Malware Analysis Report

2025-04-03 18:01

Sample ID 241109-s6qw1sxejn
Target e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN
SHA256 e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cb
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cb

Threat Level: Known bad

The file e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Berbew

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 15:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 15:44

Reported

2024-11-09 15:46

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpfmmf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnmfdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jondnnbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lclicpkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kklkcn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lbafdlod.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqgmfkhg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Clojhf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iliebpfc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jondnnbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ljfapjbi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pkcbnanl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Akcomepg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgaaah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cmpgpond.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iliebpfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lhknaf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkcbnanl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abpcooea.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmbgfkje.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbblda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cbblda32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Knmdeioh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lbafdlod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpfmmf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cgaaah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Apgagg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkjdndjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfioia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lonpma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Locjhqpa.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lfhhjklc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Locjhqpa.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpgffe32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kklkcn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lkjjma32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acfmcc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Acfmcc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adnpkjde.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfioia32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eecafd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fkpjnkig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpnkbpdd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apgagg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Coacbfii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jimbkh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Adnpkjde.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Coacbfii.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnmfdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghdgfbkl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Abpcooea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Knmdeioh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ljfapjbi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Clojhf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kcgphp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Akcomepg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lhknaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qpbglhjq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ahebaiac.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bniajoic.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ieomef32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Eecafd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fgdnnl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fkpjnkig.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghdgfbkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpnkbpdd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ieomef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iliebpfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Jimbkh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jondnnbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpgffe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kklkcn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kcgphp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knmdeioh.exe N/A
N/A N/A C:\Windows\SysWOW64\Lonpma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfhhjklc.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhfefgkg.exe N/A
N/A N/A C:\Windows\SysWOW64\Lclicpkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljfapjbi.exe N/A
N/A N/A C:\Windows\SysWOW64\Locjhqpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbafdlod.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhknaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkjjma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkcbnanl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pleofj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qpbglhjq.exe N/A
N/A N/A C:\Windows\SysWOW64\Apgagg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfmcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahebaiac.exe N/A
N/A N/A C:\Windows\SysWOW64\Akcomepg.exe N/A
N/A N/A C:\Windows\SysWOW64\Abpcooea.exe N/A
N/A N/A C:\Windows\SysWOW64\Adnpkjde.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkjdndjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Bniajoic.exe N/A
N/A N/A C:\Windows\SysWOW64\Bqgmfkhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bchfhfeh.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfioia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmbgfkje.exe N/A
N/A N/A C:\Windows\SysWOW64\Coacbfii.exe N/A
N/A N/A C:\Windows\SysWOW64\Cbblda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cpfmmf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgaaah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Clojhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnmfdb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmpgpond.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpapaj32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe N/A
N/A N/A C:\Windows\SysWOW64\Eecafd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eecafd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fgdnnl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fgdnnl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fkpjnkig.exe N/A
N/A N/A C:\Windows\SysWOW64\Fkpjnkig.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghdgfbkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghdgfbkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpnkbpdd.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpnkbpdd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ieomef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ieomef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iliebpfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Iliebpfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Jimbkh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jimbkh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jondnnbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Jondnnbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpgffe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpgffe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kklkcn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kklkcn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kcgphp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kcgphp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knmdeioh.exe N/A
N/A N/A C:\Windows\SysWOW64\Knmdeioh.exe N/A
N/A N/A C:\Windows\SysWOW64\Lonpma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lonpma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfhhjklc.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfhhjklc.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhfefgkg.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhfefgkg.exe N/A
N/A N/A C:\Windows\SysWOW64\Lclicpkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Lclicpkm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljfapjbi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljfapjbi.exe N/A
N/A N/A C:\Windows\SysWOW64\Locjhqpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Locjhqpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbafdlod.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbafdlod.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhknaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhknaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkjjma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkjjma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkcbnanl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkcbnanl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pleofj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pleofj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qpbglhjq.exe N/A
N/A N/A C:\Windows\SysWOW64\Qpbglhjq.exe N/A
N/A N/A C:\Windows\SysWOW64\Apgagg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apgagg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfmcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acfmcc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahebaiac.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahebaiac.exe N/A
N/A N/A C:\Windows\SysWOW64\Akcomepg.exe N/A
N/A N/A C:\Windows\SysWOW64\Akcomepg.exe N/A
N/A N/A C:\Windows\SysWOW64\Abpcooea.exe N/A
N/A N/A C:\Windows\SysWOW64\Abpcooea.exe N/A
N/A N/A C:\Windows\SysWOW64\Adnpkjde.exe N/A
N/A N/A C:\Windows\SysWOW64\Adnpkjde.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Kpgffe32.exe C:\Windows\SysWOW64\Jondnnbk.exe N/A
File created C:\Windows\SysWOW64\Nhfpnk32.dll C:\Windows\SysWOW64\Kcgphp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lonpma32.exe C:\Windows\SysWOW64\Knmdeioh.exe N/A
File created C:\Windows\SysWOW64\Gfnafi32.dll C:\Windows\SysWOW64\Akcomepg.exe N/A
File created C:\Windows\SysWOW64\Ihkhkcdl.dll C:\Windows\SysWOW64\Bniajoic.exe N/A
File opened for modification C:\Windows\SysWOW64\Clojhf32.exe C:\Windows\SysWOW64\Cgaaah32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnmfdb32.exe C:\Windows\SysWOW64\Clojhf32.exe N/A
File created C:\Windows\SysWOW64\Jendoajo.dll C:\Windows\SysWOW64\Acfmcc32.exe N/A
File created C:\Windows\SysWOW64\Coacbfii.exe C:\Windows\SysWOW64\Bmbgfkje.exe N/A
File created C:\Windows\SysWOW64\Cefkjiak.dll C:\Windows\SysWOW64\Fkpjnkig.exe N/A
File created C:\Windows\SysWOW64\Bjlkhpje.dll C:\Windows\SysWOW64\Lfhhjklc.exe N/A
File opened for modification C:\Windows\SysWOW64\Lbafdlod.exe C:\Windows\SysWOW64\Locjhqpa.exe N/A
File created C:\Windows\SysWOW64\Ckmcef32.dll C:\Windows\SysWOW64\Pleofj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmbgfkje.exe C:\Windows\SysWOW64\Bfioia32.exe N/A
File created C:\Windows\SysWOW64\Pcaibd32.dll C:\Windows\SysWOW64\Cnmfdb32.exe N/A
File created C:\Windows\SysWOW64\Dejdjfjb.dll C:\Windows\SysWOW64\Hpnkbpdd.exe N/A
File opened for modification C:\Windows\SysWOW64\Lclicpkm.exe C:\Windows\SysWOW64\Lhfefgkg.exe N/A
File created C:\Windows\SysWOW64\Locjhqpa.exe C:\Windows\SysWOW64\Ljfapjbi.exe N/A
File created C:\Windows\SysWOW64\Cofdbf32.dll C:\Windows\SysWOW64\Lkjjma32.exe N/A
File created C:\Windows\SysWOW64\Kklkcn32.exe C:\Windows\SysWOW64\Kpgffe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Knmdeioh.exe C:\Windows\SysWOW64\Kcgphp32.exe N/A
File created C:\Windows\SysWOW64\Efeckm32.dll C:\Windows\SysWOW64\Cgaaah32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kcgphp32.exe C:\Windows\SysWOW64\Kklkcn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ljfapjbi.exe C:\Windows\SysWOW64\Lclicpkm.exe N/A
File created C:\Windows\SysWOW64\Binbknik.dll C:\Windows\SysWOW64\Ahebaiac.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkjdndjo.exe C:\Windows\SysWOW64\Adnpkjde.exe N/A
File created C:\Windows\SysWOW64\Aacinhhc.dll C:\Windows\SysWOW64\Apgagg32.exe N/A
File created C:\Windows\SysWOW64\Clojhf32.exe C:\Windows\SysWOW64\Cgaaah32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fgdnnl32.exe C:\Windows\SysWOW64\Eecafd32.exe N/A
File created C:\Windows\SysWOW64\Fkpjnkig.exe C:\Windows\SysWOW64\Fgdnnl32.exe N/A
File created C:\Windows\SysWOW64\Iliebpfc.exe C:\Windows\SysWOW64\Ieomef32.exe N/A
File created C:\Windows\SysWOW64\Kcacjhob.dll C:\Windows\SysWOW64\Lhfefgkg.exe N/A
File created C:\Windows\SysWOW64\Ljfapjbi.exe C:\Windows\SysWOW64\Lclicpkm.exe N/A
File created C:\Windows\SysWOW64\Abpcooea.exe C:\Windows\SysWOW64\Akcomepg.exe N/A
File opened for modification C:\Windows\SysWOW64\Adnpkjde.exe C:\Windows\SysWOW64\Abpcooea.exe N/A
File created C:\Windows\SysWOW64\Aglfmjon.dll C:\Windows\SysWOW64\Abpcooea.exe N/A
File created C:\Windows\SysWOW64\Bniajoic.exe C:\Windows\SysWOW64\Bkjdndjo.exe N/A
File opened for modification C:\Windows\SysWOW64\Eecafd32.exe C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe N/A
File created C:\Windows\SysWOW64\Hpnkbpdd.exe C:\Windows\SysWOW64\Ghdgfbkl.exe N/A
File opened for modification C:\Windows\SysWOW64\Qpbglhjq.exe C:\Windows\SysWOW64\Pleofj32.exe N/A
File created C:\Windows\SysWOW64\Kaqnpc32.dll C:\Windows\SysWOW64\Cpfmmf32.exe N/A
File created C:\Windows\SysWOW64\Niebgj32.dll C:\Windows\SysWOW64\Clojhf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fkpjnkig.exe C:\Windows\SysWOW64\Fgdnnl32.exe N/A
File created C:\Windows\SysWOW64\Jmgnph32.dll C:\Windows\SysWOW64\Jondnnbk.exe N/A
File opened for modification C:\Windows\SysWOW64\Pleofj32.exe C:\Windows\SysWOW64\Pkcbnanl.exe N/A
File created C:\Windows\SysWOW64\Acfmcc32.exe C:\Windows\SysWOW64\Apgagg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ahebaiac.exe C:\Windows\SysWOW64\Acfmcc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgaaah32.exe C:\Windows\SysWOW64\Cpfmmf32.exe N/A
File created C:\Windows\SysWOW64\Ahebaiac.exe C:\Windows\SysWOW64\Acfmcc32.exe N/A
File created C:\Windows\SysWOW64\Cmpgpond.exe C:\Windows\SysWOW64\Cnmfdb32.exe N/A
File created C:\Windows\SysWOW64\Gbdcic32.dll C:\Windows\SysWOW64\Ghdgfbkl.exe N/A
File created C:\Windows\SysWOW64\Lfhhjklc.exe C:\Windows\SysWOW64\Lonpma32.exe N/A
File created C:\Windows\SysWOW64\Apgagg32.exe C:\Windows\SysWOW64\Qpbglhjq.exe N/A
File created C:\Windows\SysWOW64\Mhniklfm.dll C:\Windows\SysWOW64\Kklkcn32.exe N/A
File created C:\Windows\SysWOW64\Djmlem32.dll C:\Windows\SysWOW64\Ljfapjbi.exe N/A
File created C:\Windows\SysWOW64\Ogdjhp32.dll C:\Windows\SysWOW64\Bmbgfkje.exe N/A
File created C:\Windows\SysWOW64\Ghdgfbkl.exe C:\Windows\SysWOW64\Fkpjnkig.exe N/A
File created C:\Windows\SysWOW64\Lhfefgkg.exe C:\Windows\SysWOW64\Lfhhjklc.exe N/A
File created C:\Windows\SysWOW64\Lloeec32.dll C:\Windows\SysWOW64\Bchfhfeh.exe N/A
File opened for modification C:\Windows\SysWOW64\Coacbfii.exe C:\Windows\SysWOW64\Bmbgfkje.exe N/A
File created C:\Windows\SysWOW64\Cnmfdb32.exe C:\Windows\SysWOW64\Clojhf32.exe N/A
File created C:\Windows\SysWOW64\Andpoahc.dll C:\Windows\SysWOW64\Kpgffe32.exe N/A
File created C:\Windows\SysWOW64\Nlbjim32.dll C:\Windows\SysWOW64\Pkcbnanl.exe N/A
File created C:\Windows\SysWOW64\Cgaaah32.exe C:\Windows\SysWOW64\Cpfmmf32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dpapaj32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqgmfkhg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmbgfkje.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpfmmf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnmfdb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmpgpond.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Abpcooea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jimbkh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkcbnanl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Acfmcc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adnpkjde.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fgdnnl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hpnkbpdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ieomef32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Locjhqpa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkjdndjo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eecafd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lonpma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lkjjma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qpbglhjq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Coacbfii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Clojhf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kklkcn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pleofj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahebaiac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akcomepg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bniajoic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgaaah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fkpjnkig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lhfefgkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ljfapjbi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbafdlod.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfioia32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lfhhjklc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kpgffe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apgagg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jondnnbk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ghdgfbkl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iliebpfc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kcgphp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Knmdeioh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lclicpkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lhknaf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbblda32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kpgffe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kcgphp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lfhhjklc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Akcomepg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbknik.dll" C:\Windows\SysWOW64\Ahebaiac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgaaah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefkjiak.dll" C:\Windows\SysWOW64\Fkpjnkig.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ieomef32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ljfapjbi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Acfmcc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll" C:\Windows\SysWOW64\Cgaaah32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lhfefgkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkjdndjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfioia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjlkhpje.dll" C:\Windows\SysWOW64\Lfhhjklc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cmpgpond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" C:\Windows\SysWOW64\Cmpgpond.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fkpjnkig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdcic32.dll" C:\Windows\SysWOW64\Ghdgfbkl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Abpcooea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll" C:\Windows\SysWOW64\Cbblda32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cpfmmf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmaibil.dll" C:\Windows\SysWOW64\Eecafd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kcgphp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Apgagg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Abpcooea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaijflc.dll" C:\Windows\SysWOW64\Fgdnnl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofpgamj.dll" C:\Windows\SysWOW64\Ieomef32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iliebpfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jimbkh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kpgffe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Adnpkjde.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bkjdndjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bniajoic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll" C:\Windows\SysWOW64\Bfioia32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Clojhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfeei32.dll" C:\Windows\SysWOW64\Jimbkh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lhfefgkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbjim32.dll" C:\Windows\SysWOW64\Pkcbnanl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cbblda32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll" C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hpnkbpdd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hpnkbpdd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lonpma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pleofj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ahebaiac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Clojhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll" C:\Windows\SysWOW64\Cnmfdb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ghdgfbkl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jondnnbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andpoahc.dll" C:\Windows\SysWOW64\Kpgffe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lfhhjklc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lhknaf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Adnpkjde.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bniajoic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmbgfkje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lkjjma32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pleofj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Acfmcc32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe C:\Windows\SysWOW64\Eecafd32.exe
PID 3008 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe C:\Windows\SysWOW64\Eecafd32.exe
PID 3008 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe C:\Windows\SysWOW64\Eecafd32.exe
PID 3008 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe C:\Windows\SysWOW64\Eecafd32.exe
PID 816 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Eecafd32.exe C:\Windows\SysWOW64\Fgdnnl32.exe
PID 816 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Eecafd32.exe C:\Windows\SysWOW64\Fgdnnl32.exe
PID 816 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Eecafd32.exe C:\Windows\SysWOW64\Fgdnnl32.exe
PID 816 wrote to memory of 2096 N/A C:\Windows\SysWOW64\Eecafd32.exe C:\Windows\SysWOW64\Fgdnnl32.exe
PID 2096 wrote to memory of 1912 N/A C:\Windows\SysWOW64\Fgdnnl32.exe C:\Windows\SysWOW64\Fkpjnkig.exe
PID 2096 wrote to memory of 1912 N/A C:\Windows\SysWOW64\Fgdnnl32.exe C:\Windows\SysWOW64\Fkpjnkig.exe
PID 2096 wrote to memory of 1912 N/A C:\Windows\SysWOW64\Fgdnnl32.exe C:\Windows\SysWOW64\Fkpjnkig.exe
PID 2096 wrote to memory of 1912 N/A C:\Windows\SysWOW64\Fgdnnl32.exe C:\Windows\SysWOW64\Fkpjnkig.exe
PID 1912 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Fkpjnkig.exe C:\Windows\SysWOW64\Ghdgfbkl.exe
PID 1912 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Fkpjnkig.exe C:\Windows\SysWOW64\Ghdgfbkl.exe
PID 1912 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Fkpjnkig.exe C:\Windows\SysWOW64\Ghdgfbkl.exe
PID 1912 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Fkpjnkig.exe C:\Windows\SysWOW64\Ghdgfbkl.exe
PID 2820 wrote to memory of 2848 N/A C:\Windows\SysWOW64\Ghdgfbkl.exe C:\Windows\SysWOW64\Hpnkbpdd.exe
PID 2820 wrote to memory of 2848 N/A C:\Windows\SysWOW64\Ghdgfbkl.exe C:\Windows\SysWOW64\Hpnkbpdd.exe
PID 2820 wrote to memory of 2848 N/A C:\Windows\SysWOW64\Ghdgfbkl.exe C:\Windows\SysWOW64\Hpnkbpdd.exe
PID 2820 wrote to memory of 2848 N/A C:\Windows\SysWOW64\Ghdgfbkl.exe C:\Windows\SysWOW64\Hpnkbpdd.exe
PID 2848 wrote to memory of 1804 N/A C:\Windows\SysWOW64\Hpnkbpdd.exe C:\Windows\SysWOW64\Ieomef32.exe
PID 2848 wrote to memory of 1804 N/A C:\Windows\SysWOW64\Hpnkbpdd.exe C:\Windows\SysWOW64\Ieomef32.exe
PID 2848 wrote to memory of 1804 N/A C:\Windows\SysWOW64\Hpnkbpdd.exe C:\Windows\SysWOW64\Ieomef32.exe
PID 2848 wrote to memory of 1804 N/A C:\Windows\SysWOW64\Hpnkbpdd.exe C:\Windows\SysWOW64\Ieomef32.exe
PID 1804 wrote to memory of 2628 N/A C:\Windows\SysWOW64\Ieomef32.exe C:\Windows\SysWOW64\Iliebpfc.exe
PID 1804 wrote to memory of 2628 N/A C:\Windows\SysWOW64\Ieomef32.exe C:\Windows\SysWOW64\Iliebpfc.exe
PID 1804 wrote to memory of 2628 N/A C:\Windows\SysWOW64\Ieomef32.exe C:\Windows\SysWOW64\Iliebpfc.exe
PID 1804 wrote to memory of 2628 N/A C:\Windows\SysWOW64\Ieomef32.exe C:\Windows\SysWOW64\Iliebpfc.exe
PID 2628 wrote to memory of 1712 N/A C:\Windows\SysWOW64\Iliebpfc.exe C:\Windows\SysWOW64\Jimbkh32.exe
PID 2628 wrote to memory of 1712 N/A C:\Windows\SysWOW64\Iliebpfc.exe C:\Windows\SysWOW64\Jimbkh32.exe
PID 2628 wrote to memory of 1712 N/A C:\Windows\SysWOW64\Iliebpfc.exe C:\Windows\SysWOW64\Jimbkh32.exe
PID 2628 wrote to memory of 1712 N/A C:\Windows\SysWOW64\Iliebpfc.exe C:\Windows\SysWOW64\Jimbkh32.exe
PID 1712 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Jimbkh32.exe C:\Windows\SysWOW64\Jondnnbk.exe
PID 1712 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Jimbkh32.exe C:\Windows\SysWOW64\Jondnnbk.exe
PID 1712 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Jimbkh32.exe C:\Windows\SysWOW64\Jondnnbk.exe
PID 1712 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Jimbkh32.exe C:\Windows\SysWOW64\Jondnnbk.exe
PID 2468 wrote to memory of 808 N/A C:\Windows\SysWOW64\Jondnnbk.exe C:\Windows\SysWOW64\Kpgffe32.exe
PID 2468 wrote to memory of 808 N/A C:\Windows\SysWOW64\Jondnnbk.exe C:\Windows\SysWOW64\Kpgffe32.exe
PID 2468 wrote to memory of 808 N/A C:\Windows\SysWOW64\Jondnnbk.exe C:\Windows\SysWOW64\Kpgffe32.exe
PID 2468 wrote to memory of 808 N/A C:\Windows\SysWOW64\Jondnnbk.exe C:\Windows\SysWOW64\Kpgffe32.exe
PID 808 wrote to memory of 2476 N/A C:\Windows\SysWOW64\Kpgffe32.exe C:\Windows\SysWOW64\Kklkcn32.exe
PID 808 wrote to memory of 2476 N/A C:\Windows\SysWOW64\Kpgffe32.exe C:\Windows\SysWOW64\Kklkcn32.exe
PID 808 wrote to memory of 2476 N/A C:\Windows\SysWOW64\Kpgffe32.exe C:\Windows\SysWOW64\Kklkcn32.exe
PID 808 wrote to memory of 2476 N/A C:\Windows\SysWOW64\Kpgffe32.exe C:\Windows\SysWOW64\Kklkcn32.exe
PID 2476 wrote to memory of 1168 N/A C:\Windows\SysWOW64\Kklkcn32.exe C:\Windows\SysWOW64\Kcgphp32.exe
PID 2476 wrote to memory of 1168 N/A C:\Windows\SysWOW64\Kklkcn32.exe C:\Windows\SysWOW64\Kcgphp32.exe
PID 2476 wrote to memory of 1168 N/A C:\Windows\SysWOW64\Kklkcn32.exe C:\Windows\SysWOW64\Kcgphp32.exe
PID 2476 wrote to memory of 1168 N/A C:\Windows\SysWOW64\Kklkcn32.exe C:\Windows\SysWOW64\Kcgphp32.exe
PID 1168 wrote to memory of 2448 N/A C:\Windows\SysWOW64\Kcgphp32.exe C:\Windows\SysWOW64\Knmdeioh.exe
PID 1168 wrote to memory of 2448 N/A C:\Windows\SysWOW64\Kcgphp32.exe C:\Windows\SysWOW64\Knmdeioh.exe
PID 1168 wrote to memory of 2448 N/A C:\Windows\SysWOW64\Kcgphp32.exe C:\Windows\SysWOW64\Knmdeioh.exe
PID 1168 wrote to memory of 2448 N/A C:\Windows\SysWOW64\Kcgphp32.exe C:\Windows\SysWOW64\Knmdeioh.exe
PID 2448 wrote to memory of 2388 N/A C:\Windows\SysWOW64\Knmdeioh.exe C:\Windows\SysWOW64\Lonpma32.exe
PID 2448 wrote to memory of 2388 N/A C:\Windows\SysWOW64\Knmdeioh.exe C:\Windows\SysWOW64\Lonpma32.exe
PID 2448 wrote to memory of 2388 N/A C:\Windows\SysWOW64\Knmdeioh.exe C:\Windows\SysWOW64\Lonpma32.exe
PID 2448 wrote to memory of 2388 N/A C:\Windows\SysWOW64\Knmdeioh.exe C:\Windows\SysWOW64\Lonpma32.exe
PID 2388 wrote to memory of 1704 N/A C:\Windows\SysWOW64\Lonpma32.exe C:\Windows\SysWOW64\Lfhhjklc.exe
PID 2388 wrote to memory of 1704 N/A C:\Windows\SysWOW64\Lonpma32.exe C:\Windows\SysWOW64\Lfhhjklc.exe
PID 2388 wrote to memory of 1704 N/A C:\Windows\SysWOW64\Lonpma32.exe C:\Windows\SysWOW64\Lfhhjklc.exe
PID 2388 wrote to memory of 1704 N/A C:\Windows\SysWOW64\Lonpma32.exe C:\Windows\SysWOW64\Lfhhjklc.exe
PID 1704 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Lfhhjklc.exe C:\Windows\SysWOW64\Lhfefgkg.exe
PID 1704 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Lfhhjklc.exe C:\Windows\SysWOW64\Lhfefgkg.exe
PID 1704 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Lfhhjklc.exe C:\Windows\SysWOW64\Lhfefgkg.exe
PID 1704 wrote to memory of 2136 N/A C:\Windows\SysWOW64\Lfhhjklc.exe C:\Windows\SysWOW64\Lhfefgkg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe

"C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe"

C:\Windows\SysWOW64\Eecafd32.exe

C:\Windows\system32\Eecafd32.exe

C:\Windows\SysWOW64\Fgdnnl32.exe

C:\Windows\system32\Fgdnnl32.exe

C:\Windows\SysWOW64\Fkpjnkig.exe

C:\Windows\system32\Fkpjnkig.exe

C:\Windows\SysWOW64\Ghdgfbkl.exe

C:\Windows\system32\Ghdgfbkl.exe

C:\Windows\SysWOW64\Hpnkbpdd.exe

C:\Windows\system32\Hpnkbpdd.exe

C:\Windows\SysWOW64\Ieomef32.exe

C:\Windows\system32\Ieomef32.exe

C:\Windows\SysWOW64\Iliebpfc.exe

C:\Windows\system32\Iliebpfc.exe

C:\Windows\SysWOW64\Jimbkh32.exe

C:\Windows\system32\Jimbkh32.exe

C:\Windows\SysWOW64\Jondnnbk.exe

C:\Windows\system32\Jondnnbk.exe

C:\Windows\SysWOW64\Kpgffe32.exe

C:\Windows\system32\Kpgffe32.exe

C:\Windows\SysWOW64\Kklkcn32.exe

C:\Windows\system32\Kklkcn32.exe

C:\Windows\SysWOW64\Kcgphp32.exe

C:\Windows\system32\Kcgphp32.exe

C:\Windows\SysWOW64\Knmdeioh.exe

C:\Windows\system32\Knmdeioh.exe

C:\Windows\SysWOW64\Lonpma32.exe

C:\Windows\system32\Lonpma32.exe

C:\Windows\SysWOW64\Lfhhjklc.exe

C:\Windows\system32\Lfhhjklc.exe

C:\Windows\SysWOW64\Lhfefgkg.exe

C:\Windows\system32\Lhfefgkg.exe

C:\Windows\SysWOW64\Lclicpkm.exe

C:\Windows\system32\Lclicpkm.exe

C:\Windows\SysWOW64\Ljfapjbi.exe

C:\Windows\system32\Ljfapjbi.exe

C:\Windows\SysWOW64\Locjhqpa.exe

C:\Windows\system32\Locjhqpa.exe

C:\Windows\SysWOW64\Lbafdlod.exe

C:\Windows\system32\Lbafdlod.exe

C:\Windows\SysWOW64\Lhknaf32.exe

C:\Windows\system32\Lhknaf32.exe

C:\Windows\SysWOW64\Lkjjma32.exe

C:\Windows\system32\Lkjjma32.exe

C:\Windows\SysWOW64\Pkcbnanl.exe

C:\Windows\system32\Pkcbnanl.exe

C:\Windows\SysWOW64\Pleofj32.exe

C:\Windows\system32\Pleofj32.exe

C:\Windows\SysWOW64\Qpbglhjq.exe

C:\Windows\system32\Qpbglhjq.exe

C:\Windows\SysWOW64\Apgagg32.exe

C:\Windows\system32\Apgagg32.exe

C:\Windows\SysWOW64\Acfmcc32.exe

C:\Windows\system32\Acfmcc32.exe

C:\Windows\SysWOW64\Ahebaiac.exe

C:\Windows\system32\Ahebaiac.exe

C:\Windows\SysWOW64\Akcomepg.exe

C:\Windows\system32\Akcomepg.exe

C:\Windows\SysWOW64\Abpcooea.exe

C:\Windows\system32\Abpcooea.exe

C:\Windows\SysWOW64\Adnpkjde.exe

C:\Windows\system32\Adnpkjde.exe

C:\Windows\SysWOW64\Bkjdndjo.exe

C:\Windows\system32\Bkjdndjo.exe

C:\Windows\SysWOW64\Bniajoic.exe

C:\Windows\system32\Bniajoic.exe

C:\Windows\SysWOW64\Bqgmfkhg.exe

C:\Windows\system32\Bqgmfkhg.exe

C:\Windows\SysWOW64\Bchfhfeh.exe

C:\Windows\system32\Bchfhfeh.exe

C:\Windows\SysWOW64\Bfioia32.exe

C:\Windows\system32\Bfioia32.exe

C:\Windows\SysWOW64\Bmbgfkje.exe

C:\Windows\system32\Bmbgfkje.exe

C:\Windows\SysWOW64\Coacbfii.exe

C:\Windows\system32\Coacbfii.exe

C:\Windows\SysWOW64\Cbblda32.exe

C:\Windows\system32\Cbblda32.exe

C:\Windows\SysWOW64\Cpfmmf32.exe

C:\Windows\system32\Cpfmmf32.exe

C:\Windows\SysWOW64\Cgaaah32.exe

C:\Windows\system32\Cgaaah32.exe

C:\Windows\SysWOW64\Clojhf32.exe

C:\Windows\system32\Clojhf32.exe

C:\Windows\SysWOW64\Cnmfdb32.exe

C:\Windows\system32\Cnmfdb32.exe

C:\Windows\SysWOW64\Cmpgpond.exe

C:\Windows\system32\Cmpgpond.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 144

Network

N/A

Files

memory/3008-0-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Eecafd32.exe

MD5 0fdc8d38d19240c3b24764e440695927
SHA1 4de7e9157cd45a6e8887d28a4c880b7fea42cb8f
SHA256 5ece827dfd8b862f2b2b6f22c48a2ab60cb0f6d17d986a12a03e97b3c6856d08
SHA512 e93d57910ea148b97255d303ecbe6929c621475b033df3717dcc6c9bb580216a29a284aee68d6d6e2f9f2a1324bf97cd450d7b443a03661df8597268885753d2

memory/3008-17-0x00000000002D0000-0x0000000000303000-memory.dmp

C:\Windows\SysWOW64\Fgdnnl32.exe

MD5 482d7275a5d5a69f0e76a463fe8baf7f
SHA1 5e217d91c3199d767e2de25be520d597a4b013be
SHA256 414665a2b6bf60e862b26d9dbe6636cafba68379d44bc0e64474632be89047a0
SHA512 6380371c317974c604df71aa23e1a0c8d9164156d349b760d259b830922f245b07267f5e630c3593d42c0bc842aae0356c51082360cf129ee139e274f9ecfdc0

memory/816-31-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3008-30-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/816-34-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/2096-33-0x0000000000400000-0x0000000000433000-memory.dmp

memory/816-32-0x0000000000290000-0x00000000002C3000-memory.dmp

\Windows\SysWOW64\Fkpjnkig.exe

MD5 40b8c22717a7a843cd1e73ff0a54ffff
SHA1 3c3b1f30bac197eb8781272d44ebdb2f3048253f
SHA256 798d89e4c2cbea1afeb57b863b5264384d6642824843e9d1165f6e8524522e1f
SHA512 9398e62f9ae36f62128f1e694016400028fd1948657160c3c030ff26f0187058743f9dce8e1ec03d3f7a07b4e0e0d165b987d12a15974e5354bbab1f93f67348

memory/1912-49-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2096-42-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2096-41-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2820-59-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ghdgfbkl.exe

MD5 010f0d2d6e6253f36797ed2239f40f05
SHA1 0863b91a8a7fdcdd41c17d92a7394dd038000265
SHA256 ab849f96e65b7258372e6d187bb51461caf380492df516ce5561e4e83474d9a7
SHA512 bfe0c076c1550d1598317203de1ce307e9acbf1203c5193d0766acda3311ce0426f85470dc497b893c7f3602d87489554d6c8baaf5bdf90d4a9fd3caef376598

memory/1912-57-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1912-56-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2820-67-0x0000000000250000-0x0000000000283000-memory.dmp

\Windows\SysWOW64\Hpnkbpdd.exe

MD5 2ae95c72ae988262ff3352547561f4fe
SHA1 dcf9d0a5293af82026746472cdf76f7f16b551ee
SHA256 9fc23b6777fdf66d23c6b1ed4186dc71b492c45ca7d77bb66a5d4928f6edc4fb
SHA512 2570632ca688e9ccc516408000a1f656bc358a0f7d29c5cc807a8ee5d44fe664ad5f98950b81eed4b18bfd95be362860018571325dc3b9805acc45bdd9d290ba

memory/2848-73-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ieomef32.exe

MD5 6692043edcedcc154f742f287b5f9314
SHA1 579031405960870a00b6658ab8eb837ffe45a4e2
SHA256 67db99742181a4eeccc820ec8f381825b7047982155f616b6aed3c571bbdd970
SHA512 8f61b3825c2ab522e2cd4170b93c8791cd23aa9767dad4153706cec02e3d65058240d963b124e93197e5923c796d29262714543b4c09187c99590ff2d48c8e58

memory/1804-87-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2848-86-0x0000000000440000-0x0000000000473000-memory.dmp

\Windows\SysWOW64\Iliebpfc.exe

MD5 4729cf49041da07e766b9595f45465a6
SHA1 a5354f46d336bfb5895b9d436e22bd88069dd5d1
SHA256 bb85cab8757cdabcabce5a9c3d66f3e1d6b88140e21e434f3d21b801398863ff
SHA512 445b490fdc2ebbb798e3f43a599084a4ad50731f772268fea966f7bf7617e6b8db3579551565144a9e15263f57f653a9c3f17e39c8a67e57ab98ca866bc04eac

memory/2628-100-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Jimbkh32.exe

MD5 21dba74cc998e2f8013470b93340e6d3
SHA1 ca962902b490c9adadd5c6694f6dec06501c716b
SHA256 7e22c7d29f6fa5744a9dd2bdb70974a7cf8bd5b7ec4b7c257b3be0d135e701a6
SHA512 822f74610bddc36ecdd7f24f2672e5289004236046126ff3f03b6b68b252dd62d625347fb1ed169380d10d110f484e9b9984fb97e4e2d44bc6acd6d6f74ba92d

memory/2628-108-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/1712-114-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Jondnnbk.exe

MD5 bc6aad0506f5116c63eac60948b5bd9d
SHA1 f2c0fbb56fc327bddcc974f91950d6e378581abe
SHA256 0493d4a582f066a35c9153604efaf4f6c746f3bb6e7a8678bad9cd5df861cfa3
SHA512 1c9e1eece5b307a7c8a364975ed779616c5ea0b87c40c372f04ff7d00b8167b5392201779f92f50a63bfd5272afac4b618222c64b9dec6ceb6cb8e97c586cfc4

memory/2468-129-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1712-127-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1712-126-0x0000000000440000-0x0000000000473000-memory.dmp

\Windows\SysWOW64\Kpgffe32.exe

MD5 9390fe35e4ff15368b10d1ff8b0ef502
SHA1 c6e0c55d462b3ea019b47d7a0140b9e69d75a39c
SHA256 e712c445adca16813f877bcfcc444c3491a9518b1fc80b6b5df0470375f25376
SHA512 a1c85004e5ff23a7d59a7672a3db1e77e7d2eed9a4cc7460f884cad8d7954ca0d196a08ac0bd169771275bef9200913e2a815195e9676d4d1f16e7587897f3be

memory/808-143-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kklkcn32.exe

MD5 85d9fe2ca79244aac59425940b3f5767
SHA1 1d7f83002ea42377eb0898344625679f2f5dc784
SHA256 45140c0613e3e5a304d1abcc9b8ee6ec98d54b487a29f083c3ed388b60d103e7
SHA512 31686817a9c272b68adcfb82b79b0b97aaf721e5afd79687fd4ea4658c770bf724a456be761ca43929b8696adead01642f752af88b38e12a2df2b398ef0cce71

memory/2476-155-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Kcgphp32.exe

MD5 decf640c03339f5eaa1fada0c683d029
SHA1 44813d8b87c9e01e4b0865ba77ad9efe20d7efeb
SHA256 0e61bd48404ca5e19e4c79957b39ebfd92ef9c3c7e44fcffa2436e700f6ba0c6
SHA512 0eece59a07eace99e825ea214f5863023018320f531356fb85901e8bc7481d83873db33b6081eb5d815eadc05702b9dc5e6537e3fbae1363c72563605ffd5872

memory/1168-168-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2448-181-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Lonpma32.exe

MD5 5ffcf4e23394828dbee7e7add964fab5
SHA1 0a2573bcf0f4d0eba72f4b63dd7c4982f6067c0f
SHA256 2ae0d2f5ca6a3fe55ea948524e4a35a50400ac5ac860efba875bcb791a9c3d4a
SHA512 40535a1522d46de50813355cb7d3fa6353c3b3fcfbdc282e6ac37359097aa8a6e67387df25cca9cd7dc76d9b3c0ca6ded204a40d932b5a27ac7e99c48d9f3010

C:\Windows\SysWOW64\Lfhhjklc.exe

MD5 c38f2c2020f840f447dabdc0ff4afbef
SHA1 037a5d164b1f1bd13ac0ed67f267a8bfb68bbb94
SHA256 2bace8706f380c7c5151e5712bda2de8f979bde1eaa4d6fcc1a8224020271bee
SHA512 01c9080dd87d7459a79d561273222e678178dad6ca7d36dcbbdae8231f47c95fc2ef4ab0ff18499436f287e65811c9fe619319b16c054abe8a88cfdc4c80749a

C:\Windows\SysWOW64\Lhfefgkg.exe

MD5 956cd896ee61d22d6b63e1994f5ef598
SHA1 ba80e6f8c003309a4bbb188e6510a74229c68159
SHA256 ba31eb788804d232b3a4ae72a8f5e1d83b527846ae459c78d99a48c1e69ebb31
SHA512 368225b0f65a224f4da07d932f0b508d5da792fe0608d8ae6468b2e738760e63dc6c5cb3b8e335363c1c6782113403e58a733e167360809ce09a115ec7d37536

memory/2136-220-0x0000000000400000-0x0000000000433000-memory.dmp

memory/284-230-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1924-249-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1772-271-0x0000000000400000-0x0000000000433000-memory.dmp

memory/956-270-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/956-269-0x0000000000290000-0x00000000002C3000-memory.dmp

C:\Windows\SysWOW64\Lhknaf32.exe

MD5 7f6178c242c2cfb3d457bc65d17ba18a
SHA1 d3fd9d8af20579ef689a585dc4e0725384242226
SHA256 c45c09fd6e9ebbba52a051fb21f2b73d311ad9f6ef3e2660458839d48d8569e7
SHA512 0b8d13d89b7ff94f3ddba0588eae249ea4bda249087ea838d852ed8ce2568852212f99a4cd61574efb1ce5ef7a614c0222ea73616da118b70bfb3be66106e031

memory/956-260-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1924-259-0x0000000000280000-0x00000000002B3000-memory.dmp

C:\Windows\SysWOW64\Lbafdlod.exe

MD5 c3a6ed79c1df462280c17f9537a52c4e
SHA1 4f2e83aa1ac01ba84013be26a19f0598d2e712a3
SHA256 9e7cf521cb73a7195133603ac95694ee31de10439d1e7728d45d5e73ea1e1af8
SHA512 33ae7e5041baee20f4665bca7bde79a33c12681fbeba9c8de77fdf7724a8dc14090fb08422e792174538b32aac24337a8ddec8269a56246358c681e885844400

memory/1924-255-0x0000000000280000-0x00000000002B3000-memory.dmp

memory/1868-248-0x00000000002F0000-0x0000000000323000-memory.dmp

C:\Windows\SysWOW64\Locjhqpa.exe

MD5 479637fd53f2033e4b0e7ec63ff44480
SHA1 9a76b539002c818ef874abe36358c66c6a56e34b
SHA256 e0afe0025629085dc794bc054b7ab7c3abe0f8f6648bf593a819cab95bde2ec6
SHA512 50c1d5b4e87ef1773748c7e27498b9f60af8509dc4c3e54f892c8d58768fa6b5d2f7002b81f51a038bbf0313164c7f8afc21de8ff20e2aea7da73b0f9039ecbb

memory/1868-239-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ljfapjbi.exe

MD5 01dc966e10f802d5b221e0d4eaed3647
SHA1 471a92caea8a5b777676ab8c5c42d51bf8171c97
SHA256 3de1c5251cc3c159a90b1bd99618a9e4543d4cec717c17facab417c29ff1bd9f
SHA512 159590f81a6b0ba77c13a0d1f578042f7a199c0485bea2868c16c532e5016cd1575733bfbee881c5f776fc21d7dce0b0fd3f2f888ef49f26d331ea8e9e688632

C:\Windows\SysWOW64\Lclicpkm.exe

MD5 cf9b5c391cd531a73f14978604421d5e
SHA1 31c200e6cc2a388a1678fae0a34d4160c7c3eeba
SHA256 e5f84b74436a59e58fc8a4bf3aaa7fc8bb8683d7c1ee9b6aed78b0d618456337
SHA512 8763423ff2a76425ecab2395189b57050a23ff8ac8894344c9f7f4425c3f6182cbedeab65fdf7ec15fa58e8a3bb027b7ad8c1402fa8ec29f12662542a9e503b0

memory/1704-207-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2388-194-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Knmdeioh.exe

MD5 27cc267c2601bc91474e9835663d9217
SHA1 a5e5fe5354325c14baf5abe08034e42d8fbc771c
SHA256 3c06eec864fc1decec70d8820a848c249c08f3418e47a2d87b56842edda83a50
SHA512 0290ff9a6e88a99be240fc6e7b8d27c0ad40c8c87e1ddb213261d99f232f8d87c8de91ff0276a82e3f484368febbc0a358eed38e4719b71093e94f433554f46f

memory/1772-277-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1772-281-0x0000000000440000-0x0000000000473000-memory.dmp

C:\Windows\SysWOW64\Lkjjma32.exe

MD5 daa138dea2bc42e89d91927878cae202
SHA1 7382c32aa097a7855388fea7b06158fbeca678dd
SHA256 d32c648e31b94a8cc559b1cebb0a01ddf4cfbfc7af2b01158a023e06138c7e60
SHA512 14dc5e5d873445141279c91d3d941e926f9634f2fe65a4eea261b53c609477cf16e8d14868d3a1b50f5ca0516d87f79ddcc2fd7b9d0a75dcd69109ca849c18de

memory/316-282-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pkcbnanl.exe

MD5 21ed197d1a360de97feecaeecddfc716
SHA1 421505837c636f1bdc3ad2b377065779fac18914
SHA256 0937e5f9a04811ea2560b65be2a181e06a469719f8565d0a9ad5ea49801dd88f
SHA512 9f313f7aea09c2879437fefb9458abdc02cb3cb0782336867b6c6a3a5bead0a6c3552a746dc31e7b75ee4f4bc0176293206ebac0f8718a9e32cf0eef3ac98f67

memory/2172-292-0x0000000000400000-0x0000000000433000-memory.dmp

memory/316-291-0x00000000002D0000-0x0000000000303000-memory.dmp

C:\Windows\SysWOW64\Pleofj32.exe

MD5 d274dc34b588b8114e56c066b02a4304
SHA1 fb3f4a896326cf9ae89cd046176c3c4e85b18ef9
SHA256 c44ff7d563fccfe6858a1da50a79e94ef75491dc6ba1cc317b835ed9a4e0437d
SHA512 58972ddbe4d4e2109efddea4f01a31d4fa08b928c50221314543a3980946b20c1cb81a6112679a8c96594377957997ed77e33c622a5d37bc68d042de9880bd7a

memory/2172-301-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2172-303-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1740-302-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2148-314-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1740-313-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1740-312-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Qpbglhjq.exe

MD5 11ceff3fa4d2a321c50d410360b1f69e
SHA1 be44cdb215464d379ec1ff29121aaf2912ff8c52
SHA256 c1130a78901fc6fa7d6d082917f956b0287ee2fcc4e8e0fc4e58d336eceda0ba
SHA512 d6b0e74e15ed4907053135c4b9cea21901b226e0eeb0ce1a567b41bf71b599d661130b69bf301b6e1b832c89f5efa4b5a0974627a410e2c4de11cad7c9ff5043

memory/2148-320-0x0000000000440000-0x0000000000473000-memory.dmp

C:\Windows\SysWOW64\Apgagg32.exe

MD5 269eac0419f7abb3b03b00aa906cf140
SHA1 9f378b5b1460a129af4461c20dcb089be6ffa9d1
SHA256 495f558b9a0b135dbf126376089df68ae3b7cb95a69a0037b52cc6b079ad026e
SHA512 820611a640252e71adf41dee04f95c48b5941a36bbc7a0b4a7eeeeaa7a3d4824e30fd4718bdcd4dd7c6b3c87e4e46ea9337c7f7226a1d9a7e7065bb3a4b02bc0

memory/2244-328-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2380-334-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2244-333-0x00000000002D0000-0x0000000000303000-memory.dmp

