Malware Analysis Report

2025-06-15 22:55

Sample ID: 241109-gpyprayhlq
Target: 44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N
SHA256: 44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5
Tags: berbew backdoor discovery persistence
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5
Threat Level: Known bad

The file 44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N was found to be: Known bad.

Malicious Activity Summary

Tags: berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup
Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 05:59

Signatures

Berbew family
Tags: berbew

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-09 05:59
Reported: 2024-11-09 06:01
Platform: win10v2004-20241007-en
Max time kernel: 94s
Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup
Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bagflcje.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfpnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ojoign32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pmannhhj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pcncpbmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qqfmde32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aeniabfd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogkcpbam.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ojoign32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjhlml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qgqeappe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aqkgpedc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agglboim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Afhohlbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bjagjhnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Calhnpgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pjcbbmif.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pgnilpah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cnkplejl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Daconoae.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Opdghh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bgcknmop.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjagjhnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ceckcp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Accfbokl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aqncedbp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Beeoaapl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ocnjidkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ojgbfocc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Odapnf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qcgffqei.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dogogcpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cndikf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ocnjidkf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmidog32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qjoankoi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajanck32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Npmagine.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmannhhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pfolbmje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dfnjafap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Amddjegd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cdabcm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmqmma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dmcibama.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Onhhamgg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogpmjb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qqijje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ajkaii32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njefqo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajkaii32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfdodjhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Beeoaapl.exe N/A

