Malware Analysis Report

2024-10-16 04:59

Sample ID 240602-yjjgbach5t
Target virussign.com_a537d2478356f0fb5710b888e178f7e0.vir
SHA256 62d7925c29c53e19cc3247b35b31c5b1431533d2e17e961340da6f562dfd9d0f
Tags
backdoor dropper persistence trojan berbew
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

62d7925c29c53e19cc3247b35b31c5b1431533d2e17e961340da6f562dfd9d0f

Threat Level: Known bad

The file virussign.com_a537d2478356f0fb5710b888e178f7e0.vir was found to be: Known bad.

Malicious Activity Summary

backdoor dropper persistence trojan berbew

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Malware Dropper & Backdoor - Berbew

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 19:48

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 19:48

Reported

2024-06-02 19:51

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kapfiqoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lljdai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Klhnfo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cogddd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Giljfddl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Joekag32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fnipbc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ocohmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdmfllhn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mqhfoebo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nckkfp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Klfaapbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pnifekmd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qobhkjdi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hnbeeiji.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfnjpfcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iliinc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Haodle32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iamamcop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oplfkeob.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fefedmil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ibfnqmpf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcmdaljn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kcpjnjii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ckeimm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jenmcggo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bpkdjofm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojdgnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qpeahb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iamamcop.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Enkdaepb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iepaaico.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iidphgcn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjaabq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jcfggkac.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmdnbn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iahgad32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nmfmde32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bakgoh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfbcke32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmojkj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nfqnbjfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncqlkemc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Onkidm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oaplqh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aogiap32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adkgje32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbgihaji.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnojho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nflkbanj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmnbfhal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ommceclc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fpimlfke.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iinjhh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jmbhoeid.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jilfifme.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ooibkpmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Alpbecod.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Klahfp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mcelpggq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Giljfddl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmaffnce.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aajhndkb.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Nmlddqem.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndflak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhahaiec.exe N/A
N/A N/A C:\Windows\SysWOW64\Njpdnedf.exe N/A
N/A N/A C:\Windows\SysWOW64\Oeehkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odhifjkg.exe N/A
N/A N/A C:\Windows\SysWOW64\Onnmdcjm.exe N/A
N/A N/A C:\Windows\SysWOW64\Oeheqm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olanmgig.exe N/A
N/A N/A C:\Windows\SysWOW64\Omcjep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oejbfmpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohhnbhok.exe N/A
N/A N/A C:\Windows\SysWOW64\Omegjomb.exe N/A
N/A N/A C:\Windows\SysWOW64\Odoogi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oacoqnci.exe N/A
N/A N/A C:\Windows\SysWOW64\Odalmibl.exe N/A
N/A N/A C:\Windows\SysWOW64\Oogpjbbb.exe N/A
N/A N/A C:\Windows\SysWOW64\Pddhbipj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pknqoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmlmkn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdfehh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Plmmif32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmoiqneg.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdhbmh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmaffnce.exe N/A
N/A N/A C:\Windows\SysWOW64\Phfjcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Popbpqjh.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdmkhgho.exe N/A
N/A N/A C:\Windows\SysWOW64\Pocpfphe.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdphngfl.exe N/A
N/A N/A C:\Windows\SysWOW64\Qoelkp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qhmqdemc.exe N/A
N/A N/A C:\Windows\SysWOW64\Aogiap32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeaanjkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahpmjejp.exe N/A
N/A N/A C:\Windows\SysWOW64\Aknifq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aahbbkaq.exe N/A
N/A N/A C:\Windows\SysWOW64\Adfnofpd.exe N/A
N/A N/A C:\Windows\SysWOW64\Akqfkp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Anobgl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aefjii32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alpbecod.exe N/A
N/A N/A C:\Windows\SysWOW64\Aonoao32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aehgnied.exe N/A
N/A N/A C:\Windows\SysWOW64\Adkgje32.exe N/A
N/A N/A C:\Windows\SysWOW64\Akepfpcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Anclbkbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Aekddhcb.exe N/A
N/A N/A C:\Windows\SysWOW64\Alelqb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnfihkqm.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhkmec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Boeebnhp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bepmoh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhnikc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bklfgo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bafndi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bddjpd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bojomm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnmoijje.exe N/A
N/A N/A C:\Windows\SysWOW64\Bedgjgkg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkaobnio.exe N/A
N/A N/A C:\Windows\SysWOW64\Bakgoh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bffcpg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bheplb32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Omcjep32.exe C:\Windows\SysWOW64\Olanmgig.exe N/A
File created C:\Windows\SysWOW64\Kmdpiacg.dll C:\Windows\SysWOW64\Bddjpd32.exe N/A
File created C:\Windows\SysWOW64\Ilphdlqh.exe C:\Windows\SysWOW64\Ibgdlg32.exe N/A
File created C:\Windows\SysWOW64\Qffkpn32.dll C:\Windows\SysWOW64\Bakgoh32.exe N/A
File created C:\Windows\SysWOW64\Hbjoeojc.exe C:\Windows\SysWOW64\Hplbickp.exe N/A
File created C:\Windows\SysWOW64\Fcokoohi.dll C:\Windows\SysWOW64\Ngjkfd32.exe N/A
File created C:\Windows\SysWOW64\Binlfp32.dll C:\Windows\SysWOW64\Nqbpojnp.exe N/A
File opened for modification C:\Windows\SysWOW64\Nfohgqlg.exe C:\Windows\SysWOW64\Ncqlkemc.exe N/A
File created C:\Windows\SysWOW64\Oakbehfe.exe C:\Windows\SysWOW64\Onmfimga.exe N/A
File created C:\Windows\SysWOW64\Dhclmp32.exe C:\Windows\SysWOW64\Dbicpfdk.exe N/A
File created C:\Windows\SysWOW64\Lblldc32.dll C:\Windows\SysWOW64\Ibfnqmpf.exe N/A
File opened for modification C:\Windows\SysWOW64\Jcoaglhk.exe C:\Windows\SysWOW64\Jpaekqhh.exe N/A
File created C:\Windows\SysWOW64\Kncaec32.exe C:\Windows\SysWOW64\Kflide32.exe N/A
File created C:\Windows\SysWOW64\Jaonbc32.exe C:\Windows\SysWOW64\Jblmgf32.exe N/A
File created C:\Windows\SysWOW64\Jbepme32.exe C:\Windows\SysWOW64\Jeapcq32.exe N/A
File created C:\Windows\SysWOW64\Okehmlqi.dll C:\Windows\SysWOW64\Mmpmnl32.exe N/A
File created C:\Windows\SysWOW64\Cepjip32.dll C:\Windows\SysWOW64\Dgeenfog.exe N/A
File opened for modification C:\Windows\SysWOW64\Efjbcakl.exe C:\Windows\SysWOW64\Ebnfbcbc.exe N/A
File created C:\Windows\SysWOW64\Enkdaepb.exe C:\Windows\SysWOW64\Ekmhejao.exe N/A
File created C:\Windows\SysWOW64\Idefqiag.dll C:\Windows\SysWOW64\Lfeljd32.exe N/A
File created C:\Windows\SysWOW64\Akkeajoj.dll C:\Windows\SysWOW64\Mokmdh32.exe N/A
File created C:\Windows\SysWOW64\Ddligq32.exe C:\Windows\SysWOW64\Dbnmke32.exe N/A
File created C:\Windows\SysWOW64\Egdagc32.dll C:\Windows\SysWOW64\Jcanll32.exe N/A
File created C:\Windows\SysWOW64\Nfaemp32.exe C:\Windows\SysWOW64\Ncchae32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dglkoeio.exe C:\Windows\SysWOW64\Ddnobj32.exe N/A
File created C:\Windows\SysWOW64\Qoelkp32.exe C:\Windows\SysWOW64\Qdphngfl.exe N/A
File created C:\Windows\SysWOW64\Bgaclkia.dll C:\Windows\SysWOW64\Hoclopne.exe N/A
File opened for modification C:\Windows\SysWOW64\Iinjhh32.exe C:\Windows\SysWOW64\Iebngial.exe N/A
File created C:\Windows\SysWOW64\Jcfggkac.exe C:\Windows\SysWOW64\Jphkkpbp.exe N/A
File opened for modification C:\Windows\SysWOW64\Lqmmmmph.exe C:\Windows\SysWOW64\Lmaamn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mokmdh32.exe C:\Windows\SysWOW64\Mmmqhl32.exe N/A
File created C:\Windows\SysWOW64\Aoqqpnlk.dll C:\Windows\SysWOW64\Cdnmfclj.exe N/A
File created C:\Windows\SysWOW64\Ckkpjkai.dll C:\Windows\SysWOW64\Ncchae32.exe N/A
File created C:\Windows\SysWOW64\Flhkmbmp.dll C:\Windows\SysWOW64\Oplfkeob.exe N/A
File created C:\Windows\SysWOW64\Flbfjl32.dll C:\Windows\SysWOW64\Ocjoadei.exe N/A
File created C:\Windows\SysWOW64\Ohofdmkm.dll C:\Windows\SysWOW64\Efjbcakl.exe N/A
File created C:\Windows\SysWOW64\Occmjg32.dll C:\Windows\SysWOW64\Pjbcplpe.exe N/A
File created C:\Windows\SysWOW64\Ffchaq32.dll C:\Windows\SysWOW64\Aehgnied.exe N/A
File opened for modification C:\Windows\SysWOW64\Jinboekc.exe C:\Windows\SysWOW64\Jebfng32.exe N/A
File created C:\Windows\SysWOW64\Aonhghjl.exe C:\Windows\SysWOW64\Adhdjpjf.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkgeainn.exe C:\Windows\SysWOW64\Bdmmeo32.exe N/A
File created C:\Windows\SysWOW64\Dmkalh32.dll C:\Windows\SysWOW64\Fijkdmhn.exe N/A
File opened for modification C:\Windows\SysWOW64\Qhmqdemc.exe C:\Windows\SysWOW64\Qoelkp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ilqoobdd.exe C:\Windows\SysWOW64\Imnocf32.exe N/A
File created C:\Windows\SysWOW64\Fmggcl32.dll C:\Windows\SysWOW64\Kgdpni32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lqkqhm32.exe C:\Windows\SysWOW64\Ljqhkckn.exe N/A
File opened for modification C:\Windows\SysWOW64\Aefjii32.exe C:\Windows\SysWOW64\Anobgl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Flmqlg32.exe C:\Windows\SysWOW64\Fechomko.exe N/A
File created C:\Windows\SysWOW64\Jpaekqhh.exe C:\Windows\SysWOW64\Jleijb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dggbcf32.exe C:\Windows\SysWOW64\Ddifgk32.exe N/A
File created C:\Windows\SysWOW64\Pcegclgp.exe C:\Windows\SysWOW64\Pmkofa32.exe N/A
File created C:\Windows\SysWOW64\Keiifian.dll C:\Windows\SysWOW64\Qhhpop32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dnajppda.exe C:\Windows\SysWOW64\Dggbcf32.exe N/A
File created C:\Windows\SysWOW64\Gnqfcbnj.exe C:\Windows\SysWOW64\Glbjggof.exe N/A
File created C:\Windows\SysWOW64\Gmafajfi.exe C:\Windows\SysWOW64\Gejopl32.exe N/A
File created C:\Windows\SysWOW64\Ebggoi32.dll C:\Windows\SysWOW64\Bklomh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mmhgmmbf.exe C:\Windows\SysWOW64\Mnegbp32.exe N/A
File created C:\Windows\SysWOW64\Alapqh32.dll C:\Windows\SysWOW64\Mfenglqf.exe N/A
File created C:\Windows\SysWOW64\Qidpon32.dll C:\Windows\SysWOW64\Nqoloc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ibgdlg32.exe C:\Windows\SysWOW64\Ihbponja.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocgkan32.exe C:\Windows\SysWOW64\Ommceclc.exe N/A
File created C:\Windows\SysWOW64\Mmacdg32.dll C:\Windows\SysWOW64\Klahfp32.exe N/A
File created C:\Windows\SysWOW64\Nnojho32.exe C:\Windows\SysWOW64\Mjcngpjh.exe N/A
File created C:\Windows\SysWOW64\Dkahilkl.exe C:\Windows\SysWOW64\Dhclmp32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Pififb32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aefjii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aekddhcb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agchinmk.dll" C:\Windows\SysWOW64\Bepmoh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddnfmqng.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkjcgjio.dll" C:\Windows\SysWOW64\Jenmcggo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leboon32.dll" C:\Windows\SysWOW64\Kcjjhdjb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dbocfo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eqdpgk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ebfign32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ekdnei32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmggcl32.dll" C:\Windows\SysWOW64\Kgdpni32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hccdbf32.dll" C:\Windows\SysWOW64\Ojdgnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnnfkal.dll" C:\Windows\SysWOW64\Gicgpelg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Amjbbfgo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Onmfimga.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aajhndkb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jblmgf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jcoaglhk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nmipdk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcndmiqg.dll" C:\Windows\SysWOW64\Loacdc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hegaehem.dll" C:\Windows\SysWOW64\Bedgjgkg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qfmmplad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Giljfddl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cnindhpg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Efjbcakl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nflkbanj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oclkgccf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dahmfpap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgamhc32.dll" C:\Windows\SysWOW64\Dbocfo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkgme32.dll" C:\Windows\SysWOW64\Oacoqnci.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolece32.dll" C:\Windows\SysWOW64\Fpkibf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pdenmbkk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nhahaiec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjijkpg.dll" C:\Windows\SysWOW64\Dojqjdbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chflphjh.dll" C:\Windows\SysWOW64\Iefgbh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nmdgikhi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgnffj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gicgpelg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almoijfo.dll" C:\Windows\SysWOW64\Klhnfo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgagk32.dll" C:\Windows\SysWOW64\Mqafhl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aekddhcb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gnqfcbnj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iepaaico.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmigpf32.dll" C:\Windows\SysWOW64\Qdphngfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nqoloc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmjhab32.dll" C:\Windows\SysWOW64\Jnlkedai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbqjjf.dll" C:\Windows\SysWOW64\Dooaoj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ackekpfe.dll" C:\Windows\SysWOW64\Adkgje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aaoaic32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Geoapenf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pknqoc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kegpifod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddgibkpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ilphdlqh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcneqod.dll" C:\Windows\SysWOW64\Fihnomjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hplbickp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmfqknfm.dll" C:\Windows\SysWOW64\Lnangaoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cammjakm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Njljch32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jekqmhia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ocohmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lljdai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gahamgib.dll" C:\Windows\SysWOW64\Dbnmke32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblldc32.dll" C:\Windows\SysWOW64\Ibfnqmpf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1860 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe C:\Windows\SysWOW64\Nmlddqem.exe
PID 1860 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe C:\Windows\SysWOW64\Nmlddqem.exe
PID 1860 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe C:\Windows\SysWOW64\Nmlddqem.exe
PID 4924 wrote to memory of 1492 N/A C:\Windows\SysWOW64\Nmlddqem.exe C:\Windows\SysWOW64\Ndflak32.exe
PID 4924 wrote to memory of 1492 N/A C:\Windows\SysWOW64\Nmlddqem.exe C:\Windows\SysWOW64\Ndflak32.exe
PID 4924 wrote to memory of 1492 N/A C:\Windows\SysWOW64\Nmlddqem.exe C:\Windows\SysWOW64\Ndflak32.exe
PID 1492 wrote to memory of 1832 N/A C:\Windows\SysWOW64\Ndflak32.exe C:\Windows\SysWOW64\Nhahaiec.exe
PID 1492 wrote to memory of 1832 N/A C:\Windows\SysWOW64\Ndflak32.exe C:\Windows\SysWOW64\Nhahaiec.exe
PID 1492 wrote to memory of 1832 N/A C:\Windows\SysWOW64\Ndflak32.exe C:\Windows\SysWOW64\Nhahaiec.exe
PID 1832 wrote to memory of 744 N/A C:\Windows\SysWOW64\Nhahaiec.exe C:\Windows\SysWOW64\Njpdnedf.exe
PID 1832 wrote to memory of 744 N/A C:\Windows\SysWOW64\Nhahaiec.exe C:\Windows\SysWOW64\Njpdnedf.exe
PID 1832 wrote to memory of 744 N/A C:\Windows\SysWOW64\Nhahaiec.exe C:\Windows\SysWOW64\Njpdnedf.exe
PID 744 wrote to memory of 3376 N/A C:\Windows\SysWOW64\Njpdnedf.exe C:\Windows\SysWOW64\Oeehkn32.exe
PID 744 wrote to memory of 3376 N/A C:\Windows\SysWOW64\Njpdnedf.exe C:\Windows\SysWOW64\Oeehkn32.exe
PID 744 wrote to memory of 3376 N/A C:\Windows\SysWOW64\Njpdnedf.exe C:\Windows\SysWOW64\Oeehkn32.exe
PID 3376 wrote to memory of 1564 N/A C:\Windows\SysWOW64\Oeehkn32.exe C:\Windows\SysWOW64\Odhifjkg.exe
PID 3376 wrote to memory of 1564 N/A C:\Windows\SysWOW64\Oeehkn32.exe C:\Windows\SysWOW64\Odhifjkg.exe
PID 3376 wrote to memory of 1564 N/A C:\Windows\SysWOW64\Oeehkn32.exe C:\Windows\SysWOW64\Odhifjkg.exe
PID 1564 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Odhifjkg.exe C:\Windows\SysWOW64\Onnmdcjm.exe
PID 1564 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Odhifjkg.exe C:\Windows\SysWOW64\Onnmdcjm.exe
PID 1564 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Odhifjkg.exe C:\Windows\SysWOW64\Onnmdcjm.exe
PID 2620 wrote to memory of 1176 N/A C:\Windows\SysWOW64\Onnmdcjm.exe C:\Windows\SysWOW64\Oeheqm32.exe
PID 2620 wrote to memory of 1176 N/A C:\Windows\SysWOW64\Onnmdcjm.exe C:\Windows\SysWOW64\Oeheqm32.exe
PID 2620 wrote to memory of 1176 N/A C:\Windows\SysWOW64\Onnmdcjm.exe C:\Windows\SysWOW64\Oeheqm32.exe
PID 1176 wrote to memory of 3976 N/A C:\Windows\SysWOW64\Oeheqm32.exe C:\Windows\SysWOW64\Olanmgig.exe
PID 1176 wrote to memory of 3976 N/A C:\Windows\SysWOW64\Oeheqm32.exe C:\Windows\SysWOW64\Olanmgig.exe
PID 1176 wrote to memory of 3976 N/A C:\Windows\SysWOW64\Oeheqm32.exe C:\Windows\SysWOW64\Olanmgig.exe
PID 3976 wrote to memory of 3096 N/A C:\Windows\SysWOW64\Olanmgig.exe C:\Windows\SysWOW64\Omcjep32.exe
PID 3976 wrote to memory of 3096 N/A C:\Windows\SysWOW64\Olanmgig.exe C:\Windows\SysWOW64\Omcjep32.exe
PID 3976 wrote to memory of 3096 N/A C:\Windows\SysWOW64\Olanmgig.exe C:\Windows\SysWOW64\Omcjep32.exe
PID 3096 wrote to memory of 4784 N/A C:\Windows\SysWOW64\Omcjep32.exe C:\Windows\SysWOW64\Oejbfmpg.exe
PID 3096 wrote to memory of 4784 N/A C:\Windows\SysWOW64\Omcjep32.exe C:\Windows\SysWOW64\Oejbfmpg.exe
PID 3096 wrote to memory of 4784 N/A C:\Windows\SysWOW64\Omcjep32.exe C:\Windows\SysWOW64\Oejbfmpg.exe
PID 4784 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Oejbfmpg.exe C:\Windows\SysWOW64\Ohhnbhok.exe
PID 4784 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Oejbfmpg.exe C:\Windows\SysWOW64\Ohhnbhok.exe
PID 4784 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Oejbfmpg.exe C:\Windows\SysWOW64\Ohhnbhok.exe
PID 2876 wrote to memory of 5036 N/A C:\Windows\SysWOW64\Ohhnbhok.exe C:\Windows\SysWOW64\Omegjomb.exe
PID 2876 wrote to memory of 5036 N/A C:\Windows\SysWOW64\Ohhnbhok.exe C:\Windows\SysWOW64\Omegjomb.exe
PID 2876 wrote to memory of 5036 N/A C:\Windows\SysWOW64\Ohhnbhok.exe C:\Windows\SysWOW64\Omegjomb.exe
PID 5036 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Omegjomb.exe C:\Windows\SysWOW64\Odoogi32.exe
PID 5036 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Omegjomb.exe C:\Windows\SysWOW64\Odoogi32.exe
PID 5036 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Omegjomb.exe C:\Windows\SysWOW64\Odoogi32.exe
PID 2636 wrote to memory of 544 N/A C:\Windows\SysWOW64\Odoogi32.exe C:\Windows\SysWOW64\Oacoqnci.exe
PID 2636 wrote to memory of 544 N/A C:\Windows\SysWOW64\Odoogi32.exe C:\Windows\SysWOW64\Oacoqnci.exe
PID 2636 wrote to memory of 544 N/A C:\Windows\SysWOW64\Odoogi32.exe C:\Windows\SysWOW64\Oacoqnci.exe
PID 544 wrote to memory of 1700 N/A C:\Windows\SysWOW64\Oacoqnci.exe C:\Windows\SysWOW64\Odalmibl.exe
PID 544 wrote to memory of 1700 N/A C:\Windows\SysWOW64\Oacoqnci.exe C:\Windows\SysWOW64\Odalmibl.exe
PID 544 wrote to memory of 1700 N/A C:\Windows\SysWOW64\Oacoqnci.exe C:\Windows\SysWOW64\Odalmibl.exe
PID 1700 wrote to memory of 3604 N/A C:\Windows\SysWOW64\Odalmibl.exe C:\Windows\SysWOW64\Oogpjbbb.exe
PID 1700 wrote to memory of 3604 N/A C:\Windows\SysWOW64\Odalmibl.exe C:\Windows\SysWOW64\Oogpjbbb.exe
PID 1700 wrote to memory of 3604 N/A C:\Windows\SysWOW64\Odalmibl.exe C:\Windows\SysWOW64\Oogpjbbb.exe
PID 3604 wrote to memory of 3148 N/A C:\Windows\SysWOW64\Oogpjbbb.exe C:\Windows\SysWOW64\Pddhbipj.exe
PID 3604 wrote to memory of 3148 N/A C:\Windows\SysWOW64\Oogpjbbb.exe C:\Windows\SysWOW64\Pddhbipj.exe
PID 3604 wrote to memory of 3148 N/A C:\Windows\SysWOW64\Oogpjbbb.exe C:\Windows\SysWOW64\Pddhbipj.exe
PID 3148 wrote to memory of 1780 N/A C:\Windows\SysWOW64\Pddhbipj.exe C:\Windows\SysWOW64\Pknqoc32.exe
PID 3148 wrote to memory of 1780 N/A C:\Windows\SysWOW64\Pddhbipj.exe C:\Windows\SysWOW64\Pknqoc32.exe
PID 3148 wrote to memory of 1780 N/A C:\Windows\SysWOW64\Pddhbipj.exe C:\Windows\SysWOW64\Pknqoc32.exe
PID 1780 wrote to memory of 3780 N/A C:\Windows\SysWOW64\Pknqoc32.exe C:\Windows\SysWOW64\Pmlmkn32.exe
PID 1780 wrote to memory of 3780 N/A C:\Windows\SysWOW64\Pknqoc32.exe C:\Windows\SysWOW64\Pmlmkn32.exe
PID 1780 wrote to memory of 3780 N/A C:\Windows\SysWOW64\Pknqoc32.exe C:\Windows\SysWOW64\Pmlmkn32.exe
PID 3780 wrote to memory of 1596 N/A C:\Windows\SysWOW64\Pmlmkn32.exe C:\Windows\SysWOW64\Pdfehh32.exe
PID 3780 wrote to memory of 1596 N/A C:\Windows\SysWOW64\Pmlmkn32.exe C:\Windows\SysWOW64\Pdfehh32.exe
PID 3780 wrote to memory of 1596 N/A C:\Windows\SysWOW64\Pmlmkn32.exe C:\Windows\SysWOW64\Pdfehh32.exe
PID 1596 wrote to memory of 2892 N/A C:\Windows\SysWOW64\Pdfehh32.exe C:\Windows\SysWOW64\Plmmif32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe

"C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe"

C:\Windows\SysWOW64\Nmlddqem.exe

C:\Windows\system32\Nmlddqem.exe

C:\Windows\SysWOW64\Ndflak32.exe

C:\Windows\system32\Ndflak32.exe

C:\Windows\SysWOW64\Nhahaiec.exe

C:\Windows\system32\Nhahaiec.exe

C:\Windows\SysWOW64\Njpdnedf.exe

C:\Windows\system32\Njpdnedf.exe

C:\Windows\SysWOW64\Oeehkn32.exe

C:\Windows\system32\Oeehkn32.exe

C:\Windows\SysWOW64\Odhifjkg.exe

C:\Windows\system32\Odhifjkg.exe

C:\Windows\SysWOW64\Onnmdcjm.exe

C:\Windows\system32\Onnmdcjm.exe

C:\Windows\SysWOW64\Oeheqm32.exe

C:\Windows\system32\Oeheqm32.exe

C:\Windows\SysWOW64\Olanmgig.exe

C:\Windows\system32\Olanmgig.exe

C:\Windows\SysWOW64\Omcjep32.exe

C:\Windows\system32\Omcjep32.exe

C:\Windows\SysWOW64\Oejbfmpg.exe

C:\Windows\system32\Oejbfmpg.exe

C:\Windows\SysWOW64\Ohhnbhok.exe

C:\Windows\system32\Ohhnbhok.exe

C:\Windows\SysWOW64\Omegjomb.exe

C:\Windows\system32\Omegjomb.exe

C:\Windows\SysWOW64\Odoogi32.exe

C:\Windows\system32\Odoogi32.exe

C:\Windows\SysWOW64\Oacoqnci.exe

C:\Windows\system32\Oacoqnci.exe

C:\Windows\SysWOW64\Odalmibl.exe

C:\Windows\system32\Odalmibl.exe

C:\Windows\SysWOW64\Oogpjbbb.exe

C:\Windows\system32\Oogpjbbb.exe

C:\Windows\SysWOW64\Pddhbipj.exe

C:\Windows\system32\Pddhbipj.exe

C:\Windows\SysWOW64\Pknqoc32.exe

C:\Windows\system32\Pknqoc32.exe

C:\Windows\SysWOW64\Pmlmkn32.exe

C:\Windows\system32\Pmlmkn32.exe

C:\Windows\SysWOW64\Pdfehh32.exe

C:\Windows\system32\Pdfehh32.exe

C:\Windows\SysWOW64\Plmmif32.exe

C:\Windows\system32\Plmmif32.exe

C:\Windows\SysWOW64\Pmoiqneg.exe

C:\Windows\system32\Pmoiqneg.exe

C:\Windows\SysWOW64\Pdhbmh32.exe

C:\Windows\system32\Pdhbmh32.exe

C:\Windows\SysWOW64\Pmaffnce.exe

C:\Windows\system32\Pmaffnce.exe

C:\Windows\SysWOW64\Phfjcf32.exe

C:\Windows\system32\Phfjcf32.exe

C:\Windows\SysWOW64\Popbpqjh.exe

C:\Windows\system32\Popbpqjh.exe

C:\Windows\SysWOW64\Pdmkhgho.exe

C:\Windows\system32\Pdmkhgho.exe

C:\Windows\SysWOW64\Pocpfphe.exe

C:\Windows\system32\Pocpfphe.exe

C:\Windows\SysWOW64\Qdphngfl.exe

C:\Windows\system32\Qdphngfl.exe

C:\Windows\SysWOW64\Qoelkp32.exe

C:\Windows\system32\Qoelkp32.exe

C:\Windows\SysWOW64\Qhmqdemc.exe

C:\Windows\system32\Qhmqdemc.exe

C:\Windows\SysWOW64\Aogiap32.exe

C:\Windows\system32\Aogiap32.exe

C:\Windows\SysWOW64\Aeaanjkl.exe

C:\Windows\system32\Aeaanjkl.exe

C:\Windows\SysWOW64\Ahpmjejp.exe

C:\Windows\system32\Ahpmjejp.exe

C:\Windows\SysWOW64\Aknifq32.exe

C:\Windows\system32\Aknifq32.exe

C:\Windows\SysWOW64\Aahbbkaq.exe

C:\Windows\system32\Aahbbkaq.exe

C:\Windows\SysWOW64\Adfnofpd.exe

C:\Windows\system32\Adfnofpd.exe

C:\Windows\SysWOW64\Akqfkp32.exe

C:\Windows\system32\Akqfkp32.exe

C:\Windows\SysWOW64\Anobgl32.exe

C:\Windows\system32\Anobgl32.exe

C:\Windows\SysWOW64\Aefjii32.exe

C:\Windows\system32\Aefjii32.exe

C:\Windows\SysWOW64\Alpbecod.exe

C:\Windows\system32\Alpbecod.exe

C:\Windows\SysWOW64\Aonoao32.exe

C:\Windows\system32\Aonoao32.exe

C:\Windows\SysWOW64\Aehgnied.exe

C:\Windows\system32\Aehgnied.exe

C:\Windows\SysWOW64\Adkgje32.exe

C:\Windows\system32\Adkgje32.exe

C:\Windows\SysWOW64\Akepfpcl.exe

C:\Windows\system32\Akepfpcl.exe

C:\Windows\SysWOW64\Anclbkbp.exe

C:\Windows\system32\Anclbkbp.exe

C:\Windows\SysWOW64\Aekddhcb.exe

C:\Windows\system32\Aekddhcb.exe

C:\Windows\SysWOW64\Alelqb32.exe

C:\Windows\system32\Alelqb32.exe

C:\Windows\SysWOW64\Bnfihkqm.exe

C:\Windows\system32\Bnfihkqm.exe

C:\Windows\SysWOW64\Bhkmec32.exe

C:\Windows\system32\Bhkmec32.exe

C:\Windows\SysWOW64\Boeebnhp.exe

C:\Windows\system32\Boeebnhp.exe

C:\Windows\SysWOW64\Bepmoh32.exe

C:\Windows\system32\Bepmoh32.exe

C:\Windows\SysWOW64\Bhnikc32.exe

C:\Windows\system32\Bhnikc32.exe

C:\Windows\SysWOW64\Bklfgo32.exe

C:\Windows\system32\Bklfgo32.exe

C:\Windows\SysWOW64\Bafndi32.exe

C:\Windows\system32\Bafndi32.exe

C:\Windows\SysWOW64\Bddjpd32.exe

C:\Windows\system32\Bddjpd32.exe

C:\Windows\SysWOW64\Bojomm32.exe

C:\Windows\system32\Bojomm32.exe

C:\Windows\SysWOW64\Bnmoijje.exe

C:\Windows\system32\Bnmoijje.exe

C:\Windows\SysWOW64\Bedgjgkg.exe

C:\Windows\system32\Bedgjgkg.exe

C:\Windows\SysWOW64\Bkaobnio.exe

C:\Windows\system32\Bkaobnio.exe

C:\Windows\SysWOW64\Bakgoh32.exe

C:\Windows\system32\Bakgoh32.exe

C:\Windows\SysWOW64\Bffcpg32.exe

C:\Windows\system32\Bffcpg32.exe

C:\Windows\SysWOW64\Bheplb32.exe

C:\Windows\system32\Bheplb32.exe

C:\Windows\SysWOW64\Coohhlpe.exe

C:\Windows\system32\Coohhlpe.exe

C:\Windows\SysWOW64\Camddhoi.exe

C:\Windows\system32\Camddhoi.exe

C:\Windows\SysWOW64\Cdlqqcnl.exe

C:\Windows\system32\Cdlqqcnl.exe

C:\Windows\SysWOW64\Ckeimm32.exe

C:\Windows\system32\Ckeimm32.exe

C:\Windows\SysWOW64\Cndeii32.exe

C:\Windows\system32\Cndeii32.exe

C:\Windows\SysWOW64\Cdnmfclj.exe

C:\Windows\system32\Cdnmfclj.exe

C:\Windows\SysWOW64\Cleegp32.exe

C:\Windows\system32\Cleegp32.exe

C:\Windows\SysWOW64\Cnfaohbj.exe

C:\Windows\system32\Cnfaohbj.exe

C:\Windows\SysWOW64\Cfnjpfcl.exe

C:\Windows\system32\Cfnjpfcl.exe

C:\Windows\SysWOW64\Clgbmp32.exe

C:\Windows\system32\Clgbmp32.exe

C:\Windows\SysWOW64\Cnindhpg.exe

C:\Windows\system32\Cnindhpg.exe

C:\Windows\SysWOW64\Cfpffeaj.exe

C:\Windows\system32\Cfpffeaj.exe

C:\Windows\SysWOW64\Cohkokgj.exe

C:\Windows\system32\Cohkokgj.exe

C:\Windows\SysWOW64\Cfbcke32.exe

C:\Windows\system32\Cfbcke32.exe

C:\Windows\SysWOW64\Chqogq32.exe

C:\Windows\system32\Chqogq32.exe

C:\Windows\SysWOW64\Dmlkhofd.exe

C:\Windows\system32\Dmlkhofd.exe

C:\Windows\SysWOW64\Dokgdkeh.exe

C:\Windows\system32\Dokgdkeh.exe

C:\Windows\SysWOW64\Dbicpfdk.exe

C:\Windows\system32\Dbicpfdk.exe

C:\Windows\SysWOW64\Dhclmp32.exe

C:\Windows\system32\Dhclmp32.exe

C:\Windows\SysWOW64\Dkahilkl.exe

C:\Windows\system32\Dkahilkl.exe

C:\Windows\SysWOW64\Dbkqfe32.exe

C:\Windows\system32\Dbkqfe32.exe

C:\Windows\SysWOW64\Ddjmba32.exe

C:\Windows\system32\Ddjmba32.exe

C:\Windows\SysWOW64\Dooaoj32.exe

C:\Windows\system32\Dooaoj32.exe

C:\Windows\SysWOW64\Dbnmke32.exe

C:\Windows\system32\Dbnmke32.exe

C:\Windows\SysWOW64\Ddligq32.exe

C:\Windows\system32\Ddligq32.exe

C:\Windows\SysWOW64\Dmcain32.exe

C:\Windows\system32\Dmcain32.exe

C:\Windows\SysWOW64\Dbpjaeoc.exe

C:\Windows\system32\Dbpjaeoc.exe

C:\Windows\SysWOW64\Ddnfmqng.exe

C:\Windows\system32\Ddnfmqng.exe

C:\Windows\SysWOW64\Dmennnni.exe

C:\Windows\system32\Dmennnni.exe

C:\Windows\SysWOW64\Dodjjimm.exe

C:\Windows\system32\Dodjjimm.exe

C:\Windows\SysWOW64\Dfnbgc32.exe

C:\Windows\system32\Dfnbgc32.exe

C:\Windows\SysWOW64\Eiloco32.exe

C:\Windows\system32\Eiloco32.exe

C:\Windows\SysWOW64\Eofgpikj.exe

C:\Windows\system32\Eofgpikj.exe

C:\Windows\SysWOW64\Ebdcld32.exe

C:\Windows\system32\Ebdcld32.exe

C:\Windows\SysWOW64\Eecphp32.exe

C:\Windows\system32\Eecphp32.exe

C:\Windows\SysWOW64\Emjgim32.exe

C:\Windows\system32\Emjgim32.exe

C:\Windows\SysWOW64\Ekmhejao.exe

C:\Windows\system32\Ekmhejao.exe

C:\Windows\SysWOW64\Enkdaepb.exe

C:\Windows\system32\Enkdaepb.exe

C:\Windows\SysWOW64\Efblbbqd.exe

C:\Windows\system32\Efblbbqd.exe

C:\Windows\SysWOW64\Eiahnnph.exe

C:\Windows\system32\Eiahnnph.exe

C:\Windows\SysWOW64\Ekodjiol.exe

C:\Windows\system32\Ekodjiol.exe

C:\Windows\SysWOW64\Ennqfenp.exe

C:\Windows\system32\Ennqfenp.exe

C:\Windows\SysWOW64\Efeihb32.exe

C:\Windows\system32\Efeihb32.exe

C:\Windows\SysWOW64\Eehicoel.exe

C:\Windows\system32\Eehicoel.exe

C:\Windows\SysWOW64\Emoadlfo.exe

C:\Windows\system32\Emoadlfo.exe

C:\Windows\SysWOW64\Enpmld32.exe

C:\Windows\system32\Enpmld32.exe

C:\Windows\SysWOW64\Efgemb32.exe

C:\Windows\system32\Efgemb32.exe

C:\Windows\SysWOW64\Eifaim32.exe

C:\Windows\system32\Eifaim32.exe

C:\Windows\SysWOW64\Ekdnei32.exe

C:\Windows\system32\Ekdnei32.exe

C:\Windows\SysWOW64\Ebnfbcbc.exe

C:\Windows\system32\Ebnfbcbc.exe

C:\Windows\SysWOW64\Efjbcakl.exe

C:\Windows\system32\Efjbcakl.exe

C:\Windows\SysWOW64\Fihnomjp.exe

C:\Windows\system32\Fihnomjp.exe

C:\Windows\SysWOW64\Fmcjpl32.exe

C:\Windows\system32\Fmcjpl32.exe

C:\Windows\SysWOW64\Fpbflg32.exe

C:\Windows\system32\Fpbflg32.exe

C:\Windows\SysWOW64\Fbpchb32.exe

C:\Windows\system32\Fbpchb32.exe

C:\Windows\SysWOW64\Feoodn32.exe

C:\Windows\system32\Feoodn32.exe

C:\Windows\SysWOW64\Fijkdmhn.exe

C:\Windows\system32\Fijkdmhn.exe

C:\Windows\SysWOW64\Fpdcag32.exe

C:\Windows\system32\Fpdcag32.exe

C:\Windows\SysWOW64\Ffnknafg.exe

C:\Windows\system32\Ffnknafg.exe

C:\Windows\SysWOW64\Fnipbc32.exe

C:\Windows\system32\Fnipbc32.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1280,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=3744 /prefetch:8