C:\Windows\SysWOW64\Acfmcc32.exe

MD5 3e9c18b630cc4bcdcb33e1bb9d6144bf
SHA1 61a13bf1920aead19eb23434e9b6497875b1f3fe
SHA256 205e4ff38a2cf70a293276fecba261378e2b6e37b2c84348844f2513ffa87f4f
SHA512 a3e043459a26a1dabf88c1c978403f017576d56c636d7484ba3755f833de49245c28a1cc437abf70488f4c2a6ba40b52bcb4236c761f17375c8373c7508fc95c

memory/2380-340-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Ahebaiac.exe

MD5 150a83b19438ac9c4fd73dd977d66ece
SHA1 13f2f0ca85c8f0e8f6acabbafb4687077e7e4495
SHA256 f481d89aaece33e181034a0af138cc4c392e474e104efa1fe14dee3a0942bfc5
SHA512 75c945b2c957364a03e6332403d04acf6c2fb3543acca2e48476a70820879f53a6a0fcc78a64e79ee2e8f5910f606a292b4ceac7c1bab2d467458de6a7cb63f8

memory/2380-344-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Akcomepg.exe

MD5 f2c40919b4bc2d77e0cd5dded07a955f
SHA1 12a83a02af19fb041ba1ecdb35f08fb41eefa873
SHA256 07bfe91e789340ab396e5b099ca8f6c28609b471c4c7c8978f07dff521927c56
SHA512 c46a543be7ed72fe0b5d519c140c9f1f94152c86dd8f4e0bca20344b8d14ee749b3db3fc42c3d45a687eb3e5edade9c031a7c9fdf58ae65c6e4dcba8cbb24f7d

memory/3008-350-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2792-356-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2096-355-0x0000000000250000-0x0000000000283000-memory.dmp

memory/3008-354-0x00000000002D0000-0x0000000000303000-memory.dmp

C:\Windows\SysWOW64\Abpcooea.exe

MD5 3585148723f7c8ca817f9e97e5885300
SHA1 636cbcd9f8806ecc9b786c7200a9713a06abaa92
SHA256 6fdadba398872d92ab968b80198f5c3a32be6c50f70e10d74253c86d7e9f9e5e
SHA512 4328cc132c07127f20838863637302c45733998e0f6b910168853b4b93bbd797fc8fc11b2159f46826751f5672f44518b4964156da8ae65b89dd8b42e3af7ff2

memory/2096-365-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2868-370-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1912-371-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2868-373-0x0000000000270000-0x00000000002A3000-memory.dmp

C:\Windows\SysWOW64\Adnpkjde.exe

MD5 84c475666bd5ecf41fec82912edb2ffd
SHA1 87490d250a08a0f58bf268669c7ef800d2a7c024
SHA256 6e77d9a38c257c3c6ab3487d448a60d081254dbf05c3cdcfc6aa0246da1e5040
SHA512 3e5cb0691216e389423a2cc55096b6c9707209aa78842bfc738363ac33c88645ce37d21bccfda34d705e88a589ece617d296a6207e2f51b414c08ee1ff0b7f77

memory/2820-377-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2848-386-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bkjdndjo.exe

MD5 632476521d9a4eca96617f4dbc49ab66
SHA1 160c600f43441beea80d6b7e4513eb2e2f1b17b9
SHA256 9d8a5471688d5aff686d369ae5d438e3a4cdd7fad97ae7c7618800f7040e0b19
SHA512 bc2ab2a3877ee285599785af1d8f2e5ba238b7573329d7dea409e007f8d5a83844ffb8ce66649eed49717e2b03659b6159b7d4ad5d6f7d7ec1d75faa76efda81

memory/2908-392-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2616-398-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1804-397-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2848-395-0x0000000000440000-0x0000000000473000-memory.dmp

C:\Windows\SysWOW64\Bniajoic.exe

MD5 622eec769006e4a0a9f66f9ad54af0fd
SHA1 c16ac64328f20bfce63a91e18483bf88eb0aa7ae
SHA256 33d60fe12bd7b6e37c9b9e3128f427f0543b5bdc57667495dd1bdc60b165eb8d
SHA512 1d1e18a28a5695c511a58f0967c76fd8430bb94cb98eadc55125f7e46ec1d6865929a6185c860455d02291d67372746180d2b9ace713f3effa4d59e35476f931

C:\Windows\SysWOW64\Bqgmfkhg.exe

MD5 4a1a039a53e08076215fde12d59a9088
SHA1 91e343223023406afae9b36a228d6bb5f04561cf
SHA256 85fdd03b2592c332cfb97ddf6f64808934627f902a03eaf830cab5c99202f440
SHA512 00097caec469df1372a5d7266589706d70613758d4753e5b55cb912ac97a23ed0e46ab3df1ac347d582fcd8d86e4910334377b39fb73b5d2d69357bb078fdcb5

memory/2628-407-0x0000000000400000-0x0000000000433000-memory.dmp

memory/940-412-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bchfhfeh.exe

MD5 8095d7aad82abc15e7b9372dd0c16e2e
SHA1 42c4378619a8852fa1cc3e7d522ae262b4a30df0
SHA256 8e96a51f8e4a6b2ba9ec70aa2a6ad8090b5eb4b7bba6aec0d139eff1d2412913
SHA512 f6593eafa034a7f0182c9ff2c5a730e1b1269e9c316f1bd327471001423f4a126597559de748cb3888d3ca05500351f7316734c486d940fb81ace1a95c9af6d0

memory/1848-419-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1712-418-0x0000000000400000-0x0000000000433000-memory.dmp

memory/940-417-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1712-424-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1848-426-0x00000000002D0000-0x0000000000303000-memory.dmp

C:\Windows\SysWOW64\Bfioia32.exe

MD5 f10da8d3cec921f47041cb87f381e83b
SHA1 c60387ebea1b3ccb27ffbf96c6d6a1854ba42d59
SHA256 4546dbe38a09a064088cdb9cac99364bb0ed8b504d739ed436c17cb24e7771ad
SHA512 121c5a5fc536e00c402bf5a2d2adbdb90c0ecddf29492aa17053b39e09eb463d990513717c0b25a1f84637c6a135a99b1cc84fc0c1bd8c61924afa4aa13dc511

memory/2468-431-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1712-430-0x0000000000440000-0x0000000000473000-memory.dmp

C:\Windows\SysWOW64\Bmbgfkje.exe

MD5 19d7d61ab125e114c65e6348f67799c4
SHA1 c3309cc378bb64b7a482fcc098f75d34611260c7
SHA256 118efa532ef3c4b51a85a5ede6e619cd76f4c9931147685ec8833a0d080f5595
SHA512 7e333a482d82d6a4475b4813a8c1f4a0a9514fa5a5b9349d21b7dd41f4d28401c031786f19b6b85985f54cc6d8be81593d65cf48280a117778327f4aaa8a1bdc

memory/1596-443-0x0000000000400000-0x0000000000433000-memory.dmp

memory/808-442-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2468-441-0x0000000000260000-0x0000000000293000-memory.dmp

memory/1956-440-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1596-449-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Coacbfii.exe

MD5 ef6f96fc40c24b86f8ad8902c6d72ba3
SHA1 b6a614f5d40210308bb356543f841694b19318c0
SHA256 81224311dc7b438d78d70064a00915696ae0a1dd83fea1ad5ebe7d1aa9260130
SHA512 de4fb4fbdf567a25269a47220026742738ee70879b63075683e21355988f1192a2841214b3369203bdd96f7282fbf7a8106242bcdb316c036893c222d07cd04a

memory/2260-460-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Cbblda32.exe

MD5 7b84ec50580e8c61340ceff0c2b586b7
SHA1 07880892ec3a4b0a1c3da39dd1233ed59d0f56e0
SHA256 44da0b70b69a7b379543dc1640446a9972af4bdc5ad91599090d7f7c5d76545a
SHA512 ff2abfe84166e78ced1bd597518451449042e1346f72054ffb72b8a273f8e6d39c1b11c782dc9ec8f92f4fbbc58e632c8f086ef06977585e7ec53a0123b74545

memory/1168-465-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2260-464-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2260-459-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2476-458-0x0000000000400000-0x0000000000433000-memory.dmp

memory/572-471-0x00000000005D0000-0x0000000000603000-memory.dmp

C:\Windows\SysWOW64\Cpfmmf32.exe

MD5 a1649293337b22c11f4788be665ec02b
SHA1 ac9ec408df5ae70f2f889c4edf2f51c359b89419
SHA256 462063dcd908b8fce0347bb4deafad63010bbe2218597c13f815a505a9c6ce54
SHA512 c724d630c1fd81d1f42920a60b8fa789de74fd6f4302c1414ee9fa695aae9139cad9fd70175b5cf65cacdab8584773397d008cb1bdd067cc032468fc747f07cf

memory/2448-475-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1480-480-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cgaaah32.exe

MD5 69ff62a1e0ea4a85904f5cb57bb93b57
SHA1 61ec6c68276c9a961750ea8a15c2f29356ba6f4b
SHA256 20b9e051a9c07305416468d415e157f054b6183ee7d5524ac0736b5df84c5c59
SHA512 98f9ebe19e719a1576a2cf805e8e450ff33b12e46065a18f1593eaf206aa45ae5b6b499f9d0a0945724ee2a5cfb83da345c54fb13413aff2a663cd277eff719c

memory/2388-486-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1480-485-0x0000000000440000-0x0000000000473000-memory.dmp

C:\Windows\SysWOW64\Clojhf32.exe

MD5 0bfd93d38cfb52835c2671c16035add9
SHA1 10d701a1286f8bfd6c42d8884c543e684035d489
SHA256 a150a0a4e0109480ed0b4b96b74cb4f721fe4b149f3b5d83111d4b506e9ec4d3
SHA512 b64c6ce2d8f823ab94f6dcf89be80fbd476edf71248ea51ce426618310062ac66d42aa79125ff0e408d77855cc36ef2fbd8fd43cf94275d217ca3d71b32dce65

memory/1704-503-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cnmfdb32.exe

MD5 f205d7e193e34f9cdac4c4941f3b8e21
SHA1 cbf1e4da90146ca28d775e2a93dc9e0ab1c60689
SHA256 b412f0a3597b1ef3767fcf626b84380f1193c44a8411f867a566b7de396949be
SHA512 cb000676bf1f29aa7b0f2948b1e3eaacc9d32b499ea8fc786b62e8fc883b30da819fa3d391d86356c14a2b317260817d471cead4e4507af2723d055c77836b16

C:\Windows\SysWOW64\Cmpgpond.exe

MD5 7585a80da377fdb3271a8d9d2002bdfc
SHA1 e090d497fb5bb77562d509792a7f823f58b16fd7
SHA256 cfb7a47785d462e30be937cad8c6351de725048425ddb8e9cc90c41548e269fb
SHA512 a277429c99f5f1bce6f77996a5bf56009d4c27a6178888da5fd881294ada9574d549737cf079098584db05983ef62318d0379922740cfcb9b970fca619e48ce8

C:\Windows\SysWOW64\Dpapaj32.exe

MD5 398fcd29167d0f43e5eb43b13d57565f
SHA1 af6eaec2a836cbce9d52bb33601902ed85af03ef
SHA256 1907738b1ea35eb30c8fccd1de7be0ef9f21b565197cdf9419fe89d0e0a0b24a
SHA512 006f1fcec674b6c86db0a097c49c725a2b282db3e029c7b7328b2116a9360bb413b4a06b0bf0ebde28734ae28efed1a1b7daa0fb8d75c3607d3e94fb5a6a86df

