Malware Analysis Report

2024-12-06 03:28

Sample ID 241110-dvb66axqgz
Target 3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN
SHA256 3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedc
Tags
berbew backdoor discovery persistence
Score
10/10

Analysis Overview

Score
10/10

SHA256

3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedc

Threat Level: Known bad

The file 3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 03:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 03:19

Reported

2024-11-10 03:21

Platform

win7-20240903-en

Max time kernel

73s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aoagccfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aoagccfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfioia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cgoelh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Akabgebj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnknoogp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnknoogp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgoelh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alihaioe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Abpcooea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkhhhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ciihklpj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cagienkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Akabgebj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aakjdo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ciihklpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cagienkb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmpgpond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cmpgpond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qjklenpa.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aakjdo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkhhhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfioia32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qjklenpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Alihaioe.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abpcooea.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjklenpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjklenpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Alihaioe.exe N/A
N/A N/A C:\Windows\SysWOW64\Alihaioe.exe N/A
N/A N/A C:\Windows\SysWOW64\Aohdmdoh.exe N/A
N/A N/A C:\Windows\SysWOW64\Aohdmdoh.exe N/A
N/A N/A C:\Windows\SysWOW64\Akabgebj.exe N/A
N/A N/A C:\Windows\SysWOW64\Akabgebj.exe N/A
N/A N/A C:\Windows\SysWOW64\Aakjdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aakjdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoagccfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoagccfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Abpcooea.exe N/A
N/A N/A C:\Windows\SysWOW64\Abpcooea.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkhhhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bkhhhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnknoogp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnknoogp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfioia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfioia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ciihklpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ciihklpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgoelh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cgoelh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cagienkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cagienkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmpgpond.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmpgpond.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfhkhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfhkhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Bfioia32.exe C:\Windows\SysWOW64\Bnknoogp.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Cmpgpond.exe N/A
File opened for modification C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\Cfhkhd32.exe N/A
File opened for modification C:\Windows\SysWOW64\ÿs.e¢e C:\Windows\SysWOW64\Dpapaj32.exe N/A
File created C:\Windows\SysWOW64\Cceell32.dll C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe N/A
File created C:\Windows\SysWOW64\Ckndebll.dll C:\Windows\SysWOW64\Bkhhhd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ciihklpj.exe C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
File created C:\Windows\SysWOW64\Cmpgpond.exe C:\Windows\SysWOW64\Cagienkb.exe N/A
File opened for modification C:\Windows\SysWOW64\Qjklenpa.exe C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe N/A
File created C:\Windows\SysWOW64\Abpcooea.exe C:\Windows\SysWOW64\Aoagccfn.exe N/A
File created C:\Windows\SysWOW64\Bfioia32.exe C:\Windows\SysWOW64\Bnknoogp.exe N/A
File created C:\Windows\SysWOW64\Aohdmdoh.exe C:\Windows\SysWOW64\Alihaioe.exe N/A
File created C:\Windows\SysWOW64\Aoagccfn.exe C:\Windows\SysWOW64\Aakjdo32.exe N/A
File created C:\Windows\SysWOW64\ÿs.e¢e C:\Windows\SysWOW64\Dpapaj32.exe N/A
File created C:\Windows\SysWOW64\Qjklenpa.exe C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjdkjpkb.exe C:\Windows\SysWOW64\Bfioia32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cagienkb.exe C:\Windows\SysWOW64\Cgoelh32.exe N/A
File created C:\Windows\SysWOW64\Aakjdo32.exe C:\Windows\SysWOW64\Akabgebj.exe N/A
File created C:\Windows\SysWOW64\Hbcfdk32.dll C:\Windows\SysWOW64\Cgoelh32.exe N/A
File created C:\Windows\SysWOW64\Pdkefp32.dll C:\Windows\SysWOW64\Cfhkhd32.exe N/A
File created C:\Windows\SysWOW64\Bjdkjpkb.exe C:\Windows\SysWOW64\Bfioia32.exe N/A
File created C:\Windows\SysWOW64\Lbmnig32.dll C:\Windows\SysWOW64\Bfioia32.exe N/A
File created C:\Windows\SysWOW64\Qcamkjba.dll C:\Windows\SysWOW64\Abpcooea.exe N/A
File created C:\Windows\SysWOW64\Gjhmge32.dll C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
File created C:\Windows\SysWOW64\Cgoelh32.exe C:\Windows\SysWOW64\Ciihklpj.exe N/A
File created C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Cmpgpond.exe N/A
File created C:\Windows\SysWOW64\Alihaioe.exe C:\Windows\SysWOW64\Qjklenpa.exe N/A
File opened for modification C:\Windows\SysWOW64\Aoagccfn.exe C:\Windows\SysWOW64\Aakjdo32.exe N/A
File created C:\Windows\SysWOW64\Adpqglen.dll C:\Windows\SysWOW64\Aohdmdoh.exe N/A
File created C:\Windows\SysWOW64\Imafcg32.dll C:\Windows\SysWOW64\Alihaioe.exe N/A
File created C:\Windows\SysWOW64\Dqaegjop.dll C:\Windows\SysWOW64\Aakjdo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgoelh32.exe C:\Windows\SysWOW64\Ciihklpj.exe N/A
File created C:\Windows\SysWOW64\Pcaibd32.dll C:\Windows\SysWOW64\Cagienkb.exe N/A
File opened for modification C:\Windows\SysWOW64\Alihaioe.exe C:\Windows\SysWOW64\Qjklenpa.exe N/A
File opened for modification C:\Windows\SysWOW64\Aakjdo32.exe C:\Windows\SysWOW64\Akabgebj.exe N/A
File created C:\Windows\SysWOW64\Lloeec32.dll C:\Windows\SysWOW64\Bnknoogp.exe N/A
File created C:\Windows\SysWOW64\Cagienkb.exe C:\Windows\SysWOW64\Cgoelh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmpgpond.exe C:\Windows\SysWOW64\Cagienkb.exe N/A
File opened for modification C:\Windows\SysWOW64\Akabgebj.exe C:\Windows\SysWOW64\Aohdmdoh.exe N/A
File created C:\Windows\SysWOW64\Bbjclbek.dll C:\Windows\SysWOW64\Akabgebj.exe N/A
File created C:\Windows\SysWOW64\Gfnafi32.dll C:\Windows\SysWOW64\Aoagccfn.exe N/A
File created C:\Windows\SysWOW64\Bkhhhd32.exe C:\Windows\SysWOW64\Abpcooea.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkhhhd32.exe C:\Windows\SysWOW64\Abpcooea.exe N/A
File opened for modification C:\Windows\SysWOW64\Bnknoogp.exe C:\Windows\SysWOW64\Bkhhhd32.exe N/A
File created C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\Cfhkhd32.exe N/A
File created C:\Windows\SysWOW64\Dicdjqhf.dll C:\Windows\SysWOW64\Qjklenpa.exe N/A
File created C:\Windows\SysWOW64\Bnknoogp.exe C:\Windows\SysWOW64\Bkhhhd32.exe N/A
File created C:\Windows\SysWOW64\Ciihklpj.exe C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
File created C:\Windows\SysWOW64\Fkdqjn32.dll C:\Windows\SysWOW64\Cmpgpond.exe N/A
File opened for modification C:\Windows\SysWOW64\Aohdmdoh.exe C:\Windows\SysWOW64\Alihaioe.exe N/A
File created C:\Windows\SysWOW64\Jidmcq32.dll C:\Windows\SysWOW64\Ciihklpj.exe N/A
File opened for modification C:\Windows\SysWOW64\Abpcooea.exe C:\Windows\SysWOW64\Aoagccfn.exe N/A
File created C:\Windows\SysWOW64\Akabgebj.exe C:\Windows\SysWOW64\Aohdmdoh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dpapaj32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cagienkb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aakjdo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aoagccfn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkhhhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmpgpond.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Abpcooea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnknoogp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ciihklpj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgoelh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qjklenpa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alihaioe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akabgebj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfioia32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imafcg32.dll" C:\Windows\SysWOW64\Alihaioe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnknoogp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bfioia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll" C:\Windows\SysWOW64\Bfioia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll" C:\Windows\SysWOW64\Cgoelh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfioia32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cgoelh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll" C:\Windows\SysWOW64\Aoagccfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll" C:\Windows\SysWOW64\Akabgebj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Abpcooea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll" C:\Windows\SysWOW64\Ciihklpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qjklenpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll" C:\Windows\SysWOW64\Bnknoogp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll" C:\Windows\SysWOW64\Cagienkb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qjklenpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll" C:\Windows\SysWOW64\Abpcooea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ciihklpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bnknoogp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll" C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdjqhf.dll" C:\Windows\SysWOW64\Qjklenpa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aoagccfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Alihaioe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cagienkb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cagienkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmpgpond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aoagccfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Abpcooea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ciihklpj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Akabgebj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aakjdo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cmpgpond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alihaioe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkhhhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll" C:\Windows\SysWOW64\Cmpgpond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cgoelh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpqglen.dll" C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Akabgebj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aakjdo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqaegjop.dll" C:\Windows\SysWOW64\Aakjdo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bkhhhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll" C:\Windows\SysWOW64\Bkhhhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll" C:\Windows\SysWOW64\Bjdkjpkb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 628 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe C:\Windows\SysWOW64\Qjklenpa.exe
PID 628 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe C:\Windows\SysWOW64\Qjklenpa.exe
PID 628 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe C:\Windows\SysWOW64\Qjklenpa.exe
PID 628 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe C:\Windows\SysWOW64\Qjklenpa.exe
PID 2408 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Qjklenpa.exe C:\Windows\SysWOW64\Alihaioe.exe
PID 2408 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Qjklenpa.exe C:\Windows\SysWOW64\Alihaioe.exe
PID 2408 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Qjklenpa.exe C:\Windows\SysWOW64\Alihaioe.exe
PID 2408 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Qjklenpa.exe C:\Windows\SysWOW64\Alihaioe.exe
PID 2784 wrote to memory of 2940 N/A C:\Windows\SysWOW64\Alihaioe.exe C:\Windows\SysWOW64\Aohdmdoh.exe
PID 2784 wrote to memory of 2940 N/A C:\Windows\SysWOW64\Alihaioe.exe C:\Windows\SysWOW64\Aohdmdoh.exe
PID 2784 wrote to memory of 2940 N/A C:\Windows\SysWOW64\Alihaioe.exe C:\Windows\SysWOW64\Aohdmdoh.exe
PID 2784 wrote to memory of 2940 N/A C:\Windows\SysWOW64\Alihaioe.exe C:\Windows\SysWOW64\Aohdmdoh.exe
PID 2940 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Aohdmdoh.exe C:\Windows\SysWOW64\Akabgebj.exe
PID 2940 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Aohdmdoh.exe C:\Windows\SysWOW64\Akabgebj.exe
PID 2940 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Aohdmdoh.exe C:\Windows\SysWOW64\Akabgebj.exe
PID 2940 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Aohdmdoh.exe C:\Windows\SysWOW64\Akabgebj.exe
PID 2692 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Akabgebj.exe C:\Windows\SysWOW64\Aakjdo32.exe
PID 2692 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Akabgebj.exe C:\Windows\SysWOW64\Aakjdo32.exe
PID 2692 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Akabgebj.exe C:\Windows\SysWOW64\Aakjdo32.exe
PID 2692 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Akabgebj.exe C:\Windows\SysWOW64\Aakjdo32.exe
PID 2588 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Aakjdo32.exe C:\Windows\SysWOW64\Aoagccfn.exe
PID 2588 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Aakjdo32.exe C:\Windows\SysWOW64\Aoagccfn.exe
PID 2588 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Aakjdo32.exe C:\Windows\SysWOW64\Aoagccfn.exe
PID 2588 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Aakjdo32.exe C:\Windows\SysWOW64\Aoagccfn.exe
PID 3040 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Aoagccfn.exe C:\Windows\SysWOW64\Abpcooea.exe
PID 3040 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Aoagccfn.exe C:\Windows\SysWOW64\Abpcooea.exe
PID 3040 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Aoagccfn.exe C:\Windows\SysWOW64\Abpcooea.exe
PID 3040 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Aoagccfn.exe C:\Windows\SysWOW64\Abpcooea.exe
PID 2880 wrote to memory of 3056 N/A C:\Windows\SysWOW64\Abpcooea.exe C:\Windows\SysWOW64\Bkhhhd32.exe
PID 2880 wrote to memory of 3056 N/A C:\Windows\SysWOW64\Abpcooea.exe C:\Windows\SysWOW64\Bkhhhd32.exe
PID 2880 wrote to memory of 3056 N/A C:\Windows\SysWOW64\Abpcooea.exe C:\Windows\SysWOW64\Bkhhhd32.exe
PID 2880 wrote to memory of 3056 N/A C:\Windows\SysWOW64\Abpcooea.exe C:\Windows\SysWOW64\Bkhhhd32.exe
PID 3056 wrote to memory of 1956 N/A C:\Windows\SysWOW64\Bkhhhd32.exe C:\Windows\SysWOW64\Bnknoogp.exe
PID 3056 wrote to memory of 1956 N/A C:\Windows\SysWOW64\Bkhhhd32.exe C:\Windows\SysWOW64\Bnknoogp.exe
PID 3056 wrote to memory of 1956 N/A C:\Windows\SysWOW64\Bkhhhd32.exe C:\Windows\SysWOW64\Bnknoogp.exe
PID 3056 wrote to memory of 1956 N/A C:\Windows\SysWOW64\Bkhhhd32.exe C:\Windows\SysWOW64\Bnknoogp.exe
PID 1956 wrote to memory of 1764 N/A C:\Windows\SysWOW64\Bnknoogp.exe C:\Windows\SysWOW64\Bfioia32.exe
PID 1956 wrote to memory of 1764 N/A C:\Windows\SysWOW64\Bnknoogp.exe C:\Windows\SysWOW64\Bfioia32.exe
PID 1956 wrote to memory of 1764 N/A C:\Windows\SysWOW64\Bnknoogp.exe C:\Windows\SysWOW64\Bfioia32.exe
PID 1956 wrote to memory of 1764 N/A C:\Windows\SysWOW64\Bnknoogp.exe C:\Windows\SysWOW64\Bfioia32.exe
PID 1764 wrote to memory of 1452 N/A C:\Windows\SysWOW64\Bfioia32.exe C:\Windows\SysWOW64\Bjdkjpkb.exe
PID 1764 wrote to memory of 1452 N/A C:\Windows\SysWOW64\Bfioia32.exe C:\Windows\SysWOW64\Bjdkjpkb.exe
PID 1764 wrote to memory of 1452 N/A C:\Windows\SysWOW64\Bfioia32.exe C:\Windows\SysWOW64\Bjdkjpkb.exe
PID 1764 wrote to memory of 1452 N/A C:\Windows\SysWOW64\Bfioia32.exe C:\Windows\SysWOW64\Bjdkjpkb.exe
PID 1452 wrote to memory of 2260 N/A C:\Windows\SysWOW64\Bjdkjpkb.exe C:\Windows\SysWOW64\Ciihklpj.exe
PID 1452 wrote to memory of 2260 N/A C:\Windows\SysWOW64\Bjdkjpkb.exe C:\Windows\SysWOW64\Ciihklpj.exe
PID 1452 wrote to memory of 2260 N/A C:\Windows\SysWOW64\Bjdkjpkb.exe C:\Windows\SysWOW64\Ciihklpj.exe
PID 1452 wrote to memory of 2260 N/A C:\Windows\SysWOW64\Bjdkjpkb.exe C:\Windows\SysWOW64\Ciihklpj.exe
PID 2260 wrote to memory of 2208 N/A C:\Windows\SysWOW64\Ciihklpj.exe C:\Windows\SysWOW64\Cgoelh32.exe
PID 2260 wrote to memory of 2208 N/A C:\Windows\SysWOW64\Ciihklpj.exe C:\Windows\SysWOW64\Cgoelh32.exe
PID 2260 wrote to memory of 2208 N/A C:\Windows\SysWOW64\Ciihklpj.exe C:\Windows\SysWOW64\Cgoelh32.exe
PID 2260 wrote to memory of 2208 N/A C:\Windows\SysWOW64\Ciihklpj.exe C:\Windows\SysWOW64\Cgoelh32.exe
PID 2208 wrote to memory of 2164 N/A C:\Windows\SysWOW64\Cgoelh32.exe C:\Windows\SysWOW64\Cagienkb.exe
PID 2208 wrote to memory of 2164 N/A C:\Windows\SysWOW64\Cgoelh32.exe C:\Windows\SysWOW64\Cagienkb.exe
PID 2208 wrote to memory of 2164 N/A C:\Windows\SysWOW64\Cgoelh32.exe C:\Windows\SysWOW64\Cagienkb.exe
PID 2208 wrote to memory of 2164 N/A C:\Windows\SysWOW64\Cgoelh32.exe C:\Windows\SysWOW64\Cagienkb.exe
PID 2164 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Cagienkb.exe C:\Windows\SysWOW64\Cmpgpond.exe
PID 2164 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Cagienkb.exe C:\Windows\SysWOW64\Cmpgpond.exe
PID 2164 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Cagienkb.exe C:\Windows\SysWOW64\Cmpgpond.exe
PID 2164 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Cagienkb.exe C:\Windows\SysWOW64\Cmpgpond.exe
PID 2248 wrote to memory of 672 N/A C:\Windows\SysWOW64\Cmpgpond.exe C:\Windows\SysWOW64\Cfhkhd32.exe
PID 2248 wrote to memory of 672 N/A C:\Windows\SysWOW64\Cmpgpond.exe C:\Windows\SysWOW64\Cfhkhd32.exe
PID 2248 wrote to memory of 672 N/A C:\Windows\SysWOW64\Cmpgpond.exe C:\Windows\SysWOW64\Cfhkhd32.exe
PID 2248 wrote to memory of 672 N/A C:\Windows\SysWOW64\Cmpgpond.exe C:\Windows\SysWOW64\Cfhkhd32.exe

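The table above lists one row per WriteProcessMemory call, so every spawn in the chain shows up several times. The following Python helper is an added example (my own code, not part of the sandbox report or of the sample) that dedupes the rows, rebuilds the parent/child tree and counts writes per edge, and checks whether any PID was written to by more than one process. The rows embedded in it are copied from the table; the function names are mine.

```python
import re

# Constructed input: thirteen rows copied from the "Suspicious use of
# WriteProcessMemory" table above (one spawn is listed once, three are
# listed four times, exactly as the report shows them).
SAMPLE_ROWS = r"""
PID 2588 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Aakjdo32.exe C:\Windows\SysWOW64\Aoagccfn.exe
PID 3040 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Aoagccfn.exe C:\Windows\SysWOW64\Abpcooea.exe
PID 3040 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Aoagccfn.exe C:\Windows\SysWOW64\Abpcooea.exe
PID 3040 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Aoagccfn.exe C:\Windows\SysWOW64\Abpcooea.exe
PID 3040 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Aoagccfn.exe C:\Windows\SysWOW64\Abpcooea.exe
PID 2880 wrote to memory of 3056 N/A C:\Windows\SysWOW64\Abpcooea.exe C:\Windows\SysWOW64\Bkhhhd32.exe
PID 2880 wrote to memory of 3056 N/A C:\Windows\SysWOW64\Abpcooea.exe C:\Windows\SysWOW64\Bkhhhd32.exe
PID 2880 wrote to memory of 3056 N/A C:\Windows\SysWOW64\Abpcooea.exe C:\Windows\SysWOW64\Bkhhhd32.exe
PID 2880 wrote to memory of 3056 N/A C:\Windows\SysWOW64\Abpcooea.exe C:\Windows\SysWOW64\Bkhhhd32.exe
PID 3056 wrote to memory of 1956 N/A C:\Windows\SysWOW64\Bkhhhd32.exe C:\Windows\SysWOW64\Bnknoogp.exe
PID 3056 wrote to memory of 1956 N/A C:\Windows\SysWOW64\Bkhhhd32.exe C:\Windows\SysWOW64\Bnknoogp.exe
PID 3056 wrote to memory of 1956 N/A C:\Windows\SysWOW64\Bkhhhd32.exe C:\Windows\SysWOW64\Bnknoogp.exe
PID 3056 wrote to memory of 1956 N/A C:\Windows\SysWOW64\Bkhhhd32.exe C:\Windows\SysWOW64\Bnknoogp.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image, target_image) per row."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append((int(m[1]), int(m[2]), m[3], m[4]))
    return rows


def writes_per_edge(rows):
    """How many WriteProcessMemory rows each writer->target pair produced."""
    counts = {}
    for writer, target, _, _ in rows:
        counts[(writer, target)] = counts.get((writer, target), 0) + 1
    return counts


def process_tree(rows):
    """Collapse the rows into roots, a children map and a PID->image map."""
    children, image = {}, {}
    for writer, target, writer_img, target_img in rows:
        image[writer], image[target] = writer_img, target_img
        kids = children.setdefault(writer, [])
        if target not in kids:
            kids.append(target)
    written_to = {t for kids in children.values() for t in kids}
    roots = [pid for pid in children if pid not in written_to]
    return roots, children, image


def basename(path):
    return path.rsplit("\\", 1)[-1]


def render(pids, children, image, depth=0):
    """Indented tree, one process per line, depth-first from the roots."""
    lines = []
    for pid in pids:
        lines.append("  " * depth + f"{basename(image[pid])} (PID {pid})")
        lines.extend(render(children.get(pid, []), children, image, depth + 1))
    return lines


def multi_writer_targets(rows):
    """PIDs written to by more than one distinct process. A spawn chain never
    produces these; injection into an already-running process can."""
    writers = {}
    for writer, target, _, _ in rows:
        writers.setdefault(target, set()).add(writer)
    return sorted(t for t, ws in writers.items() if len(ws) > 1)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print("\n".join(render(*process_tree(rows))))
    for edge, n in sorted(writes_per_edge(rows).items()):
        print(f"{edge[0]} -> {edge[1]}: {n} write(s)")
    print("multi-writer targets:", multi_writer_targets(rows))
```

Run against the full table, this yields a single chain of renamed SysWOW64 copies in which each parent writes only into the child it has just started, four times, and no PID is written to by two different processes. That shape is consistent with ordinary process creation (CreateProcess writes the new process's parameters into its address space before the main thread runs) rather than with injection into an unrelated process, so treat the "Suspicious use of WriteProcessMemory" signature here as corroboration of the spawn chain, and reserve the injection interpretation for targets that predate their writer or appear in multi_writer_targets. Note also that the Processes list that follows shows each image twice: the SysWOW64 path the sandbox resolved and the C:\Windows\system32\... command line the 32-bit parent used; WOW64 file system redirection maps the latter onto SysWOW64, so both refer to the same file.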
Processes

C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe

"C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe"

C:\Windows\SysWOW64\Qjklenpa.exe

C:\Windows\system32\Qjklenpa.exe

C:\Windows\SysWOW64\Alihaioe.exe

C:\Windows\system32\Alihaioe.exe

C:\Windows\SysWOW64\Aohdmdoh.exe

C:\Windows\system32\Aohdmdoh.exe

C:\Windows\SysWOW64\Akabgebj.exe

C:\Windows\system32\Akabgebj.exe

C:\Windows\SysWOW64\Aakjdo32.exe

C:\Windows\system32\Aakjdo32.exe

C:\Windows\SysWOW64\Aoagccfn.exe

C:\Windows\system32\Aoagccfn.exe

C:\Windows\SysWOW64\Abpcooea.exe

C:\Windows\system32\Abpcooea.exe

C:\Windows\SysWOW64\Bkhhhd32.exe

C:\Windows\system32\Bkhhhd32.exe

C:\Windows\SysWOW64\Bnknoogp.exe

C:\Windows\system32\Bnknoogp.exe

C:\Windows\SysWOW64\Bfioia32.exe

C:\Windows\system32\Bfioia32.exe

C:\Windows\SysWOW64\Bjdkjpkb.exe

C:\Windows\system32\Bjdkjpkb.exe

C:\Windows\SysWOW64\Ciihklpj.exe

C:\Windows\system32\Ciihklpj.exe

C:\Windows\SysWOW64\Cgoelh32.exe

C:\Windows\system32\Cgoelh32.exe

C:\Windows\SysWOW64\Cagienkb.exe

C:\Windows\system32\Cagienkb.exe

C:\Windows\SysWOW64\Cmpgpond.exe

C:\Windows\system32\Cmpgpond.exe

C:\Windows\SysWOW64\Cfhkhd32.exe

C:\Windows\system32\Cfhkhd32.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 144

Network

N/A

Files

memory/628-0-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qjklenpa.exe

MD5 57ae8f1ba7cea1f4dfc11a9820d06499
SHA1 1df3c28d010770b5b85c6cdd34de1429096f53cd
SHA256 ec17a1482e3f76b65bc7df9875f1ed93dac3f3114568de79696beeea5daadf41
SHA512 e6b553aa3b3e1f9224300c47af492379f3c499e026cc2e1b9dabcca22eea422b120a48fbc0ae96d9d54a1d8c25904b26faa3e481e45467e98f3d174ca24a53b7

memory/2408-14-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Alihaioe.exe

MD5 7add387e26b33b23cac1de6791a78ad8
SHA1 f4086b436210a68432a7ec1d18dddc5638c5bfad
SHA256 07a52a2307003d2c533841baf35e58a81176dfec8753642131b65ff7dd541b20
SHA512 a9d48cf5d17afa6b973b32d9126721807060e19c7f027c6d112e9b1c091aabd5426e9627f00488d13ff3e9fbf635b5f0b72e830f0b1195080a7cf445fe5954eb

memory/2784-34-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2408-33-0x00000000002D0000-0x0000000000303000-memory.dmp

\Windows\SysWOW64\Aohdmdoh.exe

MD5 959d232401b07e7083e6003268994583
SHA1 9cd6ba451293ee3f796a4e24d3dcd154725d7f8f
SHA256 48c567fec97bdf680a5531364a9c6a9911ce369fa5c8130592bb6616da7815e1
SHA512 992438a358ffcf03da9d1d88f9181bd4e0c243de045fc61140e971ea90dfac8dc4b2dd16cb46cfc0dbb7353040492706507eacd5fabd5dec7196551477ff9f30

memory/2940-43-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2784-42-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2408-32-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/628-13-0x0000000000250000-0x0000000000283000-memory.dmp

memory/628-12-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2940-51-0x0000000000290000-0x00000000002C3000-memory.dmp

\Windows\SysWOW64\Akabgebj.exe

MD5 69930055fa88a501594593e470d52c8b
SHA1 e219dab2a4617353b120b75c2bab557322c2e1ca
SHA256 c9f89fc8dd5071c68c672aecad88708e607f2a2f377480bbe4a5846be70622d3
SHA512 fd992f25a5bc1ac19f7651d316c5c3aa8ac8da3b5b98a1d745684d16562bca54e4be9ff3857e58cae3562f914f1458f5d2fdd748a833da5cc27d01c1824b6c06

memory/2940-57-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/2692-65-0x00000000002F0000-0x0000000000323000-memory.dmp

\Windows\SysWOW64\Aakjdo32.exe

MD5 879df363169cc130d41c1a40203a718e
SHA1 da583bf44d5f772b2b21aea3ecbc3e7975b6dbc4
SHA256 0168600670c6dd1f314d226c9b5abf0b0c627d3639db300b1665fb06783622fd
SHA512 add3699b86c8dbe02b536db5f283f90813214609d745d9764641c74b4a7607f715b5e8e942b95669bdfe48853039d7b26d19fdb74de3c311c941453527130f7e

memory/2588-72-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2692-71-0x00000000002F0000-0x0000000000323000-memory.dmp

memory/2588-90-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2880-100-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Abpcooea.exe

MD5 3331e14f4cfd0aae4f88f6a4df28eadc
SHA1 d6b51c04dd825e583720082e06a28acf41627453
SHA256 0a510e0a83339db0546d9dfaaf19c69537b19867c0a09756d836bba36a58d258
SHA512 85bfc0ef88b3cf07ac30e6dceb5e8bb8c276f74f4b142d232bc67ef824727533bda2ba9a0912e1c8abd3568c7f82b9fa02f8a99567605dcd88b0c3d55077af94

\Windows\SysWOW64\Bkhhhd32.exe

MD5 4137c09891bb28c817c96c54fcf07fcc
SHA1 00611909078ecd6015d6f0ed2559ed733192c3d4
SHA256 ea1dc72f280b996205324d61614490ac3fb25fff89682a11fa3d26556af61570
SHA512 7034aca494b55764db278a42604f86626177d3c0be95ceffdb3fd0972ba4c468bdafbd690e8900404befa1276539536da78141eaa17c87fc699aa2f10c2e841c

memory/3040-92-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2588-91-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Aoagccfn.exe

MD5 af61a10327fe528e6dbc586ede9840fd
SHA1 ba550340209e05ab627edd106c7a97b7a706e009
SHA256 160e288c554e39eca75a7459cb8fddde6236920cb94e0c2eeebb925970a85a61
SHA512 89531e705f1118316eea22874a5f8554a52a47cc976f54e7e0e986adbd3ecf71b65d8f88aa2e4e004dcd7b998776ec8c50d6384c2f6b2b50da4546d0c156f670

memory/3056-113-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bnknoogp.exe

MD5 2a47f5ef897390fd5546d0f4d8be470f
SHA1 e1d27a0f4fb4ba3490cd848b614883509662eb56
SHA256 1114d46d0cd027f28383b86da97baede9c30d075250b5750e1b4fd7b11ccc933
SHA512 3c538864a5c1d45f438cde6cba437e3697bbd28963a381c6dc750f58b327fa4ace74d03f57f405b859a383a21cfe70546ee30d395c54e089f378e8859e23db4d

memory/3056-121-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Bfioia32.exe

MD5 071c4f18d162b993642e3bba7e71eac8
SHA1 641b75330c5c49721381f5430857b738c438744e
SHA256 a20a9ba8339503bd33608c807cfa56b6ecdb088c79ebd7adcc77218e809b0287
SHA512 1baa231aa0c4a3bd85a906c439331907456685a2bde798f1edd6efab17a37f9a0d61eda9b5b71686777026f160653d7810d49263bf7a7c452e61b9bad73958f3

\Windows\SysWOW64\Bjdkjpkb.exe

MD5 f6cff479e84c41d3a15df97a47bbcf4a
SHA1 0e520039c361edcd5496cae703167ef6d3b67722
SHA256 d66f9cbb8e3bc58714cf8686d08ace2ec12c53ea7317719f70e8d1bbd3f92cfa
SHA512 0f4b04918bf9c545cbfa8f5fea8047baedc379409f119ede25737ef36207d51805bbf5cf512b69d3e9b88bc9071559970f059e7b35af3b3756bf6fd81565cb25

memory/1956-134-0x00000000002E0000-0x0000000000313000-memory.dmp

memory/1452-160-0x0000000000250000-0x0000000000283000-memory.dmp

\Windows\SysWOW64\Ciihklpj.exe

MD5 d1ca946c67930980652dd06dacaaeae8
SHA1 886b77f165ce43a7e2fad99476388e6be4540276
SHA256 3e75c21b7b2c116792b8f453f31172b8050a4acac7717d8caad0628c4ba3af40
SHA512 8cffaea68accab0d051a8fda058a7be77c54be5fdb9b76d0629f250b1739bf91975c39d97338c48f3fa1e7eabd971c3c1284620e935c81fa29e4dbf36e5b3457

memory/1452-152-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cgoelh32.exe

MD5 2069839e7f50000aa0b4afd6ee212e49
SHA1 9a738b461da31d4b2ceaa1ea1c16189964791d05
SHA256 2ff071f3fe2ae24b1561481ce6e316888afe297744dda3e4090ae9ad35d7a56e
SHA512 b6cbec81b1153f7e39e4587ae4febae51d8d301285a49ec26e47cf28b5ee7f71e83d19a24a5532a12740082dd7b0c4dda3f67781116a97ad6a7e061512e7801a

memory/2260-177-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2164-193-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cagienkb.exe

MD5 297a6e677df9d1fa0afcd9acd34e08d8
SHA1 6a6451c38f8a2ed4a8fb676c9eb13d7ae7dc806d
SHA256 e668609fe2a93ed01f14c355f64da3abbc98861a52d7919feaaae84829fb1117
SHA512 b97ccb0e2db06285291821f753c4be73caa7ca811e5a91525396336b888570df484c280941bd4a5a4c2e16aa2a9fe24124346bfa09baac5d3f69bb3d92797486

C:\Windows\SysWOW64\Cmpgpond.exe

MD5 8d8dce26e05b28504bd1e4d0076908e8
SHA1 ff0fa02b640d43662ab8d26064cb1ef82356d080
SHA256 06acfe06fe89f2703729dff2273538dc33c2858a02a203bf7a20d68b779ec7ce
SHA512 b36d1d70efb5b33a41f7c66fc9bffb397dc225139540ef854bc85ecc66159f54ca58792dfdccf4a3f59ba8323e0c00072e0124a4f227ab99c9f51418c075bf4a

memory/2248-207-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cfhkhd32.exe

MD5 c68e141ed4eb5b58a343d4671b849975
SHA1 ef698b19a548bdde31c7c123187311d9c3e04b5c
SHA256 e85559c9c29e34fbfd7c6dc403d896ff6c49aa9afa812ec1578c5629afa76384
SHA512 c778e89cdbdf30fa59d0f74abcd3365a895d6c78b8e49fce808fc4c9fde122ff5b7208fa52176537847276a9dfa24a69820e692eea21038893e4bdbddbf9add2

memory/672-220-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2956-230-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dpapaj32.exe

MD5 6fd2b06b37ff1753cdf22d1f65a54e3c
SHA1 39e2383a1cbdb13b72dfe2f06dfbd305709bdb39
SHA256 e7c65aea20530f991be557120991ac7d383c2eb0eddaab0f8e8e5600cd921ae5
SHA512 7fd767b1560d0887c74da2712bb0905e1564e51240312f4d8da42a6c486a03963da83653046bc722e475e31c02097ba2142acc11f97f5bcfe552be4388cf13f3

memory/2164-205-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2208-191-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2208-186-0x0000000000440000-0x0000000000473000-memory.dmp

memory/1452-244-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2940-256-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2588-255-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2692-254-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2408-253-0x0000000000400000-0x0000000000433000-memory.dmp

memory/628-252-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1956-251-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2880-250-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3056-249-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2164-246-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1764-245-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2260-241-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2208-240-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2248-237-0x0000000000400000-0x0000000000433000-memory.dmp

memory/672-236-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2956-233-0x0000000000400000-0x0000000000433000-memory.dmp

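Every dropped executable in the Files section carries a different hash, yet every memory dump taken at the 32-bit image base spans 0x400000-0x433000, the same 0x33000 bytes, and several parents also hold a second private region of exactly that size. The Python below is an added example (my own code, not from the report or the sample) that parses this section into memory-dump and dropped-file records, validates the hash lengths, extracts the SHA256 IOCs and surfaces those equal-sized private regions. The records embedded in it are copied from the section above; the assumption that device-relative paths (\Windows\...) sit on C: is mine, as are the function names.

```python
import re

# Constructed input: the first few entries of the behavioral1 Files section
# above, copied verbatim (paths, hashes and memory-dump names are the report's).
SAMPLE_FILES = r"""
memory/628-0-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Qjklenpa.exe

MD5 57ae8f1ba7cea1f4dfc11a9820d06499
SHA1 1df3c28d010770b5b85c6cdd34de1429096f53cd
SHA256 ec17a1482e3f76b65bc7df9875f1ed93dac3f3114568de79696beeea5daadf41
SHA512 e6b553aa3b3e1f9224300c47af492379f3c499e026cc2e1b9dabcca22eea422b120a48fbc0ae96d9d54a1d8c25904b26faa3e481e45467e98f3d174ca24a53b7

memory/2408-14-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Alihaioe.exe

MD5 7add387e26b33b23cac1de6791a78ad8
SHA1 f4086b436210a68432a7ec1d18dddc5638c5bfad
SHA256 07a52a2307003d2c533841baf35e58a81176dfec8753642131b65ff7dd541b20
SHA512 a9d48cf5d17afa6b973b32d9126721807060e19c7f027c6d112e9b1c091aabd5426e9627f00488d13ff3e9fbf635b5f0b72e830f0b1195080a7cf445fe5954eb

memory/2784-34-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2408-33-0x00000000002D0000-0x0000000000303000-memory.dmp

\Windows\SysWOW64\Aohdmdoh.exe

MD5 959d232401b07e7083e6003268994583
SHA1 9cd6ba451293ee3f796a4e24d3dcd154725d7f8f
SHA256 48c567fec97bdf680a5531364a9c6a9911ce369fa5c8130592bb6616da7815e1
SHA512 992438a358ffcf03da9d1d88f9181bd4e0c243de045fc61140e971ea90dfac8dc4b2dd16cb46cfc0dbb7353040492706507eacd5fabd5dec7196551477ff9f30

memory/628-13-0x0000000000250000-0x0000000000283000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
IMAGE_BASE = 0x400000  # default image base of a 32-bit PE; dumps here are the mapped EXE


def normalise_path(path):
    # Some drops are listed device-relative (\Windows\...). Assume the system
    # drive is C: (an assumption; the report does not say).
    return "C:" + path if path.startswith("\\") else path


def parse_files_section(text):
    """Split the Files section into memory-dump records and dropped-file records."""
    dumps, files, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": int(m[1]), "seq": int(m[2]), "start": start, "size": end - start})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash without a preceding path: {line!r}")
            algo, digest = m[1], m[2].lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"truncated {algo} on {current['path']}")
            current[algo] = digest
            continue
        current = {"path": normalise_path(line)}
        files.append(current)
    return dumps, files


def image_sizes(dumps):
    """Distinct sizes of the regions mapped at the PE image base."""
    return {d["size"] for d in dumps if d["start"] == IMAGE_BASE}


def pids_with_image(dumps):
    return sorted({d["pid"] for d in dumps if d["start"] == IMAGE_BASE})


def staged_copies(dumps):
    """Private regions exactly one image in size but not at the image base: the
    shape expected if a process builds its next copy in memory before writing
    it to disk (a hypothesis to confirm by diffing the dumps, not a finding)."""
    sizes = image_sizes(dumps)
    return [d for d in dumps if d["start"] != IMAGE_BASE and d["size"] in sizes]


def sha256_iocs(files):
    return sorted({f["SHA256"] for f in files if "SHA256" in f})


if __name__ == "__main__":
    dumps, files = parse_files_section(SAMPLE_FILES)
    print("image size(s):", [hex(s) for s in image_sizes(dumps)])
    print("PIDs with a dumped image:", pids_with_image(dumps))
    print("staged copies:", [(d["pid"], hex(d["start"])) for d in staged_copies(dumps)])
    print("SHA256 IOCs:", *sha256_iocs(files), sep="\n  ")
```

The practical point: because each copy on disk hashes differently, the SHA256 list is only good for blocking the files this one detonation produced; the next host will see new names and new hashes with the same 0x33000-byte image. Detection has to rest on the behaviour the report records (the ShellServiceObjectDelayLoad write, the chain of renamed drops in SysWOW64), with the hashes kept as corroborating IOCs.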
Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 03:19

Reported

2024-11-10 03:21

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfjpfj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gjfnedho.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hibafp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cammjakm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecbjkngo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ijqmhnko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ipeeobbe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcdala32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkohaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdbnjdfg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fealin32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmblagmf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Emdajb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ibcaknbi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lflbkcll.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fideeaco.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jnjejjgh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Knchpiom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjdebfnd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fijkdmhn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jgeghp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lmdemd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebimgcfi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njhgbp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mchppmij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Domdjj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Maggnali.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mnmdme32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdbnjdfg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdmfllhn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Embddb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ilccoh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcphab32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kkconn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmpolgoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eppqqn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jgbjbp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njfagf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pefabkej.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjmjdm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Icdheded.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pocpfphe.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kngkqbgl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dlieda32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Glldgljg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qeodhjmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dbcmakpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbabigfj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmoiqneg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dooaoj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ompfej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Glcaambb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ojgjndno.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Omjpeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eiokinbk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngjkfd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgkiaj32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkbmqb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Knalji32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pefabkej.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ckebcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jgkmgk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cklhcfle.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Igbalblk.exe N/A

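Explorer instantiates every CLSID listed under ShellServiceObjectDelayLoad at logon, in its own process, so a value pointing at an attacker-registered CLSID loads that object's InprocServer32 DLL into explorer.exe without any Run key. Note that every renamed copy in this detonation writes the same value name and CLSID (Web Event Logger = {79FEACFF-FFCE-815E-A900-316290B5B738}); that string is the stable indicator to hunt for, not the file names. Because the 32-bit sample lands in the WOW6432Node view, check both views rather than assuming which one the 64-bit Explorer honours. The Python below is an added example (my own code, not from the report or the sample) that parses a reg export of both views, resolves each CLSID to its DLL and flags entries absent from a known-good baseline. The .reg text embedded in it is constructed: the SSODL value and CLSID are the ones the report shows, the WebCheck baseline entry is an assumed built-in, and the mapping of the CLSID to Fenhjedb.dll (a DLL the behavioral2 drop table shows being created) is illustrative, not something the report establishes.

```python
import re

# Constructed input in 'reg export' format. The SSODL value and CLSID are the
# ones the report shows; WebCheck is the usual built-in entry (assumption) and
# the mapping of the CLSID to Fenhjedb.dll is illustrative, not from the report.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="C:\\Windows\\System32\\webcheck.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"Web Event Logger"="{79FEACFF-FFCE-815E-A900-316290B5B738}"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="C:\\Windows\\SysWOW64\\webcheck.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InprocServer32]
@="C:\\Windows\\SysWOW64\\Fenhjedb.dll"
"ThreadingModel"="Apartment"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Per registry view: where Explorer reads SSODL and where its CLSIDs resolve.
VIEWS = {
    "native": (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
               r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"),
    "wow64": (r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
              r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID"),
}

# Known-good CLSIDs from a clean reference image of the same build. Only
# WebCheck here, as an example baseline; build yours from a golden image.
BASELINE = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse the string (REG_SZ) values of a .reg export into {key: {name: value}}.
    Keys are lower-cased because the registry is case-insensitive."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m[1].lower()
            reg.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None and m[2].startswith('"') and m[2].endswith('"'):
            name = "" if m[1] == "@" else _unescape(m[1][1:-1])
            reg[key][name] = _unescape(m[2][1:-1])
        # dword:/hex: values are not needed for SSODL and are skipped
    return reg


def ssodl_entries(reg):
    entries = []
    for view, (ssodl_key, _) in VIEWS.items():
        for name, clsid in reg.get(ssodl_key.lower(), {}).items():
            entries.append((view, name, clsid.upper()))
    return entries


def resolve_dll(reg, view, clsid):
    """Default value of the CLSID's InprocServer32 key in the same view."""
    clsid_root = VIEWS[view][1]
    return reg.get(f"{clsid_root}\\{clsid}\\InprocServer32".lower(), {}).get("")


def audit(reg, baseline=BASELINE):
    findings = []
    for view, name, clsid in ssodl_entries(reg):
        reasons = []
        if clsid not in baseline:
            reasons.append("CLSID not in known-good baseline")
        dll = resolve_dll(reg, view, clsid)
        if dll is None:
            reasons.append("no InprocServer32 registration in this view")
        if reasons:
            findings.append({"view": view, "name": name, "clsid": clsid, "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg(SAMPLE_REG)):
        print(f"[{f['view']}] {f['name']} = {f['clsid']} -> {f['dll']}: {', '.join(f['reasons'])}")
```

To use it on a real host, export both keys with reg export (open the resulting files with encoding="utf-16", which is what reg.exe writes) and hash the DLL each finding resolves to; an SSODL entry whose DLL is unsigned or lives outside the system directories is a stronger signal than the location test alone, since this family also drops into SysWOW64. For live detection, alert on any Set value under a ShellServiceObjectDelayLoad key by a process that is not a trusted installer.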
Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ccbadp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cioilg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkbocbog.exe N/A
N/A N/A C:\Windows\SysWOW64\Dblgpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmalne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpphjp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbndfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfjpfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dihlbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmdhcddh.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpbdopck.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcnqpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflmlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djhimica.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmfeidbe.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlieda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcpmen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbcmakpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Djjebh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dimenegi.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlkbjqgm.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpgnjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecbjkngo.exe N/A
N/A N/A C:\Windows\SysWOW64\Efafgifc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejlbhh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emkndc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epikpo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecefqnel.exe N/A
N/A N/A C:\Windows\SysWOW64\Efccmidp.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaoid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emmkiclm.exe N/A
N/A N/A C:\Windows\SysWOW64\Eplgeokq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecgcfm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efepbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eidlnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elbhjp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eciplm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eblpgjha.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejchhgid.exe N/A
N/A N/A C:\Windows\SysWOW64\Embddb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eppqqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebommi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejfeng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emdajb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpbmfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbajbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffmfchle.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmfnpa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpejlmcf.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdqfll32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffobhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmikeaap.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpggamqc.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbfcmhpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjmkoeqi.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmkgkapm.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpjcgm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbhpch32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjohde32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmndpq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fplpll32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbjmhh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fideeaco.exe N/A
N/A N/A C:\Windows\SysWOW64\Glcaambb.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Hbjoeojc.exe C:\Windows\SysWOW64\Hibjli32.exe N/A
File created C:\Windows\SysWOW64\Kcpahpmd.exe C:\Windows\SysWOW64\Kqbdldnq.exe N/A
File created C:\Windows\SysWOW64\Paoollik.exe C:\Windows\SysWOW64\Popbpqjh.exe N/A
File opened for modification C:\Windows\SysWOW64\Pdmkhgho.exe C:\Windows\SysWOW64\Paoollik.exe N/A
File opened for modification C:\Windows\SysWOW64\Deqcbpld.exe C:\Windows\SysWOW64\Dbbffdlq.exe N/A
File created C:\Windows\SysWOW64\Fenhjedb.dll C:\Windows\SysWOW64\Hmkigh32.exe N/A
File created C:\Windows\SysWOW64\Plbhknkl.dll C:\Windows\SysWOW64\Hmpjmn32.exe N/A
File created C:\Windows\SysWOW64\Ijegcm32.exe C:\Windows\SysWOW64\Iggjga32.exe N/A
File created C:\Windows\SysWOW64\Anaemfem.dll C:\Windows\SysWOW64\Jddnfd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kqdaadln.exe C:\Windows\SysWOW64\Knfeeimj.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnindhpg.exe C:\Windows\SysWOW64\Cofnik32.exe N/A
File opened for modification C:\Windows\SysWOW64\Phaahggp.exe C:\Windows\SysWOW64\Poimpapp.exe N/A
File created C:\Windows\SysWOW64\Cocopa32.dll C:\Windows\SysWOW64\Eppjfgcp.exe N/A
File created C:\Windows\SysWOW64\Opcefi32.dll C:\Windows\SysWOW64\Ompfej32.exe N/A
File created C:\Windows\SysWOW64\Bgkiaj32.exe C:\Windows\SysWOW64\Apodoq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dcpmen32.exe C:\Windows\SysWOW64\Dlieda32.exe N/A
File created C:\Windows\SysWOW64\Lmbhgd32.exe C:\Windows\SysWOW64\Ljclki32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mmbanbmg.exe C:\Windows\SysWOW64\Mjdebfnd.exe N/A
File created C:\Windows\SysWOW64\Ocoaob32.dll C:\Windows\SysWOW64\Gfeaopqo.exe N/A
File opened for modification C:\Windows\SysWOW64\Lnldla32.exe C:\Windows\SysWOW64\Lpfgmnfp.exe N/A
File created C:\Windows\SysWOW64\Pmoiqneg.exe C:\Windows\SysWOW64\Pkpmdbfd.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfglfdkb.exe C:\Windows\SysWOW64\Dnpdegjp.exe N/A
File created C:\Windows\SysWOW64\Adfonlkp.dll C:\Windows\SysWOW64\Jlgepanl.exe N/A
File created C:\Windows\SysWOW64\Dmalne32.exe C:\Windows\SysWOW64\Dblgpl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dlkbjqgm.exe C:\Windows\SysWOW64\Dimenegi.exe N/A
File created C:\Windows\SysWOW64\Hildmn32.exe C:\Windows\SysWOW64\Hgmgqc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Idfaefkd.exe C:\Windows\SysWOW64\Iloidijb.exe N/A
File opened for modification C:\Windows\SysWOW64\Ljclki32.exe C:\Windows\SysWOW64\Lgepom32.exe N/A
File created C:\Windows\SysWOW64\Mfeeabda.exe C:\Windows\SysWOW64\Mokmdh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cglbhhga.exe C:\Windows\SysWOW64\Cdmfllhn.exe N/A
File created C:\Windows\SysWOW64\Jcfggkac.exe C:\Windows\SysWOW64\Jniood32.exe N/A
File created C:\Windows\SysWOW64\Bnffda32.dll C:\Windows\SysWOW64\Dblgpl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Meiioonj.exe C:\Windows\SysWOW64\Mmbanbmg.exe N/A
File created C:\Windows\SysWOW64\Ohkkhhmh.exe C:\Windows\SysWOW64\Oelolmnd.exe N/A
File created C:\Windows\SysWOW64\Eoaedogc.dll C:\Windows\SysWOW64\Popbpqjh.exe N/A
File created C:\Windows\SysWOW64\Eoideh32.exe C:\Windows\SysWOW64\Eiokinbk.exe N/A
File created C:\Windows\SysWOW64\Cnindhpg.exe C:\Windows\SysWOW64\Cofnik32.exe N/A
File created C:\Windows\SysWOW64\Peaggfjj.dll C:\Windows\SysWOW64\Lflbkcll.exe N/A
File created C:\Windows\SysWOW64\Lngqkhda.dll C:\Windows\SysWOW64\Pjbcplpe.exe N/A
File created C:\Windows\SysWOW64\Eghghj32.dll C:\Windows\SysWOW64\Lklbdm32.exe N/A
File created C:\Windows\SysWOW64\Ldipha32.exe C:\Windows\SysWOW64\Lmbhgd32.exe N/A
File created C:\Windows\SysWOW64\Fnipgg32.dll C:\Windows\SysWOW64\Mebcop32.exe N/A
File created C:\Windows\SysWOW64\Bfkegm32.dll C:\Windows\SysWOW64\Mkohaj32.exe N/A
File created C:\Windows\SysWOW64\Omgcpokp.exe C:\Windows\SysWOW64\Ojigdcll.exe N/A
File created C:\Windows\SysWOW64\Ckbemgcp.exe C:\Windows\SysWOW64\Chdialdl.exe N/A
File opened for modification C:\Windows\SysWOW64\Qkipkani.exe C:\Windows\SysWOW64\Qdphngfl.exe N/A
File created C:\Windows\SysWOW64\Dnmhpg32.exe C:\Windows\SysWOW64\Dkokcl32.exe N/A
File created C:\Windows\SysWOW64\Eemnff32.dll C:\Windows\SysWOW64\Jgpfbjlo.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlegnjbm.exe C:\Windows\SysWOW64\Higjaoci.exe N/A
File created C:\Windows\SysWOW64\Hgkkkcbc.exe C:\Windows\SysWOW64\Hdmoohbo.exe N/A
File created C:\Windows\SysWOW64\Ikkpgafg.exe C:\Windows\SysWOW64\Icdheded.exe N/A
File opened for modification C:\Windows\SysWOW64\Knalji32.exe C:\Windows\SysWOW64\Kkconn32.exe N/A
File created C:\Windows\SysWOW64\Jocgnlha.dll C:\Windows\SysWOW64\Pocpfphe.exe N/A
File created C:\Windows\SysWOW64\Bcjfln32.dll C:\Windows\SysWOW64\Mgloefco.exe N/A
File created C:\Windows\SysWOW64\Qlejfm32.dll C:\Windows\SysWOW64\Dcnqpo32.exe N/A
File created C:\Windows\SysWOW64\Ljfhqh32.exe C:\Windows\SysWOW64\Lggldm32.exe N/A
File created C:\Windows\SysWOW64\Mebcop32.exe C:\Windows\SysWOW64\Maggnali.exe N/A
File opened for modification C:\Windows\SysWOW64\Mebcop32.exe C:\Windows\SysWOW64\Maggnali.exe N/A
File opened for modification C:\Windows\SysWOW64\Kgflcifg.exe C:\Windows\SysWOW64\Klahfp32.exe N/A
File created C:\Windows\SysWOW64\Ecefqnel.exe C:\Windows\SysWOW64\Epikpo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ljfhqh32.exe C:\Windows\SysWOW64\Lggldm32.exe N/A
File created C:\Windows\SysWOW64\Cfpffeaj.exe C:\Windows\SysWOW64\Cnindhpg.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmadco32.exe C:\Windows\SysWOW64\Dfglfdkb.exe N/A
File opened for modification C:\Windows\SysWOW64\Klahfp32.exe C:\Windows\SysWOW64\Kjblje32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dkqaoe32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lekmnajj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnjdpaki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nghekkmn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdphngfl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkaobnio.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofkgcobj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fmndpq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mnhkbfme.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jlobkg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dihlbf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gblbca32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lflbkcll.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aekddhcb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hbhboolf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hgmgqc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkgiimng.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ohkkhhmh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dooaoj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfiildio.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jljbeali.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nclbpf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fpejlmcf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hdhedh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnafno32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ppolhcnm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lmpkadnm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kpjgaoqm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fpggamqc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jncoikmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdigadjo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lggldm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mccfdmmo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mkjnfkma.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dcnqpo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpgnjo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aggpfkjj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpfcfmlp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lqikmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fealin32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmfcok32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnfkdb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gpqjglii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Idhnkf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hibjli32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kqbdldnq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmadco32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jcfggkac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oeheqm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eblimcdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hmkigh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iebngial.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fbfcmhpg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgehfkop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hlambk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdenmbkk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Emdajb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ffmfchle.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkconn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmfeidbe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fpbmfn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ipflihfq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nqmfdj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Maggnali.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jcanll32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaakdpkj.dll" C:\Windows\SysWOW64\Ohfami32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppioondd.dll" C:\Windows\SysWOW64\Dfdpad32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocopa32.dll" C:\Windows\SysWOW64\Eppjfgcp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqmbmdf.dll" C:\Windows\SysWOW64\Fmcjpl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fdqfll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npodfe32.dll" C:\Windows\SysWOW64\Ffobhg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkfjo32.dll" C:\Windows\SysWOW64\Mchppmij.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ojdnid32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ahippdbe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fmfnpa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keaebdpc.dll" C:\Windows\SysWOW64\Ingpmmgm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Maiccajf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fpggamqc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ojgjndno.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aednci32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fpejlmcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gceegdko.dll" C:\Windows\SysWOW64\Cfipef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Emmdom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fealin32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hgdejd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oloahhki.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfohjf32.dll" C:\Windows\SysWOW64\Qaalblgi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afnqfkij.dll" C:\Windows\SysWOW64\Dkokcl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimhbfpl.dll" C:\Windows\SysWOW64\Fijkdmhn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll" C:\Windows\SysWOW64\Cnfkdb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gbofcghl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ilafiihp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kqfngd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdpmoppk.dll" C:\Windows\SysWOW64\Pkbjjbda.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Alkijdci.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaabap32.dll" C:\Windows\SysWOW64\Ipeeobbe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mokmdh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmfeidbe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Efafgifc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jdfjld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkajlm32.dll" C:\Windows\SysWOW64\Addaif32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Albpkc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjhhfnd.dll" C:\Windows\SysWOW64\Bkaobnio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bnoknihb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Igfclkdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfmioc32.dll" C:\Windows\SysWOW64\Elbhjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gigaka32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Palbgl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqojdee.dll" C:\Windows\SysWOW64\Nclbpf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll" C:\Windows\SysWOW64\Cpbjkn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jnhidk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joicekop.dll" C:\Windows\SysWOW64\Lgjijmin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Blqllqqa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oidalg32.dll" C:\Windows\SysWOW64\Dkfadkgf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lobjni32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgbdc32.dll" C:\Windows\SysWOW64\Gpecbk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgfb32.dll" C:\Windows\SysWOW64\Hdokdg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gapjhc32.dll" C:\Windows\SysWOW64\Icdheded.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cnindhpg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gojiiafp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcpeei32.dll" C:\Windows\SysWOW64\Dpphjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebommi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mnmdme32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eeelnp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmcjpl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihgkk32.dll" C:\Windows\SysWOW64\Lggejg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ecbjkngo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Igdnabjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cofnik32.exe N/A
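
The rows above all touch one CLSID, {79FEACFF-FFCE-815E-A900-316290B5B738}: each dropped executable in turn recreates its InProcServer32 key and rewrites the default value to a freshly dropped DLL under C:\Windows\SysWow64 with ThreadingModel = "Apartment". Only the last write survives, and that DLL is what Explorer.exe will load through the ShellServiceObjectDelayLoad (SSODL) entry the sample also creates. The PowerShell below is an added example for hunting this chain on a live host; it is not part of the sandbox report or the vendor's tooling. It walks both SSODL keys, resolves each CLSID it names in the native and WOW6432Node views, and checks the Authenticode signature of the resulting DLL. The function names Resolve-InProcServer32 and Get-SsodlFindings and the rule "anything not Microsoft-signed is suspicious" are this example's own assumptions. The WOW6432Node paths appear in this report because the sample runs as a 32-bit process under WoW64; a native 64-bit variant would land in the non-redirected keys, which the script covers as well.

```powershell
# Added example (not part of the sandbox report): hunt for the SSODL -> CLSID ->
# InProcServer32 persistence recorded above on a live Windows host.
# Read-only; run from an elevated PowerShell.

$ssodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'          # per-user view, a common COM hijack location
)

# Resolve a CLSID to every InProcServer32 registration it has (one per view).
function Resolve-InProcServer32 {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $clsidRoots) {
        $key = Join-Path $root "$Clsid\InProcServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        [pscustomobject]@{
            Key            = $key
            # The '(default)' value is the DLL path; the report shows it as "InProcServer32\ ="
            Dll            = [Environment]::ExpandEnvironmentVariables([string]$props.'(default)')
            ThreadingModel = $props.ThreadingModel
        }
    }
}

# Enumerate SSODL values (value name -> CLSID) and score the DLL each one leads to.
function Get-SsodlFindings {
    foreach ($ssodl in $ssodlKeys) {
        if (-not (Test-Path -LiteralPath $ssodl)) { continue }
        $entry = Get-ItemProperty -LiteralPath $ssodl
        # Drop PowerShell's own PSPath/PSChildName/... note properties; the rest are SSODL values.
        $valueNames = $entry.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
        foreach ($name in $valueNames) {
            $clsid = [string]$entry.$name
            foreach ($srv in Resolve-InProcServer32 -Clsid $clsid) {
                $status = 'Missing'; $signer = $null
                if ($srv.Dll -and (Test-Path -LiteralPath $srv.Dll)) {
                    $sig    = Get-AuthenticodeSignature -FilePath $srv.Dll
                    $status = $sig.Status
                    $signer = $sig.SignerCertificate.Subject
                }
                # Heuristic (this example's assumption): stock SSODL objects are Microsoft-signed.
                # The DLLs in this report sit inside SysWow64 but carry no signature at all.
                $suspicious = ($status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
                [pscustomobject]@{
                    SsodlKey   = $ssodl
                    ValueName  = $name
                    Clsid      = $clsid
                    ClsidKey   = $srv.Key
                    Dll        = $srv.Dll
                    Threading  = $srv.ThreadingModel
                    Signature  = $status
                    Suspicious = $suspicious
                }
            }
        }
    }
}

Get-SsodlFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A Suspicious = True row whose DLL sits under SysWOW64 with an eight-letter name like the ones listed above is the on-disk shape of what this report recorded. Copy the DLL out for analysis before deleting the SSODL value and the CLSID key; removing only the file leaves Explorer.exe attempting the load at every logon, which is itself a useful forensic trace.
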

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3788 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe C:\Windows\SysWOW64\Ccbadp32.exe
PID 3788 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe C:\Windows\SysWOW64\Ccbadp32.exe
PID 3788 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe C:\Windows\SysWOW64\Ccbadp32.exe
PID 3748 wrote to memory of 4432 N/A C:\Windows\SysWOW64\Ccbadp32.exe C:\Windows\SysWOW64\Cioilg32.exe
PID 3748 wrote to memory of 4432 N/A C:\Windows\SysWOW64\Ccbadp32.exe C:\Windows\SysWOW64\Cioilg32.exe
PID 3748 wrote to memory of 4432 N/A C:\Windows\SysWOW64\Ccbadp32.exe C:\Windows\SysWOW64\Cioilg32.exe
PID 4432 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Cioilg32.exe C:\Windows\SysWOW64\Dkbocbog.exe
PID 4432 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Cioilg32.exe C:\Windows\SysWOW64\Dkbocbog.exe
PID 4432 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Cioilg32.exe C:\Windows\SysWOW64\Dkbocbog.exe
PID 2604 wrote to memory of 4880 N/A C:\Windows\SysWOW64\Dkbocbog.exe C:\Windows\SysWOW64\Dblgpl32.exe
PID 2604 wrote to memory of 4880 N/A C:\Windows\SysWOW64\Dkbocbog.exe C:\Windows\SysWOW64\Dblgpl32.exe
PID 2604 wrote to memory of 4880 N/A C:\Windows\SysWOW64\Dkbocbog.exe C:\Windows\SysWOW64\Dblgpl32.exe
PID 4880 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Dblgpl32.exe C:\Windows\SysWOW64\Dmalne32.exe
PID 4880 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Dblgpl32.exe C:\Windows\SysWOW64\Dmalne32.exe
PID 4880 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Dblgpl32.exe C:\Windows\SysWOW64\Dmalne32.exe
PID 2188 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Dmalne32.exe C:\Windows\SysWOW64\Dpphjp32.exe
PID 2188 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Dmalne32.exe C:\Windows\SysWOW64\Dpphjp32.exe
PID 2188 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Dmalne32.exe C:\Windows\SysWOW64\Dpphjp32.exe
PID 2952 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Dpphjp32.exe C:\Windows\SysWOW64\Dbndfl32.exe
PID 2952 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Dpphjp32.exe C:\Windows\SysWOW64\Dbndfl32.exe
PID 2952 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Dpphjp32.exe C:\Windows\SysWOW64\Dbndfl32.exe
PID 2720 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Dbndfl32.exe C:\Windows\SysWOW64\Dfjpfj32.exe
PID 2720 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Dbndfl32.exe C:\Windows\SysWOW64\Dfjpfj32.exe
PID 2720 wrote to memory of 5092 N/A C:\Windows\SysWOW64\Dbndfl32.exe C:\Windows\SysWOW64\Dfjpfj32.exe
PID 5092 wrote to memory of 4508 N/A C:\Windows\SysWOW64\Dfjpfj32.exe C:\Windows\SysWOW64\Dihlbf32.exe
PID 5092 wrote to memory of 4508 N/A C:\Windows\SysWOW64\Dfjpfj32.exe C:\Windows\SysWOW64\Dihlbf32.exe
PID 5092 wrote to memory of 4508 N/A C:\Windows\SysWOW64\Dfjpfj32.exe C:\Windows\SysWOW64\Dihlbf32.exe
PID 4508 wrote to memory of 3808 N/A C:\Windows\SysWOW64\Dihlbf32.exe C:\Windows\SysWOW64\Dmdhcddh.exe
PID 4508 wrote to memory of 3808 N/A C:\Windows\SysWOW64\Dihlbf32.exe C:\Windows\SysWOW64\Dmdhcddh.exe
PID 4508 wrote to memory of 3808 N/A C:\Windows\SysWOW64\Dihlbf32.exe C:\Windows\SysWOW64\Dmdhcddh.exe
PID 3808 wrote to memory of 1776 N/A C:\Windows\SysWOW64\Dmdhcddh.exe C:\Windows\SysWOW64\Dpbdopck.exe
PID 3808 wrote to memory of 1776 N/A C:\Windows\SysWOW64\Dmdhcddh.exe C:\Windows\SysWOW64\Dpbdopck.exe
PID 3808 wrote to memory of 1776 N/A C:\Windows\SysWOW64\Dmdhcddh.exe C:\Windows\SysWOW64\Dpbdopck.exe
PID 1776 wrote to memory of 4208 N/A C:\Windows\SysWOW64\Dpbdopck.exe C:\Windows\SysWOW64\Dcnqpo32.exe
PID 1776 wrote to memory of 4208 N/A C:\Windows\SysWOW64\Dpbdopck.exe C:\Windows\SysWOW64\Dcnqpo32.exe
PID 1776 wrote to memory of 4208 N/A C:\Windows\SysWOW64\Dpbdopck.exe C:\Windows\SysWOW64\Dcnqpo32.exe
PID 4208 wrote to memory of 4232 N/A C:\Windows\SysWOW64\Dcnqpo32.exe C:\Windows\SysWOW64\Dflmlj32.exe
PID 4208 wrote to memory of 4232 N/A C:\Windows\SysWOW64\Dcnqpo32.exe C:\Windows\SysWOW64\Dflmlj32.exe
PID 4208 wrote to memory of 4232 N/A C:\Windows\SysWOW64\Dcnqpo32.exe C:\Windows\SysWOW64\Dflmlj32.exe
PID 4232 wrote to memory of 1736 N/A C:\Windows\SysWOW64\Dflmlj32.exe C:\Windows\SysWOW64\Djhimica.exe
PID 4232 wrote to memory of 1736 N/A C:\Windows\SysWOW64\Dflmlj32.exe C:\Windows\SysWOW64\Djhimica.exe
PID 4232 wrote to memory of 1736 N/A C:\Windows\SysWOW64\Dflmlj32.exe C:\Windows\SysWOW64\Djhimica.exe
PID 1736 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Djhimica.exe C:\Windows\SysWOW64\Dmfeidbe.exe
PID 1736 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Djhimica.exe C:\Windows\SysWOW64\Dmfeidbe.exe
PID 1736 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Djhimica.exe C:\Windows\SysWOW64\Dmfeidbe.exe
PID 2456 wrote to memory of 4720 N/A C:\Windows\SysWOW64\Dmfeidbe.exe C:\Windows\SysWOW64\Dlieda32.exe
PID 2456 wrote to memory of 4720 N/A C:\Windows\SysWOW64\Dmfeidbe.exe C:\Windows\SysWOW64\Dlieda32.exe
PID 2456 wrote to memory of 4720 N/A C:\Windows\SysWOW64\Dmfeidbe.exe C:\Windows\SysWOW64\Dlieda32.exe
PID 4720 wrote to memory of 3544 N/A C:\Windows\SysWOW64\Dlieda32.exe C:\Windows\SysWOW64\Dcpmen32.exe
PID 4720 wrote to memory of 3544 N/A C:\Windows\SysWOW64\Dlieda32.exe C:\Windows\SysWOW64\Dcpmen32.exe
PID 4720 wrote to memory of 3544 N/A C:\Windows\SysWOW64\Dlieda32.exe C:\Windows\SysWOW64\Dcpmen32.exe
PID 3544 wrote to memory of 1344 N/A C:\Windows\SysWOW64\Dcpmen32.exe C:\Windows\SysWOW64\Dbcmakpl.exe
PID 3544 wrote to memory of 1344 N/A C:\Windows\SysWOW64\Dcpmen32.exe C:\Windows\SysWOW64\Dbcmakpl.exe
PID 3544 wrote to memory of 1344 N/A C:\Windows\SysWOW64\Dcpmen32.exe C:\Windows\SysWOW64\Dbcmakpl.exe
PID 1344 wrote to memory of 4764 N/A C:\Windows\SysWOW64\Dbcmakpl.exe C:\Windows\SysWOW64\Djjebh32.exe
PID 1344 wrote to memory of 4764 N/A C:\Windows\SysWOW64\Dbcmakpl.exe C:\Windows\SysWOW64\Djjebh32.exe
PID 1344 wrote to memory of 4764 N/A C:\Windows\SysWOW64\Dbcmakpl.exe C:\Windows\SysWOW64\Djjebh32.exe
PID 4764 wrote to memory of 4928 N/A C:\Windows\SysWOW64\Djjebh32.exe C:\Windows\SysWOW64\Dimenegi.exe
PID 4764 wrote to memory of 4928 N/A C:\Windows\SysWOW64\Djjebh32.exe C:\Windows\SysWOW64\Dimenegi.exe
PID 4764 wrote to memory of 4928 N/A C:\Windows\SysWOW64\Djjebh32.exe C:\Windows\SysWOW64\Dimenegi.exe
PID 4928 wrote to memory of 32 N/A C:\Windows\SysWOW64\Dimenegi.exe C:\Windows\SysWOW64\Dlkbjqgm.exe
PID 4928 wrote to memory of 32 N/A C:\Windows\SysWOW64\Dimenegi.exe C:\Windows\SysWOW64\Dlkbjqgm.exe
PID 4928 wrote to memory of 32 N/A C:\Windows\SysWOW64\Dimenegi.exe C:\Windows\SysWOW64\Dlkbjqgm.exe
PID 32 wrote to memory of 4100 N/A C:\Windows\SysWOW64\Dlkbjqgm.exe C:\Windows\SysWOW64\Dpgnjo32.exe
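
Each parent/child pair above is listed three times because the sandbox records three WriteProcessMemory calls for every process it creates, a side effect of CreateProcess setting up the child rather than three separate injections. Collapsed, the table is a straight line: the original sample starts Ccbadp32.exe, which starts Cioilg32.exe, and so on, each dropper launching exactly one renamed successor. The PowerShell below is an added example, not part of the report, that rebuilds that lineage from rows in the table's own format so the fan-out at each hop can be checked over the full table. The embedded rows are copied from the first entries above; the function name Get-ProcessChain and the row regex are this example's own.

```powershell
# Added example (not part of the sandbox report): rebuild process lineage from
# "PID X wrote to memory of Y" rows, collapsing the sandbox's three-per-spawn
# duplicates and reporting how many children each process actually started.

# Constructed input in the report's row format (copied from the first rows of the table).
$rows = @'
PID 3788 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe C:\Windows\SysWOW64\Ccbadp32.exe
PID 3788 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe C:\Windows\SysWOW64\Ccbadp32.exe
PID 3788 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe C:\Windows\SysWOW64\Ccbadp32.exe
PID 3748 wrote to memory of 4432 N/A C:\Windows\SysWOW64\Ccbadp32.exe C:\Windows\SysWOW64\Cioilg32.exe
PID 3748 wrote to memory of 4432 N/A C:\Windows\SysWOW64\Ccbadp32.exe C:\Windows\SysWOW64\Cioilg32.exe
PID 3748 wrote to memory of 4432 N/A C:\Windows\SysWOW64\Ccbadp32.exe C:\Windows\SysWOW64\Cioilg32.exe
PID 4432 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Cioilg32.exe C:\Windows\SysWOW64\Dkbocbog.exe
PID 2604 wrote to memory of 4880 N/A C:\Windows\SysWOW64\Dkbocbog.exe C:\Windows\SysWOW64\Dblgpl32.exe
'@ -split "`r?`n"

# Paths in this report contain no spaces, so whitespace-delimited fields are safe.
# The literal N/A is the empty Indicator column.
$rowPattern = '^PID (?<ppid>\d+) wrote to memory of (?<pid>\d+) N/A (?<parent>\S+) (?<child>\S+)$'

function Get-ProcessChain {
    param([Parameter(Mandatory)][string[]]$Rows)

    $image    = @{}   # pid  -> image path
    $children = @{}   # ppid -> distinct child pids, in first-seen order
    foreach ($row in $Rows) {
        if ($row -match $rowPattern) {
            $ppid = $Matches['ppid']; $cpid = $Matches['pid']
            $image[$ppid] = $Matches['parent']
            $image[$cpid] = $Matches['child']
            if (-not $children.ContainsKey($ppid)) {
                $children[$ppid] = [System.Collections.Generic.List[string]]::new()
            }
            if (-not $children[$ppid].Contains($cpid)) { $children[$ppid].Add($cpid) }  # drop the triplicates
        }
    }

    # The root is the one parent that never appears as anybody's child.
    $allChildren = @($children.Values | ForEach-Object { $_ })
    $root = @($children.Keys | Where-Object { $allChildren -notcontains $_ })[0]

    # Walk down the chain; a cycle guard keeps malformed input from looping forever.
    $seen = @{}; $depth = 0; $current = $root
    while ($null -ne $current -and -not $seen.ContainsKey($current)) {
        $seen[$current] = $true
        $kids = if ($children.ContainsKey($current)) { @($children[$current]) } else { @() }
        [pscustomobject]@{
            Depth    = $depth
            PID      = [int]$current
            Image    = $image[$current]
            Children = $kids.Count
        }
        $current = if ($kids.Count -gt 0) { $kids[0] } else { $null }
        $depth++
    }
}

Get-ProcessChain -Rows $rows | Format-Table -AutoSize
```

On the rows above this prints five hops with Children = 1 at every level but the last; paste the whole table in place of the constructed rows to confirm the chain stays linear, and treat any hop with Children greater than 1 as a branch worth a closer look since it would not match the behaviour recorded here.
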

Processes

C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe

"C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe"

C:\Windows\SysWOW64\Ccbadp32.exe

C:\Windows\system32\Ccbadp32.exe

C:\Windows\SysWOW64\Cioilg32.exe

C:\Windows\system32\Cioilg32.exe

C:\Windows\SysWOW64\Dkbocbog.exe

C:\Windows\system32\Dkbocbog.exe

C:\Windows\SysWOW64\Dblgpl32.exe

C:\Windows\system32\Dblgpl32.exe

C:\Windows\SysWOW64\Dmalne32.exe

C:\Windows\system32\Dmalne32.exe

C:\Windows\SysWOW64\Dpphjp32.exe

C:\Windows\system32\Dpphjp32.exe

C:\Windows\SysWOW64\Dbndfl32.exe

C:\Windows\system32\Dbndfl32.exe

C:\Windows\SysWOW64\Dfjpfj32.exe

C:\Windows\system32\Dfjpfj32.exe

C:\Windows\SysWOW64\Dihlbf32.exe

C:\Windows\system32\Dihlbf32.exe

C:\Windows\SysWOW64\Dmdhcddh.exe

C:\Windows\system32\Dmdhcddh.exe

C:\Windows\SysWOW64\Dpbdopck.exe

C:\Windows\system32\Dpbdopck.exe

C:\Windows\SysWOW64\Dcnqpo32.exe

C:\Windows\system32\Dcnqpo32.exe

C:\Windows\SysWOW64\Dflmlj32.exe

C:\Windows\system32\Dflmlj32.exe

C:\Windows\SysWOW64\Djhimica.exe

C:\Windows\system32\Djhimica.exe

C:\Windows\SysWOW64\Dmfeidbe.exe

C:\Windows\system32\Dmfeidbe.exe

C:\Windows\SysWOW64\Dlieda32.exe

C:\Windows\system32\Dlieda32.exe

C:\Windows\SysWOW64\Dcpmen32.exe

C:\Windows\system32\Dcpmen32.exe

C:\Windows\SysWOW64\Dbcmakpl.exe

C:\Windows\system32\Dbcmakpl.exe

C:\Windows\SysWOW64\Djjebh32.exe

C:\Windows\system32\Djjebh32.exe

C:\Windows\SysWOW64\Dimenegi.exe

C:\Windows\system32\Dimenegi.exe

C:\Windows\SysWOW64\Dlkbjqgm.exe

C:\Windows\system32\Dlkbjqgm.exe

C:\Windows\SysWOW64\Dpgnjo32.exe

C:\Windows\system32\Dpgnjo32.exe

C:\Windows\SysWOW64\Ecbjkngo.exe

C:\Windows\system32\Ecbjkngo.exe

C:\Windows\SysWOW64\Efafgifc.exe

C:\Windows\system32\Efafgifc.exe

C:\Windows\SysWOW64\Ejlbhh32.exe

C:\Windows\system32\Ejlbhh32.exe

C:\Windows\SysWOW64\Emkndc32.exe

C:\Windows\system32\Emkndc32.exe

C:\Windows\SysWOW64\Epikpo32.exe

C:\Windows\system32\Epikpo32.exe

C:\Windows\SysWOW64\Ecefqnel.exe

C:\Windows\system32\Ecefqnel.exe

C:\Windows\SysWOW64\Efccmidp.exe

C:\Windows\system32\Efccmidp.exe

C:\Windows\SysWOW64\Eiaoid32.exe

C:\Windows\system32\Eiaoid32.exe

C:\Windows\SysWOW64\Emmkiclm.exe

C:\Windows\system32\Emmkiclm.exe

C:\Windows\SysWOW64\Eplgeokq.exe

C:\Windows\system32\Eplgeokq.exe

C:\Windows\SysWOW64\Ecgcfm32.exe

C:\Windows\system32\Ecgcfm32.exe

C:\Windows\SysWOW64\Efepbi32.exe

C:\Windows\system32\Efepbi32.exe

C:\Windows\SysWOW64\Eidlnd32.exe

C:\Windows\system32\Eidlnd32.exe

C:\Windows\SysWOW64\Elbhjp32.exe

C:\Windows\system32\Elbhjp32.exe

C:\Windows\SysWOW64\Eciplm32.exe

C:\Windows\system32\Eciplm32.exe

C:\Windows\SysWOW64\Eblpgjha.exe

C:\Windows\system32\Eblpgjha.exe

C:\Windows\SysWOW64\Ejchhgid.exe

C:\Windows\system32\Ejchhgid.exe

C:\Windows\SysWOW64\Embddb32.exe

C:\Windows\system32\Embddb32.exe

C:\Windows\SysWOW64\Eppqqn32.exe

C:\Windows\system32\Eppqqn32.exe

C:\Windows\SysWOW64\Ebommi32.exe

C:\Windows\system32\Ebommi32.exe

C:\Windows\SysWOW64\Ejfeng32.exe

C:\Windows\system32\Ejfeng32.exe

C:\Windows\SysWOW64\Emdajb32.exe

C:\Windows\system32\Emdajb32.exe

C:\Windows\SysWOW64\Fpbmfn32.exe

C:\Windows\system32\Fpbmfn32.exe

C:\Windows\SysWOW64\Fbajbi32.exe

C:\Windows\system32\Fbajbi32.exe

C:\Windows\SysWOW64\Ffmfchle.exe

C:\Windows\system32\Ffmfchle.exe

C:\Windows\SysWOW64\Fmfnpa32.exe

C:\Windows\system32\Fmfnpa32.exe

C:\Windows\SysWOW64\Fpejlmcf.exe

C:\Windows\system32\Fpejlmcf.exe

C:\Windows\SysWOW64\Fdqfll32.exe

C:\Windows\system32\Fdqfll32.exe

C:\Windows\SysWOW64\Ffobhg32.exe

C:\Windows\system32\Ffobhg32.exe

C:\Windows\SysWOW64\Fmikeaap.exe

C:\Windows\system32\Fmikeaap.exe

C:\Windows\SysWOW64\Fpggamqc.exe

C:\Windows\system32\Fpggamqc.exe

C:\Windows\SysWOW64\Fbfcmhpg.exe

C:\Windows\system32\Fbfcmhpg.exe

C:\Windows\SysWOW64\Fjmkoeqi.exe

C:\Windows\system32\Fjmkoeqi.exe

C:\Windows\SysWOW64\Fmkgkapm.exe

C:\Windows\system32\Fmkgkapm.exe

C:\Windows\SysWOW64\Fpjcgm32.exe

C:\Windows\system32\Fpjcgm32.exe

C:\Windows\SysWOW64\Fbhpch32.exe

C:\Windows\system32\Fbhpch32.exe

C:\Windows\SysWOW64\Fjohde32.exe

C:\Windows\system32\Fjohde32.exe

C:\Windows\SysWOW64\Fmndpq32.exe

C:\Windows\system32\Fmndpq32.exe

C:\Windows\SysWOW64\Fplpll32.exe

C:\Windows\system32\Fplpll32.exe

C:\Windows\SysWOW64\Fbjmhh32.exe

C:\Windows\system32\Fbjmhh32.exe

C:\Windows\SysWOW64\Fideeaco.exe

C:\Windows\system32\Fideeaco.exe

C:\Windows\SysWOW64\Glcaambb.exe

C:\Windows\system32\Glcaambb.exe

C:\Windows\SysWOW64\Gigaka32.exe

C:\Windows\system32\Gigaka32.exe

C:\Windows\SysWOW64\Gpqjglii.exe

C:\Windows\system32\Gpqjglii.exe

C:\Windows\SysWOW64\Gbofcghl.exe

C:\Windows\system32\Gbofcghl.exe

C:\Windows\SysWOW64\Gjfnedho.exe

C:\Windows\system32\Gjfnedho.exe

C:\Windows\SysWOW64\Gmdjapgb.exe

C:\Windows\system32\Gmdjapgb.exe

C:\Windows\SysWOW64\Gpcfmkff.exe

C:\Windows\system32\Gpcfmkff.exe

C:\Windows\SysWOW64\Gbabigfj.exe

C:\Windows\system32\Gbabigfj.exe

C:\Windows\SysWOW64\Gkhkjd32.exe

C:\Windows\system32\Gkhkjd32.exe

C:\Windows\SysWOW64\Gmggfp32.exe

C:\Windows\system32\Gmggfp32.exe

C:\Windows\SysWOW64\Gpecbk32.exe

C:\Windows\system32\Gpecbk32.exe

C:\Windows\SysWOW64\Gbdoof32.exe

C:\Windows\system32\Gbdoof32.exe

C:\Windows\SysWOW64\Gkkgpc32.exe

C:\Windows\system32\Gkkgpc32.exe

C:\Windows\SysWOW64\Glldgljg.exe

C:\Windows\system32\Glldgljg.exe

C:\Windows\SysWOW64\Gdcliikj.exe

C:\Windows\system32\Gdcliikj.exe

C:\Windows\SysWOW64\Ggahedjn.exe

C:\Windows\system32\Ggahedjn.exe

C:\Windows\SysWOW64\Gipdap32.exe

C:\Windows\system32\Gipdap32.exe

C:\Windows\SysWOW64\Hloqml32.exe

C:\Windows\system32\Hloqml32.exe

C:\Windows\SysWOW64\Hdehni32.exe

C:\Windows\system32\Hdehni32.exe

C:\Windows\SysWOW64\Hgdejd32.exe

C:\Windows\system32\Hgdejd32.exe

C:\Windows\SysWOW64\Hibafp32.exe

C:\Windows\system32\Hibafp32.exe

C:\Windows\SysWOW64\Hlambk32.exe

C:\Windows\system32\Hlambk32.exe

C:\Windows\SysWOW64\Hdhedh32.exe

C:\Windows\system32\Hdhedh32.exe

C:\Windows\SysWOW64\Hkbmqb32.exe

C:\Windows\system32\Hkbmqb32.exe

C:\Windows\SysWOW64\Hmpjmn32.exe

C:\Windows\system32\Hmpjmn32.exe

C:\Windows\SysWOW64\Hpofii32.exe

C:\Windows\system32\Hpofii32.exe

C:\Windows\SysWOW64\Hcmbee32.exe

C:\Windows\system32\Hcmbee32.exe

C:\Windows\SysWOW64\Higjaoci.exe

C:\Windows\system32\Higjaoci.exe

C:\Windows\SysWOW64\Hlegnjbm.exe

C:\Windows\system32\Hlegnjbm.exe

C:\Windows\SysWOW64\Hdmoohbo.exe

C:\Windows\system32\Hdmoohbo.exe

C:\Windows\SysWOW64\Hgkkkcbc.exe

C:\Windows\system32\Hgkkkcbc.exe

C:\Windows\SysWOW64\Hiiggoaf.exe

C:\Windows\system32\Hiiggoaf.exe

C:\Windows\SysWOW64\Hlhccj32.exe

C:\Windows\system32\Hlhccj32.exe

C:\Windows\SysWOW64\Hdokdg32.exe

C:\Windows\system32\Hdokdg32.exe

C:\Windows\SysWOW64\Hgmgqc32.exe

C:\Windows\system32\Hgmgqc32.exe

C:\Windows\SysWOW64\Hildmn32.exe

C:\Windows\system32\Hildmn32.exe

C:\Windows\SysWOW64\Ingpmmgm.exe

C:\Windows\system32\Ingpmmgm.exe

C:\Windows\SysWOW64\Ipflihfq.exe

C:\Windows\system32\Ipflihfq.exe

C:\Windows\SysWOW64\Icdheded.exe

C:\Windows\system32\Icdheded.exe

C:\Windows\SysWOW64\Ikkpgafg.exe

C:\Windows\system32\Ikkpgafg.exe

C:\Windows\SysWOW64\Injmcmej.exe

C:\Windows\system32\Injmcmej.exe

C:\Windows\SysWOW64\Iphioh32.exe

C:\Windows\system32\Iphioh32.exe

C:\Windows\SysWOW64\Icfekc32.exe

C:\Windows\system32\Icfekc32.exe

C:\Windows\SysWOW64\Igbalblk.exe

C:\Windows\system32\Igbalblk.exe

C:\Windows\SysWOW64\Ijqmhnko.exe

C:\Windows\system32\Ijqmhnko.exe

C:\Windows\SysWOW64\Iloidijb.exe

C:\Windows\system32\Iloidijb.exe

C:\Windows\SysWOW64\Idfaefkd.exe

C:\Windows\system32\Idfaefkd.exe

C:\Windows\SysWOW64\Igdnabjh.exe

C:\Windows\system32\Igdnabjh.exe

C:\Windows\SysWOW64\Ijcjmmil.exe

C:\Windows\system32\Ijcjmmil.exe

C:\Windows\SysWOW64\Ilafiihp.exe

C:\Windows\system32\Ilafiihp.exe

C:\Windows\SysWOW64\Idhnkf32.exe

C:\Windows\system32\Idhnkf32.exe

C:\Windows\SysWOW64\Iggjga32.exe

C:\Windows\system32\Iggjga32.exe

C:\Windows\SysWOW64\Ijegcm32.exe

C:\Windows\system32\Ijegcm32.exe

C:\Windows\SysWOW64\Ilccoh32.exe

C:\Windows\system32\Ilccoh32.exe

C:\Windows\SysWOW64\Idkkpf32.exe

C:\Windows\system32\Idkkpf32.exe

C:\Windows\SysWOW64\Igigla32.exe

C:\Windows\system32\Igigla32.exe

C:\Windows\SysWOW64\Jjgchm32.exe

C:\Windows\system32\Jjgchm32.exe

C:\Windows\SysWOW64\Jncoikmp.exe

C:\Windows\system32\Jncoikmp.exe

C:\Windows\SysWOW64\Jpaleglc.exe

C:\Windows\system32\Jpaleglc.exe

C:\Windows\SysWOW64\Jcphab32.exe

C:\Windows\system32\Jcphab32.exe

C:\Windows\SysWOW64\Jjjpnlbd.exe

C:\Windows\system32\Jjjpnlbd.exe

C:\Windows\SysWOW64\Jlhljhbg.exe

C:\Windows\system32\Jlhljhbg.exe

C:\Windows\SysWOW64\Jdodkebj.exe

C:\Windows\system32\Jdodkebj.exe

C:\Windows\SysWOW64\Jgnqgqan.exe

C:\Windows\system32\Jgnqgqan.exe

C:\Windows\SysWOW64\Jkimho32.exe

C:\Windows\system32\Jkimho32.exe

C:\Windows\SysWOW64\Jnhidk32.exe

C:\Windows\system32\Jnhidk32.exe

C:\Windows\SysWOW64\Jpfepf32.exe

C:\Windows\system32\Jpfepf32.exe

C:\Windows\SysWOW64\Jcdala32.exe

C:\Windows\system32\Jcdala32.exe

C:\Windows\SysWOW64\Jklinohd.exe

C:\Windows\system32\Jklinohd.exe

C:\Windows\SysWOW64\Jnjejjgh.exe

C:\Windows\system32\Jnjejjgh.exe

C:\Windows\SysWOW64\Jqhafffk.exe

C:\Windows\system32\Jqhafffk.exe

C:\Windows\SysWOW64\Jddnfd32.exe

C:\Windows\system32\Jddnfd32.exe

C:\Windows\SysWOW64\Jgbjbp32.exe

C:\Windows\system32\Jgbjbp32.exe

C:\Windows\SysWOW64\Jjafok32.exe

C:\Windows\system32\Jjafok32.exe

C:\Windows\SysWOW64\Jlobkg32.exe

C:\Windows\system32\Jlobkg32.exe

C:\Windows\SysWOW64\Jdfjld32.exe

C:\Windows\system32\Jdfjld32.exe

C:\Windows\SysWOW64\Jgeghp32.exe

C:\Windows\system32\Jgeghp32.exe

C:\Windows\SysWOW64\Kjccdkki.exe

C:\Windows\system32\Kjccdkki.exe

C:\Windows\SysWOW64\Kmaopfjm.exe

C:\Windows\system32\Kmaopfjm.exe

C:\Windows\SysWOW64\Kdigadjo.exe

C:\Windows\system32\Kdigadjo.exe

C:\Windows\SysWOW64\Kggcnoic.exe

C:\Windows\system32\Kggcnoic.exe

C:\Windows\SysWOW64\Kkconn32.exe

C:\Windows\system32\Kkconn32.exe

C:\Windows\SysWOW64\Knalji32.exe

C:\Windows\system32\Knalji32.exe

C:\Windows\SysWOW64\Kqphfe32.exe

C:\Windows\system32\Kqphfe32.exe

C:\Windows\SysWOW64\Kcndbp32.exe

C:\Windows\system32\Kcndbp32.exe

C:\Windows\SysWOW64\Kkeldnpi.exe

C:\Windows\system32\Kkeldnpi.exe

C:\Windows\SysWOW64\Knchpiom.exe

C:\Windows\system32\Knchpiom.exe

C:\Windows\SysWOW64\Kqbdldnq.exe

C:\Windows\system32\Kqbdldnq.exe

C:\Windows\SysWOW64\Kcpahpmd.exe

C:\Windows\system32\Kcpahpmd.exe

C:\Windows\SysWOW64\Kkgiimng.exe

C:\Windows\system32\Kkgiimng.exe

C:\Windows\SysWOW64\Knfeeimj.exe

C:\Windows\system32\Knfeeimj.exe

C:\Windows\SysWOW64\Kqdaadln.exe

C:\Windows\system32\Kqdaadln.exe

C:\Windows\SysWOW64\Kcbnnpka.exe

C:\Windows\system32\Kcbnnpka.exe

C:\Windows\SysWOW64\Kjmfjj32.exe

C:\Windows\system32\Kjmfjj32.exe

C:\Windows\SysWOW64\Kmkbfeab.exe

C:\Windows\system32\Kmkbfeab.exe

C:\Windows\SysWOW64\Kqfngd32.exe

C:\Windows\system32\Kqfngd32.exe

C:\Windows\SysWOW64\Kcejco32.exe

C:\Windows\system32\Kcejco32.exe

C:\Windows\SysWOW64\Lklbdm32.exe

C:\Windows\system32\Lklbdm32.exe

C:\Windows\SysWOW64\Lnjnqh32.exe

C:\Windows\system32\Lnjnqh32.exe

C:\Windows\SysWOW64\Lqikmc32.exe

C:\Windows\system32\Lqikmc32.exe

C:\Windows\SysWOW64\Lcggio32.exe

C:\Windows\system32\Lcggio32.exe

C:\Windows\SysWOW64\Lknojl32.exe

C:\Windows\system32\Lknojl32.exe

C:\Windows\SysWOW64\Lnmkfh32.exe

C:\Windows\system32\Lnmkfh32.exe

C:\Windows\SysWOW64\Lmpkadnm.exe

C:\Windows\system32\Lmpkadnm.exe

C:\Windows\SysWOW64\Ldgccb32.exe

C:\Windows\system32\Ldgccb32.exe

C:\Windows\SysWOW64\Lgepom32.exe

C:\Windows\system32\Lgepom32.exe

C:\Windows\SysWOW64\Ljclki32.exe

C:\Windows\system32\Ljclki32.exe

C:\Windows\SysWOW64\Lmbhgd32.exe

C:\Windows\system32\Lmbhgd32.exe

C:\Windows\SysWOW64\Ldipha32.exe

C:\Windows\system32\Ldipha32.exe

C:\Windows\SysWOW64\Lggldm32.exe

C:\Windows\system32\Lggldm32.exe

C:\Windows\SysWOW64\Ljfhqh32.exe

C:\Windows\system32\Ljfhqh32.exe

C:\Windows\SysWOW64\Lmdemd32.exe

C:\Windows\system32\Lmdemd32.exe

C:\Windows\SysWOW64\Lekmnajj.exe

C:\Windows\system32\Lekmnajj.exe

C:\Windows\SysWOW64\Lgjijmin.exe

C:\Windows\system32\Lgjijmin.exe

C:\Windows\SysWOW64\Ljhefhha.exe

C:\Windows\system32\Ljhefhha.exe

C:\Windows\SysWOW64\Lndagg32.exe

C:\Windows\system32\Lndagg32.exe

C:\Windows\SysWOW64\Lqbncb32.exe

C:\Windows\system32\Lqbncb32.exe

C:\Windows\SysWOW64\Mcqjon32.exe

C:\Windows\system32\Mcqjon32.exe

C:\Windows\SysWOW64\Mkhapk32.exe

C:\Windows\system32\Mkhapk32.exe

C:\Windows\SysWOW64\Mnfnlf32.exe

C:\Windows\system32\Mnfnlf32.exe

C:\Windows\SysWOW64\Madjhb32.exe

C:\Windows\system32\Madjhb32.exe

C:\Windows\SysWOW64\Mccfdmmo.exe

C:\Windows\system32\Mccfdmmo.exe

C:\Windows\SysWOW64\Mkjnfkma.exe

C:\Windows\system32\Mkjnfkma.exe

C:\Windows\SysWOW64\Mnhkbfme.exe

C:\Windows\system32\Mnhkbfme.exe

C:\Windows\SysWOW64\Maggnali.exe

C:\Windows\system32\Maggnali.exe

C:\Windows\SysWOW64\Mebcop32.exe

C:\Windows\system32\Mebcop32.exe

C:\Windows\SysWOW64\Mgaokl32.exe

C:\Windows\system32\Mgaokl32.exe

C:\Windows\SysWOW64\Mnkggfkb.exe

C:\Windows\system32\Mnkggfkb.exe

C:\Windows\SysWOW64\Maiccajf.exe

C:\Windows\system32\Maiccajf.exe

C:\Windows\SysWOW64\Mchppmij.exe

C:\Windows\system32\Mchppmij.exe

C:\Windows\SysWOW64\Mkohaj32.exe

C:\Windows\system32\Mkohaj32.exe

C:\Windows\SysWOW64\Mnmdme32.exe

C:\Windows\system32\Mnmdme32.exe

C:\Windows\SysWOW64\Malpia32.exe

C:\Windows\system32\Malpia32.exe

C:\Windows\SysWOW64\Megljppl.exe

C:\Windows\system32\Megljppl.exe

C:\Windows\SysWOW64\Mgehfkop.exe

C:\Windows\system32\Mgehfkop.exe

C:\Windows\SysWOW64\Mjdebfnd.exe

C:\Windows\system32\Mjdebfnd.exe

C:\Windows\SysWOW64\Mmbanbmg.exe

C:\Windows\system32\Mmbanbmg.exe

C:\Windows\SysWOW64\Meiioonj.exe

C:\Windows\system32\Meiioonj.exe

C:\Windows\SysWOW64\Nghekkmn.exe

C:\Windows\system32\Nghekkmn.exe

C:\Windows\SysWOW64\Njfagf32.exe

C:\Windows\system32\Njfagf32.exe

C:\Windows\SysWOW64\Naecop32.exe

C:\Windows\system32\Naecop32.exe

C:\Windows\SysWOW64\Nccokk32.exe

C:\Windows\system32\Nccokk32.exe

C:\Windows\SysWOW64\Nagpeo32.exe

C:\Windows\system32\Nagpeo32.exe

C:\Windows\SysWOW64\Nnkpnclp.exe

C:\Windows\system32\Nnkpnclp.exe

C:\Windows\SysWOW64\Najmjokc.exe

C:\Windows\system32\Najmjokc.exe

C:\Windows\SysWOW64\Odhifjkg.exe

C:\Windows\system32\Odhifjkg.exe

C:\Windows\SysWOW64\Oloahhki.exe

C:\Windows\system32\Oloahhki.exe

C:\Windows\SysWOW64\Omqmop32.exe

C:\Windows\system32\Omqmop32.exe

C:\Windows\SysWOW64\Oeheqm32.exe

C:\Windows\system32\Oeheqm32.exe

C:\Windows\SysWOW64\Ohfami32.exe

C:\Windows\system32\Ohfami32.exe

C:\Windows\SysWOW64\Ojdnid32.exe

C:\Windows\system32\Ojdnid32.exe

C:\Windows\SysWOW64\Oanfen32.exe

C:\Windows\system32\Oanfen32.exe

C:\Windows\SysWOW64\Odmbaj32.exe

C:\Windows\system32\Odmbaj32.exe

C:\Windows\SysWOW64\Ohhnbhok.exe

C:\Windows\system32\Ohhnbhok.exe

C:\Windows\SysWOW64\Ojgjndno.exe

C:\Windows\system32\Ojgjndno.exe

C:\Windows\SysWOW64\Oelolmnd.exe

C:\Windows\system32\Oelolmnd.exe

C:\Windows\SysWOW64\Ohkkhhmh.exe

C:\Windows\system32\Ohkkhhmh.exe

C:\Windows\SysWOW64\Ojigdcll.exe

C:\Windows\system32\Ojigdcll.exe

C:\Windows\SysWOW64\Omgcpokp.exe

C:\Windows\system32\Omgcpokp.exe

C:\Windows\SysWOW64\Odalmibl.exe

C:\Windows\system32\Odalmibl.exe

C:\Windows\SysWOW64\Olicnfco.exe

C:\Windows\system32\Olicnfco.exe

C:\Windows\SysWOW64\Omjpeo32.exe

C:\Windows\system32\Omjpeo32.exe

C:\Windows\SysWOW64\Pddhbipj.exe

C:\Windows\system32\Pddhbipj.exe

C:\Windows\SysWOW64\Plkpcfal.exe

C:\Windows\system32\Plkpcfal.exe

C:\Windows\SysWOW64\Poimpapp.exe

C:\Windows\system32\Poimpapp.exe

C:\Windows\SysWOW64\Phaahggp.exe

C:\Windows\system32\Phaahggp.exe

C:\Windows\SysWOW64\Pkpmdbfd.exe

C:\Windows\system32\Pkpmdbfd.exe

C:\Windows\SysWOW64\Pmoiqneg.exe

C:\Windows\system32\Pmoiqneg.exe

C:\Windows\SysWOW64\Pefabkej.exe

C:\Windows\system32\Pefabkej.exe

C:\Windows\SysWOW64\Phdnngdn.exe

C:\Windows\system32\Phdnngdn.exe

C:\Windows\SysWOW64\Pkbjjbda.exe

C:\Windows\system32\Pkbjjbda.exe

C:\Windows\SysWOW64\Palbgl32.exe

C:\Windows\system32\Palbgl32.exe

C:\Windows\SysWOW64\Pdkoch32.exe

C:\Windows\system32\Pdkoch32.exe

C:\Windows\SysWOW64\Plbfdekd.exe

C:\Windows\system32\Plbfdekd.exe

C:\Windows\SysWOW64\Popbpqjh.exe

C:\Windows\system32\Popbpqjh.exe

C:\Windows\SysWOW64\Paoollik.exe

C:\Windows\system32\Paoollik.exe

C:\Windows\SysWOW64\Pdmkhgho.exe

C:\Windows\system32\Pdmkhgho.exe

C:\Windows\SysWOW64\Pldcjeia.exe

C:\Windows\system32\Pldcjeia.exe

C:\Windows\SysWOW64\Pocpfphe.exe

C:\Windows\system32\Pocpfphe.exe

C:\Windows\SysWOW64\Qaalblgi.exe

C:\Windows\system32\Qaalblgi.exe

C:\Windows\SysWOW64\Qdphngfl.exe

C:\Windows\system32\Qdphngfl.exe

C:\Windows\SysWOW64\Qkipkani.exe

C:\Windows\system32\Qkipkani.exe

C:\Windows\SysWOW64\Qmhlgmmm.exe

C:\Windows\system32\Qmhlgmmm.exe

C:\Windows\SysWOW64\Qeodhjmo.exe

C:\Windows\system32\Qeodhjmo.exe

C:\Windows\SysWOW64\Aafemk32.exe

C:\Windows\system32\Aafemk32.exe

C:\Windows\SysWOW64\Addaif32.exe

C:\Windows\system32\Addaif32.exe

C:\Windows\SysWOW64\Alkijdci.exe

C:\Windows\system32\Alkijdci.exe

C:\Windows\SysWOW64\Aojefobm.exe

C:\Windows\system32\Aojefobm.exe

C:\Windows\SysWOW64\Aednci32.exe

C:\Windows\system32\Aednci32.exe

C:\Windows\SysWOW64\Aolblopj.exe

C:\Windows\system32\Aolblopj.exe

C:\Windows\SysWOW64\Aefjii32.exe

C:\Windows\system32\Aefjii32.exe

C:\Windows\SysWOW64\Ahdged32.exe

C:\Windows\system32\Ahdged32.exe

C:\Windows\SysWOW64\Akccap32.exe

C:\Windows\system32\Akccap32.exe

C:\Windows\SysWOW64\Albpkc32.exe

C:\Windows\system32\Albpkc32.exe

C:\Windows\SysWOW64\Akepfpcl.exe

C:\Windows\system32\Akepfpcl.exe

C:\Windows\SysWOW64\Aekddhcb.exe

C:\Windows\system32\Aekddhcb.exe

C:\Windows\SysWOW64\Ahippdbe.exe

C:\Windows\system32\Ahippdbe.exe

C:\Windows\SysWOW64\Blgifbil.exe

C:\Windows\system32\Blgifbil.exe

C:\Windows\SysWOW64\Bdbnjdfg.exe

C:\Windows\system32\Bdbnjdfg.exe

C:\Windows\SysWOW64\Bklfgo32.exe

C:\Windows\system32\Bklfgo32.exe

C:\Windows\SysWOW64\Bafndi32.exe

C:\Windows\system32\Bafndi32.exe

C:\Windows\SysWOW64\Bojomm32.exe

C:\Windows\system32\Bojomm32.exe

C:\Windows\SysWOW64\Bahkih32.exe

C:\Windows\system32\Bahkih32.exe

C:\Windows\SysWOW64\Bhbcfbjk.exe

C:\Windows\system32\Bhbcfbjk.exe

C:\Windows\SysWOW64\Bkaobnio.exe

C:\Windows\system32\Bkaobnio.exe

C:\Windows\SysWOW64\Bnoknihb.exe

C:\Windows\system32\Bnoknihb.exe

C:\Windows\SysWOW64\Blqllqqa.exe

C:\Windows\system32\Blqllqqa.exe

C:\Windows\SysWOW64\Coohhlpe.exe

C:\Windows\system32\Coohhlpe.exe

C:\Windows\SysWOW64\Cfipef32.exe

C:\Windows\system32\Cfipef32.exe

C:\Windows\SysWOW64\Cdlqqcnl.exe

C:\Windows\system32\Cdlqqcnl.exe

C:\Windows\SysWOW64\Ckeimm32.exe

C:\Windows\system32\Ckeimm32.exe

C:\Windows\SysWOW64\Cndeii32.exe

C:\Windows\system32\Cndeii32.exe

C:\Windows\SysWOW64\Cbpajgmf.exe

C:\Windows\system32\Cbpajgmf.exe

C:\Windows\SysWOW64\Cdnmfclj.exe

C:\Windows\system32\Cdnmfclj.exe

C:\Windows\SysWOW64\Cleegp32.exe

C:\Windows\system32\Cleegp32.exe

C:\Windows\SysWOW64\Cfnjpfcl.exe

C:\Windows\system32\Cfnjpfcl.exe

C:\Windows\SysWOW64\Cofnik32.exe

C:\Windows\system32\Cofnik32.exe

C:\Windows\SysWOW64\Cnindhpg.exe

C:\Windows\system32\Cnindhpg.exe

C:\Windows\SysWOW64\Cfpffeaj.exe

C:\Windows\system32\Cfpffeaj.exe

C:\Windows\SysWOW64\Chnbbqpn.exe

C:\Windows\system32\Chnbbqpn.exe

C:\Windows\SysWOW64\Ckmonl32.exe

C:\Windows\system32\Ckmonl32.exe

C:\Windows\SysWOW64\Cnkkjh32.exe

C:\Windows\system32\Cnkkjh32.exe

C:\Windows\SysWOW64\Cfbcke32.exe

C:\Windows\system32\Cfbcke32.exe

C:\Windows\SysWOW64\Chqogq32.exe

C:\Windows\system32\Chqogq32.exe

C:\Windows\SysWOW64\Dkokcl32.exe

C:\Windows\system32\Dkokcl32.exe

C:\Windows\SysWOW64\Dnmhpg32.exe

C:\Windows\system32\Dnmhpg32.exe

C:\Windows\SysWOW64\Dfdpad32.exe

C:\Windows\system32\Dfdpad32.exe

C:\Windows\SysWOW64\Dhclmp32.exe

C:\Windows\system32\Dhclmp32.exe

C:\Windows\SysWOW64\Domdjj32.exe

C:\Windows\system32\Domdjj32.exe

C:\Windows\SysWOW64\Dnpdegjp.exe

C:\Windows\system32\Dnpdegjp.exe

C:\Windows\SysWOW64\Dfglfdkb.exe

C:\Windows\system32\Dfglfdkb.exe

C:\Windows\SysWOW64\Dmadco32.exe

C:\Windows\system32\Dmadco32.exe

C:\Windows\SysWOW64\Dooaoj32.exe

C:\Windows\system32\Dooaoj32.exe

C:\Windows\SysWOW64\Dfiildio.exe

C:\Windows\system32\Dfiildio.exe

C:\Windows\SysWOW64\Digehphc.exe

C:\Windows\system32\Digehphc.exe

C:\Windows\SysWOW64\Dkfadkgf.exe

C:\Windows\system32\Dkfadkgf.exe

C:\Windows\SysWOW64\Dndnpf32.exe

C:\Windows\system32\Dndnpf32.exe

C:\Windows\SysWOW64\Dflfac32.exe

C:\Windows\system32\Dflfac32.exe

C:\Windows\SysWOW64\Dijbno32.exe

C:\Windows\system32\Dijbno32.exe

C:\Windows\SysWOW64\Dkhnjk32.exe

C:\Windows\system32\Dkhnjk32.exe

C:\Windows\SysWOW64\Dbbffdlq.exe

C:\Windows\system32\Dbbffdlq.exe

C:\Windows\SysWOW64\Deqcbpld.exe

C:\Windows\system32\Deqcbpld.exe

C:\Windows\SysWOW64\Ebdcld32.exe

C:\Windows\system32\Ebdcld32.exe

C:\Windows\SysWOW64\Eiokinbk.exe

C:\Windows\system32\Eiokinbk.exe

C:\Windows\SysWOW64\Eoideh32.exe

C:\Windows\system32\Eoideh32.exe

C:\Windows\SysWOW64\Eeelnp32.exe

C:\Windows\system32\Eeelnp32.exe

C:\Windows\SysWOW64\Emmdom32.exe

C:\Windows\system32\Emmdom32.exe

C:\Windows\SysWOW64\Eokqkh32.exe

C:\Windows\system32\Eokqkh32.exe

C:\Windows\SysWOW64\Ebimgcfi.exe

C:\Windows\system32\Ebimgcfi.exe

C:\Windows\SysWOW64\Eicedn32.exe

C:\Windows\system32\Eicedn32.exe

C:\Windows\SysWOW64\Ekaapi32.exe

C:\Windows\system32\Ekaapi32.exe

C:\Windows\SysWOW64\Epmmqheb.exe

C:\Windows\system32\Epmmqheb.exe

C:\Windows\SysWOW64\Eblimcdf.exe

C:\Windows\system32\Eblimcdf.exe

C:\Windows\SysWOW64\Eejeiocj.exe

C:\Windows\system32\Eejeiocj.exe

C:\Windows\SysWOW64\Eifaim32.exe

C:\Windows\system32\Eifaim32.exe

C:\Windows\SysWOW64\Eppjfgcp.exe

C:\Windows\system32\Eppjfgcp.exe

C:\Windows\SysWOW64\Ebnfbcbc.exe

C:\Windows\system32\Ebnfbcbc.exe

C:\Windows\SysWOW64\Fmcjpl32.exe

C:\Windows\system32\Fmcjpl32.exe

C:\Windows\SysWOW64\Fpbflg32.exe

C:\Windows\system32\Fpbflg32.exe

C:\Windows\SysWOW64\Fbpchb32.exe

C:\Windows\system32\Fbpchb32.exe

C:\Windows\SysWOW64\Fijkdmhn.exe

C:\Windows\system32\Fijkdmhn.exe

C:\Windows\SysWOW64\Fealin32.exe

C:\Windows\system32\Fealin32.exe

C:\Windows\SysWOW64\Fiodpl32.exe

C:\Windows\system32\Fiodpl32.exe

C:\Windows\SysWOW64\Gfeaopqo.exe

C:\Windows\system32\Gfeaopqo.exe

C:\Windows\SysWOW64\Gblbca32.exe

C:\Windows\system32\Gblbca32.exe

C:\Windows\SysWOW64\Gemkelcd.exe

C:\Windows\system32\Gemkelcd.exe

C:\Windows\SysWOW64\Gihgfk32.exe

C:\Windows\system32\Gihgfk32.exe

C:\Windows\SysWOW64\Glgcbf32.exe

C:\Windows\system32\Glgcbf32.exe

C:\Windows\SysWOW64\Gnepna32.exe

C:\Windows\system32\Gnepna32.exe

C:\Windows\SysWOW64\Geohklaa.exe

C:\Windows\system32\Geohklaa.exe

C:\Windows\SysWOW64\Gmfplibd.exe

C:\Windows\system32\Gmfplibd.exe

C:\Windows\SysWOW64\Gpelhd32.exe

C:\Windows\system32\Gpelhd32.exe

C:\Windows\SysWOW64\Glkmmefl.exe

C:\Windows\system32\Glkmmefl.exe

C:\Windows\SysWOW64\Gojiiafp.exe

C:\Windows\system32\Gojiiafp.exe

C:\Windows\SysWOW64\Hmkigh32.exe

C:\Windows\system32\Hmkigh32.exe

C:\Windows\SysWOW64\Holfoqcm.exe

C:\Windows\system32\Holfoqcm.exe

C:\Windows\SysWOW64\Hbhboolf.exe

C:\Windows\system32\Hbhboolf.exe

C:\Windows\SysWOW64\Hibjli32.exe

C:\Windows\system32\Hibjli32.exe

C:\Windows\SysWOW64\Hbjoeojc.exe

C:\Windows\system32\Hbjoeojc.exe

C:\Windows\SysWOW64\Hidgai32.exe

C:\Windows\system32\Hidgai32.exe

C:\Windows\SysWOW64\Hmpcbhji.exe

C:\Windows\system32\Hmpcbhji.exe

C:\Windows\SysWOW64\Hpnoncim.exe

C:\Windows\system32\Hpnoncim.exe

C:\Windows\SysWOW64\Hfhgkmpj.exe

C:\Windows\system32\Hfhgkmpj.exe

C:\Windows\SysWOW64\Hpqldc32.exe

C:\Windows\system32\Hpqldc32.exe

C:\Windows\SysWOW64\Hiipmhmk.exe

C:\Windows\system32\Hiipmhmk.exe

C:\Windows\SysWOW64\Iepaaico.exe

C:\Windows\system32\Iepaaico.exe

C:\Windows\SysWOW64\Ipeeobbe.exe

C:\Windows\system32\Ipeeobbe.exe

C:\Windows\SysWOW64\Ibcaknbi.exe

C:\Windows\system32\Ibcaknbi.exe

C:\Windows\SysWOW64\Iebngial.exe

C:\Windows\system32\Iebngial.exe

C:\Windows\SysWOW64\Iojbpo32.exe

C:\Windows\system32\Iojbpo32.exe

C:\Windows\SysWOW64\Imkbnf32.exe

C:\Windows\system32\Imkbnf32.exe

C:\Windows\SysWOW64\Imnocf32.exe

C:\Windows\system32\Imnocf32.exe

C:\Windows\SysWOW64\Igfclkdj.exe

C:\Windows\system32\Igfclkdj.exe

C:\Windows\SysWOW64\Ilcldb32.exe

C:\Windows\system32\Ilcldb32.exe

C:\Windows\SysWOW64\Jmbhoeid.exe

C:\Windows\system32\Jmbhoeid.exe

C:\Windows\SysWOW64\Jgkmgk32.exe

C:\Windows\system32\Jgkmgk32.exe

C:\Windows\SysWOW64\Jlgepanl.exe

C:\Windows\system32\Jlgepanl.exe

C:\Windows\SysWOW64\Jcanll32.exe

C:\Windows\system32\Jcanll32.exe

C:\Windows\SysWOW64\Jepjhg32.exe

C:\Windows\system32\Jepjhg32.exe

C:\Windows\SysWOW64\Jljbeali.exe

C:\Windows\system32\Jljbeali.exe

C:\Windows\SysWOW64\Johnamkm.exe

C:\Windows\system32\Johnamkm.exe

C:\Windows\SysWOW64\Jgpfbjlo.exe

C:\Windows\system32\Jgpfbjlo.exe

C:\Windows\SysWOW64\Jniood32.exe

C:\Windows\system32\Jniood32.exe

C:\Windows\SysWOW64\Jcfggkac.exe

C:\Windows\system32\Jcfggkac.exe

C:\Windows\SysWOW64\Kpjgaoqm.exe

C:\Windows\system32\Kpjgaoqm.exe

C:\Windows\SysWOW64\Kjblje32.exe

C:\Windows\system32\Kjblje32.exe

C:\Windows\SysWOW64\Klahfp32.exe

C:\Windows\system32\Klahfp32.exe

C:\Windows\SysWOW64\Kgflcifg.exe

C:\Windows\system32\Kgflcifg.exe

C:\Windows\SysWOW64\Klcekpdo.exe

C:\Windows\system32\Klcekpdo.exe

C:\Windows\SysWOW64\Knenkbio.exe

C:\Windows\system32\Knenkbio.exe

C:\Windows\SysWOW64\Kngkqbgl.exe

C:\Windows\system32\Kngkqbgl.exe

C:\Windows\SysWOW64\Lpfgmnfp.exe

C:\Windows\system32\Lpfgmnfp.exe

C:\Windows\SysWOW64\Lnldla32.exe

C:\Windows\system32\Lnldla32.exe

C:\Windows\SysWOW64\Lggejg32.exe

C:\Windows\system32\Lggejg32.exe

C:\Windows\SysWOW64\Lobjni32.exe

C:\Windows\system32\Lobjni32.exe

C:\Windows\SysWOW64\Lflbkcll.exe

C:\Windows\system32\Lflbkcll.exe

C:\Windows\SysWOW64\Mgloefco.exe

C:\Windows\system32\Mgloefco.exe

C:\Windows\SysWOW64\Mmkdcm32.exe

C:\Windows\system32\Mmkdcm32.exe

C:\Windows\SysWOW64\Mokmdh32.exe

C:\Windows\system32\Mokmdh32.exe

C:\Windows\SysWOW64\Mfeeabda.exe

C:\Windows\system32\Mfeeabda.exe

C:\Windows\SysWOW64\Mqkiok32.exe

C:\Windows\system32\Mqkiok32.exe

C:\Windows\SysWOW64\Nqmfdj32.exe

C:\Windows\system32\Nqmfdj32.exe

C:\Windows\SysWOW64\Nclbpf32.exe

C:\Windows\system32\Nclbpf32.exe

C:\Windows\SysWOW64\Njfkmphe.exe

C:\Windows\system32\Njfkmphe.exe

C:\Windows\SysWOW64\Nnafno32.exe

C:\Windows\system32\Nnafno32.exe

C:\Windows\SysWOW64\Npbceggm.exe

C:\Windows\system32\Npbceggm.exe

C:\Windows\SysWOW64\Ngjkfd32.exe

C:\Windows\system32\Ngjkfd32.exe

C:\Windows\SysWOW64\Njhgbp32.exe

C:\Windows\system32\Njhgbp32.exe

C:\Windows\SysWOW64\Nmfcok32.exe

C:\Windows\system32\Nmfcok32.exe

C:\Windows\SysWOW64\Njjdho32.exe

C:\Windows\system32\Njjdho32.exe

C:\Windows\SysWOW64\Nmipdk32.exe

C:\Windows\system32\Nmipdk32.exe

C:\Windows\SysWOW64\Onkidm32.exe

C:\Windows\system32\Onkidm32.exe

C:\Windows\SysWOW64\Ompfej32.exe

C:\Windows\system32\Ompfej32.exe

C:\Windows\SysWOW64\Ojdgnn32.exe

C:\Windows\system32\Ojdgnn32.exe

C:\Windows\SysWOW64\Ombcji32.exe

C:\Windows\system32\Ombcji32.exe

C:\Windows\SysWOW64\Ofkgcobj.exe

C:\Windows\system32\Ofkgcobj.exe

C:\Windows\SysWOW64\Ocohmc32.exe

C:\Windows\system32\Ocohmc32.exe

C:\Windows\SysWOW64\Phonha32.exe

C:\Windows\system32\Phonha32.exe

C:\Windows\SysWOW64\Pjmjdm32.exe

C:\Windows\system32\Pjmjdm32.exe

C:\Windows\SysWOW64\Pdenmbkk.exe

C:\Windows\system32\Pdenmbkk.exe

C:\Windows\SysWOW64\Pjbcplpe.exe

C:\Windows\system32\Pjbcplpe.exe

C:\Windows\SysWOW64\Pmpolgoi.exe

C:\Windows\system32\Pmpolgoi.exe

C:\Windows\SysWOW64\Ppolhcnm.exe

C:\Windows\system32\Ppolhcnm.exe

C:\Windows\SysWOW64\Pmblagmf.exe

C:\Windows\system32\Pmblagmf.exe

C:\Windows\SysWOW64\Qaqegecm.exe

C:\Windows\system32\Qaqegecm.exe

C:\Windows\SysWOW64\Qpeahb32.exe

C:\Windows\system32\Qpeahb32.exe

C:\Windows\SysWOW64\Adcjop32.exe

C:\Windows\system32\Adcjop32.exe

C:\Windows\SysWOW64\Adhdjpjf.exe

C:\Windows\system32\Adhdjpjf.exe

C:\Windows\SysWOW64\Aggpfkjj.exe

C:\Windows\system32\Aggpfkjj.exe

C:\Windows\SysWOW64\Apodoq32.exe

C:\Windows\system32\Apodoq32.exe

C:\Windows\SysWOW64\Bgkiaj32.exe

C:\Windows\system32\Bgkiaj32.exe

C:\Windows\SysWOW64\Bkibgh32.exe

C:\Windows\system32\Bkibgh32.exe

C:\Windows\SysWOW64\Bgpcliao.exe

C:\Windows\system32\Bgpcliao.exe

C:\Windows\SysWOW64\Boihcf32.exe

C:\Windows\system32\Boihcf32.exe

C:\Windows\SysWOW64\Bahdob32.exe

C:\Windows\system32\Bahdob32.exe

C:\Windows\SysWOW64\Bdfpkm32.exe

C:\Windows\system32\Bdfpkm32.exe

C:\Windows\SysWOW64\Bgelgi32.exe

C:\Windows\system32\Bgelgi32.exe

C:\Windows\SysWOW64\Boldhf32.exe

C:\Windows\system32\Boldhf32.exe

C:\Windows\SysWOW64\Bajqda32.exe

C:\Windows\system32\Bajqda32.exe

C:\Windows\SysWOW64\Chdialdl.exe

C:\Windows\system32\Chdialdl.exe

C:\Windows\SysWOW64\Ckbemgcp.exe

C:\Windows\system32\Ckbemgcp.exe

C:\Windows\SysWOW64\Cammjakm.exe

C:\Windows\system32\Cammjakm.exe

C:\Windows\SysWOW64\Chfegk32.exe

C:\Windows\system32\Chfegk32.exe

C:\Windows\SysWOW64\Ckebcg32.exe

C:\Windows\system32\Ckebcg32.exe

C:\Windows\SysWOW64\Cncnob32.exe

C:\Windows\system32\Cncnob32.exe

C:\Windows\SysWOW64\Cpbjkn32.exe

C:\Windows\system32\Cpbjkn32.exe

C:\Windows\SysWOW64\Cdmfllhn.exe

C:\Windows\system32\Cdmfllhn.exe

C:\Windows\SysWOW64\Cglbhhga.exe

C:\Windows\system32\Cglbhhga.exe

C:\Windows\SysWOW64\Cnfkdb32.exe

C:\Windows\system32\Cnfkdb32.exe

C:\Windows\SysWOW64\Cpfcfmlp.exe

C:\Windows\system32\Cpfcfmlp.exe

C:\Windows\SysWOW64\Chnlgjlb.exe

C:\Windows\system32\Chnlgjlb.exe

C:\Windows\SysWOW64\Cklhcfle.exe

C:\Windows\system32\Cklhcfle.exe

C:\Windows\SysWOW64\Cnjdpaki.exe

C:\Windows\system32\Cnjdpaki.exe

C:\Windows\SysWOW64\Dojqjdbl.exe

C:\Windows\system32\Dojqjdbl.exe

C:\Windows\SysWOW64\Dkqaoe32.exe

C:\Windows\system32\Dkqaoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 10444 -ip 10444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 10444 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
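Every row above is a PTR query sent to 8.8.8.8, so the destination column names the resolver, not a host the sample contacted; the address of interest is stored backwards inside each in-addr.arpa name. The Python below is an added example, not part of the sandbox report, that decodes those names back into dotted-quad addresses and summarises where the lookups went. The table text is copied verbatim from the rows above; the function and field names are the example's own. A reverse lookup only shows that the host wanted a name for that address (Windows itself issues such queries), so the decoded addresses are leads to enrich rather than proven command-and-control contacts.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# The twelve rows of the Network table above, copied verbatim (header included).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"
ROW_RE = re.compile(r"^(?P<country>\S+)\s+(?P<dest>\S+)\s+(?P<domain>\S+)\s+(?P<proto>\S+)$")


def ptr_to_ip(name: str) -> Optional[str]:
    """Recover the IPv4 address an in-addr.arpa name asks about.

    The octets are stored least-significant first, so "97.17.167.52.in-addr.arpa"
    is a query about 52.167.17.97. Returns None for anything that is not a
    well-formed IPv4 reverse name.
    """
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    labels = name[: -len(PTR_SUFFIX)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def parse_network_table(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse the space-separated table into rows, skipping the header line."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group("country") == "Country":
            continue
        rows.append({
            "resolver": m.group("dest"),                 # where the DNS packet went
            "proto": m.group("proto"),
            "ptr_name": m.group("domain"),
            "queried_ip": ptr_to_ip(m.group("domain")),  # the address being looked up
        })
    return rows


def summarize(rows: List[Dict[str, Optional[str]]]) -> Dict[str, object]:
    """Group the lookups: which resolvers were used and which addresses were queried.

    The resolver is the only host the report shows traffic to; the queried
    addresses are what the sample (or Windows) wanted names for.
    """
    resolvers = Counter(r["resolver"] for r in rows)
    queried = sorted({r["queried_ip"] for r in rows if r["queried_ip"]},
                     key=ipaddress.IPv4Address)
    public = [ip for ip in queried if ipaddress.IPv4Address(ip).is_global]
    return {"resolvers": dict(resolvers), "queried_ips": queried, "public_ips": public}


if __name__ == "__main__":
    result = summarize(parse_network_table(NETWORK_TABLE))
    print("resolvers:", result["resolvers"])
    for ip in result["queried_ips"]:
        print("PTR lookup for", ip)
```

Feed the decoded addresses to whatever enrichment you use (ASN, passive DNS, known-CDN lists) before treating any of them as an indicator; the report itself records no TCP connection to them.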

Files

memory/3788-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3788-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Ccbadp32.exe

MD5 b77c6a6fc509a2c49130e70a135ec8b6
SHA1 15416035c4d845d5ef5f1ac413ba15a4f5eacfc7
SHA256 5dbea6dd69831127f0b070de4e165341f0bcaa31b5fcd1d3da31f3d0e2586848
SHA512 7821c983e3b2b2cb6ef9501c07fb40471bbe609cd416a6a605f84c877f2d7e7354825ee626ffd553901f7eed9bb1c79b72572e084caa94c61b4ae0597cb67938

memory/3748-8-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cioilg32.exe

MD5 b08772e3043c348d9029610e83c81f1b
SHA1 4ef5bd10ee9ac492b34d11414c4efd56e59c9237
SHA256 704e4bdb083e714950d136d1589aaea84895f1d4925fe15d5f756111b8dc6639
SHA512 51838adbfe087bf488f264dbeae601677b1ba30aa2e4daaf68fe0068c80294de6e90c8dcbe0c7395b7a3bc66326601e2fa0ebfd9e9c77738c2736a98408b405c

memory/4432-17-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dkbocbog.exe

MD5 71701bcc9655abe8bfa9ab3167692cd2
SHA1 46e64c0587658cec0e7d9297f49e0f42365c1338
SHA256 bbf8be57f4f7fe87541f7623ef4dd36e30161af185947e081fcc7d7ed91bb778
SHA512 17fa53dde196ef6aba6aa2f331259b2f108310a63313bb8f3fac92ec98c3acea8320b7ad765e149b78eea79756e897f5faa5977008e8ddb28b8af27d57404095

memory/2604-24-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dblgpl32.exe

MD5 df7e862c1a60e4a16ecbb129c0a46131
SHA1 80340aadb5fa8a058c560ed0970cb305895dccb1
SHA256 14f8fb0cd95c3900bcf76a87020681e1db4c91ffc50b9325ef409ad2172c56be
SHA512 a74bfc83e47daccb1f281060641af1c25eac8842d37047efa6cc864070493b7583cc86002b8d9a932020e42b645fafa6c3464374417699603c94986bdca64397

memory/4880-33-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2952-49-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1776-93-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Djhimica.exe

MD5 ad1bad5f28f3fa2fb33ace0462750a63
SHA1 a7bde4b9662c5a845498ca275087fd1ca355c676
SHA256 b95c0f61bc5d80e179ca12dbf475d5d12f20379c1fd64fd1b6ea4721da6ab414
SHA512 458decf36307682cbf6ba678ea7ec030d8c1c954d9c6e0577a398cae11f0167677952c9a93d858c46be3bea90087e338614d321c8102cb9a60b46a00a6584e40

C:\Windows\SysWOW64\Dcpmen32.exe

MD5 dd1ee6f8e2a4d240e8326feb528d2a77
SHA1 885cfec5b5fc2614023d7535ce28248ab6b3cba0
SHA256 5dab6502a0ab948190fffe1ac6a758dd4e333d02d745ceca83bbc379e8e79f7e
SHA512 0ec69a1aef46ad1e1f349530aacd5ea0cb2ce7438c8b960870961816f7058fde63b4d4ebaa291f305b89d6c6124813905e52f5bd07337430610877b908e6eadd

C:\Windows\SysWOW64\Dpgnjo32.exe

MD5 0335ca234448efb7a9783ee9345a4614
SHA1 4f3d8c8a73ba9ca6796beac83c6ca6784be0d1bb
SHA256 6acce8b8835d1df1c0659227e8e2e61e302ca8a6338314160ecdd992927f76d7
SHA512 d92ffca77097735f649640f31fed2a2a76485b86759e508752296b3a228792cf0eab7b63abd764d3bfb30e4dd7ff763bbeec5c384e51bd2836454107a8a919d6

C:\Windows\SysWOW64\Epikpo32.exe

MD5 2490ae3221d9ce45e9b868ff89c68de8
SHA1 743b1b1962f97aab6d0daf8271cb2a38b2baea5e
SHA256 9897c8ce797e32ea14180f03dd7f7d03d70bc1c7824a9c44b8432b62c683d144
SHA512 31e49f25ebe39cc23017201ca9335667514dd8d5a31f69884ff9a92680c2955497ff9f8910ee081f6598673857f258781af93ed6d59f8143a14b1ba14a3bf1bb

memory/3580-261-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1608-340-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5132-436-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2964-599-0x0000000000400000-0x0000000000433000-memory.dmp

memory/432-593-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2952-592-0x0000000000400000-0x0000000000433000-memory.dmp

memory/6108-586-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2188-585-0x0000000000400000-0x0000000000433000-memory.dmp

memory/6064-584-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4880-578-0x0000000000400000-0x0000000000433000-memory.dmp

memory/6020-572-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2604-571-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5976-565-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4432-564-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5936-558-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3748-557-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5892-551-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5852-545-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3788-544-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5812-538-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5772-532-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5732-526-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5692-520-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5652-514-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5612-508-0x0000000000400000-0x0000000000433000-memory.dmp