C:\Windows\SysWOW64\Ffqhcq32.exe

C:\Windows\system32\Ffqhcq32.exe

C:\Windows\SysWOW64\Fechomko.exe

C:\Windows\system32\Fechomko.exe

C:\Windows\SysWOW64\Flmqlg32.exe

C:\Windows\system32\Flmqlg32.exe

C:\Windows\SysWOW64\Fpimlfke.exe

C:\Windows\system32\Fpimlfke.exe

C:\Windows\SysWOW64\Fbgihaji.exe

C:\Windows\system32\Fbgihaji.exe

C:\Windows\SysWOW64\Fefedmil.exe

C:\Windows\system32\Fefedmil.exe

C:\Windows\SysWOW64\Fmmmfj32.exe

C:\Windows\system32\Fmmmfj32.exe

C:\Windows\SysWOW64\Fpkibf32.exe

C:\Windows\system32\Fpkibf32.exe

C:\Windows\SysWOW64\Fnnjmbpm.exe

C:\Windows\system32\Fnnjmbpm.exe

C:\Windows\SysWOW64\Gehbjm32.exe

C:\Windows\system32\Gehbjm32.exe

C:\Windows\SysWOW64\Gmojkj32.exe

C:\Windows\system32\Gmojkj32.exe

C:\Windows\SysWOW64\Glbjggof.exe

C:\Windows\system32\Glbjggof.exe

C:\Windows\SysWOW64\Gnqfcbnj.exe

C:\Windows\system32\Gnqfcbnj.exe

C:\Windows\SysWOW64\Gfhndpol.exe

C:\Windows\system32\Gfhndpol.exe

C:\Windows\SysWOW64\Gejopl32.exe

C:\Windows\system32\Gejopl32.exe

C:\Windows\SysWOW64\Gmafajfi.exe

C:\Windows\system32\Gmafajfi.exe

C:\Windows\SysWOW64\Gppcmeem.exe

C:\Windows\system32\Gppcmeem.exe

C:\Windows\SysWOW64\Gbnoiqdq.exe

C:\Windows\system32\Gbnoiqdq.exe

C:\Windows\SysWOW64\Gemkelcd.exe

C:\Windows\system32\Gemkelcd.exe

C:\Windows\SysWOW64\Gmdcfidg.exe

C:\Windows\system32\Gmdcfidg.exe

C:\Windows\SysWOW64\Gpbpbecj.exe

C:\Windows\system32\Gpbpbecj.exe

C:\Windows\SysWOW64\Gflhoo32.exe

C:\Windows\system32\Gflhoo32.exe

C:\Windows\SysWOW64\Gmfplibd.exe

C:\Windows\system32\Gmfplibd.exe

C:\Windows\SysWOW64\Gpelhd32.exe

C:\Windows\system32\Gpelhd32.exe

C:\Windows\SysWOW64\Gfodeohd.exe

C:\Windows\system32\Gfodeohd.exe

C:\Windows\SysWOW64\Gpgind32.exe

C:\Windows\system32\Gpgind32.exe

C:\Windows\SysWOW64\Hipmfjee.exe

C:\Windows\system32\Hipmfjee.exe

C:\Windows\SysWOW64\Hibjli32.exe

C:\Windows\system32\Hibjli32.exe

C:\Windows\SysWOW64\Hplbickp.exe

C:\Windows\system32\Hplbickp.exe

C:\Windows\SysWOW64\Hbjoeojc.exe

C:\Windows\system32\Hbjoeojc.exe

C:\Windows\SysWOW64\Hidgai32.exe

C:\Windows\system32\Hidgai32.exe

C:\Windows\SysWOW64\Hoaojp32.exe

C:\Windows\system32\Hoaojp32.exe

C:\Windows\SysWOW64\Hfhgkmpj.exe

C:\Windows\system32\Hfhgkmpj.exe

C:\Windows\SysWOW64\Hifcgion.exe

C:\Windows\system32\Hifcgion.exe

C:\Windows\SysWOW64\Hoclopne.exe

C:\Windows\system32\Hoclopne.exe

C:\Windows\SysWOW64\Hbohpn32.exe

C:\Windows\system32\Hbohpn32.exe

C:\Windows\SysWOW64\Hemdlj32.exe

C:\Windows\system32\Hemdlj32.exe

C:\Windows\SysWOW64\Hmdlmg32.exe

C:\Windows\system32\Hmdlmg32.exe

C:\Windows\SysWOW64\Hlglidlo.exe

C:\Windows\system32\Hlglidlo.exe

C:\Windows\SysWOW64\Hoeieolb.exe

C:\Windows\system32\Hoeieolb.exe

C:\Windows\SysWOW64\Ifmqfm32.exe

C:\Windows\system32\Ifmqfm32.exe

C:\Windows\SysWOW64\Iepaaico.exe

C:\Windows\system32\Iepaaico.exe

C:\Windows\SysWOW64\Iliinc32.exe

C:\Windows\system32\Iliinc32.exe

C:\Windows\SysWOW64\Ibcaknbi.exe

C:\Windows\system32\Ibcaknbi.exe

C:\Windows\SysWOW64\Iebngial.exe

C:\Windows\system32\Iebngial.exe

C:\Windows\SysWOW64\Iinjhh32.exe

C:\Windows\system32\Iinjhh32.exe

C:\Windows\SysWOW64\Illfdc32.exe

C:\Windows\system32\Illfdc32.exe

C:\Windows\SysWOW64\Iojbpo32.exe

C:\Windows\system32\Iojbpo32.exe

C:\Windows\SysWOW64\Ibfnqmpf.exe

C:\Windows\system32\Ibfnqmpf.exe

C:\Windows\SysWOW64\Iedjmioj.exe

C:\Windows\system32\Iedjmioj.exe

C:\Windows\SysWOW64\Imkbnf32.exe

C:\Windows\system32\Imkbnf32.exe

C:\Windows\SysWOW64\Ilnbicff.exe

C:\Windows\system32\Ilnbicff.exe

C:\Windows\SysWOW64\Iomoenej.exe

C:\Windows\system32\Iomoenej.exe

C:\Windows\SysWOW64\Igdgglfl.exe

C:\Windows\system32\Igdgglfl.exe

C:\Windows\SysWOW64\Iefgbh32.exe

C:\Windows\system32\Iefgbh32.exe

C:\Windows\SysWOW64\Imnocf32.exe

C:\Windows\system32\Imnocf32.exe

C:\Windows\SysWOW64\Ilqoobdd.exe

C:\Windows\system32\Ilqoobdd.exe

C:\Windows\SysWOW64\Ioolkncg.exe

C:\Windows\system32\Ioolkncg.exe

C:\Windows\SysWOW64\Ickglm32.exe

C:\Windows\system32\Ickglm32.exe

C:\Windows\SysWOW64\Ieidhh32.exe

C:\Windows\system32\Ieidhh32.exe

C:\Windows\SysWOW64\Iidphgcn.exe

C:\Windows\system32\Iidphgcn.exe

C:\Windows\SysWOW64\Ilcldb32.exe

C:\Windows\system32\Ilcldb32.exe

C:\Windows\SysWOW64\Joahqn32.exe

C:\Windows\system32\Joahqn32.exe

C:\Windows\SysWOW64\Jcmdaljn.exe

C:\Windows\system32\Jcmdaljn.exe

C:\Windows\SysWOW64\Jekqmhia.exe

C:\Windows\system32\Jekqmhia.exe

C:\Windows\SysWOW64\Jmbhoeid.exe

C:\Windows\system32\Jmbhoeid.exe

C:\Windows\SysWOW64\Jleijb32.exe

C:\Windows\system32\Jleijb32.exe

C:\Windows\SysWOW64\Jpaekqhh.exe

C:\Windows\system32\Jpaekqhh.exe

C:\Windows\SysWOW64\Jcoaglhk.exe

C:\Windows\system32\Jcoaglhk.exe

C:\Windows\SysWOW64\Jgkmgk32.exe

C:\Windows\system32\Jgkmgk32.exe

C:\Windows\SysWOW64\Jenmcggo.exe

C:\Windows\system32\Jenmcggo.exe

C:\Windows\SysWOW64\Jmeede32.exe

C:\Windows\system32\Jmeede32.exe

C:\Windows\SysWOW64\Jpcapp32.exe

C:\Windows\system32\Jpcapp32.exe

C:\Windows\SysWOW64\Jcanll32.exe

C:\Windows\system32\Jcanll32.exe

C:\Windows\SysWOW64\Jepjhg32.exe

C:\Windows\system32\Jepjhg32.exe

C:\Windows\SysWOW64\Jilfifme.exe

C:\Windows\system32\Jilfifme.exe

C:\Windows\SysWOW64\Jljbeali.exe

C:\Windows\system32\Jljbeali.exe

C:\Windows\SysWOW64\Johnamkm.exe

C:\Windows\system32\Johnamkm.exe

C:\Windows\SysWOW64\Jcdjbk32.exe

C:\Windows\system32\Jcdjbk32.exe

C:\Windows\SysWOW64\Jebfng32.exe

C:\Windows\system32\Jebfng32.exe

C:\Windows\SysWOW64\Jinboekc.exe

C:\Windows\system32\Jinboekc.exe

C:\Windows\SysWOW64\Jphkkpbp.exe

C:\Windows\system32\Jphkkpbp.exe

C:\Windows\SysWOW64\Jcfggkac.exe

C:\Windows\system32\Jcfggkac.exe

C:\Windows\SysWOW64\Jedccfqg.exe

C:\Windows\system32\Jedccfqg.exe

C:\Windows\SysWOW64\Jnlkedai.exe

C:\Windows\system32\Jnlkedai.exe

C:\Windows\SysWOW64\Jlolpq32.exe

C:\Windows\system32\Jlolpq32.exe

C:\Windows\SysWOW64\Kpjgaoqm.exe

C:\Windows\system32\Kpjgaoqm.exe

C:\Windows\SysWOW64\Komhll32.exe

C:\Windows\system32\Komhll32.exe

C:\Windows\SysWOW64\Kgdpni32.exe

C:\Windows\system32\Kgdpni32.exe

C:\Windows\SysWOW64\Kegpifod.exe

C:\Windows\system32\Kegpifod.exe

C:\Windows\SysWOW64\Klahfp32.exe

C:\Windows\system32\Klahfp32.exe

C:\Windows\SysWOW64\Kpmdfonj.exe

C:\Windows\system32\Kpmdfonj.exe

C:\Windows\SysWOW64\Kckqbj32.exe

C:\Windows\system32\Kckqbj32.exe

C:\Windows\SysWOW64\Kgflcifg.exe

C:\Windows\system32\Kgflcifg.exe

C:\Windows\SysWOW64\Kjeiodek.exe

C:\Windows\system32\Kjeiodek.exe

C:\Windows\SysWOW64\Klcekpdo.exe

C:\Windows\system32\Klcekpdo.exe

C:\Windows\SysWOW64\Kpoalo32.exe

C:\Windows\system32\Kpoalo32.exe

C:\Windows\SysWOW64\Kcmmhj32.exe

C:\Windows\system32\Kcmmhj32.exe

C:\Windows\SysWOW64\Kgiiiidd.exe

C:\Windows\system32\Kgiiiidd.exe

C:\Windows\SysWOW64\Kflide32.exe

C:\Windows\system32\Kflide32.exe

C:\Windows\SysWOW64\Kncaec32.exe

C:\Windows\system32\Kncaec32.exe

C:\Windows\SysWOW64\Klfaapbl.exe

C:\Windows\system32\Klfaapbl.exe

C:\Windows\SysWOW64\Kodnmkap.exe

C:\Windows\system32\Kodnmkap.exe

C:\Windows\SysWOW64\Kcpjnjii.exe

C:\Windows\system32\Kcpjnjii.exe

C:\Windows\SysWOW64\Kgkfnh32.exe

C:\Windows\system32\Kgkfnh32.exe

C:\Windows\SysWOW64\Kjjbjd32.exe

C:\Windows\system32\Kjjbjd32.exe

C:\Windows\SysWOW64\Klhnfo32.exe

C:\Windows\system32\Klhnfo32.exe

C:\Windows\SysWOW64\Kpcjgnhb.exe

C:\Windows\system32\Kpcjgnhb.exe

C:\Windows\SysWOW64\Kcbfcigf.exe

C:\Windows\system32\Kcbfcigf.exe

C:\Windows\SysWOW64\Kfpcoefj.exe

C:\Windows\system32\Kfpcoefj.exe

C:\Windows\SysWOW64\Kngkqbgl.exe

C:\Windows\system32\Kngkqbgl.exe

C:\Windows\SysWOW64\Lljklo32.exe

C:\Windows\system32\Lljklo32.exe

C:\Windows\SysWOW64\Lpfgmnfp.exe

C:\Windows\system32\Lpfgmnfp.exe

C:\Windows\SysWOW64\Lgpoihnl.exe

C:\Windows\system32\Lgpoihnl.exe

C:\Windows\SysWOW64\Ljnlecmp.exe

C:\Windows\system32\Ljnlecmp.exe

C:\Windows\SysWOW64\Lnjgfb32.exe

C:\Windows\system32\Lnjgfb32.exe

C:\Windows\SysWOW64\Llmhaold.exe

C:\Windows\system32\Llmhaold.exe

C:\Windows\SysWOW64\Lokdnjkg.exe

C:\Windows\system32\Lokdnjkg.exe

C:\Windows\SysWOW64\Lcgpni32.exe

C:\Windows\system32\Lcgpni32.exe

C:\Windows\SysWOW64\Lfeljd32.exe

C:\Windows\system32\Lfeljd32.exe

C:\Windows\SysWOW64\Ljqhkckn.exe

C:\Windows\system32\Ljqhkckn.exe

C:\Windows\SysWOW64\Lqkqhm32.exe

C:\Windows\system32\Lqkqhm32.exe

C:\Windows\SysWOW64\Lomqcjie.exe

C:\Windows\system32\Lomqcjie.exe

C:\Windows\SysWOW64\Lgdidgjg.exe

C:\Windows\system32\Lgdidgjg.exe

C:\Windows\SysWOW64\Ljceqb32.exe

C:\Windows\system32\Ljceqb32.exe

C:\Windows\SysWOW64\Lmaamn32.exe

C:\Windows\system32\Lmaamn32.exe

C:\Windows\SysWOW64\Lqmmmmph.exe

C:\Windows\system32\Lqmmmmph.exe

C:\Windows\SysWOW64\Lckiihok.exe

C:\Windows\system32\Lckiihok.exe

C:\Windows\SysWOW64\Lggejg32.exe

C:\Windows\system32\Lggejg32.exe

C:\Windows\SysWOW64\Lfjfecno.exe

C:\Windows\system32\Lfjfecno.exe

C:\Windows\SysWOW64\Lnangaoa.exe

C:\Windows\system32\Lnangaoa.exe

C:\Windows\SysWOW64\Lmdnbn32.exe

C:\Windows\system32\Lmdnbn32.exe

C:\Windows\SysWOW64\Lobjni32.exe

C:\Windows\system32\Lobjni32.exe

C:\Windows\SysWOW64\Lcnfohmi.exe

C:\Windows\system32\Lcnfohmi.exe

C:\Windows\SysWOW64\Lflbkcll.exe

C:\Windows\system32\Lflbkcll.exe

C:\Windows\SysWOW64\Ljhnlb32.exe

C:\Windows\system32\Ljhnlb32.exe

C:\Windows\SysWOW64\Mmfkhmdi.exe

C:\Windows\system32\Mmfkhmdi.exe

C:\Windows\SysWOW64\Mqafhl32.exe

C:\Windows\system32\Mqafhl32.exe

C:\Windows\SysWOW64\Mcpcdg32.exe

C:\Windows\system32\Mcpcdg32.exe

C:\Windows\SysWOW64\Mgloefco.exe

C:\Windows\system32\Mgloefco.exe

C:\Windows\SysWOW64\Mfnoqc32.exe

C:\Windows\system32\Mfnoqc32.exe

C:\Windows\SysWOW64\Mnegbp32.exe

C:\Windows\system32\Mnegbp32.exe

C:\Windows\SysWOW64\Mmhgmmbf.exe

C:\Windows\system32\Mmhgmmbf.exe

C:\Windows\SysWOW64\Mogcihaj.exe

C:\Windows\system32\Mogcihaj.exe

C:\Windows\SysWOW64\Mcbpjg32.exe

C:\Windows\system32\Mcbpjg32.exe

C:\Windows\SysWOW64\Mjlhgaqp.exe

C:\Windows\system32\Mjlhgaqp.exe

C:\Windows\SysWOW64\Mnhdgpii.exe

C:\Windows\system32\Mnhdgpii.exe

C:\Windows\SysWOW64\Mmkdcm32.exe

C:\Windows\system32\Mmkdcm32.exe

C:\Windows\SysWOW64\Moipoh32.exe

C:\Windows\system32\Moipoh32.exe

C:\Windows\SysWOW64\Mcelpggq.exe

C:\Windows\system32\Mcelpggq.exe

C:\Windows\SysWOW64\Mjodla32.exe

C:\Windows\system32\Mjodla32.exe

C:\Windows\SysWOW64\Mmmqhl32.exe

C:\Windows\system32\Mmmqhl32.exe

C:\Windows\SysWOW64\Mokmdh32.exe

C:\Windows\system32\Mokmdh32.exe

C:\Windows\SysWOW64\Mgbefe32.exe

C:\Windows\system32\Mgbefe32.exe

C:\Windows\SysWOW64\Mjaabq32.exe

C:\Windows\system32\Mjaabq32.exe

C:\Windows\SysWOW64\Mmpmnl32.exe

C:\Windows\system32\Mmpmnl32.exe

C:\Windows\SysWOW64\Monjjgkb.exe

C:\Windows\system32\Monjjgkb.exe

C:\Windows\SysWOW64\Mcifkf32.exe

C:\Windows\system32\Mcifkf32.exe

C:\Windows\SysWOW64\Mjcngpjh.exe

C:\Windows\system32\Mjcngpjh.exe

C:\Windows\SysWOW64\Nnojho32.exe

C:\Windows\system32\Nnojho32.exe

C:\Windows\SysWOW64\Nqmfdj32.exe

C:\Windows\system32\Nqmfdj32.exe

C:\Windows\SysWOW64\Nopfpgip.exe

C:\Windows\system32\Nopfpgip.exe

C:\Windows\SysWOW64\Nggnadib.exe

C:\Windows\system32\Nggnadib.exe

C:\Windows\SysWOW64\Njfkmphe.exe

C:\Windows\system32\Njfkmphe.exe

C:\Windows\SysWOW64\Nmdgikhi.exe

C:\Windows\system32\Nmdgikhi.exe

C:\Windows\SysWOW64\Npbceggm.exe

C:\Windows\system32\Npbceggm.exe

C:\Windows\SysWOW64\Ngjkfd32.exe

C:\Windows\system32\Ngjkfd32.exe

C:\Windows\SysWOW64\Nflkbanj.exe

C:\Windows\system32\Nflkbanj.exe

C:\Windows\SysWOW64\Nncccnol.exe

C:\Windows\system32\Nncccnol.exe

C:\Windows\SysWOW64\Nqbpojnp.exe

C:\Windows\system32\Nqbpojnp.exe

C:\Windows\SysWOW64\Ncqlkemc.exe

C:\Windows\system32\Ncqlkemc.exe

C:\Windows\SysWOW64\Nfohgqlg.exe

C:\Windows\system32\Nfohgqlg.exe

C:\Windows\SysWOW64\Nnfpinmi.exe

C:\Windows\system32\Nnfpinmi.exe

C:\Windows\SysWOW64\Nmipdk32.exe

C:\Windows\system32\Nmipdk32.exe

C:\Windows\SysWOW64\Npgmpf32.exe

C:\Windows\system32\Npgmpf32.exe

C:\Windows\SysWOW64\Ncchae32.exe

C:\Windows\system32\Ncchae32.exe

C:\Windows\SysWOW64\Nfaemp32.exe

C:\Windows\system32\Nfaemp32.exe

C:\Windows\SysWOW64\Nmkmjjaa.exe

C:\Windows\system32\Nmkmjjaa.exe

C:\Windows\SysWOW64\Npiiffqe.exe

C:\Windows\system32\Npiiffqe.exe

C:\Windows\SysWOW64\Ngqagcag.exe

C:\Windows\system32\Ngqagcag.exe

C:\Windows\SysWOW64\Nfcabp32.exe

C:\Windows\system32\Nfcabp32.exe

C:\Windows\SysWOW64\Onkidm32.exe

C:\Windows\system32\Onkidm32.exe

C:\Windows\SysWOW64\Omnjojpo.exe

C:\Windows\system32\Omnjojpo.exe

C:\Windows\SysWOW64\Oplfkeob.exe

C:\Windows\system32\Oplfkeob.exe

C:\Windows\SysWOW64\Ogcnmc32.exe

C:\Windows\system32\Ogcnmc32.exe

C:\Windows\SysWOW64\Ojajin32.exe

C:\Windows\system32\Ojajin32.exe

C:\Windows\SysWOW64\Onmfimga.exe

C:\Windows\system32\Onmfimga.exe

C:\Windows\SysWOW64\Oakbehfe.exe

C:\Windows\system32\Oakbehfe.exe

C:\Windows\SysWOW64\Ocjoadei.exe

C:\Windows\system32\Ocjoadei.exe

C:\Windows\SysWOW64\Ogekbb32.exe

C:\Windows\system32\Ogekbb32.exe

C:\Windows\SysWOW64\Ojdgnn32.exe

C:\Windows\system32\Ojdgnn32.exe

C:\Windows\SysWOW64\Ombcji32.exe

C:\Windows\system32\Ombcji32.exe

C:\Windows\SysWOW64\Oclkgccf.exe

C:\Windows\system32\Oclkgccf.exe

C:\Windows\SysWOW64\Oghghb32.exe

C:\Windows\system32\Oghghb32.exe

C:\Windows\SysWOW64\Ojfcdnjc.exe

C:\Windows\system32\Ojfcdnjc.exe

C:\Windows\SysWOW64\Omdppiif.exe

C:\Windows\system32\Omdppiif.exe

C:\Windows\SysWOW64\Oaplqh32.exe

C:\Windows\system32\Oaplqh32.exe

C:\Windows\SysWOW64\Ocohmc32.exe

C:\Windows\system32\Ocohmc32.exe

C:\Windows\SysWOW64\Ofmdio32.exe

C:\Windows\system32\Ofmdio32.exe

C:\Windows\SysWOW64\Ondljl32.exe

C:\Windows\system32\Ondljl32.exe

C:\Windows\SysWOW64\Opeiadfg.exe

C:\Windows\system32\Opeiadfg.exe

C:\Windows\SysWOW64\Pfoann32.exe

C:\Windows\system32\Pfoann32.exe

C:\Windows\SysWOW64\Pnfiplog.exe

C:\Windows\system32\Pnfiplog.exe

C:\Windows\SysWOW64\Paeelgnj.exe

C:\Windows\system32\Paeelgnj.exe

C:\Windows\SysWOW64\Phonha32.exe

C:\Windows\system32\Phonha32.exe

C:\Windows\SysWOW64\Pfandnla.exe

C:\Windows\system32\Pfandnla.exe

C:\Windows\SysWOW64\Pnifekmd.exe

C:\Windows\system32\Pnifekmd.exe

C:\Windows\SysWOW64\Pagbaglh.exe

C:\Windows\system32\Pagbaglh.exe

C:\Windows\SysWOW64\Pdenmbkk.exe

C:\Windows\system32\Pdenmbkk.exe

C:\Windows\SysWOW64\Phajna32.exe

C:\Windows\system32\Phajna32.exe

C:\Windows\SysWOW64\Pjpfjl32.exe

C:\Windows\system32\Pjpfjl32.exe

C:\Windows\SysWOW64\Pmnbfhal.exe

C:\Windows\system32\Pmnbfhal.exe

C:\Windows\SysWOW64\Pdhkcb32.exe

C:\Windows\system32\Pdhkcb32.exe

C:\Windows\SysWOW64\Phcgcqab.exe

C:\Windows\system32\Phcgcqab.exe

C:\Windows\SysWOW64\Pjbcplpe.exe

C:\Windows\system32\Pjbcplpe.exe

C:\Windows\SysWOW64\Ppolhcnm.exe