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 15:44

Reported

2024-11-09 15:46

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnnkgl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jgeghp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ldipha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdpaeehj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkceokii.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lqmmmmph.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jgkdbacp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lcggio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gmojkj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jcfggkac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pccahbmn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ahofoogd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mahnhhod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pahpfc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jleijb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Knenkbio.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ljceqb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agdcpkll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mnnkgl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gigaka32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jgkdbacp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkegpb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aefjii32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hoobdp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgnlkfal.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hpabni32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Inlihl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Albpkc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmohno32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Glgcbf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qjfmkk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Okgaijaj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olanmgig.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aolblopj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnoddcef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fijkdmhn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcimdh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdmdnadc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdigadjo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjokgg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bebjdgmj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Clchbqoo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fpdcag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kgipcogp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hbhboolf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nfaemp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkphhgfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Boeebnhp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebimgcfi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Glgcbf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mmfkhmdi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kmaopfjm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aogiap32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gmojkj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmhgmmbf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjlhgaqp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Alqjpi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Idfaefkd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mccfdmmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mccfdmmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hlbcnd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Amcehdod.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Akamff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdmqmc32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Llflea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lacdmh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mahnhhod.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnnkgl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjellmbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Nknobkje.exe N/A
N/A N/A C:\Windows\SysWOW64\Nahgoe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okchnk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Okgaijaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Oaajed32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oklkdi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pllgnl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pahpfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Phganm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qhlkilba.exe N/A
N/A N/A C:\Windows\SysWOW64\Qaflgago.exe N/A
N/A N/A C:\Windows\SysWOW64\Akoqpg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Akamff32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alqjpi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcddcbab.exe N/A
N/A N/A C:\Windows\SysWOW64\Bblnindg.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmcolgbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Cimmggfl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccbadp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmjemflb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dckdjomg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dihlbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efafgifc.exe N/A
N/A N/A C:\Windows\SysWOW64\Emphocjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiieicml.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpbmfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbhpch32.exe N/A
N/A N/A C:\Windows\SysWOW64\Flqdlnde.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbmingjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Gigaka32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmdjapgb.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkhkjd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfokoelp.exe N/A
N/A N/A C:\Windows\SysWOW64\Gphphj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hloqml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgdejd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdhedh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpofii32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hginecde.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpabni32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlhccj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgmgqc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ingpmmgm.exe N/A
N/A N/A C:\Windows\SysWOW64\Icdheded.exe N/A
N/A N/A C:\Windows\SysWOW64\Injmcmej.exe N/A
N/A N/A C:\Windows\SysWOW64\Icfekc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Inlihl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Idfaefkd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikpjbq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipmbjgpi.exe N/A
N/A N/A C:\Windows\SysWOW64\Iggjga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipoopgnf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikdcmpnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlfpdh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgkdbacp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlhljhbg.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdodkebj.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjlmclqa.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpfepf32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Bdbnjdfg.exe C:\Windows\SysWOW64\Boeebnhp.exe N/A
File created C:\Windows\SysWOW64\Hiaafn32.dll C:\Windows\SysWOW64\Gemkelcd.exe N/A
File opened for modification C:\Windows\SysWOW64\Klcekpdo.exe C:\Windows\SysWOW64\Keimof32.exe N/A
File created C:\Windows\SysWOW64\Efeichoo.dll C:\Windows\SysWOW64\Cimmggfl.exe N/A
File created C:\Windows\SysWOW64\Gologg32.dll C:\Windows\SysWOW64\Ikdcmpnl.exe N/A
File created C:\Windows\SysWOW64\Hehkga32.dll C:\Windows\SysWOW64\Nabfjpak.exe N/A
File opened for modification C:\Windows\SysWOW64\Gncchb32.exe C:\Windows\SysWOW64\Gnqfcbnj.exe N/A
File created C:\Windows\SysWOW64\Jenmcggo.exe C:\Windows\SysWOW64\Jleijb32.exe N/A
File created C:\Windows\SysWOW64\Chfegk32.exe C:\Windows\SysWOW64\Ckbemgcp.exe N/A
File created C:\Windows\SysWOW64\Jofill32.dll C:\Windows\SysWOW64\Flqdlnde.exe N/A
File created C:\Windows\SysWOW64\Fgaemg32.dll C:\Windows\SysWOW64\Kgninn32.exe N/A
File created C:\Windows\SysWOW64\Cndeii32.exe C:\Windows\SysWOW64\Clchbqoo.exe N/A
File created C:\Windows\SysWOW64\Pagbaglh.exe C:\Windows\SysWOW64\Pfandnla.exe N/A
File opened for modification C:\Windows\SysWOW64\Pdmdnadc.exe C:\Windows\SysWOW64\Phfcipoo.exe N/A
File created C:\Windows\SysWOW64\Fihnomjp.exe C:\Windows\SysWOW64\Enbjad32.exe N/A
File created C:\Windows\SysWOW64\Fboqkn32.dll C:\Windows\SysWOW64\Lnangaoa.exe N/A
File created C:\Windows\SysWOW64\Pdbeojmh.dll C:\Windows\SysWOW64\Moipoh32.exe N/A
File created C:\Windows\SysWOW64\Nknobkje.exe C:\Windows\SysWOW64\Mjellmbp.exe N/A
File created C:\Windows\SysWOW64\Lmpkadnm.exe C:\Windows\SysWOW64\Lcggio32.exe N/A
File created C:\Windows\SysWOW64\Aogiap32.exe C:\Windows\SysWOW64\Qhmqdemc.exe N/A
File opened for modification C:\Windows\SysWOW64\Aefjii32.exe C:\Windows\SysWOW64\Aolblopj.exe N/A
File created C:\Windows\SysWOW64\Bdgged32.exe C:\Windows\SysWOW64\Bnmoijje.exe N/A
File opened for modification C:\Windows\SysWOW64\Boenhgdd.exe C:\Windows\SysWOW64\Baannc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eiieicml.exe C:\Windows\SysWOW64\Emphocjj.exe N/A
File opened for modification C:\Windows\SysWOW64\Jklinohd.exe C:\Windows\SysWOW64\Jpfepf32.exe N/A
File created C:\Windows\SysWOW64\Ncdmbe32.dll C:\Windows\SysWOW64\Mmpdhboj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncnofeof.exe C:\Windows\SysWOW64\Nnafno32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgnlkfal.exe C:\Windows\SysWOW64\Mmhgmmbf.exe N/A
File opened for modification C:\Windows\SysWOW64\Boihcf32.exe C:\Windows\SysWOW64\Bphgeo32.exe N/A
File created C:\Windows\SysWOW64\Cacckp32.exe C:\Windows\SysWOW64\Ckjknfnh.exe N/A
File created C:\Windows\SysWOW64\Hdhedh32.exe C:\Windows\SysWOW64\Hgdejd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aogiap32.exe C:\Windows\SysWOW64\Qhmqdemc.exe N/A
File created C:\Windows\SysWOW64\Aamknj32.exe C:\Windows\SysWOW64\Aefjii32.exe N/A
File created C:\Windows\SysWOW64\Bdcebook.dll C:\Windows\SysWOW64\Albpkc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Enigke32.exe C:\Windows\SysWOW64\Emhkdmlg.exe N/A
File created C:\Windows\SysWOW64\Jencdebl.dll C:\Windows\SysWOW64\Ljhnlb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nfaemp32.exe C:\Windows\SysWOW64\Npgmpf32.exe N/A
File created C:\Windows\SysWOW64\Bphgeo32.exe C:\Windows\SysWOW64\Bogkmgba.exe N/A
File created C:\Windows\SysWOW64\Jleijb32.exe C:\Windows\SysWOW64\Jekqmhia.exe N/A
File created C:\Windows\SysWOW64\Bjbmjjno.dll C:\Windows\SysWOW64\Klahfp32.exe N/A
File created C:\Windows\SysWOW64\Dddjmo32.dll C:\Windows\SysWOW64\Phfcipoo.exe N/A
File created C:\Windows\SysWOW64\Bghgmioe.dll C:\Windows\SysWOW64\Cogddd32.exe N/A
File created C:\Windows\SysWOW64\Agdcpkll.exe C:\Windows\SysWOW64\Aoioli32.exe N/A
File created C:\Windows\SysWOW64\Qcanijap.dll C:\Windows\SysWOW64\Akamff32.exe N/A
File created C:\Windows\SysWOW64\Ccbadp32.exe C:\Windows\SysWOW64\Cimmggfl.exe N/A
File opened for modification C:\Windows\SysWOW64\Ipmbjgpi.exe C:\Windows\SysWOW64\Ikpjbq32.exe N/A
File created C:\Windows\SysWOW64\Clchbqoo.exe C:\Windows\SysWOW64\Cfipef32.exe N/A
File created C:\Windows\SysWOW64\Iinjhh32.exe C:\Windows\SysWOW64\Imgicgca.exe N/A
File created C:\Windows\SysWOW64\Dafipibl.dll C:\Windows\SysWOW64\Jklinohd.exe N/A
File created C:\Windows\SysWOW64\Ejljgqdp.dll C:\Windows\SysWOW64\Jqknkedi.exe N/A
File created C:\Windows\SysWOW64\Lajlbmed.dll C:\Windows\SysWOW64\Kjjiej32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mnpabe32.exe C:\Windows\SysWOW64\Mkadfj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pagbaglh.exe C:\Windows\SysWOW64\Pfandnla.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkphhgfc.exe C:\Windows\SysWOW64\Bdfpkm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Emphocjj.exe C:\Windows\SysWOW64\Efafgifc.exe N/A
File created C:\Windows\SysWOW64\Jdodkebj.exe C:\Windows\SysWOW64\Jlhljhbg.exe N/A
File opened for modification C:\Windows\SysWOW64\Jjlmclqa.exe C:\Windows\SysWOW64\Jdodkebj.exe N/A
File created C:\Windows\SysWOW64\Dnpdegjp.exe C:\Windows\SysWOW64\Dmohno32.exe N/A
File created C:\Windows\SysWOW64\Migmpjdh.dll C:\Windows\SysWOW64\Iidphgcn.exe N/A
File created C:\Windows\SysWOW64\Ljhpog32.dll C:\Windows\SysWOW64\Nnfgcd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfbcke32.exe C:\Windows\SysWOW64\Cohkokgj.exe N/A
File opened for modification C:\Windows\SysWOW64\Eoideh32.exe C:\Windows\SysWOW64\Enigke32.exe N/A
File created C:\Windows\SysWOW64\Phganm32.exe C:\Windows\SysWOW64\Pahpfc32.exe N/A
File created C:\Windows\SysWOW64\Idfaefkd.exe C:\Windows\SysWOW64\Inlihl32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dkqaoe32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gikdkj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iinjhh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klahfp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kjlopc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nahgoe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Flqdlnde.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Enigke32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hpofii32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Efblbbqd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chfegk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofmdio32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pccahbmn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ebimgcfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Emoadlfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nqbpojnp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nabfjpak.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fihnomjp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hpqldc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ilqoobdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kncaec32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ipmbjgpi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdmqmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdbjhbbd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njhgbp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdhkcb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Offnhpfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oghghb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Inlihl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfnbgc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fmkqpkla.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oakbehfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdfpkm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Injmcmej.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mcecjmkl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Boeebnhp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olanmgig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmhgmmbf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kmkbfeab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmpdhboj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aefjii32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chnbbqpn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cohkokgj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hlhccj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iggjga32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jgeghp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nqmfdj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Imgicgca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjpode32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kpanan32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pagbaglh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hblkjo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jenmcggo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnfihkqm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdmdnadc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gfokoelp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lmpkadnm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ncabfkqo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qaqegecm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Enbjad32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fpkibf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jleijb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Clchbqoo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dijbno32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgnlkfal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmocfo32.dll" C:\Windows\SysWOW64\Pdmdnadc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Emphocjj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Enigke32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmhce32.dll" C:\Windows\SysWOW64\Enigke32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jcfggkac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoaeldi.dll" C:\Windows\SysWOW64\Bphgeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnfkdb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ccbadp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfdpad32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdmfllhn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoaedogc.dll" C:\Windows\SysWOW64\Pkegpb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkgeainn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kdmqmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cndeii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjjfon32.dll" C:\Windows\SysWOW64\Kmkbfeab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmioggn.dll" C:\Windows\SysWOW64\Fihnomjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodolnaf.dll" C:\Windows\SysWOW64\Fflohaij.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fbelcblk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dafppp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Llflea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jpfepf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhfgeigk.dll" C:\Windows\SysWOW64\Olanmgig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aekddhcb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bkgeainn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll" C:\Windows\SysWOW64\Dpkmal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlbcnd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaagdbfm.dll" C:\Windows\SysWOW64\Ocohmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aamebb32.dll" C:\Windows\SysWOW64\Ckjknfnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chnlgjlb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leifdf32.dll" C:\Windows\SysWOW64\Aolblopj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amcehdod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lenicahg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pefabkej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdgged32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobhcgin.dll" C:\Windows\SysWOW64\Lacdmh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kdbjhbbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ocaebc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chkolm32.dll" C:\Windows\SysWOW64\Mmnhcb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefjbddd.dll" C:\Windows\SysWOW64\Jenmcggo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdflmg32.dll" C:\Windows\SysWOW64\Pddhbipj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaafn32.dll" C:\Windows\SysWOW64\Gemkelcd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ibfnqmpf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hlhccj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kgninn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qhmqdemc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jekqmhia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mmnhcb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Omegjomb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oplfkeob.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmjemflb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eleeje32.dll" C:\Windows\SysWOW64\Lmpkadnm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Backpf32.dll" C:\Windows\SysWOW64\Hloqml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnfihkqm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdjljdk.dll" C:\Windows\SysWOW64\Lckiihok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbiipkjk.dll" C:\Windows\SysWOW64\Mmkkmc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kjlopc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihcbd32.dll" C:\Windows\SysWOW64\Oplfkeob.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghdief32.dll" C:\Windows\SysWOW64\Lcnmin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abklmb32.dll" C:\Windows\SysWOW64\Chnbbqpn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Glgcbf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ibfnqmpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmock32.dll" C:\Windows\SysWOW64\Jpfepf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbgbpn32.dll" C:\Windows\SysWOW64\Mcecjmkl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4812 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe C:\Windows\SysWOW64\Llflea32.exe
PID 4812 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe C:\Windows\SysWOW64\Llflea32.exe
PID 4812 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe C:\Windows\SysWOW64\Llflea32.exe
PID 3672 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Llflea32.exe C:\Windows\SysWOW64\Lacdmh32.exe
PID 3672 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Llflea32.exe C:\Windows\SysWOW64\Lacdmh32.exe
PID 3672 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Llflea32.exe C:\Windows\SysWOW64\Lacdmh32.exe
PID 2640 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Lacdmh32.exe C:\Windows\SysWOW64\Mahnhhod.exe
PID 2640 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Lacdmh32.exe C:\Windows\SysWOW64\Mahnhhod.exe
PID 2640 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Lacdmh32.exe C:\Windows\SysWOW64\Mahnhhod.exe
PID 2544 wrote to memory of 3060 N/A C:\Windows\SysWOW64\Mahnhhod.exe C:\Windows\SysWOW64\Mnnkgl32.exe
PID 2544 wrote to memory of 3060 N/A C:\Windows\SysWOW64\Mahnhhod.exe C:\Windows\SysWOW64\Mnnkgl32.exe
PID 2544 wrote to memory of 3060 N/A C:\Windows\SysWOW64\Mahnhhod.exe C:\Windows\SysWOW64\Mnnkgl32.exe
PID 3060 wrote to memory of 1848 N/A C:\Windows\SysWOW64\Mnnkgl32.exe C:\Windows\SysWOW64\Mjellmbp.exe
PID 3060 wrote to memory of 1848 N/A C:\Windows\SysWOW64\Mnnkgl32.exe C:\Windows\SysWOW64\Mjellmbp.exe
PID 3060 wrote to memory of 1848 N/A C:\Windows\SysWOW64\Mnnkgl32.exe C:\Windows\SysWOW64\Mjellmbp.exe
PID 1848 wrote to memory of 752 N/A C:\Windows\SysWOW64\Mjellmbp.exe C:\Windows\SysWOW64\Nknobkje.exe
PID 1848 wrote to memory of 752 N/A C:\Windows\SysWOW64\Mjellmbp.exe C:\Windows\SysWOW64\Nknobkje.exe
PID 1848 wrote to memory of 752 N/A C:\Windows\SysWOW64\Mjellmbp.exe C:\Windows\SysWOW64\Nknobkje.exe
PID 752 wrote to memory of 3644 N/A C:\Windows\SysWOW64\Nknobkje.exe C:\Windows\SysWOW64\Nahgoe32.exe
PID 752 wrote to memory of 3644 N/A C:\Windows\SysWOW64\Nknobkje.exe C:\Windows\SysWOW64\Nahgoe32.exe
PID 752 wrote to memory of 3644 N/A C:\Windows\SysWOW64\Nknobkje.exe C:\Windows\SysWOW64\Nahgoe32.exe
PID 3644 wrote to memory of 4916 N/A C:\Windows\SysWOW64\Nahgoe32.exe C:\Windows\SysWOW64\Okchnk32.exe
PID 3644 wrote to memory of 4916 N/A C:\Windows\SysWOW64\Nahgoe32.exe C:\Windows\SysWOW64\Okchnk32.exe
PID 3644 wrote to memory of 4916 N/A C:\Windows\SysWOW64\Nahgoe32.exe C:\Windows\SysWOW64\Okchnk32.exe
PID 4916 wrote to memory of 312 N/A C:\Windows\SysWOW64\Okchnk32.exe C:\Windows\SysWOW64\Okgaijaj.exe
PID 4916 wrote to memory of 312 N/A C:\Windows\SysWOW64\Okchnk32.exe C:\Windows\SysWOW64\Okgaijaj.exe
PID 4916 wrote to memory of 312 N/A C:\Windows\SysWOW64\Okchnk32.exe C:\Windows\SysWOW64\Okgaijaj.exe
PID 312 wrote to memory of 1216 N/A C:\Windows\SysWOW64\Okgaijaj.exe C:\Windows\SysWOW64\Oaajed32.exe
PID 312 wrote to memory of 1216 N/A C:\Windows\SysWOW64\Okgaijaj.exe C:\Windows\SysWOW64\Oaajed32.exe
PID 312 wrote to memory of 1216 N/A C:\Windows\SysWOW64\Okgaijaj.exe C:\Windows\SysWOW64\Oaajed32.exe
PID 1216 wrote to memory of 5060 N/A C:\Windows\SysWOW64\Oaajed32.exe C:\Windows\SysWOW64\Oklkdi32.exe
PID 1216 wrote to memory of 5060 N/A C:\Windows\SysWOW64\Oaajed32.exe C:\Windows\SysWOW64\Oklkdi32.exe
PID 1216 wrote to memory of 5060 N/A C:\Windows\SysWOW64\Oaajed32.exe C:\Windows\SysWOW64\Oklkdi32.exe
PID 5060 wrote to memory of 220 N/A C:\Windows\SysWOW64\Oklkdi32.exe C:\Windows\SysWOW64\Pllgnl32.exe
PID 5060 wrote to memory of 220 N/A C:\Windows\SysWOW64\Oklkdi32.exe C:\Windows\SysWOW64\Pllgnl32.exe
PID 5060 wrote to memory of 220 N/A C:\Windows\SysWOW64\Oklkdi32.exe C:\Windows\SysWOW64\Pllgnl32.exe
PID 220 wrote to memory of 1524 N/A C:\Windows\SysWOW64\Pllgnl32.exe C:\Windows\SysWOW64\Pahpfc32.exe
PID 220 wrote to memory of 1524 N/A C:\Windows\SysWOW64\Pllgnl32.exe C:\Windows\SysWOW64\Pahpfc32.exe
PID 220 wrote to memory of 1524 N/A C:\Windows\SysWOW64\Pllgnl32.exe C:\Windows\SysWOW64\Pahpfc32.exe
PID 1524 wrote to memory of 4652 N/A C:\Windows\SysWOW64\Pahpfc32.exe C:\Windows\SysWOW64\Phganm32.exe
PID 1524 wrote to memory of 4652 N/A C:\Windows\SysWOW64\Pahpfc32.exe C:\Windows\SysWOW64\Phganm32.exe
PID 1524 wrote to memory of 4652 N/A C:\Windows\SysWOW64\Pahpfc32.exe C:\Windows\SysWOW64\Phganm32.exe
PID 4652 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Phganm32.exe C:\Windows\SysWOW64\Qhlkilba.exe
PID 4652 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Phganm32.exe C:\Windows\SysWOW64\Qhlkilba.exe
PID 4652 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Phganm32.exe C:\Windows\SysWOW64\Qhlkilba.exe
PID 1340 wrote to memory of 4472 N/A C:\Windows\SysWOW64\Qhlkilba.exe C:\Windows\SysWOW64\Qaflgago.exe
PID 1340 wrote to memory of 4472 N/A C:\Windows\SysWOW64\Qhlkilba.exe C:\Windows\SysWOW64\Qaflgago.exe
PID 1340 wrote to memory of 4472 N/A C:\Windows\SysWOW64\Qhlkilba.exe C:\Windows\SysWOW64\Qaflgago.exe
PID 4472 wrote to memory of 4588 N/A C:\Windows\SysWOW64\Qaflgago.exe C:\Windows\SysWOW64\Akoqpg32.exe
PID 4472 wrote to memory of 4588 N/A C:\Windows\SysWOW64\Qaflgago.exe C:\Windows\SysWOW64\Akoqpg32.exe
PID 4472 wrote to memory of 4588 N/A C:\Windows\SysWOW64\Qaflgago.exe C:\Windows\SysWOW64\Akoqpg32.exe
PID 4588 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Akoqpg32.exe C:\Windows\SysWOW64\Akamff32.exe
PID 4588 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Akoqpg32.exe C:\Windows\SysWOW64\Akamff32.exe
PID 4588 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Akoqpg32.exe C:\Windows\SysWOW64\Akamff32.exe
PID 2952 wrote to memory of 2524 N/A C:\Windows\SysWOW64\Akamff32.exe C:\Windows\SysWOW64\Alqjpi32.exe
PID 2952 wrote to memory of 2524 N/A C:\Windows\SysWOW64\Akamff32.exe C:\Windows\SysWOW64\Alqjpi32.exe
PID 2952 wrote to memory of 2524 N/A C:\Windows\SysWOW64\Akamff32.exe C:\Windows\SysWOW64\Alqjpi32.exe
PID 2524 wrote to memory of 4952 N/A C:\Windows\SysWOW64\Alqjpi32.exe C:\Windows\SysWOW64\Bcddcbab.exe
PID 2524 wrote to memory of 4952 N/A C:\Windows\SysWOW64\Alqjpi32.exe C:\Windows\SysWOW64\Bcddcbab.exe
PID 2524 wrote to memory of 4952 N/A C:\Windows\SysWOW64\Alqjpi32.exe C:\Windows\SysWOW64\Bcddcbab.exe
PID 4952 wrote to memory of 756 N/A C:\Windows\SysWOW64\Bcddcbab.exe C:\Windows\SysWOW64\Bblnindg.exe
PID 4952 wrote to memory of 756 N/A C:\Windows\SysWOW64\Bcddcbab.exe C:\Windows\SysWOW64\Bblnindg.exe
PID 4952 wrote to memory of 756 N/A C:\Windows\SysWOW64\Bcddcbab.exe C:\Windows\SysWOW64\Bblnindg.exe
PID 756 wrote to memory of 1572 N/A C:\Windows\SysWOW64\Bblnindg.exe C:\Windows\SysWOW64\Cmcolgbj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe

"C:\Users\Admin\AppData\Local\Temp\e0e564152103ccc6baa8ee750788b444287ecb56489cb7bfa0317bad93a1a5cbN.exe"

