Malware Analysis Report

2025-04-03 15:32

Sample ID 241110-mn432ayjgj
Target 3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN
SHA256 3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881f
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK
    Enterprise Matrix V15

Analysis: static1
    Detonation Overview
    Signatures

Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881f

Threat Level: Known bad

The file 3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 10:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 10:37

Reported

2024-11-10 10:39

Platform

win7-20240903-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ibacbcgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jllqplnp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdbepm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gkgoff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hjfnnajl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kambcbhb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Klcgpkhh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ghdiokbq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Goqnae32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmimcbja.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdbepm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpieengb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gaojnq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iclbpj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iocgfhhc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Inhdgdmk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdnkdmec.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Goldfelp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hdbpekam.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Inhdgdmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jfaeme32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmfpmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kfodfh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ghdiokbq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jikhnaao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kambcbhb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kjhcag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kkjpggkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gecpnp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jpbcek32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kipmhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kmkihbho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hcgmfgfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ifolhann.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hgeelf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hqnjek32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iclbpj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jikhnaao.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jefbnacn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kidjdpie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gcedad32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gkcekfad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Llpfjomf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kenhopmf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kfodfh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jhenjmbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kidjdpie.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjhgbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jhenjmbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jfjolf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jjhgbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kjhcag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gaojnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ibfmmb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iegeonpc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kekkiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ibacbcgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iakino32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iamfdo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gcedad32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gnfkba32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfaeme32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kipmhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdnkdmec.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Gcedad32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gecpnp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Goldfelp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghdiokbq.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkcekfad.exe N/A
N/A N/A C:\Windows\SysWOW64\Goqnae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaojnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkgoff32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gnfkba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgnokgcc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnhgha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdbpekam.exe N/A
N/A N/A C:\Windows\SysWOW64\Hklhae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hqiqjlga.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcgmfgfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Honnki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgeelf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hqnjek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hoqjqhjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjfnnajl.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmdkjmip.exe N/A
N/A N/A C:\Windows\SysWOW64\Iocgfhhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibacbcgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikjhki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Inhdgdmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifolhann.exe N/A
N/A N/A C:\Windows\SysWOW64\Igqhpj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibfmmb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iaimipjl.exe N/A
N/A N/A C:\Windows\SysWOW64\Iakino32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iegeonpc.exe N/A
N/A N/A C:\Windows\SysWOW64\Iamfdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iclbpj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfjolf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpbcek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjhgbd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jikhnaao.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbclgf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjjdhc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jllqplnp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfaeme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbhebfck.exe N/A
N/A N/A C:\Windows\SysWOW64\Jefbnacn.exe N/A
N/A N/A C:\Windows\SysWOW64\Jhenjmbb.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbjbge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kambcbhb.exe N/A
N/A N/A C:\Windows\SysWOW64\Keioca32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kidjdpie.exe N/A
N/A N/A C:\Windows\SysWOW64\Klcgpkhh.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbmome32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kekkiq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdnkdmec.exe N/A
N/A N/A C:\Windows\SysWOW64\Khjgel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjhcag32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmfpmc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kenhopmf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfodfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkjpggkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmimcbja.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpgionie.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdbepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfaalh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kipmhc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmkihbho.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcedad32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gcedad32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gecpnp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gecpnp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Goldfelp.exe N/A
N/A N/A C:\Windows\SysWOW64\Goldfelp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghdiokbq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ghdiokbq.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkcekfad.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkcekfad.exe N/A
N/A N/A C:\Windows\SysWOW64\Goqnae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Goqnae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaojnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gaojnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkgoff32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gkgoff32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gnfkba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gnfkba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgnokgcc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgnokgcc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnhgha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hnhgha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdbpekam.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdbpekam.exe N/A
N/A N/A C:\Windows\SysWOW64\Hklhae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hklhae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hqiqjlga.exe N/A
N/A N/A C:\Windows\SysWOW64\Hqiqjlga.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcgmfgfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Hcgmfgfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Honnki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Honnki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgeelf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hgeelf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hqnjek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hqnjek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hoqjqhjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Hoqjqhjf.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjfnnajl.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjfnnajl.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmdkjmip.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmdkjmip.exe N/A
N/A N/A C:\Windows\SysWOW64\Iocgfhhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Iocgfhhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibacbcgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibacbcgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikjhki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikjhki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Inhdgdmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Inhdgdmk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifolhann.exe N/A
N/A N/A C:\Windows\SysWOW64\Ifolhann.exe N/A
N/A N/A C:\Windows\SysWOW64\Igqhpj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Igqhpj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibfmmb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibfmmb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iaimipjl.exe N/A
N/A N/A C:\Windows\SysWOW64\Iaimipjl.exe N/A
N/A N/A C:\Windows\SysWOW64\Iakino32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iakino32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iegeonpc.exe N/A
N/A N/A C:\Windows\SysWOW64\Iegeonpc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Hqmkfaia.dll C:\Windows\SysWOW64\Gecpnp32.exe N/A
File created C:\Windows\SysWOW64\Dfcllk32.dll C:\Windows\SysWOW64\Hmdkjmip.exe N/A
File created C:\Windows\SysWOW64\Iclbpj32.exe C:\Windows\SysWOW64\Iamfdo32.exe N/A
File created C:\Windows\SysWOW64\Mobafhlg.dll C:\Windows\SysWOW64\Jhenjmbb.exe N/A
File created C:\Windows\SysWOW64\Kambcbhb.exe C:\Windows\SysWOW64\Kbjbge32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbmome32.exe C:\Windows\SysWOW64\Klcgpkhh.exe N/A
File created C:\Windows\SysWOW64\Goldfelp.exe C:\Windows\SysWOW64\Gecpnp32.exe N/A
File created C:\Windows\SysWOW64\Efdmgc32.dll C:\Windows\SysWOW64\Goldfelp.exe N/A
File opened for modification C:\Windows\SysWOW64\Hnhgha32.exe C:\Windows\SysWOW64\Hgnokgcc.exe N/A
File opened for modification C:\Windows\SysWOW64\Ibfmmb32.exe C:\Windows\SysWOW64\Igqhpj32.exe N/A
File created C:\Windows\SysWOW64\Kobgmfjh.dll C:\Windows\SysWOW64\Iamfdo32.exe N/A
File created C:\Windows\SysWOW64\Hmdkjmip.exe C:\Windows\SysWOW64\Hjfnnajl.exe N/A
File created C:\Windows\SysWOW64\Ccmkid32.dll C:\Windows\SysWOW64\Jikhnaao.exe N/A
File created C:\Windows\SysWOW64\Jefbnacn.exe C:\Windows\SysWOW64\Jbhebfck.exe N/A
File opened for modification C:\Windows\SysWOW64\Kmimcbja.exe C:\Windows\SysWOW64\Kkjpggkn.exe N/A
File created C:\Windows\SysWOW64\Bodilc32.dll C:\Windows\SysWOW64\Kkjpggkn.exe N/A
File opened for modification C:\Windows\SysWOW64\Kipmhc32.exe C:\Windows\SysWOW64\Kfaalh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gnfkba32.exe C:\Windows\SysWOW64\Gkgoff32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hqiqjlga.exe C:\Windows\SysWOW64\Hklhae32.exe N/A
File created C:\Windows\SysWOW64\Pbonaedo.dll C:\Windows\SysWOW64\Hcgmfgfd.exe N/A
File created C:\Windows\SysWOW64\Iocgfhhc.exe C:\Windows\SysWOW64\Hmdkjmip.exe N/A
File opened for modification C:\Windows\SysWOW64\Inhdgdmk.exe C:\Windows\SysWOW64\Ikjhki32.exe N/A
File created C:\Windows\SysWOW64\Caejbmia.dll C:\Windows\SysWOW64\Igqhpj32.exe N/A
File created C:\Windows\SysWOW64\Jjhgbd32.exe C:\Windows\SysWOW64\Jpbcek32.exe N/A
File created C:\Windows\SysWOW64\Jfaeme32.exe C:\Windows\SysWOW64\Jllqplnp.exe N/A
File opened for modification C:\Windows\SysWOW64\Hgnokgcc.exe C:\Windows\SysWOW64\Gnfkba32.exe N/A
File created C:\Windows\SysWOW64\Flpkcb32.dll C:\Windows\SysWOW64\Hnhgha32.exe N/A
File created C:\Windows\SysWOW64\Pbpifm32.dll C:\Windows\SysWOW64\Iclbpj32.exe N/A
File created C:\Windows\SysWOW64\Hcgmfgfd.exe C:\Windows\SysWOW64\Hqiqjlga.exe N/A
File opened for modification C:\Windows\SysWOW64\Jbclgf32.exe C:\Windows\SysWOW64\Jikhnaao.exe N/A
File created C:\Windows\SysWOW64\Gffdobll.dll C:\Windows\SysWOW64\Kpieengb.exe N/A
File created C:\Windows\SysWOW64\Ipafocdg.dll C:\Windows\SysWOW64\Llpfjomf.exe N/A
File created C:\Windows\SysWOW64\Piaoqi32.dll C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe N/A
File created C:\Windows\SysWOW64\Gecpnp32.exe C:\Windows\SysWOW64\Gcedad32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ikjhki32.exe C:\Windows\SysWOW64\Ibacbcgg.exe N/A
File created C:\Windows\SysWOW64\Jikhnaao.exe C:\Windows\SysWOW64\Jjhgbd32.exe N/A
File created C:\Windows\SysWOW64\Kmfpmc32.exe C:\Windows\SysWOW64\Kjhcag32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kkjpggkn.exe C:\Windows\SysWOW64\Kfodfh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gkgoff32.exe C:\Windows\SysWOW64\Gaojnq32.exe N/A
File created C:\Windows\SysWOW64\Ffbpca32.dll C:\Windows\SysWOW64\Iocgfhhc.exe N/A
File opened for modification C:\Windows\SysWOW64\Iegeonpc.exe C:\Windows\SysWOW64\Iakino32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jefbnacn.exe C:\Windows\SysWOW64\Jbhebfck.exe N/A
File created C:\Windows\SysWOW64\Agioom32.dll C:\Windows\SysWOW64\Kbmome32.exe N/A
File created C:\Windows\SysWOW64\Ijjnkj32.dll C:\Windows\SysWOW64\Kdnkdmec.exe N/A
File created C:\Windows\SysWOW64\Kpieengb.exe C:\Windows\SysWOW64\Kmkihbho.exe N/A
File opened for modification C:\Windows\SysWOW64\Hgeelf32.exe C:\Windows\SysWOW64\Honnki32.exe N/A
File created C:\Windows\SysWOW64\Ghdiokbq.exe C:\Windows\SysWOW64\Goldfelp.exe N/A
File opened for modification C:\Windows\SysWOW64\Hklhae32.exe C:\Windows\SysWOW64\Hdbpekam.exe N/A
File opened for modification C:\Windows\SysWOW64\Hqnjek32.exe C:\Windows\SysWOW64\Hgeelf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iocgfhhc.exe C:\Windows\SysWOW64\Hmdkjmip.exe N/A
File opened for modification C:\Windows\SysWOW64\Iamfdo32.exe C:\Windows\SysWOW64\Iegeonpc.exe N/A
File created C:\Windows\SysWOW64\Jhenjmbb.exe C:\Windows\SysWOW64\Jefbnacn.exe N/A
File opened for modification C:\Windows\SysWOW64\Kidjdpie.exe C:\Windows\SysWOW64\Keioca32.exe N/A
File created C:\Windows\SysWOW64\Kekkiq32.exe C:\Windows\SysWOW64\Kbmome32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kfodfh32.exe C:\Windows\SysWOW64\Kenhopmf.exe N/A
File created C:\Windows\SysWOW64\Kpgionie.exe C:\Windows\SysWOW64\Kmimcbja.exe N/A
File created C:\Windows\SysWOW64\Kfaalh32.exe C:\Windows\SysWOW64\Kdbepm32.exe N/A
File created C:\Windows\SysWOW64\Llpfjomf.exe C:\Windows\SysWOW64\Libjncnc.exe N/A
File created C:\Windows\SysWOW64\Qfomeb32.dll C:\Windows\SysWOW64\Gcedad32.exe N/A
File opened for modification C:\Windows\SysWOW64\Goqnae32.exe C:\Windows\SysWOW64\Gkcekfad.exe N/A
File created C:\Windows\SysWOW64\Hnhgha32.exe C:\Windows\SysWOW64\Hgnokgcc.exe N/A
File created C:\Windows\SysWOW64\Ibfmmb32.exe C:\Windows\SysWOW64\Igqhpj32.exe N/A
File created C:\Windows\SysWOW64\Kbjbge32.exe C:\Windows\SysWOW64\Jhenjmbb.exe N/A
File opened for modification C:\Windows\SysWOW64\Kfaalh32.exe C:\Windows\SysWOW64\Kdbepm32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Lbjofi32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gaojnq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gnfkba32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbhebfck.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klcgpkhh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jikhnaao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jefbnacn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kpieengb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gkgoff32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hklhae32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hcgmfgfd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hgeelf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iegeonpc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkjpggkn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hgnokgcc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hmdkjmip.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iaimipjl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kidjdpie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kmfpmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jpbcek32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jllqplnp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Keioca32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kekkiq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kfodfh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gecpnp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ibacbcgg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kbmome32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kmkihbho.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Llpfjomf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gcedad32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Goldfelp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjhgbd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hnhgha32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iclbpj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jbclgf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jhenjmbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hdbpekam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kambcbhb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdbepm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kfaalh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kipmhc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbjofi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hqiqjlga.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ikjhki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kbjbge32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ghdiokbq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iocgfhhc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjjdhc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkojbf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Libjncnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Igqhpj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iamfdo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kjhcag32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Goqnae32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iakino32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jfaeme32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Khjgel32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kenhopmf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hqnjek32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ifolhann.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdnkdmec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kmimcbja.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gkcekfad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Honnki32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Klcgpkhh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jjjdhc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmfpmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlekjpbi.dll" C:\Windows\SysWOW64\Kfodfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiomcb32.dll" C:\Windows\SysWOW64\Keioca32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Honnki32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iegeonpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kkojbf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkcekfad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbnjifp.dll" C:\Windows\SysWOW64\Gkgoff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hcgmfgfd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kkjpggkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kambcbhb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kidjdpie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agioom32.dll" C:\Windows\SysWOW64\Kbmome32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ghdiokbq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbonaedo.dll" C:\Windows\SysWOW64\Hcgmfgfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ifolhann.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kkjpggkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdbellh.dll" C:\Windows\SysWOW64\Ibacbcgg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iamfdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kekkiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfpmb32.dll" C:\Windows\SysWOW64\Jfjolf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll" C:\Windows\SysWOW64\Kekkiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll" C:\Windows\SysWOW64\Kfaalh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kdnkdmec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbhebfck.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll" C:\Windows\SysWOW64\Kpieengb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gaojnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gaojnq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hjfnnajl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ibfmmb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Keioca32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll" C:\Windows\SysWOW64\Jbclgf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faibdo32.dll" C:\Windows\SysWOW64\Hklhae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll" C:\Windows\SysWOW64\Jhenjmbb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kfaalh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efdmgc32.dll" C:\Windows\SysWOW64\Goldfelp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iocgfhhc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kidjdpie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjnkj32.dll" C:\Windows\SysWOW64\Kdnkdmec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hoqjqhjf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkaamgeg.dll" C:\Windows\SysWOW64\Ibfmmb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gecpnp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllmckbg.dll" C:\Windows\SysWOW64\Hgeelf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jfaeme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll" C:\Windows\SysWOW64\Kjhcag32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hklhae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hmdkjmip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdmihcc.dll" C:\Windows\SysWOW64\Inhdgdmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdofg32.dll" C:\Windows\SysWOW64\Hgnokgcc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hqnjek32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqgpml32.dll" C:\Windows\SysWOW64\Hjfnnajl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodilc32.dll" C:\Windows\SysWOW64\Kkjpggkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbpqjma.dll" C:\Windows\SysWOW64\Ghdiokbq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbdnb32.dll" C:\Windows\SysWOW64\Ikjhki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhanebc.dll" C:\Windows\SysWOW64\Jjjdhc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gkgoff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kjhcag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmofpf32.dll" C:\Windows\SysWOW64\Kidjdpie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijpfppe.dll" C:\Windows\SysWOW64\Hdbpekam.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 2712 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe C:\Windows\SysWOW64\Gcedad32.exe
PID 2712 wrote to memory of 2724 (4 identical events) N/A C:\Windows\SysWOW64\Gcedad32.exe C:\Windows\SysWOW64\Gecpnp32.exe
PID 2724 wrote to memory of 3000 (4 identical events) N/A C:\Windows\SysWOW64\Gecpnp32.exe C:\Windows\SysWOW64\Goldfelp.exe
PID 3000 wrote to memory of 2740 (4 identical events) N/A C:\Windows\SysWOW64\Goldfelp.exe C:\Windows\SysWOW64\Ghdiokbq.exe
PID 2740 wrote to memory of 2648 (4 identical events) N/A C:\Windows\SysWOW64\Ghdiokbq.exe C:\Windows\SysWOW64\Gkcekfad.exe
PID 2648 wrote to memory of 1232 (4 identical events) N/A C:\Windows\SysWOW64\Gkcekfad.exe C:\Windows\SysWOW64\Goqnae32.exe
PID 1232 wrote to memory of 1296 (4 identical events) N/A C:\Windows\SysWOW64\Goqnae32.exe C:\Windows\SysWOW64\Gaojnq32.exe
PID 1296 wrote to memory of 1692 (4 identical events) N/A C:\Windows\SysWOW64\Gaojnq32.exe C:\Windows\SysWOW64\Gkgoff32.exe
PID 1692 wrote to memory of 2056 (4 identical events) N/A C:\Windows\SysWOW64\Gkgoff32.exe C:\Windows\SysWOW64\Gnfkba32.exe
PID 2056 wrote to memory of 1732 (4 identical events) N/A C:\Windows\SysWOW64\Gnfkba32.exe C:\Windows\SysWOW64\Hgnokgcc.exe
PID 1732 wrote to memory of 2020 (4 identical events) N/A C:\Windows\SysWOW64\Hgnokgcc.exe C:\Windows\SysWOW64\Hnhgha32.exe
PID 2020 wrote to memory of 1128 (4 identical events) N/A C:\Windows\SysWOW64\Hnhgha32.exe C:\Windows\SysWOW64\Hdbpekam.exe
PID 1128 wrote to memory of 316 (4 identical events) N/A C:\Windows\SysWOW64\Hdbpekam.exe C:\Windows\SysWOW64\Hklhae32.exe
PID 316 wrote to memory of 2176 (4 identical events) N/A C:\Windows\SysWOW64\Hklhae32.exe C:\Windows\SysWOW64\Hqiqjlga.exe
PID 2176 wrote to memory of 2364 (4 identical events) N/A C:\Windows\SysWOW64\Hqiqjlga.exe C:\Windows\SysWOW64\Hcgmfgfd.exe
PID 2364 wrote to memory of 836 (4 identical events) N/A C:\Windows\SysWOW64\Hcgmfgfd.exe C:\Windows\SysWOW64\Honnki32.exe