C:\Windows\system32\Ppolhcnm.exe

C:\Windows\SysWOW64\Phfcipoo.exe

C:\Windows\system32\Phfcipoo.exe

C:\Windows\SysWOW64\Pfiddm32.exe

C:\Windows\system32\Pfiddm32.exe

C:\Windows\SysWOW64\Pmblagmf.exe

C:\Windows\system32\Pmblagmf.exe

C:\Windows\SysWOW64\Qhhpop32.exe

C:\Windows\system32\Qhhpop32.exe

C:\Windows\SysWOW64\Qobhkjdi.exe

C:\Windows\system32\Qobhkjdi.exe

C:\Windows\SysWOW64\Qpcecb32.exe

C:\Windows\system32\Qpcecb32.exe

C:\Windows\SysWOW64\Qfmmplad.exe

C:\Windows\system32\Qfmmplad.exe

C:\Windows\SysWOW64\Qmgelf32.exe

C:\Windows\system32\Qmgelf32.exe

C:\Windows\SysWOW64\Qpeahb32.exe

C:\Windows\system32\Qpeahb32.exe

C:\Windows\SysWOW64\Ahmjjoig.exe

C:\Windows\system32\Ahmjjoig.exe

C:\Windows\SysWOW64\Akkffkhk.exe

C:\Windows\system32\Akkffkhk.exe

C:\Windows\SysWOW64\Amjbbfgo.exe

C:\Windows\system32\Amjbbfgo.exe

C:\Windows\SysWOW64\Adcjop32.exe

C:\Windows\system32\Adcjop32.exe

C:\Windows\SysWOW64\Aknbkjfh.exe

C:\Windows\system32\Aknbkjfh.exe

C:\Windows\SysWOW64\Amlogfel.exe

C:\Windows\system32\Amlogfel.exe

C:\Windows\SysWOW64\Apjkcadp.exe

C:\Windows\system32\Apjkcadp.exe

C:\Windows\SysWOW64\Ahaceo32.exe

C:\Windows\system32\Ahaceo32.exe

C:\Windows\SysWOW64\Akpoaj32.exe

C:\Windows\system32\Akpoaj32.exe

C:\Windows\SysWOW64\Aajhndkb.exe

C:\Windows\system32\Aajhndkb.exe

C:\Windows\SysWOW64\Adhdjpjf.exe

C:\Windows\system32\Adhdjpjf.exe

C:\Windows\SysWOW64\Aonhghjl.exe

C:\Windows\system32\Aonhghjl.exe

C:\Windows\SysWOW64\Apodoq32.exe

C:\Windows\system32\Apodoq32.exe

C:\Windows\SysWOW64\Aopemh32.exe

C:\Windows\system32\Aopemh32.exe

C:\Windows\SysWOW64\Aaoaic32.exe

C:\Windows\system32\Aaoaic32.exe

C:\Windows\SysWOW64\Bdmmeo32.exe

C:\Windows\system32\Bdmmeo32.exe

C:\Windows\SysWOW64\Bkgeainn.exe

C:\Windows\system32\Bkgeainn.exe

C:\Windows\SysWOW64\Bmeandma.exe

C:\Windows\system32\Bmeandma.exe

C:\Windows\SysWOW64\Bgnffj32.exe

C:\Windows\system32\Bgnffj32.exe

C:\Windows\SysWOW64\Bmhocd32.exe

C:\Windows\system32\Bmhocd32.exe

C:\Windows\SysWOW64\Bdagpnbk.exe

C:\Windows\system32\Bdagpnbk.exe

C:\Windows\SysWOW64\Bklomh32.exe

C:\Windows\system32\Bklomh32.exe

C:\Windows\SysWOW64\Bmjkic32.exe

C:\Windows\system32\Bmjkic32.exe

C:\Windows\SysWOW64\Bddcenpi.exe

C:\Windows\system32\Bddcenpi.exe

C:\Windows\SysWOW64\Boihcf32.exe

C:\Windows\system32\Boihcf32.exe

C:\Windows\SysWOW64\Bpkdjofm.exe

C:\Windows\system32\Bpkdjofm.exe

C:\Windows\SysWOW64\Bkphhgfc.exe

C:\Windows\system32\Bkphhgfc.exe

C:\Windows\SysWOW64\Cpmapodj.exe

C:\Windows\system32\Cpmapodj.exe

C:\Windows\SysWOW64\Ckbemgcp.exe

C:\Windows\system32\Ckbemgcp.exe

C:\Windows\SysWOW64\Cammjakm.exe

C:\Windows\system32\Cammjakm.exe

C:\Windows\SysWOW64\Cponen32.exe

C:\Windows\system32\Cponen32.exe

C:\Windows\SysWOW64\Chfegk32.exe

C:\Windows\system32\Chfegk32.exe

C:\Windows\SysWOW64\Ckebcg32.exe

C:\Windows\system32\Ckebcg32.exe

C:\Windows\SysWOW64\Caojpaij.exe

C:\Windows\system32\Caojpaij.exe

C:\Windows\SysWOW64\Cdmfllhn.exe

C:\Windows\system32\Cdmfllhn.exe

C:\Windows\SysWOW64\Ckgohf32.exe

C:\Windows\system32\Ckgohf32.exe

C:\Windows\SysWOW64\Caageq32.exe

C:\Windows\system32\Caageq32.exe

C:\Windows\SysWOW64\Cpdgqmnb.exe

C:\Windows\system32\Cpdgqmnb.exe

C:\Windows\SysWOW64\Ckjknfnh.exe

C:\Windows\system32\Ckjknfnh.exe

C:\Windows\SysWOW64\Cpfcfmlp.exe

C:\Windows\system32\Cpfcfmlp.exe

C:\Windows\SysWOW64\Cogddd32.exe

C:\Windows\system32\Cogddd32.exe

C:\Windows\SysWOW64\Dddllkbf.exe

C:\Windows\system32\Dddllkbf.exe

C:\Windows\SysWOW64\Dojqjdbl.exe

C:\Windows\system32\Dojqjdbl.exe

C:\Windows\SysWOW64\Dahmfpap.exe

C:\Windows\system32\Dahmfpap.exe

C:\Windows\SysWOW64\Dpkmal32.exe

C:\Windows\system32\Dpkmal32.exe

C:\Windows\SysWOW64\Ddgibkpc.exe

C:\Windows\system32\Ddgibkpc.exe

C:\Windows\SysWOW64\Dgeenfog.exe

C:\Windows\system32\Dgeenfog.exe

C:\Windows\SysWOW64\Dolmodpi.exe

C:\Windows\system32\Dolmodpi.exe

C:\Windows\SysWOW64\Dnonkq32.exe

C:\Windows\system32\Dnonkq32.exe

C:\Windows\SysWOW64\Dakikoom.exe

C:\Windows\system32\Dakikoom.exe

C:\Windows\SysWOW64\Ddifgk32.exe

C:\Windows\system32\Ddifgk32.exe

C:\Windows\SysWOW64\Dggbcf32.exe

C:\Windows\system32\Dggbcf32.exe

C:\Windows\SysWOW64\Dnajppda.exe

C:\Windows\system32\Dnajppda.exe

C:\Windows\SysWOW64\Damfao32.exe

C:\Windows\system32\Damfao32.exe

C:\Windows\SysWOW64\Ddkbmj32.exe

C:\Windows\system32\Ddkbmj32.exe

C:\Windows\SysWOW64\Dgjoif32.exe

C:\Windows\system32\Dgjoif32.exe

C:\Windows\SysWOW64\Dbocfo32.exe

C:\Windows\system32\Dbocfo32.exe

C:\Windows\SysWOW64\Ddnobj32.exe

C:\Windows\system32\Ddnobj32.exe

C:\Windows\SysWOW64\Dglkoeio.exe

C:\Windows\system32\Dglkoeio.exe

C:\Windows\SysWOW64\Eqdpgk32.exe

C:\Windows\system32\Eqdpgk32.exe

C:\Windows\SysWOW64\Edplhjhi.exe

C:\Windows\system32\Edplhjhi.exe

C:\Windows\SysWOW64\Ekjded32.exe

C:\Windows\system32\Ekjded32.exe

C:\Windows\SysWOW64\Enhpao32.exe

C:\Windows\system32\Enhpao32.exe

C:\Windows\SysWOW64\Edbiniff.exe

C:\Windows\system32\Edbiniff.exe

C:\Windows\SysWOW64\Ehndnh32.exe

C:\Windows\system32\Ehndnh32.exe

C:\Windows\SysWOW64\Eklajcmc.exe

C:\Windows\system32\Eklajcmc.exe

C:\Windows\SysWOW64\Ebfign32.exe

C:\Windows\system32\Ebfign32.exe

C:\Windows\SysWOW64\Eqiibjlj.exe

C:\Windows\system32\Eqiibjlj.exe

C:\Windows\SysWOW64\Ehpadhll.exe

C:\Windows\system32\Ehpadhll.exe

C:\Windows\SysWOW64\Egcaod32.exe

C:\Windows\system32\Egcaod32.exe

C:\Windows\SysWOW64\Eojiqb32.exe

C:\Windows\system32\Eojiqb32.exe

C:\Windows\SysWOW64\Ebifmm32.exe

C:\Windows\system32\Ebifmm32.exe

C:\Windows\SysWOW64\Ekajec32.exe

C:\Windows\system32\Ekajec32.exe

C:\Windows\SysWOW64\Eghkjdoa.exe

C:\Windows\system32\Eghkjdoa.exe

C:\Windows\SysWOW64\Fqppci32.exe

C:\Windows\system32\Fqppci32.exe

C:\Windows\SysWOW64\Fndpmndl.exe

C:\Windows\system32\Fndpmndl.exe

C:\Windows\SysWOW64\Fgmdec32.exe

C:\Windows\system32\Fgmdec32.exe

C:\Windows\SysWOW64\Filapfbo.exe

C:\Windows\system32\Filapfbo.exe

C:\Windows\SysWOW64\Fniihmpf.exe

C:\Windows\system32\Fniihmpf.exe

C:\Windows\SysWOW64\Fganqbgg.exe

C:\Windows\system32\Fganqbgg.exe

C:\Windows\SysWOW64\Fbgbnkfm.exe

C:\Windows\system32\Fbgbnkfm.exe

C:\Windows\SysWOW64\Fgcjfbed.exe

C:\Windows\system32\Fgcjfbed.exe

C:\Windows\SysWOW64\Gbiockdj.exe

C:\Windows\system32\Gbiockdj.exe

C:\Windows\SysWOW64\Gicgpelg.exe

C:\Windows\system32\Gicgpelg.exe

C:\Windows\SysWOW64\Gpmomo32.exe

C:\Windows\system32\Gpmomo32.exe

C:\Windows\SysWOW64\Gejhef32.exe

C:\Windows\system32\Gejhef32.exe

C:\Windows\SysWOW64\Gpolbo32.exe

C:\Windows\system32\Gpolbo32.exe

C:\Windows\SysWOW64\Glfmgp32.exe

C:\Windows\system32\Glfmgp32.exe

C:\Windows\SysWOW64\Geoapenf.exe

C:\Windows\system32\Geoapenf.exe

C:\Windows\SysWOW64\Gngeik32.exe

C:\Windows\system32\Gngeik32.exe

C:\Windows\SysWOW64\Giljfddl.exe

C:\Windows\system32\Giljfddl.exe

C:\Windows\SysWOW64\Hlkfbocp.exe

C:\Windows\system32\Hlkfbocp.exe

C:\Windows\SysWOW64\Hecjke32.exe

C:\Windows\system32\Hecjke32.exe

C:\Windows\SysWOW64\Hhaggp32.exe

C:\Windows\system32\Hhaggp32.exe

C:\Windows\SysWOW64\Hajkqfoe.exe

C:\Windows\system32\Hajkqfoe.exe

C:\Windows\SysWOW64\Hhdcmp32.exe

C:\Windows\system32\Hhdcmp32.exe

C:\Windows\SysWOW64\Hicpgc32.exe

C:\Windows\system32\Hicpgc32.exe

C:\Windows\SysWOW64\Haodle32.exe

C:\Windows\system32\Haodle32.exe

C:\Windows\SysWOW64\Hnbeeiji.exe

C:\Windows\system32\Hnbeeiji.exe

C:\Windows\SysWOW64\Hihibbjo.exe

C:\Windows\system32\Hihibbjo.exe

C:\Windows\SysWOW64\Ihmfco32.exe

C:\Windows\system32\Ihmfco32.exe

C:\Windows\SysWOW64\Iimcma32.exe

C:\Windows\system32\Iimcma32.exe

C:\Windows\SysWOW64\Iahgad32.exe

C:\Windows\system32\Iahgad32.exe

C:\Windows\SysWOW64\Ihbponja.exe

C:\Windows\system32\Ihbponja.exe

C:\Windows\SysWOW64\Ibgdlg32.exe

C:\Windows\system32\Ibgdlg32.exe

C:\Windows\SysWOW64\Ilphdlqh.exe

C:\Windows\system32\Ilphdlqh.exe

C:\Windows\SysWOW64\Iamamcop.exe

C:\Windows\system32\Iamamcop.exe

C:\Windows\SysWOW64\Jhgiim32.exe

C:\Windows\system32\Jhgiim32.exe

C:\Windows\SysWOW64\Jblmgf32.exe

C:\Windows\system32\Jblmgf32.exe

C:\Windows\SysWOW64\Jaonbc32.exe

C:\Windows\system32\Jaonbc32.exe

C:\Windows\SysWOW64\Jhifomdj.exe

C:\Windows\system32\Jhifomdj.exe

C:\Windows\SysWOW64\Jppnpjel.exe

C:\Windows\system32\Jppnpjel.exe

C:\Windows\SysWOW64\Jemfhacc.exe

C:\Windows\system32\Jemfhacc.exe

C:\Windows\SysWOW64\Jhkbdmbg.exe

C:\Windows\system32\Jhkbdmbg.exe

C:\Windows\SysWOW64\Joekag32.exe

C:\Windows\system32\Joekag32.exe

C:\Windows\SysWOW64\Jpegkj32.exe

C:\Windows\system32\Jpegkj32.exe

C:\Windows\SysWOW64\Jeapcq32.exe

C:\Windows\system32\Jeapcq32.exe

C:\Windows\SysWOW64\Jbepme32.exe

C:\Windows\system32\Jbepme32.exe

C:\Windows\SysWOW64\Kakmna32.exe

C:\Windows\system32\Kakmna32.exe

C:\Windows\SysWOW64\Kcjjhdjb.exe

C:\Windows\system32\Kcjjhdjb.exe

C:\Windows\SysWOW64\Kapfiqoj.exe

C:\Windows\system32\Kapfiqoj.exe

C:\Windows\SysWOW64\Kemooo32.exe

C:\Windows\system32\Kemooo32.exe

C:\Windows\SysWOW64\Lljdai32.exe

C:\Windows\system32\Lljdai32.exe

C:\Windows\SysWOW64\Lindkm32.exe

C:\Windows\system32\Lindkm32.exe

C:\Windows\SysWOW64\Lpgmhg32.exe

C:\Windows\system32\Lpgmhg32.exe

C:\Windows\SysWOW64\Lhcali32.exe

C:\Windows\system32\Lhcali32.exe

C:\Windows\SysWOW64\Lakfeodm.exe

C:\Windows\system32\Lakfeodm.exe

C:\Windows\SysWOW64\Lplfcf32.exe

C:\Windows\system32\Lplfcf32.exe

C:\Windows\SysWOW64\Lfiokmkc.exe

C:\Windows\system32\Lfiokmkc.exe

C:\Windows\SysWOW64\Loacdc32.exe

C:\Windows\system32\Loacdc32.exe

C:\Windows\SysWOW64\Mjggal32.exe

C:\Windows\system32\Mjggal32.exe

C:\Windows\SysWOW64\Modpib32.exe

C:\Windows\system32\Modpib32.exe

C:\Windows\SysWOW64\Mablfnne.exe

C:\Windows\system32\Mablfnne.exe

C:\Windows\SysWOW64\Mjidgkog.exe

C:\Windows\system32\Mjidgkog.exe

C:\Windows\SysWOW64\Mcaipa32.exe

C:\Windows\system32\Mcaipa32.exe

C:\Windows\SysWOW64\Mjlalkmd.exe

C:\Windows\system32\Mjlalkmd.exe

C:\Windows\SysWOW64\Mfbaalbi.exe

C:\Windows\system32\Mfbaalbi.exe

C:\Windows\SysWOW64\Mqhfoebo.exe

C:\Windows\system32\Mqhfoebo.exe

C:\Windows\SysWOW64\Mfenglqf.exe

C:\Windows\system32\Mfenglqf.exe

C:\Windows\SysWOW64\Njbgmjgl.exe

C:\Windows\system32\Njbgmjgl.exe

C:\Windows\SysWOW64\Nckkfp32.exe

C:\Windows\system32\Nckkfp32.exe

C:\Windows\SysWOW64\Nqoloc32.exe

C:\Windows\system32\Nqoloc32.exe

C:\Windows\SysWOW64\Nmfmde32.exe

C:\Windows\system32\Nmfmde32.exe

C:\Windows\SysWOW64\Njjmni32.exe

C:\Windows\system32\Njjmni32.exe

C:\Windows\SysWOW64\Nqcejcha.exe

C:\Windows\system32\Nqcejcha.exe

C:\Windows\SysWOW64\Nfqnbjfi.exe

C:\Windows\system32\Nfqnbjfi.exe

C:\Windows\SysWOW64\Njljch32.exe

C:\Windows\system32\Njljch32.exe

C:\Windows\SysWOW64\Nqfbpb32.exe

C:\Windows\system32\Nqfbpb32.exe

C:\Windows\SysWOW64\Ooibkpmi.exe

C:\Windows\system32\Ooibkpmi.exe

C:\Windows\SysWOW64\Ojnfihmo.exe

C:\Windows\system32\Ojnfihmo.exe

C:\Windows\SysWOW64\Ommceclc.exe

C:\Windows\system32\Ommceclc.exe

C:\Windows\SysWOW64\Ocgkan32.exe

C:\Windows\system32\Ocgkan32.exe

C:\Windows\SysWOW64\Ofegni32.exe

C:\Windows\system32\Ofegni32.exe

C:\Windows\SysWOW64\Oonlfo32.exe

C:\Windows\system32\Oonlfo32.exe

C:\Windows\SysWOW64\Ofgdcipq.exe

C:\Windows\system32\Ofgdcipq.exe

C:\Windows\SysWOW64\Oophlo32.exe

C:\Windows\system32\Oophlo32.exe

C:\Windows\SysWOW64\Omdieb32.exe

C:\Windows\system32\Omdieb32.exe

C:\Windows\SysWOW64\Oflmnh32.exe

C:\Windows\system32\Oflmnh32.exe

C:\Windows\SysWOW64\Pqbala32.exe

C:\Windows\system32\Pqbala32.exe

C:\Windows\SysWOW64\Pfojdh32.exe

C:\Windows\system32\Pfojdh32.exe

C:\Windows\SysWOW64\Pcbkml32.exe

C:\Windows\system32\Pcbkml32.exe

C:\Windows\SysWOW64\Pmkofa32.exe

C:\Windows\system32\Pmkofa32.exe

C:\Windows\SysWOW64\Pcegclgp.exe

C:\Windows\system32\Pcegclgp.exe

C:\Windows\SysWOW64\Piapkbeg.exe

C:\Windows\system32\Piapkbeg.exe

C:\Windows\SysWOW64\Pfepdg32.exe

C:\Windows\system32\Pfepdg32.exe

C:\Windows\SysWOW64\Ppnenlka.exe

C:\Windows\system32\Ppnenlka.exe

C:\Windows\SysWOW64\Pjcikejg.exe

C:\Windows\system32\Pjcikejg.exe

C:\Windows\SysWOW64\Pififb32.exe

C:\Windows\system32\Pififb32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 13244 -ip 13244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 13244 -s 412

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 234.17.178.52.in-addr.arpa udp

Files

memory/1860-1-0x0000000000432000-0x0000000000433000-memory.dmp

memory/1860-0-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Nmlddqem.exe

MD5 e985ccaf02eee3bc9cde39ec0409fffb
SHA1 a096086cf6e0022c0b0bbe75a3c5a4e6d2b354e3
SHA256 c87772eb13c3181d1b3f5af7f636bbd2dcd2ea62de4188f4869b3e48cb0b87f9
SHA512 567bd8bd037914438e2ee3b1d9549eeadb7853b5edb08c6b808af63f1c603680d345a49b5e4a8a69861afe7af853af67f4513250cda0eba30f108c85ba5b0769

C:\Windows\SysWOW64\Ndflak32.exe

MD5 ba7bb243b9bcacee456e80f0d7d776b5
SHA1 7bb8c68a770faeae135bcb535fc3283cd9258342
SHA256 169de15e99779a82fa6b35a3c684c05fb11eeb1239c762ece7da060f5309a24c
SHA512 da8d6e239dff13705f7ec74aeb17a2196acd58058ac022e6b7d3a0931d809c55b9c07d763c158d6281937f9c47cd8aa0b0a9ff642852ec4c950ab81346f08f38

C:\Windows\SysWOW64\Nhahaiec.exe

MD5 d0475d2f55e6aa4c8dde658eb12c134e
SHA1 50053b584938bddff606697a21ba2409c147880c
SHA256 deada72acf723d85125a8b7d84b2a5f165330500e5b89faf28f0e2bbcfb8bc9e
SHA512 6595b9b3c48bd8ff363495e18dc8d03e081a7134a0af208bde8082182c43988266fad1b9e6d44c0fde71e9a16f2cc833c7a694e2198f8e48aa6ffbd4882f2942

memory/1832-29-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Njpdnedf.exe

MD5 025e08a6f9a1ca89a38f3a382bb3cdfe
SHA1 dc92972f927a39d08834817091c23ee8796f6ede
SHA256 2c70ad276fe9d5e30de9dab8955ed049ae20e92253d41d86cf49d3a7b257240e
SHA512 85ee57900cbfe8576b4377a3ce64281e2342554aa677d9d84c0316d099c12bdcc88be4036e288c0ae3cde7bd6b12c230a9d44681ed0b6460f2b76331b553948a

memory/744-33-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1492-21-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Oeehkn32.exe

MD5 4b03d34768cc795920c652bc7c94e996
SHA1 7ebbb8ddf8d6961dd727d76084da4ad04f4eba7e
SHA256 d442a645e1fcabfc8be04d08d12c0110fe4417e998fabdd98e5adbaf2bdc6ddd
SHA512 f2786b9f258aad9f0239cde98dd7eab107a2c6d4033e547b8bfa1dc22ec0ed5a95bdb71a62e1e659eef0132522582c7828258b9422395e4fb84e4bd27b6221e6

C:\Windows\SysWOW64\Odhifjkg.exe

MD5 24dba2b94c61ec0ccaaf36e185ef7f10
SHA1 4d9e4629c78dcfe72c2d7411daede9489688c959
SHA256 947953fb125649a743776accab1deb899cf935327ca314d7eee5dbeee00496c0
SHA512 b43f71e89d0e2d1717b8f64af274985a99e53b1868890fa4ef3533cb38ea453db0b24473bce52fbd03af72bcd756efe0d7088fe230341474fddbd1a898e08af8

memory/3376-45-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4924-14-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Onnmdcjm.exe