Berbew
Tags: backdoor berbew

Berbew family
Tags: berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Npmagine.exe N/A
N/A N/A C:\Windows\SysWOW64\Nggjdc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njefqo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olcbmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocnjidkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Oflgep32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojgbfocc.exe N/A
N/A N/A C:\Windows\SysWOW64\Opakbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogkcpbam.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofnckp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oneklm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Opdghh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ognpebpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Onhhamgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Odapnf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogpmjb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojoign32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqhacgdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogbipa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojaelm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pnlaml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqknig32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfhfan32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjcbbmif.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmannhhj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pggbkagp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjeoglgc.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcncpbmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjhlml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqbdjfln.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdmpje32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfolbmje.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjjhbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmidog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdpmpdbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgnilpah.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfaigm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qmkadgpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Qqfmde32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qceiaa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgqeappe.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjoankoi.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnjnnj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qqijje32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcgffqei.exe N/A
N/A N/A C:\Windows\SysWOW64\Qffbbldm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajanck32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ampkof32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqkgpedc.exe N/A
N/A N/A C:\Windows\SysWOW64\Acjclpcf.exe N/A
N/A N/A C:\Windows\SysWOW64\Afhohlbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Anogiicl.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqncedbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeiofcji.exe N/A
N/A N/A C:\Windows\SysWOW64\Agglboim.exe N/A
N/A N/A C:\Windows\SysWOW64\Afjlnk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Anadoi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amddjegd.exe N/A
N/A N/A C:\Windows\SysWOW64\Acnlgp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajhddjfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Amgapeea.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeniabfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Aglemn32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Cnkplejl.exe C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmannhhj.exe C:\Windows\SysWOW64\Pjcbbmif.exe N/A
File opened for modification C:\Windows\SysWOW64\Qjoankoi.exe C:\Windows\SysWOW64\Qgqeappe.exe N/A
File created C:\Windows\SysWOW64\Afhohlbj.exe C:\Windows\SysWOW64\Acjclpcf.exe N/A
File opened for modification C:\Windows\SysWOW64\Acnlgp32.exe C:\Windows\SysWOW64\Amddjegd.exe N/A
File created C:\Windows\SysWOW64\Cmiflbel.exe C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmiflbel.exe C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
File created C:\Windows\SysWOW64\Dejacond.exe C:\Windows\SysWOW64\Dmcibama.exe N/A
File created C:\Windows\SysWOW64\Dhmgki32.exe C:\Windows\SysWOW64\Deokon32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pqpgdfnp.exe C:\Windows\SysWOW64\Pjeoglgc.exe N/A
File opened for modification C:\Windows\SysWOW64\Acjclpcf.exe C:\Windows\SysWOW64\Aqkgpedc.exe N/A
File created C:\Windows\SysWOW64\Aeniabfd.exe C:\Windows\SysWOW64\Amgapeea.exe N/A
File created C:\Windows\SysWOW64\Aglemn32.exe C:\Windows\SysWOW64\Aeniabfd.exe N/A
File created C:\Windows\SysWOW64\Elkadb32.dll C:\Windows\SysWOW64\Deagdn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjddphlq.exe C:\Windows\SysWOW64\Beglgani.exe N/A
File created C:\Windows\SysWOW64\Cdabcm32.exe C:\Windows\SysWOW64\Cabfga32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceqnmpfo.exe C:\Windows\SysWOW64\Cmiflbel.exe N/A
File created C:\Windows\SysWOW64\Clghpklj.dll C:\Windows\SysWOW64\Cmnpgb32.exe N/A
File created C:\Windows\SysWOW64\Pmannhhj.exe C:\Windows\SysWOW64\Pjcbbmif.exe N/A
File created C:\Windows\SysWOW64\Aoqimi32.dll C:\Windows\SysWOW64\Qcgffqei.exe N/A
File created C:\Windows\SysWOW64\Acjclpcf.exe C:\Windows\SysWOW64\Aqkgpedc.exe N/A
File created C:\Windows\SysWOW64\Hjlena32.dll C:\Windows\SysWOW64\Amgapeea.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhmgki32.exe C:\Windows\SysWOW64\Deokon32.exe N/A
File created C:\Windows\SysWOW64\Nokpao32.dll C:\Windows\SysWOW64\Dgbdlf32.exe N/A
File created C:\Windows\SysWOW64\Cfdhkhjj.exe C:\Windows\SysWOW64\Chagok32.exe N/A
File created C:\Windows\SysWOW64\Jgilhm32.dll C:\Windows\SysWOW64\Chcddk32.exe N/A
File created C:\Windows\SysWOW64\Ingfla32.dll C:\Windows\SysWOW64\Cjbpaf32.exe N/A
File created C:\Windows\SysWOW64\Poahbe32.dll C:\Windows\SysWOW64\Ddonekbl.exe N/A
File opened for modification C:\Windows\SysWOW64\Aqkgpedc.exe C:\Windows\SysWOW64\Ampkof32.exe N/A
File created C:\Windows\SysWOW64\Ljbncc32.dll C:\Windows\SysWOW64\Ajkaii32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfdodjhm.exe C:\Windows\SysWOW64\Bganhm32.exe N/A
File created C:\Windows\SysWOW64\Jhbffb32.dll C:\Windows\SysWOW64\Bfkedibe.exe N/A
File created C:\Windows\SysWOW64\Kdqjac32.dll C:\Windows\SysWOW64\Cmiflbel.exe N/A
File opened for modification C:\Windows\SysWOW64\Pqknig32.exe C:\Windows\SysWOW64\Pnlaml32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aeiofcji.exe C:\Windows\SysWOW64\Aqncedbp.exe N/A
File created C:\Windows\SysWOW64\Mgbpghdn.dll C:\Windows\SysWOW64\Aadifclh.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmpcfdmg.exe C:\Windows\SysWOW64\Bjagjhnc.exe N/A
File created C:\Windows\SysWOW64\Fnmnbf32.dll C:\Windows\SysWOW64\Dfnjafap.exe N/A
File created C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Dknpmdfc.exe N/A
File opened for modification C:\Windows\SysWOW64\Ojaelm32.exe C:\Windows\SysWOW64\Ogbipa32.exe N/A
File created C:\Windows\SysWOW64\Aqncedbp.exe C:\Windows\SysWOW64\Anogiicl.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfpnph32.exe C:\Windows\SysWOW64\Cdabcm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnkplejl.exe C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
File created C:\Windows\SysWOW64\Jmmmebhb.dll C:\Windows\SysWOW64\Agglboim.exe N/A
File created C:\Windows\SysWOW64\Bagflcje.exe C:\Windows\SysWOW64\Bnhjohkb.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmqmma32.exe C:\Windows\SysWOW64\Cnnlaehj.exe N/A