Processes

Image path Command line
C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe "C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe"
C:\Windows\SysWOW64\Gcedad32.exe C:\Windows\system32\Gcedad32.exe
C:\Windows\SysWOW64\Gecpnp32.exe C:\Windows\system32\Gecpnp32.exe
C:\Windows\SysWOW64\Goldfelp.exe C:\Windows\system32\Goldfelp.exe
C:\Windows\SysWOW64\Ghdiokbq.exe C:\Windows\system32\Ghdiokbq.exe
C:\Windows\SysWOW64\Gkcekfad.exe C:\Windows\system32\Gkcekfad.exe
C:\Windows\SysWOW64\Goqnae32.exe C:\Windows\system32\Goqnae32.exe
C:\Windows\SysWOW64\Gaojnq32.exe C:\Windows\system32\Gaojnq32.exe
C:\Windows\SysWOW64\Gkgoff32.exe C:\Windows\system32\Gkgoff32.exe
C:\Windows\SysWOW64\Gnfkba32.exe C:\Windows\system32\Gnfkba32.exe
C:\Windows\SysWOW64\Hgnokgcc.exe C:\Windows\system32\Hgnokgcc.exe
C:\Windows\SysWOW64\Hnhgha32.exe C:\Windows\system32\Hnhgha32.exe
C:\Windows\SysWOW64\Hdbpekam.exe C:\Windows\system32\Hdbpekam.exe
C:\Windows\SysWOW64\Hklhae32.exe C:\Windows\system32\Hklhae32.exe
C:\Windows\SysWOW64\Hqiqjlga.exe C:\Windows\system32\Hqiqjlga.exe
C:\Windows\SysWOW64\Hcgmfgfd.exe C:\Windows\system32\Hcgmfgfd.exe
C:\Windows\SysWOW64\Honnki32.exe C:\Windows\system32\Honnki32.exe
C:\Windows\SysWOW64\Hgeelf32.exe C:\Windows\system32\Hgeelf32.exe
C:\Windows\SysWOW64\Hqnjek32.exe C:\Windows\system32\Hqnjek32.exe
C:\Windows\SysWOW64\Hoqjqhjf.exe C:\Windows\system32\Hoqjqhjf.exe
C:\Windows\SysWOW64\Hjfnnajl.exe C:\Windows\system32\Hjfnnajl.exe
C:\Windows\SysWOW64\Hmdkjmip.exe C:\Windows\system32\Hmdkjmip.exe
C:\Windows\SysWOW64\Iocgfhhc.exe C:\Windows\system32\Iocgfhhc.exe
C:\Windows\SysWOW64\Ibacbcgg.exe C:\Windows\system32\Ibacbcgg.exe
C:\Windows\SysWOW64\Ikjhki32.exe C:\Windows\system32\Ikjhki32.exe
C:\Windows\SysWOW64\Inhdgdmk.exe C:\Windows\system32\Inhdgdmk.exe
C:\Windows\SysWOW64\Ifolhann.exe C:\Windows\system32\Ifolhann.exe
C:\Windows\SysWOW64\Igqhpj32.exe C:\Windows\system32\Igqhpj32.exe
C:\Windows\SysWOW64\Ibfmmb32.exe C:\Windows\system32\Ibfmmb32.exe
C:\Windows\SysWOW64\Iaimipjl.exe C:\Windows\system32\Iaimipjl.exe
C:\Windows\SysWOW64\Iakino32.exe C:\Windows\system32\Iakino32.exe
C:\Windows\SysWOW64\Iegeonpc.exe C:\Windows\system32\Iegeonpc.exe
C:\Windows\SysWOW64\Iamfdo32.exe C:\Windows\system32\Iamfdo32.exe
C:\Windows\SysWOW64\Iclbpj32.exe C:\Windows\system32\Iclbpj32.exe
C:\Windows\SysWOW64\Jfjolf32.exe C:\Windows\system32\Jfjolf32.exe
C:\Windows\SysWOW64\Jpbcek32.exe C:\Windows\system32\Jpbcek32.exe
C:\Windows\SysWOW64\Jjhgbd32.exe C:\Windows\system32\Jjhgbd32.exe
C:\Windows\SysWOW64\Jikhnaao.exe C:\Windows\system32\Jikhnaao.exe
C:\Windows\SysWOW64\Jbclgf32.exe C:\Windows\system32\Jbclgf32.exe
C:\Windows\SysWOW64\Jjjdhc32.exe C:\Windows\system32\Jjjdhc32.exe
C:\Windows\SysWOW64\Jllqplnp.exe C:\Windows\system32\Jllqplnp.exe
C:\Windows\SysWOW64\Jfaeme32.exe C:\Windows\system32\Jfaeme32.exe
C:\Windows\SysWOW64\Jbhebfck.exe C:\Windows\system32\Jbhebfck.exe
C:\Windows\SysWOW64\Jefbnacn.exe C:\Windows\system32\Jefbnacn.exe
C:\Windows\SysWOW64\Jhenjmbb.exe C:\Windows\system32\Jhenjmbb.exe
C:\Windows\SysWOW64\Kbjbge32.exe C:\Windows\system32\Kbjbge32.exe
C:\Windows\SysWOW64\Kambcbhb.exe C:\Windows\system32\Kambcbhb.exe
C:\Windows\SysWOW64\Keioca32.exe C:\Windows\system32\Keioca32.exe
C:\Windows\SysWOW64\Kidjdpie.exe C:\Windows\system32\Kidjdpie.exe
C:\Windows\SysWOW64\Klcgpkhh.exe C:\Windows\system32\Klcgpkhh.exe
C:\Windows\SysWOW64\Kbmome32.exe C:\Windows\system32\Kbmome32.exe
C:\Windows\SysWOW64\Kekkiq32.exe C:\Windows\system32\Kekkiq32.exe
C:\Windows\SysWOW64\Kdnkdmec.exe C:\Windows\system32\Kdnkdmec.exe
C:\Windows\SysWOW64\Khjgel32.exe C:\Windows\system32\Khjgel32.exe
C:\Windows\SysWOW64\Kjhcag32.exe C:\Windows\system32\Kjhcag32.exe
C:\Windows\SysWOW64\Kmfpmc32.exe C:\Windows\system32\Kmfpmc32.exe
C:\Windows\SysWOW64\Kenhopmf.exe C:\Windows\system32\Kenhopmf.exe
C:\Windows\SysWOW64\Kfodfh32.exe C:\Windows\system32\Kfodfh32.exe
C:\Windows\SysWOW64\Kkjpggkn.exe C:\Windows\system32\Kkjpggkn.exe
C:\Windows\SysWOW64\Kmimcbja.exe C:\Windows\system32\Kmimcbja.exe
C:\Windows\SysWOW64\Kpgionie.exe C:\Windows\system32\Kpgionie.exe
C:\Windows\SysWOW64\Kdbepm32.exe C:\Windows\system32\Kdbepm32.exe
C:\Windows\SysWOW64\Kfaalh32.exe C:\Windows\system32\Kfaalh32.exe
C:\Windows\SysWOW64\Kipmhc32.exe C:\Windows\system32\Kipmhc32.exe
C:\Windows\SysWOW64\Kmkihbho.exe C:\Windows\system32\Kmkihbho.exe
C:\Windows\SysWOW64\Kpieengb.exe C:\Windows\system32\Kpieengb.exe
C:\Windows\SysWOW64\Kkojbf32.exe C:\Windows\system32\Kkojbf32.exe
C:\Windows\SysWOW64\Libjncnc.exe C:\Windows\system32\Libjncnc.exe
C:\Windows\SysWOW64\Llpfjomf.exe C:\Windows\system32\Llpfjomf.exe
C:\Windows\SysWOW64\Lbjofi32.exe C:\Windows\system32\Lbjofi32.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 140

Network

N/A

Files

SHA256 11bb862f330ce2533e24c3874af139cf5d1cbb785cfe70908096ffc100e5b387
SHA512 e95392d155fe5273c0fa3385e9940023c3a6f812ff193461d2935e844061d3ce31894dff030359843cf211f7ed570435df50fccc84a7941fe6849ffda72725b6

memory/2552-283-0x0000000001F20000-0x0000000001F4F000-memory.dmp

memory/1736-284-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Ikjhki32.exe

MD5 47485c737641f3af5af4b74ce2f582bf
SHA1 1afd23eb0fc05cb98618f8ddfc9c61ad01e0d11c
SHA256 7b5e200f66ebb2e1c475e0704d031b1b589fbbc7a8b4e609d86c61bb7c13c4f3
SHA512 445a497a86e351e0878e4ee3db7c56f3df69b42664b3d5e7edc6be881e4a379f770b6c0fd92ed07c474f13e3ed1fd66fd81d6a93f05c88ff5b97550e17cf9ee9

memory/980-294-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1736-293-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Inhdgdmk.exe

MD5 53f8f00ebae727984185858ac29a008c
SHA1 c9af75c174f12b16b643a72cbd589f2f3920fcef
SHA256 81a0f9ed5813b902fd3f3c23b2358afb4303aaf69156c244321e0b6242b8df34
SHA512 99682b937523dd7855ec5e2a4a276fc7a4f4c1947b03d656c161fb7f4e12d113c000b6842875f2114e2942aff04c797490dc5ffa258abcace848c94e61188765

memory/880-303-0x0000000000400000-0x000000000042F000-memory.dmp

memory/880-309-0x0000000000250000-0x000000000027F000-memory.dmp

memory/1800-314-0x0000000000400000-0x000000000042F000-memory.dmp

memory/880-313-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Ifolhann.exe

MD5 03953a095bf0bd90219b1dedde3bbfc9
SHA1 3b977d807cad5f1faefc51bf3361c1d6b4b376f9
SHA256 c6c3a2f39bbdbbfd42350e99c7c3dda788a2698ac8a68864be09952f19e90dde
SHA512 3fdbe0cf6b4fb309b218825156e04f513d310f06f00dbdc873d33614f41cb2b073cacb39bf06d40b78e29c64b630a763806b0e43a52af91bbcef855fe20baedc

C:\Windows\SysWOW64\Igqhpj32.exe

MD5 860161a5e754507d2811d1cabb54c1d7
SHA1 92d95b2452f0b9b821e90dc60f463066e75f466d
SHA256 99e86b3c209ea6b5cf755087c4bf1267e54f7efb79184f813bcbd82285a1772c
SHA512 e27b03709a4bba7ea8600142e4c715598dbb0af292db0713dd200c9f933c703dd2a78e81e2c9d2fbd289e87d929f4a334d1ff408820f4322d5c1a650cb922819

memory/1568-325-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1800-324-0x00000000002D0000-0x00000000002FF000-memory.dmp

memory/1800-323-0x00000000002D0000-0x00000000002FF000-memory.dmp

memory/2820-347-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2864-346-0x0000000000250000-0x000000000027F000-memory.dmp

memory/2864-345-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Iaimipjl.exe

MD5 45db9b8587e8419496ba84a1a12f38d2
SHA1 40ead0f74fda9bc75a79bc37fd2af688e34a3bde
SHA256 3495b04d03580b8f85856ce1b97b3f1ac700bf68a3ba4b61a664159e80a2b9c8
SHA512 46d7d51fbfc35af0eb4cb4c0cb316ad558b29133e8a11b75bd6491430c15af0855ca78e14d57b77b3103645adabef50e8777f32d08551ea0e05624c26339668d

memory/2864-336-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1568-335-0x00000000005C0000-0x00000000005EF000-memory.dmp

memory/1568-334-0x00000000005C0000-0x00000000005EF000-memory.dmp

C:\Windows\SysWOW64\Ibfmmb32.exe

MD5 8337db57c07f6b0711881402a1ec9140
SHA1 0848dafbae2f7351052f33d3fdaeba795be156c6
SHA256 fec8dc59d764a9a4bc66767fe920947629347eb102df34aed3a60b75c03aa074
SHA512 de9800ba2df1e8d7918b81111df9a1b8a803b135e36608815905fa0fb22c54debe58d3bc0a6cd84a3b9e7695193af6dee3079a0dc28197c5c06628bc6a85d3fa

memory/1328-358-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2820-357-0x0000000000250000-0x000000000027F000-memory.dmp

memory/2820-356-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Iakino32.exe

