Malware Analysis Report

2025-08-05 10:28

Sample ID 241107-jl9zqa1len
Target ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N
SHA256 ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50
Tags
berbew backdoor discovery persistence
score
10/10

Analysis Overview

score
10/10

SHA256

ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50

Threat Level: Known bad

The file ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Berbew

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 07:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 07:46

Reported

2024-11-07 07:48

Platform

win7-20240729-en

Max time kernel

62s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kfodfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kageia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jfcabd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Khgkpl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Koaclfgl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbhbai32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jgjkfi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jpepkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jpepkk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Klecfkff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Khgkpl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kocpbfei.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jllqplnp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfcabd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdphjm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kageia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdphjm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Libjncnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jnofgg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kfodfh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbclgf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Klecfkff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lplbjm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jpjifjdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Libjncnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jgjkfi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jbclgf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jjjdhc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jllqplnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jbfilffm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmimcbja.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbfilffm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jipaip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kekkiq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Koaclfgl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jpjifjdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jhenjmbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Keioca32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kmimcbja.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbhbai32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjjdhc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jipaip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jikhnaao.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Keioca32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kekkiq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jikhnaao.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jhenjmbb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lplbjm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jnofgg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kocpbfei.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdbepm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdbepm32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgjkfi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgjkfi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jikhnaao.exe N/A
N/A N/A C:\Windows\SysWOW64\Jikhnaao.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpepkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpepkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbclgf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbclgf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjjdhc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjjdhc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jllqplnp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jllqplnp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbfilffm.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbfilffm.exe N/A
N/A N/A C:\Windows\SysWOW64\Jipaip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jipaip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpjifjdg.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpjifjdg.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfcabd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfcabd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhenjmbb.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhenjmbb.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnofgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnofgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Keioca32.exe N/A
N/A N/A C:\Windows\SysWOW64\Keioca32.exe N/A
N/A N/A C:\Windows\SysWOW64\Khgkpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Khgkpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Koaclfgl.exe N/A
N/A N/A C:\Windows\SysWOW64\Koaclfgl.exe N/A
N/A N/A C:\Windows\SysWOW64\Kekkiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kekkiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Klecfkff.exe N/A
N/A N/A C:\Windows\SysWOW64\Klecfkff.exe N/A
N/A N/A C:\Windows\SysWOW64\Kocpbfei.exe N/A
N/A N/A C:\Windows\SysWOW64\Kocpbfei.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdphjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdphjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfodfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfodfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmimcbja.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmimcbja.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdbepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdbepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kageia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kageia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbhbai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbhbai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Libjncnc.exe N/A
N/A N/A C:\Windows\SysWOW64\Libjncnc.exe N/A
N/A N/A C:\Windows\SysWOW64\Lplbjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lplbjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Jbfilffm.exe C:\Windows\SysWOW64\Jllqplnp.exe N/A
File created C:\Windows\SysWOW64\Jipaip32.exe C:\Windows\SysWOW64\Jbfilffm.exe N/A
File created C:\Windows\SysWOW64\Ebenek32.dll C:\Windows\SysWOW64\Jipaip32.exe N/A
File created C:\Windows\SysWOW64\Kdphjm32.exe C:\Windows\SysWOW64\Kocpbfei.exe N/A
File created C:\Windows\SysWOW64\Ccmkid32.dll C:\Windows\SysWOW64\Jpepkk32.exe N/A
File created C:\Windows\SysWOW64\Lpgcln32.dll C:\Windows\SysWOW64\Jfcabd32.exe N/A
File created C:\Windows\SysWOW64\Jnofgg32.exe C:\Windows\SysWOW64\Jhenjmbb.exe N/A
File created C:\Windows\SysWOW64\Jlflfm32.dll C:\Windows\SysWOW64\Kdbepm32.exe N/A
File created C:\Windows\SysWOW64\Jgjkfi32.exe C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe N/A
File opened for modification C:\Windows\SysWOW64\Jpepkk32.exe C:\Windows\SysWOW64\Jikhnaao.exe N/A
File created C:\Windows\SysWOW64\Jbclgf32.exe C:\Windows\SysWOW64\Jpepkk32.exe N/A
File created C:\Windows\SysWOW64\Jjjdhc32.exe C:\Windows\SysWOW64\Jbclgf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jbfilffm.exe C:\Windows\SysWOW64\Jllqplnp.exe N/A
File opened for modification C:\Windows\SysWOW64\Jjjdhc32.exe C:\Windows\SysWOW64\Jbclgf32.exe N/A
File created C:\Windows\SysWOW64\Dnhanebc.dll C:\Windows\SysWOW64\Jjjdhc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lplbjm32.exe C:\Windows\SysWOW64\Libjncnc.exe N/A
File opened for modification C:\Windows\SysWOW64\Lbjofi32.exe C:\Windows\SysWOW64\Lplbjm32.exe N/A
File created C:\Windows\SysWOW64\Jpjifjdg.exe C:\Windows\SysWOW64\Jipaip32.exe N/A
File created C:\Windows\SysWOW64\Jfcabd32.exe C:\Windows\SysWOW64\Jpjifjdg.exe N/A
File opened for modification C:\Windows\SysWOW64\Keioca32.exe C:\Windows\SysWOW64\Jnofgg32.exe N/A
File created C:\Windows\SysWOW64\Abqcpo32.dll C:\Windows\SysWOW64\Jnofgg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Khgkpl32.exe C:\Windows\SysWOW64\Keioca32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jfcabd32.exe C:\Windows\SysWOW64\Jpjifjdg.exe N/A
File created C:\Windows\SysWOW64\Keioca32.exe C:\Windows\SysWOW64\Jnofgg32.exe N/A
File created C:\Windows\SysWOW64\Khgkpl32.exe C:\Windows\SysWOW64\Keioca32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kocpbfei.exe C:\Windows\SysWOW64\Klecfkff.exe N/A
File created C:\Windows\SysWOW64\Pbkboega.dll C:\Windows\SysWOW64\Khgkpl32.exe N/A
File created C:\Windows\SysWOW64\Klecfkff.exe C:\Windows\SysWOW64\Kekkiq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jpjifjdg.exe C:\Windows\SysWOW64\Jipaip32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kfodfh32.exe C:\Windows\SysWOW64\Kdphjm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbhbai32.exe C:\Windows\SysWOW64\Kageia32.exe N/A
File created C:\Windows\SysWOW64\Dlcdel32.dll C:\Windows\SysWOW64\Libjncnc.exe N/A
File created C:\Windows\SysWOW64\Jllqplnp.exe C:\Windows\SysWOW64\Jjjdhc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jhenjmbb.exe C:\Windows\SysWOW64\Jfcabd32.exe N/A
File created C:\Windows\SysWOW64\Kmkkio32.dll C:\Windows\SysWOW64\Jhenjmbb.exe N/A
File opened for modification C:\Windows\SysWOW64\Koaclfgl.exe C:\Windows\SysWOW64\Khgkpl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kdbepm32.exe C:\Windows\SysWOW64\Kmimcbja.exe N/A
File created C:\Windows\SysWOW64\Jikhnaao.exe C:\Windows\SysWOW64\Jgjkfi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Klecfkff.exe C:\Windows\SysWOW64\Kekkiq32.exe N/A
File created C:\Windows\SysWOW64\Hnnikfij.dll C:\Windows\SysWOW64\Kocpbfei.exe N/A
File created C:\Windows\SysWOW64\Ipafocdg.dll C:\Windows\SysWOW64\Lplbjm32.exe N/A
File created C:\Windows\SysWOW64\Mebgijei.dll C:\Windows\SysWOW64\Jbclgf32.exe N/A
File created C:\Windows\SysWOW64\Eplpdepa.dll C:\Windows\SysWOW64\Jpjifjdg.exe N/A
File created C:\Windows\SysWOW64\Kmimcbja.exe C:\Windows\SysWOW64\Kfodfh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kmimcbja.exe C:\Windows\SysWOW64\Kfodfh32.exe N/A
File created C:\Windows\SysWOW64\Lplbjm32.exe C:\Windows\SysWOW64\Libjncnc.exe N/A
File created C:\Windows\SysWOW64\Ffakjm32.dll C:\Windows\SysWOW64\Klecfkff.exe N/A
File opened for modification C:\Windows\SysWOW64\Libjncnc.exe C:\Windows\SysWOW64\Kbhbai32.exe N/A
File created C:\Windows\SysWOW64\Jpbpbbdb.dll C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe N/A
File created C:\Windows\SysWOW64\Dfaaak32.dll C:\Windows\SysWOW64\Jikhnaao.exe N/A
File opened for modification C:\Windows\SysWOW64\Jbclgf32.exe C:\Windows\SysWOW64\Jpepkk32.exe N/A
File created C:\Windows\SysWOW64\Ckmhkeef.dll C:\Windows\SysWOW64\Jllqplnp.exe N/A
File created C:\Windows\SysWOW64\Agioom32.dll C:\Windows\SysWOW64\Koaclfgl.exe N/A
File created C:\Windows\SysWOW64\Kbhbai32.exe C:\Windows\SysWOW64\Kageia32.exe N/A
File created C:\Windows\SysWOW64\Bndneq32.dll C:\Windows\SysWOW64\Kageia32.exe N/A
File created C:\Windows\SysWOW64\Qmeedp32.dll C:\Windows\SysWOW64\Jgjkfi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jipaip32.exe C:\Windows\SysWOW64\Jbfilffm.exe N/A
File created C:\Windows\SysWOW64\Kocpbfei.exe C:\Windows\SysWOW64\Klecfkff.exe N/A
File created C:\Windows\SysWOW64\Kdbepm32.exe C:\Windows\SysWOW64\Kmimcbja.exe N/A
File opened for modification C:\Windows\SysWOW64\Kageia32.exe C:\Windows\SysWOW64\Kdbepm32.exe N/A
File created C:\Windows\SysWOW64\Libjncnc.exe C:\Windows\SysWOW64\Kbhbai32.exe N/A
File created C:\Windows\SysWOW64\Lbjofi32.exe C:\Windows\SysWOW64\Lplbjm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jnofgg32.exe C:\Windows\SysWOW64\Jhenjmbb.exe N/A
File created C:\Windows\SysWOW64\Kekkiq32.exe C:\Windows\SysWOW64\Koaclfgl.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jgjkfi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Khgkpl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kekkiq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kbhbai32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdbepm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjjdhc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jllqplnp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jfcabd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jhenjmbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Keioca32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Koaclfgl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbjofi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jpepkk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdphjm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kfodfh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jpjifjdg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kmimcbja.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kageia32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbfilffm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jipaip32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Libjncnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lplbjm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jikhnaao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbclgf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jnofgg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klecfkff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kocpbfei.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jjjdhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kfodfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll" C:\Windows\SysWOW64\Lplbjm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jgjkfi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jpepkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbclgf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jhenjmbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Keioca32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kekkiq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Libjncnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll" C:\Windows\SysWOW64\Libjncnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbbdb.dll" C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgcln32.dll" C:\Windows\SysWOW64\Jfcabd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Koaclfgl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kdbepm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jipaip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Koaclfgl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kdbepm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbilijo.dll" C:\Windows\SysWOW64\Jbfilffm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbfilffm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll" C:\Windows\SysWOW64\Klecfkff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kocpbfei.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kfodfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodilc32.dll" C:\Windows\SysWOW64\Kfodfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll" C:\Windows\SysWOW64\Kageia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jllqplnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmhkeef.dll" C:\Windows\SysWOW64\Jllqplnp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jbfilffm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkkio32.dll" C:\Windows\SysWOW64\Jhenjmbb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jpepkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll" C:\Windows\SysWOW64\Jbclgf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kekkiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kdphjm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agioom32.dll" C:\Windows\SysWOW64\Koaclfgl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll" C:\Windows\SysWOW64\Kbhbai32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmeedp32.dll" C:\Windows\SysWOW64\Jgjkfi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jikhnaao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jnofgg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll" C:\Windows\SysWOW64\Kdphjm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lplbjm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jjjdhc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jpjifjdg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kocpbfei.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lplbjm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jikhnaao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kmimcbja.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Libjncnc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Keioca32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jfcabd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkboega.dll" C:\Windows\SysWOW64\Khgkpl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jllqplnp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jbclgf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jfcabd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdapknb.dll" C:\Windows\SysWOW64\Keioca32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll" C:\Windows\SysWOW64\Kmimcbja.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kbhbai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaaak32.dll" C:\Windows\SysWOW64\Jikhnaao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplpdepa.dll" C:\Windows\SysWOW64\Jpjifjdg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jnofgg32.exe N/A
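The rows above are two halves of one persistence mechanism. The ShellServiceObjectDelayLoad (SSODL) value under HKLM\...\CurrentVersion registers CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} for Explorer to load at logon, and the CLSID's InProcServer32 default value names the DLL that actually gets loaded; successive stages of the chain keep rewriting that value (Agioom32.dll, Ipbkjl32.dll, Qmeedp32.dll, Kcjeje32.dll, ...), so the CLSID stays constant while the payload path moves. The Python below is an added example, not part of the sandbox report or the Berbew family's own code: it parses rows in the report's own "Set value" / "Key created" layout, joins each SSODL registration with the InProcServer32 path for the same CLSID, and reports which DLLs that CLSID has pointed at and which processes wrote them. The sample rows are copied from the tables above; the regexes assume the report's fixed column order (operation, key\value, data, process, target) and the report's doubled backslashes in string data.

```python
import re
from collections import defaultdict

# Row layout of the report: the value name is the last path component before
# ' = '; a key's default value appears as an empty name ('...\InProcServer32\ = "...').
SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.*?)\\(?P<name>[^\\=]*?) = "(?P<data>.*)" (?P<proc>\S+) N/A$'
)
KEY_RE = re.compile(r'^Key created (?P<key>\\REGISTRY\\.*?) (?P<proc>\S+) N/A$')
# Key path ending in CLSID\{GUID}\InProcServer32
CLSID_SERVER_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32$', re.IGNORECASE)
SSODL_SUFFIX = "\\shellserviceobjectdelayload"

# Constructed sample: rows copied from the behavioral1 registry tables of this report.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kfodfh32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kekkiq32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agioom32.dll" C:\Windows\SysWOW64\Koaclfgl.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jikhnaao.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll" C:\Windows\SysWOW64\Kdphjm32.exe N/A',
]


def parse_row(row):
    """Turn one report row into a dict, or None if the row is not a registry event."""
    m = SET_RE.match(row)
    if m:
        ev = m.groupdict()
        ev["op"] = "set"
        return ev
    m = KEY_RE.match(row)
    if m:
        ev = m.groupdict()
        ev.update(op="create", type=None, name=None, data=None)
        return ev
    return None


def extract_ssodl_persistence(rows):
    """Map each CLSID to the SSODL names registering it, the DLLs its
    InProcServer32 default value was pointed at, and the processes that wrote either."""
    clsids = defaultdict(lambda: {"ssodl_names": set(), "dlls": set(), "writers": set()})
    for row in rows:
        ev = parse_row(row)
        if ev is None or ev["op"] != "set":
            continue
        key = ev["key"]
        if key.lower().endswith(SSODL_SUFFIX):
            # SSODL value: name is the display label, data is the CLSID Explorer will load
            clsid = ev["data"].upper()
            clsids[clsid]["ssodl_names"].add(ev["name"])
            clsids[clsid]["writers"].add(ev["proc"])
            continue
        m = CLSID_SERVER_RE.search(key)
        if m and ev["name"] == "":
            # InProcServer32 default value: the DLL path (report escapes backslashes)
            clsid = m.group(1).upper()
            clsids[clsid]["dlls"].add(ev["data"].replace("\\\\", "\\"))
            clsids[clsid]["writers"].add(ev["proc"])
    # Only a CLSID that is both registered in SSODL and given an in-proc server is a live autorun.
    return {c: v for c, v in clsids.items() if v["ssodl_names"] and v["dlls"]}


if __name__ == "__main__":
    for clsid, hit in extract_ssodl_persistence(SAMPLE_ROWS).items():
        print(clsid, "as", sorted(hit["ssodl_names"]))
        for dll in sorted(hit["dlls"]):
            print("  loads", dll)
        for proc in sorted(hit["writers"]):
            print("  written by", proc)
```

When hunting on a live host the same join applies: read the SSODL values under both the native and Wow6432Node paths, then resolve each CLSID's InProcServer32 default value, because the SSODL entry alone only tells you a CLSID, not the DLL.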

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe C:\Windows\SysWOW64\Jgjkfi32.exe
PID 2188 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe C:\Windows\SysWOW64\Jgjkfi32.exe
PID 2188 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe C:\Windows\SysWOW64\Jgjkfi32.exe
PID 2188 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe C:\Windows\SysWOW64\Jgjkfi32.exe
PID 2376 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Jgjkfi32.exe C:\Windows\SysWOW64\Jikhnaao.exe
PID 2376 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Jgjkfi32.exe C:\Windows\SysWOW64\Jikhnaao.exe
PID 2376 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Jgjkfi32.exe C:\Windows\SysWOW64\Jikhnaao.exe
PID 2376 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Jgjkfi32.exe C:\Windows\SysWOW64\Jikhnaao.exe
PID 2776 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Jikhnaao.exe C:\Windows\SysWOW64\Jpepkk32.exe
PID 2776 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Jikhnaao.exe C:\Windows\SysWOW64\Jpepkk32.exe
PID 2776 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Jikhnaao.exe C:\Windows\SysWOW64\Jpepkk32.exe
PID 2776 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Jikhnaao.exe C:\Windows\SysWOW64\Jpepkk32.exe
PID 2724 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Jpepkk32.exe C:\Windows\SysWOW64\Jbclgf32.exe
PID 2724 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Jpepkk32.exe C:\Windows\SysWOW64\Jbclgf32.exe
PID 2724 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Jpepkk32.exe C:\Windows\SysWOW64\Jbclgf32.exe
PID 2724 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Jpepkk32.exe C:\Windows\SysWOW64\Jbclgf32.exe
PID 2720 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Jbclgf32.exe C:\Windows\SysWOW64\Jjjdhc32.exe
PID 2720 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Jbclgf32.exe C:\Windows\SysWOW64\Jjjdhc32.exe
PID 2720 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Jbclgf32.exe C:\Windows\SysWOW64\Jjjdhc32.exe
PID 2720 wrote to memory of 2596 N/A C:\Windows\SysWOW64\Jbclgf32.exe C:\Windows\SysWOW64\Jjjdhc32.exe
PID 2596 wrote to memory of 1776 N/A C:\Windows\SysWOW64\Jjjdhc32.exe C:\Windows\SysWOW64\Jllqplnp.exe
PID 2596 wrote to memory of 1776 N/A C:\Windows\SysWOW64\Jjjdhc32.exe C:\Windows\SysWOW64\Jllqplnp.exe
PID 2596 wrote to memory of 1776 N/A C:\Windows\SysWOW64\Jjjdhc32.exe C:\Windows\SysWOW64\Jllqplnp.exe
PID 2596 wrote to memory of 1776 N/A C:\Windows\SysWOW64\Jjjdhc32.exe C:\Windows\SysWOW64\Jllqplnp.exe
PID 1776 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Jllqplnp.exe C:\Windows\SysWOW64\Jbfilffm.exe
PID 1776 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Jllqplnp.exe C:\Windows\SysWOW64\Jbfilffm.exe
PID 1776 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Jllqplnp.exe C:\Windows\SysWOW64\Jbfilffm.exe
PID 1776 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Jllqplnp.exe C:\Windows\SysWOW64\Jbfilffm.exe
PID 2440 wrote to memory of 3056 N/A C:\Windows\SysWOW64\Jbfilffm.exe C:\Windows\SysWOW64\Jipaip32.exe
PID 2440 wrote to memory of 3056 N/A C:\Windows\SysWOW64\Jbfilffm.exe C:\Windows\SysWOW64\Jipaip32.exe
PID 2440 wrote to memory of 3056 N/A C:\Windows\SysWOW64\Jbfilffm.exe C:\Windows\SysWOW64\Jipaip32.exe
PID 2440 wrote to memory of 3056 N/A C:\Windows\SysWOW64\Jbfilffm.exe C:\Windows\SysWOW64\Jipaip32.exe
PID 3056 wrote to memory of 2052 N/A C:\Windows\SysWOW64\Jipaip32.exe C:\Windows\SysWOW64\Jpjifjdg.exe
PID 3056 wrote to memory of 2052 N/A C:\Windows\SysWOW64\Jipaip32.exe C:\Windows\SysWOW64\Jpjifjdg.exe
PID 3056 wrote to memory of 2052 N/A C:\Windows\SysWOW64\Jipaip32.exe C:\Windows\SysWOW64\Jpjifjdg.exe
PID 3056 wrote to memory of 2052 N/A C:\Windows\SysWOW64\Jipaip32.exe C:\Windows\SysWOW64\Jpjifjdg.exe
PID 2052 wrote to memory of 2824 N/A C:\Windows\SysWOW64\Jpjifjdg.exe C:\Windows\SysWOW64\Jfcabd32.exe
PID 2052 wrote to memory of 2824 N/A C:\Windows\SysWOW64\Jpjifjdg.exe C:\Windows\SysWOW64\Jfcabd32.exe
PID 2052 wrote to memory of 2824 N/A C:\Windows\SysWOW64\Jpjifjdg.exe C:\Windows\SysWOW64\Jfcabd32.exe
PID 2052 wrote to memory of 2824 N/A C:\Windows\SysWOW64\Jpjifjdg.exe C:\Windows\SysWOW64\Jfcabd32.exe
PID 2824 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Jfcabd32.exe C:\Windows\SysWOW64\Jhenjmbb.exe
PID 2824 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Jfcabd32.exe C:\Windows\SysWOW64\Jhenjmbb.exe
PID 2824 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Jfcabd32.exe C:\Windows\SysWOW64\Jhenjmbb.exe
PID 2824 wrote to memory of 2620 N/A C:\Windows\SysWOW64\Jfcabd32.exe C:\Windows\SysWOW64\Jhenjmbb.exe
PID 2620 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Jhenjmbb.exe C:\Windows\SysWOW64\Jnofgg32.exe
PID 2620 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Jhenjmbb.exe C:\Windows\SysWOW64\Jnofgg32.exe
PID 2620 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Jhenjmbb.exe C:\Windows\SysWOW64\Jnofgg32.exe
PID 2620 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Jhenjmbb.exe C:\Windows\SysWOW64\Jnofgg32.exe
PID 2932 wrote to memory of 484 N/A C:\Windows\SysWOW64\Jnofgg32.exe C:\Windows\SysWOW64\Keioca32.exe
PID 2932 wrote to memory of 484 N/A C:\Windows\SysWOW64\Jnofgg32.exe C:\Windows\SysWOW64\Keioca32.exe
PID 2932 wrote to memory of 484 N/A C:\Windows\SysWOW64\Jnofgg32.exe C:\Windows\SysWOW64\Keioca32.exe
PID 2932 wrote to memory of 484 N/A C:\Windows\SysWOW64\Jnofgg32.exe C:\Windows\SysWOW64\Keioca32.exe
PID 484 wrote to memory of 2340 N/A C:\Windows\SysWOW64\Keioca32.exe C:\Windows\SysWOW64\Khgkpl32.exe
PID 484 wrote to memory of 2340 N/A C:\Windows\SysWOW64\Keioca32.exe C:\Windows\SysWOW64\Khgkpl32.exe
PID 484 wrote to memory of 2340 N/A C:\Windows\SysWOW64\Keioca32.exe C:\Windows\SysWOW64\Khgkpl32.exe
PID 484 wrote to memory of 2340 N/A C:\Windows\SysWOW64\Keioca32.exe C:\Windows\SysWOW64\Khgkpl32.exe
PID 2340 wrote to memory of 848 N/A C:\Windows\SysWOW64\Khgkpl32.exe C:\Windows\SysWOW64\Koaclfgl.exe
PID 2340 wrote to memory of 848 N/A C:\Windows\SysWOW64\Khgkpl32.exe C:\Windows\SysWOW64\Koaclfgl.exe
PID 2340 wrote to memory of 848 N/A C:\Windows\SysWOW64\Khgkpl32.exe C:\Windows\SysWOW64\Koaclfgl.exe
PID 2340 wrote to memory of 848 N/A C:\Windows\SysWOW64\Khgkpl32.exe C:\Windows\SysWOW64\Koaclfgl.exe
PID 848 wrote to memory of 1164 N/A C:\Windows\SysWOW64\Koaclfgl.exe C:\Windows\SysWOW64\Kekkiq32.exe
PID 848 wrote to memory of 1164 N/A C:\Windows\SysWOW64\Koaclfgl.exe C:\Windows\SysWOW64\Kekkiq32.exe
PID 848 wrote to memory of 1164 N/A C:\Windows\SysWOW64\Koaclfgl.exe C:\Windows\SysWOW64\Kekkiq32.exe
PID 848 wrote to memory of 1164 N/A C:\Windows\SysWOW64\Koaclfgl.exe C:\Windows\SysWOW64\Kekkiq32.exe
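The table above lists each parent/child pair four times per hop; read end to end it is a single linear chain in which every dropped executable writes into the next one it spawns. The Python below is an added example, not part of the report: it collapses rows in the "PID X wrote to memory of Y" layout into a process tree, counts the writes per edge, and walks the tree from the root so the lineage can be read at a glance. The sample rows are the first three hops from the table above, constructed here with the four-fold repetition the report shows; the regex assumes the report's column order (source PID, target PID, target placeholder, source image, target image) and image paths without spaces.

```python
import re
from collections import Counter, defaultdict

WPM_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$'
)

# Constructed sample: the first three hops of this report's WriteProcessMemory table.
ROOT = r"C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe"
SAMPLE_ROWS = (
    [f"PID 2188 wrote to memory of 2376 N/A {ROOT} C:\\Windows\\SysWOW64\\Jgjkfi32.exe"] * 4
    + [r"PID 2376 wrote to memory of 2776 N/A C:\Windows\SysWOW64\Jgjkfi32.exe C:\Windows\SysWOW64\Jikhnaao.exe"] * 4
    + [r"PID 2776 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Jikhnaao.exe C:\Windows\SysWOW64\Jpepkk32.exe"] * 4
)


def parse_writes(rows):
    """Collapse the table into (edge -> write count) and (pid -> image path)."""
    edges = Counter()
    images = {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue  # header lines and blanks are skipped
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images.setdefault(src, m["src_img"])
        images.setdefault(dst, m["dst_img"])
    return edges, images


def process_tree(rows):
    """Return (roots, children, images, edges); children keeps first-seen order."""
    edges, images = parse_writes(rows)
    children = defaultdict(list)
    has_parent = set()
    for src, dst in edges:  # Counter preserves insertion order
        children[src].append(dst)
        has_parent.add(dst)
    roots = [pid for pid in images if pid not in has_parent]
    return roots, children, images, edges


def lineage(rows):
    """Depth-first walk: list of (depth, pid, image, writes received from parent)."""
    roots, children, images, edges = process_tree(rows)
    out = []

    def walk(pid, depth, parent):
        out.append((depth, pid, images[pid], edges.get((parent, pid), 0)))
        for child in children.get(pid, []):
            walk(child, depth + 1, pid)

    for root in roots:
        walk(root, 0, None)
    return out


def render(rows):
    """Indented text view of the chain, one process per line."""
    lines = []
    for depth, pid, image, writes in lineage(rows):
        suffix = f"  <- {writes} write(s) from parent" if writes else ""
        lines.append(f"{'  ' * depth}{pid} {image}{suffix}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_ROWS))
```

On the full table the same walk yields one unbranched chain from PID 2188 down to PID 1164, which is the shape to expect from a dropper that relaunches itself under a fresh name at each stage rather than a tree of independent children.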

Processes

Image path Command line
C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe "C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe"
C:\Windows\SysWOW64\Jgjkfi32.exe C:\Windows\system32\Jgjkfi32.exe
C:\Windows\SysWOW64\Jikhnaao.exe C:\Windows\system32\Jikhnaao.exe
C:\Windows\SysWOW64\Jpepkk32.exe C:\Windows\system32\Jpepkk32.exe
C:\Windows\SysWOW64\Jbclgf32.exe C:\Windows\system32\Jbclgf32.exe
C:\Windows\SysWOW64\Jjjdhc32.exe C:\Windows\system32\Jjjdhc32.exe
C:\Windows\SysWOW64\Jllqplnp.exe C:\Windows\system32\Jllqplnp.exe
C:\Windows\SysWOW64\Jbfilffm.exe C:\Windows\system32\Jbfilffm.exe
C:\Windows\SysWOW64\Jipaip32.exe C:\Windows\system32\Jipaip32.exe
C:\Windows\SysWOW64\Jpjifjdg.exe C:\Windows\system32\Jpjifjdg.exe
C:\Windows\SysWOW64\Jfcabd32.exe C:\Windows\system32\Jfcabd32.exe
C:\Windows\SysWOW64\Jhenjmbb.exe C:\Windows\system32\Jhenjmbb.exe
C:\Windows\SysWOW64\Jnofgg32.exe C:\Windows\system32\Jnofgg32.exe
C:\Windows\SysWOW64\Keioca32.exe C:\Windows\system32\Keioca32.exe
C:\Windows\SysWOW64\Khgkpl32.exe C:\Windows\system32\Khgkpl32.exe
C:\Windows\SysWOW64\Koaclfgl.exe C:\Windows\system32\Koaclfgl.exe
C:\Windows\SysWOW64\Kekkiq32.exe C:\Windows\system32\Kekkiq32.exe
C:\Windows\SysWOW64\Klecfkff.exe C:\Windows\system32\Klecfkff.exe
C:\Windows\SysWOW64\Kocpbfei.exe C:\Windows\system32\Kocpbfei.exe
C:\Windows\SysWOW64\Kdphjm32.exe C:\Windows\system32\Kdphjm32.exe
C:\Windows\SysWOW64\Kfodfh32.exe C:\Windows\system32\Kfodfh32.exe
C:\Windows\SysWOW64\Kmimcbja.exe C:\Windows\system32\Kmimcbja.exe
C:\Windows\SysWOW64\Kdbepm32.exe C:\Windows\system32\Kdbepm32.exe
C:\Windows\SysWOW64\Kageia32.exe C:\Windows\system32\Kageia32.exe
C:\Windows\SysWOW64\Kbhbai32.exe C:\Windows\system32\Kbhbai32.exe
C:\Windows\SysWOW64\Libjncnc.exe C:\Windows\system32\Libjncnc.exe
C:\Windows\SysWOW64\Lplbjm32.exe C:\Windows\system32\Lplbjm32.exe
C:\Windows\SysWOW64\Lbjofi32.exe C:\Windows\system32\Lbjofi32.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 140

Every dropped executable is launched with a C:\Windows\system32\ command line yet runs from C:\Windows\SysWOW64\; that is WoW64 file-system redirection for a 32-bit process, so a detection keyed on the command-line path alone will not match the on-disk image.

Network

N/A

Files

memory/2188-0-0x0000000000400000-0x000000000043F000-memory.dmp

\Windows\SysWOW64\Jgjkfi32.exe

MD5 ed2f8e62c46228749a45086266100062
SHA1 4d39896697547a482f71aa4aa5d6348ce2cba307
SHA256 ddbe2a8c86ae6e3a30b90bac934a3dd9aaec97903aba08e9e101022795088e1c
SHA512 ab70198f46ef1df7c5d5d1edded3d152ad48372bff31a4ce55348d4e929582268c39e3d700203c4338bd79ff9c06e7e508fc8623b5beeb4628341622838d128f

memory/2376-14-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Jikhnaao.exe

MD5 e495583774bd14c6e4e74ad384dfabd8
SHA1 af766670f5247eca215aacac558017b5f64275d4
SHA256 377ec12481f13faa6b3b437e872ddc58055705d8354beb093c7efb3acaf97842
SHA512 4751a09e91ca86537213b64c1796e2f352c08a5173f8dc2c8e9cf46468c93cdb5b131130126925ffa75ca8dd52f7cc1349bf781d2dbf191ab744b82b786a8921

memory/2776-32-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Jpepkk32.exe

MD5 5cd198d00558ca06e0c7eb941a616b7f
SHA1 43cd8b1fc1425b80ab3ea227a1c7f247b97a5044
SHA256 489213aecc60de3b2162aaa28767a7c93965c0def799662bdafde14bbfaf8411
SHA512 1e67664621e7f3f2fb2915f47ce5c6d8e78f013034abfb8378202d1c8a8a59e774365b1030b04f0e8355cf4b95d851e0a681c0a022290605c055c6bbf574920d

memory/2720-57-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1776-84-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3056-112-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2052-126-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2824-141-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2620-151-0x0000000000400000-0x000000000043F000-memory.dmp

memory/484-180-0x0000000000400000-0x000000000043F000-memory.dmp

memory/848-209-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2468-235-0x0000000000400000-0x000000000043F000-memory.dmp

memory/796-256-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1664-300-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2860-331-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2800-338-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2860-337-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2860-336-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Lbjofi32.exe

MD5 acfdabdfaefa381167f9f19c4ff426cd
SHA1 03e0f31d6c98b063fb1cde6207fe8c366e0e26e8
SHA256 091fd505ccb7a36d0557c7a58d7d07d379a4603331ed2397e30ea1ce8c1f7ffe
SHA512 45d8edd72f2e23e574f004ab3d0c129497800f1b2acc235cc3f579ee7509b989a5487133b93681ed63ed412c363ee62808de2eea8be45eabfb8a37fa66de4535

memory/1480-330-0x0000000000260000-0x000000000029F000-memory.dmp

memory/1480-329-0x0000000000260000-0x000000000029F000-memory.dmp

C:\Windows\SysWOW64\Lplbjm32.exe

MD5 aa1060c69c9536f08f31c3e935f42681
SHA1 66ff608fea548a029b8769c4f0a625b08f47a877
SHA256 5543cd9e2e3fb64397d3be719d8546baef296dfc8c30e6b5e5300443bbd2104a
SHA512 da5e1a0c1038fb6bc6f1a95ea2c0d0678f21993ec2e8cb60042e05a58defad13582c825fa792997ab65d8791d7a00d3c1b479f9e17dbb33f7b29fd80b6aa0d7e

memory/1480-319-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2520-318-0x0000000000280000-0x00000000002BF000-memory.dmp

C:\Windows\SysWOW64\Libjncnc.exe

MD5 92cc718f390ca2b2b4acdccc15593ee4
SHA1 ee5178793e6673fbae57484e96ab0efc16392cfe
SHA256 10c0300e90797121aecb3d683d1fbfe1392c53943b39116076d57b75f0a1e282
SHA512 584bf3cd6b2e1d8803422f99a65293f1b92a2d808d6fc8d55c1b4142b8a822e67452a24950448dfedb1b5b1b802ee7a2998c4d4add88d414124e7d4af2b1111f

memory/2520-309-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Kbhbai32.exe

MD5 9f53b13a7612ca308dbad27326662bfe
SHA1 844f40c6b764e6926285f4bc78f18357a197eb8c
SHA256 074c2971a6d86e9c1233315212b40ad5e2d21e3552ebf5a68fc8bd008bb896ec
SHA512 1267e37f5144aaf38c55e8a9002a2f67202fa0beabe590f57f9434e403a35c5ed1f85eb5bfc5146213083bc2a7d356c1fff8a9f45afa35a6a404f4e67743a7b8

memory/2304-299-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Kageia32.exe

MD5 e4b6a530b1112a07eefcf3226e6f36ac
SHA1 18bf710eddb1b87c7f9b478cf1cf1676bcf31498
SHA256 dcaeb30a72fe276b36d881283025759751dc562df0273630bdc83f26243a6e85
SHA512 4e95ab434b8ff88fd82adf9f52da7d7a450261de24b50a88cca6aa675cc4bf5cb32539163b41c52290881e615894cd25856280695d6deff0e98d242394a02c74

memory/2304-290-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2104-289-0x00000000002D0000-0x000000000030F000-memory.dmp

C:\Windows\SysWOW64\Kdbepm32.exe

MD5 694b3ad2cdc100e39ef568175de75834
SHA1 569886a656767b662f774135a69e4af848588fd9
SHA256 500454c1e160873338834ae8ceee2d6d8e5d58b4b4de02216a54b6af70717b44
SHA512 57c26b3f08284a087b6307a6dc0725d9d857185d8677153b4c89e85bc155f6b4b1d871ac0efe9cdce1505f3650c5692295fc1b1a650540201495e36efbe17a0f

memory/2104-277-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1888-276-0x0000000000250000-0x000000000028F000-memory.dmp

memory/1888-275-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Kmimcbja.exe

MD5 87f29e43c9ba7148e59e0587449ee78c
SHA1 7e9fd895e292a3d2261e2f1797d4d0610fda1ef3
SHA256 7096d8ae03f131a3f4b0afdffa63f0e5357c784fb882880d248a1a3fc59eee5e
SHA512 32380bd6d3c5fdd677d8b3ed77fe7f9eb4510f5ac0e19bb3fab343193423db42c598b40f4d56e802c43f96dee8d440de1c1e38f626ae46139aac04f493c2adb2

memory/1888-270-0x0000000000400000-0x000000000043F000-memory.dmp

memory/796-269-0x0000000000250000-0x000000000028F000-memory.dmp

memory/1016-255-0x00000000002E0000-0x000000000031F000-memory.dmp

memory/1016-254-0x00000000002E0000-0x000000000031F000-memory.dmp

C:\Windows\SysWOW64\Kfodfh32.exe

MD5 df5367e5a4a81797aaa4329cf1ccffc9
SHA1 b0076f0b45a780a35b7450d8157693bae168a70b
SHA256 ddfb6b38d8c4931f3343074aa25aab7d57ab684cf1e9e3ea61425c9e741fa60c
SHA512 aa7dafdfd16c614c34d51a0f2882488112cc8dec485e012e96210e5c7571fc983395f19a821a7dbbdf3acb29d7fcd5b30d22c6a304571d8ea69bf8bbea980770

C:\Windows\SysWOW64\Kdphjm32.exe

MD5 7701a5f47eb26881870132810743dee5
SHA1 3cb6d824d76038f11dc69986bac66be6dc76bd9b
SHA256 09982e9c23f6d1e244857c83ad6947a83a276a98e41184888465a337118d80ce
SHA512 b630eebfd20f5c55ffe84e4c1dd15905bc2b511668a9280a5456d6faf51aaac9deb19a4c1ceccad5043ac2fd16f45bae88e59120bf2ba97de62be59bc1f69720

memory/1016-249-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2468-248-0x00000000002E0000-0x000000000031F000-memory.dmp

C:\Windows\SysWOW64\Kocpbfei.exe

MD5 df33a2ec047fea81ec05cad95daeb86c
SHA1 eb564740f4dfb3e86652663906ec2badcaa6a0d0
SHA256 dc84ad496a70f866aa36b4a665b6fc6712c94cde1ef6f4fcebf2ce9d6807f7d3
SHA512 09f7423c3b1e04dfbcb768bfde1768ac128b699368dffb1f433da9a3c72b7492402d6c18db4cfe061f63f7955f3245ed111041e9966f950f2e03c7f13109aac6

memory/1164-234-0x0000000000250000-0x000000000028F000-memory.dmp

memory/1164-233-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Klecfkff.exe

MD5 b6b34af828c70506bb95a0b88017ce8f
SHA1 9004b0441d002731487d740b2e4fd920d461e750
SHA256 df61acce046f1f80c477c824a7b96afc9b5a6ed2628cf00bce5ac018094f9803
SHA512 4e800161bccc48cce788826f38838c000f75b934eb0c8c7ebd86a68c0bb4e78fe268641317550aac95b11a170213e0562d02f39013fa6a80c2585834654bfe2f

memory/1164-228-0x0000000000400000-0x000000000043F000-memory.dmp

memory/848-227-0x0000000000250000-0x000000000028F000-memory.dmp

memory/848-222-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Kekkiq32.exe

MD5 cc735360f30b810a477416b7136163a8
SHA1 b11f664e9672aca0baf17d503369006e27139c22
SHA256 bd5a0012ef3fd6ce18d3ff31d25f8fa38ef5e586923eee228a47f5c3d7203b29
SHA512 65d02655f9cc13da99e776cded736c8865caf8fb433813819e049b72c0fd38fe233bc442067c04b71a00f85cdf4e38e9c1f9deec53ab2ce2cfdfbb907005c929

memory/2340-208-0x00000000002D0000-0x000000000030F000-memory.dmp

memory/2340-207-0x00000000002D0000-0x000000000030F000-memory.dmp

C:\Windows\SysWOW64\Koaclfgl.exe

MD5 9e72902778473be743411574027647bc
SHA1 66331d1e174036261647822785186f345c03e106
SHA256 710b8afb8fde400d605bd0f0a0f245fcfe9da97590ef8931c58554e4f6087c9c
SHA512 9b29dd9191daeac1f97ec05b1c55b11d681dafe201801af24eab56c3c3144f96e824a7d0ea88dd5327b63d08685f973dfbb78dd664d10ba8463a76c50404b8fe

memory/2340-198-0x0000000000400000-0x000000000043F000-memory.dmp

memory/484-193-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Khgkpl32.exe

MD5 5781c4654ef7e7045d027c2d7f7186e4
SHA1 a04a0408a533d2fc295b420beeac37ee0c91e876
SHA256 80c88635a1036a0c8cba2306285292f8d65ca7a6aae75a7da01f68146c3027af
SHA512 bb7ecc90c721248bff9b8acc80fb46cecd24c223566966a30f8002cd829b562ae4dbba20b9e4a3483e15cdbf8cc821c84b2b8246e633e59332e17b2554f8ca3d

memory/2932-179-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2932-178-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Keioca32.exe

MD5 adb710cfbaeb124ed2071abdc83c060d
SHA1 34032627f26b73218effd890d5262c1365939a20
SHA256 52533e7b2c20e12de4a4914c45b982c9262a79737b0c69cf6e011d452ecac770
SHA512 52bf812b0b8a57320d179d077e0fe1ffb63342b3ea0e1506484aad0b4c1b3379b775c39827e5fee2d1b11b96d6692cec58a080de6d01ab69431bcfdec8558c92

memory/2932-169-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2620-164-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Jnofgg32.exe

MD5 d0fcf82fd1945fc48fc00209074a7b20
SHA1 dd3329490f7a94d0a392b78706ab886e7d1b94e6
SHA256 1211e9cd701605deb587a7c4041df87744becb3d3255c43c2df6141ebb2335c5
SHA512 e6b86bb3fbed9d8ffe9612317cba46b289165b0786c34cb87b7fc600fccd9e2ec4a739b532e3df979bc71f3f7557910bd2a8b64ab42d5ed0cbdc5cd5365c10df

memory/2824-150-0x0000000000330000-0x000000000036F000-memory.dmp

C:\Windows\SysWOW64\Jhenjmbb.exe

MD5 51e565ef54320e4bc66bb1289f53ce18
SHA1 b3d238378962d9b2344bcc64831348d839af3819
SHA256 f63d4d06a5affc1a8104af71b6064cbc62fe88a0b5adc8b11e596477e1d07857
SHA512 a9638c4bb71a34a2039ae8af0d9f192269befac9bf0bb2dc74c0bc1190bf20629ca3008ab6021462cf64efa68fe363d4cede05b284a413a7b03c11e4575e9599

memory/2052-139-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Jfcabd32.exe

MD5 8285dbb155d844f9ecf7bac1427de000
SHA1 40938b7409244b3be920086151dea73486d4715f
SHA256 d9ca62b9b96648eba89f13bd37aae8abd92f4333d270ffe25ec0d5f0c4f82c1a
SHA512 2d5e848e933d75a30e18cc720ab7cd48f0417cf46890eeabe1cbe3d93c0d91e652b0a5a088af777f0591dc0d3a714739f070ea6b363c6171f14a6f551bb216e0

memory/3056-125-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Jpjifjdg.exe

MD5 465691b6c4b680d8c72d51c381a09989
SHA1 fd9f3da357707a17fcda1dc132c79d340a7680f9
SHA256 16bc869b6e653942e0772135d0d5c938f1560aea64f96abff3af2995cb1cca32
SHA512 423db92c5b4c14df2e73d7dabe186cc6b36985d37d4664ddcdad96b4cc78aec25727c354c4379ea8d60d30da4757e29b1f52390192d49cd0d320e8df5a0b323e

memory/2440-111-0x0000000000440000-0x000000000047F000-memory.dmp

C:\Windows\SysWOW64\Jipaip32.exe

MD5 4a018d725a330c396449eb18e23277c5
SHA1 7ad4222cfaeff40da4a9b979c9c69547103011ea
SHA256 fb16e6b23db1c49ba1bc0889770a778fa3171d52e9e05c4fbad00fca999c7f90
SHA512 097c6174c7fc9b796722a00a1476aef4e5a82ac19e859a54f8ee782715d148f30e6e35d8c5ec33686db11e9cc9981ec206dbb30ffc7bb71e1f2fa4e1a81da0f1

memory/2440-95-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1776-94-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Jbfilffm.exe

MD5 8716ee7716309a0c0e0427c83826a480
SHA1 449160263efb63dd184949694063d6a2f583d717
SHA256 ef52f4163b9b176b6ee28de85986f923e29cab8266c26742d71225226f989ed6
SHA512 280877230abadec40d21148a62386c0b01e845e9e1f962020c556fee9995344ffb19459674c7fa1a5b0d148ba8f6743263019c3ed9315c5d4547273209d8498f

C:\Windows\SysWOW64\Jllqplnp.exe

MD5 1a5803752d62b77c30618f9e2174affe
SHA1 52299255e3ef72f7707b6afd38d814e841dcbbeb
SHA256 6c1a65cb4fa01d2debfefcee5dd796468f447a90eeead70fbc0a4ff6873fb9ee
SHA512 5416b8723f4a588881328809c5017fd12a39513d32ab51f613d1f8b238f94d0c3f9fc301f816675c4e502ef4dc76bce58c7c53e80bf81d0f929bb1faf0c147c0

memory/2596-68-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2720-67-0x0000000000440000-0x000000000047F000-memory.dmp

C:\Windows\SysWOW64\Jjjdhc32.exe

MD5 493c2ed7cc133e9a58585d2b21bcd972
SHA1 f3f0b2f70e15723695421a2ac08a2796a6682967
SHA256 12c18817f0be0c4e2937d973cddc6cd9e1ff27bce8e2607185fabbe86aa6b41c
SHA512 17e943fe5061a7f58b4cd7388d6faec113673cb2ddcfa3cbe45076b6b12275275d7b27da04f4f79feea2800fbeb0dda59da5116b745f2a7e6dc4c9bc0eec67c1

C:\Windows\SysWOW64\Jbclgf32.exe

MD5 51b95a834fa64cd7d0a158c7239dd4ea
SHA1 799e9c78bdb50021fe17ce893ec319ffe855f9ef
SHA256 61075458009c401d4acd830edb64da5f5a149229234cc5fce52251ba00912690
SHA512 7b2f21e1f110607efa6c98621dfc8e1f97fed760fb7b70100764b451cc55d0a9bc0fad6867d211df7d4ef12e7c34639f8fd9b8f062fb0d4b39c1e47b329b4124

memory/2724-45-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2188-13-0x0000000000440000-0x000000000047F000-memory.dmp

memory/2188-12-0x0000000000440000-0x000000000047F000-memory.dmp

memory/2720-356-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2376-355-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2188-354-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2596-353-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3056-352-0x0000000000400000-0x000000000043F000-memory.dmp

memory/484-351-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2440-350-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1776-349-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2052-348-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2620-347-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2468-346-0x0000000000400000-0x000000000043F000-memory.dmp

memory/848-345-0x0000000000400000-0x000000000043F000-memory.dmp

memory/796-344-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2104-343-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2304-342-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1664-341-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2520-340-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1480-339-0x0000000000400000-0x000000000043F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 07:46

Reported

2024-11-07 07:48

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iikhfg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pnonbk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hkikkeeo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lpqiemge.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmlpoqpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fhqcam32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkmefd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jehokgge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dobfld32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fojlngce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ifgbnlmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Imdgqfbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lgokmgjm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Miifeq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cffdpghg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kedoge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lbjlfi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojaelm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ojaelm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pqmjog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdfkolkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ikpaldog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pjeoglgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pcncpbmd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Belebq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dopigd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndcdmikd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pfhfan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hecmijim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Imoneg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pgllfp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngpccdlj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nfgmjqop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pfhfan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bffkij32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Npmagine.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pgioqq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dopigd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmppcbjd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmoahijl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nckndeni.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdpmpdbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cjpckf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fhgjblfq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Likjcbkc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nnlhfn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afhohlbj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hiefcj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgddhf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjeoglgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Glhonj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gfembo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnebeogl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ocbddc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Flnlhk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ildkgc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncdgcf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdmpje32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Npfkgjdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncianepl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qmmnjfnl.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Eadopc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Edbklofb.exe N/A
N/A N/A C:\Windows\SysWOW64\Fohoigfh.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhqcam32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fojlngce.exe N/A
N/A N/A C:\Windows\SysWOW64\Flnlhk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffgqqaip.exe N/A
N/A N/A C:\Windows\SysWOW64\Fkciihgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Fckajehi.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhgjblfq.exe N/A
N/A N/A C:\Windows\SysWOW64\Fkffog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffkjlp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhjfhl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbbkaako.exe N/A
N/A N/A C:\Windows\SysWOW64\Glhonj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcagkdba.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdcdbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbgdlq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfbploob.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdeqhl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcfqfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfembo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkaejf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gblngpbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiefcj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hopnqdan.exe N/A
N/A N/A C:\Windows\SysWOW64\Hckjacjg.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbpgbo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmfkoh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkikkeeo.exe N/A
N/A N/A C:\Windows\SysWOW64\Himldi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkkhqd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hecmijim.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkmefd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hbgmcnhf.exe N/A
N/A N/A C:\Windows\SysWOW64\Iefioj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikpaldog.exe N/A
N/A N/A C:\Windows\SysWOW64\Icgjmapi.exe N/A
N/A N/A C:\Windows\SysWOW64\Iehfdi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Imoneg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Icifbang.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifgbnlmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Iifokh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ildkgc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibnccmbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Iemppiab.exe N/A
N/A N/A C:\Windows\SysWOW64\Imdgqfbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilghlc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibqpimpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Iikhfg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilidbbgl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibcmom32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfoiokfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Jimekgff.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlkagbej.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfaedkdp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmknaell.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbhfjljd.exe N/A
N/A N/A C:\Windows\SysWOW64\Jefbfgig.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmmjgejj.exe N/A
N/A N/A C:\Windows\SysWOW64\Jplfcpin.exe N/A
N/A N/A C:\Windows\SysWOW64\Jehokgge.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlbgha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcioiood.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Hopnqdan.exe C:\Windows\SysWOW64\Hiefcj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Odkjng32.exe C:\Windows\SysWOW64\Olcbmj32.exe N/A
File created C:\Windows\SysWOW64\Lnlden32.dll C:\Windows\SysWOW64\Pgllfp32.exe N/A
File created C:\Windows\SysWOW64\Bcebhoii.exe C:\Windows\SysWOW64\Bebblb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Belebq32.exe C:\Windows\SysWOW64\Bmemac32.exe N/A
File created C:\Windows\SysWOW64\Oijgnaaa.dll C:\Windows\SysWOW64\Fckajehi.exe N/A
File created C:\Windows\SysWOW64\Mgddhf32.exe C:\Windows\SysWOW64\Mdehlk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pncgmkmj.exe C:\Windows\SysWOW64\Pgioqq32.exe N/A
File created C:\Windows\SysWOW64\Acjclpcf.exe C:\Windows\SysWOW64\Ampkof32.exe N/A
File created C:\Windows\SysWOW64\Bmngqdpj.exe C:\Windows\SysWOW64\Bfdodjhm.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfkedibe.exe C:\Windows\SysWOW64\Beihma32.exe N/A
File created C:\Windows\SysWOW64\Eheqhpfp.dll C:\Windows\SysWOW64\Iefioj32.exe N/A
File created C:\Windows\SysWOW64\Aminee32.exe C:\Windows\SysWOW64\Ajkaii32.exe N/A
File created C:\Windows\SysWOW64\Fpdaoioe.dll C:\Windows\SysWOW64\Daconoae.exe N/A
File opened for modification C:\Windows\SysWOW64\Ildkgc32.exe C:\Windows\SysWOW64\Iifokh32.exe N/A
File created C:\Windows\SysWOW64\Nnlhfn32.exe C:\Windows\SysWOW64\Ngbpidjh.exe N/A
File created C:\Windows\SysWOW64\Nckndeni.exe C:\Windows\SysWOW64\Npmagine.exe N/A
File opened for modification C:\Windows\SysWOW64\Oqfdnhfk.exe C:\Windows\SysWOW64\Onhhamgg.exe N/A
File created C:\Windows\SysWOW64\Hpoddikd.dll C:\Windows\SysWOW64\Acnlgp32.exe N/A
File created C:\Windows\SysWOW64\Fhjfhl32.exe C:\Windows\SysWOW64\Ffkjlp32.exe N/A
File created C:\Windows\SysWOW64\Iccbgbmg.dll C:\Windows\SysWOW64\Ifgbnlmj.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmmjgejj.exe C:\Windows\SysWOW64\Jefbfgig.exe N/A
File created C:\Windows\SysWOW64\Djkahqga.dll C:\Windows\SysWOW64\Klgqcqkl.exe N/A
File created C:\Windows\SysWOW64\Mdjagjco.exe C:\Windows\SysWOW64\Mpoefk32.exe N/A
File created C:\Windows\SysWOW64\Ofqpqo32.exe C:\Windows\SysWOW64\Ocbddc32.exe N/A
File created C:\Windows\SysWOW64\Ojaelm32.exe C:\Windows\SysWOW64\Ogbipa32.exe N/A
File created C:\Windows\SysWOW64\Kgngca32.dll C:\Windows\SysWOW64\Qfcfml32.exe N/A
File created C:\Windows\SysWOW64\Fohoigfh.exe C:\Windows\SysWOW64\Edbklofb.exe N/A
File opened for modification C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Calhnpgn.exe N/A
File created C:\Windows\SysWOW64\Hhqeiena.dll C:\Windows\SysWOW64\Bcjlcn32.exe N/A
File created C:\Windows\SysWOW64\Oomibind.dll C:\Windows\SysWOW64\Pmdkch32.exe N/A
File created C:\Windows\SysWOW64\Lbkdpj32.dll C:\Windows\SysWOW64\Gdcdbl32.exe N/A
File created C:\Windows\SysWOW64\Gnchkk32.dll C:\Windows\SysWOW64\Iemppiab.exe N/A
File created C:\Windows\SysWOW64\Likjcbkc.exe C:\Windows\SysWOW64\Lpcfkm32.exe N/A
File created C:\Windows\SysWOW64\Miemjaci.exe C:\Windows\SysWOW64\Mckemg32.exe N/A
File created C:\Windows\SysWOW64\Qjkmdp32.dll C:\Windows\SysWOW64\Ncdgcf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dobfld32.exe C:\Windows\SysWOW64\Ddmaok32.exe N/A
File created C:\Windows\SysWOW64\Flnlhk32.exe C:\Windows\SysWOW64\Fojlngce.exe N/A
File created C:\Windows\SysWOW64\Nffbangm.dll C:\Windows\SysWOW64\Jplfcpin.exe N/A
File created C:\Windows\SysWOW64\Nfgmjqop.exe C:\Windows\SysWOW64\Ncianepl.exe N/A
File created C:\Windows\SysWOW64\Qgqeappe.exe C:\Windows\SysWOW64\Qceiaa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fkffog32.exe C:\Windows\SysWOW64\Fhgjblfq.exe N/A
File opened for modification C:\Windows\SysWOW64\Lmppcbjd.exe C:\Windows\SysWOW64\Leihbeib.exe N/A
File created C:\Windows\SysWOW64\Gbmgladp.dll C:\Windows\SysWOW64\Ngpccdlj.exe N/A
File opened for modification C:\Windows\SysWOW64\Pcncpbmd.exe C:\Windows\SysWOW64\Pmdkch32.exe N/A
File opened for modification C:\Windows\SysWOW64\Acjclpcf.exe C:\Windows\SysWOW64\Ampkof32.exe N/A
File created C:\Windows\SysWOW64\Agoabn32.exe C:\Windows\SysWOW64\Aepefb32.exe N/A
File created C:\Windows\SysWOW64\Agjbpg32.dll C:\Windows\SysWOW64\Dopigd32.exe N/A
File created C:\Windows\SysWOW64\Ildkgc32.exe C:\Windows\SysWOW64\Iifokh32.exe N/A
File created C:\Windows\SysWOW64\Klimip32.exe C:\Windows\SysWOW64\Klgqcqkl.exe N/A
File opened for modification C:\Windows\SysWOW64\Npjebj32.exe C:\Windows\SysWOW64\Nnlhfn32.exe N/A
File created C:\Windows\SysWOW64\Imoneg32.exe C:\Windows\SysWOW64\Iehfdi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gdcdbl32.exe C:\Windows\SysWOW64\Gcagkdba.exe N/A
File opened for modification C:\Windows\SysWOW64\Hbgmcnhf.exe C:\Windows\SysWOW64\Hkmefd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ibcmom32.exe C:\Windows\SysWOW64\Ilidbbgl.exe N/A
File created C:\Windows\SysWOW64\Knkffk32.dll C:\Windows\SysWOW64\Flnlhk32.exe N/A
File created C:\Windows\SysWOW64\Mfadpi32.dll C:\Windows\SysWOW64\Iifokh32.exe N/A
File created C:\Windows\SysWOW64\Coffpf32.dll C:\Windows\SysWOW64\Ndcdmikd.exe N/A
File created C:\Windows\SysWOW64\Llmglb32.dll C:\Windows\SysWOW64\Opdghh32.exe N/A
File created C:\Windows\SysWOW64\Cffdpghg.exe C:\Windows\SysWOW64\Ceehho32.exe N/A
File created C:\Windows\SysWOW64\Dddhpjof.exe C:\Windows\SysWOW64\Daekdooc.exe N/A
File opened for modification C:\Windows\SysWOW64\Fkciihgg.exe C:\Windows\SysWOW64\Ffgqqaip.exe N/A
File created C:\Windows\SysWOW64\Ogibpb32.dll C:\Windows\SysWOW64\Likjcbkc.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgkjhe32.exe C:\Windows\SysWOW64\Mcpnhfhf.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klimip32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ngbpidjh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anogiicl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Onhhamgg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gbgdlq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Imdgqfbd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jfoiokfb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jmknaell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ncdgcf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfhfan32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qceiaa32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daconoae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lmdina32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmbfpp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofqpqo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qgcbgo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aminee32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hkikkeeo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogkcpbam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pjeoglgc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdabcm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odkjng32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opakbi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfiafg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gkaejf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ilghlc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lpcfkm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmlpoqpg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opdghh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fckajehi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gcfqfc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olcbmj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcncpbmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcebhoii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iefioj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Miifeq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ampkof32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beeoaapl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Glhonj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ikpaldog.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iifokh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iikhfg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jlkagbej.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dobfld32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fhgjblfq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gdeqhl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Himldi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klqcioba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bebblb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fojlngce.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nphhmj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qqfmde32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnfdcjkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olmeci32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdfjifjo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pgllfp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fohoigfh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fhjfhl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jlbgha32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Leihbeib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nfgmjqop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aqppkd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jbhfjljd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qmmnjfnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gdeqhl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adecfl32.dll" C:\Windows\SysWOW64\Icifbang.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ildkgc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ibnccmbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flakmgga.dll" C:\Windows\SysWOW64\Ibcmom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingapb32.dll" C:\Windows\SysWOW64\Jlbgha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll" C:\Windows\SysWOW64\Ojgbfocc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll" C:\Windows\SysWOW64\Aqncedbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajkaii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll" C:\Windows\SysWOW64\Cnffqf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fohoigfh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihoofe32.dll" C:\Windows\SysWOW64\Imdgqfbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ibqpimpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgddhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll" C:\Windows\SysWOW64\Ogifjcdp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afhohlbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll" C:\Windows\SysWOW64\Cndikf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hmfkoh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll" C:\Windows\SysWOW64\Odkjng32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ibnccmbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jlbgha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lbjlfi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aepefb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll" C:\Windows\SysWOW64\Dddhpjof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll" C:\Windows\SysWOW64\Pgioqq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fhqcam32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jlkagbej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lmiciaaj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lphoelqn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll" C:\Windows\SysWOW64\Npmagine.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ogkcpbam.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pjeoglgc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Agoabn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Beeoaapl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll" C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naoncahj.dll" C:\Windows\SysWOW64\Hkikkeeo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hkmefd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ikpaldog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ilidbbgl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jholncde.dll" C:\Windows\SysWOW64\Mckemg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nnjlpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll" C:\Windows\SysWOW64\Nnjlpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll" C:\Windows\SysWOW64\Onhhamgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll" C:\Windows\SysWOW64\Oqfdnhfk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afmhck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bcjlcn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffbangm.dll" C:\Windows\SysWOW64\Jplfcpin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njefqo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Opdghh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pgllfp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gkaejf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll" C:\Windows\SysWOW64\Nnneknob.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojoign32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll" C:\Windows\SysWOW64\Qgqeappe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afmhck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cndikf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll" C:\Windows\SysWOW64\Ngbpidjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ocdqjceo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ampkof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lmdina32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3392 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe C:\Windows\SysWOW64\Eadopc32.exe
PID 3392 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe C:\Windows\SysWOW64\Eadopc32.exe
PID 3392 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe C:\Windows\SysWOW64\Eadopc32.exe
PID 1144 wrote to memory of 3480 N/A C:\Windows\SysWOW64\Eadopc32.exe C:\Windows\SysWOW64\Edbklofb.exe
PID 1144 wrote to memory of 3480 N/A C:\Windows\SysWOW64\Eadopc32.exe C:\Windows\SysWOW64\Edbklofb.exe
PID 1144 wrote to memory of 3480 N/A C:\Windows\SysWOW64\Eadopc32.exe C:\Windows\SysWOW64\Edbklofb.exe
PID 3480 wrote to memory of 4876 N/A C:\Windows\SysWOW64\Edbklofb.exe C:\Windows\SysWOW64\Fohoigfh.exe
PID 3480 wrote to memory of 4876 N/A C:\Windows\SysWOW64\Edbklofb.exe C:\Windows\SysWOW64\Fohoigfh.exe
PID 3480 wrote to memory of 4876 N/A C:\Windows\SysWOW64\Edbklofb.exe C:\Windows\SysWOW64\Fohoigfh.exe
PID 4876 wrote to memory of 3500 N/A C:\Windows\SysWOW64\Fohoigfh.exe C:\Windows\SysWOW64\Fhqcam32.exe
PID 4876 wrote to memory of 3500 N/A C:\Windows\SysWOW64\Fohoigfh.exe C:\Windows\SysWOW64\Fhqcam32.exe
PID 4876 wrote to memory of 3500 N/A C:\Windows\SysWOW64\Fohoigfh.exe C:\Windows\SysWOW64\Fhqcam32.exe
PID 3500 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Fhqcam32.exe C:\Windows\SysWOW64\Fojlngce.exe
PID 3500 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Fhqcam32.exe C:\Windows\SysWOW64\Fojlngce.exe
PID 3500 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Fhqcam32.exe C:\Windows\SysWOW64\Fojlngce.exe
PID 1972 wrote to memory of 3516 N/A C:\Windows\SysWOW64\Fojlngce.exe C:\Windows\SysWOW64\Flnlhk32.exe
PID 1972 wrote to memory of 3516 N/A C:\Windows\SysWOW64\Fojlngce.exe C:\Windows\SysWOW64\Flnlhk32.exe
PID 1972 wrote to memory of 3516 N/A C:\Windows\SysWOW64\Fojlngce.exe C:\Windows\SysWOW64\Flnlhk32.exe
PID 3516 wrote to memory of 4204 N/A C:\Windows\SysWOW64\Flnlhk32.exe C:\Windows\SysWOW64\Ffgqqaip.exe
PID 3516 wrote to memory of 4204 N/A C:\Windows\SysWOW64\Flnlhk32.exe C:\Windows\SysWOW64\Ffgqqaip.exe
PID 3516 wrote to memory of 4204 N/A C:\Windows\SysWOW64\Flnlhk32.exe C:\Windows\SysWOW64\Ffgqqaip.exe
PID 4204 wrote to memory of 4912 N/A C:\Windows\SysWOW64\Ffgqqaip.exe C:\Windows\SysWOW64\Fkciihgg.exe
PID 4204 wrote to memory of 4912 N/A C:\Windows\SysWOW64\Ffgqqaip.exe C:\Windows\SysWOW64\Fkciihgg.exe
PID 4204 wrote to memory of 4912 N/A C:\Windows\SysWOW64\Ffgqqaip.exe C:\Windows\SysWOW64\Fkciihgg.exe
PID 4912 wrote to memory of 4992 N/A C:\Windows\SysWOW64\Fkciihgg.exe C:\Windows\SysWOW64\Fckajehi.exe
PID 4912 wrote to memory of 4992 N/A C:\Windows\SysWOW64\Fkciihgg.exe C:\Windows\SysWOW64\Fckajehi.exe
PID 4912 wrote to memory of 4992 N/A C:\Windows\SysWOW64\Fkciihgg.exe C:\Windows\SysWOW64\Fckajehi.exe
PID 4992 wrote to memory of 3460 N/A C:\Windows\SysWOW64\Fckajehi.exe C:\Windows\SysWOW64\Fhgjblfq.exe
PID 4992 wrote to memory of 3460 N/A C:\Windows\SysWOW64\Fckajehi.exe C:\Windows\SysWOW64\Fhgjblfq.exe
PID 4992 wrote to memory of 3460 N/A C:\Windows\SysWOW64\Fckajehi.exe C:\Windows\SysWOW64\Fhgjblfq.exe
PID 3460 wrote to memory of 4700 N/A C:\Windows\SysWOW64\Fhgjblfq.exe C:\Windows\SysWOW64\Fkffog32.exe
PID 3460 wrote to memory of 4700 N/A C:\Windows\SysWOW64\Fhgjblfq.exe C:\Windows\SysWOW64\Fkffog32.exe
PID 3460 wrote to memory of 4700 N/A C:\Windows\SysWOW64\Fhgjblfq.exe C:\Windows\SysWOW64\Fkffog32.exe
PID 4700 wrote to memory of 4516 N/A C:\Windows\SysWOW64\Fkffog32.exe C:\Windows\SysWOW64\Ffkjlp32.exe
PID 4700 wrote to memory of 4516 N/A C:\Windows\SysWOW64\Fkffog32.exe C:\Windows\SysWOW64\Ffkjlp32.exe
PID 4700 wrote to memory of 4516 N/A C:\Windows\SysWOW64\Fkffog32.exe C:\Windows\SysWOW64\Ffkjlp32.exe
PID 4516 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Ffkjlp32.exe C:\Windows\SysWOW64\Fhjfhl32.exe
PID 4516 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Ffkjlp32.exe C:\Windows\SysWOW64\Fhjfhl32.exe
PID 4516 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Ffkjlp32.exe C:\Windows\SysWOW64\Fhjfhl32.exe
PID 2464 wrote to memory of 2184 N/A C:\Windows\SysWOW64\Fhjfhl32.exe C:\Windows\SysWOW64\Gbbkaako.exe
PID 2464 wrote to memory of 2184 N/A C:\Windows\SysWOW64\Fhjfhl32.exe C:\Windows\SysWOW64\Gbbkaako.exe
PID 2464 wrote to memory of 2184 N/A C:\Windows\SysWOW64\Fhjfhl32.exe C:\Windows\SysWOW64\Gbbkaako.exe
PID 2184 wrote to memory of 1820 N/A C:\Windows\SysWOW64\Gbbkaako.exe C:\Windows\SysWOW64\Glhonj32.exe
PID 2184 wrote to memory of 1820 N/A C:\Windows\SysWOW64\Gbbkaako.exe C:\Windows\SysWOW64\Glhonj32.exe
PID 2184 wrote to memory of 1820 N/A C:\Windows\SysWOW64\Gbbkaako.exe C:\Windows\SysWOW64\Glhonj32.exe
PID 1820 wrote to memory of 4176 N/A C:\Windows\SysWOW64\Glhonj32.exe C:\Windows\SysWOW64\Gcagkdba.exe
PID 1820 wrote to memory of 4176 N/A C:\Windows\SysWOW64\Glhonj32.exe C:\Windows\SysWOW64\Gcagkdba.exe
PID 1820 wrote to memory of 4176 N/A C:\Windows\SysWOW64\Glhonj32.exe C:\Windows\SysWOW64\Gcagkdba.exe
PID 4176 wrote to memory of 3576 N/A C:\Windows\SysWOW64\Gcagkdba.exe C:\Windows\SysWOW64\Gdcdbl32.exe
PID 4176 wrote to memory of 3576 N/A C:\Windows\SysWOW64\Gcagkdba.exe C:\Windows\SysWOW64\Gdcdbl32.exe
PID 4176 wrote to memory of 3576 N/A C:\Windows\SysWOW64\Gcagkdba.exe C:\Windows\SysWOW64\Gdcdbl32.exe
PID 3576 wrote to memory of 3380 N/A C:\Windows\SysWOW64\Gdcdbl32.exe C:\Windows\SysWOW64\Gbgdlq32.exe
PID 3576 wrote to memory of 3380 N/A C:\Windows\SysWOW64\Gdcdbl32.exe C:\Windows\SysWOW64\Gbgdlq32.exe
PID 3576 wrote to memory of 3380 N/A C:\Windows\SysWOW64\Gdcdbl32.exe C:\Windows\SysWOW64\Gbgdlq32.exe
PID 3380 wrote to memory of 1448 N/A C:\Windows\SysWOW64\Gbgdlq32.exe C:\Windows\SysWOW64\Gfbploob.exe
PID 3380 wrote to memory of 1448 N/A C:\Windows\SysWOW64\Gbgdlq32.exe C:\Windows\SysWOW64\Gfbploob.exe
PID 3380 wrote to memory of 1448 N/A C:\Windows\SysWOW64\Gbgdlq32.exe C:\Windows\SysWOW64\Gfbploob.exe
PID 1448 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Gfbploob.exe C:\Windows\SysWOW64\Gdeqhl32.exe
PID 1448 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Gfbploob.exe C:\Windows\SysWOW64\Gdeqhl32.exe
PID 1448 wrote to memory of 2020 N/A C:\Windows\SysWOW64\Gfbploob.exe C:\Windows\SysWOW64\Gdeqhl32.exe
PID 2020 wrote to memory of 2956 N/A C:\Windows\SysWOW64\Gdeqhl32.exe C:\Windows\SysWOW64\Gcfqfc32.exe
PID 2020 wrote to memory of 2956 N/A C:\Windows\SysWOW64\Gdeqhl32.exe C:\Windows\SysWOW64\Gcfqfc32.exe
PID 2020 wrote to memory of 2956 N/A C:\Windows\SysWOW64\Gdeqhl32.exe C:\Windows\SysWOW64\Gcfqfc32.exe
PID 2956 wrote to memory of 4768 N/A C:\Windows\SysWOW64\Gcfqfc32.exe C:\Windows\SysWOW64\Gfembo32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe

"C:\Users\Admin\AppData\Local\Temp\ef9e3b30f58b6c19aa42bc39dac0685f15cc52e71608bd2e45114c77b961ef50N.exe"

C:\Windows\SysWOW64\Eadopc32.exe

C:\Windows\system32\Eadopc32.exe

C:\Windows\SysWOW64\Edbklofb.exe

C:\Windows\system32\Edbklofb.exe

C:\Windows\SysWOW64\Fohoigfh.exe

C:\Windows\system32\Fohoigfh.exe

C:\Windows\SysWOW64\Fhqcam32.exe

C:\Windows\system32\Fhqcam32.exe

C:\Windows\SysWOW64\Fojlngce.exe

C:\Windows\system32\Fojlngce.exe

C:\Windows\SysWOW64\Flnlhk32.exe

C:\Windows\system32\Flnlhk32.exe

C:\Windows\SysWOW64\Ffgqqaip.exe

C:\Windows\system32\Ffgqqaip.exe

C:\Windows\SysWOW64\Fkciihgg.exe

C:\Windows\system32\Fkciihgg.exe

C:\Windows\SysWOW64\Fckajehi.exe

C:\Windows\system32\Fckajehi.exe

C:\Windows\SysWOW64\Fhgjblfq.exe

C:\Windows\system32\Fhgjblfq.exe

C:\Windows\SysWOW64\Fkffog32.exe

C:\Windows\system32\Fkffog32.exe

C:\Windows\SysWOW64\Ffkjlp32.exe

C:\Windows\system32\Ffkjlp32.exe

C:\Windows\SysWOW64\Fhjfhl32.exe

C:\Windows\system32\Fhjfhl32.exe

C:\Windows\SysWOW64\Gbbkaako.exe

C:\Windows\system32\Gbbkaako.exe

C:\Windows\SysWOW64\Glhonj32.exe

C:\Windows\system32\Glhonj32.exe

C:\Windows\SysWOW64\Gcagkdba.exe

C:\Windows\system32\Gcagkdba.exe

C:\Windows\SysWOW64\Gdcdbl32.exe

C:\Windows\system32\Gdcdbl32.exe

C:\Windows\SysWOW64\Gbgdlq32.exe

C:\Windows\system32\Gbgdlq32.exe

C:\Windows\SysWOW64\Gfbploob.exe

C:\Windows\system32\Gfbploob.exe

C:\Windows\SysWOW64\Gdeqhl32.exe

C:\Windows\system32\Gdeqhl32.exe

C:\Windows\SysWOW64\Gcfqfc32.exe

C:\Windows\system32\Gcfqfc32.exe

C:\Windows\SysWOW64\Gfembo32.exe

C:\Windows\system32\Gfembo32.exe

C:\Windows\SysWOW64\Gkaejf32.exe

C:\Windows\system32\Gkaejf32.exe

C:\Windows\SysWOW64\Gblngpbd.exe

C:\Windows\system32\Gblngpbd.exe

C:\Windows\SysWOW64\Hiefcj32.exe

C:\Windows\system32\Hiefcj32.exe

C:\Windows\SysWOW64\Hopnqdan.exe

C:\Windows\system32\Hopnqdan.exe

C:\Windows\SysWOW64\Hckjacjg.exe

C:\Windows\system32\Hckjacjg.exe

C:\Windows\SysWOW64\Hbpgbo32.exe

C:\Windows\system32\Hbpgbo32.exe

C:\Windows\SysWOW64\Hmfkoh32.exe

C:\Windows\system32\Hmfkoh32.exe

C:\Windows\SysWOW64\Hkikkeeo.exe

C:\Windows\system32\Hkikkeeo.exe

C:\Windows\SysWOW64\Himldi32.exe

C:\Windows\system32\Himldi32.exe

C:\Windows\SysWOW64\Hkkhqd32.exe

C:\Windows\system32\Hkkhqd32.exe

C:\Windows\SysWOW64\Hecmijim.exe

C:\Windows\system32\Hecmijim.exe

C:\Windows\SysWOW64\Hkmefd32.exe

C:\Windows\system32\Hkmefd32.exe

C:\Windows\SysWOW64\Hbgmcnhf.exe

C:\Windows\system32\Hbgmcnhf.exe

C:\Windows\SysWOW64\Iefioj32.exe

C:\Windows\system32\Iefioj32.exe

C:\Windows\SysWOW64\Ikpaldog.exe

C:\Windows\system32\Ikpaldog.exe

C:\Windows\SysWOW64\Icgjmapi.exe

C:\Windows\system32\Icgjmapi.exe

C:\Windows\SysWOW64\Iehfdi32.exe

C:\Windows\system32\Iehfdi32.exe

C:\Windows\SysWOW64\Imoneg32.exe

C:\Windows\system32\Imoneg32.exe

C:\Windows\SysWOW64\Icifbang.exe

C:\Windows\system32\Icifbang.exe

C:\Windows\SysWOW64\Ifgbnlmj.exe

C:\Windows\system32\Ifgbnlmj.exe

C:\Windows\SysWOW64\Iifokh32.exe

C:\Windows\system32\Iifokh32.exe

C:\Windows\SysWOW64\Ildkgc32.exe

C:\Windows\system32\Ildkgc32.exe

C:\Windows\SysWOW64\Ibnccmbo.exe

C:\Windows\system32\Ibnccmbo.exe

C:\Windows\SysWOW64\Iemppiab.exe

C:\Windows\system32\Iemppiab.exe

C:\Windows\SysWOW64\Imdgqfbd.exe

C:\Windows\system32\Imdgqfbd.exe

C:\Windows\SysWOW64\Ilghlc32.exe

C:\Windows\system32\Ilghlc32.exe

C:\Windows\SysWOW64\Ibqpimpl.exe

C:\Windows\system32\Ibqpimpl.exe

C:\Windows\SysWOW64\Iikhfg32.exe

C:\Windows\system32\Iikhfg32.exe

C:\Windows\SysWOW64\Ilidbbgl.exe

C:\Windows\system32\Ilidbbgl.exe

C:\Windows\SysWOW64\Ibcmom32.exe

C:\Windows\system32\Ibcmom32.exe

C:\Windows\SysWOW64\Jfoiokfb.exe

C:\Windows\system32\Jfoiokfb.exe

C:\Windows\SysWOW64\Jimekgff.exe

C:\Windows\system32\Jimekgff.exe

C:\Windows\SysWOW64\Jlkagbej.exe

C:\Windows\system32\Jlkagbej.exe

C:\Windows\SysWOW64\Jfaedkdp.exe

C:\Windows\system32\Jfaedkdp.exe

C:\Windows\SysWOW64\Jmknaell.exe

C:\Windows\system32\Jmknaell.exe

C:\Windows\SysWOW64\Jbhfjljd.exe

C:\Windows\system32\Jbhfjljd.exe

C:\Windows\SysWOW64\Jefbfgig.exe

C:\Windows\system32\Jefbfgig.exe

C:\Windows\SysWOW64\Jmmjgejj.exe

C:\Windows\system32\Jmmjgejj.exe

C:\Windows\SysWOW64\Jplfcpin.exe

C:\Windows\system32\Jplfcpin.exe

C:\Windows\SysWOW64\Jehokgge.exe

C:\Windows\system32\Jehokgge.exe

C:\Windows\SysWOW64\Jlbgha32.exe

C:\Windows\system32\Jlbgha32.exe

C:\Windows\SysWOW64\Jcioiood.exe

C:\Windows\system32\Jcioiood.exe

C:\Windows\SysWOW64\Jifhaenk.exe

C:\Windows\system32\Jifhaenk.exe

C:\Windows\SysWOW64\Jcllonma.exe

C:\Windows\system32\Jcllonma.exe

C:\Windows\SysWOW64\Klgqcqkl.exe

C:\Windows\system32\Klgqcqkl.exe

C:\Windows\SysWOW64\Klimip32.exe

C:\Windows\system32\Klimip32.exe

C:\Windows\SysWOW64\Klljnp32.exe

C:\Windows\system32\Klljnp32.exe

C:\Windows\SysWOW64\Kedoge32.exe

C:\Windows\system32\Kedoge32.exe

C:\Windows\SysWOW64\Kmkfhc32.exe

C:\Windows\system32\Kmkfhc32.exe

C:\Windows\SysWOW64\Kfckahdj.exe

C:\Windows\system32\Kfckahdj.exe

C:\Windows\SysWOW64\Klqcioba.exe

C:\Windows\system32\Klqcioba.exe

C:\Windows\SysWOW64\Lbjlfi32.exe

C:\Windows\system32\Lbjlfi32.exe

C:\Windows\SysWOW64\Leihbeib.exe

C:\Windows\system32\Leihbeib.exe

C:\Windows\SysWOW64\Lmppcbjd.exe

C:\Windows\system32\Lmppcbjd.exe

C:\Windows\SysWOW64\Lbmhlihl.exe

C:\Windows\system32\Lbmhlihl.exe

C:\Windows\SysWOW64\Lekehdgp.exe

C:\Windows\system32\Lekehdgp.exe

C:\Windows\SysWOW64\Lmbmibhb.exe

C:\Windows\system32\Lmbmibhb.exe

C:\Windows\SysWOW64\Lpqiemge.exe

C:\Windows\system32\Lpqiemge.exe

C:\Windows\SysWOW64\Lboeaifi.exe

C:\Windows\system32\Lboeaifi.exe

C:\Windows\SysWOW64\Lenamdem.exe

C:\Windows\system32\Lenamdem.exe

C:\Windows\SysWOW64\Lmdina32.exe

C:\Windows\system32\Lmdina32.exe

C:\Windows\SysWOW64\Lpcfkm32.exe

C:\Windows\system32\Lpcfkm32.exe

C:\Windows\SysWOW64\Likjcbkc.exe

C:\Windows\system32\Likjcbkc.exe

C:\Windows\SysWOW64\Lljfpnjg.exe

C:\Windows\system32\Lljfpnjg.exe

C:\Windows\SysWOW64\Lgokmgjm.exe

C:\Windows\system32\Lgokmgjm.exe

C:\Windows\SysWOW64\Lmiciaaj.exe

C:\Windows\system32\Lmiciaaj.exe

C:\Windows\SysWOW64\Lphoelqn.exe

C:\Windows\system32\Lphoelqn.exe

C:\Windows\SysWOW64\Mdckfk32.exe

C:\Windows\system32\Mdckfk32.exe

C:\Windows\SysWOW64\Mgagbf32.exe

C:\Windows\system32\Mgagbf32.exe

C:\Windows\SysWOW64\Medgncoe.exe

C:\Windows\system32\Medgncoe.exe

C:\Windows\SysWOW64\Mmlpoqpg.exe

C:\Windows\system32\Mmlpoqpg.exe

C:\Windows\SysWOW64\Mpjlklok.exe

C:\Windows\system32\Mpjlklok.exe

C:\Windows\SysWOW64\Mdehlk32.exe

C:\Windows\system32\Mdehlk32.exe

C:\Windows\SysWOW64\Mgddhf32.exe

C:\Windows\system32\Mgddhf32.exe

C:\Windows\SysWOW64\Mlampmdo.exe

C:\Windows\system32\Mlampmdo.exe

C:\Windows\SysWOW64\Mckemg32.exe

C:\Windows\system32\Mckemg32.exe

C:\Windows\SysWOW64\Miemjaci.exe

C:\Windows\system32\Miemjaci.exe

C:\Windows\SysWOW64\Mpoefk32.exe

C:\Windows\system32\Mpoefk32.exe

C:\Windows\SysWOW64\Mdjagjco.exe

C:\Windows\system32\Mdjagjco.exe

C:\Windows\SysWOW64\Mmbfpp32.exe

C:\Windows\system32\Mmbfpp32.exe

C:\Windows\SysWOW64\Mpablkhc.exe

C:\Windows\system32\Mpablkhc.exe

C:\Windows\SysWOW64\Mcpnhfhf.exe

C:\Windows\system32\Mcpnhfhf.exe

C:\Windows\SysWOW64\Mgkjhe32.exe

C:\Windows\system32\Mgkjhe32.exe

C:\Windows\SysWOW64\Miifeq32.exe

C:\Windows\system32\Miifeq32.exe

C:\Windows\SysWOW64\Mnebeogl.exe

C:\Windows\system32\Mnebeogl.exe

C:\Windows\SysWOW64\Ndokbi32.exe

C:\Windows\system32\Ndokbi32.exe

C:\Windows\SysWOW64\Ngmgne32.exe

C:\Windows\system32\Ngmgne32.exe

C:\Windows\SysWOW64\Nngokoej.exe

C:\Windows\system32\Nngokoej.exe

C:\Windows\SysWOW64\Npfkgjdn.exe

C:\Windows\system32\Npfkgjdn.exe

C:\Windows\SysWOW64\Ncdgcf32.exe

C:\Windows\system32\Ncdgcf32.exe

C:\Windows\SysWOW64\Ngpccdlj.exe

C:\Windows\system32\Ngpccdlj.exe

C:\Windows\SysWOW64\Nnjlpo32.exe

C:\Windows\system32\Nnjlpo32.exe

C:\Windows\SysWOW64\Nphhmj32.exe

C:\Windows\system32\Nphhmj32.exe

C:\Windows\SysWOW64\Ndcdmikd.exe

C:\Windows\system32\Ndcdmikd.exe

C:\Windows\SysWOW64\Ngbpidjh.exe

C:\Windows\system32\Ngbpidjh.exe

C:\Windows\SysWOW64\Nnlhfn32.exe

C:\Windows\system32\Nnlhfn32.exe

C:\Windows\SysWOW64\Npjebj32.exe

C:\Windows\system32\Npjebj32.exe

C:\Windows\SysWOW64\Ncianepl.exe

C:\Windows\system32\Ncianepl.exe

C:\Windows\SysWOW64\Nfgmjqop.exe

C:\Windows\system32\Nfgmjqop.exe

C:\Windows\SysWOW64\Nnneknob.exe

C:\Windows\system32\Nnneknob.exe

C:\Windows\SysWOW64\Npmagine.exe

C:\Windows\system32\Npmagine.exe

C:\Windows\SysWOW64\Nckndeni.exe

C:\Windows\system32\Nckndeni.exe

C:\Windows\SysWOW64\Nggjdc32.exe

C:\Windows\system32\Nggjdc32.exe

C:\Windows\SysWOW64\Njefqo32.exe

C:\Windows\system32\Njefqo32.exe

C:\Windows\SysWOW64\Olcbmj32.exe

C:\Windows\system32\Olcbmj32.exe

C:\Windows\SysWOW64\Odkjng32.exe

C:\Windows\system32\Odkjng32.exe

C:\Windows\SysWOW64\Ogifjcdp.exe

C:\Windows\system32\Ogifjcdp.exe

C:\Windows\SysWOW64\Ojgbfocc.exe

C:\Windows\system32\Ojgbfocc.exe

C:\Windows\SysWOW64\Opakbi32.exe

C:\Windows\system32\Opakbi32.exe

C:\Windows\SysWOW64\Ogkcpbam.exe

C:\Windows\system32\Ogkcpbam.exe

C:\Windows\SysWOW64\Oneklm32.exe

C:\Windows\system32\Oneklm32.exe

C:\Windows\SysWOW64\Opdghh32.exe

C:\Windows\system32\Opdghh32.exe

C:\Windows\SysWOW64\Ocbddc32.exe

C:\Windows\system32\Ocbddc32.exe

C:\Windows\SysWOW64\Ofqpqo32.exe

C:\Windows\system32\Ofqpqo32.exe

C:\Windows\SysWOW64\Onhhamgg.exe

C:\Windows\system32\Onhhamgg.exe

C:\Windows\SysWOW64\Oqfdnhfk.exe

C:\Windows\system32\Oqfdnhfk.exe

C:\Windows\SysWOW64\Ocdqjceo.exe

C:\Windows\system32\Ocdqjceo.exe

C:\Windows\SysWOW64\Ojoign32.exe

C:\Windows\system32\Ojoign32.exe

C:\Windows\SysWOW64\Olmeci32.exe

C:\Windows\system32\Olmeci32.exe

C:\Windows\SysWOW64\Ocgmpccl.exe

C:\Windows\system32\Ocgmpccl.exe

C:\Windows\SysWOW64\Ogbipa32.exe

C:\Windows\system32\Ogbipa32.exe

C:\Windows\SysWOW64\Ojaelm32.exe

C:\Windows\system32\Ojaelm32.exe

C:\Windows\SysWOW64\Pmoahijl.exe

C:\Windows\system32\Pmoahijl.exe

C:\Windows\SysWOW64\Pdfjifjo.exe

C:\Windows\system32\Pdfjifjo.exe

C:\Windows\SysWOW64\Pfhfan32.exe

C:\Windows\system32\Pfhfan32.exe

C:\Windows\SysWOW64\Pnonbk32.exe

C:\Windows\system32\Pnonbk32.exe

C:\Windows\SysWOW64\Pqmjog32.exe

C:\Windows\system32\Pqmjog32.exe

C:\Windows\SysWOW64\Pggbkagp.exe

C:\Windows\system32\Pggbkagp.exe

C:\Windows\SysWOW64\Pjeoglgc.exe

C:\Windows\system32\Pjeoglgc.exe

C:\Windows\SysWOW64\Pmdkch32.exe

C:\Windows\system32\Pmdkch32.exe

C:\Windows\SysWOW64\Pcncpbmd.exe

C:\Windows\system32\Pcncpbmd.exe

C:\Windows\SysWOW64\Pgioqq32.exe

C:\Windows\system32\Pgioqq32.exe

C:\Windows\SysWOW64\Pncgmkmj.exe

C:\Windows\system32\Pncgmkmj.exe

C:\Windows\SysWOW64\Pdmpje32.exe

C:\Windows\system32\Pdmpje32.exe

C:\Windows\SysWOW64\Pgllfp32.exe

C:\Windows\system32\Pgllfp32.exe

C:\Windows\SysWOW64\Pnfdcjkg.exe

C:\Windows\system32\Pnfdcjkg.exe

C:\Windows\SysWOW64\Pdpmpdbd.exe

C:\Windows\system32\Pdpmpdbd.exe

C:\Windows\SysWOW64\Qnhahj32.exe

C:\Windows\system32\Qnhahj32.exe

C:\Windows\SysWOW64\Qqfmde32.exe

C:\Windows\system32\Qqfmde32.exe

C:\Windows\SysWOW64\Qceiaa32.exe

C:\Windows\system32\Qceiaa32.exe

C:\Windows\SysWOW64\Qgqeappe.exe

C:\Windows\system32\Qgqeappe.exe

C:\Windows\SysWOW64\Qfcfml32.exe

C:\Windows\system32\Qfcfml32.exe

C:\Windows\SysWOW64\Qmmnjfnl.exe

C:\Windows\system32\Qmmnjfnl.exe

C:\Windows\SysWOW64\Qqijje32.exe

C:\Windows\system32\Qqijje32.exe

C:\Windows\SysWOW64\Qgcbgo32.exe

C:\Windows\system32\Qgcbgo32.exe

C:\Windows\SysWOW64\Ajanck32.exe

C:\Windows\system32\Ajanck32.exe

C:\Windows\SysWOW64\Ampkof32.exe

C:\Windows\system32\Ampkof32.exe

C:\Windows\SysWOW64\Acjclpcf.exe

C:\Windows\system32\Acjclpcf.exe

C:\Windows\SysWOW64\Afhohlbj.exe

C:\Windows\system32\Afhohlbj.exe

C:\Windows\SysWOW64\Anogiicl.exe

C:\Windows\system32\Anogiicl.exe

C:\Windows\SysWOW64\Aqncedbp.exe

C:\Windows\system32\Aqncedbp.exe

C:\Windows\SysWOW64\Afjlnk32.exe

C:\Windows\system32\Afjlnk32.exe

C:\Windows\SysWOW64\Ajfhnjhq.exe

C:\Windows\system32\Ajfhnjhq.exe

C:\Windows\SysWOW64\Aqppkd32.exe

C:\Windows\system32\Aqppkd32.exe

C:\Windows\SysWOW64\Acnlgp32.exe

C:\Windows\system32\Acnlgp32.exe

C:\Windows\SysWOW64\Afmhck32.exe

C:\Windows\system32\Afmhck32.exe

C:\Windows\SysWOW64\Andqdh32.exe

C:\Windows\system32\Andqdh32.exe

C:\Windows\SysWOW64\Aabmqd32.exe

C:\Windows\system32\Aabmqd32.exe

C:\Windows\SysWOW64\Acqimo32.exe

C:\Windows\system32\Acqimo32.exe

C:\Windows\SysWOW64\Ajkaii32.exe

C:\Windows\system32\Ajkaii32.exe

C:\Windows\SysWOW64\Aminee32.exe

C:\Windows\system32\Aminee32.exe

C:\Windows\SysWOW64\Aepefb32.exe

C:\Windows\system32\Aepefb32.exe

C:\Windows\SysWOW64\Agoabn32.exe

C:\Windows\system32\Agoabn32.exe

C:\Windows\SysWOW64\Bjmnoi32.exe

C:\Windows\system32\Bjmnoi32.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bcebhoii.exe

C:\Windows\system32\Bcebhoii.exe

C:\Windows\SysWOW64\Bfdodjhm.exe

C:\Windows\system32\Bfdodjhm.exe

C:\Windows\SysWOW64\Bmngqdpj.exe

C:\Windows\system32\Bmngqdpj.exe

C:\Windows\SysWOW64\Beeoaapl.exe

C:\Windows\system32\Beeoaapl.exe

C:\Windows\SysWOW64\Bffkij32.exe

C:\Windows\system32\Bffkij32.exe

C:\Windows\SysWOW64\Bjagjhnc.exe

C:\Windows\system32\Bjagjhnc.exe

C:\Windows\SysWOW64\Balpgb32.exe

C:\Windows\system32\Balpgb32.exe

C:\Windows\SysWOW64\Bcjlcn32.exe

C:\Windows\system32\Bcjlcn32.exe

C:\Windows\SysWOW64\Bjddphlq.exe

C:\Windows\system32\Bjddphlq.exe

C:\Windows\SysWOW64\Bmbplc32.exe

C:\Windows\system32\Bmbplc32.exe

C:\Windows\SysWOW64\Beihma32.exe

C:\Windows\system32\Beihma32.exe

C:\Windows\SysWOW64\Bfkedibe.exe

C:\Windows\system32\Bfkedibe.exe

C:\Windows\SysWOW64\Bmemac32.exe

C:\Windows\system32\Bmemac32.exe

C:\Windows\SysWOW64\Belebq32.exe

C:\Windows\system32\Belebq32.exe

C:\Windows\SysWOW64\Chjaol32.exe

C:\Windows\system32\Chjaol32.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Cmgjgcgo.exe

C:\Windows\system32\Cmgjgcgo.exe

C:\Windows\SysWOW64\Cdabcm32.exe

C:\Windows\system32\Cdabcm32.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cnffqf32.exe

C:\Windows\system32\Cnffqf32.exe

C:\Windows\SysWOW64\Ceqnmpfo.exe

C:\Windows\system32\Ceqnmpfo.exe

C:\Windows\SysWOW64\Chokikeb.exe

C:\Windows\system32\Chokikeb.exe

C:\Windows\SysWOW64\Cfbkeh32.exe

C:\Windows\system32\Cfbkeh32.exe

C:\Windows\SysWOW64\Cagobalc.exe

C:\Windows\system32\Cagobalc.exe

C:\Windows\SysWOW64\Cdfkolkf.exe

C:\Windows\system32\Cdfkolkf.exe

C:\Windows\SysWOW64\Cjpckf32.exe

C:\Windows\system32\Cjpckf32.exe

C:\Windows\SysWOW64\Cmnpgb32.exe

C:\Windows\system32\Cmnpgb32.exe

C:\Windows\SysWOW64\Ceehho32.exe

C:\Windows\system32\Ceehho32.exe

C:\Windows\SysWOW64\Cffdpghg.exe

C:\Windows\system32\Cffdpghg.exe

C:\Windows\SysWOW64\Cnnlaehj.exe

C:\Windows\system32\Cnnlaehj.exe

C:\Windows\SysWOW64\Calhnpgn.exe

C:\Windows\system32\Calhnpgn.exe

C:\Windows\SysWOW64\Cegdnopg.exe

C:\Windows\system32\Cegdnopg.exe

C:\Windows\SysWOW64\Dfiafg32.exe

C:\Windows\system32\Dfiafg32.exe

C:\Windows\SysWOW64\Dopigd32.exe

C:\Windows\system32\Dopigd32.exe

C:\Windows\SysWOW64\Danecp32.exe

C:\Windows\system32\Danecp32.exe

C:\Windows\SysWOW64\Ddmaok32.exe

C:\Windows\system32\Ddmaok32.exe

C:\Windows\SysWOW64\Dobfld32.exe

C:\Windows\system32\Dobfld32.exe

C:\Windows\SysWOW64\Dmefhako.exe

C:\Windows\system32\Dmefhako.exe

C:\Windows\SysWOW64\Ddonekbl.exe

C:\Windows\system32\Ddonekbl.exe

C:\Windows\SysWOW64\Dfnjafap.exe

C:\Windows\system32\Dfnjafap.exe

C:\Windows\SysWOW64\Dodbbdbb.exe

C:\Windows\system32\Dodbbdbb.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Dhmgki32.exe

C:\Windows\system32\Dhmgki32.exe

C:\Windows\SysWOW64\Dfpgffpm.exe

C:\Windows\system32\Dfpgffpm.exe

C:\Windows\SysWOW64\Daekdooc.exe

C:\Windows\system32\Daekdooc.exe

C:\Windows\SysWOW64\Dddhpjof.exe

C:\Windows\system32\Dddhpjof.exe

C:\Windows\SysWOW64\Dknpmdfc.exe

C:\Windows\system32\Dknpmdfc.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 7196 -ip 7196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7196 -s 396

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp

Files

memory/3392-0-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3392-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Eadopc32.exe

MD5 6f68b2a8067e77974a19449803cee807
SHA1 a06bfbf3ff41f20484ff854eb690d48792134da6
SHA256 9cb13a39666539b432c0c63f7a5f48d27de8f29e5c3b60a3e53a5c0e7053a9ea
SHA512 5492431917dcbc0dd7a01424a5b8e088924949a0a4db52c69aea7403c2735402855e8505383ab1f50410aeec057962a6cbefb3dbbec145ca53b34e816ea8e8fa

memory/1144-9-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Edbklofb.exe

MD5 676be99b208fba1e8301a96001368a08
SHA1 bd162562f0235ff7e587c6395fd33dc146c53e6e
SHA256 95958191114570269bdd0c4d0d9991b400dd2c679d64065c3072a3c4fd51415f
SHA512 e10640ffb3565e4575d69dcfa968520564b9c0b7ead87feda1c13cafeec28e2a9634fc3a778ef38628dc82cafaee1691c1e2200ca3cf875101d7bb8c6220d9ae

memory/3480-17-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4876-24-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Fohoigfh.exe

MD5 3f82126e7256572919bd6f754cfe560e
SHA1 0ee2a41c884ae15389481b64b57362076b1faf68
SHA256 ef3eef3ece666cb7bc21ae8a40d61771deb289d398bb3044a709a97f36d0130b
SHA512 3be60849e1668063bda0288acb893367b33a9eb1620294ad691baa09c5488f6340c8638d83096f6384f51d354043d1f7c15989c625f8434785878ecf41822f5e

memory/3500-32-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Fhqcam32.exe

MD5 8d2fa03e544f3ac81ded574273819b8e
SHA1 ff12df5135066f3080a5bba82bca9dfeaf094df7
SHA256 a51525fa09f4ae5aaa1adcf822acb9949996e8e219a37370aa12a766d60a3b6d
SHA512 915fd89cdd31cffc8efdeb6f175fd94d92dbe9b85003e0fd1e2f511b45d727ada5620467ed466cd113cf7d45ef6dc17235e2d3360c0f70ec90e9943ff5dbdf11

memory/1972-41-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Fojlngce.exe

MD5 a43b1cbefaa5b80de730260bc408c612
SHA1 41c3bace33dce97cf780cab19e94c8ec2f3223fe
SHA256 3b9c49249adb239c2bf8702934abaee5bac4ef54a4054a6bc0cd595b5309c9bf
SHA512 8591c76ff5d57bca2046cd3415176446022bcfc5f81fe8879c2b87e7948603eb8f22a6aeaa328e6ea396522c787b7ea18ef1bdfaff15056fcffb969275709990

C:\Windows\SysWOW64\Flnlhk32.exe

MD5 aa2e74df596738f506aaa59c959abe52
SHA1 1f7bbc178142e5201eb59765e2eb9d82aebaeffa
SHA256 0d27411cea19d8128ce5d85d276c777ca3d5cfae64531279820d4ed9d458fd16
SHA512 cc9860ab4cefa9d0461280133d6e87696f02983af51ce38316afd76961ea798f38956c1a04b66fd002dd14f8245c67de8c20976284aef553e2d28f9c9d307eda

memory/3516-49-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Ffgqqaip.exe

MD5 f8c5716975c5fcb6a60633f70f792e47
SHA1 3e3c19d41005b906f9ca0b87c09c491a40480430
SHA256 f8032128f31cee79cd60926a1505ac1586f1c99fdd62bd00d74fc8a14cc93fb9
SHA512 666745f093080c4dfb80a1680e925bd39f6850f51b61a308c41dbd9cf82cb3ea9d1b5c847e4d20e37b47de0a5f9762a711e7e89a7cdc7b42aecce47dcb6ddab8

memory/4204-56-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Fkciihgg.exe

MD5 e27a7c91d92beaebf1a7ce8cf9f500a8
SHA1 7b7053b61642ab173cc091fe5271b022e266cc47
SHA256 97f144c9d0a72b9c8c4525bc604118c9091aa035add6dd6369b08daa7be4659b
SHA512 b1f24cfc953913132369802986d2fc6af5251c9d604ea015709b1f8aa870bcda832c071d275a831e4e7e6d31ffae5007502572aeed33c0e3f6822cd365d04e67

C:\Windows\SysWOW64\Fkciihgg.exe

MD5 df8655adbdbd15198257fa93ed7fb066
SHA1 9c7fd85816a1fcbe3d377e1a5b332f5fdac1f73d
SHA256 98ad03ee495c72d47b7c7d45f7314b8066fd13319ab45e2a1a3934d26161d9d2
SHA512 57307860f5a7fbf7d5ad3a2ced218b10eb15eb1b4fc72bf5dd9a5446bff29c6456a1b45fc54a05c3642517da51d8197ae9b89a24cb7f22c9bd6f86be0ca2c2ec

memory/4912-65-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Fckajehi.exe

MD5 1b0b50f63ed5405cba87b8b65d6f1f47
SHA1 10c73b25075571384c1ac0aef65da382a62ec166
SHA256 daa82f724fa7f83e17591f0e7b63e90fa3ea23b1016c4dfbe7fef19d4ac24017
SHA512 4051dc9743920e2a293a66b07999b0e8b6d4ab6510748e842c0e0b2791e6fa04d4982cc8fc203a9aea977cc562e1896cc1091c4a012431d0c6ac004afc0d4e78

memory/4992-72-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Fhgjblfq.exe

MD5 33a90afc899c4c19386b659d71a9cdc6
SHA1 1d8e12fa5868a66202ba554e9be517665522e3ec
SHA256 3bf845a4d0b15caab12248babf396424fa7687817439de384011df953d436fe8