File created C:\Windows\SysWOW64\Dgbdlf32.exe C:\Windows\SysWOW64\Dhocqigp.exe N/A
File opened for modification C:\Windows\SysWOW64\Chagok32.exe C:\Windows\SysWOW64\Ceckcp32.exe N/A
File created C:\Windows\SysWOW64\Okgoadbf.dll C:\Windows\SysWOW64\Cnnlaehj.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmcibama.exe C:\Windows\SysWOW64\Djdmffnn.exe N/A
File created C:\Windows\SysWOW64\Booogccm.dll C:\Windows\SysWOW64\Ogkcpbam.exe N/A
File opened for modification C:\Windows\SysWOW64\Ogbipa32.exe C:\Windows\SysWOW64\Oqhacgdh.exe N/A
File opened for modification C:\Windows\SysWOW64\Pfaigm32.exe C:\Windows\SysWOW64\Pgnilpah.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfmajipb.exe C:\Windows\SysWOW64\Belebq32.exe N/A
File created C:\Windows\SysWOW64\Npmagine.exe C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe N/A
File created C:\Windows\SysWOW64\Qfbgbeai.dll C:\Windows\SysWOW64\Odapnf32.exe N/A
File created C:\Windows\SysWOW64\Nlaqpipg.dll C:\Windows\SysWOW64\Pcncpbmd.exe N/A
File created C:\Windows\SysWOW64\Ceehho32.exe C:\Windows\SysWOW64\Cajlhqjp.exe N/A
File created C:\Windows\SysWOW64\Gfnphnen.dll C:\Windows\SysWOW64\Afjlnk32.exe N/A
File created C:\Windows\SysWOW64\Ghilmi32.dll C:\Windows\SysWOW64\Chagok32.exe N/A
File created C:\Windows\SysWOW64\Cajlhqjp.exe C:\Windows\SysWOW64\Cmnpgb32.exe N/A
File created C:\Windows\SysWOW64\Deagdn32.exe C:\Windows\SysWOW64\Daekdooc.exe N/A
File created C:\Windows\SysWOW64\Mbpfgbfp.dll C:\Windows\SysWOW64\Anadoi32.exe N/A
File created C:\Windows\SysWOW64\Ladjgikj.dll C:\Windows\SysWOW64\Ofnckp32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery
Tags: discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njefqo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opdghh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ognpebpj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfhfan32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfolbmje.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qqijje32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Onhhamgg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pgnilpah.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qgqeappe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pjhlml32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qffbbldm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Calhnpgn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcncpbmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdmpje32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amddjegd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aglemn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Delnin32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojgbfocc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhhdil32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfmajipb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daconoae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daekdooc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pqknig32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aadifclh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beglgani.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceehho32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oneklm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pqbdjfln.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdpmpdbd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djdmffnn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afhohlbj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anadoi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bapiabak.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chokikeb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Deokon32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfaigm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajkaii32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bebblb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oflgep32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beihma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cagobalc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfknkg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmidog32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ampkof32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogkcpbam.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmannhhj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qcgffqei.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Accfbokl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhmgki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aeiofcji.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmiflbel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aqncedbp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beeoaapl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qmkadgpo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfabnjjp.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll" C:\Windows\SysWOW64\Daekdooc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Njefqo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Odapnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll" C:\Windows\SysWOW64\Ogpmjb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Accfbokl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Delnin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ogkcpbam.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Opdghh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qjoankoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojgbfocc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oneklm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll" C:\Windows\SysWOW64\Belebq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cndikf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dmcibama.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qceiaa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll" C:\Windows\SysWOW64\Anogiicl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Amgapeea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Anogiicl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll" C:\Windows\SysWOW64\Ceehho32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Olcbmj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pjcbbmif.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pfolbmje.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qmkadgpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll" C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Chcddk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qqfmde32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qnjnnj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll" C:\Windows\SysWOW64\Ampkof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aeiofcji.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Aadifclh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Calhnpgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfiafg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll" C:\Windows\SysWOW64\Nggjdc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll" C:\Windows\SysWOW64\Pcncpbmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajanck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll" C:\Windows\SysWOW64\Amddjegd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll" C:\Windows\SysWOW64\Aadifclh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Belebq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qgqeappe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qjoankoi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aqncedbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll" C:\Windows\SysWOW64\Accfbokl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bfdodjhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll" C:\Windows\SysWOW64\Pmannhhj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pfaigm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ajanck32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Aeniabfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmcibama.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfpnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll" C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll" C:\Windows\SysWOW64\Dfiafg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Opakbi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Odapnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll" C:\Windows\SysWOW64\Pjeoglgc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Anadoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll" C:\Windows\SysWOW64\Bebblb32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4000 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe C:\Windows\SysWOW64\Npmagine.exe
PID 4000 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe C:\Windows\SysWOW64\Npmagine.exe
PID 4000 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe C:\Windows\SysWOW64\Npmagine.exe
PID 3600 wrote to memory of 3440 N/A C:\Windows\SysWOW64\Npmagine.exe C:\Windows\SysWOW64\Nggjdc32.exe
PID 3600 wrote to memory of 3440 N/A C:\Windows\SysWOW64\Npmagine.exe C:\Windows\SysWOW64\Nggjdc32.exe
PID 3600 wrote to memory of 3440 N/A C:\Windows\SysWOW64\Npmagine.exe C:\Windows\SysWOW64\Nggjdc32.exe
PID 3440 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Nggjdc32.exe C:\Windows\SysWOW64\Njefqo32.exe
PID 3440 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Nggjdc32.exe C:\Windows\SysWOW64\Njefqo32.exe
PID 3440 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Nggjdc32.exe C:\Windows\SysWOW64\Njefqo32.exe
PID 2440 wrote to memory of 4828 N/A C:\Windows\SysWOW64\Njefqo32.exe C:\Windows\SysWOW64\Olcbmj32.exe
PID 2440 wrote to memory of 4828 N/A C:\Windows\SysWOW64\Njefqo32.exe C:\Windows\SysWOW64\Olcbmj32.exe
PID 2440 wrote to memory of 4828 N/A C:\Windows\SysWOW64\Njefqo32.exe C:\Windows\SysWOW64\Olcbmj32.exe
PID 4828 wrote to memory of 1264 N/A C:\Windows\SysWOW64\Olcbmj32.exe C:\Windows\SysWOW64\Ocnjidkf.exe
PID 4828 wrote to memory of 1264 N/A C:\Windows\SysWOW64\Olcbmj32.exe C:\Windows\SysWOW64\Ocnjidkf.exe
PID 4828 wrote to memory of 1264 N/A C:\Windows\SysWOW64\Olcbmj32.exe C:\Windows\SysWOW64\Ocnjidkf.exe
PID 1264 wrote to memory of 4984 N/A C:\Windows\SysWOW64\Ocnjidkf.exe C:\Windows\SysWOW64\Oflgep32.exe
PID 1264 wrote to memory of 4984 N/A C:\Windows\SysWOW64\Ocnjidkf.exe C:\Windows\SysWOW64\Oflgep32.exe
PID 1264 wrote to memory of 4984 N/A C:\Windows\SysWOW64\Ocnjidkf.exe C:\Windows\SysWOW64\Oflgep32.exe
PID 4984 wrote to memory of 864 N/A C:\Windows\SysWOW64\Oflgep32.exe C:\Windows\SysWOW64\Ojgbfocc.exe
PID 4984 wrote to memory of 864 N/A C:\Windows\SysWOW64\Oflgep32.exe C:\Windows\SysWOW64\Ojgbfocc.exe
PID 4984 wrote to memory of 864 N/A C:\Windows\SysWOW64\Oflgep32.exe C:\Windows\SysWOW64\Ojgbfocc.exe
PID 864 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Ojgbfocc.exe C:\Windows\SysWOW64\Opakbi32.exe
PID 864 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Ojgbfocc.exe C:\Windows\SysWOW64\Opakbi32.exe
PID 864 wrote to memory of 2552 N/A C:\Windows\SysWOW64\Ojgbfocc.exe C:\Windows\SysWOW64\Opakbi32.exe
PID 2552 wrote to memory of 4776 N/A C:\Windows\SysWOW64\Opakbi32.exe C:\Windows\SysWOW64\Ogkcpbam.exe
PID 2552 wrote to memory of 4776 N/A C:\Windows\SysWOW64\Opakbi32.exe C:\Windows\SysWOW64\Ogkcpbam.exe
PID 2552 wrote to memory of 4776 N/A C:\Windows\SysWOW64\Opakbi32.exe C:\Windows\SysWOW64\Ogkcpbam.exe
PID 4776 wrote to memory of 3888 N/A C:\Windows\SysWOW64\Ogkcpbam.exe C:\Windows\SysWOW64\Ofnckp32.exe
PID 4776 wrote to memory of 3888 N/A C:\Windows\SysWOW64\Ogkcpbam.exe C:\Windows\SysWOW64\Ofnckp32.exe
PID 4776 wrote to memory of 3888 N/A C:\Windows\SysWOW64\Ogkcpbam.exe C:\Windows\SysWOW64\Ofnckp32.exe
PID 3888 wrote to memory of 4044 N/A C:\Windows\SysWOW64\Ofnckp32.exe C:\Windows\SysWOW64\Oneklm32.exe
PID 3888 wrote to memory of 4044 N/A C:\Windows\SysWOW64\Ofnckp32.exe C:\Windows\SysWOW64\Oneklm32.exe
PID 3888 wrote to memory of 4044 N/A C:\Windows\SysWOW64\Ofnckp32.exe C:\Windows\SysWOW64\Oneklm32.exe
PID 4044 wrote to memory of 3356 N/A C:\Windows\SysWOW64\Oneklm32.exe C:\Windows\SysWOW64\Opdghh32.exe
PID 4044 wrote to memory of 3356 N/A C:\Windows\SysWOW64\Oneklm32.exe C:\Windows\SysWOW64\Opdghh32.exe
PID 4044 wrote to memory of 3356 N/A C:\Windows\SysWOW64\Oneklm32.exe C:\Windows\SysWOW64\Opdghh32.exe
PID 3356 wrote to memory of 400 N/A C:\Windows\SysWOW64\Opdghh32.exe C:\Windows\SysWOW64\Ognpebpj.exe
PID 3356 wrote to memory of 400 N/A C:\Windows\SysWOW64\Opdghh32.exe C:\Windows\SysWOW64\Ognpebpj.exe
PID 3356 wrote to memory of 400 N/A C:\Windows\SysWOW64\Opdghh32.exe C:\Windows\SysWOW64\Ognpebpj.exe
PID 400 wrote to memory of 412 N/A C:\Windows\SysWOW64\Ognpebpj.exe C:\Windows\SysWOW64\Onhhamgg.exe
PID 400 wrote to memory of 412 N/A C:\Windows\SysWOW64\Ognpebpj.exe C:\Windows\SysWOW64\Onhhamgg.exe
PID 400 wrote to memory of 412 N/A C:\Windows\SysWOW64\Ognpebpj.exe C:\Windows\SysWOW64\Onhhamgg.exe
PID 412 wrote to memory of 876 N/A C:\Windows\SysWOW64\Onhhamgg.exe C:\Windows\SysWOW64\Odapnf32.exe
PID 412 wrote to memory of 876 N/A C:\Windows\SysWOW64\Onhhamgg.exe C:\Windows\SysWOW64\Odapnf32.exe
PID 412 wrote to memory of 876 N/A C:\Windows\SysWOW64\Onhhamgg.exe C:\Windows\SysWOW64\Odapnf32.exe
PID 876 wrote to memory of 5028 N/A C:\Windows\SysWOW64\Odapnf32.exe C:\Windows\SysWOW64\Ogpmjb32.exe
PID 876 wrote to memory of 5028 N/A C:\Windows\SysWOW64\Odapnf32.exe C:\Windows\SysWOW64\Ogpmjb32.exe
PID 876 wrote to memory of 5028 N/A C:\Windows\SysWOW64\Odapnf32.exe C:\Windows\SysWOW64\Ogpmjb32.exe
PID 5028 wrote to memory of 3280 N/A C:\Windows\SysWOW64\Ogpmjb32.exe C:\Windows\SysWOW64\Ojoign32.exe
PID 5028 wrote to memory of 3280 N/A C:\Windows\SysWOW64\Ogpmjb32.exe C:\Windows\SysWOW64\Ojoign32.exe
PID 5028 wrote to memory of 3280 N/A C:\Windows\SysWOW64\Ogpmjb32.exe C:\Windows\SysWOW64\Ojoign32.exe
PID 3280 wrote to memory of 1772 N/A C:\Windows\SysWOW64\Ojoign32.exe C:\Windows\SysWOW64\Oqhacgdh.exe
PID 3280 wrote to memory of 1772 N/A C:\Windows\SysWOW64\Ojoign32.exe C:\Windows\SysWOW64\Oqhacgdh.exe
PID 3280 wrote to memory of 1772 N/A C:\Windows\SysWOW64\Ojoign32.exe C:\Windows\SysWOW64\Oqhacgdh.exe
PID 1772 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Oqhacgdh.exe C:\Windows\SysWOW64\Ogbipa32.exe
PID 1772 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Oqhacgdh.exe C:\Windows\SysWOW64\Ogbipa32.exe
PID 1772 wrote to memory of 2548 N/A C:\Windows\SysWOW64\Oqhacgdh.exe C:\Windows\SysWOW64\Ogbipa32.exe
PID 2548 wrote to memory of 2956 N/A C:\Windows\SysWOW64\Ogbipa32.exe C:\Windows\SysWOW64\Ojaelm32.exe
PID 2548 wrote to memory of 2956 N/A C:\Windows\SysWOW64\Ogbipa32.exe C:\Windows\SysWOW64\Ojaelm32.exe
PID 2548 wrote to memory of 2956 N/A C:\Windows\SysWOW64\Ogbipa32.exe C:\Windows\SysWOW64\Ojaelm32.exe
PID 2956 wrote to memory of 1944 N/A C:\Windows\SysWOW64\Ojaelm32.exe C:\Windows\SysWOW64\Pnlaml32.exe
PID 2956 wrote to memory of 1944 N/A C:\Windows\SysWOW64\Ojaelm32.exe C:\Windows\SysWOW64\Pnlaml32.exe
PID 2956 wrote to memory of 1944 N/A C:\Windows\SysWOW64\Ojaelm32.exe C:\Windows\SysWOW64\Pnlaml32.exe
PID 1944 wrote to memory of 2128 N/A C:\Windows\SysWOW64\Pnlaml32.exe C:\Windows\SysWOW64\Pqknig32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe

"C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe"

C:\Windows\SysWOW64\Npmagine.exe

C:\Windows\system32\Npmagine.exe

C:\Windows\SysWOW64\Nggjdc32.exe

C:\Windows\system32\Nggjdc32.exe

C:\Windows\SysWOW64\Njefqo32.exe

C:\Windows\system32\Njefqo32.exe

C:\Windows\SysWOW64\Olcbmj32.exe

C:\Windows\system32\Olcbmj32.exe

C:\Windows\SysWOW64\Ocnjidkf.exe

C:\Windows\system32\Ocnjidkf.exe

C:\Windows\SysWOW64\Oflgep32.exe

C:\Windows\system32\Oflgep32.exe

C:\Windows\SysWOW64\Ojgbfocc.exe

C:\Windows\system32\Ojgbfocc.exe

C:\Windows\SysWOW64\Opakbi32.exe

C:\Windows\system32\Opakbi32.exe

C:\Windows\SysWOW64\Ogkcpbam.exe

C:\Windows\system32\Ogkcpbam.exe

C:\Windows\SysWOW64\Ofnckp32.exe

C:\Windows\system32\Ofnckp32.exe

C:\Windows\SysWOW64\Oneklm32.exe

C:\Windows\system32\Oneklm32.exe

C:\Windows\SysWOW64\Opdghh32.exe

C:\Windows\system32\Opdghh32.exe

C:\Windows\SysWOW64\Ognpebpj.exe

C:\Windows\system32\Ognpebpj.exe

C:\Windows\SysWOW64\Onhhamgg.exe

C:\Windows\system32\Onhhamgg.exe

C:\Windows\SysWOW64\Odapnf32.exe

C:\Windows\system32\Odapnf32.exe

C:\Windows\SysWOW64\Ogpmjb32.exe

C:\Windows\system32\Ogpmjb32.exe

C:\Windows\SysWOW64\Ojoign32.exe

C:\Windows\system32\Ojoign32.exe

C:\Windows\SysWOW64\Oqhacgdh.exe

C:\Windows\system32\Oqhacgdh.exe

C:\Windows\SysWOW64\Ogbipa32.exe

C:\Windows\system32\Ogbipa32.exe

C:\Windows\SysWOW64\Ojaelm32.exe

C:\Windows\system32\Ojaelm32.exe

C:\Windows\SysWOW64\Pnlaml32.exe

C:\Windows\system32\Pnlaml32.exe

C:\Windows\SysWOW64\Pqknig32.exe

C:\Windows\system32\Pqknig32.exe

C:\Windows\SysWOW64\Pfhfan32.exe

C:\Windows\system32\Pfhfan32.exe

C:\Windows\SysWOW64\Pjcbbmif.exe

C:\Windows\system32\Pjcbbmif.exe

C:\Windows\SysWOW64\Pmannhhj.exe

C:\Windows\system32\Pmannhhj.exe

C:\Windows\SysWOW64\Pggbkagp.exe

C:\Windows\system32\Pggbkagp.exe

C:\Windows\SysWOW64\Pjeoglgc.exe

C:\Windows\system32\Pjeoglgc.exe

C:\Windows\SysWOW64\Pqpgdfnp.exe

C:\Windows\system32\Pqpgdfnp.exe

C:\Windows\SysWOW64\Pcncpbmd.exe

C:\Windows\system32\Pcncpbmd.exe

C:\Windows\SysWOW64\Pjhlml32.exe

C:\Windows\system32\Pjhlml32.exe

C:\Windows\SysWOW64\Pqbdjfln.exe

C:\Windows\system32\Pqbdjfln.exe

C:\Windows\SysWOW64\Pdmpje32.exe

C:\Windows\system32\Pdmpje32.exe

C:\Windows\SysWOW64\Pfolbmje.exe

C:\Windows\system32\Pfolbmje.exe

C:\Windows\SysWOW64\Pjjhbl32.exe

C:\Windows\system32\Pjjhbl32.exe

C:\Windows\SysWOW64\Pmidog32.exe

C:\Windows\system32\Pmidog32.exe

C:\Windows\SysWOW64\Pdpmpdbd.exe

C:\Windows\system32\Pdpmpdbd.exe

C:\Windows\SysWOW64\Pgnilpah.exe

C:\Windows\system32\Pgnilpah.exe

C:\Windows\SysWOW64\Pfaigm32.exe

C:\Windows\system32\Pfaigm32.exe

C:\Windows\SysWOW64\Qmkadgpo.exe

C:\Windows\system32\Qmkadgpo.exe

C:\Windows\SysWOW64\Qqfmde32.exe

C:\Windows\system32\Qqfmde32.exe

C:\Windows\SysWOW64\Qceiaa32.exe

C:\Windows\system32\Qceiaa32.exe

C:\Windows\SysWOW64\Qgqeappe.exe

C:\Windows\system32\Qgqeappe.exe

C:\Windows\SysWOW64\Qjoankoi.exe

C:\Windows\system32\Qjoankoi.exe

C:\Windows\SysWOW64\Qnjnnj32.exe

C:\Windows\system32\Qnjnnj32.exe

C:\Windows\SysWOW64\Qqijje32.exe

C:\Windows\system32\Qqijje32.exe

C:\Windows\SysWOW64\Qcgffqei.exe

C:\Windows\system32\Qcgffqei.exe

C:\Windows\SysWOW64\Qffbbldm.exe

C:\Windows\system32\Qffbbldm.exe

C:\Windows\SysWOW64\Ajanck32.exe

C:\Windows\system32\Ajanck32.exe

C:\Windows\SysWOW64\Ampkof32.exe

C:\Windows\system32\Ampkof32.exe

C:\Windows\SysWOW64\Aqkgpedc.exe

C:\Windows\system32\Aqkgpedc.exe

C:\Windows\SysWOW64\Acjclpcf.exe

C:\Windows\system32\Acjclpcf.exe

C:\Windows\SysWOW64\Afhohlbj.exe

C:\Windows\system32\Afhohlbj.exe

C:\Windows\SysWOW64\Anogiicl.exe

C:\Windows\system32\Anogiicl.exe

C:\Windows\SysWOW64\Aqncedbp.exe

C:\Windows\system32\Aqncedbp.exe

C:\Windows\SysWOW64\Aeiofcji.exe

C:\Windows\system32\Aeiofcji.exe

C:\Windows\SysWOW64\Agglboim.exe

C:\Windows\system32\Agglboim.exe

C:\Windows\SysWOW64\Afjlnk32.exe

C:\Windows\system32\Afjlnk32.exe

C:\Windows\SysWOW64\Anadoi32.exe

C:\Windows\system32\Anadoi32.exe

C:\Windows\SysWOW64\Amddjegd.exe

C:\Windows\system32\Amddjegd.exe

C:\Windows\SysWOW64\Acnlgp32.exe

C:\Windows\system32\Acnlgp32.exe

C:\Windows\SysWOW64\Ajhddjfn.exe

C:\Windows\system32\Ajhddjfn.exe

C:\Windows\SysWOW64\Amgapeea.exe

C:\Windows\system32\Amgapeea.exe

C:\Windows\SysWOW64\Aeniabfd.exe

C:\Windows\system32\Aeniabfd.exe

C:\Windows\SysWOW64\Aglemn32.exe

C:\Windows\system32\Aglemn32.exe

C:\Windows\SysWOW64\Ajkaii32.exe

C:\Windows\system32\Ajkaii32.exe

C:\Windows\SysWOW64\Anfmjhmd.exe

C:\Windows\system32\Anfmjhmd.exe

C:\Windows\SysWOW64\Aadifclh.exe

C:\Windows\system32\Aadifclh.exe

C:\Windows\SysWOW64\Accfbokl.exe

C:\Windows\system32\Accfbokl.exe

C:\Windows\SysWOW64\Bfabnjjp.exe

C:\Windows\system32\Bfabnjjp.exe

C:\Windows\SysWOW64\Bnhjohkb.exe

C:\Windows\system32\Bnhjohkb.exe

C:\Windows\SysWOW64\Bagflcje.exe

C:\Windows\system32\Bagflcje.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bganhm32.exe

C:\Windows\system32\Bganhm32.exe

C:\Windows\SysWOW64\Bfdodjhm.exe

C:\Windows\system32\Bfdodjhm.exe

C:\Windows\SysWOW64\Beeoaapl.exe

C:\Windows\system32\Beeoaapl.exe

C:\Windows\SysWOW64\Bgcknmop.exe

C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bjagjhnc.exe

C:\Windows\system32\Bjagjhnc.exe

C:\Windows\SysWOW64\Bmpcfdmg.exe

C:\Windows\system32\Bmpcfdmg.exe

C:\Windows\SysWOW64\Beglgani.exe

C:\Windows\system32\Beglgani.exe

C:\Windows\SysWOW64\Bjddphlq.exe

C:\Windows\system32\Bjddphlq.exe

C:\Windows\SysWOW64\Beihma32.exe

C:\Windows\system32\Beihma32.exe

C:\Windows\SysWOW64\Bhhdil32.exe

C:\Windows\system32\Bhhdil32.exe

C:\Windows\SysWOW64\Bfkedibe.exe

C:\Windows\system32\Bfkedibe.exe

C:\Windows\SysWOW64\Bapiabak.exe

C:\Windows\system32\Bapiabak.exe

C:\Windows\SysWOW64\Belebq32.exe

C:\Windows\system32\Belebq32.exe

C:\Windows\SysWOW64\Cfmajipb.exe

C:\Windows\system32\Cfmajipb.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Cabfga32.exe

C:\Windows\system32\Cabfga32.exe

C:\Windows\SysWOW64\Cdabcm32.exe

C:\Windows\system32\Cdabcm32.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cjkjpgfi.exe

C:\Windows\system32\Cjkjpgfi.exe

C:\Windows\SysWOW64\Cmiflbel.exe

C:\Windows\system32\Cmiflbel.exe

C:\Windows\SysWOW64\Ceqnmpfo.exe

C:\Windows\system32\Ceqnmpfo.exe

C:\Windows\SysWOW64\Chokikeb.exe

C:\Windows\system32\Chokikeb.exe

C:\Windows\SysWOW64\Cjmgfgdf.exe

C:\Windows\system32\Cjmgfgdf.exe

C:\Windows\SysWOW64\Cnicfe32.exe

C:\Windows\system32\Cnicfe32.exe

C:\Windows\SysWOW64\Cagobalc.exe

C:\Windows\system32\Cagobalc.exe

C:\Windows\SysWOW64\Ceckcp32.exe

C:\Windows\system32\Ceckcp32.exe

C:\Windows\SysWOW64\Chagok32.exe

C:\Windows\system32\Chagok32.exe

C:\Windows\SysWOW64\Cfdhkhjj.exe

C:\Windows\system32\Cfdhkhjj.exe

C:\Windows\SysWOW64\Cnkplejl.exe

C:\Windows\system32\Cnkplejl.exe

C:\Windows\SysWOW64\Cmnpgb32.exe

C:\Windows\system32\Cmnpgb32.exe

C:\Windows\SysWOW64\Cajlhqjp.exe

C:\Windows\system32\Cajlhqjp.exe

C:\Windows\SysWOW64\Ceehho32.exe

C:\Windows\system32\Ceehho32.exe

C:\Windows\SysWOW64\Chcddk32.exe

C:\Windows\system32\Chcddk32.exe

C:\Windows\SysWOW64\Cjbpaf32.exe

C:\Windows\system32\Cjbpaf32.exe

C:\Windows\SysWOW64\Cnnlaehj.exe

C:\Windows\system32\Cnnlaehj.exe

C:\Windows\SysWOW64\Cmqmma32.exe

C:\Windows\system32\Cmqmma32.exe

C:\Windows\SysWOW64\Calhnpgn.exe

C:\Windows\system32\Calhnpgn.exe

C:\Windows\SysWOW64\Ddjejl32.exe

C:\Windows\system32\Ddjejl32.exe

C:\Windows\SysWOW64\Dfiafg32.exe

C:\Windows\system32\Dfiafg32.exe

C:\Windows\SysWOW64\Djdmffnn.exe

C:\Windows\system32\Djdmffnn.exe

C:\Windows\SysWOW64\Dmcibama.exe

C:\Windows\system32\Dmcibama.exe

C:\Windows\SysWOW64\Dejacond.exe

C:\Windows\system32\Dejacond.exe

C:\Windows\SysWOW64\Dfknkg32.exe

C:\Windows\system32\Dfknkg32.exe

C:\Windows\SysWOW64\Delnin32.exe

C:\Windows\system32\Delnin32.exe

C:\Windows\SysWOW64\Ddonekbl.exe

C:\Windows\system32\Ddonekbl.exe

C:\Windows\SysWOW64\Dfnjafap.exe

C:\Windows\system32\Dfnjafap.exe

C:\Windows\SysWOW64\Dodbbdbb.exe

C:\Windows\system32\Dodbbdbb.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Deokon32.exe

C:\Windows\system32\Deokon32.exe

C:\Windows\SysWOW64\Dhmgki32.exe

C:\Windows\system32\Dhmgki32.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Dogogcpo.exe

C:\Windows\system32\Dogogcpo.exe

C:\Windows\SysWOW64\Daekdooc.exe

C:\Windows\system32\Daekdooc.exe

C:\Windows\SysWOW64\Deagdn32.exe

C:\Windows\system32\Deagdn32.exe

C:\Windows\SysWOW64\Dhocqigp.exe

C:\Windows\system32\Dhocqigp.exe

C:\Windows\SysWOW64\Dgbdlf32.exe

C:\Windows\system32\Dgbdlf32.exe

C:\Windows\SysWOW64\Dknpmdfc.exe

C:\Windows\system32\Dknpmdfc.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5476 -ip 5476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 408

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4000-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Npmagine.exe

