Analysis Overview
SHA256
3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedc
Threat Level: Known bad
The file 3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN was found to be: Known bad.
Malicious Activity Summary
Berbew family
Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 03:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 03:19
Reported
2024-11-10 03:21
Platform
win7-20240903-en
Max time kernel
73s
Max time network
16s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aohdmdoh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aohdmdoh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Akabgebj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Alihaioe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bkhhhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ciihklpj.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cagienkb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Akabgebj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ciihklpj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cagienkb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cmpgpond.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bjdkjpkb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cmpgpond.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qjklenpa.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bkhhhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bjdkjpkb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qjklenpa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Alihaioe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Qjklenpa.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Alihaioe.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Aohdmdoh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Akabgebj.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Bkhhhd32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Bjdkjpkb.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Ciihklpj.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cagienkb.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cmpgpond.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Bfioia32.exe | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cfhkhd32.exe | C:\Windows\SysWOW64\Cmpgpond.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dpapaj32.exe | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ÿs.e¢e | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cceell32.dll | C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckndebll.dll | C:\Windows\SysWOW64\Bkhhhd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ciihklpj.exe | C:\Windows\SysWOW64\Bjdkjpkb.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmpgpond.exe | C:\Windows\SysWOW64\Cagienkb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qjklenpa.exe | C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe | N/A |
| File created | C:\Windows\SysWOW64\Abpcooea.exe | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfioia32.exe | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| File created | C:\Windows\SysWOW64\Aohdmdoh.exe | C:\Windows\SysWOW64\Alihaioe.exe | N/A |
| File created | C:\Windows\SysWOW64\Aoagccfn.exe | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| File created | C:\Windows\SysWOW64\ÿs.e¢e | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qjklenpa.exe | C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bjdkjpkb.exe | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cagienkb.exe | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Aakjdo32.exe | C:\Windows\SysWOW64\Akabgebj.exe | N/A |
| File created | C:\Windows\SysWOW64\Hbcfdk32.dll | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdkefp32.dll | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjdkjpkb.exe | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lbmnig32.dll | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qcamkjba.dll | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| File created | C:\Windows\SysWOW64\Gjhmge32.dll | C:\Windows\SysWOW64\Bjdkjpkb.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgoelh32.exe | C:\Windows\SysWOW64\Ciihklpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfhkhd32.exe | C:\Windows\SysWOW64\Cmpgpond.exe | N/A |
| File created | C:\Windows\SysWOW64\Alihaioe.exe | C:\Windows\SysWOW64\Qjklenpa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aoagccfn.exe | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Adpqglen.dll | C:\Windows\SysWOW64\Aohdmdoh.exe | N/A |
| File created | C:\Windows\SysWOW64\Imafcg32.dll | C:\Windows\SysWOW64\Alihaioe.exe | N/A |
| File created | C:\Windows\SysWOW64\Dqaegjop.dll | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cgoelh32.exe | C:\Windows\SysWOW64\Ciihklpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Pcaibd32.dll | C:\Windows\SysWOW64\Cagienkb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Alihaioe.exe | C:\Windows\SysWOW64\Qjklenpa.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aakjdo32.exe | C:\Windows\SysWOW64\Akabgebj.exe | N/A |
| File created | C:\Windows\SysWOW64\Lloeec32.dll | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| File created | C:\Windows\SysWOW64\Cagienkb.exe | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cmpgpond.exe | C:\Windows\SysWOW64\Cagienkb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Akabgebj.exe | C:\Windows\SysWOW64\Aohdmdoh.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbjclbek.dll | C:\Windows\SysWOW64\Akabgebj.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfnafi32.dll | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| File created | C:\Windows\SysWOW64\Bkhhhd32.exe | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bkhhhd32.exe | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Bnknoogp.exe | C:\Windows\SysWOW64\Bkhhhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dpapaj32.exe | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dicdjqhf.dll | C:\Windows\SysWOW64\Qjklenpa.exe | N/A |
| File created | C:\Windows\SysWOW64\Bnknoogp.exe | C:\Windows\SysWOW64\Bkhhhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ciihklpj.exe | C:\Windows\SysWOW64\Bjdkjpkb.exe | N/A |
| File created | C:\Windows\SysWOW64\Fkdqjn32.dll | C:\Windows\SysWOW64\Cmpgpond.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Aohdmdoh.exe | C:\Windows\SysWOW64\Alihaioe.exe | N/A |
| File created | C:\Windows\SysWOW64\Jidmcq32.dll | C:\Windows\SysWOW64\Ciihklpj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Abpcooea.exe | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| File created | C:\Windows\SysWOW64\Akabgebj.exe | C:\Windows\SysWOW64\Aohdmdoh.exe | N/A |
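The table above is the raw event log; what an analyst actually wants from it is the drop chain: which stage wrote which EXE and DLL, and where the sequence stopped. The following script is an added example (not part of the sandbox report) that parses the "File created" rows copied from this table and walks the process -> created-file edges from the root sample. It assumes the Berbew pattern visible here (each stage writes exactly one DLL and one next-stage EXE) and treats the last dropped file that never wrote anything itself as the point where execution stopped; on this run that is the garbled name written by Dpapaj32.exe, which is consistent with the WerFault entry for that process further down.

```python
"""Rebuild the Berbew drop chain from the "Drops file in System32 directory"
table.  Each stage writes one new EXE plus one DLL (the DLL it then registers
as the COM in-process server) and launches the EXE; following the
process -> created-file edges recovers the whole sequence and where it stopped."""
import ntpath
from collections import defaultdict

# Constructed input: the "File created" rows copied from the report above.  The
# "File opened for modification" rows repeat the same EXE paths and are omitted.
ROWS = r"""
| File created | C:\Windows\SysWOW64\Cceell32.dll | C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckndebll.dll | C:\Windows\SysWOW64\Bkhhhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cmpgpond.exe | C:\Windows\SysWOW64\Cagienkb.exe | N/A |
| File created | C:\Windows\SysWOW64\Abpcooea.exe | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfioia32.exe | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| File created | C:\Windows\SysWOW64\Aohdmdoh.exe | C:\Windows\SysWOW64\Alihaioe.exe | N/A |
| File created | C:\Windows\SysWOW64\Aoagccfn.exe | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| File created | C:\Windows\SysWOW64\ÿs.e¢e | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qjklenpa.exe | C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe | N/A |
| File created | C:\Windows\SysWOW64\Aakjdo32.exe | C:\Windows\SysWOW64\Akabgebj.exe | N/A |
| File created | C:\Windows\SysWOW64\Hbcfdk32.dll | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pdkefp32.dll | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bjdkjpkb.exe | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lbmnig32.dll | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| File created | C:\Windows\SysWOW64\Qcamkjba.dll | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| File created | C:\Windows\SysWOW64\Gjhmge32.dll | C:\Windows\SysWOW64\Bjdkjpkb.exe | N/A |
| File created | C:\Windows\SysWOW64\Cgoelh32.exe | C:\Windows\SysWOW64\Ciihklpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfhkhd32.exe | C:\Windows\SysWOW64\Cmpgpond.exe | N/A |
| File created | C:\Windows\SysWOW64\Alihaioe.exe | C:\Windows\SysWOW64\Qjklenpa.exe | N/A |
| File created | C:\Windows\SysWOW64\Adpqglen.dll | C:\Windows\SysWOW64\Aohdmdoh.exe | N/A |
| File created | C:\Windows\SysWOW64\Imafcg32.dll | C:\Windows\SysWOW64\Alihaioe.exe | N/A |
| File created | C:\Windows\SysWOW64\Dqaegjop.dll | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Pcaibd32.dll | C:\Windows\SysWOW64\Cagienkb.exe | N/A |
| File created | C:\Windows\SysWOW64\Lloeec32.dll | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| File created | C:\Windows\SysWOW64\Cagienkb.exe | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bbjclbek.dll | C:\Windows\SysWOW64\Akabgebj.exe | N/A |
| File created | C:\Windows\SysWOW64\Gfnafi32.dll | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| File created | C:\Windows\SysWOW64\Bkhhhd32.exe | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| File created | C:\Windows\SysWOW64\Dpapaj32.exe | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Dicdjqhf.dll | C:\Windows\SysWOW64\Qjklenpa.exe | N/A |
| File created | C:\Windows\SysWOW64\Bnknoogp.exe | C:\Windows\SysWOW64\Bkhhhd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ciihklpj.exe | C:\Windows\SysWOW64\Bjdkjpkb.exe | N/A |
| File created | C:\Windows\SysWOW64\Fkdqjn32.dll | C:\Windows\SysWOW64\Cmpgpond.exe | N/A |
| File created | C:\Windows\SysWOW64\Jidmcq32.dll | C:\Windows\SysWOW64\Ciihklpj.exe | N/A |
| File created | C:\Windows\SysWOW64\Akabgebj.exe | C:\Windows\SysWOW64\Aohdmdoh.exe | N/A |
"""


def parse_rows(table_text):
    """Turn pipe-delimited report rows into (description, indicator, process) tuples."""
    rows = []
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Description":
            rows.append((cells[0], cells[1], cells[2]))
    return rows


def build_chain(rows):
    """Walk process -> created-file edges from the root (the one writer nobody
    wrote) and return (stages, terminal).  Each stage records the EXE that ran,
    the DLL it dropped (None if it died first) and the files it dropped.
    `terminal` is the last dropped file that never wrote anything itself."""
    created = defaultdict(list)
    for desc, path, proc in rows:
        if desc == "File created":
            created[proc].append(path)
    written = {f for files in created.values() for f in files}
    roots = [p for p in created if p not in written]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    stages, cur, seen = [], roots[0], set()
    while cur in created and cur not in seen:
        seen.add(cur)
        files = created[cur]
        dlls = [f for f in files if f.lower().endswith(".dll")]
        exes = [f for f in files if f not in dlls]
        stages.append({"stage": cur, "dll": dlls[0] if dlls else None, "drops": exes})
        # Berbew is strictly linear: one child EXE per stage.  Anything else ends the walk.
        cur = exes[0] if len(exes) == 1 else None
    return stages, cur


def iocs(stages, terminal):
    """Sorted basenames of every dropped EXE and DLL (the sample's own temp path is skipped)."""
    names = {ntpath.basename(s["stage"]) for s in stages[1:]}
    names |= {ntpath.basename(s["dll"]) for s in stages if s["dll"]}
    if terminal:
        names.add(ntpath.basename(terminal))
    return sorted(names)


if __name__ == "__main__":
    stages, terminal = build_chain(parse_rows(ROWS))
    for n, s in enumerate(stages):
        dll = ntpath.basename(s["dll"]) if s["dll"] else "-"
        print(f"{n:2d} {ntpath.basename(s['stage'])}  dll={dll}")
    print("chain ends at:", terminal, "(dropped but never ran)")
    print(len(iocs(stages, terminal)), "on-disk artefacts to sweep for")
```

The walk is order-independent, so the rows can be pasted in whatever order the report renders them. The final stage (Dpapaj32.exe) has no DLL and drops a file whose name is not a valid executable name, which is the one edge case the walk has to tolerate: it is reported as the terminal artefact rather than as a stage.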
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dpapaj32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cagienkb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bkhhhd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cmpgpond.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dpapaj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bjdkjpkb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ciihklpj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qjklenpa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Alihaioe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aohdmdoh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Akabgebj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imafcg32.dll" | C:\Windows\SysWOW64\Alihaioe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll" | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll" | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bfioia32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aohdmdoh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnafi32.dll" | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll" | C:\Windows\SysWOW64\Akabgebj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll" | C:\Windows\SysWOW64\Ciihklpj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Qjklenpa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll" | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll" | C:\Windows\SysWOW64\Cagienkb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Qjklenpa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll" | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ciihklpj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bnknoogp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll" | C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicdjqhf.dll" | C:\Windows\SysWOW64\Qjklenpa.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bjdkjpkb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Alihaioe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cagienkb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cagienkb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cmpgpond.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aoagccfn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Abpcooea.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ciihklpj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cfhkhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Akabgebj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cmpgpond.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Alihaioe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Bkhhhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll" | C:\Windows\SysWOW64\Cmpgpond.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cgoelh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpqglen.dll" | C:\Windows\SysWOW64\Aohdmdoh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Akabgebj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bjdkjpkb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Aohdmdoh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqaegjop.dll" | C:\Windows\SysWOW64\Aakjdo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bkhhhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll" | C:\Windows\SysWOW64\Bkhhhd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll" | C:\Windows\SysWOW64\Bjdkjpkb.exe | N/A |
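Taken together, the ShellServiceObjectDelayLoad table earlier in this analysis and the CLSID table above are the two halves of one persistence mechanism: SSODL maps a value name ("Web Event Logger") to a CLSID, and the CLSID's InProcServer32 default value names the DLL that the shell loads in-process at logon. Each stage rewrites the same CLSID to point at its own freshly dropped DLL, so the last writer wins. The script below is an added example (not part of the report) that hunts for this on an exported hive: it parses a `.reg` export, resolves every SSODL value to its DLL through both the native and the Wow6432Node CLSID views, and flags anything outside an analyst-supplied baseline or matching the CLSID recorded here. The export text is constructed to mirror the keys in this report; the "WebCheck" baseline entry and its path are assumed stand-ins for a clean reference image, not values captured from the sandbox. Two practical notes: `reg export` writes UTF-16LE, so decode the file before passing it in, and because this sample is 32-bit its writes on an x64 host land under Wow6432Node, so the native key that 64-bit Explorer reads may look clean even though the 32-bit view is not.

```python
"""Hunt for ShellServiceObjectDelayLoad (SSODL) persistence in a .reg export.
An SSODL entry is only a CLSID; the DLL actually loaded is whatever that
CLSID's InProcServer32 default value points at.  Resolve every entry to its
DLL and flag anything that is not in the baseline."""

# Known-bad CLSID taken from the report above.
BERBEW_CLSID = "{79FEACFF-FFCE-815E-A900-316290B5B738}"

# Assumed baseline (value name -> CLSID).  Build the real one from a clean image.
BASELINE = {"WebCheck": "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}

CLSID_ROOTS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID",              # native view
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID",  # 32-bit view (where this sample wrote)
)

# Constructed .reg export modelled on the keys in the report; WebCheck's path is a stand-in.
REG_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"Web Event Logger"="{79FEACFF-FFCE-815E-A900-316290B5B738}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,65,00,62,00,\
  63,00,68,00,65,00,63,00,6b,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
@="C:\\Windows\\SysWow64\\Cceell32.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg(text):
    """Minimal parser for 'Windows Registry Editor Version 5.00' text.
    Returns {key_path_lowercased: {value_name: str}} for REG_SZ ("...") and
    REG_EXPAND_SZ (hex(2):...) values; other types are ignored."""
    reg, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):          # hex values wrap with a trailing backslash
            buf = line[:-1]
            continue
        buf = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                reg[current][name] = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            elif value.startswith("hex(2):"):   # UTF-16LE bytes, NUL terminated
                data = bytes(int(b, 16) for b in value[7:].split(",") if b)
                reg[current][name] = data.decode("utf-16-le").rstrip("\x00")
    return reg


def resolve_inproc(reg, clsid):
    """Return the InProcServer32 default value for a CLSID, checking both registry views."""
    for root in CLSID_ROOTS:
        values = reg.get(f"{root}\\{clsid}\\InProcServer32".lower())
        if values and "@" in values:
            return values["@"]
    return None


def hunt_ssodl(reg_text, baseline):
    """One finding per SSODL value; `reasons` is empty when nothing looks wrong."""
    reg = parse_reg(reg_text)
    findings = []
    for key, values in reg.items():
        if not key.endswith(r"\shellserviceobjectdelayload"):
            continue
        for name, clsid in values.items():
            clsid = clsid.upper()
            dll = resolve_inproc(reg, clsid)
            reasons = []
            if baseline.get(name) != clsid:
                reasons.append("not in baseline")
            if clsid == BERBEW_CLSID:
                reasons.append("CLSID recorded in this Berbew report")
            if dll is None:
                reasons.append("no InProcServer32 for CLSID (dangling entry)")
            findings.append({"key": key, "name": name, "clsid": clsid, "dll": dll, "reasons": reasons})
    return findings


def suspicious(findings):
    return [f for f in findings if f["reasons"]]


if __name__ == "__main__":
    for f in hunt_ssodl(REG_TEXT, BASELINE):
        flag = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{flag:<10} {f['name']!r} -> {f['clsid']} -> {f['dll']}  {'; '.join(f['reasons'])}")
```

On a live host the same two lookups can be done with `reg query` against both `HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad` and its Wow6432Node twin, then against `HKLM\Software\Classes\[Wow6432Node\]CLSID\<clsid>\InProcServer32`; the resolved DLL is what to hash and compare against the file list at the end of this report.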
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe
"C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe"
C:\Windows\SysWOW64\Qjklenpa.exe
C:\Windows\system32\Qjklenpa.exe
C:\Windows\SysWOW64\Alihaioe.exe
C:\Windows\system32\Alihaioe.exe
C:\Windows\SysWOW64\Aohdmdoh.exe
C:\Windows\system32\Aohdmdoh.exe
C:\Windows\SysWOW64\Akabgebj.exe
C:\Windows\system32\Akabgebj.exe
C:\Windows\SysWOW64\Aakjdo32.exe
C:\Windows\system32\Aakjdo32.exe
C:\Windows\SysWOW64\Aoagccfn.exe
C:\Windows\system32\Aoagccfn.exe
C:\Windows\SysWOW64\Abpcooea.exe
C:\Windows\system32\Abpcooea.exe
C:\Windows\SysWOW64\Bkhhhd32.exe
C:\Windows\system32\Bkhhhd32.exe
C:\Windows\SysWOW64\Bnknoogp.exe
C:\Windows\system32\Bnknoogp.exe
C:\Windows\SysWOW64\Bfioia32.exe
C:\Windows\system32\Bfioia32.exe
C:\Windows\SysWOW64\Bjdkjpkb.exe
C:\Windows\system32\Bjdkjpkb.exe
C:\Windows\SysWOW64\Ciihklpj.exe
C:\Windows\system32\Ciihklpj.exe
C:\Windows\SysWOW64\Cgoelh32.exe
C:\Windows\system32\Cgoelh32.exe
C:\Windows\SysWOW64\Cagienkb.exe
C:\Windows\system32\Cagienkb.exe
C:\Windows\SysWOW64\Cmpgpond.exe
C:\Windows\system32\Cmpgpond.exe
C:\Windows\SysWOW64\Cfhkhd32.exe
C:\Windows\system32\Cfhkhd32.exe
C:\Windows\SysWOW64\Dpapaj32.exe
C:\Windows\system32\Dpapaj32.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 144
Network
Files
memory/628-0-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Qjklenpa.exe
| MD5 | 57ae8f1ba7cea1f4dfc11a9820d06499 |
| SHA1 | 1df3c28d010770b5b85c6cdd34de1429096f53cd |
| SHA256 | ec17a1482e3f76b65bc7df9875f1ed93dac3f3114568de79696beeea5daadf41 |
| SHA512 | e6b553aa3b3e1f9224300c47af492379f3c499e026cc2e1b9dabcca22eea422b120a48fbc0ae96d9d54a1d8c25904b26faa3e481e45467e98f3d174ca24a53b7 |
memory/2408-14-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Alihaioe.exe
| MD5 | 7add387e26b33b23cac1de6791a78ad8 |
| SHA1 | f4086b436210a68432a7ec1d18dddc5638c5bfad |
| SHA256 | 07a52a2307003d2c533841baf35e58a81176dfec8753642131b65ff7dd541b20 |
| SHA512 | a9d48cf5d17afa6b973b32d9126721807060e19c7f027c6d112e9b1c091aabd5426e9627f00488d13ff3e9fbf635b5f0b72e830f0b1195080a7cf445fe5954eb |
memory/2784-34-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2408-33-0x00000000002D0000-0x0000000000303000-memory.dmp
\Windows\SysWOW64\Aohdmdoh.exe
| MD5 | 959d232401b07e7083e6003268994583 |
| SHA1 | 9cd6ba451293ee3f796a4e24d3dcd154725d7f8f |
| SHA256 | 48c567fec97bdf680a5531364a9c6a9911ce369fa5c8130592bb6616da7815e1 |
| SHA512 | 992438a358ffcf03da9d1d88f9181bd4e0c243de045fc61140e971ea90dfac8dc4b2dd16cb46cfc0dbb7353040492706507eacd5fabd5dec7196551477ff9f30 |
memory/2940-43-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2784-42-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2408-32-0x00000000002D0000-0x0000000000303000-memory.dmp
memory/628-13-0x0000000000250000-0x0000000000283000-memory.dmp
memory/628-12-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2940-51-0x0000000000290000-0x00000000002C3000-memory.dmp
\Windows\SysWOW64\Akabgebj.exe
| MD5 | 69930055fa88a501594593e470d52c8b |
| SHA1 | e219dab2a4617353b120b75c2bab557322c2e1ca |
| SHA256 | c9f89fc8dd5071c68c672aecad88708e607f2a2f377480bbe4a5846be70622d3 |
| SHA512 | fd992f25a5bc1ac19f7651d316c5c3aa8ac8da3b5b98a1d745684d16562bca54e4be9ff3857e58cae3562f914f1458f5d2fdd748a833da5cc27d01c1824b6c06 |
memory/2940-57-0x0000000000290000-0x00000000002C3000-memory.dmp
memory/2692-65-0x00000000002F0000-0x0000000000323000-memory.dmp
\Windows\SysWOW64\Aakjdo32.exe
| MD5 | 879df363169cc130d41c1a40203a718e |
| SHA1 | da583bf44d5f772b2b21aea3ecbc3e7975b6dbc4 |
| SHA256 | 0168600670c6dd1f314d226c9b5abf0b0c627d3639db300b1665fb06783622fd |
| SHA512 | add3699b86c8dbe02b536db5f283f90813214609d745d9764641c74b4a7607f715b5e8e942b95669bdfe48853039d7b26d19fdb74de3c311c941453527130f7e |
memory/2588-72-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2692-71-0x00000000002F0000-0x0000000000323000-memory.dmp
memory/2588-90-0x0000000000250000-0x0000000000283000-memory.dmp
memory/2880-100-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Windows\SysWOW64\Abpcooea.exe
| MD5 | 3331e14f4cfd0aae4f88f6a4df28eadc |
| SHA1 | d6b51c04dd825e583720082e06a28acf41627453 |
| SHA256 | 0a510e0a83339db0546d9dfaaf19c69537b19867c0a09756d836bba36a58d258 |
| SHA512 | 85bfc0ef88b3cf07ac30e6dceb5e8bb8c276f74f4b142d232bc67ef824727533bda2ba9a0912e1c8abd3568c7f82b9fa02f8a99567605dcd88b0c3d55077af94 |
\Windows\SysWOW64\Bkhhhd32.exe
| MD5 | 4137c09891bb28c817c96c54fcf07fcc |
| SHA1 | 00611909078ecd6015d6f0ed2559ed733192c3d4 |
| SHA256 | ea1dc72f280b996205324d61614490ac3fb25fff89682a11fa3d26556af61570 |
| SHA512 | 7034aca494b55764db278a42604f86626177d3c0be95ceffdb3fd0972ba4c468bdafbd690e8900404befa1276539536da78141eaa17c87fc699aa2f10c2e841c |
C:\Windows\SysWOW64\Aoagccfn.exe
| MD5 | af61a10327fe528e6dbc586ede9840fd |
| SHA1 | ba550340209e05ab627edd106c7a97b7a706e009 |
| SHA256 | 160e288c554e39eca75a7459cb8fddde6236920cb94e0c2eeebb925970a85a61 |
| SHA512 | 89531e705f1118316eea22874a5f8554a52a47cc976f54e7e0e986adbd3ecf71b65d8f88aa2e4e004dcd7b998776ec8c50d6384c2f6b2b50da4546d0c156f670 |
C:\Windows\SysWOW64\Bnknoogp.exe
| MD5 | 2a47f5ef897390fd5546d0f4d8be470f |
| SHA1 | e1d27a0f4fb4ba3490cd848b614883509662eb56 |
| SHA256 | 1114d46d0cd027f28383b86da97baede9c30d075250b5750e1b4fd7b11ccc933 |
| SHA512 | 3c538864a5c1d45f438cde6cba437e3697bbd28963a381c6dc750f58b327fa4ace74d03f57f405b859a383a21cfe70546ee30d395c54e089f378e8859e23db4d |
C:\Windows\SysWOW64\Bfioia32.exe
| MD5 | 071c4f18d162b993642e3bba7e71eac8 |
| SHA1 | 641b75330c5c49721381f5430857b738c438744e |
| SHA256 | a20a9ba8339503bd33608c807cfa56b6ecdb088c79ebd7adcc77218e809b0287 |
| SHA512 | 1baa231aa0c4a3bd85a906c439331907456685a2bde798f1edd6efab17a37f9a0d61eda9b5b71686777026f160653d7810d49263bf7a7c452e61b9bad73958f3 |
\Windows\SysWOW64\Bjdkjpkb.exe
| MD5 | f6cff479e84c41d3a15df97a47bbcf4a |
| SHA1 | 0e520039c361edcd5496cae703167ef6d3b67722 |
| SHA256 | d66f9cbb8e3bc58714cf8686d08ace2ec12c53ea7317719f70e8d1bbd3f92cfa |
| SHA512 | 0f4b04918bf9c545cbfa8f5fea8047baedc379409f119ede25737ef36207d51805bbf5cf512b69d3e9b88bc9071559970f059e7b35af3b3756bf6fd81565cb25 |
\Windows\SysWOW64\Ciihklpj.exe
| MD5 | d1ca946c67930980652dd06dacaaeae8 |
| SHA1 | 886b77f165ce43a7e2fad99476388e6be4540276 |
| SHA256 | 3e75c21b7b2c116792b8f453f31172b8050a4acac7717d8caad0628c4ba3af40 |
| SHA512 | 8cffaea68accab0d051a8fda058a7be77c54be5fdb9b76d0629f250b1739bf91975c39d97338c48f3fa1e7eabd971c3c1284620e935c81fa29e4dbf36e5b3457 |
C:\Windows\SysWOW64\Cgoelh32.exe
| MD5 | 2069839e7f50000aa0b4afd6ee212e49 |
| SHA1 | 9a738b461da31d4b2ceaa1ea1c16189964791d05 |
| SHA256 | 2ff071f3fe2ae24b1561481ce6e316888afe297744dda3e4090ae9ad35d7a56e |
| SHA512 | b6cbec81b1153f7e39e4587ae4febae51d8d301285a49ec26e47cf28b5ee7f71e83d19a24a5532a12740082dd7b0c4dda3f67781116a97ad6a7e061512e7801a |
C:\Windows\SysWOW64\Cagienkb.exe
| MD5 | 297a6e677df9d1fa0afcd9acd34e08d8 |
| SHA1 | 6a6451c38f8a2ed4a8fb676c9eb13d7ae7dc806d |
| SHA256 | e668609fe2a93ed01f14c355f64da3abbc98861a52d7919feaaae84829fb1117 |
| SHA512 | b97ccb0e2db06285291821f753c4be73caa7ca811e5a91525396336b888570df484c280941bd4a5a4c2e16aa2a9fe24124346bfa09baac5d3f69bb3d92797486 |
C:\Windows\SysWOW64\Cmpgpond.exe
| MD5 | 8d8dce26e05b28504bd1e4d0076908e8 |
| SHA1 | ff0fa02b640d43662ab8d26064cb1ef82356d080 |
| SHA256 | 06acfe06fe89f2703729dff2273538dc33c2858a02a203bf7a20d68b779ec7ce |
| SHA512 | b36d1d70efb5b33a41f7c66fc9bffb397dc225139540ef854bc85ecc66159f54ca58792dfdccf4a3f59ba8323e0c00072e0124a4f227ab99c9f51418c075bf4a |
C:\Windows\SysWOW64\Cfhkhd32.exe
| MD5 | c68e141ed4eb5b58a343d4671b849975 |
| SHA1 | ef698b19a548bdde31c7c123187311d9c3e04b5c |
| SHA256 | e85559c9c29e34fbfd7c6dc403d896ff6c49aa9afa812ec1578c5629afa76384 |
| SHA512 | c778e89cdbdf30fa59d0f74abcd3365a895d6c78b8e49fce808fc4c9fde122ff5b7208fa52176537847276a9dfa24a69820e692eea21038893e4bdbddbf9add2 |
C:\Windows\SysWOW64\Dpapaj32.exe
| MD5 | 6fd2b06b37ff1753cdf22d1f65a54e3c |
| SHA1 | 39e2383a1cbdb13b72dfe2f06dfbd305709bdb39 |
| SHA256 | e7c65aea20530f991be557120991ac7d383c2eb0eddaab0f8e8e5600cd921ae5 |
| SHA512 | 7fd767b1560d0887c74da2712bb0905e1564e51240312f4d8da42a6c486a03963da83653046bc722e475e31c02097ba2142acc11f97f5bcfe552be4388cf13f3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 03:19
Reported
2024-11-10 03:21
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dfjpfj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gjfnedho.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hibafp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cammjakm.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ecbjkngo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ijqmhnko.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ipeeobbe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jcdala32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mkohaj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Bdbnjdfg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fealin32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pmblagmf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Emdajb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ibcaknbi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lflbkcll.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fideeaco.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jnjejjgh.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Knchpiom.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mjdebfnd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fijkdmhn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jgeghp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lmdemd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ebimgcfi.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Njhgbp32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mchppmij.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Domdjj32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Maggnali.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Mnmdme32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bdbnjdfg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Cdmfllhn.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Embddb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ilccoh32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jcphab32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kkconn32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmpolgoi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Eppqqn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Jgbjbp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Njfagf32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pefabkej.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pjmjdm32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Icdheded.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pocpfphe.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kngkqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dlieda32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Glldgljg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Qeodhjmo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dbcmakpl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gbabigfj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pmoiqneg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Dooaoj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ompfej32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Glcaambb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ojgjndno.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Omjpeo32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Eiokinbk.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ngjkfd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bgkiaj32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hkbmqb32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Knalji32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pefabkej.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ckebcg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jgkmgk32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Cklhcfle.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Igbalblk.exe | N/A |
Berbew
Berbew family
Executes dropped EXE
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Hbjoeojc.exe | C:\Windows\SysWOW64\Hibjli32.exe | N/A |
| File created | C:\Windows\SysWOW64\Kcpahpmd.exe | C:\Windows\SysWOW64\Kqbdldnq.exe | N/A |
| File created | C:\Windows\SysWOW64\Paoollik.exe | C:\Windows\SysWOW64\Popbpqjh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Pdmkhgho.exe | C:\Windows\SysWOW64\Paoollik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Deqcbpld.exe | C:\Windows\SysWOW64\Dbbffdlq.exe | N/A |
| File created | C:\Windows\SysWOW64\Fenhjedb.dll | C:\Windows\SysWOW64\Hmkigh32.exe | N/A |
| File created | C:\Windows\SysWOW64\Plbhknkl.dll | C:\Windows\SysWOW64\Hmpjmn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ijegcm32.exe | C:\Windows\SysWOW64\Iggjga32.exe | N/A |
| File created | C:\Windows\SysWOW64\Anaemfem.dll | C:\Windows\SysWOW64\Jddnfd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kqdaadln.exe | C:\Windows\SysWOW64\Knfeeimj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cnindhpg.exe | C:\Windows\SysWOW64\Cofnik32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Phaahggp.exe | C:\Windows\SysWOW64\Poimpapp.exe | N/A |
| File created | C:\Windows\SysWOW64\Cocopa32.dll | C:\Windows\SysWOW64\Eppjfgcp.exe | N/A |
| File created | C:\Windows\SysWOW64\Opcefi32.dll | C:\Windows\SysWOW64\Ompfej32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bgkiaj32.exe | C:\Windows\SysWOW64\Apodoq32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dcpmen32.exe | C:\Windows\SysWOW64\Dlieda32.exe | N/A |
| File created | C:\Windows\SysWOW64\Lmbhgd32.exe | C:\Windows\SysWOW64\Ljclki32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mmbanbmg.exe | C:\Windows\SysWOW64\Mjdebfnd.exe | N/A |
| File created | C:\Windows\SysWOW64\Ocoaob32.dll | C:\Windows\SysWOW64\Gfeaopqo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lnldla32.exe | C:\Windows\SysWOW64\Lpfgmnfp.exe | N/A |
| File created | C:\Windows\SysWOW64\Pmoiqneg.exe | C:\Windows\SysWOW64\Pkpmdbfd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dfglfdkb.exe | C:\Windows\SysWOW64\Dnpdegjp.exe | N/A |
| File created | C:\Windows\SysWOW64\Adfonlkp.dll | C:\Windows\SysWOW64\Jlgepanl.exe | N/A |
| File created | C:\Windows\SysWOW64\Dmalne32.exe | C:\Windows\SysWOW64\Dblgpl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dlkbjqgm.exe | C:\Windows\SysWOW64\Dimenegi.exe | N/A |
| File created | C:\Windows\SysWOW64\Hildmn32.exe | C:\Windows\SysWOW64\Hgmgqc32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Idfaefkd.exe | C:\Windows\SysWOW64\Iloidijb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ljclki32.exe | C:\Windows\SysWOW64\Lgepom32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mfeeabda.exe | C:\Windows\SysWOW64\Mokmdh32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Cglbhhga.exe | C:\Windows\SysWOW64\Cdmfllhn.exe | N/A |
| File created | C:\Windows\SysWOW64\Jcfggkac.exe | C:\Windows\SysWOW64\Jniood32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bnffda32.dll | C:\Windows\SysWOW64\Dblgpl32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Meiioonj.exe | C:\Windows\SysWOW64\Mmbanbmg.exe | N/A |
| File created | C:\Windows\SysWOW64\Ohkkhhmh.exe | C:\Windows\SysWOW64\Oelolmnd.exe | N/A |
| File created | C:\Windows\SysWOW64\Eoaedogc.dll | C:\Windows\SysWOW64\Popbpqjh.exe | N/A |
| File created | C:\Windows\SysWOW64\Eoideh32.exe | C:\Windows\SysWOW64\Eiokinbk.exe | N/A |
| File created | C:\Windows\SysWOW64\Cnindhpg.exe | C:\Windows\SysWOW64\Cofnik32.exe | N/A |
| File created | C:\Windows\SysWOW64\Peaggfjj.dll | C:\Windows\SysWOW64\Lflbkcll.exe | N/A |
| File created | C:\Windows\SysWOW64\Lngqkhda.dll | C:\Windows\SysWOW64\Pjbcplpe.exe | N/A |
| File created | C:\Windows\SysWOW64\Eghghj32.dll | C:\Windows\SysWOW64\Lklbdm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ldipha32.exe | C:\Windows\SysWOW64\Lmbhgd32.exe | N/A |
| File created | C:\Windows\SysWOW64\Fnipgg32.dll | C:\Windows\SysWOW64\Mebcop32.exe | N/A |
| File created | C:\Windows\SysWOW64\Bfkegm32.dll | C:\Windows\SysWOW64\Mkohaj32.exe | N/A |
| File created | C:\Windows\SysWOW64\Omgcpokp.exe | C:\Windows\SysWOW64\Ojigdcll.exe | N/A |
| File created | C:\Windows\SysWOW64\Ckbemgcp.exe | C:\Windows\SysWOW64\Chdialdl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Qkipkani.exe | C:\Windows\SysWOW64\Qdphngfl.exe | N/A |
| File created | C:\Windows\SysWOW64\Dnmhpg32.exe | C:\Windows\SysWOW64\Dkokcl32.exe | N/A |
| File created | C:\Windows\SysWOW64\Eemnff32.dll | C:\Windows\SysWOW64\Jgpfbjlo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Hlegnjbm.exe | C:\Windows\SysWOW64\Higjaoci.exe | N/A |
| File created | C:\Windows\SysWOW64\Hgkkkcbc.exe | C:\Windows\SysWOW64\Hdmoohbo.exe | N/A |
| File created | C:\Windows\SysWOW64\Ikkpgafg.exe | C:\Windows\SysWOW64\Icdheded.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Knalji32.exe | C:\Windows\SysWOW64\Kkconn32.exe | N/A |
| File created | C:\Windows\SysWOW64\Jocgnlha.dll | C:\Windows\SysWOW64\Pocpfphe.exe | N/A |
| File created | C:\Windows\SysWOW64\Bcjfln32.dll | C:\Windows\SysWOW64\Mgloefco.exe | N/A |
| File created | C:\Windows\SysWOW64\Qlejfm32.dll | C:\Windows\SysWOW64\Dcnqpo32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ljfhqh32.exe | C:\Windows\SysWOW64\Lggldm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Mebcop32.exe | C:\Windows\SysWOW64\Maggnali.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Mebcop32.exe | C:\Windows\SysWOW64\Maggnali.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Kgflcifg.exe | C:\Windows\SysWOW64\Klahfp32.exe | N/A |
| File created | C:\Windows\SysWOW64\Ecefqnel.exe | C:\Windows\SysWOW64\Epikpo32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Ljfhqh32.exe | C:\Windows\SysWOW64\Lggldm32.exe | N/A |
| File created | C:\Windows\SysWOW64\Cfpffeaj.exe | C:\Windows\SysWOW64\Cnindhpg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dmadco32.exe | C:\Windows\SysWOW64\Dfglfdkb.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Klahfp32.exe | C:\Windows\SysWOW64\Kjblje32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Dkqaoe32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lekmnajj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnjdpaki.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nghekkmn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Qdphngfl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Bkaobnio.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ofkgcobj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fmndpq32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mnhkbfme.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jlobkg32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dihlbf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gblbca32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lflbkcll.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aekddhcb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hbhboolf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hgmgqc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kkgiimng.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ohkkhhmh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dooaoj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dfiildio.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jljbeali.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nclbpf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fpejlmcf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hdhedh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nnafno32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ppolhcnm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lmpkadnm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kpjgaoqm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fpggamqc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jncoikmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kdigadjo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lggldm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mccfdmmo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mkjnfkma.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dcnqpo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dpgnjo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Aggpfkjj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cpfcfmlp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Lqikmc32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fealin32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nmfcok32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Cnfkdb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Gpqjglii.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Idhnkf32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hibjli32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kqbdldnq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmadco32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jcfggkac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Oeheqm32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Eblimcdf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hmkigh32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Iebngial.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fbfcmhpg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Mgehfkop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Hlambk32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Pdenmbkk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Emdajb32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ffmfchle.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Kkconn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Dmfeidbe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Fpbmfn32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Ipflihfq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Nqmfdj32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Maggnali.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jcanll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaakdpkj.dll" | C:\Windows\SysWOW64\Ohfami32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppioondd.dll" | C:\Windows\SysWOW64\Dfdpad32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocopa32.dll" | C:\Windows\SysWOW64\Eppjfgcp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqmbmdf.dll" | C:\Windows\SysWOW64\Fmcjpl32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fdqfll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npodfe32.dll" | C:\Windows\SysWOW64\Ffobhg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkfjo32.dll" | C:\Windows\SysWOW64\Mchppmij.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ojdnid32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ahippdbe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fmfnpa32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keaebdpc.dll" | C:\Windows\SysWOW64\Ingpmmgm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Maiccajf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fpggamqc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ojgjndno.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Aednci32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fpejlmcf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gceegdko.dll" | C:\Windows\SysWOW64\Cfipef32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Emmdom32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fealin32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Hgdejd32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Oloahhki.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfohjf32.dll" | C:\Windows\SysWOW64\Qaalblgi.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afnqfkij.dll" | C:\Windows\SysWOW64\Dkokcl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimhbfpl.dll" | C:\Windows\SysWOW64\Fijkdmhn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll" | C:\Windows\SysWOW64\Cnfkdb32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gbofcghl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ilafiihp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Kqfngd32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdpmoppk.dll" | C:\Windows\SysWOW64\Pkbjjbda.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Alkijdci.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaabap32.dll" | C:\Windows\SysWOW64\Ipeeobbe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Mokmdh32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Dmfeidbe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Efafgifc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Jdfjld32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkajlm32.dll" | C:\Windows\SysWOW64\Addaif32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Albpkc32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjhhfnd.dll" | C:\Windows\SysWOW64\Bkaobnio.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Bnoknihb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Igfclkdj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfmioc32.dll" | C:\Windows\SysWOW64\Elbhjp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Gigaka32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Palbgl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqojdee.dll" | C:\Windows\SysWOW64\Nclbpf32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll" | C:\Windows\SysWOW64\Cpbjkn32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Jnhidk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joicekop.dll" | C:\Windows\SysWOW64\Lgjijmin.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Blqllqqa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oidalg32.dll" | C:\Windows\SysWOW64\Dkfadkgf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Lobjni32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgbdc32.dll" | C:\Windows\SysWOW64\Gpecbk32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlgfb32.dll" | C:\Windows\SysWOW64\Hdokdg32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gapjhc32.dll" | C:\Windows\SysWOW64\Icdheded.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Cnindhpg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Gojiiafp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcpeei32.dll" | C:\Windows\SysWOW64\Dpphjp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Ebommi32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Mnmdme32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Eeelnp32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Fmcjpl32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihgkk32.dll" | C:\Windows\SysWOW64\Lggejg32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Ecbjkngo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Igdnabjh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Cofnik32.exe | N/A |
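Read together with the ShellServiceObjectDelayLoad rows earlier in this report, the table above is the whole persistence chain: the SSODL value "Web Event Logger" names CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, Explorer instantiates every SSODL CLSID at shell startup, and the InProcServer32 of that CLSID is re-pointed, by one dropped executable after another, at a freshly dropped DLL in SysWow64. The following Python is an added example, not tooling from the sandbox or from the report's signature engine: it joins the two kinds of registry rows on the CLSID and flags the chain when the value is written from a user-writable path, by several processes, or with the in-proc server re-pointed more than once. The sample rows are copied from the tables on this page; the "ExampleBenign" entry, its all-zero CLSID, example.dll and the msiexec.exe writer are made up so the checks have a quiet control case.

```python
"""Correlate sandbox registry rows into ShellServiceObjectDelayLoad persistence chains.

Added example for this report; the heuristics are the editor's, not the sandbox's.
"""
import re
from collections import defaultdict

# Constructed sample: "Description | Indicator | Process" rows copied from the report,
# plus one made-up benign control entry (ExampleBenign / all-zero CLSID / example.dll /
# msiexec.exe) that only exists to show a single ordinary registration is not flagged.
SAMPLE_EVENTS = r"""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Aoagccfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | C:\Windows\SysWOW64\Fdqfll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaakdpkj.dll" | C:\Windows\SysWOW64\Ohfami32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppioondd.dll" | C:\Windows\SysWOW64\Dfdpad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocopa32.dll" | C:\Windows\SysWOW64\Eppjfgcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqmbmdf.dll" | C:\Windows\SysWOW64\Fmcjpl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Maiccajf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ExampleBenign = "{00000000-0000-0000-0000-000000000001}" | C:\Windows\System32\msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32\ = "C:\\Windows\\System32\\example.dll" | C:\Windows\System32\msiexec.exe
"""

# SSODL value write: ...\ShellServiceObjectDelayLoad\<value name> = "{CLSID}"
SSODL_RE = re.compile(
    r'\\ShellServiceObjectDelayLoad\\(?P<name>[^=]+?)\s*=\s*"(?P<clsid>\{[0-9A-Fa-f-]+\})"',
    re.IGNORECASE,
)
# Default value of ...\CLSID\{CLSID}\InProcServer32 = "<dll path>" (ThreadingModel rows do not match)
INPROC_RE = re.compile(
    r'\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InProcServer32\\\s*=\s*"(?P<dll>[^"]+)"',
    re.IGNORECASE,
)
# Path fragments that mean the writer ran from somewhere a normal user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def parse_events(text):
    """Split 'Description | Indicator | Process' rows into dicts; blank or short rows are skipped."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.strip().strip("|").split("|")]
        if len(parts) < 3:
            continue
        events.append({"desc": parts[0], "indicator": parts[1], "process": parts[2]})
    return events


def build_chains(events):
    """Join each SSODL value to the InProcServer32 writes that share its CLSID."""
    ssodl = {}                   # CLSID -> {"name": value name, "writers": [process, ...]}
    servers = defaultdict(list)  # CLSID -> [(dll path, writing process), ...] in observed order
    for ev in events:
        m = SSODL_RE.search(ev["indicator"])
        if m:
            entry = ssodl.setdefault(m["clsid"].upper(), {"name": m["name"].strip(), "writers": []})
            entry["writers"].append(ev["process"])
            continue
        m = INPROC_RE.search(ev["indicator"])
        if m:
            dll = m["dll"].replace("\\\\", "\\")  # the report escapes backslashes in values
            servers[m["clsid"].upper()].append((dll, ev["process"]))
    return [
        {"clsid": clsid, "value_name": e["name"], "writers": e["writers"], "servers": servers.get(clsid, [])}
        for clsid, e in ssodl.items()
    ]


def assess(chain):
    """Return the reasons a chain looks like planted persistence rather than a normal COM registration."""
    reasons = []
    writers = {p.lower() for p in chain["writers"]}
    if len(writers) > 1:
        reasons.append(f"SSODL value '{chain['value_name']}' written by {len(writers)} different processes")
    dlls = {d.lower() for d, _ in chain["servers"]}
    if len(dlls) > 1:
        reasons.append(f"InProcServer32 of {chain['clsid']} re-pointed to {len(dlls)} different DLLs")
    if any(marker in p for p in writers for marker in USER_WRITABLE_MARKERS):
        reasons.append("SSODL value registered by a process running from a user-writable path")
    return reasons


def find_suspicious(text):
    """Map each flagged CLSID to its reasons; CLSIDs with no findings are left out."""
    result = {}
    for chain in build_chains(parse_events(text)):
        reasons = assess(chain)
        if reasons:
            result[chain["clsid"]] = reasons
    return result


if __name__ == "__main__":
    for clsid, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(clsid)
        for r in reasons:
            print("  -", r)
```

On a live host the same join is done against HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (and the Wow6432Node copy) and HKLM\SOFTWARE\Classes\CLSID\{...}\InProcServer32; the "re-pointed more than once" check then becomes a comparison against the DLL's signature and creation time, which a single registry snapshot cannot give you but the event stream above can.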
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe
"C:\Users\Admin\AppData\Local\Temp\3b8a13d4d4e65f27ec11ad436ab6f4dbc80ea88a5ac583b43ecad08c02e8cedcN.exe"
C:\Windows\SysWOW64\Ccbadp32.exe
C:\Windows\system32\Ccbadp32.exe
C:\Windows\SysWOW64\Cioilg32.exe
C:\Windows\system32\Cioilg32.exe
C:\Windows\SysWOW64\Dkbocbog.exe
C:\Windows\system32\Dkbocbog.exe
C:\Windows\SysWOW64\Dblgpl32.exe
C:\Windows\system32\Dblgpl32.exe
C:\Windows\SysWOW64\Dmalne32.exe
C:\Windows\system32\Dmalne32.exe
C:\Windows\SysWOW64\Dpphjp32.exe
C:\Windows\system32\Dpphjp32.exe
C:\Windows\SysWOW64\Dbndfl32.exe
C:\Windows\system32\Dbndfl32.exe
C:\Windows\SysWOW64\Dfjpfj32.exe
C:\Windows\system32\Dfjpfj32.exe
C:\Windows\SysWOW64\Dihlbf32.exe
C:\Windows\system32\Dihlbf32.exe
C:\Windows\SysWOW64\Dmdhcddh.exe
C:\Windows\system32\Dmdhcddh.exe
C:\Windows\SysWOW64\Dpbdopck.exe
C:\Windows\system32\Dpbdopck.exe
C:\Windows\SysWOW64\Dcnqpo32.exe
C:\Windows\system32\Dcnqpo32.exe
C:\Windows\SysWOW64\Dflmlj32.exe
C:\Windows\system32\Dflmlj32.exe
C:\Windows\SysWOW64\Djhimica.exe
C:\Windows\system32\Djhimica.exe
C:\Windows\SysWOW64\Dmfeidbe.exe
C:\Windows\system32\Dmfeidbe.exe
C:\Windows\SysWOW64\Dlieda32.exe
C:\Windows\system32\Dlieda32.exe
C:\Windows\SysWOW64\Dcpmen32.exe
C:\Windows\system32\Dcpmen32.exe
C:\Windows\SysWOW64\Dbcmakpl.exe
C:\Windows\system32\Dbcmakpl.exe
C:\Windows\SysWOW64\Djjebh32.exe
C:\Windows\system32\Djjebh32.exe
C:\Windows\SysWOW64\Dimenegi.exe
C:\Windows\system32\Dimenegi.exe
C:\Windows\SysWOW64\Dlkbjqgm.exe
C:\Windows\system32\Dlkbjqgm.exe
C:\Windows\SysWOW64\Dpgnjo32.exe
C:\Windows\system32\Dpgnjo32.exe
C:\Windows\SysWOW64\Ecbjkngo.exe
C:\Windows\system32\Ecbjkngo.exe
C:\Windows\SysWOW64\Efafgifc.exe
C:\Windows\system32\Efafgifc.exe
C:\Windows\SysWOW64\Ejlbhh32.exe
C:\Windows\system32\Ejlbhh32.exe
C:\Windows\SysWOW64\Emkndc32.exe
C:\Windows\system32\Emkndc32.exe
C:\Windows\SysWOW64\Epikpo32.exe
C:\Windows\system32\Epikpo32.exe
C:\Windows\SysWOW64\Ecefqnel.exe
C:\Windows\system32\Ecefqnel.exe
C:\Windows\SysWOW64\Efccmidp.exe
C:\Windows\system32\Efccmidp.exe
C:\Windows\SysWOW64\Eiaoid32.exe
C:\Windows\system32\Eiaoid32.exe
C:\Windows\SysWOW64\Emmkiclm.exe
C:\Windows\system32\Emmkiclm.exe
C:\Windows\SysWOW64\Eplgeokq.exe
C:\Windows\system32\Eplgeokq.exe
C:\Windows\SysWOW64\Ecgcfm32.exe
C:\Windows\system32\Ecgcfm32.exe
C:\Windows\SysWOW64\Efepbi32.exe
C:\Windows\system32\Efepbi32.exe
C:\Windows\SysWOW64\Eidlnd32.exe
C:\Windows\system32\Eidlnd32.exe
C:\Windows\SysWOW64\Elbhjp32.exe
C:\Windows\system32\Elbhjp32.exe
C:\Windows\SysWOW64\Eciplm32.exe
C:\Windows\system32\Eciplm32.exe
C:\Windows\SysWOW64\Eblpgjha.exe
C:\Windows\system32\Eblpgjha.exe
C:\Windows\SysWOW64\Ejchhgid.exe
C:\Windows\system32\Ejchhgid.exe
C:\Windows\SysWOW64\Embddb32.exe
C:\Windows\system32\Embddb32.exe
C:\Windows\SysWOW64\Eppqqn32.exe
C:\Windows\system32\Eppqqn32.exe
C:\Windows\SysWOW64\Ebommi32.exe
C:\Windows\system32\Ebommi32.exe
C:\Windows\SysWOW64\Ejfeng32.exe
C:\Windows\system32\Ejfeng32.exe
C:\Windows\SysWOW64\Emdajb32.exe
C:\Windows\system32\Emdajb32.exe
C:\Windows\SysWOW64\Fpbmfn32.exe
C:\Windows\system32\Fpbmfn32.exe
C:\Windows\SysWOW64\Fbajbi32.exe
C:\Windows\system32\Fbajbi32.exe
C:\Windows\SysWOW64\Ffmfchle.exe
C:\Windows\system32\Ffmfchle.exe
C:\Windows\SysWOW64\Fmfnpa32.exe
C:\Windows\system32\Fmfnpa32.exe
C:\Windows\SysWOW64\Fpejlmcf.exe
C:\Windows\system32\Fpejlmcf.exe
C:\Windows\SysWOW64\Fdqfll32.exe
C:\Windows\system32\Fdqfll32.exe
C:\Windows\SysWOW64\Ffobhg32.exe
C:\Windows\system32\Ffobhg32.exe
C:\Windows\SysWOW64\Fmikeaap.exe
C:\Windows\system32\Fmikeaap.exe
C:\Windows\SysWOW64\Fpggamqc.exe
C:\Windows\system32\Fpggamqc.exe
C:\Windows\SysWOW64\Fbfcmhpg.exe
C:\Windows\system32\Fbfcmhpg.exe
C:\Windows\SysWOW64\Fjmkoeqi.exe
C:\Windows\system32\Fjmkoeqi.exe
C:\Windows\SysWOW64\Fmkgkapm.exe
C:\Windows\system32\Fmkgkapm.exe
C:\Windows\SysWOW64\Fpjcgm32.exe
C:\Windows\system32\Fpjcgm32.exe
C:\Windows\SysWOW64\Fbhpch32.exe
C:\Windows\system32\Fbhpch32.exe
C:\Windows\SysWOW64\Fjohde32.exe
C:\Windows\system32\Fjohde32.exe
C:\Windows\SysWOW64\Fmndpq32.exe
C:\Windows\system32\Fmndpq32.exe
C:\Windows\SysWOW64\Fplpll32.exe
C:\Windows\system32\Fplpll32.exe
C:\Windows\SysWOW64\Fbjmhh32.exe
C:\Windows\system32\Fbjmhh32.exe
C:\Windows\SysWOW64\Fideeaco.exe
C:\Windows\system32\Fideeaco.exe
C:\Windows\SysWOW64\Glcaambb.exe
C:\Windows\system32\Glcaambb.exe
C:\Windows\SysWOW64\Gigaka32.exe
C:\Windows\system32\Gigaka32.exe
C:\Windows\SysWOW64\Gpqjglii.exe
C:\Windows\system32\Gpqjglii.exe
C:\Windows\SysWOW64\Gbofcghl.exe
C:\Windows\system32\Gbofcghl.exe
C:\Windows\SysWOW64\Gjfnedho.exe
C:\Windows\system32\Gjfnedho.exe
C:\Windows\SysWOW64\Gmdjapgb.exe
C:\Windows\system32\Gmdjapgb.exe
C:\Windows\SysWOW64\Gpcfmkff.exe
C:\Windows\system32\Gpcfmkff.exe
C:\Windows\SysWOW64\Gbabigfj.exe
C:\Windows\system32\Gbabigfj.exe
C:\Windows\SysWOW64\Gkhkjd32.exe
C:\Windows\system32\Gkhkjd32.exe
C:\Windows\SysWOW64\Gmggfp32.exe
C:\Windows\system32\Gmggfp32.exe
C:\Windows\SysWOW64\Gpecbk32.exe
C:\Windows\system32\Gpecbk32.exe
C:\Windows\SysWOW64\Gbdoof32.exe
C:\Windows\system32\Gbdoof32.exe
C:\Windows\SysWOW64\Gkkgpc32.exe
C:\Windows\system32\Gkkgpc32.exe
C:\Windows\SysWOW64\Glldgljg.exe
C:\Windows\system32\Glldgljg.exe
C:\Windows\SysWOW64\Gdcliikj.exe
C:\Windows\system32\Gdcliikj.exe
C:\Windows\SysWOW64\Ggahedjn.exe
C:\Windows\system32\Ggahedjn.exe
C:\Windows\SysWOW64\Gipdap32.exe
C:\Windows\system32\Gipdap32.exe
C:\Windows\SysWOW64\Hloqml32.exe
C:\Windows\system32\Hloqml32.exe
C:\Windows\SysWOW64\Hdehni32.exe
C:\Windows\system32\Hdehni32.exe
C:\Windows\SysWOW64\Hgdejd32.exe
C:\Windows\system32\Hgdejd32.exe
C:\Windows\SysWOW64\Hibafp32.exe
C:\Windows\system32\Hibafp32.exe
C:\Windows\SysWOW64\Hlambk32.exe
C:\Windows\system32\Hlambk32.exe
C:\Windows\SysWOW64\Hdhedh32.exe
C:\Windows\system32\Hdhedh32.exe
C:\Windows\SysWOW64\Hkbmqb32.exe
C:\Windows\system32\Hkbmqb32.exe
C:\Windows\SysWOW64\Hmpjmn32.exe
C:\Windows\system32\Hmpjmn32.exe
C:\Windows\SysWOW64\Hpofii32.exe
C:\Windows\system32\Hpofii32.exe
C:\Windows\SysWOW64\Hcmbee32.exe
C:\Windows\system32\Hcmbee32.exe
C:\Windows\SysWOW64\Higjaoci.exe
C:\Windows\system32\Higjaoci.exe
C:\Windows\SysWOW64\Hlegnjbm.exe
C:\Windows\system32\Hlegnjbm.exe
C:\Windows\SysWOW64\Hdmoohbo.exe
C:\Windows\system32\Hdmoohbo.exe
C:\Windows\SysWOW64\Hgkkkcbc.exe
C:\Windows\system32\Hgkkkcbc.exe
C:\Windows\SysWOW64\Hiiggoaf.exe
C:\Windows\system32\Hiiggoaf.exe
C:\Windows\SysWOW64\Hlhccj32.exe
C:\Windows\system32\Hlhccj32.exe
C:\Windows\SysWOW64\Hdokdg32.exe
C:\Windows\system32\Hdokdg32.exe
C:\Windows\SysWOW64\Hgmgqc32.exe
C:\Windows\system32\Hgmgqc32.exe
C:\Windows\SysWOW64\Hildmn32.exe
C:\Windows\system32\Hildmn32.exe
C:\Windows\SysWOW64\Ingpmmgm.exe
C:\Windows\system32\Ingpmmgm.exe
C:\Windows\SysWOW64\Ipflihfq.exe
C:\Windows\system32\Ipflihfq.exe
C:\Windows\SysWOW64\Icdheded.exe
C:\Windows\system32\Icdheded.exe
C:\Windows\SysWOW64\Ikkpgafg.exe
C:\Windows\system32\Ikkpgafg.exe
C:\Windows\SysWOW64\Injmcmej.exe
C:\Windows\system32\Injmcmej.exe
C:\Windows\SysWOW64\Iphioh32.exe
C:\Windows\system32\Iphioh32.exe
C:\Windows\SysWOW64\Icfekc32.exe
C:\Windows\system32\Icfekc32.exe
C:\Windows\SysWOW64\Igbalblk.exe
C:\Windows\system32\Igbalblk.exe
C:\Windows\SysWOW64\Ijqmhnko.exe
C:\Windows\system32\Ijqmhnko.exe
C:\Windows\SysWOW64\Iloidijb.exe
C:\Windows\system32\Iloidijb.exe
C:\Windows\SysWOW64\Idfaefkd.exe
C:\Windows\system32\Idfaefkd.exe
C:\Windows\SysWOW64\Igdnabjh.exe
C:\Windows\system32\Igdnabjh.exe
C:\Windows\SysWOW64\Ijcjmmil.exe
C:\Windows\system32\Ijcjmmil.exe
C:\Windows\SysWOW64\Ilafiihp.exe
C:\Windows\system32\Ilafiihp.exe
C:\Windows\SysWOW64\Idhnkf32.exe
C:\Windows\system32\Idhnkf32.exe
C:\Windows\SysWOW64\Iggjga32.exe
C:\Windows\system32\Iggjga32.exe
C:\Windows\SysWOW64\Ijegcm32.exe
C:\Windows\system32\Ijegcm32.exe
C:\Windows\SysWOW64\Ilccoh32.exe
C:\Windows\system32\Ilccoh32.exe
C:\Windows\SysWOW64\Idkkpf32.exe
C:\Windows\system32\Idkkpf32.exe
C:\Windows\SysWOW64\Igigla32.exe
C:\Windows\system32\Igigla32.exe
C:\Windows\SysWOW64\Jjgchm32.exe
C:\Windows\system32\Jjgchm32.exe
C:\Windows\SysWOW64\Jncoikmp.exe
C:\Windows\system32\Jncoikmp.exe
C:\Windows\SysWOW64\Jpaleglc.exe
C:\Windows\system32\Jpaleglc.exe
C:\Windows\SysWOW64\Jcphab32.exe
C:\Windows\system32\Jcphab32.exe
C:\Windows\SysWOW64\Jjjpnlbd.exe
C:\Windows\system32\Jjjpnlbd.exe
C:\Windows\SysWOW64\Jlhljhbg.exe
C:\Windows\system32\Jlhljhbg.exe
C:\Windows\SysWOW64\Jdodkebj.exe
C:\Windows\system32\Jdodkebj.exe
C:\Windows\SysWOW64\Jgnqgqan.exe
C:\Windows\system32\Jgnqgqan.exe
C:\Windows\SysWOW64\Jkimho32.exe
C:\Windows\system32\Jkimho32.exe
C:\Windows\SysWOW64\Jnhidk32.exe
C:\Windows\system32\Jnhidk32.exe
C:\Windows\SysWOW64\Jpfepf32.exe
C:\Windows\system32\Jpfepf32.exe
C:\Windows\SysWOW64\Jcdala32.exe
C:\Windows\system32\Jcdala32.exe
C:\Windows\SysWOW64\Jklinohd.exe
C:\Windows\system32\Jklinohd.exe
C:\Windows\SysWOW64\Jnjejjgh.exe
C:\Windows\system32\Jnjejjgh.exe
C:\Windows\SysWOW64\Jqhafffk.exe
C:\Windows\system32\Jqhafffk.exe
C:\Windows\SysWOW64\Jddnfd32.exe
C:\Windows\system32\Jddnfd32.exe
C:\Windows\SysWOW64\Jgbjbp32.exe
C:\Windows\system32\Jgbjbp32.exe
C:\Windows\SysWOW64\Jjafok32.exe
C:\Windows\system32\Jjafok32.exe
C:\Windows\SysWOW64\Jlobkg32.exe
C:\Windows\system32\Jlobkg32.exe
C:\Windows\SysWOW64\Jdfjld32.exe
C:\Windows\system32\Jdfjld32.exe
C:\Windows\SysWOW64\Jgeghp32.exe
C:\Windows\system32\Jgeghp32.exe
C:\Windows\SysWOW64\Kjccdkki.exe
C:\Windows\system32\Kjccdkki.exe
C:\Windows\SysWOW64\Kmaopfjm.exe
C:\Windows\system32\Kmaopfjm.exe
C:\Windows\SysWOW64\Kdigadjo.exe
C:\Windows\system32\Kdigadjo.exe
C:\Windows\SysWOW64\Kggcnoic.exe
C:\Windows\system32\Kggcnoic.exe
C:\Windows\SysWOW64\Kkconn32.exe
C:\Windows\system32\Kkconn32.exe
C:\Windows\SysWOW64\Knalji32.exe
C:\Windows\system32\Knalji32.exe
C:\Windows\SysWOW64\Kqphfe32.exe
C:\Windows\system32\Kqphfe32.exe
C:\Windows\SysWOW64\Kcndbp32.exe
C:\Windows\system32\Kcndbp32.exe
C:\Windows\SysWOW64\Kkeldnpi.exe
C:\Windows\system32\Kkeldnpi.exe
C:\Windows\SysWOW64\Knchpiom.exe
C:\Windows\system32\Knchpiom.exe
C:\Windows\SysWOW64\Kqbdldnq.exe
C:\Windows\system32\Kqbdldnq.exe
C:\Windows\SysWOW64\Kcpahpmd.exe
C:\Windows\system32\Kcpahpmd.exe
C:\Windows\SysWOW64\Kkgiimng.exe
C:\Windows\system32\Kkgiimng.exe
C:\Windows\SysWOW64\Knfeeimj.exe
C:\Windows\system32\Knfeeimj.exe
C:\Windows\SysWOW64\Kqdaadln.exe
C:\Windows\system32\Kqdaadln.exe
C:\Windows\SysWOW64\Kcbnnpka.exe
C:\Windows\system32\Kcbnnpka.exe
C:\Windows\SysWOW64\Kjmfjj32.exe
C:\Windows\system32\Kjmfjj32.exe
C:\Windows\SysWOW64\Kmkbfeab.exe
C:\Windows\system32\Kmkbfeab.exe
C:\Windows\SysWOW64\Kqfngd32.exe
C:\Windows\system32\Kqfngd32.exe
C:\Windows\SysWOW64\Kcejco32.exe
C:\Windows\system32\Kcejco32.exe
C:\Windows\SysWOW64\Lklbdm32.exe
C:\Windows\system32\Lklbdm32.exe
C:\Windows\SysWOW64\Lnjnqh32.exe
C:\Windows\system32\Lnjnqh32.exe
C:\Windows\SysWOW64\Lqikmc32.exe
C:\Windows\system32\Lqikmc32.exe
C:\Windows\SysWOW64\Lcggio32.exe
C:\Windows\system32\Lcggio32.exe
C:\Windows\SysWOW64\Lknojl32.exe
C:\Windows\system32\Lknojl32.exe
C:\Windows\SysWOW64\Lnmkfh32.exe
C:\Windows\system32\Lnmkfh32.exe
C:\Windows\SysWOW64\Lmpkadnm.exe
C:\Windows\system32\Lmpkadnm.exe
C:\Windows\SysWOW64\Ldgccb32.exe
C:\Windows\system32\Ldgccb32.exe
C:\Windows\SysWOW64\Lgepom32.exe
C:\Windows\system32\Lgepom32.exe
C:\Windows\SysWOW64\Ljclki32.exe
C:\Windows\system32\Ljclki32.exe
C:\Windows\SysWOW64\Lmbhgd32.exe
C:\Windows\system32\Lmbhgd32.exe
C:\Windows\SysWOW64\Ldipha32.exe
C:\Windows\system32\Ldipha32.exe
C:\Windows\SysWOW64\Lggldm32.exe
C:\Windows\system32\Lggldm32.exe
C:\Windows\SysWOW64\Ljfhqh32.exe
C:\Windows\system32\Ljfhqh32.exe
C:\Windows\SysWOW64\Lmdemd32.exe
C:\Windows\system32\Lmdemd32.exe
C:\Windows\SysWOW64\Lekmnajj.exe
C:\Windows\system32\Lekmnajj.exe
C:\Windows\SysWOW64\Lgjijmin.exe
C:\Windows\system32\Lgjijmin.exe
C:\Windows\SysWOW64\Ljhefhha.exe
C:\Windows\system32\Ljhefhha.exe
C:\Windows\SysWOW64\Lndagg32.exe
C:\Windows\system32\Lndagg32.exe
C:\Windows\SysWOW64\Lqbncb32.exe
C:\Windows\system32\Lqbncb32.exe
C:\Windows\SysWOW64\Mcqjon32.exe
C:\Windows\system32\Mcqjon32.exe
C:\Windows\SysWOW64\Mkhapk32.exe
C:\Windows\system32\Mkhapk32.exe
C:\Windows\SysWOW64\Mnfnlf32.exe
C:\Windows\system32\Mnfnlf32.exe
C:\Windows\SysWOW64\Madjhb32.exe
C:\Windows\system32\Madjhb32.exe
C:\Windows\SysWOW64\Mccfdmmo.exe
C:\Windows\system32\Mccfdmmo.exe
C:\Windows\SysWOW64\Mkjnfkma.exe
C:\Windows\system32\Mkjnfkma.exe
C:\Windows\SysWOW64\Mnhkbfme.exe
C:\Windows\system32\Mnhkbfme.exe
C:\Windows\SysWOW64\Maggnali.exe
C:\Windows\system32\Maggnali.exe
C:\Windows\SysWOW64\Mebcop32.exe
C:\Windows\system32\Mebcop32.exe
C:\Windows\SysWOW64\Mgaokl32.exe
C:\Windows\system32\Mgaokl32.exe
C:\Windows\SysWOW64\Mnkggfkb.exe
C:\Windows\system32\Mnkggfkb.exe
C:\Windows\SysWOW64\Maiccajf.exe
C:\Windows\system32\Maiccajf.exe
C:\Windows\SysWOW64\Mchppmij.exe
C:\Windows\system32\Mchppmij.exe
C:\Windows\SysWOW64\Mkohaj32.exe
C:\Windows\system32\Mkohaj32.exe
C:\Windows\SysWOW64\Mnmdme32.exe
C:\Windows\system32\Mnmdme32.exe
C:\Windows\SysWOW64\Malpia32.exe
C:\Windows\system32\Malpia32.exe
C:\Windows\SysWOW64\Megljppl.exe
C:\Windows\system32\Megljppl.exe
C:\Windows\SysWOW64\Mgehfkop.exe
C:\Windows\system32\Mgehfkop.exe
C:\Windows\SysWOW64\Mjdebfnd.exe
C:\Windows\system32\Mjdebfnd.exe
C:\Windows\SysWOW64\Mmbanbmg.exe
C:\Windows\system32\Mmbanbmg.exe
C:\Windows\SysWOW64\Meiioonj.exe
C:\Windows\system32\Meiioonj.exe
C:\Windows\SysWOW64\Nghekkmn.exe
C:\Windows\system32\Nghekkmn.exe
C:\Windows\SysWOW64\Njfagf32.exe
C:\Windows\system32\Njfagf32.exe
C:\Windows\SysWOW64\Naecop32.exe
C:\Windows\system32\Naecop32.exe
C:\Windows\SysWOW64\Nccokk32.exe
C:\Windows\system32\Nccokk32.exe
C:\Windows\SysWOW64\Nagpeo32.exe
C:\Windows\system32\Nagpeo32.exe
C:\Windows\SysWOW64\Nnkpnclp.exe
C:\Windows\system32\Nnkpnclp.exe
C:\Windows\SysWOW64\Najmjokc.exe
C:\Windows\system32\Najmjokc.exe
C:\Windows\SysWOW64\Odhifjkg.exe
C:\Windows\system32\Odhifjkg.exe
C:\Windows\SysWOW64\Oloahhki.exe
C:\Windows\system32\Oloahhki.exe
C:\Windows\SysWOW64\Omqmop32.exe
C:\Windows\system32\Omqmop32.exe
C:\Windows\SysWOW64\Oeheqm32.exe
C:\Windows\system32\Oeheqm32.exe
C:\Windows\SysWOW64\Ohfami32.exe
C:\Windows\system32\Ohfami32.exe
C:\Windows\SysWOW64\Ojdnid32.exe
C:\Windows\system32\Ojdnid32.exe
C:\Windows\SysWOW64\Oanfen32.exe
C:\Windows\system32\Oanfen32.exe
C:\Windows\SysWOW64\Odmbaj32.exe
C:\Windows\system32\Odmbaj32.exe
C:\Windows\SysWOW64\Ohhnbhok.exe
C:\Windows\system32\Ohhnbhok.exe
C:\Windows\SysWOW64\Ojgjndno.exe
C:\Windows\system32\Ojgjndno.exe
C:\Windows\SysWOW64\Oelolmnd.exe
C:\Windows\system32\Oelolmnd.exe
C:\Windows\SysWOW64\Ohkkhhmh.exe
C:\Windows\system32\Ohkkhhmh.exe
C:\Windows\SysWOW64\Ojigdcll.exe
C:\Windows\system32\Ojigdcll.exe
C:\Windows\SysWOW64\Omgcpokp.exe
C:\Windows\system32\Omgcpokp.exe
C:\Windows\SysWOW64\Odalmibl.exe
C:\Windows\system32\Odalmibl.exe
C:\Windows\SysWOW64\Olicnfco.exe
C:\Windows\system32\Olicnfco.exe
C:\Windows\SysWOW64\Omjpeo32.exe
C:\Windows\system32\Omjpeo32.exe
C:\Windows\SysWOW64\Pddhbipj.exe
C:\Windows\system32\Pddhbipj.exe
C:\Windows\SysWOW64\Plkpcfal.exe
C:\Windows\system32\Plkpcfal.exe
C:\Windows\SysWOW64\Poimpapp.exe
C:\Windows\system32\Poimpapp.exe
C:\Windows\SysWOW64\Phaahggp.exe
C:\Windows\system32\Phaahggp.exe
C:\Windows\SysWOW64\Pkpmdbfd.exe
C:\Windows\system32\Pkpmdbfd.exe
C:\Windows\SysWOW64\Pmoiqneg.exe
C:\Windows\system32\Pmoiqneg.exe
C:\Windows\SysWOW64\Pefabkej.exe
C:\Windows\system32\Pefabkej.exe
C:\Windows\SysWOW64\Phdnngdn.exe
C:\Windows\system32\Phdnngdn.exe
C:\Windows\SysWOW64\Pkbjjbda.exe
C:\Windows\system32\Pkbjjbda.exe
C:\Windows\SysWOW64\Palbgl32.exe
C:\Windows\system32\Palbgl32.exe
C:\Windows\SysWOW64\Pdkoch32.exe
C:\Windows\system32\Pdkoch32.exe
C:\Windows\SysWOW64\Plbfdekd.exe
C:\Windows\system32\Plbfdekd.exe
C:\Windows\SysWOW64\Popbpqjh.exe
C:\Windows\system32\Popbpqjh.exe
C:\Windows\SysWOW64\Paoollik.exe
C:\Windows\system32\Paoollik.exe
C:\Windows\SysWOW64\Pdmkhgho.exe
C:\Windows\system32\Pdmkhgho.exe
C:\Windows\SysWOW64\Pldcjeia.exe
C:\Windows\system32\Pldcjeia.exe
C:\Windows\SysWOW64\Pocpfphe.exe
C:\Windows\system32\Pocpfphe.exe
C:\Windows\SysWOW64\Qaalblgi.exe
C:\Windows\system32\Qaalblgi.exe
C:\Windows\SysWOW64\Qdphngfl.exe
C:\Windows\system32\Qdphngfl.exe
C:\Windows\SysWOW64\Qkipkani.exe
C:\Windows\system32\Qkipkani.exe
C:\Windows\SysWOW64\Qmhlgmmm.exe
C:\Windows\system32\Qmhlgmmm.exe
C:\Windows\SysWOW64\Qeodhjmo.exe
C:\Windows\system32\Qeodhjmo.exe
C:\Windows\SysWOW64\Aafemk32.exe
C:\Windows\system32\Aafemk32.exe
C:\Windows\SysWOW64\Addaif32.exe
C:\Windows\system32\Addaif32.exe
C:\Windows\SysWOW64\Alkijdci.exe
C:\Windows\system32\Alkijdci.exe
C:\Windows\SysWOW64\Aojefobm.exe
C:\Windows\system32\Aojefobm.exe
C:\Windows\SysWOW64\Aednci32.exe
C:\Windows\system32\Aednci32.exe
C:\Windows\SysWOW64\Aolblopj.exe
C:\Windows\system32\Aolblopj.exe
C:\Windows\SysWOW64\Aefjii32.exe
C:\Windows\system32\Aefjii32.exe
C:\Windows\SysWOW64\Ahdged32.exe
C:\Windows\system32\Ahdged32.exe
C:\Windows\SysWOW64\Akccap32.exe
C:\Windows\system32\Akccap32.exe
C:\Windows\SysWOW64\Albpkc32.exe
C:\Windows\system32\Albpkc32.exe
C:\Windows\SysWOW64\Akepfpcl.exe
C:\Windows\system32\Akepfpcl.exe
C:\Windows\SysWOW64\Aekddhcb.exe
C:\Windows\system32\Aekddhcb.exe
C:\Windows\SysWOW64\Ahippdbe.exe
C:\Windows\system32\Ahippdbe.exe
C:\Windows\SysWOW64\Blgifbil.exe
C:\Windows\system32\Blgifbil.exe
C:\Windows\SysWOW64\Bdbnjdfg.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\Klcekpdo.exe
| MD5 | d932c6a18152b67761165fe0f0eff062 |
| SHA1 | 1caff255020bb97ae44a9c33d58255af0d8252b0 |
| SHA256 | 8d4d052aaa3099d72a99e76bdfc9ba197702c7621b299a785568e6f47deceeed |
| SHA512 | f7c09a227d204b1c9839caa673d9447ee11286f0215ee6356ccc6e2943a62cb65f4468de7bef6480972b5190c79329715098168f70bea96e95abdee4f1ed020a |
C:\Windows\SysWOW64\Lnldla32.exe
| MD5 | 77c966b283103bd8ac0fe2bd179cd0d8 |
| SHA1 | abf4598fae0205674a7c8738cb0c29bd4b9f529d |
| SHA256 | aa518639cf5bffbfdbd123d6dab242badc3370e8609d707c64124aefa0d4839d |
| SHA512 | c85b02a3a53bb31871eb6135562a1f99fc3916c619df79bfdc33cbd27dbac306f837744dbebb79a7c52254433899f723cc88cb658bc1547a8f2f0ade92fc50f8 |
C:\Windows\SysWOW64\Mgloefco.exe
| MD5 | 2ac39c5b1a89e98ea3fa032cb997b7d0 |
| SHA1 | a4245ae4b6f13a7459b4ea90f0283f2021f2a4b8 |
| SHA256 | 278297ffd60661eaa2554b5e43728e9a22741a2205d99dae8ba78aedd1540355 |
| SHA512 | fcd8b4fe4a548bec7e59688bd0da4c30a091bc6c534b831d77a47a3660fbf7c3c9a1c385f5f61d5b5591687da77c38ad222361c72c47df45399a9060849fb329 |
C:\Windows\SysWOW64\Mqkiok32.exe
| MD5 | 1355614f7ea297921ac18dc534d143cf |
| SHA1 | 94c42636f650a72e47bb34b346ae96f191510747 |
| SHA256 | 2dd070e0f0645881eecc8584cbb36046affacfb3642ef02e86256f0ec92dfc6e |
| SHA512 | 8179405017e694b4ebf6a15b85a8a7c357ed55887cda6c8e49590015e705a67dde2fb897c7d40cf0dc4b67012e5e6d00d19440e47d4567a6df5b0504e08199a9 |
C:\Windows\SysWOW64\Nmfcok32.exe
| MD5 | 637cbc03450cc0dc586927894a6deebe |
| SHA1 | 44ca8a6009dcdecd229e2a5db4de859d99fea1d5 |
| SHA256 | afc8c64fac10ede44be3ff22f4fea30cfb4f37dfaa38848b61e8dadeb1c99b3d |
| SHA512 | f27375c1d42d58e95ffbffe66a13fa13d358a94f09c028158f0fc3d8877b250e5a7cb5d8daf67aacca12f1bcc0d05a0fa6ffcf2b96b5226409f6887642a88903 |
C:\Windows\SysWOW64\Nmipdk32.exe
| MD5 | a22c25b5c39c1066062524b6ac9d74ef |
| SHA1 | 6f3d0c0da1b4a95c3e343668dafeca708ec2c976 |
| SHA256 | a4224ec036f0d61929c7f4935565c1ef0179f3dbdded888c9402da8b707ba11f |
| SHA512 | 7a15401b4c876c71edc963df36fa08af11fb2efca1db5ddd956dc38d14e4f53075b73099cd23daa6b12d0df42890fc00a386c3db40e00d05f70a06123ae73ecb |
C:\Windows\SysWOW64\Ompfej32.exe
| MD5 | 2d1c91bbd87dbe1f3e56f842f94ac551 |
| SHA1 | 0c98412cc6751af0875c25516a8f542bcd273c9b |
| SHA256 | 7498593333a0e26a9ed4674670ebe41c446bf4ecbc90727c91c173b919f47026 |
| SHA512 | d77bda5710d49834e5846f7a908a5884a2320dc5d6c89a78520720719342e474b4e5c3e9b4d706e11f4ddb35decfbd1afff4668bb57632d6b78f868d8097034f |
C:\Windows\SysWOW64\Ombcji32.exe
| MD5 | 3849bcf0c6399edf71e89b468b668baa |
| SHA1 | 05475769b98eeea950b2340991a2915c41206042 |
| SHA256 | 7ab4f4019f2fe6de7bb82d94de5c51f47a628b949c248cfe422e8f807b9a17d0 |
| SHA512 | 6b4c335834a45193cfb8f57162dcf8317fb3973ee0bdc321ef5c4e7408dfa1dabca75abe12ab0a8d4710c095f07b830c90638b079dd09bbfd438ea1852045d27 |
C:\Windows\SysWOW64\Ocohmc32.exe
| MD5 | 3e8cb14d23e05663443aab9c28335ef2 |
| SHA1 | ccbbbf65180d75e055ae75caac59a700e71c53c8 |
| SHA256 | 663007f0eba7737dedc785bcdbdfad6b145824168217fc1b98111a8c92f20638 |
| SHA512 | 77d176a17eaa492948b58aab7f69f0e92089c3e7e6eb97d5fb6f2a0ae69f1459ec6f748a93be3d7d4b5c1b11900a7c5e9a6fe8984d1376dcc817b718d1a5583c |
C:\Windows\SysWOW64\Pjmjdm32.exe
| MD5 | 22d8d1bab01b7a05d7695f5a55943405 |
| SHA1 | c0ddc165341983092723743514d6462b0c5c8c18 |
| SHA256 | 56158d9530862c600b5b17d77a39aac94a721fe19776a62d838163c552cd9af2 |
| SHA512 | 36b6197364b14d1d160e7907076e92f064171ac4f727e238e25ccf557e7ee83373a89ba79113589c267385cf5032f6432f7509ac903118acde4e83fdc52ad4b1 |
C:\Windows\SysWOW64\Pdenmbkk.exe
| MD5 | 03e6ca6194a854d5154fa617414fb06f |
| SHA1 | 504b777fcf9803c36fea7c7ff6d59ba93e7f3d8a |
| SHA256 | 7e1e892c00dc0a58586007ac3612e27621c03b82eb49c25d46887e8f5744ea6e |
| SHA512 | 036a45c5ea303e477ae6bb2bfd5e062beed9de76aef6cc4580d0bea7547b3a0a07c385b4b752b0d378b5dcbb5ea2fdf2cad37ded4eb7e769510687160946e97d |
C:\Windows\SysWOW64\Ppolhcnm.exe
| MD5 | 1e4f7f424ede0e9879b47cbbd449194a |
| SHA1 | bae1da317c30ea1c377034fe15c734ca3d1a03cf |
| SHA256 | afc7308bbead2933525ade15ca2ebf5a12fa105683168a36bc3d0dcda9d043c6 |
| SHA512 | 3feb59733278bbd14d15246e925a99248a16fab5cd2a99fdfa9d8fadc29de89c9f0d0f67afd3cd8dc46c451165d9d899a3fb35c7f286dd8ac36da96477a0b163 |
C:\Windows\SysWOW64\Qaqegecm.exe
| MD5 | c3f2c997b23c06fad97f3b53285b3308 |
| SHA1 | ff7c3d197a70ca10606b5559dbea2edc78fdf7c4 |
| SHA256 | e703970f367c6b29e241fe63933ecc0cab088a4e00e7dcf0468d44e4edb7357b |
| SHA512 | 2d6fb27505e6685fc6c7c8a777598b5c68a317eeed2e023a2daa7ce15fd8a5e142651660b20e436e3727d76438b8efbda8f1d81898c213667640dd74a4351a98 |
C:\Windows\SysWOW64\Qpeahb32.exe
| MD5 | 4156f6efa9af9a7525b10c6500fdb014 |
| SHA1 | 1a72092d5e99b787b69d739f938158b4dd3357c6 |
| SHA256 | e6c8fe97cc861dbd23b22bca90c3e83d60f3b9c23fc0fc16c1b98c67f439932e |
| SHA512 | 52b80e586df5ad5fb9e52e10355cd9f67f13b001ff0044b7f0cffc123338bdbcac92166344caa4d6b55d97184cb0cc8cb99456edaaf628a223d646b5efac0742 |
C:\Windows\SysWOW64\Apodoq32.exe
| MD5 | e7042ad8a369b25b4e451f62a76b79aa |
| SHA1 | 1219abd0574592c5ef28c7273ac24589c9a31350 |
| SHA256 | ed041d9ce097e494ba18125c2d0f29e9a613388940040035b95ca8f9bacc94dc |
| SHA512 | ab35458ce6fedcd5a9bb88763a635344708b24a95023a639b804c7b99ef228178a7b82dbb417cef61e4f2a131ced56f79c695d894e2959acc5cb6cd0b65d7727 |
C:\Windows\SysWOW64\Bgkiaj32.exe
| MD5 | 8de6d025f2d25d1718bb896f3b080cae |
| SHA1 | 036db0560530dc0275aac7867a30add65f4c4110 |
| SHA256 | 431ad4be8773d5399dacb8e197409425ac276852ef0834668dc1d14fad23d565 |
| SHA512 | 971523d1444c6fd6d505465be024d67754fdad1082f3eaa33131c92bcbc6c6cb04107265e456343bdba0a31fdb5b163f13509e03bd7140cf0176bf7b0a8909da |
C:\Windows\SysWOW64\Bgelgi32.exe
| MD5 | f91ecaf484fe93e3e5f7dd1c3bcd688c |
| SHA1 | 7efc1683ffbce4ba22065f813ababc0920774dd7 |
| SHA256 | b054e6c26fe9e5af6f7d8e7b0b34080e77484c7a70ad65cfb1fb4de9778341ac |
| SHA512 | 91fd2d920afc4bb61f41e63a6808dae1170702722b4ff796592928e12ebab4026f6e067d544f2b966c06e98ed0f15cf499b40ef6661043d91585ba0b71b3316b |
C:\Windows\SysWOW64\Cnfkdb32.exe
| MD5 | 76596ed9e8f8d340b1f6d278c5e6e0a0 |
| SHA1 | 717583ca8ca71da533b452ee59234dab5c614317 |
| SHA256 | 2d3f3f3bae2194d6fb84a526521e05915c9b3c24a2f9fd85080ac08bd3fabe37 |
| SHA512 | f5ee272187a81c0aa25a019f4e1d85c2c71d726045da880f8b4a0384e8148494f29b9961987fa5bba4305ad0ef148159e59807b93be056ea99b61d3f1c873c81 |
C:\Windows\SysWOW64\Dojqjdbl.exe
| MD5 | 463bfec7c2764a60eb9fa21da1f876c6 |
| SHA1 | c4fcdb51a864b190755ddf17ed12b27ad5b71e15 |
| SHA256 | 1fd03a5903bc7d780a32b77e5dd030dce25f8f84dc41331aedb5f056a0becb92 |
| SHA512 | 1af84a8a37238fe30d23a934152750e9f3e58a0afdbefe7555ea382dc6ae6a66641664297442e3d3f64d876c360607d18111b2acd5701b4c6d3a7de9674cbd18 |
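The listing above is the sandbox's raw dropped-file inventory: every payload lands in C:\Windows\SysWOW64 under an eight-letter name, and each is identified by its MD5, SHA1, SHA256 and SHA512. To turn that into something a responder can sweep a host with, the following added example (not part of the report or of the sandbox's tooling; all function names are this example's own) parses the path-plus-pipe-table layout into an indicator set, rejects any digest whose length does not fit its algorithm, and matches local files against it. The embedded excerpt is copied from three of the entries shown above so the parser runs offline; the directory sweep at the bottom assumes a Windows host and is left commented out.

```python
import hashlib
import re
from pathlib import Path

# Excerpt of the report's dropped-file listing (three of the entries shown
# above), embedded so the parser can be exercised without the page.
REPORT_EXCERPT = r"""
C:\Windows\SysWOW64\Bafndi32.exe
| MD5 | f39344407bc3580a1c96e4ff73911a85 |
| SHA1 | e5c28609b6cf788567ebff6f5f072134d736bfec |
| SHA256 | 2eb939de989365f1efa1681bf8b0f6b0629d52b3c59f5f16b836025a3dca72c3 |
| SHA512 | 88410f632907d009bfe0a0dbb8a09a9f1aed9b292f979ee3c272e2da32877a9f9ed907eb4f37a736e958f0a5d58669100841aadec2f9c309eed78c2f92c0c9ea |
C:\Windows\SysWOW64\Cdnmfclj.exe
| MD5 | 2bf5fded5917e431bfe7e57cdc2dfb2f |
| SHA1 | 619ecaeef0ddbc318f5884118e01d068e984e456 |
| SHA256 | 5c0fded1c475c7dfe0b2607f177519b64c4fd13664c696b86d547db0f93f537d |
| SHA512 | dca84a1e31f0ff1222483c7b7a6da571d03a169f71a46802928cc01197d21b2bf5e8c9aa4d8791d73d68219994222d6ce211628d94456c0c9f8ad97fc1f295b1 |
C:\Windows\SysWOW64\Dojqjdbl.exe
| MD5 | 463bfec7c2764a60eb9fa21da1f876c6 |
| SHA1 | c4fcdb51a864b190755ddf17ed12b27ad5b71e15 |
| SHA256 | 1fd03a5903bc7d780a32b77e5dd030dce25f8f84dc41331aedb5f056a0becb92 |
| SHA512 | 1af84a8a37238fe30d23a934152750e9f3e58a0afdbefe7555ea382dc6ae6a66641664297442e3d3f64d876c360607d18111b2acd5701b4c6d3a7de9674cbd18 |
"""

# Expected hex-digest length per algorithm; a row that disagrees is mangled.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")
ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_dropped_files(text):
    """Return {path: {algo: hexdigest}} for every entry in the listing.

    A digest of the wrong length for its algorithm raises instead of being
    kept, so a truncated row never becomes a silently useless indicator.
    """
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if PATH_RE.match(line):          # a bare path line starts a new entry
            current = line
            entries[current] = {}
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{current}: {algo} digest has wrong length")
            entries[current][algo] = digest
    return entries


def build_index(entries):
    """Flatten to {(algo, digest): report path} so any one digest can be looked up."""
    return {(a, d): p for p, hs in entries.items() for a, d in hs.items()}


def digests_of_bytes(data):
    """All four digests of an in-memory blob (same keys as the report)."""
    return {a: getattr(hashlib, a.lower())(data).hexdigest() for a in HEX_LEN}


def file_digests(path):
    """All four digests of a file, computed in one pass over its contents."""
    hashers = {a: getattr(hashlib, a.lower())() for a in HEX_LEN}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_digests(index, digests):
    """Return the report path that any supplied digest matches, else None."""
    for algo, digest in digests.items():
        hit = index.get((algo.upper(), digest.lower()))
        if hit:
            return hit
    return None


def scan_directory(index, directory):
    """Hash every .exe under directory; return {local path: matched report path}."""
    hits = {}
    for p in Path(directory).rglob("*.exe"):
        try:
            matched = match_digests(index, file_digests(p))
        except OSError:
            continue                      # unreadable file: skip, keep sweeping
        if matched:
            hits[str(p)] = matched
    return hits


if __name__ == "__main__":
    idx = build_index(parse_dropped_files(REPORT_EXCERPT))
    print(f"loaded {len(idx)} indicator digests")
    # On the affected host (assumed Windows), sweep the drop directory:
    # print(scan_directory(idx, r"C:\Windows\SysWOW64"))
```

Paste the full listing from this section into REPORT_EXCERPT to hunt with all of the report's indicators; matching on any one of the four digests means a host whose EDR only records SHA1 or MD5 can still be checked. Because the sample rewrites its payloads under fresh random names on each infection, a hash sweep confirms this exact detonation's artefacts; for other infections of the same family, pair it with the ShellServiceObjectDelayLoad registry check shown in the signatures.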