MD5 ca65047fed5ce582bb9083ff70f19063
SHA1 502b3b6e3cec2701abc67671286bc303413595d0
SHA256 77ccbec8f0893c2a8916187e62092d2fdeef052f33317663b78fa1e95eb9044f
SHA512 2281348c2b985f1651c8660bf63ed9ca6cf1f4f17c76445e067714b28dc0a907ce395a6f72239692b0bbc2d29b213aee99a163efa237d008633f0792fc299657

memory/1592-369-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1328-368-0x0000000000250000-0x000000000027F000-memory.dmp

memory/1328-367-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Iegeonpc.exe

MD5 5b3df152ceb8e29a48b969369e1b68f5
SHA1 e1c0b32eb249572f2614f1fce546e9765b140958
SHA256 53cbcb01ae6765e0824e3ca9d700de165f53af5272e9232da687c5cdbd31f4f1
SHA512 73cf823fc74c44ae88e29fb9cc4698da5b14d7e0741b8d487be601f5459098dd8a56f8703c2aef710facce682d78ce94536d1a1d00e14f947b9c592e3d85d69b

memory/1592-379-0x0000000000280000-0x00000000002AF000-memory.dmp

C:\Windows\SysWOW64\Iamfdo32.exe

MD5 df605ffdf2bd0cf629d3454993822013
SHA1 6e33e7eca06e529ccb75aa8b6e83ba3527337ab7
SHA256 1145eb578e85cfa014e632d2fee93b084459fd6771670aac8bdb31e40f9c702b
SHA512 c3589ae7cd14851946cdd6165f458ab852eb95a8de51fecd2a512471d58c8c0bfdebb4279184df4f625dd942e1b9621f3d2c7f44723a0cfb1f54000625f20754

memory/1592-377-0x0000000000280000-0x00000000002AF000-memory.dmp

memory/1920-380-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1476-391-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1920-390-0x0000000000280000-0x00000000002AF000-memory.dmp

memory/1920-389-0x0000000000280000-0x00000000002AF000-memory.dmp

C:\Windows\SysWOW64\Iclbpj32.exe

MD5 5b8e27b6142e1fdfa287b3ca8e6704f6
SHA1 918a4f9c16c1806584622ca9af619b6a0eb17983
SHA256 cfe44913ce4420741336634ea3ed6f0c1aa887d60515ed62c0c86c2ec7f62f9e
SHA512 325c34f653bd74c2324c32f4b843459cde1c4dc7ccdbde2a472f6ba169169a0b58efb2e837cced8769c83e0bb7d5dc0c564ad933be9f3e2284622553af303744

memory/2712-404-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2092-403-0x0000000000280000-0x00000000002AF000-memory.dmp

memory/2092-402-0x0000000000280000-0x00000000002AF000-memory.dmp

memory/1476-401-0x0000000000280000-0x00000000002AF000-memory.dmp

C:\Windows\SysWOW64\Jfjolf32.exe

MD5 d9c329c42c0ab8be5621f725466b4b41
SHA1 55a699d04720a9df98a353dd0c74eb2fb4221f3d
SHA256 ef1809d240ad86e97964193b35b5b0653c5167418005b2d4883d76b001468139
SHA512 614cbd52418c6beff17a6bce5662dca1aa5a799caeb492534d7cf0f3f3bf68be0c6d2e50a45943a256b50ffa0eb7e1c8961be002b5b4a2708775496f0aaa3329

memory/2092-397-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Jpbcek32.exe

MD5 3d419dfd7987fd3f22fc68d5e55a2f30
SHA1 0ece5466691988700367b08169ba253c5fff47b1
SHA256 6b48013e2d41158f406883ef546c7b8edd61195a71ec21059c3f4ffaf23f6a7b
SHA512 a34098760bdf475e7d81a78908b6d7a472d01086ebad79cd12d93b8818a8af8c56c72d3ee337b62dd8653fd37e3a62139190ff69b92a2f9b0f69b6c514939ae0

memory/2408-419-0x0000000000250000-0x000000000027F000-memory.dmp

memory/2640-430-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1740-425-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Jikhnaao.exe

MD5 52ff10ec7328f02d53358abb281713f5
SHA1 608d664dc78f02294504eafbf62b3ad32d8611f2
SHA256 b3736c8182ce4a3cc754c4137f332b63c5bf6b3db93f8adc2d192c43b8779af1
SHA512 7e8bddf9a57fc05ca43706a0bdc956fb8ecd6f18468578185dbeabb1238b7d4a0b627fb268f288433ea13a27ed9dc034eaca313a49b8a3ad0c215ebda2f130e6

memory/3000-437-0x0000000000250000-0x000000000027F000-memory.dmp

memory/1000-436-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3000-435-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Jjhgbd32.exe

MD5 a57a92c83edccf85316b42a707a8d9ad
SHA1 38b3c1b7393f06d276d64f8696d92f50985c544a
SHA256 c5d8e9a5462ddd25173bec3a135cea256ea7e6a472b99e2f3a0e13882d2a48f6
SHA512 e8d742936ef8cdce1f5cfaa98bd79b70013c2ce6e15b690e2aa36578b6bbcfd35543d96547176f0be01e70adeebef258f1725e4abfcdd383ce417d9e257accb6

memory/1740-415-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2408-414-0x0000000000250000-0x000000000027F000-memory.dmp

memory/2408-413-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1496-449-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1000-448-0x0000000000250000-0x000000000027F000-memory.dmp

memory/2648-447-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Jbclgf32.exe

MD5 a157d86f440fec9ea9bd9c8899b77d55
SHA1 7050afbf6bb26dbeffffcf8ffda0de89c93ecc67
SHA256 da866cd9a3c3e850255004857a8d73d24c203f9a511a4f0a5bc0b8f8c2ccd61f
SHA512 093826a1ca8b024c33451c5a3097f6b8a075ac5f8f22e2faeac5d23d7c231287bc0699b7163ece382c94e355f1ceca1365bafee5d677a3963d8d8ff424dc8832

C:\Windows\SysWOW64\Jjjdhc32.exe

MD5 ba7427e87e172ea0e7fff2f47398e53f
SHA1 305a2a6c76f86e103d37df4fc108d9a5d9ad54f6
SHA256 74fdc52d90547ab319aa8c625a5e3baab3a71f75658a8974b805ae4eef76b8d4
SHA512 b8adbb89b1957dd977fa65bc39e8bf5ace0089da8c4e0994640835ba1411516741c15187aa02ff0324d0c7d7eaeb2123f7cf433e76ab4f9c138a689608356a70

memory/1000-443-0x0000000000250000-0x000000000027F000-memory.dmp

memory/1500-459-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1496-458-0x00000000002D0000-0x00000000002FF000-memory.dmp

memory/1232-464-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1500-469-0x0000000000280000-0x00000000002AF000-memory.dmp

C:\Windows\SysWOW64\Jllqplnp.exe

MD5 beebcc690bd3b0136904782d04cf64ca
SHA1 cdb5e4d9802bf54964c531ad4dc305e94bb3bcc0
SHA256 4c5e6d3c613492dd3dfc5f7da550537cae24edc92a0a9d64f59cf0ca3801e13e
SHA512 dec87b430f5fe03bfb936c3fa7df3b2ec4b2591583cef3dcda5174a93e1e5dc961889a24bea0c9c4c49d995517f96ed2acd899cc17564ebebf96037d3b55965b

memory/2368-481-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1296-480-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1764-479-0x00000000002F0000-0x000000000031F000-memory.dmp

C:\Windows\SysWOW64\Jfaeme32.exe

MD5 9662dca5bb2fee02f60ea16ac2df4c9d
SHA1 05a68099ebea84ee4394a77cb42415ca8eeec726
SHA256 266701a7608b474eefbaadd36703f16df7109a02725dabc7609e745efb1b7d7c
SHA512 e52f298e180c3eae819109493dddafe2a64b4218015699410b655d5665fcac4fb336911ebf09bf69086f7841fe39b4798a9e54a56148b59d90453cd5d72c7c84

memory/1764-474-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1692-491-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2368-489-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Jbhebfck.exe

MD5 bb89a28a8dca1bc2f1089300393f1bcd
SHA1 e3d985e4926e031ebfa591f74490e4b9e2fae20c
SHA256 1ac745b696b84608f19791961f722731ae4ffdf8380da446885a3aed6e561de9
SHA512 f01ffb667b0a873bc6e92648a3624a91de2cffadce41866c168ceea3a57273e10dc34bb47a466056e3c6e8c565d1775d7c3af2af39441317cdc9df16bb6ebe35

memory/2056-493-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1692-492-0x00000000001E0000-0x000000000020F000-memory.dmp

memory/1356-503-0x0000000000260000-0x000000000028F000-memory.dmp

memory/1356-502-0x0000000000260000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Jefbnacn.exe

MD5 e5bb0404b9b756f6cd7e8c0f612a6f7b
SHA1 e99c5559fdea06b9a30a7bdc43a682d6c06153df
SHA256 088d239248b92e53564ecae5febfa26d6b303be68662011b5b907468b9f8c049
SHA512 d61a528aa3a09c2237654aefa2288fe03852f8db348c6383c3af6e46db1a19e6c2a760e593d93720a4bc93816e9729774f3889ebbe6b695cf05bf67580a084cd

C:\Windows\SysWOW64\Jhenjmbb.exe

MD5 fb687b30c3256e08229275b7f6082cc8
SHA1 3df77f9906ddee0df41297b7db689b5fa3293ebc
SHA256 1cb85a4990b811fe9c8143f91aa95f1ec496d6ca5cbca921082ae02ff8bd35df
SHA512 644fd04809842244887075ba41e5e4235d0b63f108798f48e2da6704d30df7c596cfdf4a84dcfc54e014be773df775848a1d882239ebf57471de3f2f8ff5046f

C:\Windows\SysWOW64\Kbjbge32.exe

MD5 df939b1ad7814ba395c816de8809ba8c
SHA1 0484abf7359468faab908e91c4333c73f8725306
SHA256 3a06abe3afb442405c110c28c98b7526648eef5afa54883d6a4be5ae6edaedfa
SHA512 a413bb163868188a377e06889201cc2bd7d9491ab803bc7b6a894a87457b0e7e1aee2cda929b3aec9cbd1521ab1a25069cb1139eb48a9059472fca6cfe17a3b0

C:\Windows\SysWOW64\Kambcbhb.exe

MD5 d2db96c6bb842e67a02306d99c305191
SHA1 3f568a0aa2a757569d327161b90cdbeaa5121b2c
SHA256 bae9fb61c9457b4010ee639aae7333daa7c4ff3c5609164a235c134cc60cae23
SHA512 9c9eab3f12016acdc9d6c26524101bdabe689d6f2bae50986a0db81ea10fa4ee5011b961e399bd33869703d0b62a997c2345261eefcb0260fedf53e1b506dce5

C:\Windows\SysWOW64\Keioca32.exe

MD5 5d005134109454291eb1f20f28f5f7dd
SHA1 48d21828ef6b37d097979f82ad0810c5a8d0f7c1
SHA256 10901fc1728db59360203cad19eca5614b016d0ec988fd3304c1dfc43c109e03
SHA512 d914605dc3edd60977dce4251100099adbb6623c685eb55174d82b5833f3947277cf3364598057cc04c6df7d6b04b974307f0aac23f2c97b1e1cb22e7ecc067a

C:\Windows\SysWOW64\Kidjdpie.exe

MD5 ced11b4dfe05c9a3788e745a393a2454
SHA1 fa6abc503f5844467d34c9991d9b457869750211
SHA256 5b29fb69bddfda18495de68a184c2149a570dfe41eea524d10cb62cbdc9e0378
SHA512 06a314e0e8bb4573316eab0883d889d11359f4d63708df23ffe5924bf503b4d40b4d96e2ae22e51ef6c3e1a6b9a6c83b6c7655e254a0b6254268d7e06f8a41c2

C:\Windows\SysWOW64\Klcgpkhh.exe

MD5 57c9394a84685606ac757ee86cfd8c41
SHA1 b9d080079271f5c956bd57c847ca8be773cb6260
SHA256 b721b2b093caca64e924be144cb818fabde78672241777c416d21c408ada619a
SHA512 5aefc992af29c0e768a5c9771219c1eeb4cb137d8970825c04e35ae5afcade522229ad77100f9ec4d54d216405c6cf2a770f5ddc07e4e3fc3a92611e06a8f5d7

C:\Windows\SysWOW64\Kbmome32.exe

MD5 32b847722f920de6bd49b31278302ce7
SHA1 695518db93a85a4cd8c0a04e229315035a796c7d
SHA256 3809c2c5ce8ef3a29e24bed9258d569a8118539c156827f8dd66a17f291a2155
SHA512 af680dbe76425c6e565b224709d4d9a906211cd494828fb3a4e65e4a163b38462b6b5e9a3b5fae62f2b4f684ec25be5b49e5bd14d65af7913089fd2a80a0ac57

C:\Windows\SysWOW64\Kdnkdmec.exe

MD5 71177e3889f0989b19408b2970e62711
SHA1 aca78cdc6818fe5224a663c7d85fcdc8fcce94fe
SHA256 0874338b3dd774081ab1eb709367c6561e89430b4d9873703d74071c47cca24b
SHA512 57c20ef13ddb309e010383099b2573ec4b428b288f176f11e64948e8e9622222555fcf249a1fe21b54e22a3ce877515bf5bb2e94d8c9034cfa5e751ba7328199

C:\Windows\SysWOW64\Khjgel32.exe

MD5 436bf0277fcb5b205efa618574044f1b
SHA1 40bd52fb38b5a195586d1e08a2677eeb093db37b
SHA256 6381ff86f90b07b19e5f64ce1680ac2fb56ab71f090b873bde40f6689f380b3d
SHA512 2d4be526f27b15e297a289c1a1b1c9cbc3201d591c0cdb60a6670e4e989cecf055eed908cd0a31dac243189846962814e2becc324596e543c9dd28604ce0353a

C:\Windows\SysWOW64\Kekkiq32.exe

MD5 c1339a141844a14db34cf98794057beb
SHA1 c15beff5bbd7da5cdea4bf3d247b3469ad48e1f4
SHA256 ae2f01a2d7b0393a2bdfd95843f15a3ca330af805223a0bf500d54a875eaae45
SHA512 f5459f37b351ac287275339bdc58691dc03f30113a11791b63aaa151e4c0b7075d34643be70151e8bf6b3fd52055dd3da9c91cc1dcdcfe32bf18a20d800ca63c

C:\Windows\SysWOW64\Kjhcag32.exe

MD5 a5fabaee4e8bd965a821df10288b677f
SHA1 0e8a38df39d37902a7ef119163e88a28432baec3
SHA256 05fd7492621e4637e3aeaaf8e4963070c8a3f0314e448b703316fc452554ee08
SHA512 74d999654ea6261f4b37eed7dc71d44d960bf47cd5eae66cee0a3cbd91015c838e3ba1f117240d46c0326239c7456627ea686377974ef880e88e033cbb7e8ecb

C:\Windows\SysWOW64\Kmfpmc32.exe

MD5 79a66df2cc75434c392f27a502e76168
SHA1 8f32fbe1bfc8ee078228e95d0df71f199f7f6ee8
SHA256 882e477a067d5c1407c5edf1535686a70378bcebc1d7c3aba440bfc2328970a7
SHA512 598d301ed3c1271755d3a5cc5405b881ef09596c641efad91a050f01ffc96b434aead02d61db4eab5d5e617f44fd70155c77a07b575c82a42897ab20c3d2594e

C:\Windows\SysWOW64\Kenhopmf.exe

MD5 ee867b803e0b34b3178a0fde711a0e57
SHA1 3b62b41bb499c8788ea2e23581dafc2f50b14ce5
SHA256 d6c9f760427d552e7c9710fc5c937d6c23b5ac14f85cb804d2b8b8025fbf07a0
SHA512 b463d329f055c00414a73afb46724ca1a13ff8c5e1cb84708911b2d32df87bb3752a5b0eb6d1be0f478dfb2dd76b1fb4c680c5abf0ac841974cc7f2ed8e09692