MD5 cb3d837744a3fe3be4d22011c49c40dc
SHA1 cc24a1eed959ed0c6c66e42f602d6117b2936887
SHA256 6575a7a9a7e72607ba1d47e4c1c0e7024db6fd01c6ecdd871ab715a0925aadb9
SHA512 170194a1856fc04e9d807043f2f0bf9984eb24c0399d7f73fff288a7abfbc076f67a7c54489a451a2b27b27a0563a157a75c90d9cddeacc699f81c3a8b33b746

memory/3600-7-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nggjdc32.exe

MD5 f0b9c0297c93884a1e1b9aef9ff77ccd
SHA1 3385bb8eb73bbebe825fffb5e83733b3d5505723
SHA256 65bfd4788de5a22a0125fe9ad2b7481622250192baee0dfc47e030389b5a216d
SHA512 1598b9303c3ab45fbc3fccc045b4f56b6d8172a957513a8a6fffa3440213c1373bc9feefd6f8e92ebe517f16476b8a755e5972d5687ea1e0e1e92d448a84d2c7

memory/3440-15-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2440-23-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Njefqo32.exe

MD5 916623f72a23d6e340b8cf7901992550
SHA1 643ff4d46aee74fa052f2c37eae43c8b03694d05
SHA256 63d11557f18f580c5a11b7a2c5c3a093351d62bd6bbf306e1bbf2f79dcad3a7a
SHA512 81273f6af2fd8f3646f4c983753b9478e08f54d2e0d6627f6760bd4dde1549294fa5d4f566eb4dc792756b3cabb0510e10973253cdc5f89c88e94c6106a64469

C:\Windows\SysWOW64\Olcbmj32.exe

MD5 6c146bd7d7093d41ba8e9377a6908013
SHA1 5d56535a362dcf582c8556a2e52c6efd0123e3d5
SHA256 56fd0e22a41eee7462f14dc93d27ec062b7181b4618accae6fe7ef4d6047a991
SHA512 49097d93e54d0a800f77478136ed23f3e8a1139782880fa6a4fdf1fb6d98a9e2f5893c76ff6988170b50c7970a4816eea7ed5f6a9cbe612612333d12a54a4e3d

memory/4828-31-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Najmlf32.dll

MD5 9441693bf2248387e5441883a0762ccf
SHA1 7f78d889ce71c9769a5c488df28cc93a05048959
SHA256 edc60f45fdfd6737584448afb32b5cd9a3c07fd1eef779f8a41d3a49c4376485
SHA512 f4184cb5f22f5a27a79c35a733ac9d7561e24dcee589c6a62d5b2f5cf7f5cc60d4709b1372785629ebd0fe19f820e1f03c94c04d638a87701fff6769e5d43f3e

C:\Windows\SysWOW64\Ocnjidkf.exe

MD5 602add5dbce47072df8a2d5112e4fb2f
SHA1 2467e2f90d4d7522837aa2a839bc865c6e0f4874
SHA256 4595bd92ae509b1f3690ec067bfcf0239aab7591aad158647ec3f9729bd738f4
SHA512 89c61487ea6361f06a33957f473f6374ea64f7bc359db907bdf8fb8acdf84d65a891953196b81e00f410c0523969e9c24bc98bd7d6bb1d8f4c5da69b160c7933

memory/1264-39-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4984-47-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Oflgep32.exe

MD5 f6f08a8b7d3013468141a8785b8acca5
SHA1 313708e17767be453b41c45ea8a72637388dd3e3
SHA256 f267496e7a5918b31230253d2db9f8096633584d6870451e0281b8ef17259036
SHA512 9d6ba0327e1a640d4cc40b586fcacd97104dea7f72a569af3c373b09ab44a3d0a16c0a9a2314953326f31fa4748b94e8d58aa91e149a1c41fcee5fa3c0472e02

C:\Windows\SysWOW64\Ojgbfocc.exe

MD5 128b02c1c66a8af113f5d17506d5c093
SHA1 f733695d766da32a00e645bcfb54c1859623a487
SHA256 0a5d90951606d98f958b6f733835df83b6e7946cc674de0054d1a2990bfcfcad
SHA512 4679b4365d37137614f04e1b28a3e8ea411a780d6b561db3b1e933080f52552bc127fdb14275bdf7a75837a989115d7553e0be616577559e52a44913840d2726

memory/864-55-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Opakbi32.exe

MD5 078645dc59959e9a0052e5b9abeb1b85
SHA1 5a430e622b577ac2dc761aa4a0ff67c7979f59fa
SHA256 258fa9d26d43d1850ff0d952a927860586579dc62c7fc974b9493086e9c4ab8c
SHA512 38f354605efd0d2cce4745995b5fefe7db5662c800af2423d5ede5807c7e1ff7f0fd51e07647300fd479b18790603d88b7f00339e92350839dd6718e52a221c2

memory/2552-63-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ogkcpbam.exe

MD5 3a111cb16bd058ebec820dde81acb3cc
SHA1 f384f040920caec73b3ff7e0618246e08aebfe0f
SHA256 d517f59a012babd5a96b64d8b933b71a438c6b49a38c6db357409b486131c712
SHA512 d3ee48057bfa10a1c6f0e7536d3a6b03ea43b0c3a6cc93dfb744aba277f5a4bffbc6963d9c8fe933b7e4365d2a9aaeb7c7927d1b1c9a3ae993cc1bf73494451f

memory/4776-72-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ofnckp32.exe

MD5 545416bad0ee07ac87f4a4d2c2d9294b
SHA1 f42d4d6cf9947798591f224e7c17dc673237b66a
SHA256 3aef2d385612fb86b5a622803c337de5d6f41ab47fb9d0ce1555678266b943f4
SHA512 0e54c712580a57be90a1a1ce2a82fdda63279010a639a7d59b2d8221c5d48aabb9e8e48425637b8dc41c800a6381f67014ddf49ac265c4edd544bed11df41f86

memory/3888-80-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Oneklm32.exe

MD5 90d77ecfbe65506e03297cff7dde1c54
SHA1 66845398836f9d29dd51d69944c6ef22e9236ce3
SHA256 2342ac7f85d0a90a351d19861cbba6725dda41553ff0936743ac559c9ea23824
SHA512 2dc24563947fdf004671b39f8e6e985df68d12d9314c6c8b36aeab9c4f16cbc6f9284b32342b031accb2fad89ca02647f8b005ddd63be2a112a13273babaf225

memory/4044-87-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Opdghh32.exe

MD5 7b1947cbf69c6f10dd955a0a481d570b
SHA1 86f85aac5d1f3e34cfd0e64d60e47c3e36b1d1a7
SHA256 30e7a60b0c310665194e6b35fcb56f3ce716b1c6a54bfbfad4c4a0655e37ab8d
SHA512 b6a190d4fdc9ef54c16c05a233c05d746759f0063f180d1d22d00828f7750108cc67c6f0f0e687bf30be8ca9501179a387a0951f77e9b35e430c14a1446acb5a