MD5 0c24eea6c67f34dd84a7f628250f3f7e
SHA1 584518b3b1f05bf1ed4bba0ccdfa097ed6b3cf56
SHA256 99e7fe8d5d741a12c8e6373ee62695b9b62159462b68e87b3490f36988447731
SHA512 c5427b4f154b0553471df71a09b6a633d7769deab4f60029017182522eeeaf8023d7f08fd91ffe1b8d846de78db040a328dec3f7914f66067d1cf66d93f03dce

memory/1564-54-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2620-57-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Oeheqm32.exe

MD5 1758299af632d92778e466403868b75e
SHA1 da9efa7eec23923b83ca17f1ab5f2be93eb3d19b
SHA256 db902047ae2a49fad2ff55cca8119d77180f6e89218610556f7b45a469c3c934
SHA512 5f0a83c0054a12c46db6b3faf737cc9bd0c3db5a00b12979494044f5bd0e37d70618aa67592780671a2fbecbd8e213be2f058667f1bd39681067ca9ea7b798da

memory/1176-65-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Olanmgig.exe

MD5 1359142458b93af8b673ae8f668a03b1
SHA1 d8894a99a1b7bc295a885cd8ab7078f06d05c497
SHA256 2c2eb6623167b2c2ca3297a2b608c427c22620b76fbcb706c6444ebf30ddbc50
SHA512 b03dc6a77e4979b7709ff5aac997514a041fb56ff8bbe608b56c807ff6cb3688c904699dece3cca62cecf47238e18b9498bbb98709d81c112e156252ff6b8617

memory/3976-73-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Omcjep32.exe

MD5 0f5be4ee373339ccd1dc857eddc69ec8
SHA1 bf51a1305f1a7faefc4f9b88e23a110f8a76f53f
SHA256 3f20b4d3f998d798e4a680db7ceefb3bf8f014c602ea62d09a275aaa4ec7164d
SHA512 5e13591acd382ddd9cd448621a927f858037d742e38890afb3f7c5794e5f95fe0c7ae700d55c0d21449a13d5f283416b96f1fc2bfcb53fa7fe6d7e3414171a54

memory/3096-81-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Oejbfmpg.exe

MD5 d6e2a0391f236228c4eb28e1cd163ec0
SHA1 9f8790c76fe214fd180e89e95daf75877d6bd295
SHA256 25f23654516bee29a49bad614db8456bb847ab0ba739cf314aaf8e3949209a3d
SHA512 250fed489cb1a566d87234c5b34756e219eb8d98e540fda5647a3d4029470bdcc9fcb3bd3d14970cf5a123f21efdf8536e66648e11eb21802e530be392883dc3

memory/4784-89-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ohhnbhok.exe

MD5 22a7e82e647a71b26c6d7e0e17a9f77c
SHA1 b8f69f2e30fa2d481e0a9f80e04492994048b826
SHA256 670a59c773f243319a1cfe72e0a30d04d0a456725990375cb527a308e53c079d
SHA512 d35ad5d170f17c2fc57422512f48dd8e4a65800e05d312b075fe8cdd633f6a5fb733150b6b3ca960d6c71032792d5b5c42eacb747de129df9897527f6cb8d236

memory/2876-97-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Omegjomb.exe

MD5 03def6f23ff63675891912876bee9dd1
SHA1 8b5dcc3283f99818784d9be60edfcc5a0ede45d4
SHA256 945efe5739d77e4ab50214f2d06c2aae5b74db9ca44f008e8d25abdad79c1464
SHA512 51b905f983e1cfbdc13b717f008ce6dad41ccc6a2a787bfac232065cb8d9749044bcf7e3f5213d8de01442b438bd2dc9484ca41a208144754d76b12846a3cd8b

memory/5036-104-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Odoogi32.exe

MD5 d0d9c9075cd76e020a45207d6a3bd9f1
SHA1 61972864558136afbcf490cc2f5d1071b046c3bb
SHA256 1000aeb39de5cb97a1b6f0495d586809c63557d89124b3f004de104a3303059e
SHA512 7eddcccb0891a6139d6de0117f543f12d27bf1f7956ae6050b468de5a6d0d2a45223f45c0af92529309497747122a1b04fab0851bd20b088c00bf3f149dfaf30

memory/2636-112-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Oacoqnci.exe

MD5 ab0cb66e1f5c6678ec246993a078c4ba
SHA1 4330da3a1fae7d7c395b786d34ca3f320532c2cb
SHA256 62bd2dc7841d0cc42f79bd13dfb782c4c19adb21d26bf04021cb774ace8d1814
SHA512 cd2eec9cbd73d44810f5f3ae7d6f60be9987fb065dc229a27216cd6f71792d5c94c0b0709fd88f539d4d9a25c3625b4575f934582f031aaa2cb21a6d48cecd01

memory/544-121-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Odalmibl.exe

MD5 400c0667ae0351b5d0a54c32cf96d4ea
SHA1 d67684a1a8e06ec42cd81bfacb2f5bcfe33f55c4
SHA256 2d490816b75d475625ffad69592a6511d9d0870a34d91d842226adce9c2088a6
SHA512 934130ee4f6f7ea5145daae31829b70d76a84a4395502eef7f46575acda176528e3ea8ce7c300b678fd2885afaa74d3d8e5672f2139ef7984d9506b55b29140e

memory/1700-128-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Oogpjbbb.exe

MD5 e47400304bacceacd443a4855cf4044a
SHA1 513d5902402f90425c56931a968dfdb4cdd5f884
SHA256 3660d1dda96131739eaea23358ec1671069c6371b3de16e9b0cf1fd299897155
SHA512 cdc24d39e760c11105490bf737b351e0a473c437fc49aa688576e1adf36ad24f3a392333fe5b88211a33f750e65a97f1f91e0de9b53335ffb92f0a37cb50abea

memory/3604-136-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Pddhbipj.exe

MD5 a0df6300f9a57f27cc0ca4f3183dd213
SHA1 5021dde9d4c11f30df2e60d87d61c5c8c41d826c
SHA256 c25cb169014d3df30df7bc4e19ad4d8c0e785cb5b910f1dffb351b4dacc5d386
SHA512 5a42b586e5ab4d0ff1500df1ffba40a854ff1f1f95a96eac30fb91068b1e301ff2e791f6d8c2355a2c916b49c6a5a3f58caf1784156d65b5ab638a5259909d2e

memory/3148-145-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Pknqoc32.exe

MD5 6f1a6b0ff490ae24e83b07543b1adf22
SHA1 72f0ff2e2eb599ee59cb669bea468de1b31abb1f
SHA256 90fa8067ceff353a37dad927b7ca16aafbe724dcd22f4870419e665d2c7ffc71
SHA512 9d1ee12f240c5388948a6e789c5204434bf6628a785a5768a804a518569ed794b5685e0a3f9d69442e60e0bdde1a59158dc2629963ceff65d67e49e5b154110d

memory/1780-153-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Pmlmkn32.exe

MD5 f569febc08c6b5deaace0dd29586bbf3
SHA1 f7df968a42a4e78b6fe9ca23dc55d5bc33c1e9ee
SHA256 4331e082ed1cab34b9c2498172c5fbd1b805c2a8f81d76c20e93083a75e39b62
SHA512 317d7ee04600fa965570c53b7cf018c1ff3e4024ba172556081949981bd3fba6e8e74a5cf914bc9d0f80dc1cb542fa9acefd3bfeb6966b82a7531a8f3aabbeae

memory/3780-161-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Pdfehh32.exe

MD5 b03ded83b0945ab302373a84d3e35c20
SHA1 46cea3134733773675a791e9d3a946cfa33d37f4
SHA256 4cf40e5be575ce255eb138d611c017a6a34f8b1d2b4637e9044aa7da058b5345
SHA512 72cf2e0f15c69081d0d647f7a4df2f56e7d0436df2b3b7ea8d8b8f231030df2b896cfd70782403b9739efa8f83e8868eda7e808368d3243d2e86d8313216e16c

memory/1596-169-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2892-176-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Plmmif32.exe

MD5 3458e92447cf98166e73ce0ab16db231
SHA1 e4df010570a44692605dd0d9507501219bcea864
SHA256 fc548254e342b1d77d3aeedfb6ab293e711af4ab11339347ddc8ad8346f8a38b
SHA512 f1dedba10327290768bfdeb8d58bead4c0fa7748f5e49e5d4e478f564c3aa4f03e517bf4fdc99f392ba866403916969adb54bd4f1eaf0af894d538fa386cb7d2

memory/3000-185-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Pmoiqneg.exe

MD5 e191cb40dbf718fe88653030991cb58f
SHA1 8bb6a6166bb109680a0d337fcbca2bcd1faa91ad
SHA256 aba76de25100cc601518d9f653a06f5e5b23038487dec4df4430cb4ef03f7fdc
SHA512 0ac9e55e52488482df38047e8b78f62d1026e5b4cd0c4229e744bfc592471e93f44bc3d56d843e9c5b02b2428d54905e89141bd9b167d673a514864d2049735d

C:\Windows\SysWOW64\Pdhbmh32.exe

MD5 0a39f9558195388732503a3b12035313
SHA1 fdf271a02f55125142c7f058ff831210511a8355
SHA256 2791a74e5416f6fe4559e1a8d5f1abe0c429ee4b83dbb7f0e08c408391d9f4eb
SHA512 5e7b5541f5a3c38af3ddfe55cf93273cbd36c38e5649fe6f96e4fba3c1caaa89f0d1e5fa317589ed02697e0c0e40e900f471bc85ffda4bb74c395fe8dfb9526d

memory/4500-193-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Pmaffnce.exe

MD5 5cd4c58a285b44f43080a3c74b447b2b
SHA1 8a9e7afdab689a6ce313b8761f08fd0bcef523f0
SHA256 94fecdd1efc047b67da5dbb8e43864f3ac5fd4c282c68f54a2614357dc66b966
SHA512 9f4273f0a99289e9e03ef65a73bed82a80433ad1a6c08288ed80d13c0d3be356b7c51285196c214274d2134099e5a36ff89e9a7e8b542111f1a4927b3ee2b155

memory/1620-201-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Phfjcf32.exe

MD5 bee671c4bc171b6141658bb9842d6a1b
SHA1 741bd2f3af5e88e7c4cbcfb8ef5a071feb67314c
SHA256 6ac618f633904cbe33cbcd219a0be48d93d95bbec8a69d48edfef75dc53901ef
SHA512 41c810001bfcbf1daa958b77bdf2213608f427a041687ea510e2897aca5b290d193b760d437f838f4c8fbf96ee4c3ef93c65f3f139ea8c3c3483b98004f590a3

memory/1568-209-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Popbpqjh.exe

MD5 25b68f3c1a7463c9f1fa75263afc757e
SHA1 122401216b3b8c2fbefe29d341bc9bf5ee348a51
SHA256 a8bf310a1e6300cf7d27e3be7e83f7864e8983777ae204cc9884c3e0894d7ece
SHA512 a090d32e8a71e731aadcca64d94e81ce1e36fda0b378f5077802cd7c3e405d863570e56754ff773cfb48e0f4d70eecea00e60264686f9afdc7c6fdafebb02581

memory/1968-217-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Pdmkhgho.exe

MD5 3802a678d44a300d9cf6244e802b8d16
SHA1 735ca2941e9b0ad17c6489b896379c01e490a5b5
SHA256 0433459a72809d79d9383e6896cfa8d455ba6da2f5a83ce6c44052523b8fad8b
SHA512 293c8a0646e4e625610a6740329b5ef93a09b1c9e1d6fa2c9d985e3d99e3f5b357082300bce301516c020b316b1e9abe73e1f386aabf6f38eca71092a5aef4e4

memory/3956-229-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Pocpfphe.exe

MD5 6507b5ca8252efd6bf3db4a64a956637
SHA1 6485b54a26186480f3a1e90834ec4b7ebc0f7678
SHA256 18279c189b180efff1cadb30fbd991adc03283f1e6a9cf1e7396d142cb0523db
SHA512 fd22ada6b7f5b877db6d3a5268e177020b1a688b42eb4af4cc8a45d6984a7d2de89fccbb979d72951cbec576f521b2cb6037c454f9941fbe00e1e44b27b08a97

memory/2252-233-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2564-240-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Qdphngfl.exe

MD5 1c4aa2fa0ac4a6dd75c9889d71836f65
SHA1 35c5d7d027c0cc55355cf96001aaca2eff68d699
SHA256 4c767c025d300c4be8f103ac6cbfa05e22b53af9d832a6e2b990f68ff8f2d4b7
SHA512 aed195c99bd778c24e605050e852545ace160cbb8ed02ee1383d0e41a1f6d181820cb0703f2e2cc389abec28b8a2f5bf209f084f0cfa1a37ef2049aed85dc5f1

C:\Windows\SysWOW64\Qoelkp32.exe

MD5 e268ccbd34d299e7f819641f6487e1cd
SHA1 aea26cec6f4bb85ee0d25cd534222eecc649d573
SHA256 df1d4eb719311a69f71801562828b7e685a2461f3d4fcf05fa41151fbff1d384
SHA512 2e7906cccd14763e66b33486a0a78d2441dc3b28e2fbca990b8e003b1092c717886a8d64d0b3a802a739311e0662b01fec1a9847d6df12177488fb12e5c871fe

memory/4848-249-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Qhmqdemc.exe

MD5 fa8b9253660b6ea8d058010141f93e2a
SHA1 a8338609e8c6b4027e6b0470de12027dface363c
SHA256 57fb384eef7d1279439f241c59a29b5ba0adf237817438f04efe488a222286e7
SHA512 6d6db48bf863e4331f985329ad732c2504185eee90e343185e246a28892fb32156e6593f22f0a339470949f5103c0ff52765f9d08eb3925c74778928d1c6a556

memory/2992-257-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4064-263-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3480-269-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1504-275-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3052-281-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1632-292-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2184-293-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4624-299-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3152-305-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2820-311-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4348-317-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1208-323-0x0000000000400000-0x0000000000442000-memory.dmp

memory/552-333-0x0000000000400000-0x0000000000442000-memory.dmp

memory/32-335-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4612-345-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3340-347-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1412-353-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Alelqb32.exe

MD5 c7ba4a423cd7b093815c6ae50c5b575c
SHA1 514483b733fde7dcd8693f2ae86d8d2d86cc2f84
SHA256 719f4c95de33bc980bd432b1f1fbb0a0a6176afd046fda7f410bc042b9edfa62
SHA512 792df1816c73a8611c3060561777960103c8c39bdb0a613213f752eace7bc126f001b7af7823db16aabaf5af53b2b3d856990336eb970be21f576db4dfe7747d

memory/3284-359-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4724-369-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2216-371-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3064-377-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5088-383-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4072-390-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1260-395-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4704-401-0x0000000000400000-0x0000000000442000-memory.dmp

memory/548-407-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4084-417-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2160-424-0x0000000000400000-0x0000000000442000-memory.dmp

memory/232-425-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Bkaobnio.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3160-431-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4564-437-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4968-443-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3752-454-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5132-459-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5172-461-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Cdlqqcnl.exe

MD5 8f3122e502492c91a2e0def056276c12
SHA1 2f15315ad42de968b9b6bcd3471fa19068d667e8
SHA256 736df430cc4e5b4f1ae8d542067ed9898ba60807176956df81ebce330a6ba1df
SHA512 3fdd8702557631461503e6e306f4508df9474ebaa70f69e1156ec2a06af54f6ac8d8908d5e9801ae6aa1958bd348d1942d3d30c989aa4ae6e685e466699d9051

memory/5260-471-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5316-473-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5368-479-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5408-485-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5448-494-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5488-498-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5528-503-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5572-509-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5612-515-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5656-521-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5696-527-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1860-533-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5736-538-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5780-540-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5820-546-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5860-552-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5900-562-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5940-568-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5980-575-0x0000000000400000-0x0000000000442000-memory.dmp

memory/744-574-0x0000000000400000-0x0000000000442000-memory.dmp

memory/6020-580-0x0000000000400000-0x0000000000442000-memory.dmp

memory/6068-583-0x0000000000400000-0x0000000000442000-memory.dmp

memory/6108-594-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2620-589-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4436-602-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1176-600-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5252-608-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3976-607-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Eiloco32.exe

MD5 4f8fbf3f3f39c993291ea13fa2d9b8cb
SHA1 1fd1028cd0fa5b6191224bb785ea1382b5b2d7c0
SHA256 d4ccbef3ea56d480c71cd74539793a0dac9d4c253618b0d3cf2abe1bbca530a9
SHA512 dbdda43b11d22b0c64df0e84257ecf65452b9861c1f30b8a5b7bb2a6c8fc97a10149e19252ac2608498fb678576020de747a8088bd4067f5c5408a50bc04bf95

C:\Windows\SysWOW64\Gflhoo32.exe

MD5 95b394557bf6aab073e534fbba7c68f7
SHA1 cb01f6822675501e4ef97e7ce79ee67b08a268e9
SHA256 205159f210b0514850ffce65fecf9baf5e03e2b2713e3f08000760ce127cdbc5
SHA512 cf986d08b9723691c78d02cd48067311329d3d50694679f891d4adf523657f7215e25e6ce3d149d1613ac667a779c3763e1e71b3f68f5a66996e8e40e95acccf

C:\Windows\SysWOW64\Hibjli32.exe

MD5 1f2f643a8102c38328af9397eb42f0eb
SHA1 adc1a9a59dffa19b5e718738e35f6cc4fe228a46
SHA256 bfc69790e26be7b7e6c574bec7ceaa11cd70fbf7bdb893d089b424503fb95785
SHA512 93d5fbdaaa2d814a3d8ebb77ebbf8332414e591f83c7369025d664208b06e7dfca3cfb7c4d7c22fd6c131b9f3081f00da46828826afcd9a3f0601e80d32044d4

C:\Windows\SysWOW64\Hifcgion.exe

MD5 6dbd705fc2400105490dd65520157757
SHA1 8286f6bbb9023c3f0c3994f07b27d6b7a99403eb
SHA256 09fd28def17cf1ba893bf5d1eeb4cf1d9c3f4de99d9d3cc193413c0224b0b3e6
SHA512 32581d4eed930baa926abcee557598400ccd364b054a8567671577a5619a0411a3916d319815e050d1497e0008fffdb12632e5859f22e6d04810d87f844a40a9

C:\Windows\SysWOW64\Ibcaknbi.exe

MD5 417ff51791fed13c4fc274c53f06504e
SHA1 179b8e4b0a0995a7cf98e22bb839d2c0eacaf29f
SHA256 4285cc435f938fcbc3bd6735ddec1c8fbdf7f92db641f038a22c4b4aee42f7d4
SHA512 e4291e90107332c39292603922b9136c6e88bc4f352041ca9df6952502efe9eadfcb11daca5fb4f283c8c289eb4bcb8c95bc38706fca45db7c62e1aa33eb2657

C:\Windows\SysWOW64\Jpaekqhh.exe

MD5 249138b1d3633a6bd5558277d034e6af
SHA1 a02d65d9c574657167d8195fafa7083c0238c4e9
SHA256 7b721f7bc1236bf967c9d84f25b59ac1df08fcb22f3c3a1aafd02263da8083f7
SHA512 2e02ea24ee4e6fe5a6db4efe119b9ee1566a05a1dcc8b5204237dbaefd40f9949c9375536ec0ea994d165cb536cadb7baffa585cc3a799254566d0cca15dc30b

C:\Windows\SysWOW64\Kegpifod.exe

MD5 bfb9b87795950356439ca1d5f2aae960
SHA1 0fcfd95dcc9cd3cf24175b204688bf9443ad12aa
SHA256 f1cdf81d05c241b6dec75b3c61c09bbe68b967bc27022823b7becd513de43f2a
SHA512 373d8b2a5420f8aff582a416702900b51f6dd744c02187f7568f12a5edadf9bba1b25a4fe482c50d8db2b1357007e6770e21a490d1aaedd2562ef69792a9caea

C:\Windows\SysWOW64\Lokdnjkg.exe

MD5 74ac038a5d2d5d8630d524fe9fde722e
SHA1 6810ebad25a25187ad2cebdb5609fb4524836799
SHA256 700d5ae3b21533ea1cbd31446f33e37badebbca4c49cdf39b949820fd986a167
SHA512 0193a9be76b65c9ef63ee69360dfdda9f18af54940fcac75b93d3286c0316756865c9fc0ff7154c9ad55ab771d50fe4d21ec844f9683b0bba4cc0b3d1d64c3c3

C:\Windows\SysWOW64\Lobjni32.exe

MD5 c4214f11f7bfd8f6fbf4196cbe970fa9
SHA1 36910a474f1971df4e35a1255c39320860487487
SHA256 b21468664947b94c53fedbdbeca074ed9d3e0f54d58b794f98fca9a52502a38d
SHA512 ae45918d16a9650d29249bfe3b300a9d5c732d4bf86b6a1b1bfb102a2ba8167c6ee9f53d2fe65864f80b7bd7d734ae82e5d57476ebac2e2a28b7901c2bf01260

C:\Windows\SysWOW64\Nmkmjjaa.exe

MD5 d905b30aadade651a826c2804abdc3f2
SHA1 a290a82af308708b211fb5770f71646483e433eb
SHA256 4f3d5c29712f074425ce381281770464809e99343ebb3bca2334413f4bc9ed50
SHA512 0dcfdbdedbf9ad65c94c0b773d7f232e727853611f4e8e2131bd6d0844cd459eb19a5eaae8ed11941fc8877d0b3f4d4d367fcddcbb448679467b48dde156578d