C:\Windows\SysWOW64\Llflea32.exe

C:\Windows\system32\Llflea32.exe

C:\Windows\SysWOW64\Lacdmh32.exe

C:\Windows\system32\Lacdmh32.exe

C:\Windows\SysWOW64\Mahnhhod.exe

C:\Windows\system32\Mahnhhod.exe

C:\Windows\SysWOW64\Mnnkgl32.exe

C:\Windows\system32\Mnnkgl32.exe

C:\Windows\SysWOW64\Mjellmbp.exe

C:\Windows\system32\Mjellmbp.exe

C:\Windows\SysWOW64\Nknobkje.exe

C:\Windows\system32\Nknobkje.exe

C:\Windows\SysWOW64\Nahgoe32.exe

C:\Windows\system32\Nahgoe32.exe

C:\Windows\SysWOW64\Okchnk32.exe

C:\Windows\system32\Okchnk32.exe

C:\Windows\SysWOW64\Okgaijaj.exe

C:\Windows\system32\Okgaijaj.exe

C:\Windows\SysWOW64\Oaajed32.exe

C:\Windows\system32\Oaajed32.exe

C:\Windows\SysWOW64\Oklkdi32.exe

C:\Windows\system32\Oklkdi32.exe

C:\Windows\SysWOW64\Pllgnl32.exe

C:\Windows\system32\Pllgnl32.exe

C:\Windows\SysWOW64\Pahpfc32.exe

C:\Windows\system32\Pahpfc32.exe

C:\Windows\SysWOW64\Phganm32.exe

C:\Windows\system32\Phganm32.exe

C:\Windows\SysWOW64\Qhlkilba.exe

C:\Windows\system32\Qhlkilba.exe

C:\Windows\SysWOW64\Qaflgago.exe

C:\Windows\system32\Qaflgago.exe

C:\Windows\SysWOW64\Akoqpg32.exe

C:\Windows\system32\Akoqpg32.exe

C:\Windows\SysWOW64\Akamff32.exe

C:\Windows\system32\Akamff32.exe

C:\Windows\SysWOW64\Alqjpi32.exe

C:\Windows\system32\Alqjpi32.exe

C:\Windows\SysWOW64\Bcddcbab.exe

C:\Windows\system32\Bcddcbab.exe

C:\Windows\SysWOW64\Bblnindg.exe

C:\Windows\system32\Bblnindg.exe

C:\Windows\SysWOW64\Cmcolgbj.exe

C:\Windows\system32\Cmcolgbj.exe

C:\Windows\SysWOW64\Cimmggfl.exe

C:\Windows\system32\Cimmggfl.exe

C:\Windows\SysWOW64\Ccbadp32.exe

C:\Windows\system32\Ccbadp32.exe

C:\Windows\SysWOW64\Cmjemflb.exe

C:\Windows\system32\Cmjemflb.exe

C:\Windows\SysWOW64\Dckdjomg.exe

C:\Windows\system32\Dckdjomg.exe

C:\Windows\SysWOW64\Dihlbf32.exe

C:\Windows\system32\Dihlbf32.exe

C:\Windows\SysWOW64\Efafgifc.exe

C:\Windows\system32\Efafgifc.exe

C:\Windows\SysWOW64\Emphocjj.exe

C:\Windows\system32\Emphocjj.exe

C:\Windows\SysWOW64\Eiieicml.exe

C:\Windows\system32\Eiieicml.exe

C:\Windows\SysWOW64\Fpbmfn32.exe

C:\Windows\system32\Fpbmfn32.exe

C:\Windows\SysWOW64\Fbhpch32.exe

C:\Windows\system32\Fbhpch32.exe

C:\Windows\SysWOW64\Flqdlnde.exe

C:\Windows\system32\Flqdlnde.exe

C:\Windows\SysWOW64\Gbmingjo.exe

C:\Windows\system32\Gbmingjo.exe

C:\Windows\SysWOW64\Gigaka32.exe

C:\Windows\system32\Gigaka32.exe

C:\Windows\SysWOW64\Gmdjapgb.exe

C:\Windows\system32\Gmdjapgb.exe

C:\Windows\SysWOW64\Gkhkjd32.exe

C:\Windows\system32\Gkhkjd32.exe

C:\Windows\SysWOW64\Gfokoelp.exe

C:\Windows\system32\Gfokoelp.exe

C:\Windows\SysWOW64\Gphphj32.exe

C:\Windows\system32\Gphphj32.exe

C:\Windows\SysWOW64\Hloqml32.exe

C:\Windows\system32\Hloqml32.exe

C:\Windows\SysWOW64\Hgdejd32.exe

C:\Windows\system32\Hgdejd32.exe

C:\Windows\SysWOW64\Hdhedh32.exe

C:\Windows\system32\Hdhedh32.exe

C:\Windows\SysWOW64\Hpofii32.exe

C:\Windows\system32\Hpofii32.exe

C:\Windows\SysWOW64\Hginecde.exe

C:\Windows\system32\Hginecde.exe

C:\Windows\SysWOW64\Hpabni32.exe

C:\Windows\system32\Hpabni32.exe

C:\Windows\SysWOW64\Hlhccj32.exe

C:\Windows\system32\Hlhccj32.exe

C:\Windows\SysWOW64\Hgmgqc32.exe

C:\Windows\system32\Hgmgqc32.exe

C:\Windows\SysWOW64\Ingpmmgm.exe

C:\Windows\system32\Ingpmmgm.exe

C:\Windows\SysWOW64\Icdheded.exe

C:\Windows\system32\Icdheded.exe

C:\Windows\SysWOW64\Injmcmej.exe

C:\Windows\system32\Injmcmej.exe

C:\Windows\SysWOW64\Icfekc32.exe

C:\Windows\system32\Icfekc32.exe

C:\Windows\SysWOW64\Inlihl32.exe

C:\Windows\system32\Inlihl32.exe

C:\Windows\SysWOW64\Idfaefkd.exe

C:\Windows\system32\Idfaefkd.exe

C:\Windows\SysWOW64\Ikpjbq32.exe

C:\Windows\system32\Ikpjbq32.exe

C:\Windows\SysWOW64\Ipmbjgpi.exe

C:\Windows\system32\Ipmbjgpi.exe

C:\Windows\SysWOW64\Iggjga32.exe

C:\Windows\system32\Iggjga32.exe

C:\Windows\SysWOW64\Ipoopgnf.exe

C:\Windows\system32\Ipoopgnf.exe

C:\Windows\SysWOW64\Ikdcmpnl.exe

C:\Windows\system32\Ikdcmpnl.exe

C:\Windows\SysWOW64\Jlfpdh32.exe

C:\Windows\system32\Jlfpdh32.exe

C:\Windows\SysWOW64\Jgkdbacp.exe

C:\Windows\system32\Jgkdbacp.exe

C:\Windows\SysWOW64\Jlhljhbg.exe

C:\Windows\system32\Jlhljhbg.exe

C:\Windows\SysWOW64\Jdodkebj.exe

C:\Windows\system32\Jdodkebj.exe

C:\Windows\SysWOW64\Jjlmclqa.exe

C:\Windows\system32\Jjlmclqa.exe

C:\Windows\SysWOW64\Jpfepf32.exe

C:\Windows\system32\Jpfepf32.exe

C:\Windows\SysWOW64\Jklinohd.exe

C:\Windows\system32\Jklinohd.exe

C:\Windows\SysWOW64\Jlmfeg32.exe

C:\Windows\system32\Jlmfeg32.exe

C:\Windows\SysWOW64\Jcgnbaeo.exe

C:\Windows\system32\Jcgnbaeo.exe

C:\Windows\SysWOW64\Jqknkedi.exe

C:\Windows\system32\Jqknkedi.exe

C:\Windows\SysWOW64\Jgeghp32.exe

C:\Windows\system32\Jgeghp32.exe

C:\Windows\SysWOW64\Kmaopfjm.exe

C:\Windows\system32\Kmaopfjm.exe

C:\Windows\SysWOW64\Kdigadjo.exe

C:\Windows\system32\Kdigadjo.exe

C:\Windows\SysWOW64\Kkconn32.exe

C:\Windows\system32\Kkconn32.exe

C:\Windows\SysWOW64\Kmdlffhj.exe

C:\Windows\system32\Kmdlffhj.exe

C:\Windows\SysWOW64\Kgipcogp.exe

C:\Windows\system32\Kgipcogp.exe

C:\Windows\SysWOW64\Kdmqmc32.exe

C:\Windows\system32\Kdmqmc32.exe

C:\Windows\SysWOW64\Kjjiej32.exe

C:\Windows\system32\Kjjiej32.exe

C:\Windows\SysWOW64\Kgninn32.exe

C:\Windows\system32\Kgninn32.exe

C:\Windows\SysWOW64\Kmkbfeab.exe

C:\Windows\system32\Kmkbfeab.exe

C:\Windows\SysWOW64\Kdbjhbbd.exe

C:\Windows\system32\Kdbjhbbd.exe

C:\Windows\SysWOW64\Lklbdm32.exe

C:\Windows\system32\Lklbdm32.exe

C:\Windows\SysWOW64\Lmmolepp.exe

C:\Windows\system32\Lmmolepp.exe

C:\Windows\SysWOW64\Lcggio32.exe

C:\Windows\system32\Lcggio32.exe

C:\Windows\SysWOW64\Lmpkadnm.exe

C:\Windows\system32\Lmpkadnm.exe

C:\Windows\SysWOW64\Ljclki32.exe

C:\Windows\system32\Ljclki32.exe

C:\Windows\SysWOW64\Ldipha32.exe

C:\Windows\system32\Ldipha32.exe

C:\Windows\SysWOW64\Ljfhqh32.exe

C:\Windows\system32\Ljfhqh32.exe

C:\Windows\SysWOW64\Lcnmin32.exe

C:\Windows\system32\Lcnmin32.exe

C:\Windows\SysWOW64\Lndagg32.exe

C:\Windows\system32\Lndagg32.exe

C:\Windows\SysWOW64\Lenicahg.exe

C:\Windows\system32\Lenicahg.exe

C:\Windows\SysWOW64\Mminhceb.exe

C:\Windows\system32\Mminhceb.exe

C:\Windows\SysWOW64\Mccfdmmo.exe

C:\Windows\system32\Mccfdmmo.exe

C:\Windows\SysWOW64\Mmkkmc32.exe

C:\Windows\system32\Mmkkmc32.exe

C:\Windows\SysWOW64\Mcecjmkl.exe

C:\Windows\system32\Mcecjmkl.exe

C:\Windows\SysWOW64\Mjokgg32.exe

C:\Windows\system32\Mjokgg32.exe

C:\Windows\SysWOW64\Mmnhcb32.exe

C:\Windows\system32\Mmnhcb32.exe

C:\Windows\SysWOW64\Mchppmij.exe

C:\Windows\system32\Mchppmij.exe

C:\Windows\SysWOW64\Mmpdhboj.exe

C:\Windows\system32\Mmpdhboj.exe

C:\Windows\SysWOW64\Mkadfj32.exe

C:\Windows\system32\Mkadfj32.exe

C:\Windows\SysWOW64\Mnpabe32.exe

C:\Windows\system32\Mnpabe32.exe

C:\Windows\SysWOW64\Nclikl32.exe

C:\Windows\system32\Nclikl32.exe

C:\Windows\SysWOW64\Nlfnaicd.exe

C:\Windows\system32\Nlfnaicd.exe

C:\Windows\SysWOW64\Nabfjpak.exe

C:\Windows\system32\Nabfjpak.exe

C:\Windows\SysWOW64\Ncabfkqo.exe

C:\Windows\system32\Ncabfkqo.exe

C:\Windows\SysWOW64\Nnfgcd32.exe

C:\Windows\system32\Nnfgcd32.exe

C:\Windows\SysWOW64\Nhokljge.exe

C:\Windows\system32\Nhokljge.exe

C:\Windows\SysWOW64\Nnicid32.exe

C:\Windows\system32\Nnicid32.exe

C:\Windows\SysWOW64\Njpdnedf.exe

C:\Windows\system32\Njpdnedf.exe

C:\Windows\SysWOW64\Najmjokc.exe

C:\Windows\system32\Najmjokc.exe

C:\Windows\SysWOW64\Onnmdcjm.exe

C:\Windows\system32\Onnmdcjm.exe

C:\Windows\SysWOW64\Odjeljhd.exe

C:\Windows\system32\Odjeljhd.exe

C:\Windows\SysWOW64\Olanmgig.exe

C:\Windows\system32\Olanmgig.exe

C:\Windows\SysWOW64\Odmbaj32.exe

C:\Windows\system32\Odmbaj32.exe

C:\Windows\SysWOW64\Oldjcg32.exe

C:\Windows\system32\Oldjcg32.exe

C:\Windows\SysWOW64\Omegjomb.exe

C:\Windows\system32\Omegjomb.exe

C:\Windows\SysWOW64\Ojigdcll.exe

C:\Windows\system32\Ojigdcll.exe

C:\Windows\SysWOW64\Oeokal32.exe

C:\Windows\system32\Oeokal32.exe

C:\Windows\SysWOW64\Omjpeo32.exe

C:\Windows\system32\Omjpeo32.exe

C:\Windows\SysWOW64\Pddhbipj.exe

C:\Windows\system32\Pddhbipj.exe

C:\Windows\SysWOW64\Poimpapp.exe

C:\Windows\system32\Poimpapp.exe

C:\Windows\SysWOW64\Phaahggp.exe

C:\Windows\system32\Phaahggp.exe

C:\Windows\SysWOW64\Poliea32.exe

C:\Windows\system32\Poliea32.exe

C:\Windows\SysWOW64\Pefabkej.exe

C:\Windows\system32\Pefabkej.exe

C:\Windows\SysWOW64\Pdkoch32.exe

C:\Windows\system32\Pdkoch32.exe

C:\Windows\SysWOW64\Pkegpb32.exe

C:\Windows\system32\Pkegpb32.exe

C:\Windows\SysWOW64\Paoollik.exe

C:\Windows\system32\Paoollik.exe

C:\Windows\SysWOW64\Pldcjeia.exe

C:\Windows\system32\Pldcjeia.exe

C:\Windows\SysWOW64\Qmepam32.exe

C:\Windows\system32\Qmepam32.exe

C:\Windows\SysWOW64\Qemhbj32.exe

C:\Windows\system32\Qemhbj32.exe

C:\Windows\SysWOW64\Qmhlgmmm.exe

C:\Windows\system32\Qmhlgmmm.exe

C:\Windows\SysWOW64\Qhmqdemc.exe

C:\Windows\system32\Qhmqdemc.exe

C:\Windows\SysWOW64\Aogiap32.exe

C:\Windows\system32\Aogiap32.exe

C:\Windows\SysWOW64\Aeaanjkl.exe

C:\Windows\system32\Aeaanjkl.exe

C:\Windows\SysWOW64\Aknifq32.exe

C:\Windows\system32\Aknifq32.exe

C:\Windows\SysWOW64\Aahbbkaq.exe

C:\Windows\system32\Aahbbkaq.exe

C:\Windows\SysWOW64\Aolblopj.exe

C:\Windows\system32\Aolblopj.exe

C:\Windows\SysWOW64\Aefjii32.exe

C:\Windows\system32\Aefjii32.exe

C:\Windows\SysWOW64\Aamknj32.exe

C:\Windows\system32\Aamknj32.exe

C:\Windows\SysWOW64\Albpkc32.exe

C:\Windows\system32\Albpkc32.exe

C:\Windows\SysWOW64\Aekddhcb.exe

C:\Windows\system32\Aekddhcb.exe

C:\Windows\SysWOW64\Bnfihkqm.exe

C:\Windows\system32\Bnfihkqm.exe

C:\Windows\SysWOW64\Bdpaeehj.exe

C:\Windows\system32\Bdpaeehj.exe

C:\Windows\SysWOW64\Boeebnhp.exe

C:\Windows\system32\Boeebnhp.exe

C:\Windows\SysWOW64\Bdbnjdfg.exe

C:\Windows\system32\Bdbnjdfg.exe

C:\Windows\SysWOW64\Bohbhmfm.exe

C:\Windows\system32\Bohbhmfm.exe

C:\Windows\SysWOW64\Bebjdgmj.exe

C:\Windows\system32\Bebjdgmj.exe

C:\Windows\SysWOW64\Bllbaa32.exe

C:\Windows\system32\Bllbaa32.exe

C:\Windows\SysWOW64\Bnmoijje.exe

C:\Windows\system32\Bnmoijje.exe

C:\Windows\SysWOW64\Bdgged32.exe

C:\Windows\system32\Bdgged32.exe

C:\Windows\SysWOW64\Bnoknihb.exe

C:\Windows\system32\Bnoknihb.exe

C:\Windows\SysWOW64\Bheplb32.exe

C:\Windows\system32\Bheplb32.exe

C:\Windows\SysWOW64\Cfipef32.exe

C:\Windows\system32\Cfipef32.exe

C:\Windows\SysWOW64\Clchbqoo.exe

C:\Windows\system32\Clchbqoo.exe

C:\Windows\SysWOW64\Cndeii32.exe

C:\Windows\system32\Cndeii32.exe

C:\Windows\SysWOW64\Cdnmfclj.exe

C:\Windows\system32\Cdnmfclj.exe

C:\Windows\SysWOW64\Cocacl32.exe

C:\Windows\system32\Cocacl32.exe

C:\Windows\SysWOW64\Cdpjlb32.exe

C:\Windows\system32\Cdpjlb32.exe

C:\Windows\SysWOW64\Cnindhpg.exe

C:\Windows\system32\Cnindhpg.exe

C:\Windows\SysWOW64\Chnbbqpn.exe

C:\Windows\system32\Chnbbqpn.exe

C:\Windows\SysWOW64\Cohkokgj.exe

C:\Windows\system32\Cohkokgj.exe

C:\Windows\SysWOW64\Cfbcke32.exe

C:\Windows\system32\Cfbcke32.exe

C:\Windows\SysWOW64\Dokgdkeh.exe

C:\Windows\system32\Dokgdkeh.exe

C:\Windows\SysWOW64\Dfdpad32.exe

C:\Windows\system32\Dfdpad32.exe

C:\Windows\SysWOW64\Dmohno32.exe

C:\Windows\system32\Dmohno32.exe

C:\Windows\SysWOW64\Dnpdegjp.exe

C:\Windows\system32\Dnpdegjp.exe

C:\Windows\SysWOW64\Dkceokii.exe

C:\Windows\system32\Dkceokii.exe

C:\Windows\SysWOW64\Dfiildio.exe

C:\Windows\system32\Dfiildio.exe

C:\Windows\SysWOW64\Dbpjaeoc.exe

C:\Windows\system32\Dbpjaeoc.exe

C:\Windows\SysWOW64\Dijbno32.exe

C:\Windows\system32\Dijbno32.exe

C:\Windows\SysWOW64\Dfnbgc32.exe

C:\Windows\system32\Dfnbgc32.exe

C:\Windows\SysWOW64\Emhkdmlg.exe

C:\Windows\system32\Emhkdmlg.exe

C:\Windows\SysWOW64\Enigke32.exe

C:\Windows\system32\Enigke32.exe

C:\Windows\SysWOW64\Eoideh32.exe

C:\Windows\system32\Eoideh32.exe

C:\Windows\SysWOW64\Efblbbqd.exe

C:\Windows\system32\Efblbbqd.exe

C:\Windows\SysWOW64\Ebimgcfi.exe

C:\Windows\system32\Ebimgcfi.exe

C:\Windows\SysWOW64\Eehicoel.exe

C:\Windows\system32\Eehicoel.exe

C:\Windows\SysWOW64\Emoadlfo.exe

C:\Windows\system32\Emoadlfo.exe

C:\Windows\SysWOW64\Efgemb32.exe

C:\Windows\system32\Efgemb32.exe

C:\Windows\SysWOW64\Enbjad32.exe

C:\Windows\system32\Enbjad32.exe

C:\Windows\SysWOW64\Fihnomjp.exe

C:\Windows\system32\Fihnomjp.exe

C:\Windows\SysWOW64\Fflohaij.exe

C:\Windows\system32\Fflohaij.exe

C:\Windows\SysWOW64\Fijkdmhn.exe

C:\Windows\system32\Fijkdmhn.exe

C:\Windows\SysWOW64\Fpdcag32.exe

C:\Windows\system32\Fpdcag32.exe

C:\Windows\SysWOW64\Ffnknafg.exe

C:\Windows\system32\Ffnknafg.exe

C:\Windows\SysWOW64\Fbelcblk.exe

C:\Windows\system32\Fbelcblk.exe

C:\Windows\SysWOW64\Fechomko.exe

C:\Windows\system32\Fechomko.exe

C:\Windows\SysWOW64\Fmkqpkla.exe

C:\Windows\system32\Fmkqpkla.exe

C:\Windows\SysWOW64\Fpkibf32.exe

C:\Windows\system32\Fpkibf32.exe

C:\Windows\SysWOW64\Gehbjm32.exe

C:\Windows\system32\Gehbjm32.exe

C:\Windows\SysWOW64\Gmojkj32.exe

C:\Windows\system32\Gmojkj32.exe

C:\Windows\SysWOW64\Gnqfcbnj.exe

C:\Windows\system32\Gnqfcbnj.exe

C:\Windows\SysWOW64\Gncchb32.exe

C:\Windows\system32\Gncchb32.exe

C:\Windows\SysWOW64\Gemkelcd.exe

C:\Windows\system32\Gemkelcd.exe

C:\Windows\SysWOW64\Glgcbf32.exe

C:\Windows\system32\Glgcbf32.exe

C:\Windows\SysWOW64\Gbalopbn.exe

C:\Windows\system32\Gbalopbn.exe

C:\Windows\SysWOW64\Gikdkj32.exe

C:\Windows\system32\Gikdkj32.exe

C:\Windows\SysWOW64\Gpelhd32.exe

C:\Windows\system32\Gpelhd32.exe

C:\Windows\SysWOW64\Gmimai32.exe

C:\Windows\system32\Gmimai32.exe

C:\Windows\SysWOW64\Gojiiafp.exe

C:\Windows\system32\Gojiiafp.exe

C:\Windows\SysWOW64\Hpiecd32.exe

C:\Windows\system32\Hpiecd32.exe

C:\Windows\SysWOW64\Hbhboolf.exe

C:\Windows\system32\Hbhboolf.exe

C:\Windows\SysWOW64\Hoobdp32.exe

C:\Windows\system32\Hoobdp32.exe

C:\Windows\SysWOW64\Hehkajig.exe

C:\Windows\system32\Hehkajig.exe

C:\Windows\SysWOW64\Hlbcnd32.exe

C:\Windows\system32\Hlbcnd32.exe

C:\Windows\SysWOW64\Hblkjo32.exe

C:\Windows\system32\Hblkjo32.exe

C:\Windows\SysWOW64\Hpqldc32.exe

C:\Windows\system32\Hpqldc32.exe

C:\Windows\SysWOW64\Hfjdqmng.exe

C:\Windows\system32\Hfjdqmng.exe

C:\Windows\SysWOW64\Hmdlmg32.exe

C:\Windows\system32\Hmdlmg32.exe

C:\Windows\SysWOW64\Imgicgca.exe

C:\Windows\system32\Imgicgca.exe

C:\Windows\SysWOW64\Iinjhh32.exe

C:\Windows\system32\Iinjhh32.exe

C:\Windows\SysWOW64\Ipgbdbqb.exe

C:\Windows\system32\Ipgbdbqb.exe

C:\Windows\SysWOW64\Ibfnqmpf.exe

C:\Windows\system32\Ibfnqmpf.exe

C:\Windows\SysWOW64\Iipfmggc.exe

C:\Windows\system32\Iipfmggc.exe

C:\Windows\SysWOW64\Iefgbh32.exe

C:\Windows\system32\Iefgbh32.exe

C:\Windows\SysWOW64\Ilqoobdd.exe

C:\Windows\system32\Ilqoobdd.exe

C:\Windows\SysWOW64\Ickglm32.exe

C:\Windows\system32\Ickglm32.exe

C:\Windows\SysWOW64\Iidphgcn.exe

C:\Windows\system32\Iidphgcn.exe

C:\Windows\SysWOW64\Jekqmhia.exe

C:\Windows\system32\Jekqmhia.exe

C:\Windows\SysWOW64\Jleijb32.exe

C:\Windows\system32\Jleijb32.exe

C:\Windows\SysWOW64\Jenmcggo.exe

C:\Windows\system32\Jenmcggo.exe

C:\Windows\SysWOW64\Jlgepanl.exe

C:\Windows\system32\Jlgepanl.exe

C:\Windows\SysWOW64\Jilfifme.exe

C:\Windows\system32\Jilfifme.exe

C:\Windows\SysWOW64\Jpenfp32.exe

C:\Windows\system32\Jpenfp32.exe

C:\Windows\SysWOW64\Jllokajf.exe

C:\Windows\system32\Jllokajf.exe

C:\Windows\SysWOW64\Jcfggkac.exe

C:\Windows\system32\Jcfggkac.exe

C:\Windows\SysWOW64\Jjpode32.exe

C:\Windows\system32\Jjpode32.exe

C:\Windows\SysWOW64\Komhll32.exe

C:\Windows\system32\Komhll32.exe

C:\Windows\SysWOW64\Klahfp32.exe

C:\Windows\system32\Klahfp32.exe

C:\Windows\SysWOW64\Koodbl32.exe

C:\Windows\system32\Koodbl32.exe

C:\Windows\SysWOW64\Keimof32.exe

C:\Windows\system32\Keimof32.exe

C:\Windows\SysWOW64\Klcekpdo.exe

C:\Windows\system32\Klcekpdo.exe

C:\Windows\SysWOW64\Kncaec32.exe

C:\Windows\system32\Kncaec32.exe

C:\Windows\SysWOW64\Kpanan32.exe

C:\Windows\system32\Kpanan32.exe

C:\Windows\SysWOW64\Kgkfnh32.exe

C:\Windows\system32\Kgkfnh32.exe

C:\Windows\SysWOW64\Knenkbio.exe

C:\Windows\system32\Knenkbio.exe

C:\Windows\SysWOW64\Kjlopc32.exe

C:\Windows\system32\Kjlopc32.exe

C:\Windows\SysWOW64\Lgpoihnl.exe

C:\Windows\system32\Lgpoihnl.exe

C:\Windows\SysWOW64\Lnjgfb32.exe

C:\Windows\system32\Lnjgfb32.exe

C:\Windows\SysWOW64\Ljqhkckn.exe

C:\Windows\system32\Ljqhkckn.exe

C:\Windows\SysWOW64\Lqkqhm32.exe

C:\Windows\system32\Lqkqhm32.exe

C:\Windows\SysWOW64\Lcimdh32.exe

C:\Windows\system32\Lcimdh32.exe

C:\Windows\SysWOW64\Ljceqb32.exe

C:\Windows\system32\Ljceqb32.exe

C:\Windows\SysWOW64\Lqmmmmph.exe

C:\Windows\system32\Lqmmmmph.exe

C:\Windows\SysWOW64\Lckiihok.exe

C:\Windows\system32\Lckiihok.exe

C:\Windows\SysWOW64\Lnangaoa.exe

C:\Windows\system32\Lnangaoa.exe

C:\Windows\SysWOW64\Ljhnlb32.exe

C:\Windows\system32\Ljhnlb32.exe

C:\Windows\SysWOW64\Mmfkhmdi.exe

C:\Windows\system32\Mmfkhmdi.exe

C:\Windows\SysWOW64\Modgdicm.exe

C:\Windows\system32\Modgdicm.exe

C:\Windows\SysWOW64\Mmhgmmbf.exe

C:\Windows\system32\Mmhgmmbf.exe

C:\Windows\SysWOW64\Mgnlkfal.exe

C:\Windows\system32\Mgnlkfal.exe

C:\Windows\SysWOW64\Mjlhgaqp.exe

C:\Windows\system32\Mjlhgaqp.exe

C:\Windows\SysWOW64\Moipoh32.exe

C:\Windows\system32\Moipoh32.exe

C:\Windows\SysWOW64\Mqimikfj.exe

C:\Windows\system32\Mqimikfj.exe

C:\Windows\SysWOW64\Mcgiefen.exe

C:\Windows\system32\Mcgiefen.exe

C:\Windows\SysWOW64\Mjaabq32.exe

C:\Windows\system32\Mjaabq32.exe

C:\Windows\SysWOW64\Mqkiok32.exe

C:\Windows\system32\Mqkiok32.exe

C:\Windows\SysWOW64\Nqmfdj32.exe

C:\Windows\system32\Nqmfdj32.exe

C:\Windows\SysWOW64\Nnafno32.exe

C:\Windows\system32\Nnafno32.exe

C:\Windows\SysWOW64\Ncnofeof.exe

C:\Windows\system32\Ncnofeof.exe

C:\Windows\SysWOW64\Njhgbp32.exe

C:\Windows\system32\Njhgbp32.exe

C:\Windows\SysWOW64\Nqbpojnp.exe