C:\Windows\SysWOW64\Opdghh32.exe

MD5 c7cc828a80b7d9ad320b77871dd3ab9e
SHA1 1d2f5602bab4db04cd36de347102538be8f0b6c9
SHA256 3bbd3d33637e0d4041384d5ade11212f7828cae97c7abaf0d9d4e3252d87c3b4
SHA512 e03295f5c06510373da2c2397686df37b6b5d4c96af1734135c08491ade8275002081c4eca5e238dd88630231d7948ccaa776af31d28c9eefe9c6f6e038f8bb0

memory/3356-95-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ognpebpj.exe

MD5 37cc4914973dec42bb240e8f5a317516
SHA1 51c1bd9c3e8e649500816fc99a5ae8ac761a5f92
SHA256 5105d75335034259c9a0e18163e063b9f833b9d977fb4127512d94679ee4d63b
SHA512 b1576c6d730ad83fb044fd5fcce344c7369db7aae1167faf8f87f550ffc4d84c5842feefcec9b658863b16fb018e223e5b6981d1856d238340bded41c874b466

memory/400-104-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Onhhamgg.exe

MD5 6b744544ad3b0493dad58b5b86979211
SHA1 5caf468c468017cf7459f076f45b8599bf227483
SHA256 ebbf215ef44c32de345a22ee5a7341958eaf53193b97540e50de5d1b5f1a6bab
SHA512 fe1cca51df22a165e6b57574169ac36324fe146afb894349fd606dd761c228792aa7d553c77c1950cfcebd72d69640bc05ffbc58f10bdbbcbb38f815961b3d49

memory/412-111-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Odapnf32.exe

MD5 789661ab73b35852676fb7b2b88a45d0
SHA1 9bb2eebe0bc5a19ac65ed1a1d7be9a0df84138b4
SHA256 311ff168cad561caec984a0a01a6bdf824c1f3279d281107fb26be5e7b6d0425
SHA512 efdfd755d7d0eb6dea78b3563672faba52c0ac4d1a26d6a05a58fe1ec9b773f129e34a9170532d4f558abf56c189a43d1b4d73e18421484996605cf4d46e4b54

memory/876-119-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ogpmjb32.exe

MD5 c4086f4c9d2e0de2b1a5f53b1756bec8
SHA1 26c64b687d8972005fb5e599aea7a223510a7cbc
SHA256 0894cf68bb39041cb9f44a88ae19d7c0cef8a3444bd760f85cc97390ef0b808f
SHA512 b062f91fe4cbcd42bcc1cd8fff9cb2bc4e7b0ecef32b50e931d490b7c1f1373cbe499bdd5e5799218ef74253e0336aee493df32dced4894283e7862516b09fdf

memory/5028-128-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ojoign32.exe

MD5 964be48adac9a434c8b201d771c3619b
SHA1 a64eefdcdeb9af0e45a64ac2f93b9e4ea10d674c
SHA256 080ccda0de042075f40771bc98eb0118b34cda86fb214a737b8b4eb83418a9b2
SHA512 a88e8ee596c9cd5a077cfd9e2e084a9dcfb4d261369bbf65a3970396745578ea0c7a96b909faab9397404a5f0c5c4cd95d1a3fa86eeef0721713a0a5d35a9cda

memory/3280-135-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Oqhacgdh.exe

MD5 20dd796cd7169cd0d6e72206f86e10a9
SHA1 d5039305c2ebb674165231750503527de6846067
SHA256 2bc0231eead45e93c293cd034c391f3917a88b4ec0fcd56a4f68231064056d3b
SHA512 17af8f64c7bb0eb7bcddb79fba7e5354092471c956795a15af713e11d0d62060ed1bdc59ae020f423441882fe023934b642120515c69eee231af54afcd81d0c4

memory/1772-143-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2548-151-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ogbipa32.exe

MD5 fdadef518040448a2dc320edf55ca9d3
SHA1 49e9f7976491490fd190c1d7fdac4fc7c4453189
SHA256 66173599b406698831054205506b185e53a17f5a7c6f347124084aa70ff64730
SHA512 40a3855b82384889ca36aa29cdc58887ffae63c42f2c49739fe8f139f640cbe9092e283b7685d1d8664b6c9e517f50e7702c9f3bf40151c5e7e63afdd2cbb400

memory/2956-159-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ojaelm32.exe

MD5 c90530f1728d6277dddad0bece6ca204
SHA1 3c69ddfe756462613bfd7426864e5c84506a1be6
SHA256 4ddfc2dc89a8e13c4759f55e84a98b1b0e890a1e46347c4a9f3ba1739f62665e
SHA512 cd359a75f98b63a9d24b6808d44b7d3c9a8d08644543973543354fcce26885510c0e6c037ad83792cc4a444d301566e352a53e01929005aeae116b4ae52d41ba

C:\Windows\SysWOW64\Pnlaml32.exe

MD5 3e2b535b707e82fc1ea6fde204b3d207
SHA1 72f242191b860662eaa4e397ae233558c3eea518
SHA256 82b5a1e7c2eb2233bf14f0d6a77075c45c511d5893bc8972f69446c5f8964244
SHA512 8c8c38f9aa2324d1e3b3468a04cfc795dba23ed62cefa54ab08ec706b881815e611b97e728e2397b6613db5f071579e73da196d2b973c569e1e68418a0e9fb50

memory/1944-167-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Pqknig32.exe

MD5 02aed331bfa8d65c9241d817ca18164b
SHA1 d7737c41c026848e444c3af4f156f3a517adf206
SHA256 56236c0c5cb2dfb443b66505956b7260129872b20c4a44acf007228da6b0debb
SHA512 4f812fb7f3c8b5b5ca8431d0230a61ea80e1528c82e44e9d0ca9c1f92199140988191e29971a0475ce8ad8443010904952b23408971ba9093ee971276def0736

memory/2128-175-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Pfhfan32.exe

MD5 f9ea3ad4533d9b8ebce47f8e6865ad0d
SHA1 b24b051f6fdfa1791b2f2538d18955c07f209563
SHA256 d1ee57f47e5043f48abf8591d2d7199d7681bd883951bbce2129d0dc462b309a
SHA512 1e61bcdb550a435c143bb949ec3190229dbe321eb45376563aa3e9a2316c6c147370042b3b83604d26a6be60e005f2be5348d79b98547130759c74a4fd45efe8

memory/3348-188-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Pjcbbmif.exe

MD5 e60c8d9701575292507440c6bb04e5ae
SHA1 9569cc4f4885da20057a867d231903852490e111
SHA256 c403dcc2619d856d0fedc3b1e10f7a7af71501813004378a55a5eb3b01030aa2
SHA512 6356bbc8f3d00d348b2f289802a40dd9c7a94acf588738f43eb59d486cf67d51faf55985019872ec8a4eb368f82c41b7a099056dff61245f8f8594fa4ff1d75d

memory/408-191-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Pmannhhj.exe

MD5 a7d79c6d43d7b74d8b49d4b03f7961a5
SHA1 0f7208fcd506c58c6808e31e602b748f7301c38f
SHA256 d82b3282f24ab8c70d944b639d8bb08b5f3a7102a523ce49743e51b1f1f424a1
SHA512 3c3a828ba33e8ef439c47cc20dfe2e307d417015822a519cd162e06bc1faebff0903e294c83108e402a513de35ef7f895e96f80fac34b12f96a395f4c3a4d4d1

memory/4328-199-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Pggbkagp.exe

MD5 6f7a7f81c8f83cda7d4f599e5d2b2eea
SHA1 7ec3ea17d6359b8f4275bee16a103c77b943ab5d
SHA256 c94cc63f58e4dc221057d0f3081def0eeca1f57467171b0f24beeb9c683d33ac
SHA512 5a0c9a537136b47f6d9e412f56becdc60ad09f8493b47e9597328650d7aa22730f4d40292187e58a5605298545e33f3e2d443dc4c02f4b26f5aaef802b1f97c7

memory/3036-208-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Pjeoglgc.exe