C:\Windows\SysWOW64\Ondljl32.exe

MD5 a37aa08dd3649ee60de140a6e4d5b65e
SHA1 1e1546eb007fe2a3a56acca256fe54423c57079c
SHA256 ee4e7c9b110a7f82c273ec502f5db1ca6fe16e0f687643320136a9232624a0c6
SHA512 a1529e2f4a49cd489954f2465e1c2baf925a29eafbb2f40474477d917d8ca7fc7f1093e8e014d42ebfce6b1f22bdf1904f1b9bc07ffc09f0d8786c3fd526f1f4

C:\Windows\SysWOW64\Qhhpop32.exe

MD5 b468dd397fae2bc299eedc358b393b9b
SHA1 aa26d18b92ffa07133bea5e61120f6a20294c982
SHA256 28b1c72994d72742827e1b4cc964992899b5b7be71686a98771fee460994eab8
SHA512 8134e679bf45d6eb8ce75e003877de0598385c606b8594c5447ff0a8f194bd3d2bffb8780e371e784bace1833aca57e2a45cabfcee0067fe107ec928e9becff5

C:\Windows\SysWOW64\Qpeahb32.exe

MD5 b4209075bddda4284809857190dcc401
SHA1 c9434a0669d71a2d3aa2301f7870f44a91bae7cb
SHA256 a950a4741008f7badc135af1606cd08a48de0f9ce30a5c6f0d8e63c86aeb19f8
SHA512 9e9bc28c9454fd358e18da965fb75923097c61de72f5ef145274c7304b2fbc55d4c31426fababc5996d9969bb23fe125b91f105ece6be474b30bcd5e1210ac5c

C:\Windows\SysWOW64\Ahaceo32.exe

MD5 da88f3c031faad504b785fd1afbe62f5
SHA1 8bcbde041f6472b9f05af02ef5c31c4a133547b1
SHA256 3f4236a29c233c5a1da9a53a8a1580b5fd7fb364c358b9e4e5c59332633bbfbe
SHA512 3d97ca8b177e1bf5852e7b1e8ba7dc20b9e97ead11a79f653be97fea55aac8cc34347195657e070c1ac022b19c5fba9f96e46ca77f15173a57bf3fc1f9806550

C:\Windows\SysWOW64\Aonhghjl.exe

MD5 60824c78240bcc4db907da3cdc063a62
SHA1 aebaded1254eac7ecf8545ece9907c1afbe3074b
SHA256 b29d61cece56447597684a6576bbfb634e7c397acb7f11b2a84a99114dc56988
SHA512 b04c916b2cf615fc557e11e91b327adb9fd49bc81f4d40f28e52cb70cb1a3ecb4c39ea356ac87a94369cd1346ca473150cb2802a2bf43b4559c8869b9a5b1eb4

C:\Windows\SysWOW64\Bgnffj32.exe

MD5 b4b997c6f8bf19d241c88b939e41f26a
SHA1 93e291ab67a727a510a241bd2eec473897b00fb5
SHA256 e897c377df7f7f7d7e733e7543db27f9cdfbb3323707b1fc2f8440317a75370c
SHA512 dd0b687a237a9e03950525d65f42b08d0ad99e48fe1f05019b591656a9844feb42e5669ad643f2cbea7bd714ec06d05146d89ca8ace2428e6e346ef7644edea9

C:\Windows\SysWOW64\Bdagpnbk.exe

MD5 618d20eeefc1f96949d12fc179846331
SHA1 d0197ea6f850a4a83cb7f46652240b0c18081cef
SHA256 635237df1e159c1d1aabcab52893533ab71f34b339c5d923ad02f5d12da2f3f2
SHA512 dcc915bc5ec1a53cfaa48c9f0a11f1de5d99e8759f05f0e68f2233fe9498ccae01fdde479d7c6bdccd135a43d88227298d26758dadc9c82daaa07e6cb5cafd2c

C:\Windows\SysWOW64\Boihcf32.exe

MD5 75c82eccb919bb04ba3b2682f6c8447e
SHA1 a81c610bca1323ee593e635097d26f1189659d5c
SHA256 cc897f7ebe234b84625d0c9a710fd11e57439919ff47b4415da3a058dfcf8b79
SHA512 5db2fbb40c93922a88350b18de593524043ed0f85f9be4fb36c95a1d52e9768678274cabe9a73d87a181fe20e6cc38048a66012a0ec42c0ddd1c8ff168330732

C:\Windows\SysWOW64\Cpdgqmnb.exe

MD5 d0831ada504da87b0148bee9afff697e
SHA1 34d83b82a2755e14777edbc98f7e56ab26e53032
SHA256 dc75acdd634874eaa8033dd9ce82a7b16af3c647c6b64e4a5d7a39ecf3983a57
SHA512 316bb9b84b707ec96433c9bf1ca4da2d63778a2a2e15ed8413c83a37610600c794f7188ad3477675f0d4c31992bb20cb461133cb30827f2aa5c643625f208830

C:\Windows\SysWOW64\Cpfcfmlp.exe

MD5 9c5904d0289ae0118f7dc56b7fb4c80c
SHA1 83e60582fd66f33425adc32f833f257f396fc384
SHA256 c12a79d8aedbc8193fa3669b1ad5eb0fd82c524bb4603af914112176274e9ce6
SHA512 e9e82fc2f7191f418a869b2ce49563a896bac614142385b8c422dc81903ee6c121140d30fb88266a896000916002a83ac7f44dc52a403faece860d26aa8f59ca

C:\Windows\SysWOW64\Dddllkbf.exe

MD5 35614cb2c0fe3cdf93c702aa2b09d87e
SHA1 4a09db76ccfa307ea4f52b169b07626d730cb15f
SHA256 294496cf11305a77e3118f514ea7f8c20f99296887028904f90597d935088113
SHA512 9422636a9928794e7746e67a655674f2fc86d4f5c9cae5432d25def133cee2a053d96dc7de16441de2f38a28904864fabebbe4d80e1b780657e8b68741e1311b

C:\Windows\SysWOW64\Ehpadhll.exe

MD5 671e3c4671db762efbc81a7fe8cd44bc
SHA1 144156a9a3b91012f10cd85962a41a4ce5b64911
SHA256 9d867e5d945ed8fc1d0db75b6daefbacfe550399d4b3d6d90a684e3f890fc0e8
SHA512 2cd3c52052458d8169f6f404a90184530d8381d643b46fad711f631064979187b6348fe5445029803146e7a6cd920b1cec36e5d74ba36ea99f93cbc5535f3583

C:\Windows\SysWOW64\Eghkjdoa.exe

MD5 3436db1786f5987260669770a89cb7ee
SHA1 8a40768b3f52dee75edde938a3664c537fccb6e2
SHA256 a8357648e07132c6283b6e4c7359719de2d25bc1b87abfecbfe5e3025321e608
SHA512 2dbe6b47e50e83870f9049aaa9cfd5ac11a24f3399d6eea4af408aa19e783f7ed28c8b90914202cca6bcb2135fe4dcf99fdb691b4ac7801fed9f4222cc1ee8cc

C:\Windows\SysWOW64\Fndpmndl.exe

MD5 c056e02a2814745e4312b262143a8a23
SHA1 3acb2108ebe7804dd842715ef730305025f895d5
SHA256 3deab5bb680a0256676076182384627963eaf48147860503b0c6a97f71b4bae0
SHA512 79378bf5aaa8885d0206de50775555780e9735fabe1ecaa9ff9f52b306f326c6a3d0ca66c7229cd9c8937fc6b1376e6cacec92931552bc6e19d8468b9acceaa3

C:\Windows\SysWOW64\Fgmdec32.exe

MD5 7ee837486bc4bbad50c0be4a19b64a4d
SHA1 3729421cb053d9c3685c4e4a678d565432a5f435
SHA256 ea8a2598b44cd6cf0f31115dce09bebbfa89b63ad38a4dfca96c29cd0585cbfe
SHA512 a9768e01c1cbd9c6469688d44b106941dbf3f12e41adfadf0a9b2f39899d60b9fd51137852fb4aa442e721bb735020c21d955595889633ef739499ed6978dfe7

C:\Windows\SysWOW64\Fniihmpf.exe

MD5 8de981a2a043b866dc545f5091542e0e
SHA1 6c314348df6e78751d60c921c81d54acc9e78854
SHA256 417afd423f945c8058a77f6f47edb79d0f376718569c793a2dced0965375176d
SHA512 c37f431f666bcff8556e76f9d699d38818b9096100a7f13258852a4b2de5a4651e993c37b2c204a64d0e41e4557b0d591e83d1c00477d0deb679333a0ddd1f6f

C:\Windows\SysWOW64\Gpolbo32.exe

MD5 0047478bd1ef46f91148dc291ba9ec9f
SHA1 7a7ace65a8264b287011130603f517d3f58e3925
SHA256 725ec7947253ded3c9abb7b22f5c6f96b9c7c6dbafdee412a8c427ada739e925
SHA512 0144b5a20e56753a09902a023f5266e59c26fa5b9c4d09f7000da66f581d8a07c9e6ea1cc9b5769ba5a3cb94e54a25eba2d351bdf6df0b7aa2412000c73270a7

C:\Windows\SysWOW64\Gngeik32.exe

MD5 ff26498bab561ba392722ac1651046af
SHA1 45d9bd3883ba8253be4dd1142ca5ff98ff6f3f9f
SHA256 bc65fa19de59a4f20f81450603f9e486a85771a446e55e96ff519bfb5d0790fa
SHA512 4bfc377eed27cf083175cc3e9b617f09002dba72216ed4dfff8ffddb80c8e77a0717267333e55fce1c941ff8e5d2fcfbfd28e57bd104e66fd1f248251eb77854

C:\Windows\SysWOW64\Hajkqfoe.exe

MD5 a5890c6d832ae94fadf6395c94901481
SHA1 67a36c06f16263bba6daafe3f40f61d0341bbd88
SHA256 3186c476f675089e49388b62796022fda2b453e7af31dc4aebba2751c19f49bd
SHA512 3f0fbce70a1c1bba205bc749dfff2ac5cd3674fa55533c225b3df4f7a45bc4e6e8a7042a2f0f7a11069628491b2be57736c764e977070ed8d342acf5ef123eac

C:\Windows\SysWOW64\Jemfhacc.exe

MD5 6f953be20a10de1f9cd3fb35d316b729
SHA1 7fae150014c3c70758a9c24cfc11474bfb3080e0
SHA256 9c49286d5d70343ad96445cd898d3bd22bd6db97d2f01014aebd034b5060029d
SHA512 ac30830f41759d0c73e1cf29385bad21e466fddf9abe75e4b112d8a077dc134904a500a2c32f26e42e17cca1bcb055e470dacac9b729a87f8ef74d23ae99b6a6

C:\Windows\SysWOW64\Jeapcq32.exe

MD5 f93c1c91fc6767558fb4a309738e53d2
SHA1 179ddb8da9cc2dfc691b1c0af70c96134f6f96a1
SHA256 66b7433fcbcc5b278771b6341f27da0b6aa116f5a8cea3bdcb48e1cf9699e0e1
SHA512 21ffa94f893d1c0724258cc9f32cc1ff09c383aa0105fe7222c3833d2bbaada405e43eafe13499f74f7bc940aa7d4bd9bcf87d445cb01e2f5de25b70bb59ff71

C:\Windows\SysWOW64\Lakfeodm.exe

MD5 32915a13c5fc3a254ae62b68bdcb6992
SHA1 8d808ce890bcd98c564fcfa3fe152305bebcf9e0
SHA256 3cf72a81e8ed111cde1ebc1d898fcee41ab06e275c01f79242236e552151e9e3
SHA512 f4f5af7f5690edc608bc234918abda0781f217f15a99f2705875f003439000a85b2a00fcbc1f5ebca97f6b9d7b9c9883d1488bc1f67657e65d77d1d525b79f07

C:\Windows\SysWOW64\Mjidgkog.exe

MD5 e1a4a4a2f368a1173ecb7a0ef77ff622
SHA1 61d9b65778bbad3c8ae5b776d253c5f44dcc6f50
SHA256 3f69a513000168f82d7b18959be850e7b55e8f4b73a3d6bbb5d32b12a89cac27
SHA512 4e544267171b7d70e70ec7d7aa4471fb93f2c31479b2104daa798c9284299ef80f2445ad03a8f62dd2e17061d45efcaa6b72a533a0272921949b5cbc4f59a170

C:\Windows\SysWOW64\Mfenglqf.exe

MD5 4955b670e16cfc9de4ce3153b82206d1
SHA1 bae10f03270d879c82f4def3c4f8e982eaeb2e6f
SHA256 8bf86678c75abc383f724666e9d65947bd67d725fa95c53da77e227a38b73a41
SHA512 036c157bce55bd2e961cbee62f225cd92f6eed5b53ce9b4c896107bd8d46b68fb895b1e47924b250bc802fda46ca56c216ee4a51599309c8cc078b6c23869e41

C:\Windows\SysWOW64\Oophlo32.exe

MD5 97f92ae3a09bbe2f4a748a41e24dad34
SHA1 c4fb6a4547aec5562ab483bb699fefa7934b2f06
SHA256 9c32ce4d39e37158e6599ce6bf4ee16f37d06b56e819468260b3a21127c0d0a7
SHA512 edbcb994eb3962eb7ecb306fcdbd0771a646df89675892597cedf023df37d29099d40984f8bfb2af6605285cdfe088d38ba8cf99459d458c2e94bcbe908b9cff

C:\Windows\SysWOW64\Oflmnh32.exe

MD5 b52e713490700ebf376769cbb8a31f62
SHA1 59f77020858c7ceb2180734d1ab2d07ce78f0e28
SHA256 0db74382d5e45c3d0c839df0e31dc89ce700920072484a6645607116cea11553
SHA512 ce771e143a2b07a1808cc074016554705e84775fa70e245f35b03abc83461360393092e19b032d83a9a56fd2d8551e15900298bbe13d7860adf1fb59a087c895

C:\Windows\SysWOW64\Pfepdg32.exe

MD5 8690186b7043d7e5dcfa2ec6102786c5
SHA1 91dc897212963f65f43771f23fca5e1e18738e90
SHA256 96df1d1510ad440d994249ae7375d404d545ad6d9eb7277c6eab84dd5281f6c4
SHA512 7796e5846329bccd9054ac1cd837ebb235f4b45f1d112bc9bd92629610f67787feffea7b9a11766084e9461af026e53447d0057046f183a1be72fa941ec38301

C:\Windows\SysWOW64\Ppnenlka.exe

MD5 22637f9cdeda7d1f0ed4a481dec431cc
SHA1 e8b4480cf7a9ff2521cd71e88ab139d09a7157aa
SHA256 ce1f3800cffad30c6efa126c750014c2eaa5b6e43f746a0a2b9caf905add0169
SHA512 2ae458287be496af11f3e5eabd5c598a526d044a90907632e4f1bbb6fad3e4c96a66093347e6dda7b769fe6b4f6f22b0a86224011e2bbd2c602377093f7890b1

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 19:48

Reported

2024-06-02 19:51

Platform

win7-20240508-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fhhcgj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Filldb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hgbebiao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hggomh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Enihne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbijhg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gelppaof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbijhg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fnbkddem.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fdoclk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Filldb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Globlmmj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghfbqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hdhbam32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fhhcgj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Flabbihl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fdoclk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffpmnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fioija32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gobgcg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gacpdbej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Icbimi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eajaoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Globlmmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gegfdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ggpimica.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hodpgjha.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hacmcfge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gejcjbah.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hdhbam32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hodpgjha.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Idceea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Elmigj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fioija32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hggomh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ealnephf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Flabbihl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Facdeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Enihne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hacmcfge.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gelppaof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gacpdbej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eeqdep32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eajaoq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Elmigj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghkllmoi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ggpimica.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Idceea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gaemjbcg.exe N/A