C:\Windows\SysWOW64\Kfodfh32.exe

MD5 76e556f982301e707161e68c1f1d1591
SHA1 5a45594e433c5f9c8ef5cc9f2c500fde5a864c92
SHA256 2c735fa716cd726a73f38f06a898768284723e3df922a86eb731f98e87c8e415
SHA512 82f794c8fc41d88272341032a671272fb3707703b6b03e208477bfbaf7600ccc4fcd724f33359a7dbe08fe124b0a57001403727b160e05340d9fa4cc0dbceed8

C:\Windows\SysWOW64\Kkjpggkn.exe

MD5 086fd1bd9bdf306812a62af26f92ce48
SHA1 1504119c5ec54dd0c52f97cad5bd09457011d26c
SHA256 99e0621c26d4a2326931dbb8c79a1b541153b8dd47101eb201c8a34eb4d9ae62
SHA512 1b75cbe99d6379b230ca1dff401a0aed93b8056f0fdae8d65cc042b247f0bd904224f3a3800c357f42853620d4d5640f7da9ac2567012e4204fdd940b54d3bf0

C:\Windows\SysWOW64\Kmimcbja.exe

MD5 a138929085589243c5bd28fc12bef570
SHA1 7b20dc56c531dbe82d108126b42bbc5ef0f14fc3
SHA256 693e7dc592555052f9331d2888d7a6e25e3dfaec2d8ddd9f13161a65699d1efd
SHA512 be78664451b4be6beb79a288b33bcef2c00a6661f3da1759adff3e55496e9c37308bf009fd967708dc7d20ccdf97facae3a580bfcc44eb11fe7609a3b22de29b

C:\Windows\SysWOW64\Kpgionie.exe

MD5 fc1e309ded03c095acf619450af7ae50
SHA1 3bd1a9b094fecafb48d94de8ce7bbb929f49b39d
SHA256 15704ba52c852dbc35f2ffb31f7b4756ba471238943ea6a6f3c0f7eba9a63415
SHA512 2a1f0e4cf3b392ff731d88adb276b10799e3b0ed99a57534e8a9c69098221ade3796a919fa4c14225a0fa92215d42fea7111379430c4d3aef28a0c2784142dc7

C:\Windows\SysWOW64\Kdbepm32.exe

MD5 f3fc47b9b4c3d798206a305ca6336a07
SHA1 df35c7669ee54a948282a7ee59429c9c5600fba9
SHA256 99ded7a739c146731c2feda35b8b3da0df6613b178615e768a1e9167bfc6517a
SHA512 b61ed2522862ddcf864f40569e2a2e7bd844e5793219f2bd86b88a2b7317fb31d9e0fc130729262e46db1fba5dcb902aca711e36b60b5b859fe94fa77d52921b

C:\Windows\SysWOW64\Kfaalh32.exe

MD5 0dd435306fadcb66b1b6a579aa85139a
SHA1 c26da9a42e598ed8ddfbf3acf8dbe18749095ea4
SHA256 af371a2fbb8091ef23cdfe4541855f67c5b2e542ade9c8521bd4ca794ddd3e33
SHA512 0788061287ffd016e56f60677811da7e27ab78824d89c62086db826e1951a56f96e75ad7a5d93cb025e5dd81ec604d3032784c6006e0d88ee21be0428be6a210

C:\Windows\SysWOW64\Kipmhc32.exe

MD5 d9b977896525a241a09ce99af08aeafd
SHA1 f93aae6b9d11378420f254a6268b7800984f4582
SHA256 62b53621d50f72a9d1451e7d9af99a0a0be6e3e7984ea8828f5a2a3feac41d9c
SHA512 da52faef9436c495a70cf9a251125349b0374db94a43400a37193fdd1cbec6f3b3fc91dfb2ca924267f49f6895061a214933678e3297396ffaa65779cd22ba1c

C:\Windows\SysWOW64\Kpieengb.exe

MD5 b3138153c4f403e9b1281b84306eb600
SHA1 c01315747a3778cb8ca17ee02ec06fed967817b1
SHA256 b3404a24bfc14b9b7273850c3f95ac00e10faec696be55734cf81ed2bff8fa7a
SHA512 1c77bce4e06c31de093ce0dad4298751b90e2192ebd9499daee674a3c1bf9dd8f38238c18dfa081060eb6da78402babbffe1d2d72451435fc167b156cecd886c

C:\Windows\SysWOW64\Kmkihbho.exe

MD5 b762051ae2e8da38a381b2e8bddb31e4
SHA1 1b61b5b85e65188beee246e534ef31b98a31e11e
SHA256 fdaaa1d071cab14caa52d32d606551abe34b9f4a34a15037bfe02099ffd00ca0
SHA512 64632bda5476d059896e22c0e978f9c83aa3cd00e5799c96cd19634fa879d9d2c32e51df35744af56ca7034f7c08fa9ea4e1a001e4f233346613e33b574494ff

C:\Windows\SysWOW64\Kkojbf32.exe

MD5 a65ac9c11b2b0be2d8e040c1f8e7087a
SHA1 4cec8f75718ba4767029e2de745b673b06ab27a9
SHA256 7249c0d9f66cf07e42b33d80b32d595f2d150c38d020ee86802e89d3e6d1d02f
SHA512 a9f9943a6d7d7d86d819f1474143833e1dd561d91e0ec25e274756e7a730c6f4151c914e2dfe91970e5d89ca28a0fe4e0b2ac8f51dd020310c4320750cc0cef1

C:\Windows\SysWOW64\Libjncnc.exe

MD5 007f4bd18196680a058c02852481f35a
SHA1 76cf9535f8b14e22ce98feeeee90505c818a6104
SHA256 4439c64101b67ca15a6b023def0524d01990046bbb893700b516e50042e881fc
SHA512 a27366d9df013ca28ed31168edf4ca3f4bce13aae3dc4353e9f8962dee83b1cfee454474f054d3da648944caf59e96ddab421547903444ec9cc08e1d2fe6d921

C:\Windows\SysWOW64\Llpfjomf.exe

MD5 1538d0fc00f4fbb7cc4c023e4006f123
SHA1 d47c22664b6a74288ed3d8bec763588d551d3193
SHA256 f08e1556fc7de55eb5fc6377a6c0ba29e38953f2effd061bc7061208c664e31d
SHA512 289efea3a309a1f01dbe88d01f12ba9f2dfa84eca4ae944545c6e651a88c6dab94ccb86d7df2efef5c0092f71ea2b81cbf24fcb502993202362d2e2d0d9f5bfd

C:\Windows\SysWOW64\Lbjofi32.exe

MD5 6e167cada7ae6d51d166228bc9cfdef7
SHA1 9b9a6a7fd631675bbf753bb27ed4392acf25c9bd
SHA256 4b2f870b01f0771ef44a00acc98d3d90e00c05fdf78e30f473a1c44a04d0cc35
SHA512 4e485a9396ac38d4ad8c1f3a5cb8c2c2bbc06edba1d6380e6fe1238cbd515a399c1de323c4001fda773ad0b12f424c0e1dd19365682c67effbed1400acaf8c6d

