcgj32.exe
C:\Windows\SysWOW64\Fjgoce32.exe
C:\Windows\SysWOW64\Fmekoalh.exe
C:\Windows\SysWOW64\Faagpp32.exe
C:\Windows\SysWOW64\Fhkpmjln.exe
C:\Windows\SysWOW64\Ffnphf32.exe
C:\Windows\SysWOW64\Filldb32.exe
C:\Windows\SysWOW64\Facdeo32.exe
C:\Windows\SysWOW64\Fdapak32.exe
C:\Windows\SysWOW64\Ffpmnf32.exe
C:\Windows\SysWOW64\Fjlhneio.exe
C:\Windows\SysWOW64\Fmjejphb.exe

Loads dropped DLL

Description, Indicator and Target are N/A for every row. Each process below appears twice in the report (two load events, 64 rows in total); listed once here:
C:\Users\Admin\AppData\Local\Temp\05efea1b575f07acf54d2325ca017e4572c66bd15b2d17bf79d6bc26b8585d93.exe
C:\Windows\SysWOW64\Qhooggdn.exe
C:\Windows\SysWOW64\Adeplhib.exe
C:\Windows\SysWOW64\Aplpai32.exe
C:\Windows\SysWOW64\Ampqjm32.exe
C:\Windows\SysWOW64\Apajlhka.exe
C:\Windows\SysWOW64\Amejeljk.exe
C:\Windows\SysWOW64\Ailkjmpo.exe
C:\Windows\SysWOW64\Bpfcgg32.exe
C:\Windows\SysWOW64\Bhcdaibd.exe
C:\Windows\SysWOW64\Begeknan.exe
C:\Windows\SysWOW64\Bnbjopoi.exe
C:\Windows\SysWOW64\Bdlblj32.exe
C:\Windows\SysWOW64\Cgmkmecg.exe
C:\Windows\SysWOW64\Cngcjo32.exe
C:\Windows\SysWOW64\Ccfhhffh.exe
C:\Windows\SysWOW64\Chcqpmep.exe
C:\Windows\SysWOW64\Cjbmjplb.exe
C:\Windows\SysWOW64\Claifkkf.exe
C:\Windows\SysWOW64\Cbnbobin.exe
C:\Windows\SysWOW64\Chhjkl32.exe
C:\Windows\SysWOW64\Dhjgal32.exe
C:\Windows\SysWOW64\Dodonf32.exe
C:\Windows\SysWOW64\Ddagfm32.exe
C:\Windows\SysWOW64\Dgodbh32.exe
C:\Windows\SysWOW64\Djnpnc32.exe
C:\Windows\SysWOW64\Ddcdkl32.exe
C:\Windows\SysWOW64\Dgaqgh32.exe
C:\Windows\SysWOW64\Dnlidb32.exe
C:\Windows\SysWOW64\Dmoipopd.exe
C:\Windows\SysWOW64\Djbiicon.exe
C:\Windows\SysWOW64\Dmafennb.exe

Drops file in System32 directory

Target is N/A for every row. All files and processes are in C:\Windows\SysWOW64; 64 rows.
Description | Indicator (file) | Process
File created | Chhpdp32.dll | Ghhofmql.exe
File created | Gmjaic32.exe | Gogangdc.exe
File opened for modification | Ebgacddo.exe | Epieghdk.exe
File created | Gadkgl32.dll | Fehjeo32.exe
File opened for modification | Ffnphf32.exe | Fhkpmjln.exe
File opened for modification | Ekholjqg.exe | Eijcpoac.exe
File opened for modification | Cngcjo32.exe | Cgmkmecg.exe
File created | Cbnbobin.exe | Claifkkf.exe
File created | Dmafennb.exe | Djbiicon.exe
File created | Khejeajg.dll | Hlcgeo32.exe
File created | Ampqjm32.exe | Aplpai32.exe
File created | Lpdhmlbj.dll | Egamfkdh.exe
File created | Fmcoja32.exe | Fnpnndgp.exe
File opened for modification | Adeplhib.exe | Qhooggdn.exe
File created | Jjcpjl32.dll | Gmjaic32.exe
File created | Ekholjqg.exe | Eijcpoac.exe
File created | Lgahch32.dll | Fmekoalh.exe
File created | Ejdmpb32.dll | Hacmcfge.exe
File created | Iagfoe32.exe | Iknnbklc.exe
File created | Apajlhka.exe | Ampqjm32.exe
File opened for modification | Egamfkdh.exe | Eecqjpee.exe
File opened for modification | Fjgoce32.exe | Fhhcgj32.exe
File created | Hnojdcfi.exe | Hkpnhgge.exe
File opened for modification | Hdhbam32.exe | Hnojdcfi.exe
File created | Accikb32.dll | Bdlblj32.exe
File created | Egamfkdh.exe | Eecqjpee.exe
File created | Fjdbnf32.exe | Fhffaj32.exe
File opened for modification | Fhhcgj32.exe | Fejgko32.exe
File created | Ghfbqn32.exe | Gicbeald.exe
File created | Iknnbklc.exe | Ihoafpmp.exe
File created | Bnpmlfkm.dll | Eecqjpee.exe
File created | Ambcae32.dll | Eloemi32.exe
File opened for modification | Fmekoalh.exe | Fjgoce32.exe
File created | Nopodm32.dll | Facdeo32.exe
File created | Ahpjhc32.dll | Gieojq32.exe
File created | Aplpai32.exe | Adeplhib.exe
File created | Aifone32.dll | Ailkjmpo.exe
File created | Efppoc32.exe | Ekholjqg.exe
File created | Pqiqnfej.dll | Icbimi32.exe
File created | Fnpnndgp.exe | Fjdbnf32.exe
File created | Jmloladn.dll | Fjdbnf32.exe
File opened for modification | Facdeo32.exe | Filldb32.exe
File created | Oadqjk32.dll | Dgodbh32.exe
File created | Epaogi32.exe | Eqonkmdh.exe
File created | Ebpkce32.exe | Epaogi32.exe
File created | Ffpmnf32.exe | Fdapak32.exe
File created | Hhjhkq32.exe | Hellne32.exe
File created | Fncann32.dll | Ddagfm32.exe
File created | Dmoipopd.exe | Dnlidb32.exe
File created | Cfeoofge.dll | Eihfjo32.exe
File created | Liqebf32.dll | Hhjhkq32.exe
File created | Maomqp32.dll | Chcqpmep.exe
File created | Bfekgp32.dll | Flmefm32.exe
File created | Hdhbam32.exe | Hnojdcfi.exe
File opened for modification | Faagpp32.exe | Fmekoalh.exe
File created | Hcifgjgc.exe | Hpkjko32.exe
File created | Hkpnhgge.exe | Hcifgjgc.exe
File opened for modification | Ihoafpmp.exe | Idceea32.exe
File created | Ailkjmpo.exe | Amejeljk.exe
File created | Claifkkf.exe | Cjbmjplb.exe
File opened for modification | Fjdbnf32.exe | Fhffaj32.exe
File created | Gbolehjh.dll | Ekholjqg.exe
File created | Ongbcmlc.dll | Fjgoce32.exe
File created | Hlcgeo32.exe | Hggomh32.exe
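The "Executes dropped EXE" and "Drops file in System32 directory" tables above describe a relay: each dropped executable writes the next executable plus a DLL into SysWOW64, and the next stage does the same. The Python below is an added example, not part of this report or of the sandbox's tooling; it parses rows in the report's own row layout, rebuilds the drop graph, walks the exe-to-exe chains and lists the DLLs each stage wrote. The sample rows are a constructed subset of the table above, and all function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed subset of the "Drops file in System32 directory" rows above, in the
# report's own row layout (Description, Indicator, Process, Target). Not the full table.
SAMPLE_DROPS = [
    r'File opened for modification C:\Windows\SysWOW64\Adeplhib.exe C:\Windows\SysWOW64\Qhooggdn.exe N/A',
    r'File created C:\Windows\SysWOW64\Aplpai32.exe C:\Windows\SysWOW64\Adeplhib.exe N/A',
    r'File created C:\Windows\SysWOW64\Ampqjm32.exe C:\Windows\SysWOW64\Aplpai32.exe N/A',
    r'File created C:\Windows\SysWOW64\Apajlhka.exe C:\Windows\SysWOW64\Ampqjm32.exe N/A',
    r'File created C:\Windows\SysWOW64\Ailkjmpo.exe C:\Windows\SysWOW64\Amejeljk.exe N/A',
    r'File created C:\Windows\SysWOW64\Aifone32.dll C:\Windows\SysWOW64\Ailkjmpo.exe N/A',
    r'File created C:\Windows\SysWOW64\Accikb32.dll C:\Windows\SysWOW64\Bdlblj32.exe N/A',
    r'File created C:\Windows\SysWOW64\Egamfkdh.exe C:\Windows\SysWOW64\Eecqjpee.exe N/A',
    r'File opened for modification C:\Windows\SysWOW64\Egamfkdh.exe C:\Windows\SysWOW64\Eecqjpee.exe N/A',
    r'File created C:\Windows\SysWOW64\Bnpmlfkm.dll C:\Windows\SysWOW64\Eecqjpee.exe N/A',
]

ROW_RE = re.compile(
    r'^File (?P<action>created|opened for modification) (?P<file>\S+) (?P<proc>\S+) (?P<target>\S+)$')


def basename(path):
    return path.rsplit('\\', 1)[-1]


def build_drop_graph(rows):
    """edges[dropper] -> set of files it wrote, both keyed by basename.
    A 'created' and an 'opened for modification' row for the same file and
    process count as one drop (the sandbox logs the create and the write)."""
    edges = defaultdict(set)
    for line in rows:
        m = ROW_RE.match(line)
        if m:
            edges[basename(m['proc'])].add(basename(m['file']))
    return edges


def exe_chains(edges):
    """Follow exe -> exe drops from every dropper that nothing else dropped
    (a chain root). Returns chains as lists of basenames, longest first."""
    dropped = {f for files in edges.values() for f in files}
    chains = []
    for root in [p for p in edges if p not in dropped]:
        chain, cur, seen = [root], root, {root}
        while True:
            nxt = sorted(f for f in edges.get(cur, ())
                         if f.lower().endswith('.exe') and f not in seen)
            if not nxt:
                break
            cur = nxt[0]
            seen.add(cur)
            chain.append(cur)
        chains.append(chain)
    return sorted(chains, key=len, reverse=True)


def dll_drops(edges):
    """DLLs written per stage. In the report these are the files the CLSID's
    InProcServer32 value is re-pointed at (Oadqjk32.dll by Dgodbh32.exe, for one)."""
    out = {}
    for proc, files in edges.items():
        dlls = sorted(f for f in files if f.lower().endswith('.dll'))
        if dlls:
            out[proc] = dlls
    return out


if __name__ == '__main__':
    graph = build_drop_graph(SAMPLE_DROPS)
    for chain in exe_chains(graph):
        print(' -> '.join(chain))
    for proc, dlls in dll_drops(graph).items():
        print(proc, 'wrote', ', '.join(dlls))
```

Fed the full table, the roots it reports are the stages whose dropper fell outside the 64 rows the report kept, so a root that is not the submitted sample is a sign the table is truncated rather than that a new chain started. Every basename in both the exe and the DLL columns is a file to collect from SysWOW64 before it is deleted.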

Program crash

Description and Indicator are N/A.
Process: C:\Windows\SysWOW64\WerFault.exe
Target: C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Target is N/A for every row. All 43 rows are under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} and are grouped by indicator below; processes are in C:\Windows\SysWOW64 unless a full path is given. DLL values are shown as the sandbox printed them, with backslashes doubled.

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}
Processes (1): C:\Users\Admin\AppData\Local\Temp\05efea1b575f07acf54d2325ca017e4572c66bd15b2d17bf79d6bc26b8585d93.exe

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32
Processes (14): Eiaiqn32.exe, Hnojdcfi.exe, Dnlidb32.exe, Hhjhkq32.exe, Epaogi32.exe, Eecqjpee.exe, Fjgoce32.exe, Apajlhka.exe, Epieghdk.exe, Gpmjak32.exe, Hknach32.exe, Bpfcgg32.exe, Fhkpmjln.exe, Eijcpoac.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"
Processes (15): C:\Users\Admin\AppData\Local\Temp\05efea1b575f07acf54d2325ca017e4572c66bd15b2d17bf79d6bc26b8585d93.exe, Epaogi32.exe, Gobgcg32.exe, Fmekoalh.exe, Fhkpmjln.exe, Cgmkmecg.exe, Hpkjko32.exe, Hdhbam32.exe, Fehjeo32.exe, Ddagfm32.exe, Ekholjqg.exe, Hkkalk32.exe, Adeplhib.exe, Ddcdkl32.exe, Fhhcgj32.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ (default) = DLL path, one row per process (13):
Process | InProcServer32 default value
Begeknan.exe | "C:\\Windows\\SysWow64\\Mocaac32.dll"
Dgodbh32.exe | "C:\\Windows\\SysWow64\\Oadqjk32.dll"
Eihfjo32.exe | "C:\\Windows\\SysWow64\\Cfeoofge.dll"
Hnojdcfi.exe | "C:\\Windows\\SysWow64\\Ndabhn32.dll"
Bnbjopoi.exe | "C:\\Windows\\SysWow64\\Deokcq32.dll"
Eijcpoac.exe | "C:\\Windows\\SysWow64\\Kcfdakpf.dll"
Gkihhhnm.exe | "C:\\Windows\\SysWow64\\Febhomkh.dll"
Faagpp32.exe | "C:\\Windows\\SysWow64\\Ikkbnm32.dll"
Ghmiam32.exe | "C:\\Windows\\SysWow64\\Hllopfgo.dll"
Fjlhneio.exe | "C:\\Windows\\SysWow64\\Cakqnc32.dll"
Gpknlk32.exe | "C:\\Windows\\SysWow64\\Lnnhje32.dll"
C:\Users\Admin\AppData\Local\Temp\05efea1b575f07acf54d2325ca017e4572c66bd15b2d17bf79d6bc26b8585d93.exe | "C:\\Windows\\SysWow64\\Dbdijd32.dll"
Djnpnc32.exe | "C:\\Windows\\SysWow64\\Anapbp32.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dmoipopd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbqda.dll" C:\Windows\SysWOW64\Djbiicon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djefobmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll" C:\Windows\SysWOW64\Gogangdc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Chcqpmep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmcfdad.dll" C:\Windows\SysWOW64\Dmafennb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eihfjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkamkfgh.dll" C:\Windows\SysWOW64\Filldb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gogangdc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Idceea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accikb32.dll" C:\Windows\SysWOW64\Bdlblj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbjlbfp.dll" C:\Windows\SysWOW64\Eiaiqn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" C:\Windows\SysWOW64\Fhffaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhfjo32.dll" C:\Windows\SysWOW64\Ghfbqn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ghmiam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll" C:\Windows\SysWOW64\Hgbebiao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qhooggdn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Adeplhib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djnpnc32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\05efea1b575f07acf54d2325ca017e4572c66bd15b2d17bf79d6bc26b8585d93.exe C:\Windows\SysWOW64\Qhooggdn.exe
PID 1152 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Qhooggdn.exe C:\Windows\SysWOW64\Adeplhib.exe
PID 2764 wrote to memory of 2540 N/A C:\Windows\SysWOW64\Adeplhib.exe C:\Windows\SysWOW64\Aplpai32.exe
PID 2540 wrote to memory of 2628 N/A C:\Windows\SysWOW64\Aplpai32.exe C:\Windows\SysWOW64\Ampqjm32.exe
PID 2628 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Ampqjm32.exe C:\Windows\SysWOW64\Apajlhka.exe
PID 2776 wrote to memory of 2316 N/A C:\Windows\SysWOW64\Apajlhka.exe C:\Windows\SysWOW64\Amejeljk.exe
PID 2316 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Amejeljk.exe C:\Windows\SysWOW64\Ailkjmpo.exe
PID 2464 wrote to memory of 2996 N/A C:\Windows\SysWOW64\Ailkjmpo.exe C:\Windows\SysWOW64\Bpfcgg32.exe
PID 2996 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Bpfcgg32.exe C:\Windows\SysWOW64\Bhcdaibd.exe
PID 2188 wrote to memory of 1728 N/A C:\Windows\SysWOW64\Bhcdaibd.exe C:\Windows\SysWOW64\Begeknan.exe
PID 1728 wrote to memory of 1612 N/A C:\Windows\SysWOW64\Begeknan.exe C:\Windows\SysWOW64\Bnbjopoi.exe
PID 1612 wrote to memory of 1364 N/A C:\Windows\SysWOW64\Bnbjopoi.exe C:\Windows\SysWOW64\Bdlblj32.exe
PID 1364 wrote to memory of 1796 N/A C:\Windows\SysWOW64\Bdlblj32.exe C:\Windows\SysWOW64\Cgmkmecg.exe
PID 1796 wrote to memory of 1080 N/A C:\Windows\SysWOW64\Cgmkmecg.exe C:\Windows\SysWOW64\Cngcjo32.exe
PID 1080 wrote to memory of 1296 N/A C:\Windows\SysWOW64\Cngcjo32.exe C:\Windows\SysWOW64\Ccfhhffh.exe
PID 1296 wrote to memory of 1320 N/A C:\Windows\SysWOW64\Ccfhhffh.exe C:\Windows\SysWOW64\Chcqpmep.exe

Processes

C:\Users\Admin\AppData\Local\Temp\05efea1b575f07acf54d2325ca017e4572c66bd15b2d17bf79d6bc26b8585d93.exe

"C:\Users\Admin\AppData\Local\Temp\05efea1b575f07acf54d2325ca017e4572c66bd15b2d17bf79d6bc26b8585d93.exe"

C:\Windows\SysWOW64\Qhooggdn.exe

C:\Windows\system32\Qhooggdn.exe

C:\Windows\SysWOW64\Adeplhib.exe

C:\Windows\system32\Adeplhib.exe

C:\Windows\SysWOW64\Aplpai32.exe

C:\Windows\system32\Aplpai32.exe

C:\Windows\SysWOW64\Ampqjm32.exe

C:\Windows\system32\Ampqjm32.exe

C:\Windows\SysWOW64\Apajlhka.exe

C:\Windows\system32\Apajlhka.exe

C:\Windows\SysWOW64\Amejeljk.exe

C:\Windows\system32\Amejeljk.exe

C:\Windows\SysWOW64\Ailkjmpo.exe

C:\Windows\system32\Ailkjmpo.exe

C:\Windows\SysWOW64\Bpfcgg32.exe

C:\Windows\system32\Bpfcgg32.exe

C:\Windows\SysWOW64\Bhcdaibd.exe

C:\Windows\system32\Bhcdaibd.exe

C:\Windows\SysWOW64\Begeknan.exe

C:\Windows\system32\Begeknan.exe

C:\Windows\SysWOW64\Bnbjopoi.exe

C:\Windows\system32\Bnbjopoi.exe

C:\Windows\SysWOW64\Bdlblj32.exe

C:\Windows\system32\Bdlblj32.exe

C:\Windows\SysWOW64\Cgmkmecg.exe

C:\Windows\system32\Cgmkmecg.exe

C:\Windows\SysWOW64\Cngcjo32.exe

C:\Windows\system32\Cngcjo32.exe

C:\Windows\SysWOW64\Ccfhhffh.exe

C:\Windows\system32\Ccfhhffh.exe

C:\Windows\SysWOW64\Chcqpmep.exe

C:\Windows\system32\Chcqpmep.exe

C:\Windows\SysWOW64\Cjbmjplb.exe

C:\Windows\system32\Cjbmjplb.exe

C:\Windows\SysWOW64\Claifkkf.exe

C:\Windows\system32\Claifkkf.exe

C:\Windows\SysWOW64\Cbnbobin.exe

C:\Windows\system32\Cbnbobin.exe

C:\Windows\SysWOW64\Chhjkl32.exe

C:\Windows\system32\Chhjkl32.exe

C:\Windows\SysWOW64\Dhjgal32.exe

C:\Windows\system32\Dhjgal32.exe

C:\Windows\SysWOW64\Dodonf32.exe

C:\Windows\system32\Dodonf32.exe

C:\Windows\SysWOW64\Ddagfm32.exe

C:\Windows\system32\Ddagfm32.exe

C:\Windows\SysWOW64\Dgodbh32.exe

C:\Windows\system32\Dgodbh32.exe

C:\Windows\SysWOW64\Djnpnc32.exe

C:\Windows\system32\Djnpnc32.exe

C:\Windows\SysWOW64\Ddcdkl32.exe

C:\Windows\system32\Ddcdkl32.exe

C:\Windows\SysWOW64\Dgaqgh32.exe

C:\Windows\system32\Dgaqgh32.exe

C:\Windows\SysWOW64\Dnlidb32.exe

C:\Windows\system32\Dnlidb32.exe

C:\Windows\SysWOW64\Dmoipopd.exe

C:\Windows\system32\Dmoipopd.exe

C:\Windows\SysWOW64\Djbiicon.exe

C:\Windows\system32\Djbiicon.exe

C:\Windows\SysWOW64\Dmafennb.exe

C:\Windows\system32\Dmafennb.exe

C:\Windows\SysWOW64\Djefobmk.exe

C:\Windows\system32\Djefobmk.exe

C:\Windows\SysWOW64\Eihfjo32.exe

C:\Windows\system32\Eihfjo32.exe

C:\Windows\SysWOW64\Eqonkmdh.exe

C:\Windows\system32\Eqonkmdh.exe

C:\Windows\SysWOW64\Epaogi32.exe

C:\Windows\system32\Epaogi32.exe

C:\Windows\SysWOW64\Ebpkce32.exe

C:\Windows\system32\Ebpkce32.exe

C:\Windows\SysWOW64\Eijcpoac.exe

C:\Windows\system32\Eijcpoac.exe

C:\Windows\SysWOW64\Ekholjqg.exe

C:\Windows\system32\Ekholjqg.exe

C:\Windows\SysWOW64\Efppoc32.exe

C:\Windows\system32\Efppoc32.exe

C:\Windows\SysWOW64\Eecqjpee.exe

C:\Windows\system32\Eecqjpee.exe

C:\Windows\SysWOW64\Egamfkdh.exe

C:\Windows\system32\Egamfkdh.exe

C:\Windows\SysWOW64\Epieghdk.exe

C:\Windows\system32\Epieghdk.exe

C:\Windows\SysWOW64\Ebgacddo.exe

C:\Windows\system32\Ebgacddo.exe

C:\Windows\SysWOW64\Eiaiqn32.exe

C:\Windows\system32\Eiaiqn32.exe

C:\Windows\SysWOW64\Eloemi32.exe

C:\Windows\system32\Eloemi32.exe

C:\Windows\SysWOW64\Ejbfhfaj.exe

C:\Windows\system32\Ejbfhfaj.exe

C:\Windows\SysWOW64\Fehjeo32.exe

C:\Windows\system32\Fehjeo32.exe

C:\Windows\SysWOW64\Fhffaj32.exe

C:\Windows\system32\Fhffaj32.exe

C:\Windows\SysWOW64\Fjdbnf32.exe

C:\Windows\system32\Fjdbnf32.exe

C:\Windows\SysWOW64\Fnpnndgp.exe

C:\Windows\system32\Fnpnndgp.exe

C:\Windows\SysWOW64\Fmcoja32.exe

C:\Windows\system32\Fmcoja32.exe

C:\Windows\SysWOW64\Fejgko32.exe

C:\Windows\system32\Fejgko32.exe

C:\Windows\SysWOW64\Fhhcgj32.exe

C:\Windows\system32\Fhhcgj32.exe

C:\Windows\SysWOW64\Fjgoce32.exe

C:\Windows\system32\Fjgoce32.exe

C:\Windows\SysWOW64\Fmekoalh.exe

C:\Windows\system32\Fmekoalh.exe

C:\Windows\SysWOW64\Faagpp32.exe

C:\Windows\system32\Faagpp32.exe

C:\Windows\SysWOW64\Fhkpmjln.exe

C:\Windows\system32\Fhkpmjln.exe

C:\Windows\SysWOW64\Ffnphf32.exe

C:\Windows\system32\Ffnphf32.exe

C:\Windows\SysWOW64\Filldb32.exe

C:\Windows\system32\Filldb32.exe

C:\Windows\SysWOW64\Facdeo32.exe

C:\Windows\system32\Facdeo32.exe

C:\Windows\SysWOW64\Fdapak32.exe

C:\Windows\system32\Fdapak32.exe

C:\Windows\SysWOW64\Ffpmnf32.exe

C:\Windows\system32\Ffpmnf32.exe

C:\Windows\SysWOW64\Fjlhneio.exe

C:\Windows\system32\Fjlhneio.exe

C:\Windows\SysWOW64\Fmjejphb.exe

C:\Windows\system32\Fmjejphb.exe

C:\Windows\SysWOW64\Flmefm32.exe

C:\Windows\system32\Flmefm32.exe

C:\Windows\SysWOW64\Fbgmbg32.exe

C:\Windows\system32\Fbgmbg32.exe

C:\Windows\SysWOW64\Ffbicfoc.exe

C:\Windows\system32\Ffbicfoc.exe

C:\Windows\SysWOW64\Fiaeoang.exe

C:\Windows\system32\Fiaeoang.exe

C:\Windows\SysWOW64\Gpknlk32.exe

C:\Windows\system32\Gpknlk32.exe

C:\Windows\SysWOW64\Gbijhg32.exe

C:\Windows\system32\Gbijhg32.exe

C:\Windows\SysWOW64\Gicbeald.exe

C:\Windows\system32\Gicbeald.exe

C:\Windows\SysWOW64\Ghfbqn32.exe

C:\Windows\system32\Ghfbqn32.exe

C:\Windows\SysWOW64\Gpmjak32.exe

C:\Windows\system32\Gpmjak32.exe

C:\Windows\SysWOW64\Gangic32.exe

C:\Windows\system32\Gangic32.exe

C:\Windows\SysWOW64\Gieojq32.exe

C:\Windows\system32\Gieojq32.exe

C:\Windows\SysWOW64\Ghhofmql.exe

C:\Windows\system32\Ghhofmql.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gaqcoc32.exe

C:\Windows\system32\Gaqcoc32.exe

C:\Windows\SysWOW64\Gdopkn32.exe

C:\Windows\system32\Gdopkn32.exe

C:\Windows\SysWOW64\Gkihhhnm.exe

C:\Windows\system32\Gkihhhnm.exe

C:\Windows\SysWOW64\Gmgdddmq.exe

C:\Windows\system32\Gmgdddmq.exe

C:\Windows\SysWOW64\Geolea32.exe

C:\Windows\system32\Geolea32.exe

C:\Windows\SysWOW64\Ghmiam32.exe

C:\Windows\system32\Ghmiam32.exe

C:\Windows\SysWOW64\Gogangdc.exe

C:\Windows\system32\Gogangdc.exe

C:\Windows\SysWOW64\Gmjaic32.exe

C:\Windows\system32\Gmjaic32.exe

C:\Windows\SysWOW64\Hgbebiao.exe

C:\Windows\system32\Hgbebiao.exe

C:\Windows\SysWOW64\Hknach32.exe

C:\Windows\system32\Hknach32.exe

C:\Windows\SysWOW64\Hpkjko32.exe

C:\Windows\system32\Hpkjko32.exe

C:\Windows\SysWOW64\Hcifgjgc.exe

C:\Windows\system32\Hcifgjgc.exe

C:\Windows\SysWOW64\Hkpnhgge.exe

C:\Windows\system32\Hkpnhgge.exe

C:\Windows\SysWOW64\Hnojdcfi.exe

C:\Windows\system32\Hnojdcfi.exe

C:\Windows\SysWOW64\Hdhbam32.exe

C:\Windows\system32\Hdhbam32.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hlcgeo32.exe

C:\Windows\system32\Hlcgeo32.exe

C:\Windows\SysWOW64\Hcnpbi32.exe

C:\Windows\system32\Hcnpbi32.exe

C:\Windows\SysWOW64\Hellne32.exe

C:\Windows\system32\Hellne32.exe

C:\Windows\SysWOW64\Hhjhkq32.exe

C:\Windows\system32\Hhjhkq32.exe

C:\Windows\SysWOW64\Hodpgjha.exe

C:\Windows\system32\Hodpgjha.exe

C:\Windows\SysWOW64\Hacmcfge.exe

C:\Windows\system32\Hacmcfge.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Icbimi32.exe

C:\Windows\system32\Icbimi32.exe

C:\Windows\SysWOW64\Idceea32.exe

C:\Windows\system32\Idceea32.exe

C:\Windows\SysWOW64\Ihoafpmp.exe

C:\Windows\system32\Ihoafpmp.exe

C:\Windows\SysWOW64\Iknnbklc.exe

C:\Windows\system32\Iknnbklc.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 140

Network

N/A

Files

\Windows\SysWOW64\Qhooggdn.exe

\Windows\SysWOW64\Adeplhib.exe

\Windows\SysWOW64\Aplpai32.exe

C:\Windows\SysWOW64\Ampqjm32.exe

C:\Windows\SysWOW64\Fabnbook.dll

\Windows\SysWOW64\Apajlhka.exe

\Windows\SysWOW64\Amejeljk.exe

\Windows\SysWOW64\Ailkjmpo.exe

C:\Windows\SysWOW64\Bpfcgg32.exe

\Windows\SysWOW64\Bhcdaibd.exe

C:\Windows\SysWOW64\Begeknan.exe

\Windows\SysWOW64\Bnbjopoi.exe

\Windows\SysWOW64\Bdlblj32.exe

\Windows\SysWOW64\Cgmkmecg.exe

C:\Windows\SysWOW64\Cngcjo32.exe

\Windows\SysWOW64\Ccfhhffh.exe

C:\Windows\SysWOW64\Chcqpmep.exe

C:\Windows\SysWOW64\Cjbmjplb.exe

C:\Windows\SysWOW64\Claifkkf.exe

C:\Windows\SysWOW64\Cbnbobin.exe

C:\Windows\SysWOW64\Chhjkl32.exe

C:\Windows\SysWOW64\Dhjgal32.exe

C:\Windows\SysWOW64\Dodonf32.exe

C:\Windows\SysWOW64\Ddagfm32.exe

C:\Windows\SysWOW64\Djnpnc32.exe

C:\Windows\SysWOW64\Dgodbh32.exe

C:\Windows\SysWOW64\Dnlidb32.exe

C:\Windows\SysWOW64\Dmoipopd.exe

C:\Windows\SysWOW64\Dmafennb.exe

C:\Windows\SysWOW64\Djefobmk.exe

memory/2624-374-0x00000000002D0000-0x0000000000313000-memory.dmp

C:\Windows\SysWOW64\Eihfjo32.exe

MD5 78da108f5997344a885f76ce0cd03ba3
SHA1 e4dcdc5a05ee8b97ae86ce1ccb80e3e368803f06
SHA256 56007543e5e0790b21ba036caa8aece03b3d8432d9d509b09ccf6e2e7b8c09f9
SHA512 4ebce6c743ee978e14268bbde88e5d176f5ab7d147902b8c79489794e98554f86c617eac40f29d51f8ec741d13afd376c0526eef2db5f7485f30f7798233c387

memory/2748-408-0x0000000000260000-0x00000000002A3000-memory.dmp

memory/2480-409-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1268-419-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2480-418-0x0000000000450000-0x0000000000493000-memory.dmp

C:\Windows\SysWOW64\Ebpkce32.exe

MD5 d09e2791ebc71f6825f33ae2dfe50265
SHA1 c0a89b7ef5022827b83b19a5bfd828990e7b1bc8
SHA256 e282f5c3db2c6bbc71165cd1ecc2d97c55005fd34d14c575f3eb768ad806210d
SHA512 580e54a1d8d53e957185cd13be3570678ae4b405e6faf4247c5e4e136932edb1efbdf65ff4adfa19dbb9b14b939cc71fc260eeeae59f3cbc3d726836b9896ff0

memory/2140-430-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Ekholjqg.exe

MD5 327e13b892876afce886fdde5c672b19
SHA1 38c2307aa80a3e7f22191504fbce6177e81a09e4
SHA256 20425de763d864f70796daa18cedcf0e3a1e749af887896068a8b57d9563f5cf
SHA512 dcaf70bf52807231876cb27b1d69aedd08cb98a2a4c2679125211a4535db42779fe3468f52fff321c9b780592ebaa1868f1f6c002762c54de279feab0a9f2f9d

memory/1732-446-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2140-445-0x0000000000290000-0x00000000002D3000-memory.dmp

memory/2140-444-0x0000000000290000-0x00000000002D3000-memory.dmp

C:\Windows\SysWOW64\Eijcpoac.exe

MD5 9e00daab08a2e4820ed20b2aeaddd20b
SHA1 e4c40abcf6a269c68b219127238d00f7044ffed8
SHA256 c0e35a7ba2fa84b4995df63c291e61d8f4afa0c07f7fb2a356c6e48612a8421f
SHA512 3b207c1568f6db78405ebbba96a4f57c222b2abcef1c8e86357df08ba0212162085ffd07e556927197aed242c84b0745438e172b2173111081f39b5160d76c3f

memory/1624-462-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2612-473-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Egamfkdh.exe

MD5 6df08424242b6b9b761a181c7bcb3de5
SHA1 a499fd8c2f79f8236a3332a0f1e25510a2213821
SHA256 f7d2a2beb9e95850a42d25fb79c47b768ffe16372603d504c37bfc317b7ee72b
SHA512 4b1ead01145fc80c17c575cf92d78fc9715f93f332b44f21f86b006abfb6687df264562fcf4b5bfa5943441c6e53fc9d45463f9702d11d6ea3af0f6b1f73f8d8

memory/2612-479-0x0000000000260000-0x00000000002A3000-memory.dmp

memory/2612-488-0x0000000000260000-0x00000000002A3000-memory.dmp

memory/3048-503-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Ebgacddo.exe

MD5 3f5f75d9a42b2eedc5a52a95da403e3e
SHA1 8c15b3fc321a05fc827624b37ac0dc29a16f8b79
SHA256 d2d98fbbe352d2d7b151b92c6de548c7b18586d96d9bb7cdd0a16d13797c718c
SHA512 58a9110a4cb80c24be2ed9438da8b0ceecfa13cdbfc4ddc66d47e4980a6c4d6369f6854588497cf7a23bb49fd48fabd3bb7e876c542bb41a3cfbdaf8c0ead465

C:\Windows\SysWOW64\Eloemi32.exe

MD5 8414f4d6e4e8a59a24b87645f90640ab
SHA1 3a92d24520d3f402ed21c503bb2a96e5922db3c1
SHA256 aaee20c4857de4014511449eda62c90caec92ed363e1f7b6f91aeb605ee9b62f
SHA512 b705a51529f9f4967a9128392046ae4719bea1f751e4a63de22803bd560e33839d365498e14da1f43f8ad4a05119a0303128a16674f4d2555c4bbef475803875

C:\Windows\SysWOW64\Ejbfhfaj.exe

MD5 0c8b1251f9df666a83314325dd0f3524
SHA1 35952eb71d71c726c1d6b75ad857adac24680711
SHA256 0db77e9ea9bac96fe31ac06605ea57036d8224bb8de4b0fc96c25960f45ca6aa
SHA512 900b2bc895f8891b0b1216e572bda839173bbb4c78e24d78c4b308edc6b51c458c0598997b5aca18720bc9897940312ab0df5bd8c00b44e2d3afa065a931d550

C:\Windows\SysWOW64\Fehjeo32.exe

MD5 d3fd4b1354eda773a75f046ff36e2b01
SHA1 fde90390b0849a004ab41b9656331f4f13418a0c
SHA256 1a8f3f7a4e89a483c300a0c80e374bb6c59730c9d6f13c8250168b76e717ff0a
SHA512 3eb5cd95d471990da05fc165dd2b1b8eab05915159d275891e7af8c5b8c880ac74468b4160873b95c28b401b372bb465bd9714e45f310c47d0b53b65b4a1d457

C:\Windows\SysWOW64\Fhffaj32.exe

MD5 8245ac080eeb22c4a4ce5a6eff1bfc99
SHA1 6ab81cdd3d0f1770ec672539ad362eea49dc008c
SHA256 a8074fe62283997f8e9df99cd362271cae2638cbc6a33211f74a3d45fd029d0b
SHA512 eea4e92b067ffb01306ee8623ddb958e902bfb93d55088904dedbc7d684ea795e107b7221344c0dedd6903cd11ee13d4f04607b15bd2126941833d53263d7f27

C:\Windows\SysWOW64\Fnpnndgp.exe

MD5 c6a21020962d9b9543d9c0f1c3d0d7dc
SHA1 5661d0cc8dc196302a93aadd7dd3251922994384
SHA256 a8fae82f559b952ee780aec6f644a2d9f166a386daa02662f550e5f7ad8cea00
SHA512 8d39e28cdc8061bd216586beb6fb69abdf9262b8044295c3b84802e19f712d3dbdd4c291193f6846b05d130ff118c58333ef80aedbc41abd40f39523da87d10b

C:\Windows\SysWOW64\Fmcoja32.exe

MD5 632fe28cfeff24683d5471c7a8d8b14b
SHA1 0528a98675f2fdbc4deffb334cade1e8a6d1ea67
SHA256 323d2814500badbcc38cae69349761a5fdf33dc96888ce5193562e29675b0434
SHA512 94b08801e9e55d5a4d6b86443f694aa9216f5e6310f5907d39ddfebae87af33bc81bc854a8301a3c5fa3f3c177955a4c805002bb176ff5d4caf7bfd69df1cdb6

C:\Windows\SysWOW64\Fejgko32.exe

MD5 bb7b986dfcc1a9c8814487c7c0dd43ca
SHA1 b916cdc0eee13edb2107b1491951bd8c108b5554
SHA256 7c01766698a192fdca1546b5e2e334738a5ee8b63b347afade873f6721d2a8d4
SHA512 eaf17a71d6c2736fd824162809c5208c6037cdb22dc0d5a870f5edfb8f86128dea5f24fe1e281ec2f02aaeaabbf31e6143d16498295072c8a34a84a4d2240f4b

C:\Windows\SysWOW64\Fmekoalh.exe

MD5 beae42d0f9695bb726e028fb28ee98a2
SHA1 1994089c284b0bd40cd5f423535572149eb9755b
SHA256 34e8caffa73839c04e475d986c16d5554e42d4de6d00530168693521bab6054f
SHA512 503c83c3d57988ac0f087af0569f315a6afee1db93ed85ebc8f4332cf45b8e802cd18e2ab7248a84cea8685dc4659ebca10e4225f0f2dbbd2c6a705b2a7a0705

C:\Windows\SysWOW64\Fjgoce32.exe

MD5 6fbda299d3d723280d6fb0f3f2d7d651
SHA1 5e4f869754def044476cb987d0340b88c43e5ddf
SHA256 aa5b4d36c52babda1647a3935933a3ca1a78ac673d829268a6d77c3bd0f20ef7
SHA512 f5778c506814dfdd7deb2bf3013d5a12fcdb43d2972a00db3f6f2641dde65475ee9536480c0b9b566687a992d6a79c8e5b4b51d8e1f8bf1af96e96b079f81a8a

C:\Windows\SysWOW64\Filldb32.exe

MD5 9f0255bea9bd75de5401b9ea67c0b326
SHA1 097c2941789110e4a1fc69e2472492b32d91e21f
SHA256 a6f0a4c9b941080bd88ef26a65baf3dd445199ff2d89480f4486515d073bb12a
SHA512 8f6f9790d0b8dc5298e529bb597de479f8f6f21cd7fc330568fc1d4102d083918456bd5c4bbf252744020833266d18c3dcf0cbc5230ace8e1a559e86a65a5585

C:\Windows\SysWOW64\Facdeo32.exe

MD5 03fe0ec25d486f2dd9952f7758dba119
SHA1 2a3e667f647b436ffc630d93e58480b099637506
SHA256 bf5a1a2f3377c797cf91d96dec10b1291eb1beed6956ba62a1c05a52a4e5669b
SHA512 f0625e2b6cd0c1b87acf1c247c42fa96edf052acc962ac26bd895ee9041f2dda4802e48411a49e473a374094f62013a023b6f1c9abcae90e87c2aa00aea6b0dd

C:\Windows\SysWOW64\Fdapak32.exe

MD5 f280432f24018d2696682ee69e24c95e
SHA1 926eb9bb8188567465de8f00d7e6b42a169ee05c
SHA256 d6289a782b7ee5d1ce86c41e2487d6e16a50d122cf4136b0d7009c103a526fdf
SHA512 a1fde6c3a370ac8184b92a82a9296cf8d1da91baaaba2dd623abd0ff7c0b5b03354bff8eb4bea0423b6db4207afefcf2ea1740ff136524afebc0236517eb4b9b

C:\Windows\SysWOW64\Ffpmnf32.exe

MD5 5f622935a9d82a9cf96a0104ffb6a010
SHA1 fe1b6e94965efa90ca57c35a17400dddf9b35e95
SHA256 17d67c74d5b31238bd2108a935bc3c76deb57188e37ab2a1e77ea29756455e47
SHA512 ca119f0e7b532ccc64e62b43b019b480bee973dbc9ee028a74a32ab4da756cf3ec5d8148481f4cbb95e4829952bfbe79f164395a924e912d2083aab65a101a75

C:\Windows\SysWOW64\Fjlhneio.exe

MD5 c02d0b7a19ca441d85dd1b7f26dc8e9a
SHA1 32d6be8806a066904780f28576acfc7542a3ba95
SHA256 95a430ba77289f4b8801851353a2055b5f1c003962225d9e90d9ec828ec657f2
SHA512 a1003139cd5f59a815253eaa433e331f32582a2afe22b1c9a82bc69517bd7fef02b9655170618e406d8c3112bfecdab8d49cc18b420ad62479c4e8f89f1e1bf8

C:\Windows\SysWOW64\Ffnphf32.exe

MD5 a576b206cbde5975fdbd5eba7e36cda2
SHA1 9524efd34b1d5446784371a34292b8b44683670c
SHA256 ac9027c34b3c37641ee4471aef44f4d64a246ea8d0e2d93671c6adb768c82f41
SHA512 059ba25940e4f707a9a377a2bbccc46e9991383ab7ff3da24e74654ee80bc0f2457a4490b4be611b0ed8054cbf434d399b7622632928bbf02f5b694ee38b6f15

C:\Windows\SysWOW64\Fmjejphb.exe

MD5 53d9d18493004822696e90d6bce7c2b3
SHA1 3e79ec62e9889584c5e9d369f2b882adc44ae493
SHA256 a32fe74039cec4cb3deed5d41e1692b0c0bf38a022436b017df42628f70731cd
SHA512 4d209a06fb85722c74006c40e63fc16a8b863e607cfccb6cd0e3b48adcc2eb3871677f244c1dd552944a45949df63370eed950cd8a72187ef495cb5457dcaa95

C:\Windows\SysWOW64\Fhkpmjln.exe

MD5 7895743ee9832eeee1d370f692d329e8
SHA1 289ee8fa09df383e0c86bbf39b044e5ac95e80ab
SHA256 447ad1eb8d11dd8da132d52337ebb6b54bb6cabe9719317de11ca40f5daf4a26
SHA512 a2523ef75d251992f267adc52cf77ee2c77c506efad565420b1a41e32f6ebbbaa15fa421aaac951f52f676f38812a3381a4af3436428c6632400d6a6c17e9097

C:\Windows\SysWOW64\Faagpp32.exe

MD5 56fa39af9a2029d44a4cb2129002b77c
SHA1 4141e24c3afa0777dde095b0e0dc075e5291daca
SHA256 bcea4ffb4a03122e33767da2cbff580df7b628170180cd55b4a2a250d0fb1cb1
SHA512 73c5f923331c74e30c1c5bed04c18e18f16e0266c1e9e82d2f87989baadad60f0e226b8ea7d2a83cad0f1a4e5353d6c5eb0092b1e7b5cd24c2cdc6cc1191ef0e

C:\Windows\SysWOW64\Flmefm32.exe

MD5 fd00bd8c28f992af1e528c5d98d0f01a
SHA1 cfa7fa00de5b4a36fa108a4f742b3c884600b7be
SHA256 fe96d57e531735b8efb871c656843af7f3735efff3fba95f15317d3221eab57f
SHA512 eca04daa8dc19b58cb0e23bde73145fde175fa2ee90f4bd62aba9716679a5fb64af19fefc834ee6c3b6355baa2a5f7cc6056f8350cb763762427c3ea255b4481

C:\Windows\SysWOW64\Fbgmbg32.exe

MD5 639c9e59e9c27d1ed231215f2a2d2777
SHA1 3c5f08b20713f31d5ad77a9878a30123a24a7ef8
SHA256 534bb1f47be0e9e55e7ce4ed9db9ca12ec1518417275a08bebe068bee4c0db87
SHA512 12ece128ce6a14a4d638f6d6e4a403df90aa227d8cc4969bef76d4bf9b4ccee6afb278d6ac7a9ea4cea33b3163d23140c43b7ee79cfc127451b74fb88616248b

C:\Windows\SysWOW64\Ffbicfoc.exe

MD5 324f52e3ce8055358c0f47579ac5b669
SHA1 9584ca9818dad18a1e5420297bbbe480bcdd2432
SHA256 1b847aad2e3437704e15897d7e0cded881389b2af41e02bef96600c865a31ea9
SHA512 77a9bca42d8c12209c97771524cf4daf520d3861d9588f31927c471f7f627a6f1f4d1f99ac1b1b7480238d1cb81039aa8ecb405cf761cdc4bf8ba55dbbcd8591

C:\Windows\SysWOW64\Fiaeoang.exe

MD5 3612b8b14c5d243f38c210931594b9aa
SHA1 d5a0dc05857d5263a85b8911ad2ceb667767f4af
SHA256 41a73595d7cc6cb464b89f81bad75cb752a9aa863d7a5e704480c506653f890a
SHA512 487f4bbb72249eea5ba6a4e9f01354a98f5cb4aff5495ffb9cb766a05faa60c173a4db6b81f3c20ace62bdbe86454f4c45492dccc3e55ab4b3b6093866ba366d

C:\Windows\SysWOW64\Fhhcgj32.exe

MD5 1fd4407f1cba03dc4ab24be029c3c19d
SHA1 3454b5c528570fea185aa08315a0550d8be3f5be
SHA256 6945b28035580475b72e9109ca78a583349fe7e2614cc644ba288c085e4cc66f
SHA512 d7c407e7e4284cdd3451d9455a427f784c9e32a1d598fcf083d47b6ff8211817a30aa861d9de44a6de03b892901142dab62217f28a14c58c94a1d61fae3ec395

C:\Windows\SysWOW64\Fjdbnf32.exe

MD5 6af2ee76472832224a7bbb5fc1e75746
SHA1 59d5ec652f8b144533bf6e5e4eb3f7c1cb8be8dd
SHA256 1f7f95d30624c8fbfc25be0f6338536778c97d20424833be1b138038c9c95d32
SHA512 2c2c8c2a821dfcdcc35eaadd563b6e368848b397020398507a2c83c5bde23d10560bb260f4c88c29d68af4e8ccc4acb05cdbf66f92204d09eb22b6170ca30a51

C:\Windows\SysWOW64\Gpknlk32.exe

MD5 2f99b7a06c91c74f29519de75704214e
SHA1 8c30922f4bae42674f349a1eb92b2580d9df364d
SHA256 9cf603d886c78277d4052ffcd6a40f7184b53debc1a26750a86189debc071cbc
SHA512 989e4706e84296f35b6c1034f6dff127ef10a1af60bc4fbf26ab7a5a6a54d1cdb3e0de9d1b3c4e0dca61a533b463b5d2095a72a2a972abd1da63a474627ada81

C:\Windows\SysWOW64\Gicbeald.exe

MD5 1e295d17a4ccb519fa1b3af4fe3b1e37
SHA1 274e85a774faf7cdde56ba0baa4980e585c6adc2
SHA256 f983856e8ae7cb9648ca2f43a5f3b064a060097b2c75dbec3d81b498dc17dad9
SHA512 fb4dbeadf8eb8d33ef0fdd4124bfe95fc388567c7149106303a5a0b4749c0a28a4031d6dafd45cce6ed9573ba10522610870cfaeba620958c72ce64beb8b23ed

C:\Windows\SysWOW64\Ghfbqn32.exe

MD5 2019710a479f9492c098b6800ca0d013
SHA1 6c14b1d0eddf116cba3ea77cd4ba2d2ec665898a
SHA256 e655a3b9f7fe57caa841608b61c60f0721c0e9ce361cbe3fbe73f81bc3588ce6
SHA512 cda5df09c91b48c4e88bb2ff903514c3c093719c74e743a137977bd029a6555d755b6891c2600c492b204f82e191fff8772f296aa208b6806241d804c81fd123

C:\Windows\SysWOW64\Gbijhg32.exe

MD5 ce25452e9b959347aed696b0088954ce
SHA1 677fc6a6b7ac14d5d34cffd88d584af745b82151
SHA256 ab883c27144097ffaaf796b2821ba446508ef4ea2f86f8e0fcb0f4fbb9dc748f
SHA512 956f488515cfc96bca7d24223c7879adfad9b98e0dc2ff2298bcb7fc5de3d5aaa8f1d6fe77f9dd9b7676e559b2ed3a613473dd25f4b1d5b6252d1d5d0bb0b615

C:\Windows\SysWOW64\Gpmjak32.exe

MD5 94df620d17b1634fa4135db64450ef0a
SHA1 a1e5f7147aa63a2b5035414dc66c3e308a450bcc
SHA256 139056b3a2d8056fd5e06bfd3f69bfedc76a76ace02dbe2567e79ffddeb70931
SHA512 5ff77cbab3348d9546529acd877d1682223f2c464a444a030f5c27a975eb3639cd0a4399474e333d74410adec6c674957baa8e49d33896ea192bcb4e0bf7d9ca

C:\Windows\SysWOW64\Eiaiqn32.exe

MD5 2fb2b674a6d01e1abcf0e1b214db2937
SHA1 0bafb1b5c234b3c6520bb9b9d8d21808547ec59e
SHA256 97a2e2d989696e5afcf4e2adab1063366a7caebeeed52808f2ef630635307794
SHA512 7adbab4df7c87ec3b9d073879e84c6a61f639e5aeb0cffc5f964e33f563f64bb45c74e5ab6240a4ce864ecf1e514cc5e37766be8bd84e7bf274a30447a1203c4

memory/308-499-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1452-493-0x0000000000300000-0x0000000000343000-memory.dmp

C:\Windows\SysWOW64\Epieghdk.exe

MD5 c5f05f44061c5cf584c5dae280a2ce03
SHA1 a9efc1d40fac7dc6426d23f0c98637d1fb725c3f
SHA256 f7ddb1fd590df5db401e246b82bd0cd89e6cfd91b8014d2430a2904387978ee8
SHA512 d6bbf5246a8e288626f3db80358d65b97b3b32b7c922c232a69ce2462eed18fc3354ee8e4d82d03ccf0149b431a6b0eabd9f5ed7e70f4f8e8c1d660aa1081326

memory/1452-489-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Gangic32.exe

MD5 40cfaaa56b5751d27863f7b7b2ac42cd
SHA1 1f3321126dca7139f5c0901addae542f4cbd217f
SHA256 207eabe4fbaa276027fefddddaa4589ee4c0222051ed731155ea1feb9b797101
SHA512 40edc49fbb45fff2fbeb79e245ba9f21f6106a9978d5271fba7808dad3678cb3949b1af3bce8e3dbe7cd4e6d118cc971789affcc2ea85e2b571d976a95ded228

C:\Windows\SysWOW64\Gieojq32.exe

MD5 ff1356ef6e99af14f8925b0c2d8573c4
SHA1 163d9b1aa9c50661036e933ec029dabfb6cd386c
SHA256 9fe63c6666ef28ca78189866e1d44a884d80f23ddb60a5f19be8146783194bc6
SHA512 88d10e579948cda66fc60dca5ffe3e0f76ffbe5c595563cffdad4fc696471869aee82aeccd1fb8343dddb23aaebe19f707613d575a93070aecf296df07c2ef85

C:\Windows\SysWOW64\Ghhofmql.exe

MD5 4c1d06f347bca35ec7c7ea61fab44c24
SHA1 68132486df7df46d4ae67f523061cb81c72b6084
SHA256 fd9cedc53d1339c7f0737cd42e3061b8db6c48da6db2027bdb72f56bf24073de
SHA512 3afaee36e8535ab0404761729928413aa72b7d4e9eb3024849d8ff9b9d2648cfa684d99da726759c504f28562296cc26f5334ca2d10bddad63d97c7c779820ae

memory/1624-472-0x0000000000250000-0x0000000000293000-memory.dmp

memory/1624-471-0x0000000000250000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Eecqjpee.exe

MD5 e76a525798210b92a4c62f1af1d7f7ab
SHA1 cd7f24bcbf7d194998bfd8dd094bb7571289b19c
SHA256 d281de07912a96650c735b7b95ed7d174c47001a5916c492a626840173c4fc42
SHA512 2646c2e47c3ce4a59b8678d292a4f16c3e238a55ad330bf29f178f7ee674aeb82c1133f1d3026b4ede4c111ae353cf81e3b93cbab77d3d6218cc4f924d34dcc2

C:\Windows\SysWOW64\Gobgcg32.exe

MD5 38ce0e4ed4dc361755887bc2ae82b6a7
SHA1 6bc597d4dddabef21c52b02e998a2fccd9df13c3
SHA256 1ba88c221e047bc4fe29ce05ad513119342d63fbf5a875164ac14f453e9f019f
SHA512 91a8adcfdc9db6226fefe4ecd03f00800790dc3217ccbd8c5dc77d2e3f2093ba7588c87a6cbb05b917c518f7747a26d2fbf2c4a9c5b4205690497bf9d713a5f5

C:\Windows\SysWOW64\Gaqcoc32.exe

MD5 fed5a7224ee5c0122e52f0af50ea4257
SHA1 decf84895895fb14466d745db240c638a9c050db
SHA256 37b9a254c05c903fdb8c1f4a8aab8ffeb2f6058d74f2d845b65b7de15eaa22cd
SHA512 6d37b0fee22f83d9964ba79f0783a48c4f9ca1fc7915a0b847457c392594b42adb29fd41dbf6e84fb3a9d37e51b61b71a09a7990f926de6f3b3ab3306451cdc3

memory/1648-461-0x0000000000250000-0x0000000000293000-memory.dmp

C:\Windows\SysWOW64\Efppoc32.exe

MD5 853e47a068dbcea648bcccf51de2ed4b
SHA1 282d2ddabc92e038e97b2aa2acb9c08d1930ffeb
SHA256 0be6a07682a0b99e4b99eef808590d7a9e8d9c0c07949dff92a83649ead63a5e
SHA512 49d6ca7eb2a14a4034b64ab8840a7e8b8d5bbfbcc96eb9ebdb53852f709d37f8cea1eb68fc3027370564a657e876c2a95589ce636ea34ba0f8aeac3d36edc655

memory/1732-456-0x0000000000340000-0x0000000000383000-memory.dmp

memory/1648-453-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1732-450-0x0000000000340000-0x0000000000383000-memory.dmp

memory/1268-429-0x0000000000290000-0x00000000002D3000-memory.dmp

memory/2480-428-0x0000000000450000-0x0000000000493000-memory.dmp

C:\Windows\SysWOW64\Gdopkn32.exe

MD5 cd83a3b80cf153f714fd80045af1e1de
SHA1 2692196abe5f58ea032b5c49ab2dcb7117a676bd
SHA256 4103b121be5967c86502e75a5e1e207be9abe27b9a7abe9a3a7fd73ca26cf75d
SHA512 6fa94d42c62d8170857a862ac0999c5b7d4cd4698f96c4fcf344cb025006c6d93f884a79beae13da19e57594d7dc5137fa05aa0d3f10554cf5c84cd3ee19da86

C:\Windows\SysWOW64\Epaogi32.exe

MD5 15aeb663f8dc3374b69f98b4959b4cdd
SHA1 6845f5dec32e47b7e03700434229a97eb4b68138
SHA256 00bb12c0e76be7c21b67bb6a31edc501fa07c671da3218003c78b9ac8b0dad41
SHA512 a1c418de1befbbaab8e6d1a73bfb070fafd3fd3b4bc0e2306b8b650335c5eaddd56a6de4cf2c466776584a7ed556ff93a32baf9be547485daa71be5b7a98439d

memory/2748-407-0x0000000000260000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Gkihhhnm.exe

MD5 e21b52a6fab8d33287df00c96bd07b22
SHA1 672eae8e7119dcd2b084645e03ff60c656dd0a11
SHA256 e109a0751401de2b0ca12fbc8604e01149ee46081fbf28cee1a3defda84bdf4a
SHA512 5187eefbae4e84faaae970f37214f7931e6596e0faf1024b8902a9f7bae7914187acd7476cdb1b15349bc323913751540d157000967cc3cc9df8c002704aaeb8

C:\Windows\SysWOW64\Eqonkmdh.exe

MD5 6c57f00f4a8f661987407508366bff9f
SHA1 717a845c270618257dff3d4bc04e4f1762a64fa8
SHA256 a526ce8037af8eba23ef594c6538219aa3917f74d13cb152b0956d1306a6b83f
SHA512 2f92b5ee2fa8931a6315fdfa345a04028ac860edb175086c526570f1ba26ce6f9e5217ef9ce10cf6cc4b1ecfa731ee2b284673397295e9dd26439fb819348248

memory/2748-398-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2520-397-0x00000000002E0000-0x0000000000323000-memory.dmp

memory/2520-396-0x00000000002E0000-0x0000000000323000-memory.dmp

memory/2520-395-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2652-394-0x0000000000290000-0x00000000002D3000-memory.dmp

memory/2652-391-0x0000000000290000-0x00000000002D3000-memory.dmp

C:\Windows\SysWOW64\Djbiicon.exe

MD5 93da5ca14080db1b626636d599beba41
SHA1 4ea87d93fa9375e48209ddcd371094b35f8aa8b2
SHA256 7d21dc5d00420ec46ae554a835d3cc5651b44ab36b4ef508f5fcfc2e3ba63ff2
SHA512 32f8ae785c59b2e1f81d38bd5737fd88988dd408c7929e38a49b6d9037200dad917e5b9e255e820838b5b4eb8f46e05e7518a20b23a55f3a372b3389c971f769

memory/2884-353-0x0000000000280000-0x00000000002C3000-memory.dmp

memory/1812-330-0x00000000002D0000-0x0000000000313000-memory.dmp

C:\Windows\SysWOW64\Dgaqgh32.exe

MD5 c5845ac17aa37baff6005348950b216a
SHA1 dfe4ee1f225e2fb2f672fddcaebb35c362c897c1
SHA256 4f9a5c4f26ea5d870994f8662f487714896aec0435780f073ac1d07e4585026c
SHA512 461e2cebb8963cd260ca5bd522f35a6ba221e21348016d44dd6513dbbff3851c3186a5065692abe993825b23ce9651cdb429e70e8a4a64faa3a9b966bf4df19e

C:\Windows\SysWOW64\Gmgdddmq.exe

MD5 9a0c8eeb119f06463bb7d5a7027c1f8b
SHA1 bea4b23706a84489cfd7277e79de30e03235c147
SHA256 e73d5ed342b5dac29025181887968311a5577408629ecca8bf7752c29873d7e9
SHA512 eccae809c5d58a1da3a6a0e34d8d500b02f4eb2136525de5d9008ba4c69cf7cf50845198294ab87f52fc10d5ee70b5c069336b73965c6f76292be247fe5cb40f

memory/2416-320-0x0000000000450000-0x0000000000493000-memory.dmp

C:\Windows\SysWOW64\Ddcdkl32.exe

MD5 60d6281b40a86290ad7973f5dce302ba
SHA1 a5e094d32217b0d9b85577b916762bc83de5c1d0
SHA256 e40d412a4f8c0ec4aacaf439e4b86e4bb897d5214f9f1e2c5986b4ff347382b1
SHA512 4cb975af3c8eb2cb4a0835eb87364157c3d42dc359be3dcb10c659a8bfb9a9dc2331fa16949fb23393c7add21439985578739592063561b95fe31e8aed86b1f4

memory/1140-275-0x00000000002C0000-0x0000000000303000-memory.dmp

C:\Windows\SysWOW64\Geolea32.exe

MD5 e98a51db2d7f299959a428e75834504d
SHA1 eb1a817447571aa11051b3951e7f32943d8fa119
SHA256 9ff6e406d5e77e35aba4d624c6ee3b9f5eb431ffb7a0764f730096459b4724fe
SHA512 10a87c4ddb5a1e3ac857ba50a6a432d5fbd0115afba1a32f1b9e2277172581deb958b46ac9616a6a6b33c0f1748b55162283c8b6c6b2c331c3598b65331b7fd9

C:\Windows\SysWOW64\Ghmiam32.exe

MD5 ae577d9078e996b2b561a848fd157119
SHA1 37c59d241d5099069e3688a841d7ebcce4445f7f
SHA256 eb9b748529b353aa3979fb2622ad7199453cb7565a83c36cc2adec12785ce65f
SHA512 072a3d713b78820a54e0bb8b1409e50e4aa5bd2dec75022120e5fa8e865bea410de06bce54210d4ba0104e54e2b00f70b20e05f47f352251455796e577be0f3f

C:\Windows\SysWOW64\Gogangdc.exe

MD5 7cf4e108be85952b141c42b483cb90c3
SHA1 8e06aa69920b3b21407ab70217166d41772cbf27
SHA256 8fd9965ebb43b3ed4f55560e76e2122996b3d1358c9cd66cd69b5147e745201b
SHA512 010b09e31c451bb1c9104026cd3b1bf98280ffea0b2d3ee684d47a48d61439176d32ff69cef0e78e894bbb61df6725a8e70ba90b758f745f13afb543d3b169db

C:\Windows\SysWOW64\Gmjaic32.exe

MD5 fb0b02fdda79aa5541131692bcd6cf99
SHA1 6e06ef2cac9910addbeadd4bd5a4d516d84e49ba
SHA256 e4b7781b8f14faf3307b54ea06e9c293789cae9b92248cc9862cd32ed76cfedd
SHA512 66deaeb49cdcb648d10a36e35e4ae3bef024b47e10a244a94a72cb7c7e4369cdcfc3ff480b31fea9b067fd13b18b5849d363eb1768e6386858912fcbaab56523

C:\Windows\SysWOW64\Hgbebiao.exe

MD5 26941bb8382c32085e8dd73056990949
SHA1 97c3110285480be7bd2cb37d7c03441c68d61386
SHA256 73443d6cf7c7dd4f1efaa7e7d92fa8682c69010dd69aaee2384a8028777afe64
SHA512 30abf7243354a12fbb161410b13cd37d4ac44ae8f994a290ee085f137d1ed5c50c9110d6f019351c9d201c6bcb1f62c34e381378ac74c33a8d7bddb04ac57fed

C:\Windows\SysWOW64\Hknach32.exe

MD5 a47761eaf2a4f3e0c273511161e20e6f
SHA1 d98b56d5fefcf354a9c8692e912e31d11b654e5f
SHA256 506312e8d45f679cb5e652147cc3dc59cf3fe675672a49cef10c6737df3d38a6
SHA512 434a827fac86932d9b8e980a1432f9569e98cfc0b640fee7c1003cc9df2d8d8069a813cd7b8c3318d75d8b88abc0b47d48a4c9c6e430f5aea97d1de25cb64638

C:\Windows\SysWOW64\Hpkjko32.exe

MD5 4336c789d5c348cf02aedba5266b6b84
SHA1 49e49808863a130c33448d04e6946e1aad9cbfad
SHA256 48367af74bd8c39f3c23872b067b94e247f592ed2d799355402d6dca2f78de1d
SHA512 ced3df3b8b207aa38d3e04d9529335d164f5cd81b385cbf906e9fd3b0f8bc670e39709f0ad2c25ed90c08602648b91de8ef930987d5e6d109301242ce5a189be

C:\Windows\SysWOW64\Hcifgjgc.exe

MD5 2ad02f136bdc122dcd0ed1e1c9a170f3
SHA1 3a4431a087be2e8daf61cfbc738a06cd42a4b707
SHA256 639ecb2da991beaef64328bb11b3d5324797b57317b832ae7162a3b48bf3c364
SHA512 7c588d94990242680cfbbad217c9cf009aee3c0c7c84ea63ce2b226466036d203b814b6afc09c232d5cbc2a3ad1f88788bf33cb3e4d49f09d9bb183210fe894a

C:\Windows\SysWOW64\Hkpnhgge.exe

MD5 3a1e4ef0f7b6aa7dfaf20b176c0c3782
SHA1 cc708cf31c1cef5639a5761dad59c020e1fd2f8b
SHA256 9935ef7c8b8363a399c45f7952d7082a94978d887652e52ef5d2ee173dbc6e01
SHA512 c826c1bd9ce73de3fd3ddc52193304cf4fa7a4c056f96e9ed5f7ea49f7016913fc9828f03d7668953c1a6b33c4b0fe0601ee60f55f658092d551751db93eab6b

C:\Windows\SysWOW64\Hnojdcfi.exe

MD5 8a1a3225096d17397154730003a69dc2
SHA1 4e6dde0e87715a924f0f6d2763b8f0184291c299
SHA256 f708dc60f1c6d271a0534073aa2c2087c8972ac7d1cb2dad052ff31cb0901c3a
SHA512 5992b0d8f88ae19a3535348e504be2907766126f9a2e338cd672cc78e0972923a2b0868cd094045f75e9dfc8b6ad74ab3583ce660c9c15e9a5bd1b8b807c0afe

C:\Windows\SysWOW64\Hdhbam32.exe

MD5 9d3c9fc7f617e5a16032218a75cc4c45
SHA1 77b0aa514b7e4b600e2c7a2d6f2b7167b85765a4
SHA256 43ec6e382d83f05cd6e9c209132eb04378508465b1bc89c75649c808daa6c083
SHA512 9319c165e3ab1f868b1e071e685fb1a519543ec836b0b57f118e0064f21822557557d7050807dc4a5dee827307988fe6d25d36d5e4c2199b5e7ab6781eeb6140

C:\Windows\SysWOW64\Hggomh32.exe

MD5 8e83a791d21358d324518141e49d3079
SHA1 9fb35307faa11249904a93f7d576a8d7aad24558
SHA256 63a4e39a98b7d09f4b2e2b5ebb93931849fc044db4fa31ada8b2aa77aa6c0c4e
SHA512 77a3bc1cf2c20d0e8463b19746935c393a5585158e155fe54ee49a833aa9628afd557990fbd9f949271fe3095326984e4abeb133b6243fa9a220a620969ecb5a

C:\Windows\SysWOW64\Hlcgeo32.exe

MD5 e2ddf6e36fd43079867009e519563497
SHA1 5f6ba2c882bdc04dcd1dddcdf8e0caeef4af30ef
SHA256 914ef695f0bf8969111fae049be2ce1f6537460e0e37e16ca88ebe1002bf6664
SHA512 b82e8186a95bf8748b44f47d9b132180b22198d5da9b59cb03c9bb36a9b0208b6c02908071433a7d9463f7af79eb212bef907cd7f15817082838cfb2a10096d4

C:\Windows\SysWOW64\Hcnpbi32.exe

MD5 7e76b4430f207ba666a94aa2a88b0ccd
SHA1 cbdaf8dcee85b304f980790bc8925c99e606dd62
SHA256 d0ee3c174139324cba38195290f12f3a6c158b7f5084557cb0a5fb49591e571e
SHA512 98f0390ba8999985a48a2d5146f0278b5d9ef946dda323156a27c60f0b4d59647f3665ff15214a59886c80ab2dcb20549e74525ed6596cc962e74baab9e5d6e6

C:\Windows\SysWOW64\Hellne32.exe

MD5 633cd65bb3ea82e4a2b5fc83f5b81d85
SHA1 0cce433bca42f40bceed45324c80f77c827e4447
SHA256 b2bb9f830f44b8340c73aeccb001d6ba2683fd25c5bb0cce95566418016f0a36
SHA512 f94ee0293fc2bf0a08ab3250719327ddc9160c81d1e724fb62b91305e16e94c077227c3a9569708921005f5b1c1a63eac7504527961ca5d98ee1a43a2326c975

C:\Windows\SysWOW64\Hhjhkq32.exe

MD5 4b79bc7a6ad847ed62af9672198957fc
SHA1 0d02ff717c544f98d56c9bb903e9b9226082beab
SHA256 14fb884f7b69f6e4d4bd482dd514703d7c555c29cd988039e504fd53efd5ad3b
SHA512 dd6eff1cdf54f65cd55960b5a991e023c7d7908cfce3a49effb0b2bfa2cf80962655a73f9bd7fd58e89fc5e30fd9ca9c99466153e5c98d81c8c015174cb42b5d

C:\Windows\SysWOW64\Hodpgjha.exe

MD5 13101651ef39abc678fe4d756680d519
SHA1 b7150330acce0dacdcf2c3318137a0059023ff03
SHA256 4daf704e8c37f52d24de0cb9154d4e87317af57ac840e25b2f93d28d513ad866
SHA512 a13804d83a74e8be473ee8b3e1a298f9e9a33ec44675459410c3607f0d0a0df842aa2e17d47369541f552660b5585735d12f2246febe7b463458b47fc5271f2f

C:\Windows\SysWOW64\Hacmcfge.exe

MD5 9f468b148b6d088f45ba96d0f64356ff
SHA1 97098fb3b5acfb8a66a822e30802569fe792b57d
SHA256 f2407d388628762556e55f5ed211c11cf65d2460862fb48fb25f24a51e0fa638
SHA512 04a612a932ddea232e2a083801107879b55928c33dc7fea5954ce58a94f9a5598b729426f09e849c846a651cb73aae6b68a6af565f50f08bf47d565b5c4d605b

C:\Windows\SysWOW64\Hkkalk32.exe

MD5 02dcdf39bd450b455f91e58f6b416f30
SHA1 cc0a928b2f4de60db647e5befc56b35b5488472f
SHA256 dcc7fab40ed80747515a38ecf156bd9c1fa24df924c8079f9dbc50ca49926c97
SHA512 76ba1cb33c379049d1a457874d80171774a6ae52191e4e0c8ff6bb723ca3dcd55c68262dcaa4ffe8b0b577acf104488a49b845ca31d2707158ddcc2a274f3eea

C:\Windows\SysWOW64\Icbimi32.exe

MD5 e9ca8d0e8a968b1e607b1e1322eeca5a
SHA1 3cdd2598468ad5741603a927719e82fa96612367
SHA256 d029cbbd55d05ffa37299d8d9b63a200d87ac92c9463aea4e6b738f5c670860f
SHA512 83c9903ef0d2f6e9c053a44a658444bff13e0e3bfa7ab5d631e2b421d18719053f8c1013e606137be98056fc3fe3f5dc2e47de1c5af2bb2fa3cd29d48c970d17

C:\Windows\SysWOW64\Idceea32.exe

MD5 8a864fcefedd873c90a71ef970cd2c08
SHA1 b778de305c4223df91bd302e6d67247e22a19a3f
SHA256 fe8880eb24b9798af1cc0c23f777fdcb703b25f7e688f7d6955abd9eaa4d4150
SHA512 2ac39e4466f1412ee4f1962c3b49973c70b41d56a62adee6317a74978936c32844e30fe360e5b0a628c1564c54f7897b486cb76e7244410c983d3ed68612ca25

C:\Windows\SysWOW64\Ihoafpmp.exe

MD5 7810038f48cc2e84361005e49b908822
SHA1 80d9cf2f4971c29e72b3c1f4329de03026837681
SHA256 0ca413bdc3060ba47fdb3f28591f8639802dcc5926084a763c51e3fe7fd3839e
SHA512 2f0121f8e42fcdc62e521cf9e15174cd8f7ff9a8aea02764228dd7c21a4cffdd85d685411ae1ec7d623bd16eec93f4d846659cdaca3ca85f210bafea1d7e049e

C:\Windows\SysWOW64\Iknnbklc.exe

MD5 0fccf8fc0c962de9e8ad4f8a0a2e2c71
SHA1 76ef5e8058a49a0f43729bc3530a6ea0252c8125
SHA256 1dda035146eb7fc9a757eac4a59dffcc52b245a076560d35f9e6d2d42f40648c
SHA512 b284100fe5fcd8d40f29c7760dd5415ce56223a04f035509fc09f9f5852c6ad28a1f77268ccecd13763e2a627909196d76cb088ebb1aa1c6677c06670ea58c4b

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 169cbdf970d0c857d3f42c76f38215a3
SHA1 da4a891e3d8570c8a40798e4a6ebc5ad7b0563fc
SHA256 8385c94e4150713d738a05d64016f64f0a83faaa714de512db2a8f6f3287a0c4
SHA512 2dd03c4f71ad0e24e0c8091166ad8be7eb52190f98dd4003ba437d7588b241ec20511b64bb38f0bb97fc5e28bfe7060c8d8c014a2a6dc4572a4210d80aec0453

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 19:22

Reported

2024-05-21 19:25

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05efea1b575f07acf54d2325ca017e4572c66bd15b2d17bf79d6bc26b8585d93.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qeemej32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dhidjpqc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Adgbpc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Acqimo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ndidbn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Ffddka32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gfbploob.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hodgkc32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aeklkchg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Bhaebcen.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fkopnh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ofnckp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pgnilpah.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Aanjpk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Flnlhk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Gkoiefmj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Iiaephpc.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kdeoemeg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kibgmdcn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Banllbdn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pqpnombl.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Foabofnn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hecmijim.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cdkldb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Hfcicmqp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | C:\Windows\SysWOW64\Iehfdi32.exe | N/A |
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdcbom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ojgbfocc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Okolkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Odgqdlnj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pqnaim32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ekemhj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecmeig32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nilcjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nljofl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pkceffcd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnlnon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Eleiam32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jpijnqkp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jblpek32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpbmco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nqiogp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dhnnep32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecandfpd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hfcicmqp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qffbbldm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ldoaklml.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnhfee32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nqfbaq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Becifhfj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdhfhe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bnnjen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ilidbbgl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lekehdgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Medgncoe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\05efea1b575f07acf54d2325ca017e4572c66bd15b2d17bf79d6bc26b8585d93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Acmflf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Febgea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lffhfh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lingibiq.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cegdnopg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aegikj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dceohhja.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkoiefmj.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Mjhqjg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcpebmkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjjmog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnhfee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqfbaq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnjbke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nqiogp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnolfdcn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndidbn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nggqoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojhiqefo.exe N/A
N/A N/A C:\Windows\SysWOW64\Obangb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Occkojkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqgkhnjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Okloegjl.exe N/A
N/A N/A C:\Windows\SysWOW64\Onklabip.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqihnn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okolkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onmhgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odgqdlnj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgemphmn.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnpemb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbkamqmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqnaim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pclneicb.exe N/A
N/A N/A C:\Windows\SysWOW64\Pghieg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkceffcd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnbbbabh.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbmncp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqpnombl.exe N/A
N/A N/A C:\Windows\SysWOW64\Peljol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgjfkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkfblfab.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjhbgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbpjhp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pabkdmpi.exe N/A
N/A N/A C:\Windows\SysWOW64\Pengdk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgmcqggf.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkhoae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjkombfj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnfkma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Paegjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcccfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkjlge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjmlbbdg.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnihcq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pagdol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qecppkdm.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcepkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkmhlekj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjpiha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qbgqio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qajadlja.exe N/A
N/A N/A C:\Windows\SysWOW64\Qeemej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgciaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjbena32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnnanphk.exe N/A
N/A N/A C:\Windows\SysWOW64\Qalnjkgo.exe N/A
N/A N/A C:\Windows\SysWOW64\Aegikj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Agffge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajdbcano.exe N/A
N/A N/A C:\Windows\SysWOW64\Anpncp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aanjpk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acmflf32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Oqgkhnjf.exe C:\Windows\SysWOW64\Occkojkm.exe N/A
File created C:\Windows\SysWOW64\Nggdeh32.dll C:\Windows\SysWOW64\Acmflf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Abbpem32.exe C:\Windows\SysWOW64\Abpcon32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fhgjblfq.exe C:\Windows\SysWOW64\Fooeif32.exe N/A
File created C:\Windows\SysWOW64\Dndgjk32.dll C:\Windows\SysWOW64\Ieolehop.exe N/A
File created C:\Windows\SysWOW64\Kpjcdn32.exe C:\Windows\SysWOW64\Kipkhdeq.exe N/A
File opened for modification C:\Windows\SysWOW64\Foabofnn.exe C:\Windows\SysWOW64\Fhgjblfq.exe N/A
File opened for modification C:\Windows\SysWOW64\Kmdqgd32.exe C:\Windows\SysWOW64\Kfjhkjle.exe N/A
File created C:\Windows\SysWOW64\Jpnchp32.exe C:\Windows\SysWOW64\Jidklf32.exe N/A
File created C:\Windows\SysWOW64\Efhaoapj.dll C:\Windows\SysWOW64\Ligqhc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnlhfn32.exe C:\Windows\SysWOW64\Neeqea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ligqhc32.exe C:\Windows\SysWOW64\Lekehdgp.exe N/A
File created C:\Windows\SysWOW64\Ldleel32.exe C:\Windows\SysWOW64\Ligqhc32.exe N/A
File created C:\Windows\SysWOW64\Pqdqof32.exe C:\Windows\SysWOW64\Pfolbmje.exe N/A
File opened for modification C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Cdhhdlid.exe N/A
File created C:\Windows\SysWOW64\Pponmema.dll C:\Windows\SysWOW64\Nnjbke32.exe N/A
File created C:\Windows\SysWOW64\Ibqpimpl.exe C:\Windows\SysWOW64\Icnpmp32.exe N/A
File created C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Dddhpjof.exe N/A
File opened for modification C:\Windows\SysWOW64\Pkceffcd.exe C:\Windows\SysWOW64\Pghieg32.exe N/A
File created C:\Windows\SysWOW64\Nconcm32.dll C:\Windows\SysWOW64\Bejogg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kpeiioac.exe C:\Windows\SysWOW64\Kmfmmcbo.exe N/A
File created C:\Windows\SysWOW64\Mmcdaagm.dll C:\Windows\SysWOW64\Ocgmpccl.exe N/A
File opened for modification C:\Windows\SysWOW64\Nlaegk32.exe C:\Windows\SysWOW64\Njciko32.exe N/A
File created C:\Windows\SysWOW64\Hfligghk.dll C:\Windows\SysWOW64\Njciko32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdiooblp.exe C:\Windows\SysWOW64\Cbqlfkmi.exe N/A
File created C:\Windows\SysWOW64\Gmoeoidl.exe C:\Windows\SysWOW64\Gdhmnlcj.exe N/A
File created C:\Windows\SysWOW64\Bhoilahe.dll C:\Windows\SysWOW64\Jeklag32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbceejpf.exe C:\Windows\SysWOW64\Kpeiioac.exe N/A
File opened for modification C:\Windows\SysWOW64\Kfckahdj.exe C:\Windows\SysWOW64\Kdeoemeg.exe N/A
File created C:\Windows\SysWOW64\Lingibiq.exe C:\Windows\SysWOW64\Lgokmgjm.exe N/A
File created C:\Windows\SysWOW64\Cajolcjk.dll C:\Windows\SysWOW64\Ecandfpd.exe N/A
File opened for modification C:\Windows\SysWOW64\Gcojed32.exe C:\Windows\SysWOW64\Gkhbdg32.exe N/A
File created C:\Windows\SysWOW64\Icpnnd32.dll C:\Windows\SysWOW64\Kbceejpf.exe N/A
File created C:\Windows\SysWOW64\Hodgkc32.exe C:\Windows\SysWOW64\Hmfkoh32.exe N/A
File created C:\Windows\SysWOW64\Lphoelqn.exe C:\Windows\SysWOW64\Lmiciaaj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndcdmikd.exe C:\Windows\SysWOW64\Nlmllkja.exe N/A
File created C:\Windows\SysWOW64\Hhapkbgi.dll C:\Windows\SysWOW64\Mjhqjg32.exe N/A
File created C:\Windows\SysWOW64\Geegicjl.dll C:\Windows\SysWOW64\Mcpebmkb.exe N/A
File opened for modification C:\Windows\SysWOW64\Ojhiqefo.exe C:\Windows\SysWOW64\Nggqoj32.exe N/A
File created C:\Windows\SysWOW64\Lfkgaokd.dll C:\Windows\SysWOW64\Febgea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gcagkdba.exe C:\Windows\SysWOW64\Glhonj32.exe N/A
File created C:\Windows\SysWOW64\Gebgohck.dll C:\Windows\SysWOW64\Lffhfh32.exe N/A
File created C:\Windows\SysWOW64\Mjjmog32.exe C:\Windows\SysWOW64\Mcpebmkb.exe N/A
File created C:\Windows\SysWOW64\Pabkdmpi.exe C:\Windows\SysWOW64\Pbpjhp32.exe N/A
File created C:\Windows\SysWOW64\Fqplhmkl.dll C:\Windows\SysWOW64\Jbhfjljd.exe N/A
File opened for modification C:\Windows\SysWOW64\Eabbjc32.exe C:\Windows\SysWOW64\Eocenh32.exe N/A
File created C:\Windows\SysWOW64\Hiefcj32.exe C:\Windows\SysWOW64\Gblngpbd.exe N/A
File opened for modification C:\Windows\SysWOW64\Pclgkb32.exe C:\Windows\SysWOW64\Pqmjog32.exe N/A
File created C:\Windows\SysWOW64\Epogol32.dll C:\Windows\SysWOW64\Pcccfh32.exe N/A
File created C:\Windows\SysWOW64\Iphkfg32.dll C:\Windows\SysWOW64\Bjpaooda.exe N/A
File created C:\Windows\SysWOW64\Jffldcca.dll C:\Windows\SysWOW64\Dkljak32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bcjlcn32.exe C:\Windows\SysWOW64\Bgcknmop.exe N/A
File created C:\Windows\SysWOW64\Pjoheljj.dll C:\Windows\SysWOW64\Pjkombfj.exe N/A
File created C:\Windows\SysWOW64\Pjmlbbdg.exe C:\Windows\SysWOW64\Pkjlge32.exe N/A
File created C:\Windows\SysWOW64\Onjegled.exe C:\Windows\SysWOW64\Ofcmfodb.exe N/A
File created C:\Windows\SysWOW64\Dlncan32.exe C:\Windows\SysWOW64\Dedkdcie.exe N/A
File created C:\Windows\SysWOW64\Aainof32.dll C:\Windows\SysWOW64\Eleiam32.exe N/A
File created C:\Windows\SysWOW64\Ncnaabfm.dll C:\Windows\SysWOW64\Jefbfgig.exe N/A
File created C:\Windows\SysWOW64\Mlcifmbl.exe C:\Windows\SysWOW64\Meiaib32.exe N/A
File created C:\Windows\SysWOW64\Becifhfj.exe C:\Windows\SysWOW64\Abbpem32.exe N/A
File created C:\Windows\SysWOW64\Hcbpab32.exe C:\Windows\SysWOW64\Hkkhqd32.exe N/A
File created C:\Windows\SysWOW64\Ieolehop.exe C:\Windows\SysWOW64\Ibqpimpl.exe N/A
File created C:\Windows\SysWOW64\Echdno32.dll C:\Windows\SysWOW64\Cdcoim32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mcpebmkb.exe C:\Windows\SysWOW64\Mjhqjg32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Anpncp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphkfg32.dll" C:\Windows\SysWOW64\Bjpaooda.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijcoimpn.dll" C:\Windows\SysWOW64\Gcagkdba.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ldjhpl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pnbbbabh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ldoaklml.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bcjlcn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nggqoj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qjpiha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ippggbck.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncdgcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjokdipf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Deokon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ocgmpccl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Daolnf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Eoolbinc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ehgqln32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Fcfhof32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hkdbpe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kmdqgd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mgkjhe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nnqbanmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Olhlhjpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ieolehop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nnlhfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nqfbaq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdkldb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ecandfpd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Iiaephpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkngh32.dll" C:\Windows\SysWOW64\Kibgmdcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pcccfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eepjpb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ibqpimpl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lboeaifi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndaggimg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qddfkd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Beeflhdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gmoeoidl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dhpjkojk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Flnlhk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defbnajo.dll" C:\Windows\SysWOW64\Fhjfhl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mplhql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll" C:\Windows\SysWOW64\Deokon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll" C:\Windows\SysWOW64\Ngdmod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpkman32.dll" C:\Windows\SysWOW64\Peljol32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bkidenlg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hmfkoh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll" C:\Windows\SysWOW64\Dogogcpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eocenh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjdgcbkb.dll" C:\Windows\SysWOW64\Bnlnon32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Oqhacgdh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nnjbke32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jpgmha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nepgjaeg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pncgmkmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acjoke32.dll" C:\Windows\SysWOW64\Pkfblfab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mlampmdo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qecppkdm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ofeilobp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdldlm32.dll" C:\Windows\SysWOW64\Pnfkma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olgkhn32.dll" C:\Windows\SysWOW64\Eamhodmf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Docjlc32.dll" C:\Windows\SysWOW64\Iiaephpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll" C:\Windows\SysWOW64\Oqhacgdh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keajjc32.dll" C:\Windows\SysWOW64\Hmjdjgjo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1816 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\05efea1b575f07acf54d2325ca017e4572c66bd15b2d17bf79d6bc26b8585d93.exe C:\Windows\SysWOW64\Mjhqjg32.exe
PID 952 wrote to memory of 3232 N/A C:\Windows\SysWOW64\Mjhqjg32.exe C:\Windows\SysWOW64\Mcpebmkb.exe
PID 3232 wrote to memory of 1212 N/A C:\Windows\SysWOW64\Mcpebmkb.exe C:\Windows\SysWOW64\Mjjmog32.exe
PID 1212 wrote to memory of 4484 N/A C:\Windows\SysWOW64\Mjjmog32.exe C:\Windows\SysWOW64\Nnhfee32.exe
PID 4484 wrote to memory of 856 N/A C:\Windows\SysWOW64\Nnhfee32.exe C:\Windows\SysWOW64\Nqfbaq32.exe
PID 856 wrote to memory of 1312 N/A C:\Windows\SysWOW64\Nqfbaq32.exe C:\Windows\SysWOW64\Nnjbke32.exe
PID 1312 wrote to memory of 1436 N/A C:\Windows\SysWOW64\Nnjbke32.exe C:\Windows\SysWOW64\Nqiogp32.exe
PID 1436 wrote to memory of 5096 N/A C:\Windows\SysWOW64\Nqiogp32.exe C:\Windows\SysWOW64\Nnolfdcn.exe
PID 5096 wrote to memory of 1364 N/A C:\Windows\SysWOW64\Nnolfdcn.exe C:\Windows\SysWOW64\Ndidbn32.exe
PID 1364 wrote to memory of 3384 N/A C:\Windows\SysWOW64\Ndidbn32.exe C:\Windows\SysWOW64\Nggqoj32.exe
PID 3384 wrote to memory of 1556 N/A C:\Windows\SysWOW64\Nggqoj32.exe C:\Windows\SysWOW64\Ojhiqefo.exe
PID 1556 wrote to memory of 3148 N/A C:\Windows\SysWOW64\Ojhiqefo.exe C:\Windows\SysWOW64\Obangb32.exe
PID 3148 wrote to memory of 3372 N/A C:\Windows\SysWOW64\Obangb32.exe C:\Windows\SysWOW64\Occkojkm.exe
PID 3372 wrote to memory of 4464 N/A C:\Windows\SysWOW64\Occkojkm.exe C:\Windows\SysWOW64\Oqgkhnjf.exe
PID 4464 wrote to memory of 556 N/A C:\Windows\SysWOW64\Oqgkhnjf.exe C:\Windows\SysWOW64\Okloegjl.exe
PID 556 wrote to memory of 948 N/A C:\Windows\SysWOW64\Okloegjl.exe C:\Windows\SysWOW64\Onklabip.exe
PID 948 wrote to memory of 3872 N/A C:\Windows\SysWOW64\Onklabip.exe C:\Windows\SysWOW64\Oqihnn32.exe
PID 3872 wrote to memory of 4636 N/A C:\Windows\SysWOW64\Oqihnn32.exe C:\Windows\SysWOW64\Okolkg32.exe
PID 4636 wrote to memory of 3508 N/A C:\Windows\SysWOW64\Okolkg32.exe C:\Windows\SysWOW64\Onmhgb32.exe
PID 3508 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Onmhgb32.exe C:\Windows\SysWOW64\Odgqdlnj.exe
PID 2136 wrote to memory of 2180 N/A C:\Windows\SysWOW64\Odgqdlnj.exe C:\Windows\SysWOW64\Pgemphmn.exe
PID 2180 wrote to memory of 2892 N/A C:\Windows\SysWOW64\Pgemphmn.exe C:\Windows\SysWOW64\Pnpemb32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\05efea1b575f07acf54d2325ca017e4572c66bd15b2d17bf79d6bc26b8585d93.exe

"C:\Users\Admin\AppData\Local\Temp\05efea1b575f07acf54d2325ca017e4572c66bd15b2d17bf79d6bc26b8585d93.exe"

C:\Windows\SysWOW64\Mjhqjg32.exe

C:\Windows\system32\Mjhqjg32.exe

C:\Windows\SysWOW64\Mcpebmkb.exe

C:\Windows\system32\Mcpebmkb.exe

C:\Windows\SysWOW64\Mjjmog32.exe

C:\Windows\system32\Mjjmog32.exe

C:\Windows\SysWOW64\Nnhfee32.exe

C:\Windows\system32\Nnhfee32.exe

C:\Windows\SysWOW64\Nqfbaq32.exe

C:\Windows\system32\Nqfbaq32.exe

C:\Windows\SysWOW64\Nnjbke32.exe

C:\Windows\system32\Nnjbke32.exe

C:\Windows\SysWOW64\Nqiogp32.exe

C:\Windows\system32\Nqiogp32.exe

C:\Windows\SysWOW64\Nnolfdcn.exe

C:\Windows\system32\Nnolfdcn.exe

C:\Windows\SysWOW64\Ndidbn32.exe

C:\Windows\system32\Ndidbn32.exe

C:\Windows\SysWOW64\Nggqoj32.exe

C:\Windows\system32\Nggqoj32.exe

C:\Windows\SysWOW64\Ojhiqefo.exe

C:\Windows\system32\Ojhiqefo.exe

C:\Windows\SysWOW64\Obangb32.exe

C:\Windows\system32\Obangb32.exe

C:\Windows\SysWOW64\Occkojkm.exe

C:\Windows\system32\Occkojkm.exe

C:\Windows\SysWOW64\Oqgkhnjf.exe

C:\Windows\system32\Oqgkhnjf.exe

C:\Windows\SysWOW64\Okloegjl.exe

C:\Windows\system32\Okloegjl.exe

C:\Windows\SysWOW64\Onklabip.exe

C:\Windows\system32\Onklabip.exe

C:\Windows\SysWOW64\Oqihnn32.exe

C:\Windows\system32\Oqihnn32.exe

C:\Windows\SysWOW64\Okolkg32.exe

C:\Windows\system32\Okolkg32.exe

C:\Windows\SysWOW64\Onmhgb32.exe

C:\Windows\system32\Onmhgb32.exe

C:\Windows\SysWOW64\Odgqdlnj.exe

C:\Windows\system32\Odgqdlnj.exe

C:\Windows\SysWOW64\Pgemphmn.exe

C:\Windows\system32\Pgemphmn.exe

C:\Windows\SysWOW64\Pnpemb32.exe

C:\Windows\system32\Pnpemb32.exe

C:\Windows\SysWOW64\Pbkamqmd.exe

C:\Windows\system32\Pbkamqmd.exe

C:\Windows\SysWOW64\Pqnaim32.exe

C:\Windows\system32\Pqnaim32.exe

C:\Windows\SysWOW64\Pclneicb.exe

C:\Windows\system32\Pclneicb.exe

C:\Windows\SysWOW64\Pghieg32.exe

C:\Windows\system32\Pghieg32.exe

C:\Windows\SysWOW64\Pkceffcd.exe

C:\Windows\system32\Pkceffcd.exe

C:\Windows\SysWOW64\Pnbbbabh.exe

C:\Windows\system32\Pnbbbabh.exe

C:\Windows\SysWOW64\Pbmncp32.exe

C:\Windows\system32\Pbmncp32.exe

C:\Windows\SysWOW64\Pqpnombl.exe

C:\Windows\system32\Pqpnombl.exe

C:\Windows\SysWOW64\Peljol32.exe

C:\Windows\system32\Peljol32.exe

C:\Windows\SysWOW64\Pgjfkg32.exe

C:\Windows\system32\Pgjfkg32.exe

C:\Windows\SysWOW64\Pkfblfab.exe

C:\Windows\system32\Pkfblfab.exe

C:\Windows\SysWOW64\Pjhbgb32.exe

C:\Windows\system32\Pjhbgb32.exe

C:\Windows\SysWOW64\Pbpjhp32.exe

C:\Windows\system32\Pbpjhp32.exe

C:\Windows\SysWOW64\Pabkdmpi.exe

C:\Windows\system32\Pabkdmpi.exe

C:\Windows\SysWOW64\Pengdk32.exe

C:\Windows\system32\Pengdk32.exe

C:\Windows\SysWOW64\Pgmcqggf.exe

C:\Windows\system32\Pgmcqggf.exe

C:\Windows\SysWOW64\Pkhoae32.exe

C:\Windows\system32\Pkhoae32.exe

C:\Windows\SysWOW64\Pjkombfj.exe

C:\Windows\system32\Pjkombfj.exe

C:\Windows\SysWOW64\Pnfkma32.exe

C:\Windows\system32\Pnfkma32.exe

C:\Windows\SysWOW64\Paegjl32.exe

C:\Windows\system32\Paegjl32.exe

C:\Windows\SysWOW64\Pcccfh32.exe

C:\Windows\system32\Pcccfh32.exe

C:\Windows\SysWOW64\Pkjlge32.exe

C:\Windows\system32\Pkjlge32.exe

C:\Windows\SysWOW64\Pjmlbbdg.exe

C:\Windows\system32\Pjmlbbdg.exe

C:\Windows\SysWOW64\Pnihcq32.exe

C:\Windows\system32\Pnihcq32.exe

C:\Windows\SysWOW64\Pagdol32.exe

C:\Windows\system32\Pagdol32.exe

C:\Windows\SysWOW64\Qecppkdm.exe

C:\Windows\system32\Qecppkdm.exe

C:\Windows\SysWOW64\Qcepkg32.exe

C:\Windows\system32\Qcepkg32.exe

C:\Windows\SysWOW64\Qkmhlekj.exe

C:\Windows\system32\Qkmhlekj.exe

C:\Windows\SysWOW64\Qjpiha32.exe

C:\Windows\system32\Qjpiha32.exe

C:\Windows\SysWOW64\Qbgqio32.exe

C:\Windows\system32\Qbgqio32.exe

C:\Windows\SysWOW64\Qajadlja.exe

C:\Windows\system32\Qajadlja.exe

C:\Windows\SysWOW64\Qeemej32.exe

C:\Windows\system32\Qeemej32.exe

C:\Windows\SysWOW64\Qgciaf32.exe

C:\Windows\system32\Qgciaf32.exe

C:\Windows\SysWOW64\Qjbena32.exe

C:\Windows\system32\Qjbena32.exe

C:\Windows\SysWOW64\Qnnanphk.exe

C:\Windows\system32\Qnnanphk.exe

C:\Windows\SysWOW64\Qalnjkgo.exe

C:\Windows\system32\Qalnjkgo.exe

C:\Windows\SysWOW64\Aegikj32.exe

C:\Windows\system32\Aegikj32.exe

C:\Windows\SysWOW64\Agffge32.exe

C:\Windows\system32\Agffge32.exe

C:\Windows\SysWOW64\Ajdbcano.exe

C:\Windows\system32\Ajdbcano.exe

C:\Windows\SysWOW64\Anpncp32.exe

C:\Windows\system32\Anpncp32.exe

C:\Windows\SysWOW64\Aanjpk32.exe

C:\Windows\system32\Aanjpk32.exe

C:\Windows\SysWOW64\Acmflf32.exe

C:\Windows\system32\Acmflf32.exe

C:\Windows\SysWOW64\Aldomc32.exe

C:\Windows\system32\Aldomc32.exe

C:\Windows\SysWOW64\Acocaf32.exe

C:\Windows\system32\Acocaf32.exe

C:\Windows\SysWOW64\Abpcon32.exe

C:\Windows\system32\Abpcon32.exe

C:\Windows\SysWOW64\Abbpem32.exe

C:\Windows\system32\Abbpem32.exe

C:\Windows\SysWOW64\Becifhfj.exe

C:\Windows\system32\Becifhfj.exe

C:\Windows\SysWOW64\Bhaebcen.exe

C:\Windows\system32\Bhaebcen.exe

C:\Windows\SysWOW64\Bjpaooda.exe

C:\Windows\system32\Bjpaooda.exe

C:\Windows\SysWOW64\Bnlnon32.exe

C:\Windows\system32\Bnlnon32.exe

C:\Windows\SysWOW64\Beeflhdh.exe

C:\Windows\system32\Beeflhdh.exe

C:\Windows\SysWOW64\Bdhfhe32.exe

C:\Windows\system32\Bdhfhe32.exe

C:\Windows\SysWOW64\Blpnib32.exe

C:\Windows\system32\Blpnib32.exe

C:\Windows\SysWOW64\Bnnjen32.exe

C:\Windows\system32\Bnnjen32.exe

C:\Windows\SysWOW64\Balfaiil.exe

C:\Windows\system32\Balfaiil.exe

C:\Windows\SysWOW64\Bdkcmdhp.exe

C:\Windows\system32\Bdkcmdhp.exe

C:\Windows\SysWOW64\Blbknaib.exe

C:\Windows\system32\Blbknaib.exe

C:\Windows\SysWOW64\Bopgjmhe.exe

C:\Windows\system32\Bopgjmhe.exe

C:\Windows\SysWOW64\Bblckl32.exe

C:\Windows\system32\Bblckl32.exe

C:\Windows\SysWOW64\Bejogg32.exe

C:\Windows\system32\Bejogg32.exe

C:\Windows\SysWOW64\Bldgdago.exe

C:\Windows\system32\Bldgdago.exe

C:\Windows\SysWOW64\Bjghpn32.exe

C:\Windows\system32\Bjghpn32.exe

C:\Windows\SysWOW64\Bbnpqk32.exe

C:\Windows\system32\Bbnpqk32.exe

C:\Windows\SysWOW64\Bemlmgnp.exe

C:\Windows\system32\Bemlmgnp.exe

C:\Windows\SysWOW64\Bkidenlg.exe

C:\Windows\system32\Bkidenlg.exe

C:\Windows\SysWOW64\Cbqlfkmi.exe

C:\Windows\system32\Cbqlfkmi.exe

C:\Windows\SysWOW64\Cdiooblp.exe

C:\Windows\system32\Cdiooblp.exe

C:\Windows\SysWOW64\Conclk32.exe

C:\Windows\system32\Conclk32.exe

C:\Windows\SysWOW64\Cdkldb32.exe

C:\Windows\system32\Cdkldb32.exe

C:\Windows\SysWOW64\Daolnf32.exe

C:\Windows\system32\Daolnf32.exe

C:\Windows\SysWOW64\Dhidjpqc.exe

C:\Windows\system32\Dhidjpqc.exe

C:\Windows\SysWOW64\Daaicfgd.exe

C:\Windows\system32\Daaicfgd.exe

C:\Windows\SysWOW64\Dlgmpogj.exe

C:\Windows\system32\Dlgmpogj.exe

C:\Windows\SysWOW64\Dbaemi32.exe

C:\Windows\system32\Dbaemi32.exe

C:\Windows\SysWOW64\Deoaid32.exe

C:\Windows\system32\Deoaid32.exe

C:\Windows\SysWOW64\Dhnnep32.exe

C:\Windows\system32\Dhnnep32.exe

C:\Windows\SysWOW64\Dkljak32.exe

C:\Windows\system32\Dkljak32.exe

C:\Windows\SysWOW64\Dafbne32.exe

C:\Windows\system32\Dafbne32.exe

C:\Windows\SysWOW64\Dhpjkojk.exe

C:\Windows\system32\Dhpjkojk.exe

C:\Windows\SysWOW64\Dkoggkjo.exe

C:\Windows\system32\Dkoggkjo.exe

C:\Windows\SysWOW64\Dceohhja.exe

C:\Windows\system32\Dceohhja.exe

C:\Windows\SysWOW64\Dedkdcie.exe

C:\Windows\system32\Dedkdcie.exe

C:\Windows\SysWOW64\Dlncan32.exe

C:\Windows\system32\Dlncan32.exe

C:\Windows\SysWOW64\Eaklidoi.exe

C:\Windows\system32\Eaklidoi.exe

C:\Windows\SysWOW64\Edihepnm.exe

C:\Windows\system32\Edihepnm.exe

C:\Windows\SysWOW64\Eoolbinc.exe

C:\Windows\system32\Eoolbinc.exe

C:\Windows\SysWOW64\Eamhodmf.exe

C:\Windows\system32\Eamhodmf.exe

C:\Windows\SysWOW64\Ehgqln32.exe

C:\Windows\system32\Ehgqln32.exe

C:\Windows\SysWOW64\Ekemhj32.exe

C:\Windows\system32\Ekemhj32.exe

C:\Windows\SysWOW64\Ecmeig32.exe

C:\Windows\system32\Ecmeig32.exe

C:\Windows\SysWOW64\Ednaqo32.exe

C:\Windows\system32\Ednaqo32.exe

C:\Windows\SysWOW64\Eleiam32.exe

C:\Windows\system32\Eleiam32.exe

C:\Windows\SysWOW64\Eocenh32.exe

C:\Windows\system32\Eocenh32.exe

C:\Windows\SysWOW64\Eabbjc32.exe

C:\Windows\system32\Eabbjc32.exe

C:\Windows\SysWOW64\Ehljfnpn.exe

C:\Windows\system32\Ehljfnpn.exe

C:\Windows\SysWOW64\Ekjfcipa.exe

C:\Windows\system32\Ekjfcipa.exe

C:\Windows\SysWOW64\Ecandfpd.exe

C:\Windows\system32\Ecandfpd.exe

C:\Windows\SysWOW64\Eepjpb32.exe

C:\Windows\system32\Eepjpb32.exe

C:\Windows\SysWOW64\Ehnglm32.exe

C:\Windows\system32\Ehnglm32.exe

C:\Windows\SysWOW64\Fkmchi32.exe

C:\Windows\system32\Fkmchi32.exe

C:\Windows\SysWOW64\Febgea32.exe

C:\Windows\system32\Febgea32.exe

C:\Windows\SysWOW64\Fkopnh32.exe

C:\Windows\system32\Fkopnh32.exe

C:\Windows\SysWOW64\Fcfhof32.exe

C:\Windows\system32\Fcfhof32.exe

C:\Windows\SysWOW64\Ffddka32.exe

C:\Windows\system32\Ffddka32.exe

C:\Windows\SysWOW64\Flnlhk32.exe

C:\Windows\system32\Flnlhk32.exe

C:\Windows\SysWOW64\Fomhdg32.exe

C:\Windows\system32\Fomhdg32.exe

C:\Windows\SysWOW64\Ffgqqaip.exe

C:\Windows\system32\Ffgqqaip.exe

C:\Windows\SysWOW64\Fhemmlhc.exe

C:\Windows\system32\Fhemmlhc.exe

C:\Windows\SysWOW64\Fooeif32.exe

C:\Windows\system32\Fooeif32.exe

C:\Windows\SysWOW64\Fhgjblfq.exe

C:\Windows\system32\Fhgjblfq.exe

C:\Windows\SysWOW64\Foabofnn.exe

C:\Windows\system32\Foabofnn.exe

C:\Windows\SysWOW64\Ffkjlp32.exe

C:\Windows\system32\Ffkjlp32.exe

C:\Windows\SysWOW64\Fhjfhl32.exe

C:\Windows\system32\Fhjfhl32.exe

C:\Windows\SysWOW64\Gkhbdg32.exe

C:\Windows\system32\Gkhbdg32.exe

C:\Windows\SysWOW64\Gcojed32.exe

C:\Windows\system32\Gcojed32.exe

C:\Windows\SysWOW64\Ghlcnk32.exe

C:\Windows\system32\Ghlcnk32.exe

C:\Windows\SysWOW64\Glhonj32.exe

C:\Windows\system32\Glhonj32.exe

C:\Windows\SysWOW64\Gcagkdba.exe

C:\Windows\system32\Gcagkdba.exe

C:\Windows\SysWOW64\Gdcdbl32.exe

C:\Windows\system32\Gdcdbl32.exe

C:\Windows\SysWOW64\Gmjlcj32.exe

C:\Windows\system32\Gmjlcj32.exe

C:\Windows\SysWOW64\Gcddpdpo.exe

C:\Windows\system32\Gcddpdpo.exe

C:\Windows\SysWOW64\Gfbploob.exe

C:\Windows\system32\Gfbploob.exe

C:\Windows\SysWOW64\Ghaliknf.exe

C:\Windows\system32\Ghaliknf.exe

C:\Windows\SysWOW64\Gkoiefmj.exe

C:\Windows\system32\Gkoiefmj.exe

C:\Windows\SysWOW64\Gcfqfc32.exe

C:\Windows\system32\Gcfqfc32.exe

C:\Windows\SysWOW64\Gdhmnlcj.exe

C:\Windows\system32\Gdhmnlcj.exe

C:\Windows\SysWOW64\Gmoeoidl.exe

C:\Windows\system32\Gmoeoidl.exe

C:\Windows\SysWOW64\Gomakdcp.exe

C:\Windows\system32\Gomakdcp.exe

C:\Windows\SysWOW64\Gblngpbd.exe

C:\Windows\system32\Gblngpbd.exe

C:\Windows\SysWOW64\Hiefcj32.exe

C:\Windows\system32\Hiefcj32.exe

C:\Windows\SysWOW64\Hkdbpe32.exe

C:\Windows\system32\Hkdbpe32.exe

C:\Windows\SysWOW64\Hckjacjg.exe

C:\Windows\system32\Hckjacjg.exe

C:\Windows\SysWOW64\Hihbijhn.exe

C:\Windows\system32\Hihbijhn.exe

C:\Windows\SysWOW64\Hkfoeega.exe

C:\Windows\system32\Hkfoeega.exe

C:\Windows\SysWOW64\Hcmgfbhd.exe

C:\Windows\system32\Hcmgfbhd.exe

C:\Windows\SysWOW64\Heocnk32.exe

C:\Windows\system32\Heocnk32.exe

C:\Windows\SysWOW64\Hmfkoh32.exe

C:\Windows\system32\Hmfkoh32.exe

C:\Windows\SysWOW64\Hodgkc32.exe

C:\Windows\system32\Hodgkc32.exe

C:\Windows\SysWOW64\Hbbdholl.exe

C:\Windows\system32\Hbbdholl.exe

C:\Windows\SysWOW64\Himldi32.exe

C:\Windows\system32\Himldi32.exe

C:\Windows\SysWOW64\Hkkhqd32.exe

C:\Windows\system32\Hkkhqd32.exe

C:\Windows\SysWOW64\Hcbpab32.exe

C:\Windows\system32\Hcbpab32.exe

C:\Windows\SysWOW64\Hecmijim.exe

C:\Windows\system32\Hecmijim.exe

C:\Windows\SysWOW64\Hmjdjgjo.exe

C:\Windows\system32\Hmjdjgjo.exe

C:\Windows\SysWOW64\Hcdmga32.exe

C:\Windows\system32\Hcdmga32.exe

C:\Windows\SysWOW64\Hfcicmqp.exe

C:\Windows\system32\Hfcicmqp.exe

C:\Windows\SysWOW64\Iiaephpc.exe

C:\Windows\system32\Iiaephpc.exe

C:\Windows\SysWOW64\Ipknlb32.exe

C:\Windows\system32\Ipknlb32.exe

C:\Windows\SysWOW64\Ibjjhn32.exe

C:\Windows\system32\Ibjjhn32.exe

C:\Windows\SysWOW64\Iehfdi32.exe

C:\Windows\system32\Iehfdi32.exe

C:\Windows\SysWOW64\Imoneg32.exe

C:\Windows\system32\Imoneg32.exe

C:\Windows\SysWOW64\Ipnjab32.exe

C:\Windows\system32\Ipnjab32.exe

C:\Windows\SysWOW64\Iblfnn32.exe

C:\Windows\system32\Iblfnn32.exe

C:\Windows\SysWOW64\Iejcji32.exe

C:\Windows\system32\Iejcji32.exe

C:\Windows\SysWOW64\Imakkfdg.exe

C:\Windows\system32\Imakkfdg.exe

C:\Windows\SysWOW64\Ippggbck.exe

C:\Windows\system32\Ippggbck.exe

C:\Windows\SysWOW64\Ibnccmbo.exe

C:\Windows\system32\Ibnccmbo.exe

C:\Windows\SysWOW64\Iemppiab.exe

C:\Windows\system32\Iemppiab.exe

C:\Windows\SysWOW64\Imdgqfbd.exe

C:\Windows\system32\Imdgqfbd.exe

C:\Windows\SysWOW64\Icnpmp32.exe

C:\Windows\system32\Icnpmp32.exe

C:\Windows\SysWOW64\Ibqpimpl.exe

C:\Windows\system32\Ibqpimpl.exe

C:\Windows\SysWOW64\Ieolehop.exe

C:\Windows\system32\Ieolehop.exe

C:\Windows\SysWOW64\Ilidbbgl.exe

C:\Windows\system32\Ilidbbgl.exe

C:\Windows\SysWOW64\Jfoiokfb.exe

C:\Windows\system32\Jfoiokfb.exe

C:\Windows\SysWOW64\Jmhale32.exe

C:\Windows\system32\Jmhale32.exe

C:\Windows\SysWOW64\Jpgmha32.exe

C:\Windows\system32\Jpgmha32.exe

C:\Windows\SysWOW64\Jedeph32.exe

C:\Windows\system32\Jedeph32.exe

C:\Windows\SysWOW64\Jpijnqkp.exe

C:\Windows\system32\Jpijnqkp.exe

C:\Windows\SysWOW64\Jbhfjljd.exe

C:\Windows\system32\Jbhfjljd.exe

C:\Windows\SysWOW64\Jefbfgig.exe

C:\Windows\system32\Jefbfgig.exe

C:\Windows\SysWOW64\Jbjcolha.exe

C:\Windows\system32\Jbjcolha.exe

C:\Windows\SysWOW64\Jidklf32.exe

C:\Windows\system32\Jidklf32.exe

C:\Windows\SysWOW64\Jpnchp32.exe

C:\Windows\system32\Jpnchp32.exe

C:\Windows\SysWOW64\Jblpek32.exe

C:\Windows\system32\Jblpek32.exe

C:\Windows\SysWOW64\Jeklag32.exe

C:\Windows\system32\Jeklag32.exe

C:\Windows\SysWOW64\Jlednamo.exe

C:\Windows\system32\Jlednamo.exe

C:\Windows\SysWOW64\Kfjhkjle.exe

C:\Windows\system32\Kfjhkjle.exe

C:\Windows\SysWOW64\Kmdqgd32.exe

C:\Windows\system32\Kmdqgd32.exe

C:\Windows\SysWOW64\Kpbmco32.exe

C:\Windows\system32\Kpbmco32.exe

C:\Windows\SysWOW64\Kbaipkbi.exe

C:\Windows\system32\Kbaipkbi.exe

C:\Windows\SysWOW64\Kepelfam.exe

C:\Windows\system32\Kepelfam.exe

C:\Windows\SysWOW64\Kmfmmcbo.exe

C:\Windows\system32\Kmfmmcbo.exe

C:\Windows\SysWOW64\Kpeiioac.exe

C:\Windows\system32\Kpeiioac.exe

C:\Windows\SysWOW64\Kbceejpf.exe

C:\Windows\system32\Kbceejpf.exe

C:\Windows\SysWOW64\Kebbafoj.exe

C:\Windows\system32\Kebbafoj.exe

C:\Windows\SysWOW64\Klljnp32.exe

C:\Windows\system32\Klljnp32.exe

C:\Windows\SysWOW64\Kdcbom32.exe

C:\Windows\system32\Kdcbom32.exe

C:\Windows\SysWOW64\Kfankifm.exe

C:\Windows\system32\Kfankifm.exe

C:\Windows\SysWOW64\Kipkhdeq.exe

C:\Windows\system32\Kipkhdeq.exe

C:\Windows\SysWOW64\Kpjcdn32.exe

C:\Windows\system32\Kpjcdn32.exe

C:\Windows\SysWOW64\Kdeoemeg.exe

C:\Windows\system32\Kdeoemeg.exe

C:\Windows\SysWOW64\Kfckahdj.exe

C:\Windows\system32\Kfckahdj.exe

C:\Windows\SysWOW64\Kibgmdcn.exe

C:\Windows\system32\Kibgmdcn.exe

C:\Windows\SysWOW64\Kdgljmcd.exe

C:\Windows\system32\Kdgljmcd.exe

C:\Windows\SysWOW64\Lffhfh32.exe

C:\Windows\system32\Lffhfh32.exe

C:\Windows\SysWOW64\Lmppcbjd.exe

C:\Windows\system32\Lmppcbjd.exe

C:\Windows\SysWOW64\Ldjhpl32.exe

C:\Windows\system32\Ldjhpl32.exe

C:\Windows\SysWOW64\Lekehdgp.exe

C:\Windows\system32\Lekehdgp.exe

C:\Windows\SysWOW64\Ligqhc32.exe

C:\Windows\system32\Ligqhc32.exe

C:\Windows\SysWOW64\Ldleel32.exe

C:\Windows\system32\Ldleel32.exe

C:\Windows\SysWOW64\Lboeaifi.exe

C:\Windows\system32\Lboeaifi.exe

C:\Windows\SysWOW64\Lenamdem.exe

C:\Windows\system32\Lenamdem.exe

C:\Windows\SysWOW64\Lmdina32.exe

C:\Windows\system32\Lmdina32.exe

C:\Windows\SysWOW64\Ldoaklml.exe

C:\Windows\system32\Ldoaklml.exe

C:\Windows\SysWOW64\Lbabgh32.exe

C:\Windows\system32\Lbabgh32.exe

C:\Windows\SysWOW64\Lmgfda32.exe

C:\Windows\system32\Lmgfda32.exe

C:\Windows\SysWOW64\Lpebpm32.exe

C:\Windows\system32\Lpebpm32.exe

C:\Windows\SysWOW64\Lgokmgjm.exe

C:\Windows\system32\Lgokmgjm.exe

C:\Windows\SysWOW64\Lingibiq.exe

C:\Windows\system32\Lingibiq.exe

C:\Windows\SysWOW64\Lmiciaaj.exe

C:\Windows\system32\Lmiciaaj.exe

C:\Windows\SysWOW64\Lphoelqn.exe

C:\Windows\system32\Lphoelqn.exe

C:\Windows\SysWOW64\Mdckfk32.exe

C:\Windows\system32\Mdckfk32.exe

C:\Windows\SysWOW64\Medgncoe.exe

C:\Windows\system32\Medgncoe.exe

C:\Windows\SysWOW64\Mlopkm32.exe

C:\Windows\system32\Mlopkm32.exe

C:\Windows\SysWOW64\Mpjlklok.exe

C:\Windows\system32\Mpjlklok.exe

C:\Windows\SysWOW64\Mgddhf32.exe

C:\Windows\system32\Mgddhf32.exe

C:\Windows\SysWOW64\Mibpda32.exe

C:\Windows\system32\Mibpda32.exe

C:\Windows\SysWOW64\Mlampmdo.exe

C:\Windows\system32\Mlampmdo.exe

C:\Windows\SysWOW64\Mplhql32.exe

C:\Windows\system32\Mplhql32.exe

C:\Windows\SysWOW64\Mgfqmfde.exe

C:\Windows\system32\Mgfqmfde.exe

C:\Windows\SysWOW64\Meiaib32.exe

C:\Windows\system32\Meiaib32.exe

C:\Windows\SysWOW64\Mlcifmbl.exe

C:\Windows\system32\Mlcifmbl.exe

C:\Windows\SysWOW64\Mcmabg32.exe

C:\Windows\system32\Mcmabg32.exe

C:\Windows\SysWOW64\Melnob32.exe

C:\Windows\system32\Melnob32.exe

C:\Windows\SysWOW64\Mmbfpp32.exe

C:\Windows\system32\Mmbfpp32.exe

C:\Windows\SysWOW64\Mlefklpj.exe

C:\Windows\system32\Mlefklpj.exe

C:\Windows\SysWOW64\Mgkjhe32.exe

C:\Windows\system32\Mgkjhe32.exe

C:\Windows\SysWOW64\Miifeq32.exe

C:\Windows\system32\Miifeq32.exe

C:\Windows\SysWOW64\Mlhbal32.exe

C:\Windows\system32\Mlhbal32.exe

C:\Windows\SysWOW64\Npcoakfp.exe

C:\Windows\system32\Npcoakfp.exe

C:\Windows\SysWOW64\Ncbknfed.exe

C:\Windows\system32\Ncbknfed.exe

C:\Windows\SysWOW64\Nepgjaeg.exe

C:\Windows\system32\Nepgjaeg.exe

C:\Windows\SysWOW64\Nilcjp32.exe

C:\Windows\system32\Nilcjp32.exe

C:\Windows\SysWOW64\Nljofl32.exe

C:\Windows\system32\Nljofl32.exe

C:\Windows\SysWOW64\Ndaggimg.exe

C:\Windows\system32\Ndaggimg.exe

C:\Windows\SysWOW64\Ncdgcf32.exe

C:\Windows\system32\Ncdgcf32.exe

C:\Windows\SysWOW64\Njnpppkn.exe

C:\Windows\system32\Njnpppkn.exe

C:\Windows\SysWOW64\Nlmllkja.exe

C:\Windows\system32\Nlmllkja.exe

C:\Windows\SysWOW64\Ndcdmikd.exe

C:\Windows\system32\Ndcdmikd.exe

C:\Windows\SysWOW64\Neeqea32.exe

C:\Windows\system32\Neeqea32.exe

C:\Windows\SysWOW64\Nnlhfn32.exe

C:\Windows\system32\Nnlhfn32.exe

C:\Windows\SysWOW64\Npjebj32.exe

C:\Windows\system32\Npjebj32.exe

C:\Windows\SysWOW64\Ndfqbhia.exe

C:\Windows\system32\Ndfqbhia.exe

C:\Windows\SysWOW64\Ngdmod32.exe

C:\Windows\system32\Ngdmod32.exe

C:\Windows\SysWOW64\Njciko32.exe

C:\Windows\system32\Njciko32.exe

C:\Windows\SysWOW64\Nlaegk32.exe

C:\Windows\system32\Nlaegk32.exe

C:\Windows\SysWOW64\Ndhmhh32.exe

C:\Windows\system32\Ndhmhh32.exe

C:\Windows\SysWOW64\Nggjdc32.exe

C:\Windows\system32\Nggjdc32.exe

C:\Windows\SysWOW64\Nfjjppmm.exe

C:\Windows\system32\Nfjjppmm.exe

C:\Windows\SysWOW64\Nnqbanmo.exe

C:\Windows\system32\Nnqbanmo.exe

C:\Windows\SysWOW64\Oponmilc.exe

C:\Windows\system32\Oponmilc.exe

C:\Windows\SysWOW64\Ocnjidkf.exe

C:\Windows\system32\Ocnjidkf.exe

C:\Windows\SysWOW64\Ogifjcdp.exe

C:\Windows\system32\Ogifjcdp.exe

C:\Windows\SysWOW64\Ojgbfocc.exe

C:\Windows\system32\Ojgbfocc.exe

C:\Windows\SysWOW64\Olfobjbg.exe

C:\Windows\system32\Olfobjbg.exe

C:\Windows\SysWOW64\Odmgcgbi.exe

C:\Windows\system32\Odmgcgbi.exe

C:\Windows\SysWOW64\Ofnckp32.exe

C:\Windows\system32\Ofnckp32.exe

C:\Windows\SysWOW64\Oneklm32.exe

C:\Windows\system32\Oneklm32.exe

C:\Windows\SysWOW64\Olhlhjpd.exe

C:\Windows\system32\Olhlhjpd.exe

C:\Windows\SysWOW64\Odocigqg.exe

C:\Windows\system32\Odocigqg.exe

C:\Windows\SysWOW64\Ognpebpj.exe

C:\Windows\system32\Ognpebpj.exe

C:\Windows\SysWOW64\Ojllan32.exe

C:\Windows\system32\Ojllan32.exe

C:\Windows\SysWOW64\Oqfdnhfk.exe

C:\Windows\system32\Oqfdnhfk.exe

C:\Windows\SysWOW64\Ocdqjceo.exe

C:\Windows\system32\Ocdqjceo.exe

C:\Windows\SysWOW64\Ofcmfodb.exe

C:\Windows\system32\Ofcmfodb.exe

C:\Windows\SysWOW64\Onjegled.exe

C:\Windows\system32\Onjegled.exe

C:\Windows\SysWOW64\Oqhacgdh.exe

C:\Windows\system32\Oqhacgdh.exe

C:\Windows\SysWOW64\Ocgmpccl.exe

C:\Windows\system32\Ocgmpccl.exe

C:\Windows\SysWOW64\Ofeilobp.exe

C:\Windows\system32\Ofeilobp.exe

C:\Windows\SysWOW64\Pmoahijl.exe

C:\Windows\system32\Pmoahijl.exe

C:\Windows\SysWOW64\Pdfjifjo.exe

C:\Windows\system32\Pdfjifjo.exe

C:\Windows\SysWOW64\Pfhfan32.exe

C:\Windows\system32\Pfhfan32.exe

C:\Windows\SysWOW64\Pnonbk32.exe

C:\Windows\system32\Pnonbk32.exe

C:\Windows\SysWOW64\Pqmjog32.exe

C:\Windows\system32\Pqmjog32.exe

C:\Windows\SysWOW64\Pclgkb32.exe

C:\Windows\system32\Pclgkb32.exe

C:\Windows\SysWOW64\Pfjcgn32.exe

C:\Windows\system32\Pfjcgn32.exe

C:\Windows\SysWOW64\Pmdkch32.exe

C:\Windows\system32\Pmdkch32.exe

C:\Windows\SysWOW64\Pflplnlg.exe

C:\Windows\system32\Pflplnlg.exe

C:\Windows\SysWOW64\Pncgmkmj.exe

C:\Windows\system32\Pncgmkmj.exe

C:\Windows\SysWOW64\Pqbdjfln.exe

C:\Windows\system32\Pqbdjfln.exe

C:\Windows\SysWOW64\Pfolbmje.exe

C:\Windows\system32\Pfolbmje.exe

C:\Windows\SysWOW64\Pqdqof32.exe

C:\Windows\system32\Pqdqof32.exe

C:\Windows\SysWOW64\Pgnilpah.exe

C:\Windows\system32\Pgnilpah.exe

C:\Windows\SysWOW64\Qqfmde32.exe

C:\Windows\system32\Qqfmde32.exe

C:\Windows\SysWOW64\Qceiaa32.exe

C:\Windows\system32\Qceiaa32.exe

C:\Windows\SysWOW64\Qjoankoi.exe

C:\Windows\system32\Qjoankoi.exe

C:\Windows\SysWOW64\Qddfkd32.exe

C:\Windows\system32\Qddfkd32.exe

C:\Windows\SysWOW64\Qffbbldm.exe

C:\Windows\system32\Qffbbldm.exe

C:\Windows\SysWOW64\Adgbpc32.exe

C:\Windows\system32\Adgbpc32.exe

C:\Windows\SysWOW64\Agglboim.exe

C:\Windows\system32\Agglboim.exe

C:\Windows\SysWOW64\Aeklkchg.exe

C:\Windows\system32\Aeklkchg.exe

C:\Windows\SysWOW64\Ajhddjfn.exe

C:\Windows\system32\Ajhddjfn.exe

C:\Windows\SysWOW64\Amgapeea.exe

C:\Windows\system32\Amgapeea.exe

C:\Windows\SysWOW64\Acqimo32.exe

C:\Windows\system32\Acqimo32.exe

C:\Windows\SysWOW64\Afoeiklb.exe

C:\Windows\system32\Afoeiklb.exe

C:\Windows\SysWOW64\Anfmjhmd.exe

C:\Windows\system32\Anfmjhmd.exe

C:\Windows\SysWOW64\Aepefb32.exe

C:\Windows\system32\Aepefb32.exe

C:\Windows\SysWOW64\Bjmnoi32.exe

C:\Windows\system32\Bjmnoi32.exe

C:\Windows\SysWOW64\Bagflcje.exe

C:\Windows\system32\Bagflcje.exe

C:\Windows\SysWOW64\Bcebhoii.exe

C:\Windows\system32\Bcebhoii.exe

C:\Windows\SysWOW64\Bjokdipf.exe

C:\Windows\system32\Bjokdipf.exe

C:\Windows\SysWOW64\Bchomn32.exe

C:\Windows\system32\Bchomn32.exe

C:\Windows\SysWOW64\Bgcknmop.exe

C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bcjlcn32.exe

C:\Windows\system32\Bcjlcn32.exe

C:\Windows\SysWOW64\Bnpppgdj.exe

C:\Windows\system32\Bnpppgdj.exe

C:\Windows\SysWOW64\Banllbdn.exe

C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Cjinkg32.exe

C:\Windows\system32\Cjinkg32.exe

C:\Windows\SysWOW64\Cnffqf32.exe

C:\Windows\system32\Cnffqf32.exe

C:\Windows\SysWOW64\Cdcoim32.exe

C:\Windows\system32\Cdcoim32.exe

C:\Windows\SysWOW64\Cagobalc.exe

C:\Windows\system32\Cagobalc.exe

C:\Windows\SysWOW64\Cdhhdlid.exe

C:\Windows\system32\Cdhhdlid.exe

C:\Windows\SysWOW64\Cegdnopg.exe

C:\Windows\system32\Cegdnopg.exe

C:\Windows\SysWOW64\Dmcibama.exe

C:\Windows\system32\Dmcibama.exe

C:\Windows\SysWOW64\Deokon32.exe

C:\Windows\system32\Deokon32.exe

C:\Windows\SysWOW64\Dogogcpo.exe

C:\Windows\system32\Dogogcpo.exe

C:\Windows\SysWOW64\Dddhpjof.exe

C:\Windows\system32\Dddhpjof.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 9688 -ip 9688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 9688 -s 416

Network

Country Destination Domain Proto

Files

C:\Windows\SysWOW64\Mjhqjg32.exe

C:\Windows\SysWOW64\Mcpebmkb.exe

C:\Windows\SysWOW64\Mjjmog32.exe

C:\Windows\SysWOW64\Nnhfee32.exe

C:\Windows\SysWOW64\Npckna32.dll

C:\Windows\SysWOW64\Nqfbaq32.exe

C:\Windows\SysWOW64\Nnjbke32.exe

MD5 83cc41cc06b51d2ae364223881a54471
SHA1 d8edb9de1c11567699b766ef095be36c0cd8c005
SHA256 555cf26ad6a68a2644b60da3f627c4ac64617fd3304dd81ab3132da2ea123fd2
SHA512 8fe0aea3e9531e1b1682c6c043aad1477545fc884e3ccab7e3f7509f2cad0b1765bd08396f62e98a6f808fd9cd958f373c7350a65dd8eb16e514e8bbc3b105f3

C:\Windows\SysWOW64\Nqiogp32.exe

MD5 82d8100a9125cb76fa9c2f70469c15bc
SHA1 8a26e7588041a078e7312efdab201b62d8149462
SHA256 581e204b90f07f702b4422415f84b03461ab14c7f0df0f223098f46527bd171f
SHA512 8d564ae3bfae8588a58bb6c678438668a957ee1e4a7edd14d4d3ea16f42472dc5679c88336df8402659241bfe3676dd271e6935511f512acf655b95d5c2bf8f4

memory/1436-56-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1312-53-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Nnolfdcn.exe

MD5 c0e33b38a4860b4d1718bfc39a0321fa
SHA1 60325b3ded50b7e4cf46e01d452b06203dd44cb6
SHA256 dc75ff7ca2c3b6a5bc0997c23be928e998456d76042fa8efd3f08e56cad83d7a
SHA512 9d3fb23cf828c38002714fdf47d3a47e3dacac7cf06815686d0c65bc4a9f9be5f6b57796017dc03028f1a1f8cc0751b71d807e22b0a5a66debd90e666e1303c8

memory/5096-63-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1364-72-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Ndidbn32.exe

MD5 30c54227c006630042e9efb506f8ea7a
SHA1 68cc5bbdd86b9a91241b8c244bae1d5d78f926b3
SHA256 1400cbe79f09e7c7998b4b51516917be3232d75673a7465413e76376057616ef
SHA512 49b3a7dc1bd9dce1d142f86a041b12276abb210224fb4ece15256b3278cb088574269c8f630c77a579c8b9273d014200c42453f713559284199553caf91a1196

C:\Windows\SysWOW64\Nggqoj32.exe

MD5 d2a1d349c31e211f8f390b4ea1ca276c
SHA1 2080cb744038888cecd4b01022973e20b24bf264
SHA256 69e476c5438c0a2216d3e5038d4e413704a34d5b593373ad58f9f3f220d6d79c
SHA512 610ff3658c16c9c8118928649d7e3a1b6f934724031ebb92c1b5af1588a8c762c75ebedca42186fdcc473fe04135a820815bff3a03984d3f67554a7cc62481e7

memory/3384-80-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Ojhiqefo.exe

MD5 06fb38a8a8d35fbfa367572694d7876d
SHA1 712059abf2cf3688248175d3742cf30a8a2bf636
SHA256 ec84c1c632f129b34de768ca53ae8ef158c5caca127be1064c596bc4c233896f
SHA512 c19ce375c4fe1c1771baf7509f0736688d4cff0423860e553013b8da035aefbd7c4754ca3e03c19d48678f5df1472461b13a12c6443a3fcc4bf4e6ae10878f8e

C:\Windows\SysWOW64\Ojhiqefo.exe

MD5 e30d4c1313a7b7f4d846df98915aded4
SHA1 93146bb07340abcd2f36ee2f6b9c177ef3c586d0
SHA256 33d101382ab6646750b8a35064bef44fd2aa3c47910cc1fc7e30da45d12f51e7
SHA512 f66cc1925e5a05c1fa13ad60648802f1e2151a2f78eb5625a30edab96838ed1eda6a4f56d1a6a447983f7969e6356622aade3e7761337fed40d7b093b45d9023
Note: same path as the preceding entry with different digests, i.e. the file was written more than once during detonation; both hash sets belong to this path.

memory/1556-88-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3148-95-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Obangb32.exe

MD5 2177faca7b76dec182ef3701f10ccb19
SHA1 1b9fa77ccc02a71b36eee937c6abb323d01b9ef2
SHA256 0ba9bbbf6a4df51009be778511fca3f70ef1d766fd49a7afbd2f1099ef7ced12
SHA512 1d14645a6c54ec8a8fad4a808a2d8ffbc85c0c7672594b148e2fcf02de1f14bd41068e0f49ca2996305894481b4a97582ecc472152bce880d3136011fc175c4a

C:\Windows\SysWOW64\Occkojkm.exe

MD5 d41a9f4abcece8fb3273b18a580129da
SHA1 c75cbab6a7c3d2a688b4b9d5a7963e719a3c76d5
SHA256 be2d0bc77901483999967d233098b6a20cf44229052bcb73c1c1a1fd61944079
SHA512 084c7e7255092246fb8ca849835b81c4847ac7b090e647cada1272e6cf9acc0d697c9a78883d9d4c44ff282e58aa6ec5f78054d6ce7a9c4c69094ce4988a7cde

memory/3372-103-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Oqgkhnjf.exe

MD5 542b42e95aca8c7203b7269e10099fe7
SHA1 efc998916c5e4a1303a3a26af81fde0019806484
SHA256 7554d790d652e8e6e8b7d3892e08656f9f2988720137985a6833f40de2b59435
SHA512 6aa68ccfa189007de8932d58ea26795d81e4354b82b5eabea5c9e3a004aba31a45e5d0b10c0daba1b5bd8fb3722daf069037d70ab640f635a12d3863ab3c251d

memory/4464-111-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Okloegjl.exe

MD5 5257acf1b48625eaa6066b7a611e73af
SHA1 7236a63157d14dc96a991b6af516f945257c0788
SHA256 aa61b64e1b5fffe56dc92c14ad0e4943ce3942a1b14ab47c44bc14179f9b7785
SHA512 4009b728f885ab79b3e2a0f0bd60862cad9f1a681bfd29b52c9bb8035e799f1b0ba8ce76580b682d1ebefefc3b3fb1bac7bf6c518f472be67f07a99f2d2067b6

memory/556-124-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Onklabip.exe

MD5 4cd625a4af3b4178f985a02cdb7a2cf9
SHA1 e87ebf4fc8e6da92e5189f514f44f170aaa15c17
SHA256 4137421f0bf6325b57df1763441fc67a528e74a04fd27b70b221bf1cef6844f3
SHA512 5d36f83cab948c3f782fce4d2115500697b251a2a0adf0ef0784cabd85914fb4d9ab9b84dbf41bf798e642e62c284e15892eb6e6fb72d6a5d6c699e2ebdcd686

memory/948-128-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Oqihnn32.exe

MD5 4139d85b9dd67875594f4966102bae19
SHA1 0d219e1bc5988bcc0d65631fa72aacad71e423eb
SHA256 34e61bf6d29ae6c2f5125599a175636e0f996b25c94b2c42ff88ebeba28317ca
SHA512 d214ef04b7566a438daa73e091484c69685c3529f9a901c5135284287629479d68a8d83ef3b885bf08c4bc5462e0a71c078078f27501d3811bc6766a32c18a89

memory/3872-136-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Okolkg32.exe

MD5 0d0aa620d9524d324c702fc584d97f39
SHA1 d17114e17dbc2cbe6f6f9a8eb7298de254dc3dcb
SHA256 309e6720b9eeaab901b7f24fcf72aeb2f918a93b20be8c71befa1856d56a400d
SHA512 b95c8acad53fd60d25881b4f4912c02665ba824c2f0e9dcb663fe49c6026f287b5d5070fc53ed0a151fbfe15e16d25f49d675c33a8e4a939d336bc82a5bfe548

C:\Windows\SysWOW64\Onmhgb32.exe

MD5 8f876e8c90c61c357f606f64c2788aaf
SHA1 33a8886c712e378eb3b41dc004c0e1c2bd25953f
SHA256 6827d2e7ce04c512d8992413a5505254a6e2f2e39c6093a4162896275a7c0281
SHA512 df15379123f8a12ef9a0acef4c89ff6b20604fb02636a6ef12e68048a47a6b92aa76b1d731656acb801b5593412ce9b5af62599907868b4ed33f98d0ac0773ca

C:\Windows\SysWOW64\Pnpemb32.exe

MD5 fb12a8b7b3aa04dc64cd32a18b3d1a83
SHA1 da9e39042296719e84f41a3f33cab795997670af
SHA256 a6153206167b69c49184152f9d07958c643f0fead01707d1171cae533fee45b7
SHA512 a28d2079efa7525d941a1749ab3e52f8733b4060ff5cd91d9e260db055f559b9b18d113da92f65e990d35c363a45aa07bfaf5826382cc09e78b76fa295ce4172

C:\Windows\SysWOW64\Pbkamqmd.exe

MD5 91362157018e2b3fc0f5e7614c1e838d
SHA1 26f9267abd7965c47118cd591baf5d56f4265404
SHA256 ae406bdd9d4ec847aeb7a29f3c1f6fb7bcab1403f914ecb53def18ae12a14395
SHA512 54766430e87111f39a8f8cb70ebf0250e067b886fd6de70f703c1fa9f6fcc6801ad6838ec8febb09204b12787b2bef6f991555726061304c114a4a9c3eca863e

C:\Windows\SysWOW64\Pgjfkg32.exe

MD5 924c3511d0ed77c19102bd56daf8fb0c
SHA1 340697660d456416d6f8a00e4cbdf83b1175bc3a
SHA256 78691942763c2ed52a070a771381b4503eafe42a1bcafe19caf4aa850e7b6c00
SHA512 41f0b200abc24cf0fca80e5cce071637b027e52b8f225486e0d56181856a649797bee58c60b904463ba66b176a2d0895b1dc4b45daaae8a0581f31cda0f06e28

C:\Windows\SysWOW64\Peljol32.exe

MD5 7d3c479e330a244963062353181b38fd
SHA1 c0c33c27d842b2f8c614289319cca333efea8c8f
SHA256 4c063bf2eb55adb09c608126de3cccf8c6cafac81374e24b586cfff79e93c75f
SHA512 fd8da00f7dea5702c67733edc72776bc0cedcc601b1edebdbfc2e537de42e3beda5a8b748b7155eabefb7ebb1b1e71755604d7ec87bd824eed87aa2ddd7ff96c

C:\Windows\SysWOW64\Pqpnombl.exe

MD5 3f3a1de7076288e83d7af6cafebe7065
SHA1 c597dc0b720bdb69567665b4819fcf07bb3d42f0
SHA256 78f94808ade4dfc2bc48972726bd31659ebe0028b33abe78bc12b98e97fa1732
SHA512 3413dc8414e9b61db50c5ba5d7e6005592aad76e899a2d01200e37ae3c80fdca96dfeea2aedaf5a210323887a2f36410bb23bd18dc85d8a313a7be2201f7ac97

C:\Windows\SysWOW64\Pbmncp32.exe

MD5 f01dd974330166e986ed006a703fd510
SHA1 53e65b754d7b40b6bf00003c642f226e112675d6
SHA256 c7dad0356445e7c6f2435ac8d92caabba3731ec6fc19100dd3261b33605aba7b
SHA512 69e0366fd932398c0b1c53ecef175e70bcad12a8913872864ce91bb88e91c2c975e5c82c73b6e4b2c30b78ff7df266ada58545c9f54334421f2e9ce6bf86c35f

C:\Windows\SysWOW64\Pnbbbabh.exe

MD5 749d16694a4b97b05a591ae8f5909f8d
SHA1 ef48780959313ab796bf9188088a38f21d68ec10
SHA256 3e6167f557f80ad0829773408e3662518cc753ddb2f50d3b2b6c75572ae5f8af
SHA512 28ea9ac578fc26a899a0a82b2efb8496b50b4d4d438e348054520ed0b9785f2d17577fb991807451adc21acb482065d319145ee7a2beb733b8366c9bf3097ca0

C:\Windows\SysWOW64\Pkceffcd.exe

MD5 e494cc373300758c9fc3792ce3ea99df
SHA1 1734a0095596b166e8b2c2cf87b0f911c3c4f4b8
SHA256 92b96f55e49a31a763d00ba79c920544f2cbaa1c6c39ed3a73fc2fa9069beec6
SHA512 c938618f3e8f1e162100242b03990a4fa1ff48af8ff3939e67b53a747a286d3142c6eec8e4c938c8e548c79cb51efb4dde359dfb881355766dcaa12c3f4c2370

C:\Windows\SysWOW64\Pghieg32.exe

MD5 87d87d4d51bacd351bb76a7e32cc85cf
SHA1 18dd1b524cc082dbec85e8146d38672e38bb726f
SHA256 6760890beeea364c4e5a1f1bcdcd4cfc5843117b93a3018d1f722aaadf53e40a
SHA512 e58bac8a7f305730ecc253ff862e76ecc5b90f8421de15b83ed2e19c42ed101e6e234caff58b26e806616613080507b82e3b858767f492c3aa5b584b92767ccd

C:\Windows\SysWOW64\Pclneicb.exe

MD5 40de987c13d13033fd4d43071855146b
SHA1 3060c8cb78cefdce7b3a6ac1fea6ce6faa230465
SHA256 ca2fd893e6d357542ff3ee3369045817be7bf2e150229fe94d49abdcfd43ac89
SHA512 0103ad6bd9f1455f89c6dbf24837bb6d681eb7addbb151a2c8261450dd8ad08f46d35abee192aea8f86747b2b63f0b4d780505313763591ae0c42f7e8bf34b66

C:\Windows\SysWOW64\Pqnaim32.exe

MD5 377f564627dd64d62b985d52ed742598
SHA1 022498f892dc24f0dd7bbf8d7c0dcaa09f801dad
SHA256 0d8002c0544a14919d3e673edde91d2af06c85678c7d280056e0bf971c995127
SHA512 b5f15a772578abe8568e4a10dcba2a3e3911d0d71bd3434c922b8e0f712228911df14d1ca36115aad592ce8df6ab8609ac79b9f744413ec787385e177b891bbb

C:\Windows\SysWOW64\Pgemphmn.exe

MD5 b267c9ab8f8589bdbf60d5d0b01f59b5
SHA1 79dc5b81bac1faa01400929fd0e22d6901bef94d
SHA256 3301b55df716eea8628557fe02333e347fd06857a2aca2f96a81aea2766f220b
SHA512 cbacc7f70d508afde7dbd7042a81cacc9e98e4ac37d15dad493fa2f48242fd2fb6a50035645c093252403f7decad2b6dbf459475f857180309d6d3568ed4962d

memory/2136-165-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Odgqdlnj.exe

MD5 0ad7ae903cce7ea0757829b53ea6c22d
SHA1 ede5d31df7024e67e432b827b90cb95e53d366a2
SHA256 0e440708fa5595556c848575a2b33546edd5636a075bfe995bad25bca85b4e2a
SHA512 6fea2039d56bcc4f0717af12fcdfe2b67d376d934c2ca4227b22e62fd6d549a6f789db55b7527dbbd9ac5b38af2452cdbca097f1df440a5968a397745c1b94d7

memory/3508-157-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4636-149-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1464-415-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4392-420-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5084-444-0x0000000000400000-0x0000000000443000-memory.dmp

memory/560-443-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3068-442-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5088-432-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4108-431-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1384-430-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3568-429-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3552-428-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2308-427-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3628-426-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1176-425-0x0000000000400000-0x0000000000443000-memory.dmp

memory/748-424-0x0000000000400000-0x0000000000443000-memory.dmp

memory/860-423-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1076-422-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3104-421-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1244-419-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4932-418-0x0000000000400000-0x0000000000443000-memory.dmp

memory/612-417-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4596-416-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1304-414-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3028-413-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1996-412-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2892-411-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2180-410-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4208-465-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3644-464-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3368-463-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3712-462-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4628-461-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1012-460-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4516-459-0x0000000000400000-0x0000000000443000-memory.dmp

memory/836-458-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4476-457-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1300-456-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4012-455-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2424-449-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1004-448-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5116-447-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2876-446-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1120-445-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3492-440-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2144-439-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5004-438-0x0000000000400000-0x0000000000443000-memory.dmp

memory/468-434-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2692-562-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3060-573-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5368-580-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5332-579-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5296-578-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5260-577-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5228-576-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5188-575-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5156-574-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5016-572-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1672-571-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2808-570-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1648-569-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4896-568-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2344-567-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4920-566-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2236-565-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1712-564-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3496-563-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1532-561-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5532-597-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5496-596-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5588-598-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5636-604-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Cdkldb32.exe

MD5 e5f7864eabb06714ffab3fb7a9bc7c3e
SHA1 cbac97a9088b4c01cef3892349648fb7da6eb731
SHA256 fcbe78c4269f2501c05ca3d2fcaf971029bf05d410494302ec6e06f816968f51
SHA512 be11a9c880f5fe53ee4a93c3eb54d431cfa137574e3cfebea2c5a5f9942770f4ca4c3eadd176274a4ef544897ce7f7b6ba8051fb35917aa11e027f4ef660cb17

memory/5676-610-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5724-617-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Dhidjpqc.exe

MD5 9ee9def732c9271b9476a78018fc0c54
SHA1 dd6295bb81f9b2bc235ab6070473c3d24f2bf17f
SHA256 1ca376465adcbc1c3453277e5a76f36846c4bc2aef67cab3eb707624312361d9
SHA512 32cfe77724319e80283bde29f7e2bdf3658ebe47f913ea296ac56a232a8657cccef310b5d996f306c1afd0b51c609770be50f7191973871b52526edb5b79cfec

memory/5764-626-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5808-628-0x0000000000400000-0x0000000000443000-memory.dmp

memory/5852-634-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Dafbne32.exe

MD5 0668f4b370c5b6e3983eab51cc2f2b29
SHA1 0c2b9c4cd39480194ef073e48fe005acac15a606
SHA256 714cba6b5dae6144178b3f982a4c6f21d69fba28860cee1027f24d2009a85e76
SHA512 679742d900888fd9d0b30fe1fffce9b0a5e1b35486ef3a8c6c8cda098d0844afbbce1b7dfae5bbb3238e6a1eaa741afe87dd479a3437ac4d50c4e6a633351695

C:\Windows\SysWOW64\Dedkdcie.exe

MD5 ae45c32010b271b625ac50d2879f79bf
SHA1 7034b499faef14fafbe7aedc84e6b0b936237b5d
SHA256 d03626080fae721ceb3b09d8defb094ac10b5f654da3e10c6c5aa60aad1186a8
SHA512 0c2e8d639f7afc3bb1dad2a2c353331f618047e54aac3feb47b2c270a39092e959f1e919c850a737a73bf32e5bbba6daad047d3e366a3f01d56c796b14698742

C:\Windows\SysWOW64\Fkopnh32.exe

MD5 38d6ff96fc4527e8d10567e51bcc21ab
SHA1 47b6c1d4e67ec27df893a03b12a5cece91188e22
SHA256 6954e9624c5e73fa8a5b8649f79f49d53ec33a07c9c88d647c995ae9304adb06
SHA512 784f28f4ce53d959ab6835eaaa9e9c20d4819102b526d2ddeaf6ca11f81cebdb10a2417442f277583e20143d49a66a8b0bf9bc2b9edcb3d12d214228cbbacda7

C:\Windows\SysWOW64\Fooeif32.exe

MD5 71f7121a14bd854f6d9370e2e1997efd
SHA1 e70a420c464142a942df64070de05202a44ebd0f
SHA256 24390ef6149d9d3cbf72aff2e3bc78c808209f7ae23d4c7e2b27ec67c1ef0a29
SHA512 861595f15aed104f782e39e13b9cd0d48bfd908326fe0e12230be2fe8ccfbb532f2213088bd6bd6fe4022ff7c25dc992ec236743624e42d38929b41674f5973a

C:\Windows\SysWOW64\Ilidbbgl.exe

MD5 523e6c547e0c61b042397aff271a229d
SHA1 627f2ae6af662910e55e98c129c64f15acedaf97
SHA256 3192eb3cebf2619616c6ca26e7fabb032632b391ac1485773b734b792541bc25
SHA512 edf22616ce3430fd5e0bdaccfabd9a13466489d7b1ee872fa3b424e9023f4fcc09f227ded3f3ef757020de25aecd44d48141eecfc9f1dec68cb16b0e52379591

C:\Windows\SysWOW64\Jpgmha32.exe

MD5 3c176f2bab9f84edfc4903ed82c09ee5
SHA1 922b470d71e8acba0323fc8522959d8ea8cc497d
SHA256 c4bf54f1aec7393653baa482af1c2acdc1377004c500a05a7bf083f181467dd3
SHA512 a632547a0aeb39f52e05cb9cb737b1352f947ed93884cd22c858fc6d5a03f604591599e41c839c7a29004c7064ec382ff869586d9c97f2ddda7c43e5a6ec3ddc

C:\Windows\SysWOW64\Jedeph32.exe

MD5 b1c998afa7e71c2faecea524bab7b497
SHA1 f626a5920aafe1bb72b3c7144ebc5310e7f2fc22
SHA256 349a87a2705e84b9c49e6862a6393e87e87f30aaa1b8ef10fa34cde6085648ce
SHA512 8f2be7b49d2969696580841aaa1087ddb0b58678e5d8ed3f1e8c3bf14f08705b1c5fbb4ae6995ba13250aafbb9b3ee0b9287b627aa19807f15491b6c148a56c8

C:\Windows\SysWOW64\Jefbfgig.exe

MD5 25ade0c3e0dfa1d077c0aacfdede4a81
SHA1 aa5ac3f488d818915dd4f084a4842a6ccb0ced2b
SHA256 d62ecca2989289404f8745a49ef4575cb67fa75b095c57d6dce9920bfeb8136c
SHA512 18e15173970d73143d322c34b186526c87a73b9280898851ee7736300b7a0c362278fcfbf0d6451670b36d541c1459c0247af6f153ffc99b326f236cd4794ea5

C:\Windows\SysWOW64\Jpnchp32.exe

MD5 3a221e28e042dc91ea9610c5e5d9537d
SHA1 c05ec8055d73c52917ae23f55a9365803a29ac9c
SHA256 ed85b73e77508dd5b0969f42991e2b2aa756636c23236c74be05e1e981f35eda
SHA512 d76e1c4fc9afd693de8bf9299271f10ddb64f61936cfb47a34c6591ef796fdec69c5658d845c9f15652cc1803d48d26100abaf682a691f008d067827778c4bf2

C:\Windows\SysWOW64\Jlednamo.exe

MD5 23ccb41c257b36081f6eff6f9fb21a4d
SHA1 737d99a12636e53ad0508fab628ed5a460f7ebfe
SHA256 f292faecb859ebe02fb956f5f3c6c6c6a52064fc210baf771fb695b8ce5ff19f
SHA512 81addccb336842410766c0e33db743bb7d73c6f85775f3bfc038fcb857de3f176c3bddd147b0bcb81f702790987618956859dc8b92c8f492a28bc2932362f1d0

C:\Windows\SysWOW64\Kebbafoj.exe

MD5 5bc47aab7ac6b4dedbb18c6b2b7db5a5
SHA1 1d9a800e0f8aa3eaced28260ade523aa65518a32
SHA256 d13450633e010c1f0ff208fb54a387c5e520e47f6eb366659e94efff2e6a6949
SHA512 be3ae75502142ad334d2eea59ee9c3cec4fd21fa6b698dfb584d558b494e20a03a678a279737eb41c352d9c02f482406fa9baaf9e432456c6c3521cf1870addc

C:\Windows\SysWOW64\Kibgmdcn.exe

MD5 a2f10f4460166e0b8a93b076f73e7813
SHA1 2b85470480bb251f2f1f103c240b9bad2131dd28
SHA256 9e22a8cda3a3d1d52e5567cf29c29387857bab5201233a24b70503d48eff6c09
SHA512 85e8b9bb89143143a86999148c82f8694f4939dd9c22b11bf86ae17e52681bc8b9536a59dea373136d66fe51c1d5d9002ec3e813f9276643f2a071a11a488f2e

C:\Windows\SysWOW64\Lffhfh32.exe

MD5 c4baf6a6b7fe9403984fd3e801fa2b84
SHA1 6dfbc0551f2055d7208448f60a8b368225b6e816
SHA256 17ad545aa88811bf94d0bcd9d45732eef546ed2573e7468e1b410bd7c2bbfafd
SHA512 31d80b3b32b0a16b051f0c4ced48499a7887e3bc1ca96fa8c59aa42e45a4a6e1c39fffa0dc1dc353afc8fd6d81c03790ed3612eb247be6160c7aea2392471395

C:\Windows\SysWOW64\Ldjhpl32.exe

MD5 699927013b908032eedb5220753164e7
SHA1 4e33a8c1e8cc7041168b57c58731bf182720222f
SHA256 d299fdc00721133bb27560aadbb6bc847449ca393043b88af5f1b1c097f4161a
SHA512 ebba1b1b687f073dc0aab4712698b8533ce34718c66e0d5bce5904a24b95e0d433bd7dfc595a8445416923128f87f8c9b6517332aca3fcc55b6ac87e32b2ba0c

C:\Windows\SysWOW64\Lpebpm32.exe

MD5 457daaf710e8873799ad1d74cfeb5d86
SHA1 f74c0acc926f1762be1bea8f8c8ef6438751201a
SHA256 558a34faa2971270d4f36296234fb4970b9b04024d7de3702943d61f03fb62e3
SHA512 553554ec3cc66e618f724b42bc8f052dd17e87a46c851994ee6cea6e3a821285d518fd0c7e7c5f8e71722ec8ccf044a98770be57df3bf536ca7d038899e2ab4f

C:\Windows\SysWOW64\Mpjlklok.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Note: these are the digests of a zero-byte file, so they are not usable as indicators; they match every empty file.

C:\Windows\SysWOW64\Mplhql32.exe

MD5 52441d3a8137340fb0bf789447de5f71
SHA1 4bf6b675f3cb88810d64539c687a189dd4476891
SHA256 3a853404d3f6a539289075d62471d6db07c564f74f3ffb6b1458a85044ad77a9
SHA512 5e137b84668353d203a136fd6ded326cbaf5992392fbb98448fd10cdaab01c640ac96f647ff0f022a9b4791158210d6d18378208a63a7a5b95c390b762ff8c3a

C:\Windows\SysWOW64\Mgkjhe32.exe

MD5 f0b8654be94a9b1c6f0c318a43ed92e2
SHA1 22249ecdc88adeef0fc1c0ca2c85f2eafc2aca96
SHA256 c81a2c79f83367c961409fe47d874bf6a046240fd28360ca7bbdee507d7938f6
SHA512 893903b0cb00a08ae866931e57d7fac6b75f6eaa24d9d6d21c58a804f515c47647ff8ebf1014278ce6c816c3d8a03ce1e39afe25dc0e48b02d187409d716c263

C:\Windows\SysWOW64\Ndcdmikd.exe

MD5 90ed3277d2b665076114f3e0f9b5adb7
SHA1 99b815dc0e94738f2670485bb62336fe03083112
SHA256 dab3576e60bbb74dcdf14ec4deb04e6a77b6a61e108860abbead48081e361f1a
SHA512 55dcb6e2ae239bedc44d40905b17954c1421e9b67b34225b1528fada1fe8f2b85e92fa025147670b50551ed75690a819a5fdd9ed6212f474ea316b5b889e76e6

C:\Windows\SysWOW64\Pmdkch32.exe

MD5 a23312d389e8924da0947732b86179d5
SHA1 40ba5260e1b9e3dda1b04776191053a2384c92d2
SHA256 2ca8e6b2b9f804b99406ed057aea916c25ced61009c3000f5bc1324fa133d94b
SHA512 d2e481ed599f6105f7feb1d466ae1722c298f65a8fa38b72285fc0c9062c1cdb86903c58acd0741d8040896ee759cf062c33843eb9d5bc3ee6522b04edb199dc

C:\Windows\SysWOW64\Pqdqof32.exe

MD5 1b91bc9c6b40cb099dca8b4fc7f4fd79
SHA1 2ed5cf63e9767a22047844e35134a1f1a5690e04
SHA256 d4c9cc14af9874e60f0833c4ff1dc403201f23d0b44a6c48bfe04212d009c2bd
SHA512 8b9693978418ebab938b1d300e590d46f83dcffdd07bcc230cd8b8f34110ea4dfad640721a0481ef7a5c4980c32bf1a02e5c176098a459745f759aa6ac04ad6e

C:\Windows\SysWOW64\Pgnilpah.exe

MD5 da5aeddfea028e5b914a6edb5f011e86
SHA1 64624e8ea89cd04aa86da9683592b8a978f78db1
SHA256 f2e696a57e3a0941fbe177e998c30b409b890d4a77c6f0042b14f92b9ffbd460
SHA512 dd7e0f0567624197effff1ec520cc1a236d2f7ce7c38824958d8ea213c3bd5c7c9ac646c42ce461e69351528d11a770c537a26d24b940cd01426c875c05a776f

C:\Windows\SysWOW64\Aeklkchg.exe

MD5 ddf673f46ff81326215e0c259e2e29c6
SHA1 007282e39917b3b91f2ab02c137ffbbf45c8a8a1
SHA256 1ad336bd9ac0e79306df808269a4552dde2efd01c04c48fea361e926ec1b2b02
SHA512 e0daaf7669d7b5911cd3c2debd924f7da1daef62872c01f1d41850617a0983b5071fc91e2bdbaf8f0d20609f1733417305c6267746a2b6702a1d2db412e84e42

C:\Windows\SysWOW64\Aepefb32.exe

MD5 93be574ccfd373c30b1e7784a3663cdf
SHA1 7893b68dad3b0c22f3c2ef0f4d3dffcfb17e6557
SHA256 e21e93dbd8faf5042dba5cae987356704217f667e1c6e2b99cf00fd60b9215ef
SHA512 8316bc54e8309979732573e910b02fde58e93cd038307ab9393936f50a259ba1c8ffe5f9d3fbf666b625b40a942292e7ec5692594fd8a9378c9bbd75e1d2d265

C:\Windows\SysWOW64\Banllbdn.exe

MD5 8cfae3a3597f7df2dda16a097a2a38fa
SHA1 4a5bc5677d83dc78108e592a3ca399f83bc46478
SHA256 8cf0108f1bff780f6df029c68d47eae3ae8acbd343fcf7c87d6df1204b8d3198
SHA512 0c32cea810711c15f213fa557e2179eab7df698568cce91fcb110ecfdb3633476be61b2894cc030d45b2a42909fe33725efefa6538f1123c5586e6ce21a1e145

C:\Windows\SysWOW64\Cnffqf32.exe

MD5 f3931a310dabd1cb01ec72c55af7e6cf
SHA1 1c8412d7f2441fb784c4c1f3cc534ee1da07a9aa
SHA256 1f876b22aacbf6e70ea02a330549003ade294460659c4b8d47613d01fd6dc32c
SHA512 40d35015d6ddddc57a43b7b0ee22a1fd5ce9a114f48a64b5de2e9c3184af17ded01e4b48efd5fb46c7ea0142786212d23b25bbcfea4e1254e064d8fe5fbf4919

C:\Windows\SysWOW64\Cdhhdlid.exe

MD5 1940da00d37065b5e9b972c8ef280746
SHA1 0f4fd56cbbd9c2f58aa704b6f8b0d6a71ce4fa1f
SHA256 673cc609503fb38069c7e6be6e6906410a58dbc98ef5857074d93c4765a03093
SHA512 690e6b0b0c96a82d3981162dabde82545310411ddc07c32649b4326a0c1289f7be7c91d38fd0d1358ee386dede5c7a44b9373a30b3932957aecbee2e416c192d

C:\Windows\SysWOW64\Dmcibama.exe

MD5 75d1d4cfdd968b9681cb7497e628731b
SHA1 708821b27dc8db1284ba67b884a62d1c9a5b068b
SHA256 8b10459cf65cf2cc595d535898c9f3ce58d7656a728b2036198e9a47e793b898
SHA512 b972e78d82901ac738b07a13f5fba39a0d2032979e84bde8c2226d7c38236ffbab38afc5918ec72367412b5c86f5741b61a32b948f6c25504e31d6f2e5978a02
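The listing above is easiest to consume once it is parsed into records. The following Python is an added example, not part of the sandbox report or its tooling: it reads this plain-text Files format (a path line, one digest per line, blank separators, memory-dump lines interleaved), separates file records from dump records, and flags the two things in this listing that change how its hashes should be used: a dropped file whose digests are those of a zero-byte file, and a path listed twice with different content. The input is a constructed excerpt of the entries above; the record and finding names are the example's own.

```python
import re
from collections import defaultdict

# Constructed input: entries copied from the Files listing above, in the report's
# own line format. Two records share the Ojhiqefo.exe path; Mpjlklok.exe is empty.
SAMPLE_LISTING = r"""C:\Windows\SysWOW64\Ojhiqefo.exe

MD5 06fb38a8a8d35fbfa367572694d7876d
SHA1 712059abf2cf3688248175d3742cf30a8a2bf636
SHA256 ec84c1c632f129b34de768ca53ae8ef158c5caca127be1064c596bc4c233896f
SHA512 c19ce375c4fe1c1771baf7509f0736688d4cff0423860e553013b8da035aefbd7c4754ca3e03c19d48678f5df1472461b13a12c6443a3fcc4bf4e6ae10878f8e

C:\Windows\SysWOW64\Ojhiqefo.exe

MD5 e30d4c1313a7b7f4d846df98915aded4
SHA1 93146bb07340abcd2f36ee2f6b9c177ef3c586d0
SHA256 33d101382ab6646750b8a35064bef44fd2aa3c47910cc1fc7e30da45d12f51e7
SHA512 f66cc1925e5a05c1fa13ad60648802f1e2151a2f78eb5625a30edab96838ed1eda6a4f56d1a6a447983f7969e6356622aade3e7761337fed40d7b093b45d9023

memory/1556-88-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Windows\SysWOW64\Mpjlklok.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero-length input: a dropped file carrying these is empty, and its
# hashes match every empty file, so they must not be used as indicators.
EMPTY_FILE = {
    "MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


def parse_listing(text):
    """Split the listing into file records ({path, hashes}) and memory-dump records."""
    files, dumps, current = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := DUMP_RE.match(line):
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None          # a dump line closes the preceding file record
        elif m := HASH_RE.match(line):
            algo, digest = m.group(1), m.group(2).lower()
            if current is None or len(digest) != HASH_LEN[algo]:
                raise ValueError(f"hash line outside a record or wrong length: {line}")
            current["hashes"][algo] = digest
        else:                       # any other non-blank line is a path: new record
            current = {"path": line, "hashes": {}}
            files.append(current)
    return files, dumps


def triage(files, dumps):
    """Flag listing features that change how the hashes should be used."""
    findings, by_path = [], defaultdict(list)
    for f in files:
        by_path[f["path"]].append(f)
        if any(f["hashes"].get(a) == d for a, d in EMPTY_FILE.items()):
            findings.append(("empty_file", f["path"]))
    for path, recs in by_path.items():
        # Same path with different content: the file was rewritten during
        # detonation, so every hash set recorded for that path is a valid indicator.
        if len({r["hashes"].get("SHA256") for r in recs}) > 1:
            findings.append(("path_rewritten", path))
    sizes = {d["end"] - d["start"] for d in dumps}
    if len(sizes) == 1:             # every dumped image has the same mapped size
        findings.append(("uniform_image_size", hex(sizes.pop())))
    return findings


def sha256_indicators(files):
    """SHA256 values worth blocking on: every record except empty files."""
    return sorted({f["hashes"]["SHA256"] for f in files
                   if f["hashes"].get("SHA256") not in (None, EMPTY_FILE["SHA256"])})


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE_LISTING)
    for finding in triage(files, dumps):
        print(*finding)
    print("\n".join(sha256_indicators(files)))
```

Run against the full listing rather than the excerpt, the same parser also yields the per-PID dump regions; the identical mapped size on every dump here is what you expect when each child process is the same executable re-dropped under a new random name.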