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enihne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elmigj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhhcgj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnbkddem.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdoclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Filldb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Facdeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffpmnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fioija32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffbicfoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Globlmmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbijhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gegfdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghfbqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gejcjbah.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gelppaof.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghkllmoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Gacpdbej.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggpimica.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaemjbcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgbebiao.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiqbndpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkpnhgge.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdhbam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hggomh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlcgeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcnpbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hodpgjha.exe N/A
N/A N/A C:\Windows\SysWOW64\Hacmcfge.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkkalk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Icbimi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Idceea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iagfoe32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeqdep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enihne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enihne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elmigj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elmigj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eajaoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ealnephf.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Flabbihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjdbnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhhcgj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhhcgj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnbkddem.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnbkddem.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdoclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdoclk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Filldb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Filldb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Facdeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Facdeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffpmnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffpmnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fioija32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fioija32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffbicfoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffbicfoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Globlmmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Globlmmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbijhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbijhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gegfdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gegfdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghfbqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghfbqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gejcjbah.exe N/A
N/A N/A C:\Windows\SysWOW64\Gejcjbah.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gobgcg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gelppaof.exe N/A
N/A N/A C:\Windows\SysWOW64\Gelppaof.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghkllmoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghkllmoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Gacpdbej.exe N/A
N/A N/A C:\Windows\SysWOW64\Gacpdbej.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggpimica.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggpimica.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaemjbcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaemjbcg.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgbebiao.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgbebiao.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiqbndpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiqbndpb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkpnhgge.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkpnhgge.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdhbam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdhbam32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ogjbla32.dll C:\Windows\SysWOW64\Enihne32.exe N/A
File created C:\Windows\SysWOW64\Jjcpjl32.dll C:\Windows\SysWOW64\Gaemjbcg.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkkalk32.exe C:\Windows\SysWOW64\Hacmcfge.exe N/A
File created C:\Windows\SysWOW64\Pabakh32.dll C:\Windows\SysWOW64\Gobgcg32.exe N/A
File created C:\Windows\SysWOW64\Hkpnhgge.exe C:\Windows\SysWOW64\Hiqbndpb.exe N/A
File opened for modification C:\Windows\SysWOW64\Hggomh32.exe C:\Windows\SysWOW64\Hdhbam32.exe N/A
File created C:\Windows\SysWOW64\Ecmkgokh.dll C:\Windows\SysWOW64\Hkkalk32.exe N/A
File created C:\Windows\SysWOW64\Gbijhg32.exe C:\Windows\SysWOW64\Globlmmj.exe N/A
File created C:\Windows\SysWOW64\Ocjcidbb.dll C:\Windows\SysWOW64\Gbijhg32.exe N/A
File created C:\Windows\SysWOW64\Liqebf32.dll C:\Windows\SysWOW64\Hcnpbi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eajaoq32.exe C:\Windows\SysWOW64\Elmigj32.exe N/A
File created C:\Windows\SysWOW64\Flabbihl.exe C:\Windows\SysWOW64\Ealnephf.exe N/A
File created C:\Windows\SysWOW64\Egadpgfp.dll C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File created C:\Windows\SysWOW64\Ipjchc32.dll C:\Windows\SysWOW64\Fioija32.exe N/A
File created C:\Windows\SysWOW64\Gegfdb32.exe C:\Windows\SysWOW64\Gbijhg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hkpnhgge.exe C:\Windows\SysWOW64\Hiqbndpb.exe N/A
File created C:\Windows\SysWOW64\Pffgja32.dll C:\Windows\SysWOW64\Hiqbndpb.exe N/A
File created C:\Windows\SysWOW64\Eeqdep32.exe C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe N/A
File opened for modification C:\Windows\SysWOW64\Enihne32.exe C:\Windows\SysWOW64\Eeqdep32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Flabbihl.exe N/A
File created C:\Windows\SysWOW64\Dchfknpg.dll C:\Windows\SysWOW64\Flabbihl.exe N/A
File opened for modification C:\Windows\SysWOW64\Ffpmnf32.exe C:\Windows\SysWOW64\Facdeo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Globlmmj.exe C:\Windows\SysWOW64\Ffbicfoc.exe N/A
File opened for modification C:\Windows\SysWOW64\Gelppaof.exe C:\Windows\SysWOW64\Gobgcg32.exe N/A
File created C:\Windows\SysWOW64\Gcmjhbal.dll C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
File created C:\Windows\SysWOW64\Dcdooi32.dll C:\Windows\SysWOW64\Facdeo32.exe N/A
File created C:\Windows\SysWOW64\Hlcgeo32.exe C:\Windows\SysWOW64\Hggomh32.exe N/A
File created C:\Windows\SysWOW64\Dhggeddb.dll C:\Windows\SysWOW64\Fdoclk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fioija32.exe C:\Windows\SysWOW64\Ffpmnf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ffbicfoc.exe C:\Windows\SysWOW64\Fioija32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gbijhg32.exe C:\Windows\SysWOW64\Globlmmj.exe N/A
File created C:\Windows\SysWOW64\Hdhbam32.exe C:\Windows\SysWOW64\Hkpnhgge.exe N/A
File created C:\Windows\SysWOW64\Hkkalk32.exe C:\Windows\SysWOW64\Hacmcfge.exe N/A
File opened for modification C:\Windows\SysWOW64\Icbimi32.exe C:\Windows\SysWOW64\Hkkalk32.exe N/A
File created C:\Windows\SysWOW64\Ambcae32.dll C:\Windows\SysWOW64\Eajaoq32.exe N/A
File created C:\Windows\SysWOW64\Kjpfgi32.dll C:\Windows\SysWOW64\Gegfdb32.exe N/A
File created C:\Windows\SysWOW64\Ndabhn32.dll C:\Windows\SysWOW64\Hkpnhgge.exe N/A
File created C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Flabbihl.exe N/A
File created C:\Windows\SysWOW64\Ggpimica.exe C:\Windows\SysWOW64\Gacpdbej.exe N/A
File created C:\Windows\SysWOW64\Omabcb32.dll C:\Windows\SysWOW64\Hgbebiao.exe N/A
File opened for modification C:\Windows\SysWOW64\Idceea32.exe C:\Windows\SysWOW64\Icbimi32.exe N/A
File created C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Idceea32.exe N/A
File created C:\Windows\SysWOW64\Ajlppdeb.dll C:\Windows\SysWOW64\Ealnephf.exe N/A
File opened for modification C:\Windows\SysWOW64\Fhhcgj32.exe C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File created C:\Windows\SysWOW64\Olndbg32.dll C:\Windows\SysWOW64\Fnbkddem.exe N/A
File opened for modification C:\Windows\SysWOW64\Facdeo32.exe C:\Windows\SysWOW64\Filldb32.exe N/A
File created C:\Windows\SysWOW64\Ffbicfoc.exe C:\Windows\SysWOW64\Fioija32.exe N/A
File created C:\Windows\SysWOW64\Globlmmj.exe C:\Windows\SysWOW64\Ffbicfoc.exe N/A
File opened for modification C:\Windows\SysWOW64\Hiqbndpb.exe C:\Windows\SysWOW64\Hgbebiao.exe N/A
File opened for modification C:\Windows\SysWOW64\Eeqdep32.exe C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe N/A
File created C:\Windows\SysWOW64\Fhhcgj32.exe C:\Windows\SysWOW64\Fjdbnf32.exe N/A
File created C:\Windows\SysWOW64\Hiqbndpb.exe C:\Windows\SysWOW64\Hgbebiao.exe N/A
File opened for modification C:\Windows\SysWOW64\Ealnephf.exe C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
File opened for modification C:\Windows\SysWOW64\Gaemjbcg.exe C:\Windows\SysWOW64\Ggpimica.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcnpbi32.exe C:\Windows\SysWOW64\Hlcgeo32.exe N/A
File created C:\Windows\SysWOW64\Icbimi32.exe C:\Windows\SysWOW64\Hkkalk32.exe N/A
File created C:\Windows\SysWOW64\Lnnhje32.dll C:\Windows\SysWOW64\Globlmmj.exe N/A
File opened for modification C:\Windows\SysWOW64\Hodpgjha.exe C:\Windows\SysWOW64\Hcnpbi32.exe N/A
File created C:\Windows\SysWOW64\Fioija32.exe C:\Windows\SysWOW64\Ffpmnf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ghkllmoi.exe C:\Windows\SysWOW64\Gelppaof.exe N/A
File opened for modification C:\Windows\SysWOW64\Hdhbam32.exe C:\Windows\SysWOW64\Hkpnhgge.exe N/A
File created C:\Windows\SysWOW64\Gacpdbej.exe C:\Windows\SysWOW64\Ghkllmoi.exe N/A
File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe C:\Windows\SysWOW64\Idceea32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gejcjbah.exe C:\Windows\SysWOW64\Ghfbqn32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Iagfoe32.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaeldika.dll" C:\Windows\SysWOW64\Fhhcgj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Enihne32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll" C:\Windows\SysWOW64\Hacmcfge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll" C:\Windows\SysWOW64\Hkpnhgge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fnbkddem.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hacmcfge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hkkalk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egadpgfp.dll" C:\Windows\SysWOW64\Fjdbnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll" C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hggomh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll" C:\Windows\SysWOW64\Hlcgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hodpgjha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll" C:\Windows\SysWOW64\Gacpdbej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll" C:\Windows\SysWOW64\Hggomh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hcnpbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll" C:\Windows\SysWOW64\Hkkalk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Elmigj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fioija32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fioija32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hgbebiao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcdooi32.dll" C:\Windows\SysWOW64\Facdeo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Facdeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gacpdbej.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcae32.dll" C:\Windows\SysWOW64\Eajaoq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gbijhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ghkllmoi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Idceea32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll" C:\Windows\SysWOW64\Hodpgjha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll" C:\Windows\SysWOW64\Gbijhg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hacmcfge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpfgi32.dll" C:\Windows\SysWOW64\Gegfdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecimppi.dll" C:\Windows\SysWOW64\Eeqdep32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hodpgjha.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eeqdep32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfknpg.dll" C:\Windows\SysWOW64\Flabbihl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll" C:\Windows\SysWOW64\Gelppaof.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gacpdbej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll" C:\Windows\SysWOW64\Ggpimica.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efjcibje.dll" C:\Windows\SysWOW64\Elmigj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gaemjbcg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Filldb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" C:\Windows\SysWOW64\Icbimi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll" C:\Windows\SysWOW64\Fdoclk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll" C:\Windows\SysWOW64\Fioija32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Globlmmj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ghfbqn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll" C:\Windows\SysWOW64\Hiqbndpb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eajaoq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Filldb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fhhcgj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Facdeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabakh32.dll" C:\Windows\SysWOW64\Gobgcg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Icbimi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ealnephf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Enihne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ejbfhfaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqknigk.dll" C:\Windows\SysWOW64\Ffpmnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqpdnop.dll" C:\Windows\SysWOW64\Ffbicfoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbla32.dll" C:\Windows\SysWOW64\Enihne32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe C:\Windows\SysWOW64\Eeqdep32.exe
PID 3056 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe C:\Windows\SysWOW64\Eeqdep32.exe
PID 3056 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe C:\Windows\SysWOW64\Eeqdep32.exe
PID 3056 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe C:\Windows\SysWOW64\Eeqdep32.exe
PID 1952 wrote to memory of 2844 N/A C:\Windows\SysWOW64\Eeqdep32.exe C:\Windows\SysWOW64\Enihne32.exe
PID 1952 wrote to memory of 2844 N/A C:\Windows\SysWOW64\Eeqdep32.exe C:\Windows\SysWOW64\Enihne32.exe
PID 1952 wrote to memory of 2844 N/A C:\Windows\SysWOW64\Eeqdep32.exe C:\Windows\SysWOW64\Enihne32.exe
PID 1952 wrote to memory of 2844 N/A C:\Windows\SysWOW64\Eeqdep32.exe C:\Windows\SysWOW64\Enihne32.exe
PID 2844 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Enihne32.exe C:\Windows\SysWOW64\Elmigj32.exe
PID 2844 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Enihne32.exe C:\Windows\SysWOW64\Elmigj32.exe
PID 2844 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Enihne32.exe C:\Windows\SysWOW64\Elmigj32.exe
PID 2844 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Enihne32.exe C:\Windows\SysWOW64\Elmigj32.exe
PID 2672 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Elmigj32.exe C:\Windows\SysWOW64\Eajaoq32.exe
PID 2672 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Elmigj32.exe C:\Windows\SysWOW64\Eajaoq32.exe
PID 2672 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Elmigj32.exe C:\Windows\SysWOW64\Eajaoq32.exe
PID 2672 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Elmigj32.exe C:\Windows\SysWOW64\Eajaoq32.exe
PID 2720 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Eajaoq32.exe C:\Windows\SysWOW64\Ejbfhfaj.exe
PID 2720 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Eajaoq32.exe C:\Windows\SysWOW64\Ejbfhfaj.exe
PID 2720 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Eajaoq32.exe C:\Windows\SysWOW64\Ejbfhfaj.exe
PID 2720 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Eajaoq32.exe C:\Windows\SysWOW64\Ejbfhfaj.exe
PID 2648 wrote to memory of 2668 N/A C:\Windows\SysWOW64\Ejbfhfaj.exe C:\Windows\SysWOW64\Ealnephf.exe
PID 2648 wrote to memory of 2668 N/A C:\Windows\SysWOW64\Ejbfhfaj.exe C:\Windows\SysWOW64\Ealnephf.exe
PID 2648 wrote to memory of 2668 N/A C:\Windows\SysWOW64\Ejbfhfaj.exe C:\Windows\SysWOW64\Ealnephf.exe
PID 2648 wrote to memory of 2668 N/A C:\Windows\SysWOW64\Ejbfhfaj.exe C:\Windows\SysWOW64\Ealnephf.exe
PID 2668 wrote to memory of 2592 N/A C:\Windows\SysWOW64\Ealnephf.exe C:\Windows\SysWOW64\Flabbihl.exe
PID 2668 wrote to memory of 2592 N/A C:\Windows\SysWOW64\Ealnephf.exe C:\Windows\SysWOW64\Flabbihl.exe
PID 2668 wrote to memory of 2592 N/A C:\Windows\SysWOW64\Ealnephf.exe C:\Windows\SysWOW64\Flabbihl.exe
PID 2668 wrote to memory of 2592 N/A C:\Windows\SysWOW64\Ealnephf.exe C:\Windows\SysWOW64\Flabbihl.exe
PID 2592 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Flabbihl.exe C:\Windows\SysWOW64\Fjdbnf32.exe
PID 2592 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Flabbihl.exe C:\Windows\SysWOW64\Fjdbnf32.exe
PID 2592 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Flabbihl.exe C:\Windows\SysWOW64\Fjdbnf32.exe
PID 2592 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Flabbihl.exe C:\Windows\SysWOW64\Fjdbnf32.exe
PID 3048 wrote to memory of 2976 N/A C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Fhhcgj32.exe
PID 3048 wrote to memory of 2976 N/A C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Fhhcgj32.exe
PID 3048 wrote to memory of 2976 N/A C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Fhhcgj32.exe
PID 3048 wrote to memory of 2976 N/A C:\Windows\SysWOW64\Fjdbnf32.exe C:\Windows\SysWOW64\Fhhcgj32.exe
PID 2976 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Fhhcgj32.exe C:\Windows\SysWOW64\Fnbkddem.exe
PID 2976 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Fhhcgj32.exe C:\Windows\SysWOW64\Fnbkddem.exe
PID 2976 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Fhhcgj32.exe C:\Windows\SysWOW64\Fnbkddem.exe
PID 2976 wrote to memory of 2140 N/A C:\Windows\SysWOW64\Fhhcgj32.exe C:\Windows\SysWOW64\Fnbkddem.exe
PID 2140 wrote to memory of 1736 N/A C:\Windows\SysWOW64\Fnbkddem.exe C:\Windows\SysWOW64\Fdoclk32.exe
PID 2140 wrote to memory of 1736 N/A C:\Windows\SysWOW64\Fnbkddem.exe C:\Windows\SysWOW64\Fdoclk32.exe
PID 2140 wrote to memory of 1736 N/A C:\Windows\SysWOW64\Fnbkddem.exe C:\Windows\SysWOW64\Fdoclk32.exe
PID 2140 wrote to memory of 1736 N/A C:\Windows\SysWOW64\Fnbkddem.exe C:\Windows\SysWOW64\Fdoclk32.exe
PID 1736 wrote to memory of 2600 N/A C:\Windows\SysWOW64\Fdoclk32.exe C:\Windows\SysWOW64\Filldb32.exe
PID 1736 wrote to memory of 2600 N/A C:\Windows\SysWOW64\Fdoclk32.exe C:\Windows\SysWOW64\Filldb32.exe
PID 1736 wrote to memory of 2600 N/A C:\Windows\SysWOW64\Fdoclk32.exe C:\Windows\SysWOW64\Filldb32.exe
PID 1736 wrote to memory of 2600 N/A C:\Windows\SysWOW64\Fdoclk32.exe C:\Windows\SysWOW64\Filldb32.exe
PID 2600 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Filldb32.exe C:\Windows\SysWOW64\Facdeo32.exe
PID 2600 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Filldb32.exe C:\Windows\SysWOW64\Facdeo32.exe
PID 2600 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Filldb32.exe C:\Windows\SysWOW64\Facdeo32.exe
PID 2600 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Filldb32.exe C:\Windows\SysWOW64\Facdeo32.exe
PID 2752 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Facdeo32.exe C:\Windows\SysWOW64\Ffpmnf32.exe
PID 2752 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Facdeo32.exe C:\Windows\SysWOW64\Ffpmnf32.exe
PID 2752 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Facdeo32.exe C:\Windows\SysWOW64\Ffpmnf32.exe
PID 2752 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Facdeo32.exe C:\Windows\SysWOW64\Ffpmnf32.exe
PID 1680 wrote to memory of 320 N/A C:\Windows\SysWOW64\Ffpmnf32.exe C:\Windows\SysWOW64\Fioija32.exe
PID 1680 wrote to memory of 320 N/A C:\Windows\SysWOW64\Ffpmnf32.exe C:\Windows\SysWOW64\Fioija32.exe
PID 1680 wrote to memory of 320 N/A C:\Windows\SysWOW64\Ffpmnf32.exe C:\Windows\SysWOW64\Fioija32.exe
PID 1680 wrote to memory of 320 N/A C:\Windows\SysWOW64\Ffpmnf32.exe C:\Windows\SysWOW64\Fioija32.exe
PID 320 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Fioija32.exe C:\Windows\SysWOW64\Ffbicfoc.exe
PID 320 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Fioija32.exe C:\Windows\SysWOW64\Ffbicfoc.exe
PID 320 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Fioija32.exe C:\Windows\SysWOW64\Ffbicfoc.exe
PID 320 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Fioija32.exe C:\Windows\SysWOW64\Ffbicfoc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe

"C:\Users\Admin\AppData\Local\Temp\virussign.com_a537d2478356f0fb5710b888e178f7e0.exe"

C:\Windows\SysWOW64\Eeqdep32.exe

C:\Windows\system32\Eeqdep32.exe

C:\Windows\SysWOW64\Enihne32.exe

C:\Windows\system32\Enihne32.exe

C:\Windows\SysWOW64\Elmigj32.exe

C:\Windows\system32\Elmigj32.exe

C:\Windows\SysWOW64\Eajaoq32.exe

C:\Windows\system32\Eajaoq32.exe

C:\Windows\SysWOW64\Ejbfhfaj.exe

C:\Windows\system32\Ejbfhfaj.exe

C:\Windows\SysWOW64\Ealnephf.exe

C:\Windows\system32\Ealnephf.exe

C:\Windows\SysWOW64\Flabbihl.exe

C:\Windows\system32\Flabbihl.exe

C:\Windows\SysWOW64\Fjdbnf32.exe

C:\Windows\system32\Fjdbnf32.exe

C:\Windows\SysWOW64\Fhhcgj32.exe

C:\Windows\system32\Fhhcgj32.exe

C:\Windows\SysWOW64\Fnbkddem.exe

C:\Windows\system32\Fnbkddem.exe

C:\Windows\SysWOW64\Fdoclk32.exe

C:\Windows\system32\Fdoclk32.exe

C:\Windows\SysWOW64\Filldb32.exe

C:\Windows\system32\Filldb32.exe

C:\Windows\SysWOW64\Facdeo32.exe

C:\Windows\system32\Facdeo32.exe

C:\Windows\SysWOW64\Ffpmnf32.exe

C:\Windows\system32\Ffpmnf32.exe

C:\Windows\SysWOW64\Fioija32.exe

C:\Windows\system32\Fioija32.exe

C:\Windows\SysWOW64\Ffbicfoc.exe

C:\Windows\system32\Ffbicfoc.exe

C:\Windows\SysWOW64\Globlmmj.exe

C:\Windows\system32\Globlmmj.exe

C:\Windows\SysWOW64\Gbijhg32.exe

C:\Windows\system32\Gbijhg32.exe

C:\Windows\SysWOW64\Gegfdb32.exe

C:\Windows\system32\Gegfdb32.exe

C:\Windows\SysWOW64\Ghfbqn32.exe

C:\Windows\system32\Ghfbqn32.exe

C:\Windows\SysWOW64\Gejcjbah.exe

C:\Windows\system32\Gejcjbah.exe

C:\Windows\SysWOW64\Gobgcg32.exe

C:\Windows\system32\Gobgcg32.exe

C:\Windows\SysWOW64\Gelppaof.exe

C:\Windows\system32\Gelppaof.exe

C:\Windows\SysWOW64\Ghkllmoi.exe

C:\Windows\system32\Ghkllmoi.exe

C:\Windows\SysWOW64\Gacpdbej.exe

C:\Windows\system32\Gacpdbej.exe

C:\Windows\SysWOW64\Ggpimica.exe

C:\Windows\system32\Ggpimica.exe

C:\Windows\SysWOW64\Gaemjbcg.exe

C:\Windows\system32\Gaemjbcg.exe

C:\Windows\SysWOW64\Hgbebiao.exe

C:\Windows\system32\Hgbebiao.exe

C:\Windows\SysWOW64\Hiqbndpb.exe

C:\Windows\system32\Hiqbndpb.exe

C:\Windows\SysWOW64\Hkpnhgge.exe

C:\Windows\system32\Hkpnhgge.exe

C:\Windows\SysWOW64\Hdhbam32.exe

C:\Windows\system32\Hdhbam32.exe

C:\Windows\SysWOW64\Hggomh32.exe

C:\Windows\system32\Hggomh32.exe

C:\Windows\SysWOW64\Hlcgeo32.exe

C:\Windows\system32\Hlcgeo32.exe

C:\Windows\SysWOW64\Hcnpbi32.exe

C:\Windows\system32\Hcnpbi32.exe

C:\Windows\SysWOW64\Hodpgjha.exe

C:\Windows\system32\Hodpgjha.exe

C:\Windows\SysWOW64\Hacmcfge.exe

C:\Windows\system32\Hacmcfge.exe

C:\Windows\SysWOW64\Hkkalk32.exe

C:\Windows\system32\Hkkalk32.exe

C:\Windows\SysWOW64\Icbimi32.exe

C:\Windows\system32\Icbimi32.exe

C:\Windows\SysWOW64\Idceea32.exe

C:\Windows\system32\Idceea32.exe

C:\Windows\SysWOW64\Iagfoe32.exe

C:\Windows\system32\Iagfoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 140

Network

N/A

Files

memory/3056-0-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Eeqdep32.exe

MD5 f99ed3430d21b5c805e1c871f2c4f1cb
SHA1 106d1155e6aad9b6754626e50ed32d278a2546ad
SHA256 9914acfe08f9ab548f0a2319906eadb6b01532fb98309fab01bd7c8afe4d7bfe
SHA512 587c4039fa6b761d4ebc13dd5202933f370676d13e87ff32427d6a8a1c38a764465534f81a5987b6fa3f2ca92b9a53d3434995913ade77cbb450f540ef060533

memory/3056-6-0x0000000000310000-0x0000000000352000-memory.dmp

C:\Windows\SysWOW64\Enihne32.exe

MD5 c1971fd89fccffebd8933fcb5486c5e9
SHA1 26ab74c8d1e50d37a897523b25ff65fce97d98db
SHA256 1b12216cde2f953a01725004c0f7c236a3bf5802a27710b867a61c08437d0090
SHA512 2375f54825f921aa089d4581fc2511aff10947a385607bad9ead91c42babdebbab6b22d6a756eb0e00bdc699e57383459e6c9e6053a06946c1351edf394b3c84

memory/2844-26-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1952-25-0x0000000000250000-0x0000000000292000-memory.dmp

\Windows\SysWOW64\Elmigj32.exe

MD5 26f7a41ec4bfbec2861921156e2fc081
SHA1 69770dc6512490b9b56c8c121096f4bb69baa1e9
SHA256 258a382dedad4b1e509add61d26a19b1c9f5e785fd7a9777bbc16b79ab8cd0fd
SHA512 3299b9480234e15a1b4300800e31297b339193e56f1094d6a02a4087295f77f620a9c532f0f75324e8ab5715a9a00a323261d883319cc4fac8ae15ab7ac5941b

memory/2844-34-0x0000000000280000-0x00000000002C2000-memory.dmp

memory/2672-40-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Eajaoq32.exe

MD5 e62f3c1f31b0f82d08b86751d569bed1
SHA1 b0ed2827d67064fcd4f80818b2c855cbda77bc7e
SHA256 47951699368c3932c5d50a30f4c3b7c0d36ee8721f1baf20022e9a4faf3996bd
SHA512 b346f60c5cd501b4cad67b5a3dccd98fe39924affe5183e2cd0a3e242db5f8ad2dc02fed07f79820dd8c3a6a58dbaeb019b0fe506f40e5a3ba825d8a1ddcf930

memory/2720-53-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Ejbfhfaj.exe

MD5 1c6944dab7f2679827a39b6c2de3bc8e
SHA1 409ab6f2aedc3321c4567bea55487aa5c11f34dd
SHA256 628f63d8ac928e22878b8c1f57eeb10c16e53b30f8704fe1a4b6abd425800912
SHA512 955dcb1910e612d383b9aa671e9a182a2abb593ba2c45a2774a192a91dce88f795db42ed1f03a71e3b9c96608cac3d9199f0eeb56e5338922dfb8d8aa160f9f6

memory/2720-60-0x0000000000250000-0x0000000000292000-memory.dmp

\Windows\SysWOW64\Ealnephf.exe

MD5 f896e375b0f80d4d399bf670503a408f
SHA1 a824966d5cab7f09662dd60b0e8da50c0b7c3b55
SHA256 90d6fa3c9667029f747b8cb537690017598258d4d076b37d4d4e87755a9d198e
SHA512 399a63da2b260f9ed46230efce11a294c0ab543e954f99abc04ed181f11588e7cfe799cee7324e84098011d9dd7c1662cc0b29aaa97120046e763279169c5842

memory/2668-79-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Flabbihl.exe

MD5 55d51862ddc133a61a1c542debeb7b20
SHA1 f59dd6f8cede70b45144196b9c89774ccaaec60a
SHA256 80dc39eff42e46a0336552aab02688f98c55e42d6767c220a6cbe24b5a184568
SHA512 b0360208a9670e54762e04c2f0782528cfdd663326d41f34621c794db68e6b2a3a8e02fa36637a830382aaaafc8eadd44160ee2956235bf228ebc20546b23956