C:\Windows\system32\Nqbpojnp.exe

C:\Windows\SysWOW64\Ncqlkemc.exe

C:\Windows\system32\Ncqlkemc.exe

C:\Windows\SysWOW64\Nnfpinmi.exe

C:\Windows\system32\Nnfpinmi.exe

C:\Windows\SysWOW64\Npgmpf32.exe

C:\Windows\system32\Npgmpf32.exe

C:\Windows\SysWOW64\Nfaemp32.exe

C:\Windows\system32\Nfaemp32.exe

C:\Windows\SysWOW64\Ngqagcag.exe

C:\Windows\system32\Ngqagcag.exe

C:\Windows\SysWOW64\Omnjojpo.exe

C:\Windows\system32\Omnjojpo.exe

C:\Windows\SysWOW64\Oplfkeob.exe

C:\Windows\system32\Oplfkeob.exe

C:\Windows\SysWOW64\Offnhpfo.exe

C:\Windows\system32\Offnhpfo.exe

C:\Windows\SysWOW64\Oakbehfe.exe

C:\Windows\system32\Oakbehfe.exe

C:\Windows\SysWOW64\Onocomdo.exe

C:\Windows\system32\Onocomdo.exe

C:\Windows\SysWOW64\Oghghb32.exe

C:\Windows\system32\Oghghb32.exe

C:\Windows\SysWOW64\Ocohmc32.exe

C:\Windows\system32\Ocohmc32.exe

C:\Windows\SysWOW64\Ofmdio32.exe

C:\Windows\system32\Ofmdio32.exe

C:\Windows\SysWOW64\Ocaebc32.exe

C:\Windows\system32\Ocaebc32.exe

C:\Windows\SysWOW64\Pfoann32.exe

C:\Windows\system32\Pfoann32.exe

C:\Windows\SysWOW64\Pmiikh32.exe

C:\Windows\system32\Pmiikh32.exe

C:\Windows\SysWOW64\Pccahbmn.exe

C:\Windows\system32\Pccahbmn.exe

C:\Windows\SysWOW64\Pfandnla.exe

C:\Windows\system32\Pfandnla.exe

C:\Windows\SysWOW64\Pagbaglh.exe

C:\Windows\system32\Pagbaglh.exe

C:\Windows\SysWOW64\Pjpfjl32.exe

C:\Windows\system32\Pjpfjl32.exe

C:\Windows\SysWOW64\Pdhkcb32.exe

C:\Windows\system32\Pdhkcb32.exe

C:\Windows\SysWOW64\Pjbcplpe.exe

C:\Windows\system32\Pjbcplpe.exe

C:\Windows\SysWOW64\Palklf32.exe

C:\Windows\system32\Palklf32.exe

C:\Windows\SysWOW64\Phfcipoo.exe

C:\Windows\system32\Phfcipoo.exe

C:\Windows\SysWOW64\Pdmdnadc.exe

C:\Windows\system32\Pdmdnadc.exe

C:\Windows\SysWOW64\Qjfmkk32.exe

C:\Windows\system32\Qjfmkk32.exe

C:\Windows\SysWOW64\Qaqegecm.exe

C:\Windows\system32\Qaqegecm.exe

C:\Windows\SysWOW64\Qhjmdp32.exe

C:\Windows\system32\Qhjmdp32.exe

C:\Windows\SysWOW64\Qdaniq32.exe

C:\Windows\system32\Qdaniq32.exe

C:\Windows\SysWOW64\Afpjel32.exe

C:\Windows\system32\Afpjel32.exe

C:\Windows\SysWOW64\Ahofoogd.exe

C:\Windows\system32\Ahofoogd.exe

C:\Windows\SysWOW64\Aoioli32.exe

C:\Windows\system32\Aoioli32.exe

C:\Windows\SysWOW64\Agdcpkll.exe

C:\Windows\system32\Agdcpkll.exe

C:\Windows\SysWOW64\Adhdjpjf.exe

C:\Windows\system32\Adhdjpjf.exe

C:\Windows\SysWOW64\Amcehdod.exe

C:\Windows\system32\Amcehdod.exe

C:\Windows\SysWOW64\Bdmmeo32.exe

C:\Windows\system32\Bdmmeo32.exe

C:\Windows\SysWOW64\Bkgeainn.exe

C:\Windows\system32\Bkgeainn.exe

C:\Windows\SysWOW64\Baannc32.exe

C:\Windows\system32\Baannc32.exe

C:\Windows\SysWOW64\Boenhgdd.exe

C:\Windows\system32\Boenhgdd.exe

C:\Windows\SysWOW64\Bgpcliao.exe

C:\Windows\system32\Bgpcliao.exe

C:\Windows\SysWOW64\Bogkmgba.exe

C:\Windows\system32\Bogkmgba.exe

C:\Windows\SysWOW64\Bphgeo32.exe

C:\Windows\system32\Bphgeo32.exe

C:\Windows\SysWOW64\Boihcf32.exe

C:\Windows\system32\Boihcf32.exe

C:\Windows\SysWOW64\Bdfpkm32.exe

C:\Windows\system32\Bdfpkm32.exe

C:\Windows\SysWOW64\Bkphhgfc.exe

C:\Windows\system32\Bkphhgfc.exe

C:\Windows\SysWOW64\Bnoddcef.exe

C:\Windows\system32\Bnoddcef.exe

C:\Windows\SysWOW64\Cdimqm32.exe

C:\Windows\system32\Cdimqm32.exe

C:\Windows\SysWOW64\Ckbemgcp.exe

C:\Windows\system32\Ckbemgcp.exe

C:\Windows\SysWOW64\Chfegk32.exe

C:\Windows\system32\Chfegk32.exe

C:\Windows\SysWOW64\Coqncejg.exe

C:\Windows\system32\Coqncejg.exe

C:\Windows\SysWOW64\Cdmfllhn.exe

C:\Windows\system32\Cdmfllhn.exe

C:\Windows\SysWOW64\Ckgohf32.exe

C:\Windows\system32\Ckgohf32.exe

C:\Windows\SysWOW64\Cnfkdb32.exe

C:\Windows\system32\Cnfkdb32.exe

C:\Windows\SysWOW64\Cdpcal32.exe

C:\Windows\system32\Cdpcal32.exe

C:\Windows\SysWOW64\Ckjknfnh.exe

C:\Windows\system32\Ckjknfnh.exe

C:\Windows\SysWOW64\Cacckp32.exe

C:\Windows\system32\Cacckp32.exe

C:\Windows\SysWOW64\Chnlgjlb.exe

C:\Windows\system32\Chnlgjlb.exe

C:\Windows\SysWOW64\Cogddd32.exe

C:\Windows\system32\Cogddd32.exe

C:\Windows\SysWOW64\Dafppp32.exe

C:\Windows\system32\Dafppp32.exe

C:\Windows\SysWOW64\Dgcihgaj.exe

C:\Windows\system32\Dgcihgaj.exe

C:\Windows\SysWOW64\Dpkmal32.exe

C:\Windows\system32\Dpkmal32.exe

C:\Windows\SysWOW64\Dkqaoe32.exe

C:\Windows\system32\Dkqaoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 9208 -ip 9208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 9208 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 72.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/4812-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4812-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Llflea32.exe

MD5 db6a77fb84325b4b66f75fdfa08e6220
SHA1 41e1e99d628c1ce17a5dc296d5b55de739950947
SHA256 affb03f46fc0eb380ee782f7f23a58e10859ebd78d56a20911e0413c7a9e74d4
SHA512 57413b94128ccea204290eafbdd1fd361a3aa36e64d7c2251e8eeb81d1cfd88290b1e9cbf04cf47954aec64b4d5a789b92e3f89bf28369db5e03dbd939257246

memory/3672-9-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Lacdmh32.exe

MD5 9e4e5d86d49e90c84ce253793cab638f
SHA1 1a304dc905ad0befd1a8d7662ba4ddc1a9e6dc7a
SHA256 e9c4b338b35f854a64d2020fe70a3e953ce7903d67a8e96939c1d9513db914dc
SHA512 ba8d9757dcd466ee69e3699ac191b3e1e5a854389c95e5a59f6085d49d130c979865dde4434e371bea71177fe14b8ea23a5e5ea2a6c6b336ec153d61258e6947

memory/2640-16-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mahnhhod.exe

MD5 c487a2fa5d5ecc399e084e84846b082b
SHA1 abb5bc9a2eba1513f28d92ace094bf8a524b278a
SHA256 49933b2ff9dcda00208acb0f9b27faa233bae6f32c952d4d4b97853fa97d3f2e
SHA512 337eaeac8fa150217fe2661b27063f0bd7efe90ac25f2a636eaf34df446352f77e455500f39d887095a2f05e03883f221ada0f9c71c88c726f71c347ced08c5b

memory/2544-24-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mnnkgl32.exe

MD5 01bf03de436c6038236e35ed64a77a13
SHA1 b9e5d5b8b1ce014aab04674081e5b963b82c8be7
SHA256 2b8a79f207e061c53dd9a910141b5ce0ca9defab733e7ec0fa0ed2ed88322301
SHA512 86836f43f3e807743c9f216957059a4aa223286a545bd70d34ed5124daae1f00865c5c4026d6157b41aed00bffa0c538a8c1b3c9739d47d7817ee0eee164b791

memory/3060-33-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mjellmbp.exe

MD5 1ae5cfbdf07b353f6e549fa308437008
SHA1 122d77ca3423e7cee1fc1fa1a47054b057a01be7
SHA256 eeed1c4ec79a2ec702c640d31f93036dfaa658277831be7e4c52d2d7f3ce15f5
SHA512 6cf6c211324a142644823970f6f346b0f14c8032bbd7a3776cbe5fb9517614818ced66351fa243c6831ba54496f4bc843c1dcc5ee01871f24a4ae935276da5b9

memory/1848-40-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nknobkje.exe

MD5 287268a0436b01c182176064cd482101
SHA1 3b38a46f1a12a93218aeb48a81beab883218e436
SHA256 06fae4c14f80aa2c1ed7afe860ad602ee14f44d2901b15039bef09985e5320d4
SHA512 95816feab72378881d330a63d1a35a11a1a33bae9e814bc7974e58460623f33631065519c1db24f63bf27e1ed0d315f9cf56babea597e16b5878eb6e26b18b15

memory/752-53-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nahgoe32.exe

MD5 847a7d90dc415ee3f89fdeee4f92f71f
SHA1 513bd215b8820a760baed5601d9381075b923293
SHA256 a54e59cdc9430edd44446beba896ee34d7f3a0c5e1198ea84a91f65a9233d2bf
SHA512 6dd820983bc906bbc0ff19a93066ab9330a82eb59b866500d492735083d5aec2cc768d11feac0c88f7acd177fa44ad84bdc2558a5188cff2340b124f7f71dc88

memory/3644-57-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Okchnk32.exe

MD5 85c668b61938b542604088b73c5c9ae1
SHA1 3de80498fbe10de689179d3e6255d184ecc7b7a4
SHA256 0eb14a71fe42e895ce150113576fe6fc41355b5e77fd1caa63ed2b9dc5e39835
SHA512 b0f3919c9a33fc253dc760ca3dd2727c30e3065af54368441ea3644fbc1c1507bc3c3a1540a58ef840e24218cf5f227ded68137154e857eafd6ae0fa6f20f95c

memory/4916-64-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Okgaijaj.exe

MD5 fbac5e62fdcf705f2d08e4d36fd38cdb
SHA1 c1d3a23435694f9153619f8fe978fc177500d6a1
SHA256 9446555a4da999a19c5eb4ab8ce500a1fe875b0de6017f8e4ec13e1b3ac1235a
SHA512 d29db5ce6fa14b296ce19427237224098d6f510ce2405b3de5956c637e567784a9d52d6c8924d420ad497aa6789ea95095bec2ef140e4724058095382d1a05ef

memory/312-73-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Oaajed32.exe

MD5 83d1914a3b89f39f9a235fe6a456a53a
SHA1 19377d10a932341938a7ffbb7d358d459c5c4aa7
SHA256 d60b243ad9c2755dda9002177ce2f4b52547f46273e781dc340b4855a6cf9b0b
SHA512 9b094c1d77525805659944c755568a40b334b2ae1bb8c6614746f505fd2280b108784dac8647ceb4998427031a5bf1adf2a6654e414379bf8040e166094478fd

memory/1216-80-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Oklkdi32.exe

MD5 153d29b7a68dfcc255045fd7fbc00fc5
SHA1 fb79c7d96faf3dded080997e6f4905a971a17357
SHA256 6b4766909d647055494d4b1b32e3381c8291288098667e959a38df58f4e65f6d
SHA512 964c6e90b52844d97b0b4b652ee1ff07b49efbe04d9aa491a2ffe5baf50b24abab501df070f9895d128a281092cce0e9557fb41a288d93282948690abd4086df

memory/5060-89-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pllgnl32.exe

MD5 36c9befa186eb2d5b0fc20a7afea669f
SHA1 d86e03ba3ac8208603be709fe1a3a87f3f1e3545
SHA256 a1e59b6b2c78364e97c96070a6ec8d5b684359bdd966197be21ad696003b12f5
SHA512 be7ba557542f243e92b9e73d4130b1526473ed889c8122477718b62636b08c31e2f075e4f2573d6994cc70f676f75a7820475f82a9d2542040a67b6a5b1e1e6b

memory/220-101-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pahpfc32.exe

MD5 6c9715ef6ecad352aee0330fc9e40124
SHA1 c2dac21abf9cf5226596f0851a625492a71db7f9
SHA256 64e53bfce73f61def3b73e03d71f2fb749dc76e4d207d1a2daadf6ee97ecb8f3
SHA512 c0369c5d5293ad65d25f4db69b0a99e64fc4b10621380651b18f474177c01184c3e5566b8c78eb2a484931bcfbfee46a4111bda0d57524cd2abd55ff03e0685f

memory/1524-105-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Phganm32.exe

MD5 7a1cc3a6bbc142d8ffa92363e7695ec9
SHA1 8ca49a3c398244bd0b18f20ef29ec73d6214bfd4
SHA256 3c796d93e6859d1499d74450af9fcdb2f69ac6764c22a35a897fdd0a09f598c9
SHA512 18f195809e45a3c4e963682ab92f62c2f314703772d4957ebe73ae42547396704ff374cebe215697700831c7db555924c9df8e4248079f2d2a75857b49567558

memory/4652-113-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qhlkilba.exe

MD5 e8a658901d2b6f3fa8b656e8b8253a33
SHA1 7c1f66cbc41be1d66a78ef3dc2bd4b74ddc721ce
SHA256 264967448ff53464a67b03b45cb565e9ec0e74337db9b3133c2b01a85c826075
SHA512 3d072f1f64c7f59e225f07389f9125f6833677528505672ffe3e6b832c82d29afef1712984c213898b10cf06ad3cef14ff44c90ae11ab0fc8a06d9c20a69888c

memory/1340-120-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qaflgago.exe

MD5 e649f4ac16754cf6f87a0e0d8ce5269a
SHA1 b0480d704b1bce3e045d1a0575ccb74e24aea4c1
SHA256 e111a168358e46723e8f79ce061db54fbdb931f36f9745e212c9e26947a2ba0c
SHA512 7ee0d19c6b05e9f55b9a3fff1b2ea88da1d7a88cd7bcec9162355c64c634b482451d1a7b0c9dcc0e661f0677593f64013b4b8ffabd729d51a00a5108dd977548

memory/4472-128-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Akoqpg32.exe

MD5 71ad7349c80d1eccc14e518efae0a10c
SHA1 22f6a06804fa602333f24403f9644f329c714db0
SHA256 bcb0ea85b1cde71d71839f39e3b581f0a384dfa664f2c60daf148463b03c9e19
SHA512 a820bce4eb97920ac2ec37bfbc716d182f218c6675360e749ee84554cfab6539eef3fe24226ea8280854f82719dab648a78ff10251e8eb0870c66b9c16b4b95d

memory/4588-136-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Akamff32.exe

MD5 1072716113099847d8af7ceef2276a8f
SHA1 efb1bcbce28709147a0bacc453fec82121b108ee
SHA256 5a0ba6d6d974ea2393aab0abbb0465c5e7a7220ab676a50ae249ed1c23a8b4aa
SHA512 22343043ec7c49f6a0c1cb1c4f1d73eb07cd15f3fbb7658460c117e8cfa3c3663106e51964c2bc7679a6afaaed7b6be3b7c9e65604d5acdd0b507e7c1794b88e

memory/2952-145-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Alqjpi32.exe

MD5 d2c579cb6df26ebd09045bb6cdfa27e4
SHA1 68f19e810326449a67ccec7f07303146f37fc09a
SHA256 ab7dc1cca4067bf5a45362645722ed991a26a3473ff509385ea17fb77d5c2385
SHA512 fd6719503cd5b978e8f124472e527acf326f2dca7421782ad2627280c9e51bcf30db25bf616752547192268b687a82acd84c64a06878b7fd0044834ba776c916

memory/2524-153-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4952-160-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bcddcbab.exe

MD5 284e0aaecc8948165031297bc06a2c53
SHA1 0e364024ff852dd541e987cd4224ec2b39fb9794
SHA256 a1bd7f07e18a1dd4ed363f15c5d17d935b8019cd0f97a5844e00cb2e517bb34d
SHA512 95deffbcb57288873204fd52a7deafce3651592e9ec9cee39a65062826fbedb028abf667cfdd9d6a6948af1118da1598fb3447fe8efa3b4857d614a36040f3fb

C:\Windows\SysWOW64\Bblnindg.exe

MD5 06bbfe3e1f0e7146744210c0846e4ebb
SHA1 cefc9f2a12e0c460b11c26d80c1508a1608b3472
SHA256 c79b4e15334c20c102ddab75408d0da27d897abedfb02f706cfe18e0715ba49c
SHA512 762dc765fda6eb692d72f57f2cade47c3c3f8c3ec6535c00f76c67feb62934572eae604729c169bbbc5188501e0fc707f89decc83a6639c84986a10b9cb0e558

memory/756-168-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cmcolgbj.exe

MD5 812e8696844f57d82865bee9b41f7bfd
SHA1 17dfd1ad8f25c02a9f0a22485b9736491e677800
SHA256 aeaf62556cf28140f0c7cbca1c16ea88781ff24175ad0ee324c3f9ac66763730
SHA512 bc7040c15ba330b6ce356696f5dde451d6ceb889fa8059382598ad2adb3e1d931ecb19e85a86e44b35ff71fd41ca0c007c6307b755405be6115d235bfd6d1fa2

memory/1572-177-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cimmggfl.exe

MD5 56691832a2a010a849855d86dc34c7d4
SHA1 afabe92efc5c5ee0619248af803f89da6eed87e4
SHA256 9358a39dedcc31e5ba9babac815a1992385fa0de0a3da88c82797d235b0ffcd7
SHA512 dd2cd2b17b996af64d4fb25247994a92d8561c93391dd96fefa0d3941745599b49bed92b0fcee4d8186868df7b671313c0161b632a4ebe5cbf008d9156e3e20e

memory/2648-184-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3756-193-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ccbadp32.exe

MD5 dc5982c6167114e793e3a18ae2ff0de2
SHA1 fb424e7ca733684e4469f8a75495b730fcc947da
SHA256 37ee6f5ac56033400a6166f60a5794796887d95b37175d6d6d52aa6224e9d386
SHA512 047494ace68ffb171c7c146360474186512c978a465ec572447e5cfb779c4f8af40ae3e642fd384236fb41ea833e6457c4d2b0656440ac81b2a45232a113b633

C:\Windows\SysWOW64\Cmjemflb.exe

MD5 5de69376de11968ea18860542c92ef6c
SHA1 a773b34ed48bfc5c1c57b759ffeb1e3d2dd6b9bf
SHA256 4bfc86199734d99cee603f4a83fb93306fd1bbae7a673706e1042b4d7d88909a
SHA512 c0ac499733fc2134ee8075e83078e29ca65f2e0158d9c70bfdd3c70d18d4041387e350f4ccca47f92ac60c581fb54025e7609de7f667bda32d01966f2769339b

memory/1944-201-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dckdjomg.exe

MD5 7a8e7a3072a44385ec336a22b3912897
SHA1 6e924c2ab5c2f55a4951fdf9aafe691ba43597ef
SHA256 366fa31ef643ad3026e86e61155d1df34a875b1a09ac893b9384fd8f615aeb8b
SHA512 336c1eaa48e26b22d357b46b2026ecc16435b8fe1b3bec87423aac974e075f964a7723543f1f34cf9e47ad972bb346ca8a040ee6d94a252b7a882e9331d46cd2

memory/2752-208-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dihlbf32.exe

MD5 bf1e5c836dd0a3ba36a01284912682b5
SHA1 ad26e447b48886a996cd0d81f9e25ff7495c604e
SHA256 abd3a3c9d8c9f618e50aedb7af40cff511f4db313c2f1d7cf39fd39c4ad5606e
SHA512 66da6982af0475357da5cc6ac0dad419b5372f98e8fea7c7d9b7a7e8428ad46eff6acdc79a8c7a92c3b77bd8827d54ccae2b12b18419905748df807b833deb7e

memory/4336-217-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Efafgifc.exe

MD5 c0daa3f24828b6d51e3149051ff79320
SHA1 9af917b3994f0dd3b259a81676427ca523f081f0
SHA256 484ecd2fe82f0ea48e5cf1a0202c90031199af9d0b4df23419b48ef73a7328c2
SHA512 2b6cfe6516bd84dfaa60d14ff7e8966d3b9784f8527144996ed1ef6d76435883bfd062b9fbb83988e51ded1a733768c5f703970f92d1301074215472fad7bff8

memory/3304-224-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Emphocjj.exe

MD5 1e228d2101f3d516bc19a6d2584a8040
SHA1 5ef78618e8c51b8ba4d02e4355d9ac2630cfd410
SHA256 7c7e542505a4bda06e446aebb0364d9a97a6936353a576df4a089d12ea1d7116
SHA512 8c829a8c866834982d9782e709ba77ba6bccc59cb6f96ca9643b6567e52d504dc083c25058e144579050d65909eae2d18d0bd393c2cb7ff99d34b93c46e6c611

memory/468-232-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Eiieicml.exe

MD5 3f87122be8f84cf84ecc89d8881630e7
SHA1 42a20fb527d8701460937bc0704a6857541c9a55
SHA256 a69eb62a3339685e6a5ff34c00e1beed79e3ca1fb04f82880bbe337f591c423f
SHA512 bbb42511ff3fe0d647237ef44351d249807a706f2b808a0e7a4d6c6d07f59a24e481484669b4a211c66ca551f45c4a166c117a8d5770b0a2be4aa96cb736bbbd

memory/2320-241-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fpbmfn32.exe

MD5 aaf5e1887ed765908f2de28c0a7df370
SHA1 0f4d3c65f1163e6096a3412600b6e9bd91012054
SHA256 a8dd1ad9d861df74e0b93eb096899c310d8619336f5a22a3fb83f582b91cd0ec
SHA512 427cc5da287b70ffc365f5f27f63a42103ed9fb3e01a9f8b05db5b3fabe7c753da137630857acf291df832baacfc3c5c121532fbd50e44cf084d94406cebfa20

memory/2892-249-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fbhpch32.exe

MD5 217197b47fc9f16c1601c1fd79d1879f
SHA1 e14ce057936d53f258ae26b6b3b4e00a0c374394
SHA256 ca31578e16300959494077f50ecdfad171b4894595b000a316742723e4b714c8
SHA512 d25a9ae0e78d3f5db1f38c8ffcaabec606c00938936f6cad08c16243eaed03dc23e78e737f10d17cb2e72860980975ab1db86eccf818b364c9805a21496a287d

memory/5052-256-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1120-263-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1780-269-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Gigaka32.exe

MD5 e8c86ba7946d2cfe2ba4b05b2abd6281
SHA1 d07bfe1ef276cd0f467b096e5a135bf6e9b12419
SHA256 41783003fc33a6605f7db24afc355c226403c3b242df2fb4b226bd8be0e0211a
SHA512 62263c2f9863bf30a817f6014cbec18e445d1758014aff3b03b47aa84635875e99f272e232717d855d3e7de297acebe09b4282d33332255e0f7b575048be34a5

memory/396-275-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Gmdjapgb.exe

MD5 fded890382d47902ad58d1a1830b29a3
SHA1 d89ebb75aedfa86cfd9b12a478c056c675d48d3d
SHA256 f9d8333c013a2114ad35e40b605a59ca9fc977f4b739adb30fddb5e357954a8b
SHA512 361a1db36042936b243d34bb44359de26ad9e5284c1835200ea1dd4f3052bead9153fe6955bdaff88df7d74b58ac4da1352e7895d61765457160e6531cc50671

memory/1980-281-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1468-287-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3056-293-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Gphphj32.exe