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 10:37

Reported

2024-11-10 10:39

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Digehphc.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kngkqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Qpeahb32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hhaggp32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jbojlfdp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jeocna32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ddgplado.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hoclopne.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nfcabp32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Enmjlojd.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ebifmm32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Feenjgfq.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nmhijd32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gbchdp32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Caojpaij.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pfepdg32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pfepdg32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nmdgikhi.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iikmbh32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ifomll32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ondljl32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ppnenlka.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Hedafk32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lnjgfb32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lmdnbn32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pfoann32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Bdmmeo32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Hlppno32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ickglm32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fpgpgfmh.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Iefgbh32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Kpanan32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Aagkhd32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ehpadhll.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Fganqbgg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Gaebef32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Doaneiop.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Lpjjmg32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lckboblp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Jhkbdmbg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fealin32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Lfgipd32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fnbcgn32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Nblolm32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ebdcld32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Gehbjm32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Loighj32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Ekajec32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Ojqcnhkl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Fmmmfj32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pfiddm32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Pcpnhl32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Pcpnhl32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Deqcbpld.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Figgdg32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Likhem32.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Llnnmhfe.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\SysWOW64\Mhanngbl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nhhdnf32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Klahfp32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Iipfmggc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Kofkbk32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Dhikci32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | C:\Windows\SysWOW64\Nqaiecjd.exe | N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Dokgdkeh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddgplado.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkahilkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfglfdkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmadco32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnbakghm.exe N/A
N/A N/A C:\Windows\SysWOW64\Digehphc.exe N/A
N/A N/A C:\Windows\SysWOW64\Doaneiop.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddnfmqng.exe N/A
N/A N/A C:\Windows\SysWOW64\Dodjjimm.exe N/A
N/A N/A C:\Windows\SysWOW64\Deqcbpld.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekkkoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebdcld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekmhejao.exe N/A
N/A N/A C:\Windows\SysWOW64\Enkdaepb.exe N/A
N/A N/A C:\Windows\SysWOW64\Eeelnp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eokqkh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebimgcfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Emoadlfo.exe N/A
N/A N/A C:\Windows\SysWOW64\Enpmld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eifaim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ekdnei32.exe N/A
N/A N/A C:\Windows\SysWOW64\Enbjad32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fihnomjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Flfkkhid.exe N/A
N/A N/A C:\Windows\SysWOW64\Fneggdhg.exe N/A
N/A N/A C:\Windows\SysWOW64\Fijkdmhn.exe N/A
N/A N/A C:\Windows\SysWOW64\Fligqhga.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbbpmb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fealin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpgpgfmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Fiodpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnlmhc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fefedmil.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmmmfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fnnjmbpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Gehbjm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Glbjggof.exe N/A
N/A N/A C:\Windows\SysWOW64\Gblbca32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gejopl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmafajfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfjkjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gihgfk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Glgcbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbalopbn.exe N/A
N/A N/A C:\Windows\SysWOW64\Gikdkj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Glipgf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbchdp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmimai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gojiiafp.exe N/A
N/A N/A C:\Windows\SysWOW64\Hedafk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmkigh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Holfoqcm.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfcnpn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hibjli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hplbickp.exe N/A
N/A N/A C:\Windows\SysWOW64\Hffken32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hidgai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hpnoncim.exe N/A
N/A N/A C:\Windows\SysWOW64\Hblkjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hekgfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hlepcdoa.exe N/A
N/A N/A C:\Windows\SysWOW64\Hoclopne.exe N/A
N/A N/A C:\Windows\SysWOW64\Hiipmhmk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ibaeen32.exe C:\Windows\SysWOW64\Hlglidlo.exe N/A
File created C:\Windows\SysWOW64\Mnknop32.dll C:\Windows\SysWOW64\Jadgnb32.exe N/A
File created C:\Windows\SysWOW64\Galdglpd.dll C:\Windows\SysWOW64\Glgcbf32.exe N/A
File created C:\Windows\SysWOW64\Pmpockdl.dll C:\Windows\SysWOW64\Adcjop32.exe N/A
File created C:\Windows\SysWOW64\Mljmhflh.exe C:\Windows\SysWOW64\Mcaipa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Omfekbdh.exe C:\Windows\SysWOW64\Ojhiogdd.exe N/A
File created C:\Windows\SysWOW64\Ibqnkh32.exe C:\Windows\SysWOW64\Ilfennic.exe N/A
File created C:\Windows\SysWOW64\Nbphglbe.exe C:\Windows\SysWOW64\Nhhdnf32.exe N/A
File created C:\Windows\SysWOW64\Dnbjkgmg.dll C:\Windows\SysWOW64\Jcanll32.exe N/A
File created C:\Windows\SysWOW64\Cfiedd32.dll C:\Windows\SysWOW64\Klhnfo32.exe N/A
File created C:\Windows\SysWOW64\Jpbhgp32.dll C:\Windows\SysWOW64\Ebifmm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Halhfe32.exe C:\Windows\SysWOW64\Hnnljj32.exe N/A
File created C:\Windows\SysWOW64\Mmmqhl32.exe C:\Windows\SysWOW64\Mgphpe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nfqnbjfi.exe C:\Windows\SysWOW64\Nmhijd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jjpode32.exe C:\Windows\SysWOW64\Jcfggkac.exe N/A
File created C:\Windows\SysWOW64\Bdmmeo32.exe C:\Windows\SysWOW64\Apaadpng.exe N/A
File created C:\Windows\SysWOW64\Qdhlclpe.dll C:\Windows\SysWOW64\Kiphjo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Llqjbhdc.exe C:\Windows\SysWOW64\Legben32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nqaiecjd.exe C:\Windows\SysWOW64\Nbphglbe.exe N/A
File opened for modification C:\Windows\SysWOW64\Oiagde32.exe C:\Windows\SysWOW64\Nfqnbjfi.exe N/A
File opened for modification C:\Windows\SysWOW64\Kpmdfonj.exe C:\Windows\SysWOW64\Klahfp32.exe N/A
File created C:\Windows\SysWOW64\Iocedcbl.dll C:\Windows\SysWOW64\Akdilipp.exe N/A
File opened for modification C:\Windows\SysWOW64\Edbiniff.exe C:\Windows\SysWOW64\Eoepebho.exe N/A
File created C:\Windows\SysWOW64\Gkaclqkk.exe C:\Windows\SysWOW64\Ggfglb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lcnfohmi.exe C:\Windows\SysWOW64\Lmdnbn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pnifekmd.exe C:\Windows\SysWOW64\Ppgegd32.exe N/A
File created C:\Windows\SysWOW64\Bpfkpp32.exe C:\Windows\SysWOW64\Bhkfkmmg.exe N/A
File created C:\Windows\SysWOW64\Jadgnb32.exe C:\Windows\SysWOW64\Jpbjfjci.exe N/A
File created C:\Windows\SysWOW64\Fgmdec32.exe C:\Windows\SysWOW64\Fdnhih32.exe N/A
File opened for modification C:\Windows\SysWOW64\Glhimp32.exe C:\Windows\SysWOW64\Gnblnlhl.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlppno32.exe C:\Windows\SysWOW64\Hajkqfoe.exe N/A
File opened for modification C:\Windows\SysWOW64\Lcclncbh.exe C:\Windows\SysWOW64\Lpepbgbd.exe N/A
File created C:\Windows\SysWOW64\Fhhfif32.dll C:\Windows\SysWOW64\Jljbeali.exe N/A
File created C:\Windows\SysWOW64\Klhnfo32.exe C:\Windows\SysWOW64\Kjjbjd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mnegbp32.exe C:\Windows\SysWOW64\Mjjkaabc.exe N/A
File opened for modification C:\Windows\SysWOW64\Aagkhd32.exe C:\Windows\SysWOW64\Adcjop32.exe N/A
File created C:\Windows\SysWOW64\Gblbca32.exe C:\Windows\SysWOW64\Glbjggof.exe N/A
File opened for modification C:\Windows\SysWOW64\Iipfmggc.exe C:\Windows\SysWOW64\Ibfnqmpf.exe N/A
File created C:\Windows\SysWOW64\Hnbeeiji.exe C:\Windows\SysWOW64\Haodle32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pjoppf32.exe C:\Windows\SysWOW64\Pcegclgp.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkahilkl.exe C:\Windows\SysWOW64\Ddgplado.exe N/A
File created C:\Windows\SysWOW64\Aajhndkb.exe C:\Windows\SysWOW64\Ahaceo32.exe N/A
File created C:\Windows\SysWOW64\Ifaohg32.dll C:\Windows\SysWOW64\Apaadpng.exe N/A
File created C:\Windows\SysWOW64\Dmncdk32.dll C:\Windows\SysWOW64\Bklomh32.exe N/A
File created C:\Windows\SysWOW64\Ddgplado.exe C:\Windows\SysWOW64\Dokgdkeh.exe N/A
File created C:\Windows\SysWOW64\Plmell32.dll C:\Windows\SysWOW64\Gaebef32.exe N/A
File created C:\Windows\SysWOW64\Nhhdnf32.exe C:\Windows\SysWOW64\Nhegig32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fiodpl32.exe C:\Windows\SysWOW64\Fpgpgfmh.exe N/A
File created C:\Windows\SysWOW64\Hpnoncim.exe C:\Windows\SysWOW64\Hidgai32.exe N/A
File created C:\Windows\SysWOW64\Qfoaecol.dll C:\Windows\SysWOW64\Cgifbhid.exe N/A
File created C:\Windows\SysWOW64\Ekonpckp.exe C:\Windows\SysWOW64\Ehpadhll.exe N/A
File created C:\Windows\SysWOW64\Qjfmkk32.exe C:\Windows\SysWOW64\Qhhpop32.exe N/A
File created C:\Windows\SysWOW64\Lckggdbo.dll C:\Windows\SysWOW64\Ipgkjlmg.exe N/A
File created C:\Windows\SysWOW64\Lphdhn32.dll C:\Windows\SysWOW64\Jpegkj32.exe N/A
File created C:\Windows\SysWOW64\Kolabf32.exe C:\Windows\SysWOW64\Klndfj32.exe N/A
File created C:\Windows\SysWOW64\Kfbdfl32.dll C:\Windows\SysWOW64\Eeelnp32.exe N/A
File created C:\Windows\SysWOW64\Enpmld32.exe C:\Windows\SysWOW64\Emoadlfo.exe N/A
File created C:\Windows\SysWOW64\Glgcbf32.exe C:\Windows\SysWOW64\Gihgfk32.exe N/A
File created C:\Windows\SysWOW64\Obqhpfck.dll C:\Windows\SysWOW64\Mqkiok32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hidgai32.exe C:\Windows\SysWOW64\Hffken32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jljbeali.exe C:\Windows\SysWOW64\Jilfifme.exe N/A
File created C:\Windows\SysWOW64\Lfebfnqn.dll C:\Windows\SysWOW64\Gojiiafp.exe N/A
File created C:\Windows\SysWOW64\Qdaniq32.exe C:\Windows\SysWOW64\Qpeahb32.exe N/A
File created C:\Windows\SysWOW64\Lcdciiec.exe C:\Windows\SysWOW64\Loighj32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Pififb32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gehbjm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Egaejeej.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Filapfbo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmadco32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iinjhh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kfpcoefj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gegkpf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nhegig32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hibjli32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nflkbanj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aagkhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apaadpng.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fdnhih32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ggfglb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jeapcq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lojmcdgl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hekgfj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jilfifme.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lcnfohmi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qpeahb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eoepebho.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fqgedh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jadgnb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nqaiecjd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojhiogdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mhanngbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fneggdhg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gbchdp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iikmbh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jgkmgk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Npiiffqe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klndfj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klggli32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Padnaq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dnbakghm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lfbped32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nqbpojnp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qhhpop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lpjjmg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Omfekbdh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjpode32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hecjke32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jaonbc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eklajcmc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ilnlom32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pafkgphl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ekdnei32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gmafajfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Enkmfolf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jikoopij.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lchfib32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Glbjggof.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkhgod32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fndpmndl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hoclopne.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfoann32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpmapodj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Halhfe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pbekii32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hedafk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jniood32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klahfp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kngkqbgl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Moipoh32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmolo32.dll" C:\Windows\SysWOW64\Lmdnbn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nfcabp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pnifekmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hedafk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Likhem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eklikcef.dll" C:\Windows\SysWOW64\Gbalopbn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lgbloglj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hlkfbocp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbcikkp.dll" C:\Windows\SysWOW64\Mjggal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pbekii32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiboaq32.dll" C:\Windows\SysWOW64\Dmadco32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iinjhh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ppgegd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Enkdaepb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hffken32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfebfnqn.dll" C:\Windows\SysWOW64\Gojiiafp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fbdehlip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gmimai32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lokdnjkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hpnoncim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ibaeen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecgicmp.dll" C:\Windows\SysWOW64\Fnkfmm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpdeo32.dll" C:\Windows\SysWOW64\Gkaclqkk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kolabf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lcclncbh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgljk32.dll" C:\Windows\SysWOW64\Pcpnhl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lfgipd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll" C:\Windows\SysWOW64\Akkffkhk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ehlhih32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kldjcoje.dll" C:\Windows\SysWOW64\Fnbcgn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gaebef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fiodpl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfipab32.dll" C:\Windows\SysWOW64\Ebdcld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdkcj32.dll" C:\Windows\SysWOW64\Lckboblp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iheocj32.dll" C:\Windows\SysWOW64\Pbekii32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhgonidg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmpaf32.dll" C:\Windows\SysWOW64\Obnehj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cikamapb.dll" C:\Windows\SysWOW64\Hekgfj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnpek32.dll" C:\Windows\SysWOW64\Lpgmhg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mjggal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nblolm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkncfepb.dll" C:\Windows\SysWOW64\Mcpcdg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jadgnb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gbiockdj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fijkdmhn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fnkfmm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dodjjimm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pcpnhl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhjedb.dll" C:\Windows\SysWOW64\Hmkigh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Glbjggof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll" C:\Windows\SysWOW64\Pmpolgoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmijpchc.dll" C:\Windows\SysWOW64\Ahaceo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhmgagf.dll" C:\Windows\SysWOW64\Eoepebho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Filapfbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknofqcc.dll" C:\Windows\SysWOW64\Piocecgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dnbakghm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jgpfbjlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Feqeog32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Feenjgfq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mljmhflh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmjob32.dll" C:\Windows\SysWOW64\Lcnfohmi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ibfnqmpf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mjcngpjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cpmapodj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4908 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe C:\Windows\SysWOW64\Dokgdkeh.exe
PID 4908 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe C:\Windows\SysWOW64\Dokgdkeh.exe
PID 4908 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe C:\Windows\SysWOW64\Dokgdkeh.exe
PID 4852 wrote to memory of 2272 N/A C:\Windows\SysWOW64\Dokgdkeh.exe C:\Windows\SysWOW64\Ddgplado.exe
PID 4852 wrote to memory of 2272 N/A C:\Windows\SysWOW64\Dokgdkeh.exe C:\Windows\SysWOW64\Ddgplado.exe
PID 4852 wrote to memory of 2272 N/A C:\Windows\SysWOW64\Dokgdkeh.exe C:\Windows\SysWOW64\Ddgplado.exe
PID 2272 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Ddgplado.exe C:\Windows\SysWOW64\Dkahilkl.exe
PID 2272 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Ddgplado.exe C:\Windows\SysWOW64\Dkahilkl.exe
PID 2272 wrote to memory of 1384 N/A C:\Windows\SysWOW64\Ddgplado.exe C:\Windows\SysWOW64\Dkahilkl.exe
PID 1384 wrote to memory of 3484 N/A C:\Windows\SysWOW64\Dkahilkl.exe C:\Windows\SysWOW64\Dfglfdkb.exe
PID 1384 wrote to memory of 3484 N/A C:\Windows\SysWOW64\Dkahilkl.exe C:\Windows\SysWOW64\Dfglfdkb.exe
PID 1384 wrote to memory of 3484 N/A C:\Windows\SysWOW64\Dkahilkl.exe C:\Windows\SysWOW64\Dfglfdkb.exe
PID 3484 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Dfglfdkb.exe C:\Windows\SysWOW64\Dmadco32.exe
PID 3484 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Dfglfdkb.exe C:\Windows\SysWOW64\Dmadco32.exe
PID 3484 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Dfglfdkb.exe C:\Windows\SysWOW64\Dmadco32.exe
PID 2932 wrote to memory of 3940 N/A C:\Windows\SysWOW64\Dmadco32.exe C:\Windows\SysWOW64\Dnbakghm.exe
PID 2932 wrote to memory of 3940 N/A C:\Windows\SysWOW64\Dmadco32.exe C:\Windows\SysWOW64\Dnbakghm.exe
PID 2932 wrote to memory of 3940 N/A C:\Windows\SysWOW64\Dmadco32.exe C:\Windows\SysWOW64\Dnbakghm.exe
PID 3940 wrote to memory of 4324 N/A C:\Windows\SysWOW64\Dnbakghm.exe C:\Windows\SysWOW64\Digehphc.exe
PID 3940 wrote to memory of 4324 N/A C:\Windows\SysWOW64\Dnbakghm.exe C:\Windows\SysWOW64\Digehphc.exe
PID 3940 wrote to memory of 4324 N/A C:\Windows\SysWOW64\Dnbakghm.exe C:\Windows\SysWOW64\Digehphc.exe
PID 4324 wrote to memory of 2532 N/A C:\Windows\SysWOW64\Digehphc.exe C:\Windows\SysWOW64\Doaneiop.exe
PID 4324 wrote to memory of 2532 N/A C:\Windows\SysWOW64\Digehphc.exe C:\Windows\SysWOW64\Doaneiop.exe
PID 4324 wrote to memory of 2532 N/A C:\Windows\SysWOW64\Digehphc.exe C:\Windows\SysWOW64\Doaneiop.exe
PID 2532 wrote to memory of 4848 N/A C:\Windows\SysWOW64\Doaneiop.exe C:\Windows\SysWOW64\Ddnfmqng.exe
PID 2532 wrote to memory of 4848 N/A C:\Windows\SysWOW64\Doaneiop.exe C:\Windows\SysWOW64\Ddnfmqng.exe
PID 2532 wrote to memory of 4848 N/A C:\Windows\SysWOW64\Doaneiop.exe C:\Windows\SysWOW64\Ddnfmqng.exe
PID 4848 wrote to memory of 4148 N/A C:\Windows\SysWOW64\Ddnfmqng.exe C:\Windows\SysWOW64\Dodjjimm.exe
PID 4848 wrote to memory of 4148 N/A C:\Windows\SysWOW64\Ddnfmqng.exe C:\Windows\SysWOW64\Dodjjimm.exe
PID 4848 wrote to memory of 4148 N/A C:\Windows\SysWOW64\Ddnfmqng.exe C:\Windows\SysWOW64\Dodjjimm.exe
PID 4148 wrote to memory of 2108 N/A C:\Windows\SysWOW64\Dodjjimm.exe C:\Windows\SysWOW64\Deqcbpld.exe
PID 4148 wrote to memory of 2108 N/A C:\Windows\SysWOW64\Dodjjimm.exe C:\Windows\SysWOW64\Deqcbpld.exe
PID 4148 wrote to memory of 2108 N/A C:\Windows\SysWOW64\Dodjjimm.exe C:\Windows\SysWOW64\Deqcbpld.exe
PID 2108 wrote to memory of 1956 N/A C:\Windows\SysWOW64\Deqcbpld.exe C:\Windows\SysWOW64\Ekkkoj32.exe
PID 2108 wrote to memory of 1956 N/A C:\Windows\SysWOW64\Deqcbpld.exe C:\Windows\SysWOW64\Ekkkoj32.exe
PID 2108 wrote to memory of 1956 N/A C:\Windows\SysWOW64\Deqcbpld.exe C:\Windows\SysWOW64\Ekkkoj32.exe
PID 1956 wrote to memory of 844 N/A C:\Windows\SysWOW64\Ekkkoj32.exe C:\Windows\SysWOW64\Ebdcld32.exe
PID 1956 wrote to memory of 844 N/A C:\Windows\SysWOW64\Ekkkoj32.exe C:\Windows\SysWOW64\Ebdcld32.exe
PID 1956 wrote to memory of 844 N/A C:\Windows\SysWOW64\Ekkkoj32.exe C:\Windows\SysWOW64\Ebdcld32.exe
PID 844 wrote to memory of 3316 N/A C:\Windows\SysWOW64\Ebdcld32.exe C:\Windows\SysWOW64\Ekmhejao.exe
PID 844 wrote to memory of 3316 N/A C:\Windows\SysWOW64\Ebdcld32.exe C:\Windows\SysWOW64\Ekmhejao.exe
PID 844 wrote to memory of 3316 N/A C:\Windows\SysWOW64\Ebdcld32.exe C:\Windows\SysWOW64\Ekmhejao.exe
PID 3316 wrote to memory of 4416 N/A C:\Windows\SysWOW64\Ekmhejao.exe C:\Windows\SysWOW64\Enkdaepb.exe
PID 3316 wrote to memory of 4416 N/A C:\Windows\SysWOW64\Ekmhejao.exe C:\Windows\SysWOW64\Enkdaepb.exe
PID 3316 wrote to memory of 4416 N/A C:\Windows\SysWOW64\Ekmhejao.exe C:\Windows\SysWOW64\Enkdaepb.exe
PID 4416 wrote to memory of 5112 N/A C:\Windows\SysWOW64\Enkdaepb.exe C:\Windows\SysWOW64\Eeelnp32.exe
PID 4416 wrote to memory of 5112 N/A C:\Windows\SysWOW64\Enkdaepb.exe C:\Windows\SysWOW64\Eeelnp32.exe
PID 4416 wrote to memory of 5112 N/A C:\Windows\SysWOW64\Enkdaepb.exe C:\Windows\SysWOW64\Eeelnp32.exe
PID 5112 wrote to memory of 928 N/A C:\Windows\SysWOW64\Eeelnp32.exe C:\Windows\SysWOW64\Eokqkh32.exe
PID 5112 wrote to memory of 928 N/A C:\Windows\SysWOW64\Eeelnp32.exe C:\Windows\SysWOW64\Eokqkh32.exe
PID 5112 wrote to memory of 928 N/A C:\Windows\SysWOW64\Eeelnp32.exe C:\Windows\SysWOW64\Eokqkh32.exe
PID 928 wrote to memory of 4712 N/A C:\Windows\SysWOW64\Eokqkh32.exe C:\Windows\SysWOW64\Ebimgcfi.exe
PID 928 wrote to memory of 4712 N/A C:\Windows\SysWOW64\Eokqkh32.exe C:\Windows\SysWOW64\Ebimgcfi.exe
PID 928 wrote to memory of 4712 N/A C:\Windows\SysWOW64\Eokqkh32.exe C:\Windows\SysWOW64\Ebimgcfi.exe
PID 4712 wrote to memory of 1116 N/A C:\Windows\SysWOW64\Ebimgcfi.exe C:\Windows\SysWOW64\Emoadlfo.exe
PID 4712 wrote to memory of 1116 N/A C:\Windows\SysWOW64\Ebimgcfi.exe C:\Windows\SysWOW64\Emoadlfo.exe
PID 4712 wrote to memory of 1116 N/A C:\Windows\SysWOW64\Ebimgcfi.exe C:\Windows\SysWOW64\Emoadlfo.exe
PID 1116 wrote to memory of 3004 N/A C:\Windows\SysWOW64\Emoadlfo.exe C:\Windows\SysWOW64\Enpmld32.exe
PID 1116 wrote to memory of 3004 N/A C:\Windows\SysWOW64\Emoadlfo.exe C:\Windows\SysWOW64\Enpmld32.exe
PID 1116 wrote to memory of 3004 N/A C:\Windows\SysWOW64\Emoadlfo.exe C:\Windows\SysWOW64\Enpmld32.exe
PID 3004 wrote to memory of 1896 N/A C:\Windows\SysWOW64\Enpmld32.exe C:\Windows\SysWOW64\Eifaim32.exe
PID 3004 wrote to memory of 1896 N/A C:\Windows\SysWOW64\Enpmld32.exe C:\Windows\SysWOW64\Eifaim32.exe
PID 3004 wrote to memory of 1896 N/A C:\Windows\SysWOW64\Enpmld32.exe C:\Windows\SysWOW64\Eifaim32.exe
PID 1896 wrote to memory of 2404 N/A C:\Windows\SysWOW64\Eifaim32.exe C:\Windows\SysWOW64\Ekdnei32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe

"C:\Users\Admin\AppData\Local\Temp\3816cbaa1211f7bf2613db6206b0d6b28186e8d713a23795ae0f497e7e7b881fN.exe"

C:\Windows\SysWOW64\Dokgdkeh.exe

C:\Windows\system32\Dokgdkeh.exe

C:\Windows\SysWOW64\Ddgplado.exe

C:\Windows\system32\Ddgplado.exe

C:\Windows\SysWOW64\Dkahilkl.exe

C:\Windows\system32\Dkahilkl.exe

C:\Windows\SysWOW64\Dfglfdkb.exe

C:\Windows\system32\Dfglfdkb.exe

C:\Windows\SysWOW64\Dmadco32.exe

C:\Windows\system32\Dmadco32.exe

C:\Windows\SysWOW64\Dnbakghm.exe

C:\Windows\system32\Dnbakghm.exe

C:\Windows\SysWOW64\Digehphc.exe

C:\Windows\system32\Digehphc.exe

C:\Windows\SysWOW64\Doaneiop.exe

C:\Windows\system32\Doaneiop.exe

C:\Windows\SysWOW64\Ddnfmqng.exe

C:\Windows\system32\Ddnfmqng.exe

C:\Windows\SysWOW64\Dodjjimm.exe

C:\Windows\system32\Dodjjimm.exe

C:\Windows\SysWOW64\Deqcbpld.exe

C:\Windows\system32\Deqcbpld.exe

C:\Windows\SysWOW64\Ekkkoj32.exe

C:\Windows\system32\Ekkkoj32.exe

C:\Windows\SysWOW64\Ebdcld32.exe

C:\Windows\system32\Ebdcld32.exe

C:\Windows\SysWOW64\Ekmhejao.exe

C:\Windows\system32\Ekmhejao.exe

C:\Windows\SysWOW64\Enkdaepb.exe

C:\Windows\system32\Enkdaepb.exe

C:\Windows\SysWOW64\Eeelnp32.exe

C:\Windows\system32\Eeelnp32.exe

C:\Windows\SysWOW64\Eokqkh32.exe

C:\Windows\system32\Eokqkh32.exe

C:\Windows\SysWOW64\Ebimgcfi.exe

C:\Windows\system32\Ebimgcfi.exe

C:\Windows\SysWOW64\Emoadlfo.exe

C:\Windows\system32\Emoadlfo.exe

C:\Windows\SysWOW64\Enpmld32.exe

C:\Windows\system32\Enpmld32.exe

C:\Windows\SysWOW64\Eifaim32.exe

C:\Windows\system32\Eifaim32.exe

C:\Windows\SysWOW64\Ekdnei32.exe

C:\Windows\system32\Ekdnei32.exe

C:\Windows\SysWOW64\Enbjad32.exe

C:\Windows\system32\Enbjad32.exe

C:\Windows\SysWOW64\Fihnomjp.exe

C:\Windows\system32\Fihnomjp.exe

C:\Windows\SysWOW64\Flfkkhid.exe

C:\Windows\system32\Flfkkhid.exe

C:\Windows\SysWOW64\Fneggdhg.exe

C:\Windows\system32\Fneggdhg.exe

C:\Windows\SysWOW64\Fijkdmhn.exe

C:\Windows\system32\Fijkdmhn.exe

C:\Windows\SysWOW64\Fligqhga.exe

C:\Windows\system32\Fligqhga.exe

C:\Windows\SysWOW64\Fbbpmb32.exe

C:\Windows\system32\Fbbpmb32.exe

C:\Windows\SysWOW64\Fealin32.exe

C:\Windows\system32\Fealin32.exe

C:\Windows\SysWOW64\Fpgpgfmh.exe

C:\Windows\system32\Fpgpgfmh.exe

C:\Windows\SysWOW64\Fiodpl32.exe

C:\Windows\system32\Fiodpl32.exe

C:\Windows\SysWOW64\Fnlmhc32.exe

C:\Windows\system32\Fnlmhc32.exe

C:\Windows\SysWOW64\Fefedmil.exe

C:\Windows\system32\Fefedmil.exe

C:\Windows\SysWOW64\Fmmmfj32.exe

C:\Windows\system32\Fmmmfj32.exe

C:\Windows\SysWOW64\Fnnjmbpm.exe

C:\Windows\system32\Fnnjmbpm.exe

C:\Windows\SysWOW64\Gehbjm32.exe

C:\Windows\system32\Gehbjm32.exe

C:\Windows\SysWOW64\Glbjggof.exe

C:\Windows\system32\Glbjggof.exe

C:\Windows\SysWOW64\Gblbca32.exe

C:\Windows\system32\Gblbca32.exe

C:\Windows\SysWOW64\Gejopl32.exe

C:\Windows\system32\Gejopl32.exe

C:\Windows\SysWOW64\Gmafajfi.exe

C:\Windows\system32\Gmafajfi.exe

C:\Windows\SysWOW64\Gfjkjo32.exe

C:\Windows\system32\Gfjkjo32.exe

C:\Windows\SysWOW64\Gihgfk32.exe

C:\Windows\system32\Gihgfk32.exe

C:\Windows\SysWOW64\Glgcbf32.exe

C:\Windows\system32\Glgcbf32.exe

C:\Windows\SysWOW64\Gbalopbn.exe

C:\Windows\system32\Gbalopbn.exe

C:\Windows\SysWOW64\Gikdkj32.exe

C:\Windows\system32\Gikdkj32.exe

C:\Windows\SysWOW64\Glipgf32.exe

C:\Windows\system32\Glipgf32.exe

C:\Windows\SysWOW64\Gbchdp32.exe

C:\Windows\system32\Gbchdp32.exe

C:\Windows\SysWOW64\Gmimai32.exe

C:\Windows\system32\Gmimai32.exe

C:\Windows\SysWOW64\Gojiiafp.exe

C:\Windows\system32\Gojiiafp.exe

C:\Windows\SysWOW64\Hedafk32.exe

C:\Windows\system32\Hedafk32.exe

C:\Windows\SysWOW64\Hmkigh32.exe

C:\Windows\system32\Hmkigh32.exe

C:\Windows\SysWOW64\Holfoqcm.exe

C:\Windows\system32\Holfoqcm.exe

C:\Windows\SysWOW64\Hfcnpn32.exe

C:\Windows\system32\Hfcnpn32.exe

C:\Windows\SysWOW64\Hibjli32.exe

C:\Windows\system32\Hibjli32.exe

C:\Windows\SysWOW64\Hplbickp.exe

C:\Windows\system32\Hplbickp.exe

C:\Windows\SysWOW64\Hffken32.exe

C:\Windows\system32\Hffken32.exe

C:\Windows\SysWOW64\Hidgai32.exe

C:\Windows\system32\Hidgai32.exe

C:\Windows\SysWOW64\Hpnoncim.exe

C:\Windows\system32\Hpnoncim.exe

C:\Windows\SysWOW64\Hblkjo32.exe

C:\Windows\system32\Hblkjo32.exe

C:\Windows\SysWOW64\Hekgfj32.exe

C:\Windows\system32\Hekgfj32.exe

C:\Windows\SysWOW64\Hlepcdoa.exe

C:\Windows\system32\Hlepcdoa.exe

C:\Windows\SysWOW64\Hoclopne.exe

C:\Windows\system32\Hoclopne.exe

C:\Windows\SysWOW64\Hiipmhmk.exe

C:\Windows\system32\Hiipmhmk.exe

C:\Windows\SysWOW64\Hlglidlo.exe

C:\Windows\system32\Hlglidlo.exe

C:\Windows\SysWOW64\Ibaeen32.exe

C:\Windows\system32\Ibaeen32.exe

C:\Windows\SysWOW64\Iikmbh32.exe

C:\Windows\system32\Iikmbh32.exe

C:\Windows\SysWOW64\Iliinc32.exe

C:\Windows\system32\Iliinc32.exe

C:\Windows\SysWOW64\Ifomll32.exe

C:\Windows\system32\Ifomll32.exe

C:\Windows\SysWOW64\Iinjhh32.exe

C:\Windows\system32\Iinjhh32.exe

C:\Windows\SysWOW64\Illfdc32.exe

C:\Windows\system32\Illfdc32.exe

C:\Windows\SysWOW64\Ibfnqmpf.exe

C:\Windows\system32\Ibfnqmpf.exe

C:\Windows\SysWOW64\Iipfmggc.exe

C:\Windows\system32\Iipfmggc.exe

C:\Windows\SysWOW64\Iefgbh32.exe

C:\Windows\system32\Iefgbh32.exe

C:\Windows\SysWOW64\Ickglm32.exe

C:\Windows\system32\Ickglm32.exe

C:\Windows\SysWOW64\Ilcldb32.exe

C:\Windows\system32\Ilcldb32.exe

C:\Windows\SysWOW64\Joahqn32.exe

C:\Windows\system32\Joahqn32.exe

C:\Windows\SysWOW64\Jmbhoeid.exe

C:\Windows\system32\Jmbhoeid.exe

C:\Windows\SysWOW64\Jocefm32.exe

C:\Windows\system32\Jocefm32.exe

C:\Windows\SysWOW64\Jgkmgk32.exe

C:\Windows\system32\Jgkmgk32.exe

C:\Windows\SysWOW64\Jlgepanl.exe

C:\Windows\system32\Jlgepanl.exe

C:\Windows\SysWOW64\Jcanll32.exe

C:\Windows\system32\Jcanll32.exe

C:\Windows\SysWOW64\Jilfifme.exe

C:\Windows\system32\Jilfifme.exe

C:\Windows\SysWOW64\Jljbeali.exe

C:\Windows\system32\Jljbeali.exe

C:\Windows\SysWOW64\Jgpfbjlo.exe

C:\Windows\system32\Jgpfbjlo.exe

C:\Windows\SysWOW64\Jniood32.exe

C:\Windows\system32\Jniood32.exe

C:\Windows\SysWOW64\Jcfggkac.exe

C:\Windows\system32\Jcfggkac.exe

C:\Windows\SysWOW64\Jjpode32.exe

C:\Windows\system32\Jjpode32.exe

C:\Windows\SysWOW64\Komhll32.exe

C:\Windows\system32\Komhll32.exe

C:\Windows\SysWOW64\Kjblje32.exe

C:\Windows\system32\Kjblje32.exe

C:\Windows\SysWOW64\Klahfp32.exe

C:\Windows\system32\Klahfp32.exe

C:\Windows\SysWOW64\Kpmdfonj.exe

C:\Windows\system32\Kpmdfonj.exe

C:\Windows\SysWOW64\Koaagkcb.exe

C:\Windows\system32\Koaagkcb.exe

C:\Windows\SysWOW64\Kpanan32.exe

C:\Windows\system32\Kpanan32.exe

C:\Windows\SysWOW64\Kgkfnh32.exe

C:\Windows\system32\Kgkfnh32.exe

C:\Windows\SysWOW64\Kjjbjd32.exe

C:\Windows\system32\Kjjbjd32.exe

C:\Windows\SysWOW64\Klhnfo32.exe

C:\Windows\system32\Klhnfo32.exe

C:\Windows\SysWOW64\Kofkbk32.exe

C:\Windows\system32\Kofkbk32.exe

C:\Windows\SysWOW64\Kfpcoefj.exe

C:\Windows\system32\Kfpcoefj.exe

C:\Windows\SysWOW64\Kngkqbgl.exe

C:\Windows\system32\Kngkqbgl.exe

C:\Windows\SysWOW64\Loighj32.exe

C:\Windows\system32\Loighj32.exe

C:\Windows\SysWOW64\Lcdciiec.exe

C:\Windows\system32\Lcdciiec.exe

C:\Windows\SysWOW64\Lfbped32.exe

C:\Windows\system32\Lfbped32.exe

C:\Windows\SysWOW64\Lnjgfb32.exe

C:\Windows\system32\Lnjgfb32.exe

C:\Windows\SysWOW64\Lokdnjkg.exe

C:\Windows\system32\Lokdnjkg.exe

C:\Windows\SysWOW64\Lgbloglj.exe

C:\Windows\system32\Lgbloglj.exe

C:\Windows\SysWOW64\Lfeljd32.exe

C:\Windows\system32\Lfeljd32.exe

C:\Windows\SysWOW64\Llodgnja.exe

C:\Windows\system32\Llodgnja.exe

C:\Windows\SysWOW64\Lfgipd32.exe

C:\Windows\system32\Lfgipd32.exe

C:\Windows\SysWOW64\Lopmii32.exe

C:\Windows\system32\Lopmii32.exe

C:\Windows\SysWOW64\Lmdnbn32.exe

C:\Windows\system32\Lmdnbn32.exe

C:\Windows\SysWOW64\Lcnfohmi.exe

C:\Windows\system32\Lcnfohmi.exe

C:\Windows\SysWOW64\Lncjlq32.exe

C:\Windows\system32\Lncjlq32.exe

C:\Windows\SysWOW64\Mcpcdg32.exe

C:\Windows\system32\Mcpcdg32.exe

C:\Windows\SysWOW64\Mjjkaabc.exe

C:\Windows\system32\Mjjkaabc.exe

C:\Windows\SysWOW64\Mnegbp32.exe

C:\Windows\system32\Mnegbp32.exe

C:\Windows\SysWOW64\Mjlhgaqp.exe

C:\Windows\system32\Mjlhgaqp.exe

C:\Windows\SysWOW64\Mmkdcm32.exe

C:\Windows\system32\Mmkdcm32.exe

C:\Windows\SysWOW64\Moipoh32.exe

C:\Windows\system32\Moipoh32.exe

C:\Windows\SysWOW64\Mgphpe32.exe

C:\Windows\system32\Mgphpe32.exe

C:\Windows\SysWOW64\Mmmqhl32.exe

C:\Windows\system32\Mmmqhl32.exe

C:\Windows\SysWOW64\Mcgiefen.exe

C:\Windows\system32\Mcgiefen.exe

C:\Windows\SysWOW64\Mnmmboed.exe

C:\Windows\system32\Mnmmboed.exe

C:\Windows\SysWOW64\Mqkiok32.exe

C:\Windows\system32\Mqkiok32.exe

C:\Windows\SysWOW64\Mjcngpjh.exe

C:\Windows\system32\Mjcngpjh.exe

C:\Windows\SysWOW64\Nfjola32.exe

C:\Windows\system32\Nfjola32.exe

C:\Windows\SysWOW64\Nmdgikhi.exe

C:\Windows\system32\Nmdgikhi.exe

C:\Windows\SysWOW64\Nflkbanj.exe

C:\Windows\system32\Nflkbanj.exe

C:\Windows\SysWOW64\Nqbpojnp.exe

C:\Windows\system32\Nqbpojnp.exe

C:\Windows\SysWOW64\Npepkf32.exe

C:\Windows\system32\Npepkf32.exe

C:\Windows\SysWOW64\Nnfpinmi.exe

C:\Windows\system32\Nnfpinmi.exe

C:\Windows\SysWOW64\Ncchae32.exe

C:\Windows\system32\Ncchae32.exe

C:\Windows\SysWOW64\Npiiffqe.exe

C:\Windows\system32\Npiiffqe.exe

C:\Windows\SysWOW64\Nfcabp32.exe

C:\Windows\system32\Nfcabp32.exe

C:\Windows\SysWOW64\Omnjojpo.exe

C:\Windows\system32\Omnjojpo.exe

C:\Windows\SysWOW64\Ocgbld32.exe

C:\Windows\system32\Ocgbld32.exe

C:\Windows\SysWOW64\Ombcji32.exe

C:\Windows\system32\Ombcji32.exe

C:\Windows\SysWOW64\Ojfcdnjc.exe

C:\Windows\system32\Ojfcdnjc.exe

C:\Windows\SysWOW64\Ocohmc32.exe

C:\Windows\system32\Ocohmc32.exe

C:\Windows\SysWOW64\Ondljl32.exe

C:\Windows\system32\Ondljl32.exe

C:\Windows\SysWOW64\Pfoann32.exe

C:\Windows\system32\Pfoann32.exe

C:\Windows\SysWOW64\Ppgegd32.exe

C:\Windows\system32\Ppgegd32.exe

C:\Windows\SysWOW64\Pnifekmd.exe

C:\Windows\system32\Pnifekmd.exe

