Malware Analysis Report

2025-08-06 01:12

Sample ID 241107-hzsf6axkgv
Target 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N
SHA256 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2

Threat Level: Known bad

The file 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew family

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 07:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 07:10

Reported

2024-11-07 07:12

Platform

win7-20241010-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cileqlmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cileqlmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cchbgi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cchbgi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnimiblo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnimiblo.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Cileqlmg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnimiblo.exe N/A
N/A N/A C:\Windows\SysWOW64\Cchbgi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfhkhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpapaj32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Cileqlmg.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Cchbgi32.exe N/A
File created C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\Cfhkhd32.exe N/A
File created C:\Windows\SysWOW64\Pdkefp32.dll C:\Windows\SysWOW64\Cfhkhd32.exe N/A
File created C:\Windows\SysWOW64\Cmbfdl32.dll C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe N/A
File created C:\Windows\SysWOW64\Cchbgi32.exe C:\Windows\SysWOW64\Cnimiblo.exe N/A
File created C:\Windows\SysWOW64\Fkdqjn32.dll C:\Windows\SysWOW64\Cchbgi32.exe N/A
File created C:\Windows\SysWOW64\ÿs.e¢e C:\Windows\SysWOW64\Dpapaj32.exe N/A
File created C:\Windows\SysWOW64\Cileqlmg.exe C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe N/A
File created C:\Windows\SysWOW64\Pobghn32.dll C:\Windows\SysWOW64\Cileqlmg.exe N/A
File opened for modification C:\Windows\SysWOW64\Cchbgi32.exe C:\Windows\SysWOW64\Cnimiblo.exe N/A
File opened for modification C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\Cfhkhd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ÿs.e¢e C:\Windows\SysWOW64\Dpapaj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cileqlmg.exe C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe N/A
File created C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Cileqlmg.exe N/A
File created C:\Windows\SysWOW64\Acnenl32.dll C:\Windows\SysWOW64\Cnimiblo.exe N/A
File created C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Cchbgi32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cileqlmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnimiblo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cchbgi32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll" C:\Windows\SysWOW64\Cileqlmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll" C:\Windows\SysWOW64\Cchbgi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll" C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cchbgi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cileqlmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cileqlmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll" C:\Windows\SysWOW64\Cnimiblo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cchbgi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cnimiblo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnimiblo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfhkhd32.exe N/A
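The "Adds autorun key" table and the "Modifies registry class" table above are two halves of one persistence mechanism: the ShellServiceObjectDelayLoad (SSODL) value named "Web Event Logger" points at a CLSID, and that CLSID's InProcServer32 default value points at the DLL each stage dropped into SysWOW64, which Explorer loads as a shell service object at logon. The script below is an added example, not part of the sandbox report or of the Berbew sample, that correlates the two halves from rows written in the report's own "Description Indicator Process Target" layout; the same correlation applies to the behavioral2 "Adds autorun key" table further down. SAMPLE_ROWS is constructed from rows copied out of this report; the regular expressions and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: six indicator rows copied from this report's behavioral1
# "Adds autorun key" and "Modifies registry class" tables, in the page's own
# "Description Indicator Process Target" layout.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cileqlmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cileqlmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cchbgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cileqlmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll" C:\Windows\SysWOW64\Cileqlmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll" C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe N/A
"""

# One "Set value" row: data type, full value path, quoted data, writing process, target.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.*?) = "(?P<data>[^"]*)" (?P<proc>\S+) (?P<target>\S+)$'
)
SSODL_SUFFIX = r"\microsoft\windows\currentversion\shellserviceobjectdelayload"
INPROC_RE = re.compile(r"\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$", re.IGNORECASE)


def parse_set_values(rows):
    """Yield (key, value_name, data, process) for every 'Set value' row."""
    for line in rows.strip().splitlines():
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue  # 'Key created' / 'Key opened' rows carry no data to correlate
        key, _, name = m["path"].rpartition("\\")
        # The sandbox escapes backslashes inside quoted data ("C:\\Windows\\...").
        yield key, name, m["data"].replace("\\\\", "\\"), m["proc"]


def find_ssodl_persistence(rows):
    """Correlate each SSODL entry with the InProcServer32 DLL its CLSID resolves to.

    Returns a sorted list of (ssodl_value_name, clsid, dll_path, dll_registered_by).
    An SSODL entry whose CLSID has no InProcServer32 row is still reported, with
    dll_path and dll_registered_by set to None, so the analyst does not lose it.
    """
    entries = list(parse_set_values(rows))
    servers = defaultdict(set)  # CLSID -> {(dll path, process that registered it)}
    for key, name, data, proc in entries:
        m = INPROC_RE.search(key)
        if m and name == "":  # the default value of InProcServer32 is the DLL path
            servers[m.group(1).upper()].add((data, proc))

    findings = set()
    for key, name, data, proc in entries:
        if not key.lower().endswith(SSODL_SUFFIX):
            continue
        clsid = data.upper()
        for dll, writer in servers.get(clsid) or {(None, None)}:
            findings.add((name, clsid, dll, writer))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))


if __name__ == "__main__":
    for name, clsid, dll, writer in find_ssodl_persistence(SAMPLE_ROWS):
        print(f"SSODL '{name}' -> {clsid} -> {dll} (InProcServer32 set by {writer})")
```

One caveat when turning this into a host check: every write in the report landed under Wow6432Node, which is the view a 32-bit process gets of HKLM\SOFTWARE on 64-bit Windows. The 64-bit Explorer reads the native ShellServiceObjectDelayLoad key and the native Classes\CLSID hive, so enumerate both views rather than only the paths the sandbox recorded, and treat any SSODL entry whose server DLL was written by a non-installer process as a finding regardless of which view it sits in.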

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1832 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe C:\Windows\SysWOW64\Cileqlmg.exe
PID 1832 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe C:\Windows\SysWOW64\Cileqlmg.exe
PID 1832 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe C:\Windows\SysWOW64\Cileqlmg.exe
PID 1832 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe C:\Windows\SysWOW64\Cileqlmg.exe
PID 2556 wrote to memory of 524 N/A C:\Windows\SysWOW64\Cileqlmg.exe C:\Windows\SysWOW64\Cnimiblo.exe
PID 2556 wrote to memory of 524 N/A C:\Windows\SysWOW64\Cileqlmg.exe C:\Windows\SysWOW64\Cnimiblo.exe
PID 2556 wrote to memory of 524 N/A C:\Windows\SysWOW64\Cileqlmg.exe C:\Windows\SysWOW64\Cnimiblo.exe
PID 2556 wrote to memory of 524 N/A C:\Windows\SysWOW64\Cileqlmg.exe C:\Windows\SysWOW64\Cnimiblo.exe
PID 524 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Cchbgi32.exe
PID 524 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Cchbgi32.exe
PID 524 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Cchbgi32.exe
PID 524 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Cchbgi32.exe
PID 2780 wrote to memory of 2380 N/A C:\Windows\SysWOW64\Cchbgi32.exe C:\Windows\SysWOW64\Cfhkhd32.exe
PID 2780 wrote to memory of 2380 N/A C:\Windows\SysWOW64\Cchbgi32.exe C:\Windows\SysWOW64\Cfhkhd32.exe
PID 2780 wrote to memory of 2380 N/A C:\Windows\SysWOW64\Cchbgi32.exe C:\Windows\SysWOW64\Cfhkhd32.exe
PID 2780 wrote to memory of 2380 N/A C:\Windows\SysWOW64\Cchbgi32.exe C:\Windows\SysWOW64\Cfhkhd32.exe
PID 2380 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Dpapaj32.exe
PID 2380 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Dpapaj32.exe
PID 2380 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Dpapaj32.exe
PID 2380 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Dpapaj32.exe
PID 2828 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2828 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2828 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\WerFault.exe
PID 2828 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\WerFault.exe
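Read together with the "Drops file in System32 directory" and "Executes dropped EXE" tables, the WriteProcessMemory rows above describe a chained dropper: each stage writes the next stage's executable into SysWOW64, runs it and writes into its memory, until the last stage, Dpapaj32.exe, crashes and WerFault.exe is invoked (the sandbox logs every write separately, which is why each parent/child pair is listed several times). The script below is an added example, not the sandbox's code, that rebuilds that chain from rows copied out of this report and checks for every hop whether the parent also created the child's file on disk, which separates dropped stages from pre-existing system binaries. WPM_ROWS and DROP_ROWS are constructed from the rows above; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: WriteProcessMemory and "File created" rows copied from
# this report's behavioral1 tables. The sandbox logs every write separately,
# so the same parent->child pair appears more than once.
WPM_ROWS = r"""
PID 1832 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe C:\Windows\SysWOW64\Cileqlmg.exe
PID 1832 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe C:\Windows\SysWOW64\Cileqlmg.exe
PID 2556 wrote to memory of 524 N/A C:\Windows\SysWOW64\Cileqlmg.exe C:\Windows\SysWOW64\Cnimiblo.exe
PID 524 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Cchbgi32.exe
PID 2780 wrote to memory of 2380 N/A C:\Windows\SysWOW64\Cchbgi32.exe C:\Windows\SysWOW64\Cfhkhd32.exe
PID 2380 wrote to memory of 2828 N/A C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Dpapaj32.exe
PID 2828 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\WerFault.exe
"""
DROP_ROWS = r"""
File created C:\Windows\SysWOW64\Cileqlmg.exe C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe N/A
File created C:\Windows\SysWOW64\Cnimiblo.exe C:\Windows\SysWOW64\Cileqlmg.exe N/A
File created C:\Windows\SysWOW64\Cchbgi32.exe C:\Windows\SysWOW64\Cnimiblo.exe N/A
File created C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Cchbgi32.exe N/A
File created C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\Cfhkhd32.exe N/A
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")


def parse_write_edges(rows):
    """Return de-duplicated (parent_pid, child_pid, parent_image, child_image) edges."""
    edges = []
    for line in rows.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edge = (int(m[1]), int(m[2]), m[3], m[4])
            if edge not in edges:  # collapse repeated writes into one edge
                edges.append(edge)
    return edges


def parse_drops(rows):
    """Return {dropped file path (lower-cased): image of the process that created it}."""
    drops = {}
    for line in rows.strip().splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            drops[m[1].lower()] = m[2]
    return drops


def build_chain(wpm_rows, drop_rows):
    """Walk the write edges from the root process, depth-first.

    Returns a list of (depth, pid, image_path, dropped_by_parent). The flag is
    True when a 'File created' row shows the parent wrote the child's image to
    disk, False for the root and for pre-existing binaries such as WerFault.exe.
    """
    edges = parse_write_edges(wpm_rows)
    drops = parse_drops(drop_rows)
    image, children, parent_of = {}, defaultdict(list), {}
    for p, c, p_img, c_img in edges:
        image.setdefault(p, p_img)
        image.setdefault(c, c_img)
        children[p].append(c)
        parent_of[c] = p
    roots = [pid for pid in image if pid not in parent_of]

    out = []

    def walk(pid, depth, seen):
        if pid in seen:
            raise ValueError(f"cycle in write edges at PID {pid}")  # malformed input guard
        dropped = pid in parent_of and drops.get(image[pid].lower()) == image[parent_of[pid]]
        out.append((depth, pid, image[pid], dropped))
        for child in children[pid]:
            walk(child, depth + 1, seen | {pid})

    for root in sorted(roots):
        walk(root, 0, frozenset())
    return out


if __name__ == "__main__":
    for depth, pid, path, dropped in build_chain(WPM_ROWS, DROP_ROWS):
        name = path.rsplit("\\", 1)[-1]
        tag = "dropped by parent" if dropped else "pre-existing"
        print(f"{'  ' * depth}{pid} {name} [{tag}]")
```

On this report's rows the walk yields a single seven-process chain in which every hop except the last is marked as dropped by its parent; the final hop to WerFault.exe is the crash handler, not a payload, which matches the "Program crash" signature above. The same parser applies unchanged to the much longer behavioral2 run, where the tree is deeper but built the same way.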

Processes

C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe

"C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe"

C:\Windows\SysWOW64\Cileqlmg.exe

C:\Windows\system32\Cileqlmg.exe

C:\Windows\SysWOW64\Cnimiblo.exe

C:\Windows\system32\Cnimiblo.exe

C:\Windows\SysWOW64\Cchbgi32.exe

C:\Windows\system32\Cchbgi32.exe

C:\Windows\SysWOW64\Cfhkhd32.exe

C:\Windows\system32\Cfhkhd32.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 144

Network

N/A

Files

\Windows\SysWOW64\Dpapaj32.exe

MD5 39f0173cc8efa4c07889f42587015b21
SHA1 6037ec6eb207e75705ecd056bb90fd54a4635176
SHA256 f8a4522e4032b2c706fed5a29535078706555fc066422d4d9209c9770e2ea15e
SHA512 9e9baa3a91cffa4c8853be511395722f97348e539e1953e41968f456a1c8e185d6c2dc497b24c6f7411fe5a0ff58adf38f3b12b404f1fcc8f26cfa10bbd0340a

memory/2828-70-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2380-69-0x0000000000220000-0x000000000025C000-memory.dmp

C:\Windows\SysWOW64\Cfhkhd32.exe

MD5 466f826c69c047f01870c4f6133a98fc
SHA1 b52c55ca4f7dac1f70fa2539084629ef4fe0562e
SHA256 f90d1120fa84744029d30224e278d26cc68baf3665f3ce5ba5828ae193439d8c
SHA512 3d2444d6ab71a45afd7cccffbe87e68f29624523ae0381dd8e91b92642a6979e43afe6db67a17d7adf8c3833a338ce205659e70ecb27def00f92ee2a6adbc82a

memory/2380-56-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2780-49-0x00000000003C0000-0x00000000003FC000-memory.dmp

C:\Windows\SysWOW64\Cchbgi32.exe

MD5 6acef5715cd83bc6f2c85c339e968b6a
SHA1 cbfa06333ae21e4c4035b6829d16f40f22f328c7
SHA256 efb9429d9c5bcc52d53972fa38bd598347e9cca5c0b60723a7c3d2d2548e95fa
SHA512 b6e4fbd2e2668e1abd77d6d5ab89b9cc6bec04d9b24ad67299447da6c1d9a100ae1d0936095b7980de8519d2d155ecb88cd0e0cf7e235ef5294ea8ab96307124

memory/2780-42-0x0000000000400000-0x000000000043C000-memory.dmp

memory/524-40-0x00000000002B0000-0x00000000002EC000-memory.dmp

memory/524-39-0x00000000002B0000-0x00000000002EC000-memory.dmp

C:\Windows\SysWOW64\Cnimiblo.exe

MD5 c8f1c8d30f7aa9715f7ba172836d9e3a
SHA1 b077d13a498aea94a81fe600e7abd7ca17435b59
SHA256 0c7d5ad3d9e133dfe60b4f99e612d497977ee1b01b2fdd0cc7768d2976359f91
SHA512 f09a843f70d1d55f210c7d4aec59ad5327d340ea8a7e1bf8199fdcb2d40258bf05257587738e5e6552191c1c18c829bb389ef6696a89163b1e7a8870bf0fff9f

C:\Windows\SysWOW64\Cileqlmg.exe

MD5 6a56979a9e4284ce9f4118c00a8e5306
SHA1 8aeb25fdda0ac065243c3ec374a03bd04d42ba26
SHA256 deddffeca64caec623d0f134cac0418b27787c17c01b350bc906de33560b586e
SHA512 b77685948c71c9287560832e2d350df9e8dcfee6d9c19dade4bb94d3a11e5089ad809db882291f5807f5cae166a4f61553e170372ca65a07bed91c51744d1ac2

memory/2556-14-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1832-13-0x0000000000220000-0x000000000025C000-memory.dmp

memory/2556-22-0x00000000003C0000-0x00000000003FC000-memory.dmp

memory/1832-12-0x0000000000220000-0x000000000025C000-memory.dmp

memory/1832-0-0x0000000000400000-0x000000000043C000-memory.dmp

memory/524-82-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2780-81-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1832-80-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2556-79-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2828-77-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2380-78-0x0000000000400000-0x000000000043C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 07:10

Reported

2024-11-07 07:12

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbpchb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iliinc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Onocomdo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apodoq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdojjo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgelgi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Chfegk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dngjff32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Emanjldl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jilfifme.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Klahfp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kgflcifg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ljceqb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Coqncejg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ckjknfnh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dpiplm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmcjpl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hifcgion.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ibaeen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mogcihaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Chkobkod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eehicoel.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gncchb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hehkajig.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hfjdqmng.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kpoalo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mfqlfb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nqbpojnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Adhdjpjf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ebnfbcbc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mcpcdg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mcpcdg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgbefe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkphhgfc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cacckp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Llodgnja.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njfkmphe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Boihcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Emhkdmlg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eehicoel.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hfaajnfb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nopfpgip.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Onmfimga.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpqldc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lfjfecno.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojdgnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ojdgnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ocaebc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gpbpbecj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gfodeohd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gojiiafp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hbhboolf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngjkfd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnhmnn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eblimcdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hoobdp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Onmfimga.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pfoann32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmiikh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ennqfenp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebnfbcbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fiaael32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hplbickp.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Dngjff32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emhkdmlg.exe N/A
N/A N/A C:\Windows\SysWOW64\Eofgpikj.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiokinbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekmhejao.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebgpad32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekodjiol.exe N/A
N/A N/A C:\Windows\SysWOW64\Ennqfenp.exe N/A
N/A N/A C:\Windows\SysWOW64\Eehicoel.exe N/A
N/A N/A C:\Windows\SysWOW64\Epmmqheb.exe N/A
N/A N/A C:\Windows\SysWOW64\Eblimcdf.exe N/A
N/A N/A C:\Windows\SysWOW64\Emanjldl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebnfbcbc.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmcjpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbpchb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fijkdmhn.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpdcag32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fealin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Flkdfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpgpgfmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Fiodpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpimlfke.exe N/A
N/A N/A C:\Windows\SysWOW64\Fefedmil.exe N/A
N/A N/A C:\Windows\SysWOW64\Fiaael32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpkibf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfeaopqo.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmojkj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gblbca32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmafajfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Gncchb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gemkelcd.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpbpbecj.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbalopbn.exe N/A
N/A N/A C:\Windows\SysWOW64\Glipgf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfodeohd.exe N/A
N/A N/A C:\Windows\SysWOW64\Gojiiafp.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfaajnfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlnjbedi.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbhboolf.exe N/A
N/A N/A C:\Windows\SysWOW64\Hibjli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hplbickp.exe N/A
N/A N/A C:\Windows\SysWOW64\Hoobdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hehkajig.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpnoncim.exe N/A
N/A N/A C:\Windows\SysWOW64\Hblkjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hifcgion.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpqldc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfjdqmng.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiipmhmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpchib32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibaeen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iliinc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iebngial.exe N/A
N/A N/A C:\Windows\SysWOW64\Illfdc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipgbdbqb.exe N/A
N/A N/A C:\Windows\SysWOW64\Iipfmggc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilnbicff.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibhkfm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iefgbh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Imnocf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ioolkncg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ieidhh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iidphgcn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipoheakj.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Ngjkfd32.exe C:\Windows\SysWOW64\Nqpcjj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pfiddm32.exe C:\Windows\SysWOW64\Phcgcqab.exe N/A
File opened for modification C:\Windows\SysWOW64\Eblimcdf.exe C:\Windows\SysWOW64\Epmmqheb.exe N/A
File created C:\Windows\SysWOW64\Ilmjim32.dll C:\Windows\SysWOW64\Gncchb32.exe N/A
File created C:\Windows\SysWOW64\Afeknhab.dll C:\Windows\SysWOW64\Hehkajig.exe N/A
File opened for modification C:\Windows\SysWOW64\Hpchib32.exe C:\Windows\SysWOW64\Hiipmhmk.exe N/A
File created C:\Windows\SysWOW64\Ibaeen32.exe C:\Windows\SysWOW64\Hpchib32.exe N/A
File created C:\Windows\SysWOW64\Fihgkk32.dll C:\Windows\SysWOW64\Lnangaoa.exe N/A
File opened for modification C:\Windows\SysWOW64\Ckbemgcp.exe C:\Windows\SysWOW64\Chdialdl.exe N/A
File created C:\Windows\SysWOW64\Illfdc32.exe C:\Windows\SysWOW64\Iebngial.exe N/A
File created C:\Windows\SysWOW64\Qjiipk32.exe C:\Windows\SysWOW64\Pdmdnadc.exe N/A
File created C:\Windows\SysWOW64\Bajqda32.exe C:\Windows\SysWOW64\Bkphhgfc.exe N/A
File opened for modification C:\Windows\SysWOW64\Emanjldl.exe C:\Windows\SysWOW64\Eblimcdf.exe N/A
File created C:\Windows\SysWOW64\Nkbjmj32.dll C:\Windows\SysWOW64\Kgflcifg.exe N/A
File created C:\Windows\SysWOW64\Boihcf32.exe C:\Windows\SysWOW64\Bgbpaipl.exe N/A
File created C:\Windows\SysWOW64\Pjpbba32.dll C:\Windows\SysWOW64\Eehicoel.exe N/A
File created C:\Windows\SysWOW64\Hehkajig.exe C:\Windows\SysWOW64\Hoobdp32.exe N/A
File created C:\Windows\SysWOW64\Hifcgion.exe C:\Windows\SysWOW64\Hblkjo32.exe N/A
File created C:\Windows\SysWOW64\Accimdgp.dll C:\Windows\SysWOW64\Jcmdaljn.exe N/A
File created C:\Windows\SysWOW64\Mfcjqc32.dll C:\Windows\SysWOW64\Kcidmkpq.exe N/A
File created C:\Windows\SysWOW64\Ojnkocdc.dll C:\Windows\SysWOW64\Mogcihaj.exe N/A
File created C:\Windows\SysWOW64\Pmcckk32.dll C:\Windows\SysWOW64\Jocefm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jcdjbk32.exe C:\Windows\SysWOW64\Jilfifme.exe N/A
File created C:\Windows\SysWOW64\Mqafhl32.exe C:\Windows\SysWOW64\Ljhnlb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pplobcpp.exe C:\Windows\SysWOW64\Pfdjinjo.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmjkic32.exe C:\Windows\SysWOW64\Bacjdbch.exe N/A
File created C:\Windows\SysWOW64\Mbkkam32.dll C:\Windows\SysWOW64\Cpdgqmnb.exe N/A
File created C:\Windows\SysWOW64\Fiaael32.exe C:\Windows\SysWOW64\Fefedmil.exe N/A
File created C:\Windows\SysWOW64\Lcimdh32.exe C:\Windows\SysWOW64\Llodgnja.exe N/A
File created C:\Windows\SysWOW64\Kibohd32.dll C:\Windows\SysWOW64\Oghghb32.exe N/A
File created C:\Windows\SysWOW64\Jnfpnk32.dll C:\Windows\SysWOW64\Pfandnla.exe N/A
File created C:\Windows\SysWOW64\Pdmdnadc.exe C:\Windows\SysWOW64\Ppahmb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdmfllhn.exe C:\Windows\SysWOW64\Caojpaij.exe N/A
File opened for modification C:\Windows\SysWOW64\Kgnbdh32.exe C:\Windows\SysWOW64\Kfnfjehl.exe N/A
File opened for modification C:\Windows\SysWOW64\Llodgnja.exe C:\Windows\SysWOW64\Ljqhkckn.exe N/A
File created C:\Windows\SysWOW64\Dannpknl.dll C:\Windows\SysWOW64\Njjdho32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aknbkjfh.exe C:\Windows\SysWOW64\Aogbfi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkphhgfc.exe C:\Windows\SysWOW64\Bgelgi32.exe N/A
File created C:\Windows\SysWOW64\Hnflfgji.dll C:\Windows\SysWOW64\Cammjakm.exe N/A
File created C:\Windows\SysWOW64\Cdbpgl32.exe C:\Windows\SysWOW64\Cacckp32.exe N/A
File created C:\Windows\SysWOW64\Dpkmal32.exe C:\Windows\SysWOW64\Dahmfpap.exe N/A
File created C:\Windows\SysWOW64\Fqibbo32.dll C:\Windows\SysWOW64\Jokkgl32.exe N/A
File created C:\Windows\SysWOW64\Lpfgmnfp.exe C:\Windows\SysWOW64\Kgnbdh32.exe N/A
File created C:\Windows\SysWOW64\Onmfimga.exe C:\Windows\SysWOW64\Nfcabp32.exe N/A
File created C:\Windows\SysWOW64\Akkffkhk.exe C:\Windows\SysWOW64\Qdaniq32.exe N/A
File created C:\Windows\SysWOW64\Bgbpaipl.exe C:\Windows\SysWOW64\Bmjkic32.exe N/A
File created C:\Windows\SysWOW64\Ckebcg32.exe C:\Windows\SysWOW64\Chfegk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fiaael32.exe C:\Windows\SysWOW64\Fefedmil.exe N/A
File created C:\Windows\SysWOW64\Hfaajnfb.exe C:\Windows\SysWOW64\Gojiiafp.exe N/A
File created C:\Windows\SysWOW64\Jgkmgk32.exe C:\Windows\SysWOW64\Jocefm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ojdgnn32.exe C:\Windows\SysWOW64\Onmfimga.exe N/A
File created C:\Windows\SysWOW64\Mmihfl32.dll C:\Windows\SysWOW64\Cnaaib32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fmcjpl32.exe C:\Windows\SysWOW64\Ebnfbcbc.exe N/A
File opened for modification C:\Windows\SysWOW64\Fefedmil.exe C:\Windows\SysWOW64\Fpimlfke.exe N/A
File created C:\Windows\SysWOW64\Bdifpa32.dll C:\Windows\SysWOW64\Gblbca32.exe N/A
File created C:\Windows\SysWOW64\Ioolkncg.exe C:\Windows\SysWOW64\Imnocf32.exe N/A
File created C:\Windows\SysWOW64\Hplbickp.exe C:\Windows\SysWOW64\Hibjli32.exe N/A
File created C:\Windows\SysWOW64\Ipgijcij.dll C:\Windows\SysWOW64\Lpfgmnfp.exe N/A
File created C:\Windows\SysWOW64\Npgmpf32.exe C:\Windows\SysWOW64\Njjdho32.exe N/A
File created C:\Windows\SysWOW64\Dddjmo32.dll C:\Windows\SysWOW64\Ppahmb32.exe N/A
File created C:\Windows\SysWOW64\Aokkahlo.exe C:\Windows\SysWOW64\Agdcpkll.exe N/A
File created C:\Windows\SysWOW64\Fenpmnno.dll C:\Windows\SysWOW64\Nfcabp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gbalopbn.exe C:\Windows\SysWOW64\Gpbpbecj.exe N/A
File created C:\Windows\SysWOW64\Gfodeohd.exe C:\Windows\SysWOW64\Glipgf32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dkqaoe32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eblimcdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hpnoncim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mqafhl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nggnadib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkphhgfc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ekmhejao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gfeaopqo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jokkgl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ljceqb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofmdio32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ekodjiol.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fijkdmhn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kjeiodek.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ljqhkckn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lcimdh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdaniq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aopemh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgqlcg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Emanjldl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fpgpgfmh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hibjli32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jnlkedai.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phonha32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgelgi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ebnfbcbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iipfmggc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iidphgcn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jilfifme.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Onmfimga.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aagkhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpkmal32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gblbca32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Illfdc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kgiiiidd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Onapdl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ocaebc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qjiipk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fpdcag32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Glipgf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oghghb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akdilipp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckbemgcp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ennqfenp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eiokinbk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eehicoel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ipgbdbqb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jleijb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njfkmphe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nqbpojnp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Npgmpf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Emhkdmlg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dahmfpap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkgeainn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fefedmil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fiaael32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gfodeohd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hifcgion.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mfnoqc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mogcihaj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nfaemp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Flkdfh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfoann32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdojjo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgbpaipl.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaofbcjo.dll" C:\Windows\SysWOW64\Ebgpad32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jiiicf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kpoalo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojdgnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmhkafda.dll" C:\Windows\SysWOW64\Illfdc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kcidmkpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll" C:\Windows\SysWOW64\Apaadpng.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Emanjldl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjembbd.dll" C:\Windows\SysWOW64\Llodgnja.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ngjkfd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmephjke.dll" C:\Windows\SysWOW64\Pplobcpp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bacjdbch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chkobkod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gemkelcd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iebngial.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mnegbp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjqlnnkp.dll" C:\Windows\SysWOW64\Emhkdmlg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodolnaf.dll" C:\Windows\SysWOW64\Fbpchb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qikoka32.dll" C:\Windows\SysWOW64\Gfodeohd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgjamboa.dll" C:\Windows\SysWOW64\Iebngial.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lfbped32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lciibdmj.dll" C:\Windows\SysWOW64\Hpchib32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Klfaapbl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Amqhbe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dpkmal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hbhboolf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgjmg32.dll" C:\Windows\SysWOW64\Hibjli32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jocefm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmlme32.dll" C:\Windows\SysWOW64\Mjodla32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njjdho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobifpp.dll" C:\Windows\SysWOW64\Ckebcg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ibaeen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iefgbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhegobpi.dll" C:\Windows\SysWOW64\Imnocf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Imnocf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kcidmkpq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ljqhkckn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cdmfllhn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hbhboolf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnaaib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgcihgaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Emanjldl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iipfmggc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nopfpgip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nqpcjj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fijkdmhn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ficlfj32.dll" C:\Windows\SysWOW64\Gojiiafp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kgiiiidd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ofmdio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iipfmggc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcghdkpf.dll" C:\Windows\SysWOW64\Iidphgcn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lobjni32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkpjkai.dll" C:\Windows\SysWOW64\Npgmpf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Phonha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qjiipk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhejb32.dll" C:\Windows\SysWOW64\Gbalopbn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ibhkfm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ieidhh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fpgpgfmh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibohd32.dll" C:\Windows\SysWOW64\Oghghb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdlfcb32.dll" C:\Windows\SysWOW64\Akdilipp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ekmhejao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpbba32.dll" C:\Windows\SysWOW64\Eehicoel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gblbca32.exe N/A
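Every registry row above targets the one CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} and rewrites its InProcServer32 default value to whichever DLL the current stage has just dropped into SysWOW64 (compare the 'File created' rows for Kibohd32.dll and Pjpbba32.dll with the 'Set value' rows written by the same Oghghb32.exe and Eehicoel.exe). A ShellServiceObjectDelayLoad entry resolves to a CLSID and Explorer loads that CLSID's InProcServer32 DLL at logon, so on a live host the last write wins, but every DLL path in the table is a usable indicator. The script below is an added example, not part of the sandbox output or of any tooling the report describes: it parses rows copied from the two tables above (embedded inline so it runs offline) and correlates each registered DLL with the process that created it. The report renders registry data with doubled backslashes and a different case than the file paths, so both are normalised before comparison.

```python
"""Correlate the sandbox's file-drop and registry rows for one Berbew chain.

Added example. The rows in SAMPLE_LINES are copied from the 'Drops file in
System32 directory' and 'Modifies registry class' tables of this report.
"""
import re

# Row formats as rendered in the report (Description Indicator Process Target).
FILE_RE = re.compile(
    r'^File (?P<action>created|opened for modification) (?P<path>\S+) (?P<process>\S+) (?P<target>\S+)$')
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\S*?)\\(?P<name>[^\\\s]*)'
    r' = "(?P<data>[^"]*)" (?P<process>\S+) (?P<target>\S+)$')
KEY_CREATED_RE = re.compile(r'^Key created (?P<key>\\REGISTRY\S+) (?P<process>\S+) (?P<target>\S+)$')
CLSID_RE = re.compile(r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}', re.I)

SAMPLE_LINES = [l for l in r"""
File created C:\Windows\SysWOW64\Kibohd32.dll C:\Windows\SysWOW64\Oghghb32.exe N/A
File created C:\Windows\SysWOW64\Pjpbba32.dll C:\Windows\SysWOW64\Eehicoel.exe N/A
File created C:\Windows\SysWOW64\Fiaael32.exe C:\Windows\SysWOW64\Fefedmil.exe N/A
File opened for modification C:\Windows\SysWOW64\Fiaael32.exe C:\Windows\SysWOW64\Fefedmil.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kpoalo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaofbcjo.dll" C:\Windows\SysWOW64\Ebgpad32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jiiicf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibohd32.dll" C:\Windows\SysWOW64\Oghghb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpbba32.dll" C:\Windows\SysWOW64\Eehicoel.exe N/A
""".splitlines() if l.strip()]


def norm_path(p):
    """Registry data is shown with doubled backslashes; NTFS paths compare case-insensitively."""
    return p.replace('\\\\', '\\').lower()


def parse_report_lines(lines):
    """Turn report rows into event dicts; rows matching no known format are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if m := FILE_RE.match(line):
            events.append({'kind': 'file', **m.groupdict()})
        elif m := SET_VALUE_RE.match(line):
            events.append({'kind': 'set', **m.groupdict()})
        elif m := KEY_CREATED_RE.match(line):
            events.append({'kind': 'key', **m.groupdict()})
    return events


def com_server_registrations(events):
    """{normalised DLL path: [processes that wrote it as an InProcServer32 default value]}."""
    regs = {}
    for ev in events:
        if ev['kind'] == 'set' and ev['name'] == '' and ev['key'].lower().endswith('\\inprocserver32'):
            regs.setdefault(norm_path(ev['data']), []).append(ev['process'])
    return regs


def created_files(events):
    """{normalised path: process that created it} from the 'File created' rows."""
    return {norm_path(ev['path']): ev['process'] for ev in events
            if ev['kind'] == 'file' and ev['action'] == 'created'}


def clsids_touched(events):
    """Every CLSID appearing in a registry key the chain wrote (upper-cased for set membership)."""
    return {m.group(0).upper() for ev in events if ev['kind'] in ('set', 'key')
            for m in CLSID_RE.finditer(ev['key'])}


def threading_models(events):
    """ThreadingModel values written under the CLSID (Explorer loads 'Apartment' servers in-process)."""
    return {ev['data'] for ev in events if ev['kind'] == 'set' and ev['name'] == 'ThreadingModel'}


def correlate(events):
    """For each registered COM server DLL: who registered it, who dropped it, and whether
    both are the same process (the dropper-registers-its-own-DLL pattern seen in this report)."""
    created = created_files(events)
    result = {}
    for dll, procs in com_server_registrations(events).items():
        result[dll] = {'registered_by': procs, 'created_by': created.get(dll),
                       'same_process': created.get(dll) in procs}
    return result


if __name__ == '__main__':
    evs = parse_report_lines(SAMPLE_LINES)
    print('CLSIDs:', clsids_touched(evs), 'threading:', threading_models(evs))
    for dll, info in correlate(evs).items():
        print(dll, info)
```

Run it directly to print the correlation, or feed it the complete tables to get the full DLL indicator list. A DLL that is registered but has no 'File created' row in the excerpt (Kaofbcjo.dll here) comes back with created_by set to None, which is the case to follow up when a sandbox truncates its tables.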

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe C:\Windows\SysWOW64\Dngjff32.exe
PID 2256 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe C:\Windows\SysWOW64\Dngjff32.exe
PID 2256 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe C:\Windows\SysWOW64\Dngjff32.exe
PID 4432 wrote to memory of 692 N/A C:\Windows\SysWOW64\Dngjff32.exe C:\Windows\SysWOW64\Emhkdmlg.exe
PID 4432 wrote to memory of 692 N/A C:\Windows\SysWOW64\Dngjff32.exe C:\Windows\SysWOW64\Emhkdmlg.exe
PID 4432 wrote to memory of 692 N/A C:\Windows\SysWOW64\Dngjff32.exe C:\Windows\SysWOW64\Emhkdmlg.exe
PID 692 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Emhkdmlg.exe C:\Windows\SysWOW64\Eofgpikj.exe
PID 692 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Emhkdmlg.exe C:\Windows\SysWOW64\Eofgpikj.exe
PID 692 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Emhkdmlg.exe C:\Windows\SysWOW64\Eofgpikj.exe
PID 4884 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Eofgpikj.exe C:\Windows\SysWOW64\Eiokinbk.exe
PID 4884 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Eofgpikj.exe C:\Windows\SysWOW64\Eiokinbk.exe
PID 4884 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Eofgpikj.exe C:\Windows\SysWOW64\Eiokinbk.exe
PID 4744 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Eiokinbk.exe C:\Windows\SysWOW64\Ekmhejao.exe
PID 4744 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Eiokinbk.exe C:\Windows\SysWOW64\Ekmhejao.exe
PID 4744 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Eiokinbk.exe C:\Windows\SysWOW64\Ekmhejao.exe
PID 3040 wrote to memory of 3668 N/A C:\Windows\SysWOW64\Ekmhejao.exe C:\Windows\SysWOW64\Ebgpad32.exe
PID 3040 wrote to memory of 3668 N/A C:\Windows\SysWOW64\Ekmhejao.exe C:\Windows\SysWOW64\Ebgpad32.exe
PID 3040 wrote to memory of 3668 N/A C:\Windows\SysWOW64\Ekmhejao.exe C:\Windows\SysWOW64\Ebgpad32.exe
PID 3668 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Ebgpad32.exe C:\Windows\SysWOW64\Ekodjiol.exe
PID 3668 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Ebgpad32.exe C:\Windows\SysWOW64\Ekodjiol.exe
PID 3668 wrote to memory of 2396 N/A C:\Windows\SysWOW64\Ebgpad32.exe C:\Windows\SysWOW64\Ekodjiol.exe
PID 2396 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Ekodjiol.exe C:\Windows\SysWOW64\Ennqfenp.exe
PID 2396 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Ekodjiol.exe C:\Windows\SysWOW64\Ennqfenp.exe
PID 2396 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Ekodjiol.exe C:\Windows\SysWOW64\Ennqfenp.exe
PID 2464 wrote to memory of 416 N/A C:\Windows\SysWOW64\Ennqfenp.exe C:\Windows\SysWOW64\Eehicoel.exe
PID 2464 wrote to memory of 416 N/A C:\Windows\SysWOW64\Ennqfenp.exe C:\Windows\SysWOW64\Eehicoel.exe
PID 2464 wrote to memory of 416 N/A C:\Windows\SysWOW64\Ennqfenp.exe C:\Windows\SysWOW64\Eehicoel.exe
PID 416 wrote to memory of 2300 N/A C:\Windows\SysWOW64\Eehicoel.exe C:\Windows\SysWOW64\Epmmqheb.exe
PID 416 wrote to memory of 2300 N/A C:\Windows\SysWOW64\Eehicoel.exe C:\Windows\SysWOW64\Epmmqheb.exe
PID 416 wrote to memory of 2300 N/A C:\Windows\SysWOW64\Eehicoel.exe C:\Windows\SysWOW64\Epmmqheb.exe
PID 2300 wrote to memory of 5076 N/A C:\Windows\SysWOW64\Epmmqheb.exe C:\Windows\SysWOW64\Eblimcdf.exe
PID 2300 wrote to memory of 5076 N/A C:\Windows\SysWOW64\Epmmqheb.exe C:\Windows\SysWOW64\Eblimcdf.exe
PID 2300 wrote to memory of 5076 N/A C:\Windows\SysWOW64\Epmmqheb.exe C:\Windows\SysWOW64\Eblimcdf.exe
PID 5076 wrote to memory of 1652 N/A C:\Windows\SysWOW64\Eblimcdf.exe C:\Windows\SysWOW64\Emanjldl.exe
PID 5076 wrote to memory of 1652 N/A C:\Windows\SysWOW64\Eblimcdf.exe C:\Windows\SysWOW64\Emanjldl.exe
PID 5076 wrote to memory of 1652 N/A C:\Windows\SysWOW64\Eblimcdf.exe C:\Windows\SysWOW64\Emanjldl.exe
PID 1652 wrote to memory of 4996 N/A C:\Windows\SysWOW64\Emanjldl.exe C:\Windows\SysWOW64\Ebnfbcbc.exe
PID 1652 wrote to memory of 4996 N/A C:\Windows\SysWOW64\Emanjldl.exe C:\Windows\SysWOW64\Ebnfbcbc.exe
PID 1652 wrote to memory of 4996 N/A C:\Windows\SysWOW64\Emanjldl.exe C:\Windows\SysWOW64\Ebnfbcbc.exe
PID 4996 wrote to memory of 4004 N/A C:\Windows\SysWOW64\Ebnfbcbc.exe C:\Windows\SysWOW64\Fmcjpl32.exe
PID 4996 wrote to memory of 4004 N/A C:\Windows\SysWOW64\Ebnfbcbc.exe C:\Windows\SysWOW64\Fmcjpl32.exe
PID 4996 wrote to memory of 4004 N/A C:\Windows\SysWOW64\Ebnfbcbc.exe C:\Windows\SysWOW64\Fmcjpl32.exe
PID 4004 wrote to memory of 4808 N/A C:\Windows\SysWOW64\Fmcjpl32.exe C:\Windows\SysWOW64\Fbpchb32.exe
PID 4004 wrote to memory of 4808 N/A C:\Windows\SysWOW64\Fmcjpl32.exe C:\Windows\SysWOW64\Fbpchb32.exe
PID 4004 wrote to memory of 4808 N/A C:\Windows\SysWOW64\Fmcjpl32.exe C:\Windows\SysWOW64\Fbpchb32.exe
PID 4808 wrote to memory of 3756 N/A C:\Windows\SysWOW64\Fbpchb32.exe C:\Windows\SysWOW64\Fijkdmhn.exe
PID 4808 wrote to memory of 3756 N/A C:\Windows\SysWOW64\Fbpchb32.exe C:\Windows\SysWOW64\Fijkdmhn.exe
PID 4808 wrote to memory of 3756 N/A C:\Windows\SysWOW64\Fbpchb32.exe C:\Windows\SysWOW64\Fijkdmhn.exe
PID 3756 wrote to memory of 1520 N/A C:\Windows\SysWOW64\Fijkdmhn.exe C:\Windows\SysWOW64\Fpdcag32.exe
PID 3756 wrote to memory of 1520 N/A C:\Windows\SysWOW64\Fijkdmhn.exe C:\Windows\SysWOW64\Fpdcag32.exe
PID 3756 wrote to memory of 1520 N/A C:\Windows\SysWOW64\Fijkdmhn.exe C:\Windows\SysWOW64\Fpdcag32.exe
PID 1520 wrote to memory of 1148 N/A C:\Windows\SysWOW64\Fpdcag32.exe C:\Windows\SysWOW64\Fealin32.exe
PID 1520 wrote to memory of 1148 N/A C:\Windows\SysWOW64\Fpdcag32.exe C:\Windows\SysWOW64\Fealin32.exe
PID 1520 wrote to memory of 1148 N/A C:\Windows\SysWOW64\Fpdcag32.exe C:\Windows\SysWOW64\Fealin32.exe
PID 1148 wrote to memory of 100 N/A C:\Windows\SysWOW64\Fealin32.exe C:\Windows\SysWOW64\Flkdfh32.exe
PID 1148 wrote to memory of 100 N/A C:\Windows\SysWOW64\Fealin32.exe C:\Windows\SysWOW64\Flkdfh32.exe
PID 1148 wrote to memory of 100 N/A C:\Windows\SysWOW64\Fealin32.exe C:\Windows\SysWOW64\Flkdfh32.exe
PID 100 wrote to memory of 928 N/A C:\Windows\SysWOW64\Flkdfh32.exe C:\Windows\SysWOW64\Fpgpgfmh.exe
PID 100 wrote to memory of 928 N/A C:\Windows\SysWOW64\Flkdfh32.exe C:\Windows\SysWOW64\Fpgpgfmh.exe
PID 100 wrote to memory of 928 N/A C:\Windows\SysWOW64\Flkdfh32.exe C:\Windows\SysWOW64\Fpgpgfmh.exe
PID 928 wrote to memory of 3580 N/A C:\Windows\SysWOW64\Fpgpgfmh.exe C:\Windows\SysWOW64\Fiodpl32.exe
PID 928 wrote to memory of 3580 N/A C:\Windows\SysWOW64\Fpgpgfmh.exe C:\Windows\SysWOW64\Fiodpl32.exe
PID 928 wrote to memory of 3580 N/A C:\Windows\SysWOW64\Fpgpgfmh.exe C:\Windows\SysWOW64\Fiodpl32.exe
PID 3580 wrote to memory of 3124 N/A C:\Windows\SysWOW64\Fiodpl32.exe C:\Windows\SysWOW64\Fpimlfke.exe
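Each dropped executable in the table above writes into the process it has just created, and that process in turn creates the next, so the rows describe one linear chain of stages rather than a tree, with three writes recorded per parent/child pair. The script below is an added example and not part of the report: it rebuilds that chain from rows copied from the table (the first five pairs, embedded inline so it runs offline), collapses the repeated writes into one edge each, and checks two properties of every child, that its image lives in C:\Windows\SysWOW64 and that its name fits the family's eight-character pattern. The name heuristic is this example's assumption, not a rule taken from the report. Note that the 'Processes' list below pairs each SysWOW64 image with a command line naming C:\Windows\system32; that is the same file, because the 32-bit chain runs under WOW64 file system redirection.

```python
"""Rebuild the dropper chain from the 'Suspicious use of WriteProcessMemory' rows.

Added example. The rows in SAMPLE_LINES are copied from the table above
(first five parent/child pairs, three writes each).
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

WPM_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<src_img>\S+) (?P<dst_img>\S+)$')

# Heuristic for this family's image names (six letters plus two letters or "32"):
# an assumption made for this example, not a signature from the report.
BERBEW_NAME_RE = re.compile(r'^[A-Za-z]{6}(?:[A-Za-z]{2}|32)\.(?:exe|dll)$')
SYSWOW64 = PureWindowsPath(r'C:\Windows\SysWOW64')

SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe'
SAMPLE_LINES = [l for l in rf"""
PID 2256 wrote to memory of 4432 N/A {SAMPLE} C:\Windows\SysWOW64\Dngjff32.exe
PID 2256 wrote to memory of 4432 N/A {SAMPLE} C:\Windows\SysWOW64\Dngjff32.exe
PID 2256 wrote to memory of 4432 N/A {SAMPLE} C:\Windows\SysWOW64\Dngjff32.exe
PID 4432 wrote to memory of 692 N/A C:\Windows\SysWOW64\Dngjff32.exe C:\Windows\SysWOW64\Emhkdmlg.exe
PID 4432 wrote to memory of 692 N/A C:\Windows\SysWOW64\Dngjff32.exe C:\Windows\SysWOW64\Emhkdmlg.exe
PID 4432 wrote to memory of 692 N/A C:\Windows\SysWOW64\Dngjff32.exe C:\Windows\SysWOW64\Emhkdmlg.exe
PID 692 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Emhkdmlg.exe C:\Windows\SysWOW64\Eofgpikj.exe
PID 692 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Emhkdmlg.exe C:\Windows\SysWOW64\Eofgpikj.exe
PID 692 wrote to memory of 4884 N/A C:\Windows\SysWOW64\Emhkdmlg.exe C:\Windows\SysWOW64\Eofgpikj.exe
PID 4884 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Eofgpikj.exe C:\Windows\SysWOW64\Eiokinbk.exe
PID 4884 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Eofgpikj.exe C:\Windows\SysWOW64\Eiokinbk.exe
PID 4884 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Eofgpikj.exe C:\Windows\SysWOW64\Eiokinbk.exe
PID 4744 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Eiokinbk.exe C:\Windows\SysWOW64\Ekmhejao.exe
PID 4744 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Eiokinbk.exe C:\Windows\SysWOW64\Ekmhejao.exe
PID 4744 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Eiokinbk.exe C:\Windows\SysWOW64\Ekmhejao.exe
""".splitlines() if l.strip()]


def parse_wpm(lines):
    """'PID a wrote to memory of b' rows -> (src_pid, dst_pid, src_image, dst_image) tuples."""
    rows = []
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m:
            rows.append((int(m['src']), int(m['dst']), m['src_img'], m['dst_img']))
    return rows


def build_tree(rows):
    """Collapse the repeated rows (one per write) into edges; keep the write count per edge."""
    children = defaultdict(list)
    names = {}
    writes = Counter()
    for src, dst, src_img, dst_img in rows:
        names[src], names[dst] = src_img, dst_img
        writes[(src, dst)] += 1
        if dst not in children[src]:
            children[src].append(dst)
    return children, names, writes


def roots(children):
    """PIDs that write into others but were never written to: the submitted sample."""
    targets = {d for ds in children.values() for d in ds}
    return sorted(p for p in children if p not in targets)


def chains(children, names, root):
    """Every root-to-leaf path as a list of image basenames; Berbew yields one long path."""
    paths = []

    def walk(pid, path):
        path = path + [PureWindowsPath(names[pid]).name]
        if not children.get(pid):
            paths.append(path)
            return
        for child in children[pid]:
            walk(child, path)

    walk(root, [])
    return paths


def analyse(lines):
    """Summarise the chain: root, ordered stages, hop count, and per-child sanity checks."""
    rows = parse_wpm(lines)
    children, names, writes = build_tree(rows)
    root = roots(children)[0]
    chain = chains(children, names, root)[0]
    dropped = [names[p] for p in names if p != root]
    return {
        'root_pid': root,
        'chain': chain,
        'hops': len(chain) - 1,
        'writes_per_edge': sorted(set(writes.values())),
        'dropped_all_in_syswow64': all(PureWindowsPath(p).parent == SYSWOW64 for p in dropped),
        'dropped_all_family_named': all(BERBEW_NAME_RE.match(PureWindowsPath(p).name) for p in dropped),
    }


if __name__ == '__main__':
    r = analyse(SAMPLE_LINES)
    print(f"root PID {r['root_pid']}, {r['hops']} hops, {r['writes_per_edge']} writes per edge")
    print(' -> '.join(r['chain']))
```

Feeding it the whole table gives the full stage order, which is the order in which the SysWOW64 images must be collected from a host, and a write count per edge other than three, or a child outside SysWOW64, marks a row that does not follow the pattern the rest of the table shows.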

Processes

C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe

"C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe"

C:\Windows\SysWOW64\Dngjff32.exe

C:\Windows\system32\Dngjff32.exe

C:\Windows\SysWOW64\Emhkdmlg.exe

C:\Windows\system32\Emhkdmlg.exe

C:\Windows\SysWOW64\Eofgpikj.exe

C:\Windows\system32\Eofgpikj.exe

C:\Windows\SysWOW64\Eiokinbk.exe

C:\Windows\system32\Eiokinbk.exe

C:\Windows\SysWOW64\Ekmhejao.exe

C:\Windows\system32\Ekmhejao.exe

C:\Windows\SysWOW64\Ebgpad32.exe

C:\Windows\system32\Ebgpad32.exe

C:\Windows\SysWOW64\Ekodjiol.exe

C:\Windows\system32\Ekodjiol.exe

C:\Windows\SysWOW64\Ennqfenp.exe

C:\Windows\system32\Ennqfenp.exe

C:\Windows\SysWOW64\Eehicoel.exe

C:\Windows\system32\Eehicoel.exe

C:\Windows\SysWOW64\Epmmqheb.exe

C:\Windows\system32\Epmmqheb.exe

C:\Windows\SysWOW64\Eblimcdf.exe

C:\Windows\system32\Eblimcdf.exe

C:\Windows\SysWOW64\Emanjldl.exe

C:\Windows\system32\Emanjldl.exe

C:\Windows\SysWOW64\Ebnfbcbc.exe

C:\Windows\system32\Ebnfbcbc.exe

C:\Windows\SysWOW64\Fmcjpl32.exe

C:\Windows\system32\Fmcjpl32.exe

C:\Windows\SysWOW64\Fbpchb32.exe

C:\Windows\system32\Fbpchb32.exe

C:\Windows\SysWOW64\Fijkdmhn.exe

C:\Windows\system32\Fijkdmhn.exe

C:\Windows\SysWOW64\Fpdcag32.exe

C:\Windows\system32\Fpdcag32.exe

C:\Windows\SysWOW64\Fealin32.exe

C:\Windows\system32\Fealin32.exe

C:\Windows\SysWOW64\Flkdfh32.exe

C:\Windows\system32\Flkdfh32.exe

C:\Windows\SysWOW64\Fpgpgfmh.exe

C:\Windows\system32\Fpgpgfmh.exe

C:\Windows\SysWOW64\Fiodpl32.exe

C:\Windows\system32\Fiodpl32.exe

C:\Windows\SysWOW64\Fpimlfke.exe

C:\Windows\system32\Fpimlfke.exe

C:\Windows\SysWOW64\Fefedmil.exe

C:\Windows\system32\Fefedmil.exe

C:\Windows\SysWOW64\Fiaael32.exe

C:\Windows\system32\Fiaael32.exe

C:\Windows\SysWOW64\Fpkibf32.exe

C:\Windows\system32\Fpkibf32.exe

C:\Windows\SysWOW64\Gfeaopqo.exe

C:\Windows\system32\Gfeaopqo.exe

C:\Windows\SysWOW64\Gmojkj32.exe

C:\Windows\system32\Gmojkj32.exe

C:\Windows\SysWOW64\Gblbca32.exe

C:\Windows\system32\Gblbca32.exe

C:\Windows\SysWOW64\Gmafajfi.exe

C:\Windows\system32\Gmafajfi.exe

C:\Windows\SysWOW64\Gncchb32.exe

C:\Windows\system32\Gncchb32.exe

C:\Windows\SysWOW64\Gemkelcd.exe

C:\Windows\system32\Gemkelcd.exe

C:\Windows\SysWOW64\Gpbpbecj.exe

C:\Windows\system32\Gpbpbecj.exe

C:\Windows\SysWOW64\Gbalopbn.exe

C:\Windows\system32\Gbalopbn.exe

C:\Windows\SysWOW64\Glipgf32.exe

C:\Windows\system32\Glipgf32.exe

C:\Windows\SysWOW64\Gfodeohd.exe

C:\Windows\system32\Gfodeohd.exe

C:\Windows\SysWOW64\Gojiiafp.exe

C:\Windows\system32\Gojiiafp.exe

C:\Windows\SysWOW64\Hfaajnfb.exe

C:\Windows\system32\Hfaajnfb.exe

C:\Windows\SysWOW64\Hlnjbedi.exe

C:\Windows\system32\Hlnjbedi.exe

C:\Windows\SysWOW64\Hbhboolf.exe

C:\Windows\system32\Hbhboolf.exe

C:\Windows\SysWOW64\Hibjli32.exe

C:\Windows\system32\Hibjli32.exe

C:\Windows\SysWOW64\Hplbickp.exe

C:\Windows\system32\Hplbickp.exe

C:\Windows\SysWOW64\Hoobdp32.exe

C:\Windows\system32\Hoobdp32.exe

C:\Windows\SysWOW64\Hehkajig.exe

C:\Windows\system32\Hehkajig.exe

C:\Windows\SysWOW64\Hpnoncim.exe

C:\Windows\system32\Hpnoncim.exe

C:\Windows\SysWOW64\Hblkjo32.exe

C:\Windows\system32\Hblkjo32.exe

C:\Windows\SysWOW64\Hifcgion.exe

C:\Windows\system32\Hifcgion.exe

C:\Windows\SysWOW64\Hpqldc32.exe

C:\Windows\system32\Hpqldc32.exe

C:\Windows\SysWOW64\Hfjdqmng.exe

C:\Windows\system32\Hfjdqmng.exe

C:\Windows\SysWOW64\Hiipmhmk.exe

C:\Windows\system32\Hiipmhmk.exe

C:\Windows\SysWOW64\Hpchib32.exe

C:\Windows\system32\Hpchib32.exe

C:\Windows\SysWOW64\Ibaeen32.exe

C:\Windows\system32\Ibaeen32.exe

C:\Windows\SysWOW64\Iliinc32.exe

C:\Windows\system32\Iliinc32.exe

C:\Windows\SysWOW64\Iebngial.exe

C:\Windows\system32\Iebngial.exe

C:\Windows\SysWOW64\Illfdc32.exe

C:\Windows\system32\Illfdc32.exe

C:\Windows\SysWOW64\Ipgbdbqb.exe

C:\Windows\system32\Ipgbdbqb.exe

C:\Windows\SysWOW64\Iipfmggc.exe

C:\Windows\system32\Iipfmggc.exe

C:\Windows\SysWOW64\Ilnbicff.exe

C:\Windows\system32\Ilnbicff.exe

C:\Windows\SysWOW64\Ibhkfm32.exe

C:\Windows\system32\Ibhkfm32.exe

C:\Windows\SysWOW64\Iefgbh32.exe

C:\Windows\system32\Iefgbh32.exe

C:\Windows\SysWOW64\Imnocf32.exe

C:\Windows\system32\Imnocf32.exe

C:\Windows\SysWOW64\Ioolkncg.exe

C:\Windows\system32\Ioolkncg.exe

C:\Windows\SysWOW64\Ieidhh32.exe

C:\Windows\system32\Ieidhh32.exe

C:\Windows\SysWOW64\Iidphgcn.exe

C:\Windows\system32\Iidphgcn.exe

C:\Windows\SysWOW64\Ipoheakj.exe

C:\Windows\system32\Ipoheakj.exe

C:\Windows\SysWOW64\Jcmdaljn.exe

C:\Windows\system32\Jcmdaljn.exe

C:\Windows\SysWOW64\Jleijb32.exe

C:\Windows\system32\Jleijb32.exe

C:\Windows\SysWOW64\Jocefm32.exe

C:\Windows\system32\Jocefm32.exe

C:\Windows\SysWOW64\Jgkmgk32.exe

C:\Windows\system32\Jgkmgk32.exe

C:\Windows\SysWOW64\Jiiicf32.exe

C:\Windows\system32\Jiiicf32.exe

C:\Windows\SysWOW64\Jilfifme.exe

C:\Windows\system32\Jilfifme.exe

C:\Windows\SysWOW64\Jcdjbk32.exe

C:\Windows\system32\Jcdjbk32.exe

C:\Windows\SysWOW64\Jinboekc.exe

C:\Windows\system32\Jinboekc.exe

C:\Windows\SysWOW64\Jokkgl32.exe

C:\Windows\system32\Jokkgl32.exe

C:\Windows\SysWOW64\Jnlkedai.exe

C:\Windows\system32\Jnlkedai.exe

C:\Windows\SysWOW64\Kcidmkpq.exe

C:\Windows\system32\Kcidmkpq.exe

C:\Windows\SysWOW64\Klahfp32.exe

C:\Windows\system32\Klahfp32.exe

C:\Windows\SysWOW64\Kgflcifg.exe

C:\Windows\system32\Kgflcifg.exe

C:\Windows\SysWOW64\Kjeiodek.exe

C:\Windows\system32\Kjeiodek.exe

C:\Windows\SysWOW64\Kpoalo32.exe

C:\Windows\system32\Kpoalo32.exe

C:\Windows\SysWOW64\Kgiiiidd.exe

C:\Windows\system32\Kgiiiidd.exe

C:\Windows\SysWOW64\Klfaapbl.exe

C:\Windows\system32\Klfaapbl.exe

C:\Windows\SysWOW64\Kfnfjehl.exe

C:\Windows\system32\Kfnfjehl.exe

C:\Windows\SysWOW64\Kgnbdh32.exe

C:\Windows\system32\Kgnbdh32.exe

C:\Windows\SysWOW64\Lpfgmnfp.exe

C:\Windows\system32\Lpfgmnfp.exe

C:\Windows\SysWOW64\Lfbped32.exe

C:\Windows\system32\Lfbped32.exe

C:\Windows\SysWOW64\Lcgpni32.exe

C:\Windows\system32\Lcgpni32.exe

C:\Windows\SysWOW64\Ljqhkckn.exe

C:\Windows\system32\Ljqhkckn.exe

C:\Windows\SysWOW64\Llodgnja.exe

C:\Windows\system32\Llodgnja.exe

C:\Windows\SysWOW64\Lcimdh32.exe

C:\Windows\system32\Lcimdh32.exe

C:\Windows\SysWOW64\Ljceqb32.exe

C:\Windows\system32\Ljceqb32.exe

C:\Windows\SysWOW64\Lfjfecno.exe

C:\Windows\system32\Lfjfecno.exe

C:\Windows\SysWOW64\Lnangaoa.exe

C:\Windows\system32\Lnangaoa.exe

C:\Windows\SysWOW64\Lobjni32.exe

C:\Windows\system32\Lobjni32.exe

C:\Windows\SysWOW64\Lflbkcll.exe

C:\Windows\system32\Lflbkcll.exe

C:\Windows\SysWOW64\Ljhnlb32.exe

C:\Windows\system32\Ljhnlb32.exe

C:\Windows\SysWOW64\Mqafhl32.exe

C:\Windows\system32\Mqafhl32.exe

C:\Windows\SysWOW64\Mcpcdg32.exe

C:\Windows\system32\Mcpcdg32.exe

C:\Windows\SysWOW64\Mfnoqc32.exe

C:\Windows\system32\Mfnoqc32.exe

C:\Windows\SysWOW64\Mnegbp32.exe

C:\Windows\system32\Mnegbp32.exe

C:\Windows\SysWOW64\Mogcihaj.exe

C:\Windows\system32\Mogcihaj.exe

C:\Windows\SysWOW64\Mfqlfb32.exe

C:\Windows\system32\Mfqlfb32.exe

C:\Windows\SysWOW64\Mjodla32.exe

C:\Windows\system32\Mjodla32.exe

C:\Windows\SysWOW64\Mcgiefen.exe

C:\Windows\system32\Mcgiefen.exe

C:\Windows\SysWOW64\Mgbefe32.exe

C:\Windows\system32\Mgbefe32.exe

C:\Windows\SysWOW64\Mnmmboed.exe

C:\Windows\system32\Mnmmboed.exe

C:\Windows\SysWOW64\Nopfpgip.exe

C:\Windows\system32\Nopfpgip.exe

C:\Windows\SysWOW64\Nggnadib.exe

C:\Windows\system32\Nggnadib.exe

C:\Windows\SysWOW64\Njfkmphe.exe

C:\Windows\system32\Njfkmphe.exe

C:\Windows\SysWOW64\Nqpcjj32.exe

C:\Windows\system32\Nqpcjj32.exe

C:\Windows\SysWOW64\Ngjkfd32.exe

C:\Windows\system32\Ngjkfd32.exe

C:\Windows\SysWOW64\Nqbpojnp.exe

C:\Windows\system32\Nqbpojnp.exe

C:\Windows\SysWOW64\Njjdho32.exe

C:\Windows\system32\Njjdho32.exe

C:\Windows\SysWOW64\Npgmpf32.exe

C:\Windows\system32\Npgmpf32.exe

C:\Windows\SysWOW64\Nfaemp32.exe

C:\Windows\system32\Nfaemp32.exe

C:\Windows\SysWOW64\Nnhmnn32.exe

C:\Windows\system32\Nnhmnn32.exe

C:\Windows\SysWOW64\Nfcabp32.exe

C:\Windows\system32\Nfcabp32.exe

C:\Windows\SysWOW64\Onmfimga.exe

C:\Windows\system32\Onmfimga.exe

C:\Windows\SysWOW64\Ojdgnn32.exe

C:\Windows\system32\Ojdgnn32.exe

C:\Windows\SysWOW64\Onocomdo.exe

C:\Windows\system32\Onocomdo.exe

C:\Windows\SysWOW64\Oghghb32.exe

C:\Windows\system32\Oghghb32.exe

C:\Windows\SysWOW64\Onapdl32.exe

C:\Windows\system32\Onapdl32.exe

C:\Windows\SysWOW64\Ofmdio32.exe

C:\Windows\system32\Ofmdio32.exe

C:\Windows\SysWOW64\Opeiadfg.exe

C:\Windows\system32\Opeiadfg.exe

C:\Windows\SysWOW64\Ocaebc32.exe

C:\Windows\system32\Ocaebc32.exe

C:\Windows\SysWOW64\Pfoann32.exe

C:\Windows\system32\Pfoann32.exe

C:\Windows\SysWOW64\Pmiikh32.exe

C:\Windows\system32\Pmiikh32.exe

C:\Windows\SysWOW64\Phonha32.exe

C:\Windows\system32\Phonha32.exe

C:\Windows\SysWOW64\Pfandnla.exe

C:\Windows\system32\Pfandnla.exe

C:\Windows\SysWOW64\Pfdjinjo.exe

C:\Windows\system32\Pfdjinjo.exe

C:\Windows\SysWOW64\Pplobcpp.exe

C:\Windows\system32\Pplobcpp.exe

C:\Windows\SysWOW64\Phcgcqab.exe

C:\Windows\system32\Phcgcqab.exe

C:\Windows\SysWOW64\Pfiddm32.exe

C:\Windows\system32\Pfiddm32.exe

C:\Windows\SysWOW64\Ppahmb32.exe

C:\Windows\system32\Ppahmb32.exe

C:\Windows\SysWOW64\Pdmdnadc.exe

C:\Windows\system32\Pdmdnadc.exe

C:\Windows\SysWOW64\Qjiipk32.exe

C:\Windows\system32\Qjiipk32.exe

C:\Windows\SysWOW64\Qdaniq32.exe

C:\Windows\system32\Qdaniq32.exe

C:\Windows\SysWOW64\Akkffkhk.exe

C:\Windows\system32\Akkffkhk.exe

C:\Windows\SysWOW64\Aogbfi32.exe

C:\Windows\system32\Aogbfi32.exe

C:\Windows\SysWOW64\Aknbkjfh.exe

C:\Windows\system32\Aknbkjfh.exe

C:\Windows\SysWOW64\Aagkhd32.exe

C:\Windows\system32\Aagkhd32.exe

C:\Windows\SysWOW64\Agdcpkll.exe

C:\Windows\system32\Agdcpkll.exe

C:\Windows\SysWOW64\Aokkahlo.exe

C:\Windows\system32\Aokkahlo.exe

C:\Windows\SysWOW64\Adhdjpjf.exe

C:\Windows\system32\Adhdjpjf.exe

C:\Windows\SysWOW64\Akblfj32.exe

C:\Windows\system32\Akblfj32.exe

C:\Windows\SysWOW64\Amqhbe32.exe

C:\Windows\system32\Amqhbe32.exe

C:\Windows\SysWOW64\Apodoq32.exe

C:\Windows\system32\Apodoq32.exe

C:\Windows\SysWOW64\Akdilipp.exe

C:\Windows\system32\Akdilipp.exe

C:\Windows\SysWOW64\Aopemh32.exe

C:\Windows\system32\Aopemh32.exe

C:\Windows\SysWOW64\Apaadpng.exe

C:\Windows\system32\Apaadpng.exe

C:\Windows\SysWOW64\Bdmmeo32.exe

C:\Windows\system32\Bdmmeo32.exe

C:\Windows\SysWOW64\Bkgeainn.exe

C:\Windows\system32\Bkgeainn.exe

C:\Windows\SysWOW64\Bdojjo32.exe

C:\Windows\system32\Bdojjo32.exe

C:\Windows\SysWOW64\Bacjdbch.exe

C:\Windows\system32\Bacjdbch.exe

C:\Windows\SysWOW64\Bmjkic32.exe

C:\Windows\system32\Bmjkic32.exe

C:\Windows\SysWOW64\Bgbpaipl.exe

C:\Windows\system32\Bgbpaipl.exe

C:\Windows\SysWOW64\Boihcf32.exe

C:\Windows\system32\Boihcf32.exe

C:\Windows\SysWOW64\Bgelgi32.exe

C:\Windows\system32\Bgelgi32.exe

C:\Windows\SysWOW64\Bkphhgfc.exe

C:\Windows\system32\Bkphhgfc.exe

C:\Windows\SysWOW64\Bajqda32.exe

C:\Windows\system32\Bajqda32.exe

C:\Windows\SysWOW64\Chdialdl.exe

C:\Windows\system32\Chdialdl.exe

C:\Windows\SysWOW64\Ckbemgcp.exe

C:\Windows\system32\Ckbemgcp.exe

C:\Windows\SysWOW64\Cnaaib32.exe

C:\Windows\system32\Cnaaib32.exe

C:\Windows\SysWOW64\Cammjakm.exe

C:\Windows\system32\Cammjakm.exe

C:\Windows\SysWOW64\Chfegk32.exe

C:\Windows\system32\Chfegk32.exe

C:\Windows\SysWOW64\Ckebcg32.exe

C:\Windows\system32\Ckebcg32.exe

C:\Windows\SysWOW64\Coqncejg.exe

C:\Windows\system32\Coqncejg.exe

C:\Windows\SysWOW64\Caojpaij.exe

C:\Windows\system32\Caojpaij.exe

C:\Windows\SysWOW64\Cdmfllhn.exe

C:\Windows\system32\Cdmfllhn.exe

C:\Windows\SysWOW64\Chiblk32.exe

C:\Windows\system32\Chiblk32.exe

C:\Windows\SysWOW64\Cglbhhga.exe

C:\Windows\system32\Cglbhhga.exe

C:\Windows\SysWOW64\Cnfkdb32.exe

C:\Windows\system32\Cnfkdb32.exe

C:\Windows\SysWOW64\Caageq32.exe

C:\Windows\system32\Caageq32.exe

C:\Windows\SysWOW64\Cpdgqmnb.exe

C:\Windows\system32\Cpdgqmnb.exe

C:\Windows\SysWOW64\Chkobkod.exe

C:\Windows\system32\Chkobkod.exe

C:\Windows\SysWOW64\Ckjknfnh.exe

C:\Windows\system32\Ckjknfnh.exe

C:\Windows\SysWOW64\Cnhgjaml.exe

C:\Windows\system32\Cnhgjaml.exe

C:\Windows\SysWOW64\Cacckp32.exe

C:\Windows\system32\Cacckp32.exe

C:\Windows\SysWOW64\Cdbpgl32.exe

C:\Windows\system32\Cdbpgl32.exe

C:\Windows\SysWOW64\Cgqlcg32.exe

C:\Windows\system32\Cgqlcg32.exe

C:\Windows\SysWOW64\Cnjdpaki.exe

C:\Windows\system32\Cnjdpaki.exe

C:\Windows\SysWOW64\Dpiplm32.exe

C:\Windows\system32\Dpiplm32.exe

C:\Windows\SysWOW64\Dgcihgaj.exe

C:\Windows\system32\Dgcihgaj.exe

C:\Windows\SysWOW64\Dahmfpap.exe

C:\Windows\system32\Dahmfpap.exe

C:\Windows\SysWOW64\Dpkmal32.exe

C:\Windows\system32\Dpkmal32.exe

C:\Windows\SysWOW64\Dkqaoe32.exe

C:\Windows\system32\Dkqaoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6748 -ip 6748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 400
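
Two details in the Processes list are easy to miss when read raw. First, every dropped copy is listed with an image path under SysWOW64 but a command line under system32: the 32-bit dropper writes and launches a system32 path and WoW64 file-system redirection silently maps it to SysWOW64, so a detection keyed on the literal command line would look in the wrong directory. Second, the two WerFault.exe invocations carry -p 6748, the PID of the process that crashed; the report's Processes list does not show PIDs, so this section alone does not say which dropped copy it was. The Python below is an added example, not part of the report: it pairs up the image/command-line records, flags the redirected launches, extracts the faulting PID, and applies a naming heuristic derived only from the names in this report (an eight-character stem, capital initial, lowercase letters, optionally ending in "32"). That heuristic is a triage hint for this sample set, not a family signature.

```python
import ntpath
import re

# Excerpt copied from the report's Processes section: each record is an
# image path followed by the command line the sandbox observed.
PROCESSES = r"""
C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe

"C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe"

C:\Windows\SysWOW64\Dngjff32.exe

C:\Windows\system32\Dngjff32.exe

C:\Windows\SysWOW64\Emhkdmlg.exe

C:\Windows\system32\Emhkdmlg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6748 -ip 6748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 400
"""

# Heuristic built from this report's names only (assumption, not a signature).
BERBEW_NAME_RE = re.compile(r"^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.exe$")

SYSWOW64 = "c:\\windows\\syswow64\\"
SYSTEM32 = "c:\\windows\\system32\\"


def parse_processes(text):
    """Pair (image_path, command_line) records from the flattened list."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) % 2:
        raise ValueError("odd number of lines; a record is missing its command line")
    return list(zip(lines[0::2], lines[1::2]))


def wow64_redirected(records):
    """Image ran from SysWOW64 although the command line named system32:
    the 32-bit parent launched a system32 path and WoW64 redirected it."""
    return [ntpath.basename(image) for image, cmdline in records
            if image.lower().startswith(SYSWOW64) and cmdline.lower().startswith(SYSTEM32)]


def suspicious_names(records):
    """Image names matching the eight-character pattern seen in this report."""
    return sorted({ntpath.basename(i) for i, _ in records
                   if BERBEW_NAME_RE.match(ntpath.basename(i))})


def crashed_pids(records):
    """WerFault.exe is started with -p <pid> of the faulting process."""
    pids = set()
    for image, cmdline in records:
        if ntpath.basename(image).lower() == "werfault.exe":
            m = re.search(r"(?<!\w)-p (\d+)", cmdline)
            if m:
                pids.add(int(m.group(1)))
    return pids


if __name__ == "__main__":
    recs = parse_processes(PROCESSES)
    print("redirected:", wow64_redirected(recs))
    print("name hits:", suspicious_names(recs))
    print("crashed PIDs:", crashed_pids(recs))
```

When turning this into a host-side hunt, match on the SysWOW64 image path (what actually executed) rather than the system32 string the command line shows, and treat the name pattern as a reason to pull the file for hashing rather than as a verdict.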

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
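
Every row in the Network table is a PTR query to 8.8.8.8, and the in-addr.arpa names hide the addresses actually being looked up because the octets are reversed. The Python below is an added example, not part of the report: it parses rows in the table's format, recovers each looked-up IPv4 address, and checks the result against the standard library's own reverse-pointer computation so a typo in the octet order cannot slip through. The rows embedded in the string are copied from the table above. Note that the table does not tie any query to a process, so these addresses should not be treated as command-and-control indicators on this evidence alone.

```python
import ipaddress
import re

# Rows copied from the report's Network table (Country, Destination, Domain, Proto).
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
"""

ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)$")
PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """Turn d.c.b.a.in-addr.arpa back into a.b.c.d and validate the result."""
    if not name.endswith(PTR_SUFFIX):
        raise ValueError("not an IPv4 reverse name: " + name)
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        raise ValueError("expected four labels: " + name)
    ip = ipaddress.IPv4Address(".".join(reversed(octets)))
    # Round-trip check: the stdlib must regenerate the exact same PTR name.
    if ip.reverse_pointer != name:
        raise ValueError("reverse-pointer mismatch for " + name)
    return ip


def parse_network(text):
    """One dict per row with the resolver, protocol, query name and target IP."""
    lookups = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unexpected row: " + line)
        country, resolver, port, qname, proto = m.groups()
        lookups.append({"country": country, "resolver": f"{resolver}:{port}",
                        "proto": proto, "qname": qname, "target": ptr_to_ip(qname)})
    return lookups


def reverse_lookup_targets(text):
    """Distinct addresses that were reverse-resolved, in numeric order."""
    return sorted({str(l["target"]) for l in parse_network(text)}, key=ipaddress.IPv4Address)


def resolvers(text):
    return {l["resolver"] for l in parse_network(text)}


if __name__ == "__main__":
    for ip in reverse_lookup_targets(NETWORK_ROWS):
        print(ip)
```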

Files

memory/2256-0-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2256-1-0x0000000000432000-0x0000000000433000-memory.dmp

memory/4432-8-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Dngjff32.exe

MD5 b92871a76c23ca473f84f84c0fa70075
SHA1 067cc9233637a4dd3c79f4cc350e87ba99dab30b
SHA256 9fc85e74da1e269eff3e181e43426e7e5ccd6b22d829734e883628860cce2167
SHA512 e5ca9b75e9fb862e3fded58ca049dfef7f1d0fb065c81341b949c95b907fd3deccef31113f784ba200c33e24b0c943978d50d053cd0168c65b8a7254ae686f3c

C:\Windows\SysWOW64\Emhkdmlg.exe

MD5 00a62288f67cd361475621efcac31576
SHA1 4cec5b1979da124de6eccb38872bdc81a310bc83
SHA256 e35c4f787ebcb8a2a1267d0281eb8f831d2f74271199a09b7e3e96f32ad65e37
SHA512 6c69d4a03e2e847ee7071c445e2be3699a95e45b238be1da6ac10df2a73b55981e1117536fbf1d4ee1d7077e7b2519d298099ef7976bdcdbd5e98fee13fc9e95

memory/692-16-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4884-24-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Eofgpikj.exe

MD5 9403072b7aca77996ba5299968cb7018
SHA1 d0ac54f53373b98c63c31a1b089c0a1cb407ec9b
SHA256 e9fd60c95799ba341f939032a1768d64139bd373cc9811fca74d46a435c090bb
SHA512 68a89f97addb4a4716e726bfa113eaf1e274f93ae9090bd69060c2602c830c61fe02c35f62ca8cc97dd2c378fdf94bba88b7dff721d7e63fc8a7d1376d680ecf

C:\Windows\SysWOW64\Eiokinbk.exe

MD5 5601489a0d12a22e458f5a32c4bb373e
SHA1 87e04a2bd71a086fdf8527aa646dbc9d1b1c998c
SHA256 138d5d4c3807a4d626f757a2989b1771401a5e41e6e7d7fb39821481ad6f0f80
SHA512 b573365ba6149bfe06f564457d2dfb951b966ee211c0aa66f7bbf8cc8ee4d4b09ce9c864a529cb39255e3df065fad9164a58ad20082f41add12c0ce0aedeb0e6

memory/4744-32-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Ekmhejao.exe

MD5 2a90a8d7a6954b3077baa68b0d71ac5e
SHA1 76c6cd6bb8656f75af882586332c124f64bedc83
SHA256 1b78460dc5c387324658e45bda9afc81d7b871d5be55fbb0754b7974c32b976b
SHA512 dce4428db95ec724d5f97dfbe20d046e49453653fd6480cff8cb3763fe351e7b5a3033347be389beca23702d7a731597bb5cffca092fbeb903d4279939639681

memory/3040-41-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Ebgpad32.exe

MD5 7036ef883ccb774c370ad4b2d637d3c7
SHA1 9288c9f99cd84e2d8083d4c8e95a06027116208c
SHA256 3cf239b83150792f5894fc7a987a405e83772cced92192adb3c982865bcf459f
SHA512 ff9b490cb0e62307958c4d37be5b1dc7b4909a1ad2ebd5d62d64f5c20586f19ace2f8762a0461b0eff8fa13444ff1946b14228523b48a93bfd9486ab9a3df399

memory/3668-48-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Ekodjiol.exe

MD5 a2ba619c4133c8e75dadceaa955b1661
SHA1 1906cf09845cd20e33313960a6549d1ad72ee5ff
SHA256 c86e5881c3e6758cd77a2860c73309614556126a5162c0e17f2275e1014a6121
SHA512 f76ceaaf61926b4892745ab1040329358302dc8c5bf22859c728b117e8359425fb934539287c29453eee96e3a24019acac79a0f34239c482bb85ae9e901e8e5a

memory/2396-57-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Ennqfenp.exe

MD5 bacd3c7ef75b35a256d6c322947295c2
SHA1 d205e71577d76f7e426e0e033e584d063355eb99
SHA256 cb783b1e7c3315d54d48b822e3273b36a716cc451d25162805aa603247e355b7
SHA512 d22709145436662abe23101d0a7a0839284eb6eb2df40cd49c9693558532ab8fed629d58ff34c042685af898c77aee89b2f6e305f68a825d26986d004549c65d

memory/2464-64-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Eehicoel.exe

MD5 1032b4c043477786ff46d97e9d9af953
SHA1 bea5a40f243eea6190e64d027ace81dcb37ab884
SHA256 afc5d8d1042730dbbfeb9651ba94f1f659a8d38d5d86ff8e2a89daa643d3ed56
SHA512 0a728430d7149f9a40bff03ca32a8a4cae3ad0637ab95d7d190367ec3aee023780812668b27e565cbf643958da373ac49645420eadaa3d8768220ebae0299e6b

memory/416-72-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Epmmqheb.exe

MD5 8a672754219a0bb58d5a00c190af3872
SHA1 224bebb9f0b2e892adb24f1876844f7a6f5754d6
SHA256 14210450589094ce9482887c14a868d3e93295f26b5e51de8278bc615d5ece45
SHA512 7c96166fe0e8181ad4c042256a3b2bc5ba19352905944e6378e8702002851f056709a19c45c1f2d821a980fd2e988b4ce59caa350f15fb587e058de47b897fe0

memory/2300-80-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Eblimcdf.exe

MD5 aae86053fae24136b398591f5c4f592e
SHA1 07b554a95594f3a68ff66a6a80b0b8dc75ec78b2
SHA256 24ca2819ce728ea9b36cb5c3f401881e731c5888ade45272ce8afceb16c5e124
SHA512 4a459d09c408a48b2fb80903657473501b4a96606435daa54cde1f2a03eba18efce235e539efb5fb8dc888a13c9e7744a7832c98e8f4140c8dac75f440acb00b

memory/5076-88-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Emanjldl.exe

MD5 2100fcabfb7a89a304f16d409325b19b
SHA1 f4601e8d33e0b1dee9e4be5772f455195299546d
SHA256 804486efd4ffdb87fa5b17d313686c5930f8e42df32e4aca4ef5779579459358
SHA512 25042b5d43e63bdf63567acfb5539cf93100b6dfe5bc027fdcd175763b49eeef0b666feccc9f6330f7f081106caaecc2b7955f0da72a8c189f08db76034a6fdb

memory/1652-97-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Ebnfbcbc.exe

MD5 278b1fc4db9794875fb4d9e6300b1548
SHA1 ca1b583ace3e12b6a9c4f4f650d0767e70c09186
SHA256 e0e53cc481ea779fa2df53aa1dcf0195a777cb8f64c299624f1505330df70f77
SHA512 e7d9afa9e79e36e5e03019388e9c11856682bae1bdb9a0680ab62cb858afcc9d1478689a80126dd4493d41763314739cfe936829859cc45ac4bee59ce7286c61

memory/4996-104-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Fmcjpl32.exe

MD5 acaf84a9db980e12c7ee3c570a24dd09
SHA1 fbe1ac1d2a6698ef0f7e752eb68a4e887a9dcd27
SHA256 9c080468545e40d862816a2cc6df4995d1a564217e92bbc56f25af15b77d7d3b
SHA512 048104e4848cf25c50898a86cfded57492d3ba3c842363dfa608fdad4b3f9a184e6484a4025b57a50e841a17a53a6cfd076871d4f418fe28609bf72340b49edf

memory/4004-113-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Fbpchb32.exe

MD5 717ac58b2ffe6533f33a551471027c8b
SHA1 4ad9c4619bd9f426e08b400ec1926f0eb2b07bde
SHA256 bb9c178e07e3bee96dcde4e278f5343bb38f9debea0fbaf0eb806b6c831041a9
SHA512 2bbe1d02ed23cb751e675c39b746bd2cf1346569f1f8f8ebd554be65758f4676a82b03a13716b91b22ad191ae8361e443354e8bd7d3494b3d07d702f03c60b4a

memory/4808-121-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Fijkdmhn.exe

MD5 27bd85f0fefe07654467ccf3c6ca9654
SHA1 62be8a13a816afca975edd2e54e0af2a80c0f06f
SHA256 2babf865389077219c0a5501916ce439971e0f5c9575d2200f7faf5a5f1dcd81
SHA512 a41fcf9b8f2c732e1d4c4e62734c2f82322cec254d4e7e2917dc5baadaaead66a3d81ac857a9528963aa1fe7342ba945903df20a9653f7fce3634a2c27f80dc3

memory/3756-128-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Fpdcag32.exe

MD5 5d423c2bd8d539d0cbec985667f678e0
SHA1 55ee70a2a08876a8912a39ccb26531f5325366eb
SHA256 c74a8e1571cf02280a96c562e05237ae33b991daafe76d00f7d0fde8a69568d0
SHA512 344f587e64e0873b45ebae0b95339918e10ace1e3ce1bb584ab770765320e7c2c3a88b4d25db4147faff73a3dca0b6f3abaf6a6cd73540a0c3ed76aebda9d801

memory/1520-136-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Fealin32.exe

MD5 ac31e9f2c6397d72100a4ac448358e62
SHA1 ee04c479df36321344d30830101e8f23bd14b28e
SHA256 0aa884a40f8c1d4ff102b09dfbaf48f183245862c3540f7f11f7a459c611c22a
SHA512 1dd7a21eafadb22d0c6c17a620902d338a047001a704abf42bf8ebbf12d3b2b94991fc1fd465847e98d912960472d7e9dc8550eea590a9057ffdff2b34dc0c06

memory/1148-144-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Flkdfh32.exe

MD5 a3c8e9993399789faf618822b28254a7
SHA1 54e5266e940c295deb11b7b8aebb840f613d2700
SHA256 7d8ce99651609a3d828c364483e0c80c780bf1b06f95182b2bbe199819afad1c
SHA512 71b432dc0fd08267884870bff083696d89e6f271b383c3575ca56506b80f764162b0ccd8cabd9588d4e46ea15b7c93b7c63ab6b92fa152bc45516d973e3f9217

memory/100-152-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Fpgpgfmh.exe

MD5 2b632aafefdd40c954987f8b8f0cd659
SHA1 2447bdd9631df16cd2e88742dbff85a003c4041d
SHA256 aa1e7178c753ea14fdfe0a66b36fc9cfbc4c78be596598f2d80e567ea4719ca6
SHA512 f8ba1f5965d2c69bb3c2f8af5d44026e5a4b9e3f5cd5479484c14da02faadeedabb5bf39813d89ae64c790d5c3f0bfac7197dcb20b938384b6d15827b7b31e35

memory/928-160-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Fiodpl32.exe

MD5 f0535e4085abe28bebf99a88550fcf29
SHA1 b73beac867d028d8e06568de98d7e9ce9ffceb62
SHA256 7501a12ceb2796d7d2f50c4511e1a515f89c516cd9e6c4f6283aad242a1141bf
SHA512 35758509b7c36323b49265848ac9311d2d657cb5e5413e9a2c94f57460a5fdf3f663792d0de56c8d64b1b42d9735870fd046d078d83bb8aaa55ce03de51b3495

memory/3580-168-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Fpimlfke.exe

MD5 6b1813853213e0546e550f74b851557e
SHA1 17352b5c3d295c9cfcf665e6c7356c2362621d10
SHA256 c587b8ba88a1bf0f9e94e7e3fb9549027c89fa55eff7911199242d934973740e
SHA512 e1ca70bfbef8d983fc27055c15db296c8583a36d496dc5305834bb68ab622d75d6726e32bc1fe8b9f904538b28ad0abf293abdceee683db224ff935fa34b3b12

memory/3124-176-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Fefedmil.exe

MD5 c9914be64939bdf821d25ca83727aff1
SHA1 c50d980f76d2309e33210b0e8e466974d6e2c3eb
SHA256 22c0a0ec5f6b32b6be35345059e722a5d2345fdf5532c72f2c5e6a9b72355fde
SHA512 9b10871fdb3d3a46d54c04dc0f6540d2548f917063e260329356e8852efbf890716f9bbedcfb90051a612c9a4a939f6db30621d82763217ea6805f0aad45f5a7

memory/4960-189-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Fiaael32.exe

MD5 efe88204e1049521aac1397b3e1cdd7b
SHA1 6cca1f564bda13449c9eae63d1650518c46b82f6
SHA256 bd3db379618ddb5e7c6650a31be1b992cd0d0c54b4b03dfce0446d3d25cbe5d4
SHA512 c2b6cd4ac0489652472c976a133e14635c26d895f5e1de850c12ad2e0913c19815895122d7b194ca33571808e204abd065d81df36fa2a0c3f8d62eed255ef04a

memory/1716-193-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Fpkibf32.exe

MD5 defd6e950d571b6b0e72736038bb340f
SHA1 9cd594cf690410764c20fb760eb0bea9dfc752c7
SHA256 52a1f7e5f29b25d9690d58110b18b7c6c8b71a2f5f0c1bb17fc467e8e4590570
SHA512 a6971ad7f64a4a3fefe263b2f8dc913941b7b729c08dc071143f6590be8942cc5d5b883b4ad2fab66f5f3a274c16eeb819f09bdc8e3db505f066a55f59cceaf9

memory/1104-200-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Gfeaopqo.exe

MD5 d333c52cd587e69caa87201f9fd40a5a
SHA1 ac90e1165967e654de99738c4b6e54c78bbca3b2
SHA256 cd682e14761874498de3b7fee2f19bfc14d3474007aa12e49030b6fe6c38850d
SHA512 f30bd6cfc455ff0c4111bee65560c244dc8f72653fa5958a16fff92a04466d87b0dc753edd7363157dc01eaaa0b68d6c27152db0c848c902b99ff814ab7e91f4

memory/4072-208-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2860-216-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Gmojkj32.exe

MD5 941d020360cea83331936a31617cc9bb
SHA1 bdb925533316f867d31b34be76410de9dac53452
SHA256 bcae265648c38e8dec5ec3014426c3eea6ed943086772d2b7377746b8b4489e5
SHA512 20bacf23b659f83884d5fc9a397d50e410ca6fef40f01502cfa108e38c37036135992b996fb3d8b15d1a7d551db82999e512c5679e4b2a054a1b8703d86936c1

C:\Windows\SysWOW64\Gblbca32.exe

MD5 e1ae2ec13d6c9a5818badc0279f7cbea
SHA1 9a83ff54951e5a3b8bf7a2096d83ed77113c71db
SHA256 cf75ac3959973545b004cd8cb79a8ad8eeb8b7c720c94a418fa05651e761ae51
SHA512 4ecd1957ad6ec99dc119b215b83502dd935108042b3ea9ecd1b227f6ee1729fb0eaace2537a904c62591547d6a297ee89fa1a0a87e36f2bbd1646c5513757b6e

memory/432-225-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Gmafajfi.exe

MD5 1df0d1be4afbbae1285a321454d8b1be
SHA1 435f36197a951008524ddcfd8e28822b530d5717
SHA256 7ef333a9b6e7054aa1323a3aeea6b9f59f3772a47582719f4913c13225c15b7e
SHA512 c084d6fe9c5371eac430accfa6f2e66912d75a31d17977f4c30ef85a5e397aed17c90d2ec72764346f5679806fa9fd8c84caf241af91b9371889967b3da3cfb6

memory/5112-232-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Gncchb32.exe

MD5 a27bc3994f0dfe2bd6346ebe7795ac95
SHA1 a3b881eb58bbbdd885b967049af2be3329d00087
SHA256 90e4f030e50a624aba62a28061dc93199e77f10f9eba8f7dd35fea520a53bb83
SHA512 dd10b443c18795ec9a588981d9485b10aa391b2c6aed7e1f464700d15e0e6b90414cd512722315388bb7e183a769ccd26447fd6006d268d57e49b8fb9b16cbf7

memory/2040-240-0x0000000000400000-0x000000000043C000-memory.dmp

memory/620-248-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Gemkelcd.exe

MD5 26101c7997cbdd0a32e42c20c8456f76
SHA1 d8a1e1b591c1b16689bea474f48d06245e4cdfae
SHA256 f6290ff8e74aa0d6f2edaa5d54fdd4876f98e6ec0b6e09c28eb1f48a82f93373
SHA512 1741c806fa7615b26a64516d0348f2b91ce2984f53b0397e1473c275c9e10409ae9104643ce6b6fda4cd866c4c7edb211cd0d1617f0288c469f446283db54f5f

C:\Windows\SysWOW64\Gpbpbecj.exe

MD5 4f48b3dc6f37d4d9565a16ea10315316
SHA1 eb19f8ef89f54f02e40dc1acc10cc495836209b3
SHA256 14bf895d2208f975ea727d1280b1aa820b0ade4fe7f174549ac05dd22417e3bf
SHA512 2cbbbe6cfd5342b78ca40f736350f79cd75b5bc96f5f98479a19b5ece2704a3fc373e231793795de836999a8b8d49794de30bc3cfd10df564dda3a9458d89ff8

memory/1684-257-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2752-263-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1160-269-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3504-275-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1168-281-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4848-287-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4632-293-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1580-299-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3232-305-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3620-311-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3256-317-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Hehkajig.exe

MD5 0e1fa4190db6f88d9bacb9eabcd761bc
SHA1 4c2ca9b20967357419a083fddfe1fb5ef95b57e3
SHA256 27e2d83313d047299165cfec62a9a8b1d139548d692f390658261273b0cbbe52
SHA512 2ca1e292d1ad2a15b578dbdd4e911774e95b6133a094c7913800f101613906d3b6cb5f5d956dbaa668a1b0e51e6f014709cdc252513e9c367536dd1efb2ce4aa

memory/4596-323-0x0000000000400000-0x000000000043C000-memory.dmp

memory/536-329-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2652-335-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2920-341-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4896-347-0x0000000000400000-0x000000000043C000-memory.dmp

memory/772-353-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1108-359-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3156-365-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Ibaeen32.exe

MD5 1593ae616f1a3241880b6f01051a8c6e
SHA1 eeb1ebd033e9759d6cc54cf3ede5233c1534ed1a
SHA256 7dec76757673f03bd0d1368faeedd8ee82b22e7323e0b9c0a788b4094ca4b9d3
SHA512 9bf558ee8fb52554b0e84bb24bc524f781d8e287994666eba892aa9b5229f5274075477cc03ce12b885e12802407661a082ffb87a26ec1bd38e46080a9958488

memory/2716-371-0x0000000000400000-0x000000000043C000-memory.dmp

memory/372-377-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2180-383-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1256-393-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4112-395-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1812-401-0x0000000000400000-0x000000000043C000-memory.dmp

memory/824-407-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2348-413-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2640-419-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1820-425-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4068-431-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Ieidhh32.exe

MD5 8aba61a0f19dc8b9a64eb5fcdf426820
SHA1 64dd206f15a3e5842de425d717f04072bc126c77
SHA256 d34bb1b123037b29bc56b04a87ed7cf9cd89310143d34e157ebb5e7d2c0f656f
SHA512 8186d41ce74afa5fbb4b863720b4f388c2e869b716097845005075c379a318415b0fed2e3fe4bb746e3bd6cef3ac65704e08124d63c38838de3d48fae761add4

memory/4608-437-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4460-443-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4536-449-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4916-455-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2472-461-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4864-467-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2252-473-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1548-479-0x0000000000400000-0x000000000043C000-memory.dmp

memory/848-485-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3612-491-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Jinboekc.exe

MD5 308d5216569c3df91198a6d1097f054e
SHA1 ee7455640800a6f6140ce285c5a41a23ab52e402
SHA256 87db6f79b39e97b750c72e9ec52f423005fe6c7ad337ce459105f189b1024668
SHA512 a16521e63c2f2f9cd5199d23e553270e4c9f3b17a884474c143aefb9c74f9ff87097ef5faf16e04c5b370eaab0057a25d7a6e4f31fcc631dac66a06479f2a118

memory/4636-497-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1472-503-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2384-509-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1616-515-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3920-521-0x0000000000400000-0x000000000043C000-memory.dmp

memory/5004-527-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4876-533-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Kpoalo32.exe

MD5 3f1d2f327dee6168589cecae9b747d33
SHA1 3bcb2843a7e8f5fef10dc8b2e747c4224fdea046
SHA256 a82de4721fe43715dd4cb25e81808c12df23e6ac23bcea3a80e67ddc1eb0542d
SHA512 f38e1fef3836f1b0ce6a765a0556418849011c35508d672dc17ecf2e5fc04ad98c9a39b82f21b98f50e5f0f77f284cb62a7766803816cc30ea8d725a4cc90cb6

memory/2256-539-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2188-540-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1052-546-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4432-552-0x0000000000400000-0x000000000043C000-memory.dmp

memory/5096-553-0x0000000000400000-0x000000000043C000-memory.dmp

memory/692-559-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4856-560-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4884-566-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1300-567-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4744-573-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3652-574-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3560-581-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3040-580-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3668-587-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3128-588-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Lcgpni32.exe

MD5 295111f1c737e199188a5036c8d4a70d
SHA1 72b94f300efb0b067d8bb63ee548cd9f2f62b63e
SHA256 7d5ddb6e31c221a1dfb28ec96e7c818b1bb33e79bbe690e97fd4c94bdd27b151
SHA512 c1d7002d1d45aa49035ed84aad1751302cea5c38c55f9d7a05fae3e4644f9a7f02a9a93dded14574865b67c1cb367bd155df9f73bc38fea56c393a5fa8b53545

memory/2396-594-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Windows\SysWOW64\Mfnoqc32.exe

MD5 12287ff9cc63421ec9461420ccfd4c93
SHA1 e08538901d1f17353a2a6c0424cc8858546a343d
SHA256 1c567bce9f06b8f9c04ddbf1d895192c833a26daf56f5477cb73a4a1ecb75ce9
SHA512 02ed4c40fe78934d8c18fb18e6b41354daab601bf1791e9ea8b8027ddc0471939203483e52e6ac5d21fcd487993846b6b08db8d20a7654ebf92ad4ba634ca8a2

C:\Windows\SysWOW64\Mjodla32.exe

MD5 4498deee25e8868fb84da4a13a6de13f
SHA1 18ae9bbd6d346ad2fce7103bfe4c0fcf7a2926db
SHA256 e48460d42b3db010fa6f749bc571ebd1fdef3ca3e8d0f11ff9c8d29e34bc2165
SHA512 462839af6735249b7bee657fd6636f15f79e6f99cff11d9da0e8f21f03be0922c30dfe2e9501c7615be28baf258d96ab084951b18b4e656127d56797ec29f012

C:\Windows\SysWOW64\Nopfpgip.exe

MD5 3004eac2f31e5902d74a84078518db0d
SHA1 b3c9a3790d183307073c49374eab3346d9df1070
SHA256 de0745e246ef0b53f32eade3469aa26fdae4f497576df1142d7f52dc6524dd35
SHA512 e20340e7756faafba9fed4c5bfb12e7f89ef37677c14c57e0e0f6d4869eacd226141fc14b82fde009c09fd4b24c60154bf188a37548fbc09ca2bf885225304fa

C:\Windows\SysWOW64\Njfkmphe.exe

MD5 5f2998154866cdb61dbc3e28916faf67
SHA1 0a5275044ba4a86d6ea66a3f0f377b6064a9ef9e
SHA256 cdac5d9d5ad8a164da495e5b0767430d953b76264912d6dca1ec13d892c082db
SHA512 efbcd76bc8920a5c3698c507ec74e3624b8ac6d4e7ad7831e6a989d2e978adab8e1f0d276e3f96957fa61d406f072206616125412ff01b18ffaf370d8196744d

C:\Windows\SysWOW64\Njjdho32.exe

MD5 bade15f7d4b73a5e4ace752c81d3968a
SHA1 eb939df35fdcb14aa68c1f088cd4c8770d237fa3
SHA256 a6bd49ae1d4139d4105fd992cc644c56fcf0460cd2441bf7589b9190e4bcd3a8
SHA512 8ee7cbf9fa0c976f5115befe0d7fa1938d10ea220ad2de0358a5d95ef19f44b618ef91d1ec93785d8c41434f3206e86dfa066610babb3307862ee117b5eef5c9

C:\Windows\SysWOW64\Nfaemp32.exe

MD5 9cd4db02068cfff39a842d2f6ce80faa
SHA1 ac283018efb1477162902eb888b4115cd0760cab
SHA256 bc10724a7adcfafe2e66f1606a6d30cfa641e1a6593f40ea96e3133438de912c
SHA512 2ff907565d94b228d5e2e10bb6dba9a81d44553da3f3ae08cf4d26a2ead6d177bbfa3b07d69ff1e146d82e991312310bf5da9cf85e2308a6e9d222f4dd4c6977

C:\Windows\SysWOW64\Nfcabp32.exe

MD5 1ef7c0e9ad6ea9ea8411d3903f192e39
SHA1 e1acd57cadb0a1bbbcab272f18d6a975c16984c5
SHA256 dd0041f65c82699b739d70e74b070445d56b737903550caa580b0c99107d1f64
SHA512 8fe8074ee92fb63f03b01068c7a7f9bd066d02fa659f30bfc89b775e7613b3db2bffe05863b96a303d495add672e2f47b9b59b904e61c10491abdbd8abe98963

C:\Windows\SysWOW64\Oghghb32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Ocaebc32.exe

MD5 6d18c61a574f1f4f7d996051269a4ff5
SHA1 5fff63670a577cdbef70358e9f2b4a2595694b2f
SHA256 1e1d54da10a043a6b7c9a206e2eb0944ac3c4744aa10fef504dbc25a9b8f846a
SHA512 f7eeddf4d6eafb750aab73bcada813ba066fcd3f7c5e7b3ae0e15776fe59410b8b95dd5a1d1914571ff6014ab1688f2d954446214d83e54617d013e00ca858ba

C:\Windows\SysWOW64\Pplobcpp.exe

MD5 413b8da953ec885374ca691b8994a609
SHA1 809f24ac6e02da53ac6ba194a186a422db6e532f
SHA256 8bdac71b04e5d44df72b378c39390f945e6c002909c98cba35e25a2cd8a47714
SHA512 e262188817807c4da0bdb30156f1dbdf2fdb8719aa5cec100acb37c352abb622e79b5aa38856120eb8ce51a826ab8f19d7e640b22f546d29ee1cb6008522b8c1

C:\Windows\SysWOW64\Pdmdnadc.exe

MD5 8492e881c91ad8a2064b9cb894bd03be
SHA1 7375a9623abf66de864a31cf65b035dc8b5020a5
SHA256 ac71c90f43214a80f405ff0d6cb5b550633fc9856f03234422cc4a42a7c684e4
SHA512 856728e923d5a5e11748d6cd0cc3bda0adef3eb35d954b651901c5941c1e7af54927a0d828373b213b7ddddb34522d9978e6347c361d155591af0f54fd3d78a3

C:\Windows\SysWOW64\Qdaniq32.exe

MD5 e9aba5c7583a618a4c60bbc113ec3feb
SHA1 944155ed7ef945d130939d233d47cfe6b8b2a854
SHA256 e6d8ccb9b476c3c59e1cec30c27d8f2ce4736671b0437d02738bf3b965d3782a
SHA512 81e87973b7a8e6f8a4881213ef795843c8af025993115664668418d521182b062ec5aea41c4486feb45469643c9e5f4f2e66d3736a18437eba001721aed589fc

C:\Windows\SysWOW64\Aokkahlo.exe

MD5 139d1f3a1478c7c98b207dcabf89ef26
SHA1 71d959924f1e4a71d8fb7313fe5f54d6924cc72f
SHA256 39015591229d3426398e479acaaf096d99b1533c57055017c0c62c480820afc5
SHA512 5542cf8fed1b4cfe6da74ffc10b724d520fb10fa1b43b740a5209cbf497f6ee89f9a1072f8c8bc56b84ba6603799acbbeab7f775450b3971f3ef52cabb3813ea

C:\Windows\SysWOW64\Akblfj32.exe

MD5 f44071d77c9fa5f4fc887ba39c1b29ea
SHA1 7e8f089b0b5914adb7ec8ef5f962b6cde2cfd213
SHA256 08ceb7f6bc06e1115bfdfd8f9315585f53a2f9af3a53b92dd166e4604da02359
SHA512 45476af99701e8f8beafec6b3f0095b1471f1418dd20b84febfedf90479c129e7c8b538b249860333ad19446d888d7e1a00def5c88849c109e395e452240c576

C:\Windows\SysWOW64\Aopemh32.exe

MD5 2c7a1561e1cb90aa84bc9f4afcb9d329
SHA1 e48aa8bdcbec7f4b0b2f0c90f8dcf75b9a8bedb8
SHA256 491344ec6bd8a3b4f197d69b0aade4cd143ec56c8935fc5b8611e5e40db9dcd7
SHA512 379afcdca1e30d7593b8b4ce4a476f65dc0ad8a66eeabf26b537acba2a539db2a791f5edad0f2d236da09ea2c01cb202803778cbad302f53fa6c4c6c63d87505

C:\Windows\SysWOW64\Bgbpaipl.exe

MD5 f24434e082baa748c3f27ad4704ffaaa
SHA1 40ce0d6f72cb20e0f2553a50a477ea85873f7641
SHA256 ad64545ace8c7d0d61f5f287f7647820e4f0b065a8abe7503503c685763ecdc1
SHA512 6c3ff81cec6c80c9b0abde8e025ffc80569fef7c86cf22bb6e4179a0f0e688c278d8e419e659a1b20eba7ccb4948cb4b7af52613661832c01556970d5b09acc3

C:\Windows\SysWOW64\Dgcihgaj.exe

MD5 0ffa6a36f953bd6dee2b30e0eec97605
SHA1 a1f80a7113f4c68a029aa4ee6828a5d857365d42
SHA256 6dd5c97528353fd51267429f25e415fed491735773fbf4cfd6574bd73f1e2ee7
SHA512 cf82cec5c42c9e1b99d0965a05b9e7a7a8042638263a12f2a0e2471a372c298bc6ba8092f095868285b4c1465c3649ecdfed1c7edbc6ce73c9b1288dabd50807