MD5 49a58afa0e6741329d4cf44ae6ad98e8
SHA1 34cccd8eb386f3f9775b21f4e86b4efc3e031b57
SHA256 85233086ef0ac972e743ab048e36b31f8ea5d31eaceec3a552d9bb538eadb6e3
SHA512 e41d302c01645cc00fe0adce11bf4826cd4e717d687fc13d9a6c12606a729a9fbd6e4cbb9de7f07a5f5cb34dbabdefa5cab22e201a38c88de403b336509b016f

memory/2340-299-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1956-305-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Hgdejd32.exe

MD5 121e0c185b249d48fc8775f47607c272
SHA1 928ef59bd696ef8e5e92399a01e4b7e40b64798f
SHA256 36915ca98b0edf6da497633c23acc017e8cb063e52aa53b429813f4696a2a80e
SHA512 966961018c9a03ba5a9cfd7ae7c475da6b649bffc5d51861a2cbf5baa85515c05a8684d1c80be1e934c7deb7634fd5e627f5a4bfb9d74ef96cca7e55cf62dbc6

memory/2156-311-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Hdhedh32.exe

MD5 e9227653eb0b5b4d0d652902bf50eab0
SHA1 cb42ea0a30300d1058a6cc7ac0995d4ab0be5303
SHA256 014aa9c8e44ea9eef6f5c41e9f5e9e5b3313bef2d3dae69a38e86262927f071e
SHA512 f72f47dbb3da14f094957fb2e0bd05a6e978378fa15c82d470e3fe023f85e6f3e1d9ad96531af08ca5a6bccf53f4cd4038c66ba309f43dbed3739332f0cc3e57

memory/5048-317-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4760-323-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3988-329-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Hpabni32.exe

MD5 181a1aa1ffcf87611bfe870ec1e29254
SHA1 49f2459a3b741ca6b257b9460dd75c10e6bb3a6e
SHA256 6500685364995e22fc808613c4a7b5ca3da9c84acab3a106e3a7b98f54a00759
SHA512 75cbcf71144f38da341553b969812e5698ca14f98c8b4281e772e593bf13e8c61e9f060bc5d67e21ae6b22750c7c42b5b5ae084b0f0b26b2e9246f1a51a4a922

memory/1040-335-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Hlhccj32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/208-341-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2404-347-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3732-353-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1756-359-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1984-365-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3388-371-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1632-377-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4380-383-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4488-389-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3980-395-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4800-401-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1672-407-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3456-413-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3592-419-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4004-425-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2368-431-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1456-437-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1656-443-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3196-449-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4328-455-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3804-461-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jcgnbaeo.exe

MD5 2cc5916d613d293402839145e6228499
SHA1 54f35c02fb4222023ebca90c0ae0c3560b31f7fa
SHA256 40fd06755326d067a2e62ca8a2915e400d6d784acc37c8a102a1d9b6421ea64a
SHA512 24d4c918c221005151e67c5ccc7dd8400ce8a8b4f4b46edce8c1fc9319c3b5b651cd53c4bf9d61fe86c3661d619e9ce684b3282f714b2ce00c0c2663689832c1

memory/3572-467-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4872-473-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4528-479-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1476-489-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1816-491-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2456-497-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4888-503-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kgipcogp.exe

MD5 641dfae1dd35ae8ec9d400e256829000
SHA1 47d682b3982112a8a50595239700c79835731d72
SHA256 d9a5fc431c6b473eda560273eb2fe3d07ed4ffef7695a0dc4ba6cab1eed6622f
SHA512 4c80a90765da27494eb2b6249e0d2226a4b7d88d0ef0fbd58a9bb15d1526472111b4683d0b84c736835bb9e8ec33b31725804273fb2d537efbdfaae0053cc179

memory/5028-509-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4348-515-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kjjiej32.exe

MD5 f70ca5502173a72042c4e9ab46216c81
SHA1 ff87a276af013f5db897dd9d3c630d504fa25b7f
SHA256 50386e80e022231235437c1bb389e75897d11d3ba157513e72e284c03d442806
SHA512 3bf47eca606d92e80d5a7ba73f194ffe3bdca20036d4b6375a0fd3b9f3aa9a64f8cdd06b9760f371aba8a8e2f3929fd0f5462cd58903b2833d57dc36e522a41b

memory/1496-521-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3820-527-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4160-533-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5012-540-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4812-539-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4512-546-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4948-557-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3672-552-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1528-560-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2640-559-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Lmpkadnm.exe

MD5 207ecf1f073eda689cd7a33013fb1ba0
SHA1 73325cb37f6b089d93ef556edb17d4c2e55b1b4d
SHA256 829b70a6511d3e6920827bbebf38e6a8af216d091222a9f6fa6ab0f88594ffde
SHA512 052d7b577e081a0d7233dab416e9aa6365465997cc444123fb4d68b907f779932c490360efb755fd51d6a4f84f6fff4d42153f4c625b7f3e7765a4c4e4a56c91

memory/2544-566-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3560-571-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3060-574-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2948-575-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ldipha32.exe

MD5 5a48164f2407a48a4c1194fbe70dc09c
SHA1 c9791cc05d1567b866a807065fbbd9b082d96682
SHA256 0eaa9ffcf0b4c0c8a550ecb4d5524ccd41627ec330c1f49424919cc0fd56e8e3
SHA512 8f0ab60275b298b237267e7a4725fe4509afe85ee55bcdc9a30c8da4c12e0d7414ee3d3bf041fe6ad4b43215a2b77897f6b9cfc6982cd8e61fb3806518a2b590

memory/1848-581-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4764-582-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4680-589-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1648-597-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3644-596-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Lenicahg.exe

MD5 9658338864c643f1af3f6f1ee7794b78
SHA1 65b066e7caf78b307503ecf1ec581a87007ed0c2
SHA256 93412212dcc8e5bb17cc1da2e69002c8cb4f27ad3ba4f727569765ed1544ffcd
SHA512 40e03f6b2e6ec1bc570e2b8138f55f6c1b537d913f5b336cf0a8c8b9876ce55068584cbab8501dabc508c91b71c12bc6feaf83eb25cf0739b5df51dbefafe744

C:\Windows\SysWOW64\Mccfdmmo.exe

MD5 fc2bb89944751b88dadbfadf607c803e
SHA1 ca6eba70e5a6325f63233540bc03b61b30067c14
SHA256 16e76b6772005ed37157802f0ebdabf45ce0782078bd8a36364228419d5865e3
SHA512 0c98fdb55a30ad56c7f45ff027a388ff81d8170a01ab9dfc31626ba9c40754f9c4606c6ed79fb0116eb7d693568fce7a586731582ae595b5ffc50d130eab2f21

C:\Windows\SysWOW64\Mchppmij.exe

MD5 535d7b01ad45bd97942c5e66b26af2af
SHA1 923bce2576221dd1f397c3ad63f404b25098fda1
SHA256 42d2eff665a4c3f054f43ee0b0f80642b5f4cdf5aec3852e9ff5050116701818
SHA512 58e4c15303a3bb81886bc0caa6256af9ce295cbff3561d2d6215844a9d7e410dac2aa9060c6dc79da6fe00a3aba2270a794a4f1828aa2a5e1fc9ffb7212ddbbb

C:\Windows\SysWOW64\Nclikl32.exe

MD5 38f6950d02af57ecb268b791da84ef87
SHA1 1530720a3e09bb5bb9aa3065ba97cf41f4f3b124
SHA256 a164004573c67116bd05c3be07dbccdfedbcfe595f7819875fd4068e9e3267bf
SHA512 a013ef1306d30973189b7fb862d9122b93d480d783e2f778b2bf962fffe83e088f7df3e892ded728e6b96331996d475dac93d56e02cb2271c0c2041c3534ecc0

C:\Windows\SysWOW64\Nnfgcd32.exe

MD5 c6d20c0cb9bb0d47a2a2313372b5f96e
SHA1 c1ce72b6e25865855ee39d8a6a2018d5f9647b8c
SHA256 b251758c85f349eefd248bba6c14a0366fbadaff8fe501928440215c50d7653d
SHA512 eb3dc18e1f30f4cb9db2b0273534dd613dd53e96bf16bd9d77edf29a2e5e2637766343291c20d852909f9d7e5e9d986ece5a2a0a5d2c4abcba414600848bf337

C:\Windows\SysWOW64\Nnicid32.exe

MD5 7fdca4df9ef81f49f6089fef6982aad0
SHA1 be319c953bc05a8e2aa9c260a8c9afa70b103f7a
SHA256 b7de423e78d65a182af04f5bcb5ec1d0e70c9730e5b4c12459e415ce87b90cfe
SHA512 6019e9795863364b4a6361487f4128734672e6dd75a2f8362cabaf4858dab6b122eef23c6ed0af40d8b6a4e862c8b05e7b4f9d211dc984d74f88dee600845e79

C:\Windows\SysWOW64\Najmjokc.exe

MD5 396ee3b73049ae63e692503c82bff477
SHA1 3970b865a8c376b7060a6ef9dffddbce8c691a13
SHA256 d5c8daf24a5b9219dc59c6859f127ce7d48665ca5b8da19b404178ba99c9c12b
SHA512 eb18af07aee15040fe62f9b7ea8e220e25773914a01b3feb019def859bdaf72b33d8500e31595bf6843fe5b00440a0958e0a1298ed553cb4539119bf8d6bf723

C:\Windows\SysWOW64\Odjeljhd.exe

MD5 6ea98b622f494c75ac64aa9c7b059ee7
SHA1 a555c8422a2c77134dd6b044390407821f4b8564
SHA256 b2403d28a5ece1ba083a91fb3787617a772dbd68f37ede14aa2af492cdf0d277
SHA512 5a62cf062bb7f50bbc6b9fd0e4cf1dea825be6dd3b4ac93612e373470ba2556c7f366edddad4fc151810cabe66ba97984bb7d07f21bb753ae5ce9684e9ba616a

C:\Windows\SysWOW64\Omegjomb.exe

MD5 4d8e3859749cecb54a5b05e806115c61
SHA1 05303e174b4ab6b2119033454144c32fd89b0fa2
SHA256 c176985b1ac3ae149787982e234b5f601dc50ec0222c266e097060b7d2303e24
SHA512 dc251ab606e92e1126ff422451bbf0ab656cf52e17ce0f66ab6825a9ed7b799d13e464ab5fdf70dfcc81db407756c9eeb3c66d4d322e71fd78040bac27c6b705

C:\Windows\SysWOW64\Oeokal32.exe

MD5 b32ab180317b7455174578352afcdc31
SHA1 82e3671481eafc87122ec9a921233d4572d22cbc
SHA256 5c9a5fc7fcc6449008958dae03840fd073b819cd0264c12a2e004dbef51a2281
SHA512 3f6d3199d7b27df36000a56d96c1e46ee68e8f6947a3be3c83432dd564adf27efada34458e604684f12e3d5cc5a50c90e11f3f91cf2f5c25756071edb6ae6b0f

C:\Windows\SysWOW64\Pddhbipj.exe

MD5 b0b1d225f0056df663b4d368b0aca8a4
SHA1 16b21f3430203f75500d5d9100ded57f369f127f
SHA256 24d2fec9bbaf760d7fc2336d965ad8ad4eeba4b8b444b94c1bcdca0a70372586
SHA512 1978b7952fcb9df8013d8e2254fef527c6bc78eeb332350bb7b4cbb14b67147cd0dfeb79fa6cef6858a6f5bcc525ff834f6d039ad873302b6a5c6ec9f468d969

C:\Windows\SysWOW64\Paoollik.exe

MD5 a445001b8dcaace14b4da42371bc99cc
SHA1 7d9205b0acc7984e227860e35aa767259ef2d216
SHA256 ef148f434ac8a0416f67a261d3c78938ddfd9f66f16e233457aaecec7a7febbf
SHA512 af3453a0a414fef5a6b8b0fb2a9ec3de1b5b4600e3a747facb4a1f5f121cfae97cf99dd733019402aa920184625e951e1f16596e69c4e3c25766c1a602f98468

C:\Windows\SysWOW64\Qemhbj32.exe

MD5 8979b37eaba29b238493e1a8f45b067b
SHA1 87286bc3a3c8370197364344593f0b4cca61e008
SHA256 05343cd27a72d458782969230af350a930ae7cd71678b94de8cabb762b4d64c5
SHA512 726057ed8f3c58ca47c101dff49aee5703d54057ab05e322f8fc06c788783552bf4dac2f7316fc8af5e092bd633188fe8f740f6c7009782791488218ed713cfa

C:\Windows\SysWOW64\Aahbbkaq.exe

MD5 161fac8fa0d7905708a346a548a023af
SHA1 ce93c32f6e1115f2bf30ef3d7183aac40f4e8d3f
SHA256 77b328edad21ae8e864436bd76c3a3b396982cddb570d175aaa1e3276b8fc564
SHA512 ce3d6cb8c629098734e24c7df9d63179fcd379a280611b3dcfdda5f75371b4fd1abe6fdce94bbad0b7baf52c310efc26c0247447e1bb72eb0dce0acd92f57e4c

C:\Windows\SysWOW64\Aefjii32.exe

MD5 c660aebf094b2d0cb153f68f42f26607
SHA1 5d5356508d337ac488c941d51721ea93f50ec9f3
SHA256 3dee9c5eca8d9bad866a538e10361855c8ff4255f2a40f241bd789c48e2420f3
SHA512 dc0ba56ce625381fbc4fd79e73c92fba6b7c578e77f0c27cd0845cb4518c06175e546569df3225c2a47ee0f52c628c2926a315f7ca27ad00fbbce9b93b322955

C:\Windows\SysWOW64\Albpkc32.exe

MD5 3de5e37570c8a505b6257645a36d664c
SHA1 bd77b5300d33f9f6e6cd04ac58249afdca7827d6
SHA256 27b091d0289f0f6b5f1cce3081363fc0d709a5fe3dbaa5bd6357043b975429a0
SHA512 3c6e00e2fbd74d0abb51d899ffb1359eebc5f55cf85f652e846a45cb9732c158458f46124de1573a60051faea0de202e8e56367e9a34bd77a052d4b76178cb3d

C:\Windows\SysWOW64\Aekddhcb.exe

MD5 13dd90a3d7c8be73ced2e97a49be9aa8
SHA1 5563af1da61ab8e95f8a07b0fa184673c5f05a19
SHA256 d9e9f487a7a8db2a92fb8df83c2e2958f768219f0072ca2ae3e201622cf7c0d6
SHA512 e5440352d629d6e3a27fac9a7c77e56f354ee5fdd73270fb1ef661066788d46bddb3c40b29c14061472e3d2055ef5aeead19eca7e55a6e1236d5fe734271db4a

C:\Windows\SysWOW64\Bdpaeehj.exe

MD5 3a9033ac92c2724509293bf5f5b283f5
SHA1 943b9c499476d44422651f0f725617a21b92ac45
SHA256 7336bf6eefc8fdef14fa48d68f77187132cc3a2a743c919729cb63b2d8c16392
SHA512 bd5fd546963f43962a9ab1ffd4c0f5b47f541463be50c0cbcc9bc7806bd35e891cb3e0afbee2d45373c90afce2d26071c2d1379a2a0c0c6542b150eb3e09b967

C:\Windows\SysWOW64\Bebjdgmj.exe

MD5 4974e85cc1b83b2cad4860d5b7313a58
SHA1 c0ed7e07854edad605e7de987d587ae0005dcae6
SHA256 e589e7a974e4355943d6c670fb6cdc1cd11d1ecc23a96d02526ac9559957aab0
SHA512 3916bd85721128a0f2b4ebab4d626ca306721842bcd127db8d67f2887017f9628b52fe55bf1d06857d06cf0c770b438db9119d4f7c64d409222fa27cb687d593

C:\Windows\SysWOW64\Bdgged32.exe

MD5 33b4d0135d07c593ead1d7d950c55746
SHA1 2ea07fc7bda9cd8cf9a244ea2de3898d013a6299
SHA256 940f630488c02e12afa900a5de670e878f97e07b0e51c26c84702ddad0367589
SHA512 9b33901de4f2c9469667690c0c2bd4d3f8ca15b582cf8e13fb5e20583d925497aa381901eb8ea8801b4073b974dd2bf5d6af88fae03d1cbc64a72fdebcec4416

C:\Windows\SysWOW64\Bheplb32.exe

MD5 3aca9b36d36efd247bac2243894848ad
SHA1 12617692a5ed2411b39f2d3d9a4fb467f1300b66
SHA256 0774bd1d8c4169c1158db3d23ca21dbd3794f3672993e50615c51a0e0369fbd0
SHA512 592cfc9f66f31215ae3813018db12424156135d5130d3c4595c05fcdd837360d60132510be3146638c860ff365512d0fbc0c064cd3d79a2cbcbc6f588a9e0b0b

C:\Windows\SysWOW64\Cdpjlb32.exe

MD5 8e25ffd0513579f2c3bb1bfed33b7928
SHA1 5ee20a85eb53141c594b2ce18e2f2cb5bab7cbd6
SHA256 182ed48f59cb79fabe12d60b91907ef85ebff69bf64aff478c5abc09cdd5fc9d
SHA512 4d38359dfb0d1056a5d8d2d473d9ef66361b49b8e5a1caa49ee5bd0f460128d5e13e5c9831af23db59633ff64d46778588943fceb592cba33c2dc288de95e18e

C:\Windows\SysWOW64\Cfbcke32.exe

MD5 39037a1fd96f0bc490cc012ad568800a
SHA1 cab8ea06c7af1e04096772051d6aea0f81d767ae
SHA256 c5adbd5269a3817b962f1532bb79204ed7422a1f677cc660911e66e39ae488ab
SHA512 6e59f90d2b588b9c4fab192356a05037bec815f30e069c583946175d205064c11196a7ff6f54a2d49348d1b3d7f7184803c6d634bb79a505f1bbfc780a24b785

C:\Windows\SysWOW64\Dnpdegjp.exe

MD5 3cdcc9c41999e0cf3b14af5600e1acc1
SHA1 1a1699400fadc6bd0d5ea7e0b25d6b8758d0c628
SHA256 0bfe00b495a6a34a72d623165df92db4446a8712e4fde2686857a1b6e090a4ba
SHA512 ab7377f42add3ba641841de7dc51bf69abaf55f4738961c4aa440d6e9d9e45399e15962a566c7b017bd9583282c7d93af0af2a847835976b13668e1c50a7da31

C:\Windows\SysWOW64\Dfiildio.exe

MD5 d8880b760da5deb92d44ab9f40d7b33a
SHA1 fabd80fee53110d6a400efbfcb22132aa26617ea
SHA256 709a7caf62d5ea8cbcea306f49a31a3462f39550e7431b497470f9846d900461
SHA512 9df7700f225b24210c41e754541f32284f914f1d4c832589bad7241f7aff9ec95285f140d34f7fddbd7a2077141bb35004014ce2c87df42b2237c061c993e559

C:\Windows\SysWOW64\Dijbno32.exe

MD5 10abb36eb9450423edb53077c8257aac
SHA1 428a36c531392873b09fa3024e4ca59ab2c70571
SHA256 6a5e1d746a553be24437d96fe83463a075880976251871d39bd91e8563808e30
SHA512 570168284a0235a0c14bcc553505a24b0e633f755452540f58afc20e50a8742faa6e7ec9db42999fef4422a2fd48f25731fe764985d79b9b34c46d9c1da92618

C:\Windows\SysWOW64\Enigke32.exe

MD5 39ea8187505f0383cc91c7834597395d
SHA1 36ac58bc7d77ae00716b4ec6f0f4b34623e9e45c
SHA256 26d2d8004385e25dd91a5f5ddb1eb6d13b11d58ea7e9448a14239baa32651489
SHA512 0fe2da837a28e3e0c4f533a223c539bdda64d2f51c0cb10467d8e7591a1be0d62af6e5967cc5639c75a45fe092b8dd83acf0391106999d449a38b493b42aa139

C:\Windows\SysWOW64\Efblbbqd.exe

MD5 fee254069f4bc4b87250eb3df54d6d65
SHA1 006246a8ea4e121825d51b0b5763f46cbdaf2605
SHA256 06d221e3796218e945d26272b62e33245ff0ec8e130bf8ec108350f7beb8e4ba
SHA512 5f2d097f2ca816b086e2b214c6bf225562abeff524a991f058caeb747d232d0a09b32c9e43c4947f9c1b9285da79a7eca9da744733846cdea18d8f98d379e717

C:\Windows\SysWOW64\Efgemb32.exe

MD5 25707e2883276b484951975c2fb28bea
SHA1 9ff9c4fd4d8c75a7ef00fdb1d2e502c02bd38f72
SHA256 d04f76aec9268c1efcc445c3c1c848e8867fb0b7eb18aeaaf6e6bf8888718a11
SHA512 8c45ddf1f9accd3cb7d49e82ba72c19861e503bfa34d7b949f4371a3d729de1e3a20b58d50017c0db53034a56bdcacfcfa6d6efac16aa215a25dfb888003b690

C:\Windows\SysWOW64\Fihnomjp.exe

MD5 15f998383fe2dc4fea1edeea7afa3fad
SHA1 920a28aa8505b3f670b108e2529f23c3b9d3e7c8
SHA256 f25ff6ffe894a2b8b151e24e8922cc3a92217603ee687310386722856234b84e
SHA512 1feae274ecedd836441d50d0c2f38a5b01d4d232ae82a25c85550d887a3e48a96666021dad20eded067602fd091522d21a5b9592b4e82516de05ccc62c68738b

C:\Windows\SysWOW64\Ffnknafg.exe

MD5 17232e849059a3d1f4abe2e1c671484f
SHA1 fba17052822ac4b7faf65fd1fa535bfe4a9c47b9
SHA256 e91f18af775dec87ee0b47e6426f48781e3ec6e8b833a358d42b455c18e12529
SHA512 d10d501751af24f8507435ba5f9475d799754bd76a65b5b55473c30621aada0849df4229c6910d269455ef21e9a119fccdcc88f69c6be969881b3ef4bee69aa6