C:\Windows\SysWOW64\Pjpfjl32.exe

C:\Windows\system32\Pjpfjl32.exe

C:\Windows\SysWOW64\Pmpolgoi.exe

C:\Windows\system32\Pmpolgoi.exe

C:\Windows\SysWOW64\Phfcipoo.exe

C:\Windows\system32\Phfcipoo.exe

C:\Windows\SysWOW64\Pfiddm32.exe

C:\Windows\system32\Pfiddm32.exe

C:\Windows\SysWOW64\Pnplfj32.exe

C:\Windows\system32\Pnplfj32.exe

C:\Windows\SysWOW64\Panhbfep.exe

C:\Windows\system32\Panhbfep.exe

C:\Windows\SysWOW64\Qhhpop32.exe

C:\Windows\system32\Qhhpop32.exe

C:\Windows\SysWOW64\Qjfmkk32.exe

C:\Windows\system32\Qjfmkk32.exe

C:\Windows\SysWOW64\Qobhkjdi.exe

C:\Windows\system32\Qobhkjdi.exe

C:\Windows\SysWOW64\Qdoacabq.exe

C:\Windows\system32\Qdoacabq.exe

C:\Windows\SysWOW64\Qjiipk32.exe

C:\Windows\system32\Qjiipk32.exe

C:\Windows\SysWOW64\Qpeahb32.exe

C:\Windows\system32\Qpeahb32.exe

C:\Windows\SysWOW64\Qdaniq32.exe

C:\Windows\system32\Qdaniq32.exe

C:\Windows\SysWOW64\Akkffkhk.exe

C:\Windows\system32\Akkffkhk.exe

C:\Windows\SysWOW64\Adcjop32.exe

C:\Windows\system32\Adcjop32.exe

C:\Windows\SysWOW64\Aagkhd32.exe

C:\Windows\system32\Aagkhd32.exe

C:\Windows\SysWOW64\Ahaceo32.exe

C:\Windows\system32\Ahaceo32.exe

C:\Windows\SysWOW64\Aajhndkb.exe

C:\Windows\system32\Aajhndkb.exe

C:\Windows\SysWOW64\Apmhiq32.exe

C:\Windows\system32\Apmhiq32.exe

C:\Windows\SysWOW64\Aggpfkjj.exe

C:\Windows\system32\Aggpfkjj.exe

C:\Windows\SysWOW64\Aonhghjl.exe

C:\Windows\system32\Aonhghjl.exe

C:\Windows\SysWOW64\Akdilipp.exe

C:\Windows\system32\Akdilipp.exe

C:\Windows\SysWOW64\Apaadpng.exe

C:\Windows\system32\Apaadpng.exe

C:\Windows\SysWOW64\Bdmmeo32.exe

C:\Windows\system32\Bdmmeo32.exe

C:\Windows\SysWOW64\Bobabg32.exe

C:\Windows\system32\Bobabg32.exe

C:\Windows\SysWOW64\Bhkfkmmg.exe

C:\Windows\system32\Bhkfkmmg.exe

C:\Windows\SysWOW64\Bpfkpp32.exe

C:\Windows\system32\Bpfkpp32.exe

C:\Windows\SysWOW64\Bhmbqm32.exe

C:\Windows\system32\Bhmbqm32.exe

C:\Windows\SysWOW64\Bklomh32.exe

C:\Windows\system32\Bklomh32.exe

C:\Windows\SysWOW64\Bhpofl32.exe

C:\Windows\system32\Bhpofl32.exe

C:\Windows\SysWOW64\Bahdob32.exe

C:\Windows\system32\Bahdob32.exe

C:\Windows\SysWOW64\Cpmapodj.exe

C:\Windows\system32\Cpmapodj.exe

C:\Windows\SysWOW64\Cgifbhid.exe

C:\Windows\system32\Cgifbhid.exe

C:\Windows\SysWOW64\Caojpaij.exe

C:\Windows\system32\Caojpaij.exe

C:\Windows\SysWOW64\Chkobkod.exe

C:\Windows\system32\Chkobkod.exe

C:\Windows\SysWOW64\Chnlgjlb.exe

C:\Windows\system32\Chnlgjlb.exe

C:\Windows\SysWOW64\Dddllkbf.exe

C:\Windows\system32\Dddllkbf.exe

C:\Windows\SysWOW64\Dnmaea32.exe

C:\Windows\system32\Dnmaea32.exe

C:\Windows\SysWOW64\Dhbebj32.exe

C:\Windows\system32\Dhbebj32.exe

C:\Windows\SysWOW64\Dkcndeen.exe

C:\Windows\system32\Dkcndeen.exe

C:\Windows\SysWOW64\Dhgonidg.exe

C:\Windows\system32\Dhgonidg.exe

C:\Windows\SysWOW64\Dhikci32.exe

C:\Windows\system32\Dhikci32.exe

C:\Windows\SysWOW64\Dkhgod32.exe

C:\Windows\system32\Dkhgod32.exe

C:\Windows\SysWOW64\Ehlhih32.exe

C:\Windows\system32\Ehlhih32.exe

C:\Windows\SysWOW64\Eoepebho.exe

C:\Windows\system32\Eoepebho.exe

C:\Windows\SysWOW64\Edbiniff.exe

C:\Windows\system32\Edbiniff.exe

C:\Windows\SysWOW64\Egaejeej.exe

C:\Windows\system32\Egaejeej.exe

C:\Windows\SysWOW64\Eklajcmc.exe

C:\Windows\system32\Eklajcmc.exe

C:\Windows\SysWOW64\Enkmfolf.exe

C:\Windows\system32\Enkmfolf.exe

C:\Windows\SysWOW64\Ehpadhll.exe

C:\Windows\system32\Ehpadhll.exe

C:\Windows\SysWOW64\Ekonpckp.exe

C:\Windows\system32\Ekonpckp.exe

C:\Windows\SysWOW64\Enmjlojd.exe

C:\Windows\system32\Enmjlojd.exe

C:\Windows\SysWOW64\Ebifmm32.exe

C:\Windows\system32\Ebifmm32.exe

C:\Windows\SysWOW64\Egened32.exe

C:\Windows\system32\Egened32.exe

C:\Windows\SysWOW64\Ekajec32.exe

C:\Windows\system32\Ekajec32.exe

C:\Windows\SysWOW64\Enpfan32.exe

C:\Windows\system32\Enpfan32.exe

C:\Windows\SysWOW64\Edionhpn.exe

C:\Windows\system32\Edionhpn.exe

C:\Windows\SysWOW64\Eghkjdoa.exe

C:\Windows\system32\Eghkjdoa.exe

C:\Windows\SysWOW64\Fnbcgn32.exe

C:\Windows\system32\Fnbcgn32.exe

C:\Windows\SysWOW64\Fqppci32.exe

C:\Windows\system32\Fqppci32.exe

C:\Windows\SysWOW64\Figgdg32.exe

C:\Windows\system32\Figgdg32.exe

C:\Windows\SysWOW64\Fndpmndl.exe

C:\Windows\system32\Fndpmndl.exe

C:\Windows\SysWOW64\Fdnhih32.exe

C:\Windows\system32\Fdnhih32.exe

C:\Windows\SysWOW64\Fgmdec32.exe

C:\Windows\system32\Fgmdec32.exe

C:\Windows\SysWOW64\Feqeog32.exe

C:\Windows\system32\Feqeog32.exe

C:\Windows\SysWOW64\Filapfbo.exe

C:\Windows\system32\Filapfbo.exe

C:\Windows\SysWOW64\Fkjmlaac.exe

C:\Windows\system32\Fkjmlaac.exe

C:\Windows\SysWOW64\Fbdehlip.exe

C:\Windows\system32\Fbdehlip.exe

C:\Windows\SysWOW64\Fqgedh32.exe

C:\Windows\system32\Fqgedh32.exe

C:\Windows\SysWOW64\Finnef32.exe

C:\Windows\system32\Finnef32.exe

C:\Windows\SysWOW64\Fganqbgg.exe

C:\Windows\system32\Fganqbgg.exe

C:\Windows\SysWOW64\Fkmjaa32.exe

C:\Windows\system32\Fkmjaa32.exe

C:\Windows\SysWOW64\Fnkfmm32.exe

C:\Windows\system32\Fnkfmm32.exe

C:\Windows\SysWOW64\Feenjgfq.exe

C:\Windows\system32\Feenjgfq.exe

C:\Windows\SysWOW64\Gokbgpeg.exe

C:\Windows\system32\Gokbgpeg.exe

C:\Windows\SysWOW64\Gbiockdj.exe

C:\Windows\system32\Gbiockdj.exe

C:\Windows\SysWOW64\Gegkpf32.exe

C:\Windows\system32\Gegkpf32.exe

C:\Windows\SysWOW64\Ggfglb32.exe

C:\Windows\system32\Ggfglb32.exe

C:\Windows\SysWOW64\Gkaclqkk.exe

C:\Windows\system32\Gkaclqkk.exe

C:\Windows\SysWOW64\Gnpphljo.exe

C:\Windows\system32\Gnpphljo.exe

C:\Windows\SysWOW64\Giecfejd.exe

C:\Windows\system32\Giecfejd.exe

C:\Windows\SysWOW64\Gnblnlhl.exe

C:\Windows\system32\Gnblnlhl.exe

C:\Windows\SysWOW64\Glhimp32.exe

C:\Windows\system32\Glhimp32.exe

C:\Windows\SysWOW64\Gaebef32.exe

C:\Windows\system32\Gaebef32.exe

C:\Windows\SysWOW64\Hlkfbocp.exe

C:\Windows\system32\Hlkfbocp.exe

C:\Windows\SysWOW64\Hbenoi32.exe

C:\Windows\system32\Hbenoi32.exe

C:\Windows\SysWOW64\Hecjke32.exe

C:\Windows\system32\Hecjke32.exe

C:\Windows\SysWOW64\Hhaggp32.exe

C:\Windows\system32\Hhaggp32.exe

C:\Windows\SysWOW64\Hajkqfoe.exe

C:\Windows\system32\Hajkqfoe.exe

C:\Windows\SysWOW64\Hlppno32.exe

C:\Windows\system32\Hlppno32.exe

C:\Windows\SysWOW64\Hnnljj32.exe

C:\Windows\system32\Hnnljj32.exe

C:\Windows\SysWOW64\Halhfe32.exe

C:\Windows\system32\Halhfe32.exe

C:\Windows\SysWOW64\Hehdfdek.exe

C:\Windows\system32\Hehdfdek.exe

C:\Windows\SysWOW64\Haodle32.exe

C:\Windows\system32\Haodle32.exe

C:\Windows\SysWOW64\Hnbeeiji.exe

C:\Windows\system32\Hnbeeiji.exe

C:\Windows\SysWOW64\Ilfennic.exe

C:\Windows\system32\Ilfennic.exe

C:\Windows\SysWOW64\Ibqnkh32.exe

C:\Windows\system32\Ibqnkh32.exe

C:\Windows\SysWOW64\Iogopi32.exe

C:\Windows\system32\Iogopi32.exe

C:\Windows\SysWOW64\Ipgkjlmg.exe

C:\Windows\system32\Ipgkjlmg.exe

C:\Windows\SysWOW64\Ilnlom32.exe

C:\Windows\system32\Ilnlom32.exe

C:\Windows\SysWOW64\Ilphdlqh.exe

C:\Windows\system32\Ilphdlqh.exe

C:\Windows\SysWOW64\Iehmmb32.exe

C:\Windows\system32\Iehmmb32.exe

C:\Windows\SysWOW64\Jaonbc32.exe

C:\Windows\system32\Jaonbc32.exe

C:\Windows\SysWOW64\Jbojlfdp.exe

C:\Windows\system32\Jbojlfdp.exe

C:\Windows\SysWOW64\Jhkbdmbg.exe

C:\Windows\system32\Jhkbdmbg.exe

C:\Windows\SysWOW64\Jpbjfjci.exe

C:\Windows\system32\Jpbjfjci.exe

C:\Windows\SysWOW64\Jadgnb32.exe

C:\Windows\system32\Jadgnb32.exe

C:\Windows\SysWOW64\Jeocna32.exe

C:\Windows\system32\Jeocna32.exe

C:\Windows\SysWOW64\Jikoopij.exe

C:\Windows\system32\Jikoopij.exe

C:\Windows\SysWOW64\Jpegkj32.exe

C:\Windows\system32\Jpegkj32.exe

C:\Windows\SysWOW64\Jbccge32.exe

C:\Windows\system32\Jbccge32.exe

C:\Windows\SysWOW64\Jeapcq32.exe

C:\Windows\system32\Jeapcq32.exe

C:\Windows\SysWOW64\Kiphjo32.exe

C:\Windows\system32\Kiphjo32.exe

C:\Windows\SysWOW64\Klndfj32.exe

C:\Windows\system32\Klndfj32.exe

C:\Windows\SysWOW64\Kolabf32.exe

C:\Windows\system32\Kolabf32.exe

C:\Windows\SysWOW64\Kplmliko.exe

C:\Windows\system32\Kplmliko.exe

C:\Windows\SysWOW64\Kpnjah32.exe

C:\Windows\system32\Kpnjah32.exe

C:\Windows\SysWOW64\Kifojnol.exe

C:\Windows\system32\Kifojnol.exe

C:\Windows\SysWOW64\Klekfinp.exe

C:\Windows\system32\Klekfinp.exe

C:\Windows\SysWOW64\Klggli32.exe

C:\Windows\system32\Klggli32.exe

C:\Windows\SysWOW64\Likhem32.exe

C:\Windows\system32\Likhem32.exe

C:\Windows\SysWOW64\Lpepbgbd.exe

C:\Windows\system32\Lpepbgbd.exe

C:\Windows\SysWOW64\Lcclncbh.exe

C:\Windows\system32\Lcclncbh.exe

C:\Windows\SysWOW64\Lebijnak.exe

C:\Windows\system32\Lebijnak.exe

C:\Windows\SysWOW64\Lindkm32.exe

C:\Windows\system32\Lindkm32.exe

C:\Windows\SysWOW64\Lpgmhg32.exe

C:\Windows\system32\Lpgmhg32.exe

C:\Windows\SysWOW64\Lojmcdgl.exe

C:\Windows\system32\Lojmcdgl.exe

C:\Windows\SysWOW64\Ledepn32.exe

C:\Windows\system32\Ledepn32.exe

C:\Windows\SysWOW64\Llnnmhfe.exe

C:\Windows\system32\Llnnmhfe.exe

C:\Windows\SysWOW64\Lpjjmg32.exe

C:\Windows\system32\Lpjjmg32.exe

C:\Windows\SysWOW64\Lchfib32.exe

C:\Windows\system32\Lchfib32.exe

C:\Windows\SysWOW64\Legben32.exe

C:\Windows\system32\Legben32.exe

C:\Windows\SysWOW64\Llqjbhdc.exe

C:\Windows\system32\Llqjbhdc.exe

C:\Windows\SysWOW64\Lckboblp.exe

C:\Windows\system32\Lckboblp.exe

C:\Windows\SysWOW64\Lhgkgijg.exe

C:\Windows\system32\Lhgkgijg.exe

C:\Windows\SysWOW64\Loacdc32.exe

C:\Windows\system32\Loacdc32.exe

C:\Windows\SysWOW64\Lcmodajm.exe

C:\Windows\system32\Lcmodajm.exe

C:\Windows\SysWOW64\Mjggal32.exe

C:\Windows\system32\Mjggal32.exe

C:\Windows\SysWOW64\Mledmg32.exe

C:\Windows\system32\Mledmg32.exe

C:\Windows\SysWOW64\Mablfnne.exe

C:\Windows\system32\Mablfnne.exe

C:\Windows\SysWOW64\Mhldbh32.exe

C:\Windows\system32\Mhldbh32.exe

C:\Windows\SysWOW64\Mpclce32.exe

C:\Windows\system32\Mpclce32.exe

C:\Windows\SysWOW64\Mcaipa32.exe

C:\Windows\system32\Mcaipa32.exe

C:\Windows\SysWOW64\Mljmhflh.exe

C:\Windows\system32\Mljmhflh.exe

C:\Windows\SysWOW64\Mcdeeq32.exe