\Windows\SysWOW64\Fjdbnf32.exe

MD5 5b16089b50c5229f92e0448c0049c38d
SHA1 d4918882f6f672069a2a6218260e2b361c069570
SHA256 1a5ee5619101943a1017dd0033e4cb8dc597f370333e1ff6cb4e1f01b3ebd8a7
SHA512 7b279eac536ca1eab9fc9ff220a2189290bf3893075a5903f669357ba629cd763f4c9844448b7eb04f3dafb2f0bd73a141fce86224c55a03a1a8b1492797dcf8

memory/3048-105-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2592-92-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Fhhcgj32.exe

MD5 677c47535e9a64db4bb9c1903ac27164
SHA1 9537000228adf56fbaa9668c8321bfcf7b5b7826
SHA256 fb53e69b67d172306e7edc9e8284c7a43c7c96894c5117919a95ba8545ddc738
SHA512 05171460781246d542d2ab8cc39e58d1dff2687f65eaf6cf765f6ae8dc28df57678dd6becddeeaeb2d2214ab2a5c05136eb4b6a570f10ee2a5fa6da99d75f8ab

memory/3048-113-0x0000000000250000-0x0000000000292000-memory.dmp

\Windows\SysWOW64\Fnbkddem.exe

MD5 5903b0b768dbc22e90d934af01ffa112
SHA1 60af310780d5aa7170eb03c61bb8f2482b15563a
SHA256 173c347ae7df595384824db464ea3e2408fda096ec18f8f5e38865a14346cd01
SHA512 bfc8990ace89ad6aaf48834b179a0cdd8e7208f01b7ddcd8ba771bc2356d88c584d8799a28061558dd761eac1bee1c5ce55f719dc118aa36db9060f6ef0b22aa

memory/2140-131-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Fdoclk32.exe

MD5 424397f72f53f5fed8f64e8556366394
SHA1 33ef7fe97fa39f9fe903d98c604f64298d83a7be
SHA256 78bb96b3c6314d766e2625513c0c29bc431ec1e0c871480547633e50116d54f7
SHA512 755702c910eb6a2e3507fcfefed8242294fd35e1b05e560316874b7573020c915733927e868bb21e5007c8d14b9b41ead2d47bceba82a1db164bb33d1b32d8c3

memory/1736-144-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Filldb32.exe

MD5 2a1e6b8b32dfb07eb6803bbc1b353f7b
SHA1 959b5dc911a271f599ced594dcdfed03ba5f50af
SHA256 9729099a506b3b7484746f8b736e20d77252f1a88fdcfddba396b3dff0e351dc
SHA512 76cd7b0ac5889ee634956279ba53413c1c9ef445ac4d641b4994242533e99ff948726bc2791c3cbdae20d3ddc2717137a20cba81f7642bf1ba6b8b3e0bf7c7c3

memory/2600-158-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Facdeo32.exe

MD5 32fb49c3b5b6a302b90076d818b886b7
SHA1 fa5a915f5e134f024a259b38c5e55de2bd3e39c5
SHA256 c40c682607770a4ce9da69af43d8374436b00bffb4aaf9c76c2edc881eb77d37
SHA512 cd961b2282fb102ecfbadb224a5118f0de69494f3387b10e996e2ab58c89f33a68fcf29e1f5ace0f450ad0646fc7353be70a8b4be95819e70e376754a67f2070

memory/2752-170-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Ffpmnf32.exe

MD5 ba62a47ccd813554e2a383fb552ced0c
SHA1 3a9385b0d96ce41851ad407461e43bf37e3dd9fc
SHA256 5467a0401312e45e3195b5d6bb03efd4478e381ed5b8daacba23c828f1a8f2aa
SHA512 07777494372690ab5acfd9e6b84898493b0d677e3e42215dde675d2fc0eceffb956d3ed8a8aea8aea74d51ad65398e9e80b498bad94c5a762c3195d114e5257d

memory/1680-183-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Fioija32.exe

MD5 6e10c8127110512679bcb4f6e5cf98ea
SHA1 9f7a960d9c3e4ec7fa72d88572ae2b2044546d50
SHA256 d3d91f0498c59fee0dad164ba7ae54bcffb4254fd006207957baa556ddfcd294
SHA512 29ae3077a162e11627c422dc88646800c30e0e9c497ae075885dfa53587294b2464f942c6d6e299b54ac32658e02dba2247ed7873d986397462b90c8226983d9

memory/1680-191-0x0000000000250000-0x0000000000292000-memory.dmp

memory/320-202-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Ffbicfoc.exe

MD5 4534a3917e8d39c58da85076572a5660
SHA1 2e84cc81b978d09fa7e4767762caee91d77de4c4
SHA256 6e6839fbb9bcb3fe81a6e3fbe43aa45c5f25dc81988103b13eb0780c256ba85c
SHA512 df9f014b83056d644efc0a98626eedfa6a9978d47527db70885ea0abf4e0f842a7244deccdf6774f6b84f4ea4af50f32f20922ed41d4867843086928e7b9eac1

memory/2304-210-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2304-220-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Globlmmj.exe

MD5 fe4ee8d1df3d840c86322dad4ec65f80
SHA1 eed798f49ab480e8876e0ee3e5aa437c39f6d240
SHA256 22d51f3659cf7ed6b9cb125d17cb726aa29a9926272e93be1e13b166b134b67b
SHA512 83c99f9b545ec8757343b4e3022e890686ab0d971698fbbf1ac0b5e42eed8c95269832ee6d1f2dd11845a82feda35d7f2093e51511d2010b2c315a08261bd05d

C:\Windows\SysWOW64\Gbijhg32.exe

MD5 ccc5f2057c690544a758993f6016a5ad
SHA1 0ee9fa57b7af874b9f3c54adc0567bf674d2606a
SHA256 4ccb3c0b9f3e47bdb234a3c29199d18f0f54f324ab655016e384688dcd3ebc01
SHA512 5604b85a022ca1cbbf1d0bd2b0b4b91447bdbdc5acf50bd845861f1fffead9dcf529ba1a7b1cac5695321badb921f215b16e197d8ecf54dc2b9a7f7a2d77ec10

memory/1312-229-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gegfdb32.exe

MD5 84a71992c1ab158f2c2c0d375d339a94
SHA1 2e0d1df66b43273b066f909088cda2def324761b
SHA256 7c0ea2a18206771543f104eeaedfc6c0a4e32ce526b4f7da53ffc9b86b06e9ca
SHA512 059d9674e7d51db5c0bcd1276b3b978261c285c17f179718c3f1b21a01e1f67c39c69950e55e6c3474e21830542fb12ec6bba4be42b6693edeba96d415caa96c

memory/1132-244-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1312-243-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1312-242-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1132-250-0x0000000000310000-0x0000000000352000-memory.dmp

memory/1664-251-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1132-249-0x0000000000310000-0x0000000000352000-memory.dmp

C:\Windows\SysWOW64\Ghfbqn32.exe

MD5 2bd6ac70323f6fde738045f456a489dd
SHA1 fd02e140d14dd0ca22dcc7e6c4dd59e1c0e7848b
SHA256 bc90b5041576f777ad515ed65135925410d68199a5f5a732a3a10975113b4328
SHA512 0cf8410ee5ad5bd0d23da0fa5959f0871af416fb8589cc187a9d82ad61de08f30e798cfc72e603cdf24c3cbc09f9aa1746ea62bf0712711aae3adcd5f8d5a1ce

memory/1664-261-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1664-260-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Gejcjbah.exe

MD5 7554e85128d92cc0e7fe75cd35a19967
SHA1 15b9e4e700355f5096a45a92505e889cbc0aaef2
SHA256 584e2f8dfb20bb1d0c202348f6e8a3b585cc67d6921d0d39d64b122049c78eff
SHA512 05020778baf5e947a56d7fdca51215cdb7cb68a9e10f77f3aad0f67c4bd52882d88218e976d0de669e7d6e3ddbf5b3ff77ce6df7b07eb5b13e3ab656bb247644

memory/1584-262-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gobgcg32.exe

MD5 fc908fa46430d46c5549ef9a0ae44c12
SHA1 2a8ff80985785efa94eebd1497c053ca36188e56
SHA256 0b5a7beb2e5f334d1f6ed8f086c2ab51bde7f2072ea03f8485c52dfa5bd47170
SHA512 921d0ef16c21acdee904bc72f3631b20af56e7a86f958281700ffc6f0fe5bce14a915d5264ccc4cbfb09404e5c108d6ffd61d4c98abf4071dfd5a30c72ceaa26

memory/1584-272-0x0000000000360000-0x00000000003A2000-memory.dmp

memory/1584-271-0x0000000000360000-0x00000000003A2000-memory.dmp

memory/1820-273-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Gelppaof.exe

MD5 2a4c3050f04ab85edaeb68db81b70438
SHA1 9a6105ef81356d1f32e3919d8e7a1f5594e20806
SHA256 8b38c3fd8df1b79364438a35be7fdd8ff2ef9545346fdb72c0a9fae46b504725
SHA512 73df98cdf39937fc700540a89db391a02405686e05c7940d97b73a9c10517982d2bb6953c2cc3b01be83bf24f789f6e51e7a05250f58fc272d31c8cd16e51121

memory/2392-290-0x00000000002E0000-0x0000000000322000-memory.dmp

memory/2392-284-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1820-283-0x0000000000270000-0x00000000002B2000-memory.dmp

memory/1820-282-0x0000000000270000-0x00000000002B2000-memory.dmp

C:\Windows\SysWOW64\Ghkllmoi.exe

MD5 319b6d72a3cc6006883ba8475e7e4c98
SHA1 a648e7c6d01969583f8b8b30f1497eaa85310d2f
SHA256 0b92931fefec83cbf5ab7976a0db4258c522e5197ff3776480ca9ee0e311c8bd
SHA512 0733c0238661cae7a6de748bd79dfd05baac5b7d241542200bc43d1e169bf50392988712a5fd5f38650120f5165ac2f3e69fcb577ea2f99239bb56679292fdff

memory/1152-299-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2392-296-0x00000000002E0000-0x0000000000322000-memory.dmp

memory/1152-301-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Gacpdbej.exe

MD5 09c9626cd1a6cf2b71ae84d208251326
SHA1 f43b41769c76e3f8115f5f3edc6f5cd87f4a0128
SHA256 7745ff8fcfa9762cdae7dfb1d4e90da86acb4b62586d7f69a57e03b1c739c75b
SHA512 1aa3881d4aec6ee6741b4b76173fbbfe53477f4e63c920ec1c12adab45445ab99e4cf4984679a2082cd429ac32b59b7705366c4493c6067af474564aee635547

memory/1152-305-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1740-306-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ggpimica.exe

MD5 05b59cbb284e34af82f853ba61e09ae2
SHA1 7faaec953d0b81db14a1bf49face4f493a8583c4
SHA256 6a33490b41c51b1784f47b8fcc8256ae7c2fec4103b79c05d69d86e7a5ac1cc0
SHA512 5595805bc29353b9b985e5db940d2a477f99b329f0a482bd13356387cc372888c3223dee0e530d8469387e96ebaf3cf045f3bb413100cf6194ba6488c9a4b8b2

memory/2892-317-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1740-316-0x0000000000250000-0x0000000000292000-memory.dmp

memory/1740-315-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Gaemjbcg.exe

MD5 2a5f211e4c2de322bb9f0a0bf6c7a50c
SHA1 583d94d4101287dca04cc25e2adf923b0c46988b
SHA256 763083467132e2f3959db9f9d22aac2d8f0f2568ec12bfd0ced664cff1785989
SHA512 7b6798af7dc14b9ef1af10c5b9fffabf329594ad8bba52ba78aa5131dbbaa4c7febba34b1b7ffdd2d2490beca4932f9bef129ae6ba3e855d64eb62a6304e0962

memory/2892-327-0x0000000000260000-0x00000000002A2000-memory.dmp

memory/1692-328-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2892-326-0x0000000000260000-0x00000000002A2000-memory.dmp

memory/1692-338-0x00000000002D0000-0x0000000000312000-memory.dmp

memory/812-339-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1692-337-0x00000000002D0000-0x0000000000312000-memory.dmp

C:\Windows\SysWOW64\Hgbebiao.exe

MD5 a9b3e5faa7d8df56fa872e7f05b5701e
SHA1 1698e0c7d8d979f34dfefc33bf0f70d2717431d6
SHA256 3949de0ae7505bb4adc1855f5f98c50421a1884363621929d082970412a61669
SHA512 accc3f7e2334ed3d58576bb91926a581cb21b20594430d024374b7244bf4dfd883d808f6a6610be46e9ae007895803d2bd535a4fb18b171320a65a71ec22c0c9

memory/2148-350-0x0000000000400000-0x0000000000442000-memory.dmp

memory/812-349-0x0000000000280000-0x00000000002C2000-memory.dmp

memory/812-348-0x0000000000280000-0x00000000002C2000-memory.dmp

C:\Windows\SysWOW64\Hiqbndpb.exe

MD5 d465ad8f1c2d303d921928585e41d427
SHA1 b83779e4417324a4a45ac4bd473b3a86e43538bf
SHA256 2761c3e2ab4ba252c555aa26667a6920403e1c1e8f13ee7c14a1cebd1ae5a8cf
SHA512 49bf0a27123d23a5053e9e1adfb97708dea3f8f98a3da742f6ad720f222d1f2bae13468ca1f2f71b07e544451b526bed3f6570b0f2f89a0f4f908a216eaf3336

C:\Windows\SysWOW64\Hkpnhgge.exe

MD5 e913050ffe1320e7cb88217330bf8adf
SHA1 434798b609101f1ad99d8aeec5383a6cd4d3b3b2
SHA256 ca11edaee6e685a1ea833b232b7b6299d8f84c23e99e516b66f7cb5f9fb0180b
SHA512 957f889b00a655940e247339bbf49a34dc5c4ec54ea5c22d0ca61183b83d871ffdd5270d7ac96978e91e4563e3988ab704231376c4deff9987cb6debdc2aa14d

memory/2148-356-0x00000000002A0000-0x00000000002E2000-memory.dmp

memory/2800-361-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2148-360-0x00000000002A0000-0x00000000002E2000-memory.dmp

C:\Windows\SysWOW64\Hdhbam32.exe

MD5 fe26b4780767ce064bb397af3ea02b75
SHA1 d6f720823ebd457a11191ee576bbcea877895453
SHA256 394ef4fd5d65c9e9e78e0e549c79b2cbdd976755bc8c55d43aaacd93d228570d
SHA512 d7876dc522ec126adf8468edf3ca6f7a5fd61f241458d622ce190e78740368f572618b51444c636200d2956d248751bacdddd99108cea87831167905098d3840

memory/2824-378-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2824-372-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2800-371-0x00000000002F0000-0x0000000000332000-memory.dmp

memory/2800-370-0x00000000002F0000-0x0000000000332000-memory.dmp

C:\Windows\SysWOW64\Hggomh32.exe

MD5 a314fdba2771f49b851c98c87d1957c8
SHA1 fb310e946ea0a8c834047fe7c745ec17e587b86f
SHA256 7e1258a4c308d23f1f76095d89095d87ca23b9a8d6fe6015848cee7248c8c0ed
SHA512 f5751baac65cfd5e92f0fe695d2e17b0574d1607dd275e766f99d22fed32a3ef2cecfe531ea864001fb2bb49c369a148f7540b05a145e6ed7d255d9005a8a0ab

memory/2824-382-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2860-387-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Hlcgeo32.exe

MD5 220091645ced115c0ddfc55142f099d6
SHA1 f54c0ae4f1e50682266762db12dc2b2648aa3344
SHA256 fdad149c981c143af2625054222a6291b980c3ce51b39d9f06f7cc180096014b
SHA512 f2fd30665f2640f2cb14b3fde3d2fbbef2aed3dc28fb2ef6309add7dd4a43d838e026a99ee939e82dfa0b8665d61be1c9ccde88abcec4de110d2bfbb0852677b

memory/2860-392-0x00000000002D0000-0x0000000000312000-memory.dmp

memory/2860-393-0x00000000002D0000-0x0000000000312000-memory.dmp

memory/2524-394-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2524-404-0x00000000002D0000-0x0000000000312000-memory.dmp

memory/2524-403-0x00000000002D0000-0x0000000000312000-memory.dmp

C:\Windows\SysWOW64\Hcnpbi32.exe

MD5 0c479cec3aa73470949e14523986b992
SHA1 ee2b0177cf97e13e2317f7c4504d55ebc0fdbc78
SHA256 8e4ec3b5eda3da426502a04695ecbce4a70b3dc0c303164422a223955ea4fc02
SHA512 3dbf601f9b8bc75546c23f9c51c68d9bfa90b06e8d001bcae149dfad08c9327d88f83788b7388b283ebc860aaf4e54d786500f1c6356d6d9e0c88381322f02e6

memory/3044-405-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3044-411-0x00000000002D0000-0x0000000000312000-memory.dmp

C:\Windows\SysWOW64\Hodpgjha.exe

MD5 bd925788b458ec2bbe549b939f5b3dd3
SHA1 47737c5ae45f403e9ae8c5dc055faf96518b1821
SHA256 9a61e7e0daca3e1446fc57530daacba16dbe22960afddb24d04b6435df22a6fc
SHA512 dce048f528603a090c5776eecab37f04afcd97f8113d25bd2cac75c425c91e3cfee7dfa8e8bcd3abc24d6d44b11c2d3c3e3b12c678b7dbb882d8c81d1597cc4a

C:\Windows\SysWOW64\Hacmcfge.exe

MD5 657a1d75b1c388b09d4674c7d377457b
SHA1 2c807e8f2d752cd8acd38594b6276f3fe6b24796
SHA256 d998a186c3a76288e381c27ba2c5ebd0850aa8f220e35079f61d11c393fa7dd6
SHA512 90e02acf29d42739d5d4e15831b48154eca3f70670768ce257e34f08e8935110c2c68181ba1df1f2dce93ce5aac135777f9b44664711e67d5d0423693c6ca0ff

memory/2852-421-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3044-419-0x00000000002D0000-0x0000000000312000-memory.dmp

memory/2852-426-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2980-427-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2852-425-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Hkkalk32.exe

MD5 504913f2999f72d2bb3636374069ec68
SHA1 886dc40a3177b6f381278ce6e9a2f4a4c39933ba
SHA256 4f8c0af090bed5c374a2b69692208a66fa07ea91be63e55f844dadd5516c08ff
SHA512 c20234df2af534bd81bb6bd1077c5cbbbc574f14adf41bbe97e1dfca2d6ca9cfa5cda624101171215d5e7f644b40be55c38c291c38c6c54f82cc17fd4e444f92

memory/2980-433-0x0000000000280000-0x00000000002C2000-memory.dmp

memory/2980-437-0x0000000000280000-0x00000000002C2000-memory.dmp

memory/1360-442-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1360-446-0x00000000002D0000-0x0000000000312000-memory.dmp

C:\Windows\SysWOW64\Icbimi32.exe

MD5 76c0cbbd329066fce0b099bf9f377e95
SHA1 8c9543909c755cba6b47209bc960611b44d18e53
SHA256 4e5ef4c6f4332e1938ed9ca10413c60a4261795db0ec9a382e3ab4b507a4fcf3
SHA512 132f7c7f6d8f1c0f5ddf0f67b4b3fa9ee0d9a345c5f9c9e99e2482d910a3973f299fa857928e05dc6d413d94246fae286f511f97f356b7225601d4f2940baaa3

memory/1548-448-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1360-452-0x00000000002D0000-0x0000000000312000-memory.dmp

memory/1108-460-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1548-459-0x0000000000320000-0x0000000000362000-memory.dmp

memory/1548-458-0x0000000000320000-0x0000000000362000-memory.dmp

C:\Windows\SysWOW64\Idceea32.exe

MD5 4d1359aa65aa83a766004f9467c27075
SHA1 ecfaddec7f6229e37a8d7791fe1be189ac70635e
SHA256 9fc31addeb263e6f29b5bb18cc46b7611e991fcb1cd50bc21db7dfa819e8c9ab
SHA512 a61fa966d7be1e60f88ac49552e47ff8e6d5fd4faab2c1a6e596322e6271504262d778c52fa849a5929fa2605febadab8ae33ea6c14b4460e6d573d454425de4

C:\Windows\SysWOW64\Iagfoe32.exe

MD5 716cf3e24cc5b19fbc019d3b9d64bbba
SHA1 8d0e58db0a6e6e983bf553ecfa7dad4c3100b880
SHA256 85b0f725a8f0bfd4072dc0907d84b67fddfaa37129f4a73532e6e9898960deec
SHA512 087cb88bdeb10afd7cdcbd6db7e322baf6cc3a8b4b59fd417696b8b063d78168050459357fdb8b61946c0cce200e1a7cc5df8132ecf1c36cb48388a0e1cbda6d

memory/1916-471-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1108-470-0x00000000002E0000-0x0000000000322000-memory.dmp

memory/1108-469-0x00000000002E0000-0x0000000000322000-memory.dmp

memory/3056-472-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1952-473-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2844-474-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2672-475-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2720-476-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2648-477-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2668-478-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2592-479-0x0000000000400000-0x0000000000442000-memory.dmp