C:\Windows\SysWOW64\Fmkqpkla.exe

MD5 adf45d194f590ce2a3e1a3adc08722b1
SHA1 1eea575231a353674cb1c121f93db05efcda7aba
SHA256 85ae03702a82ef0d0b170438be0610bca0fa3e2c60ec06565f98883dde1634f4
SHA512 f0df7ff89396550f45eef74d614c122fa60a7dcc43ce20887d00c72176807f7d48da0c5dd8d0da9f3950f0e53c1e1576fd63c24667f4392379edda821c54f20f

C:\Windows\SysWOW64\Gnqfcbnj.exe

MD5 45d27cbacd5398ac42f64756e361b448
SHA1 742378cfc81d44472673bcb8c3d3b44794a53942
SHA256 70906fa8b6edabd898309bd0870fa07ccc3897ab4529bd3287c8d62bd7fb3d14
SHA512 ed1164696df9453dbfa7934b340a4a00500611b7404eaefd6c8e90d8a7f7857ae5b09f3b734d80243158f720a3dc566a9c645a384589647f49e847e8e548a810

C:\Windows\SysWOW64\Gpelhd32.exe

MD5 3869314ba7ccff9d06d6e8b02b11bd58
SHA1 a4d17a3a5994aff160ab9941541bf70dfba7a24d
SHA256 6b6a66c2daac0689a6ca7cc16978c8f5ed6df361210a961fb651aaaa9160d05f
SHA512 41f40a14b56d45d3b0187aafa9a24f5d43d38b681f79e35ad125f413c88588059f48685e547f38d10a0d367359758db4d62c4fdcf0324e69e3dad6f9ae075e12

C:\Windows\SysWOW64\Gojiiafp.exe

MD5 b433b46f433845a47e1989c3d9584842
SHA1 8262cf5918325fee6c16e59a185f9905e9724421
SHA256 2672548071fbccd9da84fe605a58dc84ec6328f39a7b425b62e85e0ff5c5981b
SHA512 56c720b975eb006ffbb517162646b09beccbf0a05b2ad8b73b104900500edf4e9cde7e2324f8f57d89cfc846d517e4a3b8738fd760aa84157be009af4a135df6

C:\Windows\SysWOW64\Hbhboolf.exe

MD5 065aab9dcfe6b88051bf15e362cbbcfe
SHA1 3d60762e16904b84a748d13262d8c5d44fab2001
SHA256 207e808d357e8393f59963a9b4cd96bdb8a98d454fbad9163f549450c297ad90
SHA512 27cff16ac7528c161f05d3ce1d6ad8786851d786d745d9196a10f12975cde36c1f22a2c75212f659d1d41c12868bdd05b66dae27581060b218b004cbdf807417

C:\Windows\SysWOW64\Hblkjo32.exe

MD5 5ab8fffca587fe3cf3d292accc64d2db
SHA1 92f2df420d38f71f6b5196eff8adfb884ff599f0
SHA256 1b601ecc7fa34967468ff7c9720c22aa8e4e81fce505baf3d979e858767d1e5e
SHA512 12b3d0ab51d461cadcb7f410e66222c6c408a5756c12048c4e1bdbd870db36bbabc4f5d32abc8de5cca58785f6427a8a46f5dc0396d461cdf6658eb5e395478b

C:\Windows\SysWOW64\Hmdlmg32.exe

MD5 1616840668d496feee4d144ef381c989
SHA1 c656fb9042a183bbc087394913af56d44a4fbdc5
SHA256 75f75072d8fa3045ac891247d4a73eaad881833b849a0f4fa1af62286993597a
SHA512 1027715cefdc30e962cdb8a542190de3f226b10c7fc924580a259740187277d3d1be5c1e0815ab76376246d93fba0b1525b020365639d39026112241a8ac93c2

C:\Windows\SysWOW64\Imgicgca.exe

MD5 9ccf9da557ad878ea25259a0c41eebc3
SHA1 15be3482ce1cd24f6b580257239c2bd4e7aa6933
SHA256 cc272aca0ccc8cc235cd4baf5f528ea78bf2710a1e979e4609b10483ae0d1c04
SHA512 2d4501ba43e21e3df8bd156dc183b231b2b34ce630226cc61fb24656e4d41114d35c60cad12d71f1bb7ffec94d7e3342cefed2bdc1994ffbd88e87068445647b

C:\Windows\SysWOW64\Iipfmggc.exe

MD5 1c4d5bcba33b9c563ae26689f504505e
SHA1 887dc3b683f0e774c21de10ea18be796cc98f0a9
SHA256 78b7c357dbdba4375af117c527e923e82b8161216db0e6ee4cf22a596ad284b3
SHA512 5570597246f398b16be612cf8260a796794272a878d2c2bd53d0c9e3305ec3ca77ee5b649fedbf05262670c0d00e6649b6d5447aeddb01bf8c640b1481f70b8a

C:\Windows\SysWOW64\Iidphgcn.exe

MD5 8e050b888c485fff2ce60bb95a19a91b
SHA1 e15d596df46aa4f6ce0db335210adbd4395d4659
SHA256 0d766c1019162354043b2990f3a2f4a93e94dd7fa4a65a668138bfc3c5109e42
SHA512 aa7a9e25cded8568e1dc30ece17b709e7e9939f00f04984c41159e2813a66f19e7c1c3629e3e6f32f91a0bddca4a9e5de07e117d8c6bbaa081856beee9a61f0e

C:\Windows\SysWOW64\Jleijb32.exe

MD5 8e7dcc23e5edfd54fca1271ff7791e7f
SHA1 29d5c099999fe9f98cb70de76a7ed32a9cefcc27
SHA256 8a06343b5a5bf26c868b2612570a80bc2b9e6033933df64fc11767fd2bef7a7a
SHA512 994ae850d508d1bc3a69136e66a5134d9e3ce3b612b5b0cb6c50331aa1ea1a47edd37ec59eb0b1fdfc995310300bf448260132233b46acd64e39ed1b23d5a95b

C:\Windows\SysWOW64\Jlgepanl.exe

MD5 3ced29c8b19867ba68503346fa73d94d
SHA1 9a033c1655d7c5104433c5e027311d9abaa2b24e
SHA256 bd9465d28b534fb5f7734ed06327d2dcd64177ebb3f0f41d062d596831117019
SHA512 242446d20e67cb569e93395d61571d3b7d1681681440235e72c752c8b744b2f994b6855327bfc2162c602c63fa04bc63377d52d5cd75c01d59f344d299b169b9

C:\Windows\SysWOW64\Jpenfp32.exe

MD5 cde10f2026a9b5e72a1f738127c021ee
SHA1 cf2a774df19a7fe0e9fceb19804d01b004f1a612
SHA256 d53bd1684237820af119ff8e02842ef2c280c4dac79a31628771e9ae04556db8
SHA512 3882db7c8ffbb78d38d6d61a92d7a478f64bdb31df499439789c4e73b873703e3c5423858a0ecb2dbb707926a173364c78792a488e57111d8cbecb351ded56f2

C:\Windows\SysWOW64\Komhll32.exe

MD5 f56b1cea3ee6c6ab4f553210d479a5b5
SHA1 20c438d0b46ddd15a59b680c6a581bca6207351b
SHA256 174fa1abc1ebddbfdc2653514aeb994b1058b22b1412d1b30e16517ca6e2383b
SHA512 df9b73cdfead0a6bd828f77d18b061fccace868e1ed4fc7e0ec9d181fa2ff5e01c1b6d74048de2cc5d6398c97d325add370e0350e088954075bae673b1a6ebb6

C:\Windows\SysWOW64\Klcekpdo.exe

MD5 18d3f5de4e4c4fd3ead6757883da82bc
SHA1 f6140d2e1f7f5a2de86bce1e546b62de6f11a461
SHA256 72e2da61acf6198371be776e56b89bc4a8c6ce243f31e7564f32c759dfb81946
SHA512 437a8a15f80a57eb7452f57d059bc607ca25b9540e4260238813a71524120d6b62e5d1916df65295f0c871fd604f49614c54a987dcf606422cf4643b4d934e64

C:\Windows\SysWOW64\Knenkbio.exe

MD5 ca33211cd5ccf86a6c4d6099a0d79b37
SHA1 45383c361bcce38bcc36770e61feab5cecb9ef3b
SHA256 6e62cefc10dfc45c4176a031560fd2245090c37f5ec02819d98d72d1e5ff317b
SHA512 4e0065066bb2e2bd3795211dccf516a5b2b2a4803f9ba561d5623839187c3a0dfbe296171d3b41566545fb1b0aa61beaf907aaf7ca973322f69f064c93c18ef9

C:\Windows\SysWOW64\Kjlopc32.exe

MD5 71037a9194117d000985e7075a9e2e6d
SHA1 af0a4f44e2d26b2c0b631edf4f2064025ddc0394
SHA256 bba195fefd16c7233e68e99e6c819d172f8c2edd50534838fd4ff1305976e732
SHA512 a4311c3e4bc475f96f8d5256073267d7c8c6413d5c2f2e4a724dc757f504507797b4842a3874c3c8f658c0536d7cc9f7e2d3195b228727da7e17c6e27403adee

C:\Windows\SysWOW64\Lnjgfb32.exe

MD5 45bb68684c82fb3f9977c1762378a4b7
SHA1 2db640ade862d4285a5959c07e7bc8f166e593ac
SHA256 d485433f4e83f065cf9eda13c07b4c87a55818d84dab054a7ea4dc34da6e5a45
SHA512 c668589853d2afefdefeb7a652bbde4907a9a495b9e90dbd53fc09fdb2ab5591c034d0f1fbc57b4035e61ced34760b38e34022042ddff8eb38e59f120fb18849

C:\Windows\SysWOW64\Lnangaoa.exe

MD5 e1b9a53e83ed8ec8f4110234dc391bab
SHA1 de187950bdf5874a5cb51e4bcd0f626d5400339f
SHA256 a5bc592767b8b5e2deeea2114c6e7a4e33416fa15511508d47a389f0071d38f2
SHA512 c24b7d079835affd25b70a35f053e0b8c841e599511a920a629138777f5324d302a995fb7a092b875d97b1ff7740b9c3b7e46c9326c66f1f1833fdf212c4817b

C:\Windows\SysWOW64\Modgdicm.exe

MD5 0e3d0ff15df52d8842e377ae254edd27
SHA1 93d722644b8d299c000399fa118e4071a28ebc59
SHA256 c009823d98d2a609f35062986d5a66438e6c57b1e6c814b0d46cb2ec879d35b3
SHA512 be3d0cdaf5a56276c7b82a19c5d510227dc845ac34162e571c67a09859739a28f0e4bcbb917806647c1c68b26813f39c68d0b0c134ea2ebaba24646e7ec1ce51

C:\Windows\SysWOW64\Moipoh32.exe

MD5 1bd0ce90bdca7635fc416fdabd6d7bbb
SHA1 46453fb3a17d8aa5e1a46f8fa1a17a55271a74de
SHA256 acd4134cb0e512039a33780bcc74c0f7cbc11ff1bc64414704b5268b7e4dcf6f
SHA512 22ef1fa744a3f09c549f0931f67fc48ff493982fc4327fdb7b89d8377f7a2aaf03625de5d88ac604b1ab298122cb623ed2c2da9059a8229a589fa5fbb4dd2054

C:\Windows\SysWOW64\Mqkiok32.exe

MD5 25a46198e018712f8742606378c48299
SHA1 585134123a69e5b7a08a8d0f60234b14c1e3aaa0
SHA256 3778890a9072b9205163d3788e99bbcf9b6dfd96dd5aadcf6ebb95a1854668e3
SHA512 b7d345b53216461c87d0d4261349de4c90fae3d43a362b5be102187bab805a8a0574762282f1adb85098e374734cc507ed1ae6d5eb14518b93b00d3201d59ebb

C:\Windows\SysWOW64\Nqmfdj32.exe

MD5 a1a61c376a238ab1401c681961866785
SHA1 3d97d2edb1acadd0c462b78bfded0d247a1ef90b
SHA256 477b8c07d14ad47670264bb0d30bc53f91a37f715c0a206755920ce306ff03ed
SHA512 f462a8c39981ec0c7b9d15189ae94c74d53529b5494aa675f86e2e3cb0ea7dde868b0e8e85c10f4515f251bc81b446e68650348b1fd9a69db415ff3d76860df8

C:\Windows\SysWOW64\Nnfpinmi.exe

MD5 bab881359077487355f74225682c01ec
SHA1 3ecee7716eb9e610bda443ae963139218c3016da
SHA256 306418f95626be9109542ffbec0c85cb04ed2721112ebcad378f2a07b36967ee
SHA512 dc61c96a308ea3b9b3dfedba2e9f2f89854276bfce4ee37d7904198b008fa78280348b6c6cde3cebeb92b52c316de876eb36d74f8d4f775c160c6e9dcc2eca8e

C:\Windows\SysWOW64\Nfaemp32.exe

MD5 f31ddbb78d60e94d287959ce50f74ea2
SHA1 8c189f4cbb1ef94affa6716df2cc60e059bc0a4d
SHA256 360d4ddd2b4447cf008148c651c22cf10330dcea9652224ad69be23e536928eb
SHA512 32362d37de9bc9ded967deb29b4685b57dc94ec0c720d1ba53b0b433c9efeef1e917b4423b72cf8dca5d1c69fafc63af1ee481eb38102379a36d7b1c8ef87ff4

C:\Windows\SysWOW64\Oakbehfe.exe

MD5 af9b5e98e3d5da4cef31b34781f03cbe
SHA1 998f58e20eba6f101cbc1b41f36a8b5934612474
SHA256 013b2dbed26d5dd46914b83923fb325d5b903e17d1846c3f8928927812f28ff1
SHA512 f08229b9ad856efce6fbfb01108ae85315610edabdd193393cc165b2fc79a2032453f0cc06d4cad446149935dbeda3437deef86fc7c7eb3ffe72cf232edf0f1e

C:\Windows\SysWOW64\Oghghb32.exe

MD5 75ee040a21cbca8b2dad54a61ac2b640
SHA1 feb496bfefcdd537f9d6f23aa4f8320675aa9f54
SHA256 f50c012ec300d5aef11d03e245a8d6f6a2f6338f8db35c39eeb433b13ee07cd8
SHA512 199a605e810f7e4c1dee077756054a277795b6c10889ea776aa8a0d4d5a7e3a777052bc059cd8d213fd0fd31353d24a086343a38ee0f633bea417710f2ae2764

C:\Windows\SysWOW64\Ofmdio32.exe

MD5 f2243c197976696e80edc54adec0306a
SHA1 279610e5fcbfa3cc7a4e03c2945b99fdbe6449ea
SHA256 ef5caaafc7eaf1718d786a288b5e583b0a32d48b20cd0cc0e52f92e40d3fb9b8
SHA512 66f4b6f3e5afaded6ee7d53c8525e7bc40ed4a58cc2cebf5b93077ef144837cd3f45c950cc651de4d39aba1d031dc2763b9c7e44fe164d9fa8589373c9fbf95e

C:\Windows\SysWOW64\Pagbaglh.exe

MD5 888f90dd80c08673d80d5d01a9d55b6d
SHA1 838f8db8f3f3475c54213d0403f41aa67a0805ef
SHA256 89a6f66df9842c7fd8a6117488ffc6aeeb68aac1f4b6580b026c486615e49be6
SHA512 047e3b7b18c0c490e156b3f80086d0d55d42e43b343b0ac82326d1ae51df36c089fa2a22878a8edcbfd9d99a4f6a0520d7ce0dc07299206c2536e5055b5fcc0b

C:\Windows\SysWOW64\Pjpfjl32.exe

MD5 232d4b445e54833a0714ec17e8c0e84e
SHA1 97eadabadb1997d0a22e8ded34f819d8b5d13801
SHA256 5b9d474e704b5739c44cd3942c5b5a35d736001d23efcedb8c686445196cbb89
SHA512 928e280fab992a32677198494d0bcfdf70342abe6f69dfbe733a4caf1d783def4379c8d7b1ec2fddfb3672e57b6aaefc2bb358f963010dbd33b18bfe8de70c01

C:\Windows\SysWOW64\Phfcipoo.exe

MD5 680226a96f4831574465a8c145c2954c
SHA1 1455f2776b3237c43628325a3d7d902071e7267b
SHA256 7d90529f295879aaa73397a28a5bb86a312e1ffab5fec8c2f687f892d38a7e21
SHA512 335f4948ed2a5b8c94b9be493f3871c4498b52b46b3cb453717dee7e2915fe7c0be69444ca23f5dd59bd588f7c8a4270a29f25ea884fba3d88e1652abf24b53e

C:\Windows\SysWOW64\Qhjmdp32.exe

MD5 a9c33f6fab58d06d5764bec6f9c7461e
SHA1 7b2063ef21549b358465e4ea30cf4f946d6431b9
SHA256 567b3af8ee70d42b1f9f402ff908096f382b5202413b86ea6dae7c4c18a4a1f0
SHA512 b31591106242d323f98e74b5df289a4b10edfdcc34d06f8045160c2ff92e73f7367f2a9e07eca1b4758d0e2c15e535e4d85c523e4531ccce11df0a180b70cc6a

C:\Windows\SysWOW64\Afpjel32.exe

MD5 41d793a52ddf2f06c84f968ecb60dc67
SHA1 7d7a0e521c1c6ce8e09fa599dabca79049f1889f
SHA256 e54310d14da3315b2e86ea5a4c949d1e5a8294ddb67baf80324be57cc59d9648
SHA512 e508bb3baead4f814d818eeda3b6ff20cc6800c36e92b74802f806b1822f2e59d8255f3bfc56d98a751a4220c86aae35b2a451cb28e48654ecf43ba2e5ad6ac6

C:\Windows\SysWOW64\Aoioli32.exe

MD5 6d09b117157afa69836091a8224add59
SHA1 9059d37ecf375143fd1b6af6417020d4fe3402bf
SHA256 e14b503e1168db335e58934a46847bdba055ecbf9fc9bc4c3cf6746c87d8d9b9
SHA512 ebd2919e02f83fccee7e50d02319eea0ac6d22f04840a22209dda1a5873f0f9b9a660cea9e2056382de241c35edf3ebac4ff14a1bc4c1f11fcc3df7cf2fc00e6

C:\Windows\SysWOW64\Agdcpkll.exe

MD5 f817ede8a0bebccf2d1125532d6973cd
SHA1 ac8241ab3c38a244113e28b4cb7a5dcf308c72ab
SHA256 b3b0d7087f034659e725e6f64763e020dcee7979e7937811f9effe99387065d4
SHA512 48836002e87cfaedbb6f79cd55a8ab0c43b6f82b7c0107de2fbe36b4527f2d816b9dd63529e3fc56a6d6494980a36576fe08f3a61bd4245b7f77db1f797f7628

C:\Windows\SysWOW64\Baannc32.exe

MD5 aab176a635a1b730758fe7e7236a2dc8
SHA1 6794a8effb4fa0970d49c87e008db9c681940e6a
SHA256 79aeb267f11f9d3b8dcc1d2a19dbe44c7604994371508e665cbf2384e6789724
SHA512 3bdef1371bab44929e22aa1bf8c6e620bb2cd0b4a15d268fb6af4d0447a3c3593ba36386d65fe5c16a37f40ffef415e56c1994afbd0c82bcfd5802add43f1b2f

C:\Windows\SysWOW64\Boenhgdd.exe

MD5 b4b6021a9f9c33c6efd7adc16a687948
SHA1 18cce2e7cb9364cc2ab9e041d1555c126b1b967b
SHA256 d6a6f895de440de67e25336bb65c72209ad01268188028c5fa3ac0e1e2a94675
SHA512 abf5e40fac52c08c9f75cac37397d443a1bb052e7983c87e3e4573bb66ee719429385c92b56504ffd1efd1ce641bbc6ab083468b9035e56d50e6628bc81f28d8

C:\Windows\SysWOW64\Bphgeo32.exe

MD5 86b97821b88c233b64b490fc618652d2
SHA1 389c032d943aa676bf32d1b1d1311c5a1bddff98
SHA256 b5e60abbf9d67afb5bfe59194cf88b3e59adcedb134edd073bec65b3579831b8
SHA512 b1f4f0d4c0e2ffc112835034cf51d4e735eb833b7fc3333680ac2c25f5fb9a98634febd0dc899654e7207d7397c7510e986a4808782e1ac678e75f684a6d594a

C:\Windows\SysWOW64\Ckbemgcp.exe

MD5 536a019588a9448b86395d8ce6de659b
SHA1 a1163ad2bc894b1745fdee5b0d01e1a0fc47afd2
SHA256 86811d8b4f4edd760bd716264969c550d17e1932416f46d528d1aa12c427d3cb
SHA512 6248cda95609d608d8e8a3e567febdbb671c11abee32a92c8225add46513be8e157ca0b4912e1eb661ea0810d2e804cca2033a302539355273076885bab61ef5

C:\Windows\SysWOW64\Dgcihgaj.exe

MD5 ee3c0b929051bf6fd7f84a83db181095
SHA1 5285776e4644563b83760c7c0fbe720fb4671e1e
SHA256 75c8e3f1c7ca6e5b0e161f345a95db39135bd23e81f1c5ac393f3e6c8145b597
SHA512 ba1115f93f19f09521fb49f0bc8ea9e8181690d6f8eee5f167aa897e5b8711ac2ad4c7126e0ea6c2603c0b474f4cccbccf5de5d896423a2efb6e57e77aa5ab08

C:\Windows\SysWOW64\Dkqaoe32.exe

MD5 3673967332850f685b70fbdb654c1e65
SHA1 49b1c918ab8e0d32e244622f01af1428ff479e0c
SHA256 a56053abee4ea4c875b85dd3c4735a5ff5ec101aafdee485be2be45cd4f7b59b
SHA512 6689ec89e451e302b23de07663f69b96361845bee0ff1f6f80372f62a0c28d467d2ac4a6b3274d8a2d54d3ab3bdadb49d8c47852a864a9afd4df7846a8ffd2ff