C:\Windows\system32\Mcdeeq32.exe

C:\Windows\SysWOW64\Mfbaalbi.exe

C:\Windows\system32\Mfbaalbi.exe

C:\Windows\SysWOW64\Mhanngbl.exe

C:\Windows\system32\Mhanngbl.exe

C:\Windows\SysWOW64\Mbibfm32.exe

C:\Windows\system32\Mbibfm32.exe

C:\Windows\SysWOW64\Nblolm32.exe

C:\Windows\system32\Nblolm32.exe

C:\Windows\SysWOW64\Nhegig32.exe

C:\Windows\system32\Nhegig32.exe

C:\Windows\SysWOW64\Nhhdnf32.exe

C:\Windows\system32\Nhhdnf32.exe

C:\Windows\SysWOW64\Nbphglbe.exe

C:\Windows\system32\Nbphglbe.exe

C:\Windows\SysWOW64\Nqaiecjd.exe

C:\Windows\system32\Nqaiecjd.exe

C:\Windows\SysWOW64\Nmhijd32.exe

C:\Windows\system32\Nmhijd32.exe

C:\Windows\SysWOW64\Nfqnbjfi.exe

C:\Windows\system32\Nfqnbjfi.exe

C:\Windows\SysWOW64\Oiagde32.exe

C:\Windows\system32\Oiagde32.exe

C:\Windows\SysWOW64\Ojqcnhkl.exe

C:\Windows\system32\Ojqcnhkl.exe

C:\Windows\SysWOW64\Oqmhqapg.exe

C:\Windows\system32\Oqmhqapg.exe

C:\Windows\SysWOW64\Obnehj32.exe

C:\Windows\system32\Obnehj32.exe

C:\Windows\SysWOW64\Ojemig32.exe

C:\Windows\system32\Ojemig32.exe

C:\Windows\SysWOW64\Opbean32.exe

C:\Windows\system32\Opbean32.exe

C:\Windows\SysWOW64\Ojhiogdd.exe

C:\Windows\system32\Ojhiogdd.exe

C:\Windows\SysWOW64\Omfekbdh.exe

C:\Windows\system32\Omfekbdh.exe

C:\Windows\SysWOW64\Pcpnhl32.exe

C:\Windows\system32\Pcpnhl32.exe

C:\Windows\SysWOW64\Padnaq32.exe

C:\Windows\system32\Padnaq32.exe

C:\Windows\SysWOW64\Pbekii32.exe

C:\Windows\system32\Pbekii32.exe

C:\Windows\SysWOW64\Piocecgj.exe

C:\Windows\system32\Piocecgj.exe

C:\Windows\SysWOW64\Pafkgphl.exe

C:\Windows\system32\Pafkgphl.exe

C:\Windows\SysWOW64\Pcegclgp.exe

C:\Windows\system32\Pcegclgp.exe

C:\Windows\SysWOW64\Pjoppf32.exe

C:\Windows\system32\Pjoppf32.exe

C:\Windows\SysWOW64\Pcgdhkem.exe

C:\Windows\system32\Pcgdhkem.exe

C:\Windows\SysWOW64\Pfepdg32.exe

C:\Windows\system32\Pfepdg32.exe

C:\Windows\SysWOW64\Ppnenlka.exe

C:\Windows\system32\Ppnenlka.exe

C:\Windows\SysWOW64\Pblajhje.exe

C:\Windows\system32\Pblajhje.exe

C:\Windows\SysWOW64\Pififb32.exe

C:\Windows\system32\Pififb32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 8964 -ip 8964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8964 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/4908-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Dokgdkeh.exe

MD5 24aaa9fb0b4110ed9520a3cd5eb57f35
SHA1 469d41b62379c643ca68cca2ee5b079bb67222df
SHA256 2cf293bb800a3167c34792a8ceeb0907c1dd89d78c56defc7c68ac2cb64dd723
SHA512 ca58cd462b8fb64daad22d19cc46e66042ce76332e3fea3f3dccc1225e103a9ac8d0025382fd577a1c397d9421e616f49c7b5df2c87da03dfbff806fd4190fd6

memory/4852-7-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Ddgplado.exe

MD5 1d0f297013ba160f3c0659ad8edaaf54
SHA1 7633eb86529a3537583ff91cddf1d083d97567b4
SHA256 fd9bf0ce707c62a7a796807ea72fb5e86c0daaa497be294b40898a974ee5ec49
SHA512 46b09aeaa476f9a542c1e48237b2cd8991c9105f0e13f8bfeeef9f8af9c484f347b0e658132a521f2031b149431039dd7d33acf11026e145de509d2bdc5a41a3

memory/2272-15-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Dkahilkl.exe

MD5 f044adfbc00aad01e579c2317e9570a3
SHA1 a6ddf91037001e05e1aa2b412c588f2380e7f0da
SHA256 876a1606cf2ebfe18836343aef2c96bb0a78edc4591c1cc53e924403de1c43b2
SHA512 7bd931b6dfdb6455b6c4df4fb24c46c1fc7c0a54b4ffa927197b967e847e08fd1af51214760a711bc9177d77edaa66759d5406791a00599a8abf3ac76822de2d

memory/1384-23-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Dfglfdkb.exe

MD5 0c27396e9614e5b3b5d6821bf89278be
SHA1 ca656bb1456998f7d8730f707acd2131828da600
SHA256 c6acc16a6def64441b09d44b1db7a40f4f50743e0cf49a5a75555b49f6ff80f7
SHA512 ec50074d90b1c4f8bac98afd3aa7ed8e2efc48320828a440c14801a36ce82b6eba3655dbb641fbf2e52190049c717d691d7fa146d78f10cc08ce5a4784a69893

memory/3484-31-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Dmadco32.exe

MD5 c223e9d5a6a544e0a9e316f1887d36a0
SHA1 f7aa1c4800e601b2abb1f0fb5ec5223d9bc5472a
SHA256 3584bc5cf3e2f62569c4c58d998dc1c751736325a5122be93e27fe46e5c68fb9
SHA512 4652ddeeacb99640963f116a0fdb6b4ba46d1ed33773e7b400f1797554a19ad7714c0fa68d01a218b3d43bbe2a5e13cd65f768e0365e2ee3a28405b5eaac9c7a

memory/2932-39-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Dnbakghm.exe

MD5 5d52f02595dfea1287ea10ca22410577
SHA1 6cc00b05f375c6e737e577944e471532f6607744
SHA256 500819f18f15d64078c53d01856c926abf8fc9dd1bba316675f3a88d01e2bd37
SHA512 df2c9c8bc74247a9cd4d3d794be091c7b8837ffb3fb7eddb7593a4957e69475c4b587b5b841b44003864ac32ab30c3635fc8dd52e08fd7d81d1c76ad5e48b389

memory/3940-47-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Digehphc.exe

MD5 9d4661dd29313e9a2ced44a03bccbf9f
SHA1 a9e6fd780b6713c6f8bc7a21874fca75455484fe
SHA256 7e076dcf8d7efca3d074588065fb5debbae885ec36c7514a5e1a463aae2a6375
SHA512 d634cb2f57b5713e57a6473d43777e5d12004029a4e7e6af18e2283689fd60c9ea638f129194edba74a6894283ea69aab87a74f386a4e913e746292b1231d450

memory/4324-55-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Doaneiop.exe

MD5 e9cc9c047cb26b5317145fb4aa5a0fca
SHA1 940696c16b7a01838c91f21d229c837c8b07523b
SHA256 2361b23397f778fcbd2bd3e191c49b038a8459bf4a11c5ecb903573d03c4ae63
SHA512 910ff18f4fddbd932444aa8ef34f18bc7f017b56d96bfc6e03054a7c27fd8bd6582500587b0e1b0a3a76ee6a70fc86e1a998342a178ef9c2ca3c088f28302e9f

memory/2532-63-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Ddnfmqng.exe

MD5 39af695fe90276ad7e7a522c0a579fec
SHA1 3569b94eabf1e5eb65f41be8c137cebcb12f07b1
SHA256 2ee37fc90c22c91d94c80bdb4a6ea0ba2c8ea6a5504012322b7b5c455d9e9333
SHA512 e6a77706dd7257d0a748f977899ffd3cbf5c972ae7fd67e0cc6078ca64a17526b62c1eb54d7398ce14bef28a4c6f6bc90183bcd0861a324325a118606dcfe8cf

memory/4848-71-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Dodjjimm.exe

MD5 15749e9d789cc61a9d5a055b4bac6523
SHA1 3b5a934bb22ce969fdd7f97c91cc216b4fd171a2
SHA256 468a1bc70319181ca4c1ad8e19145cfdffe0002f0b12a507c55f4da583a7d66f
SHA512 fd0b0c0269a463c54f009e8bdbebb9f3821146259d7e28b606eb3dc8a6e73d9e53d31d0c499f53b457d369f6d1aa4d2b4a37d425771162ff2268211a8e5cfa2a

memory/4148-79-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Deqcbpld.exe

MD5 80d6057d59e07d69262327cec0ca25c2
SHA1 5c8c462a2e934333a208765ea2aa93790d3b15aa
SHA256 651a3b005c62c62aded37a9f2ffb67538948a022e281dac2415de6f332fcb07e
SHA512 eb62e226f750c4501847d68340edc16e4d2828466bb77f07c4631e28b53f14666b22ea631efb35c4f19bdfc1e9c42e02743c58542f899e165650b75a89040847

memory/2108-87-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Ekkkoj32.exe

MD5 dd5275ccd78a1641cf8cee90c54085ae
SHA1 b7e1f80003cafc536f63a2f38d8d75e4bfd1915a
SHA256 e34180ec8c7b3dbbdfa17911ac1b04e54f8f07be5a10ce124c00f5f42986fef2
SHA512 5ea7f218da0bd7bcd8ef7bfa9ffd9df6cebbb82525fe7f71f17aa9775ec9f2d6257aa9b95a625a6d8e4fdb1e7852bc3cf12c121d62626c7008d4704b234922ab

memory/1956-95-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Ebdcld32.exe

MD5 65e5c19122648e6f4378d1aa92bae063
SHA1 08e31e6c4362f706bf67c36ab02a1090dd14b93f
SHA256 e09b4604fa84ea6274cfa9dde084b415fe60b6de7a1b8b0fc37e3e976a1ea8b9
SHA512 319fabc49ec015262905e1678d4ca80457a8978a1d4984a8c2ca8ff1407520eb9fbf681e8c3f71f413a2a3f8f7ff03b6288bc81f044ac408f160bdebdc6178d3

memory/844-103-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Ekmhejao.exe

MD5 57e252e45c23bc6e0403aaf980538dc5
SHA1 1f425db790143c1a58d48bf49ab4a39535592c72
SHA256 fd75b0c42f12e814086187949b9a646cad5101c8a382335fdb8c7d152f08dcfd
SHA512 85de555228673465a04f9d2cb0b7034e28bd5ae212f90b8ed3c8214141c474bfd4cacfc58e636abfeb44bc2efb2b5b79360d49b64d6256f6ce3369de5c01ae24

memory/3316-111-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4416-119-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Enkdaepb.exe

C:\Windows\SysWOW64\Eeelnp32.exe

C:\Windows\SysWOW64\Eokqkh32.exe

C:\Windows\SysWOW64\Ebimgcfi.exe

C:\Windows\SysWOW64\Emoadlfo.exe

C:\Windows\SysWOW64\Enpmld32.exe

C:\Windows\SysWOW64\Eifaim32.exe

C:\Windows\SysWOW64\Ekdnei32.exe

C:\Windows\SysWOW64\Enbjad32.exe

C:\Windows\SysWOW64\Fihnomjp.exe

C:\Windows\SysWOW64\Flfkkhid.exe

C:\Windows\SysWOW64\Fneggdhg.exe

C:\Windows\SysWOW64\Fijkdmhn.exe

C:\Windows\SysWOW64\Fligqhga.exe

C:\Windows\SysWOW64\Fbbpmb32.exe

C:\Windows\SysWOW64\Fealin32.exe

C:\Windows\SysWOW64\Fpgpgfmh.exe

C:\Windows\SysWOW64\Fiodpl32.exe

C:\Windows\SysWOW64\Iipfmggc.exe

C:\Windows\SysWOW64\Ilcldb32.exe

C:\Windows\SysWOW64\Jmbhoeid.exe

C:\Windows\SysWOW64\Komhll32.exe

C:\Windows\SysWOW64\Lfbped32.exe

C:\Windows\SysWOW64\Llodgnja.exe

C:\Windows\SysWOW64\Lcnfohmi.exe

C:\Windows\SysWOW64\Mnegbp32.exe

C:\Windows\SysWOW64\Mmkdcm32.exe

C:\Windows\SysWOW64\Mcgiefen.exe

C:\Windows\SysWOW64\Mjcngpjh.exe

C:\Windows\SysWOW64\Ocgbld32.exe

C:\Windows\SysWOW64\Ondljl32.exe

C:\Windows\SysWOW64\Qdoacabq.exe

C:\Windows\SysWOW64\Akkffkhk.exe

C:\Windows\SysWOW64\Ahaceo32.exe

C:\Windows\SysWOW64\Aggpfkjj.exe

C:\Windows\SysWOW64\Akdilipp.exe

C:\Windows\SysWOW64\Bobabg32.exe

C:\Windows\SysWOW64\Bklomh32.exe

C:\Windows\SysWOW64\Cgifbhid.exe

C:\Windows\SysWOW64\Chkobkod.exe

C:\Windows\SysWOW64\Dhbebj32.exe

C:\Windows\SysWOW64\Dhikci32.exe

C:\Windows\SysWOW64\Eoepebho.exe

C:\Windows\SysWOW64\Gbiockdj.exe

C:\Windows\SysWOW64\Gnpphljo.exe

C:\Windows\SysWOW64\Glhimp32.exe

C:\Windows\SysWOW64\Hlkfbocp.exe

C:\Windows\SysWOW64\Hecjke32.exe

C:\Windows\SysWOW64\Hajkqfoe.exe

C:\Windows\SysWOW64\Hnnljj32.exe

C:\Windows\SysWOW64\Iogopi32.exe

C:\Windows\SysWOW64\Ilnlom32.exe

C:\Windows\SysWOW64\Iehmmb32.exe

C:\Windows\SysWOW64\Jeapcq32.exe

C:\Windows\SysWOW64\Kolabf32.exe

C:\Windows\SysWOW64\Kpnjah32.exe

C:\Windows\SysWOW64\Lckboblp.exe

C:\Windows\SysWOW64\Mjggal32.exe

C:\Windows\SysWOW64\Nhhdnf32.exe

C:\Windows\SysWOW64\Oiagde32.exe

C:\Windows\SysWOW64\Ojqcnhkl.exe

C:\Windows\SysWOW64\Ojhiogdd.exe

C:\Windows\SysWOW64\Padnaq32.exe

C:\Windows\SysWOW64\Pjoppf32.exe

C:\Windows\SysWOW64\Ppnenlka.exe

C:\Windows\SysWOW64\Pififb32.exe