MD5 e45709eb2a06843498b3e55d8084caef
SHA1 bb3824d090119ac4415bff0290f4e2d96e3c339f
SHA256 a051f931875f7e863aeb2b701f537994ef902d72c164a5eb4c015c23f7bc6006
SHA512 b84fe58b28fe3741ac9e142f4f922d1e688687eb6901571f28a5536a092f12d6032131178e86df139e4bce76fceceb19a06bd9d4b19424ab33c054e132bf96aa

memory/2556-215-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Pqpgdfnp.exe

MD5 b9fe460d5d1974a40db2bc5d6648af0b
SHA1 9f97afa54b5e89405e5362efdadc1324d6172670
SHA256 759fc9747427326efa64d1247af82e37b3eab83dbc67ac6e81c98d83c245806e
SHA512 9021100ad0d2d0e94b8299db8a0fa37bf7bc3033e9b6e693a194cd28133e4d8dba89e5f8b435dc64bb83713b274090ed56c27294d326b0314664f4dd76b80fe1

memory/2800-224-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Pcncpbmd.exe

MD5 d511f0db342fabe234b629dc40d383ab
SHA1 bfc9d33f0eaa93aa8dbf6ce84d8ee33876d23de9
SHA256 a0cb5eb4da7cfce49508c9e1eaff47acaef3a87a9cd61a47c01db63804c2d086
SHA512 d962bc269284014d5d1a83812a2cda00c020107e52508e58b7755d27d64a6033d6ffca730b9a36d020f3feaf7637423fa4abfd5ecdf4488866209ed7367488da

memory/2516-232-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Pjhlml32.exe

MD5 1280453208c37d2229b97b36ae7bd16e
SHA1 3843ffd365203b99cdb1e99b5c722e9b556925a5
SHA256 9b3895d89fd053a74c7f88b756f67d87673c2b970110aba93ae5f913055cbaf2
SHA512 2a8f3ec0eedf44fe369e083929b656788326bfdbb6744c8193d70c8822d8df612a8bbc2c4836c8efe467ba4cc97a686e766a49cc59928288ad64cda0e86d98cd

memory/3964-239-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Pqbdjfln.exe

MD5 2d068f01966f79f12f613c4eba0b6a30
SHA1 588b5dd9e7115764b4d4625d529bbb41db084071
SHA256 bde6df6ce3fc968da6d674a0affada916a9aa833b8f85590f46c9edd1effce42
SHA512 233986719984e13890fb7942b5b925972c10ef1d8ee895f3788390d3786c7e97a4d554ac4b83364828d9880c767fcb7311bdd5bb4e1993b11ee57531448d25b2

memory/676-248-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Pdmpje32.exe

MD5 87b9bee38704a3b3f46c333b9125ffc5
SHA1 87cba30544cd61ac405abf7ce286445e0cac395d
SHA256 48f4eae6481ecaaf03668b9261dd554c460bdbd0d7c807c5f767d0044da2a0bb
SHA512 d00df448f9ea11c08851e4206f3ba0b8f2c0a3adf60d5546d25dc937d5c2b2f7c977ecd74807ecae7ea411c9891dd7800f2addb6207da9f7d1c7546e089e417c

memory/4860-256-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4988-262-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2264-268-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5008-274-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1784-280-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3164-286-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4224-292-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1812-298-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1012-304-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2520-310-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3996-316-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2072-322-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1192-328-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2660-334-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5016-340-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4120-346-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3304-352-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4052-358-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4752-364-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4420-370-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3060-376-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4660-382-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2044-388-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1084-394-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1996-402-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5068-406-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4792-412-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Amddjegd.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1580-418-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3244-424-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3004-430-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1956-436-0x0000000000400000-0x0000000000434000-memory.dmp

memory/628-442-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4992-448-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4960-454-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5104-460-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5032-466-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4164-472-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2168-478-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3364-484-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4824-490-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4728-496-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2040-502-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2096-508-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5056-514-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bgcknmop.exe

MD5 a70e10a3ba605c1745eddd84b19a4a74
SHA1 c584a84463fb5d29ae27d77c7398b090362f0f07
SHA256 9689da7d3a0bf1ef8a1a58f9b2bc403aa25b7b7574b23f72d02922c057b7da42
SHA512 19f8cab1301cbeec5cc191780d10862de1e2d2da9616818765e9093ffdcb779252f39bc7a6b2765ad953b5e1999dad192e2fc0eafc6618c67c1cda1369d26c2a

memory/2088-520-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3664-526-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3624-532-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4304-538-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bjddphlq.exe

MD5 1dbcc0e566118d805f6cdc678917fcea
SHA1 573c7f2d04167d9cd1aea822bea2b9f231f1735c
SHA256 3be8fb1907816eea61f11e27c6b3aa488ce84a1ab5e286606db3062abfb80210
SHA512 ce1ba5cfbfef5a748704a627241ec832ad14297ac0ad4ec6ed2c2a247e7f5cf469f9c3ea142ebc9c9f4c124a6c209dfbe8e97928f860cadcf01f52ca67c4ebfd

memory/4000-544-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1296-545-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3600-551-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4736-552-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2156-559-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3440-558-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1020-566-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2440-565-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4828-572-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2960-573-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1264-579-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5132-580-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5176-587-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4984-586-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5220-597-0x0000000000400000-0x0000000000434000-memory.dmp

memory/864-593-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Dmcibama.exe

MD5 2bc28bbb5fe112da5f062d4ef7599d69
SHA1 6e9d0b5dbced0e5a27b85cecae06cd90668a5924
SHA256 031288b94d0d993863a14b69d630161e45df4fd29baf46d15ba49be8e9367ec9
SHA512 8045dc2ba247e63c03d9d1f4d7ffe015b0e3f9204761a7535387d079107c1ca9139d3a3df8a69d73a21b2f37b7ea13be6429ae64e79c9caabeaf044888bee962

C:\Windows\SysWOW64\Dmllipeg.exe

MD5 77f9c4ec6e3bfddab7df50eee4217834
SHA1 1fee3f1c040b643e061a580192ef1b23913bbe52
SHA256 0f52bbfdae865fce7fd7c4d850d0f6b5fbb1e2bb5e15eefcb8c3b28a9e16356a
SHA512 bcfaad10c2db954f6c0770f8af6a8d09c895813b801347a3b48cd58ec04d331b4fd793fb22e074436ac85373b8b0564bc7c04b12933e21fd62c5b9dded23362a

memory/5476-896-0x0000000000400000-0x0000000000434000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:59

Reported

2024-11-09 06:01

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ckmnbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kgqocoin.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Piicpk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qgjccb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmlael32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qgmpibam.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bgoime32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbppnbhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kaajei32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Njjcip32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Obhdcanc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ooabmbbe.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oiffkkbk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qiioon32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjmeiq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgoelh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kaajei32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjaddn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Odchbe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pdeqfhjd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pgfjhcge.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ldpbpgoh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Coacbfii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Anbkipok.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Agjobffl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aqbdkk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kaompi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmicfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ppnnai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aakjdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Akcomepg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Omklkkpl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oemgplgo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Adlcfjgh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bjpaop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pdjjag32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgqocoin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Oiffkkbk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqgmfkhg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pohhna32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qdncmgbj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cileqlmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cjakccop.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdbbgdjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nameek32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Napbjjom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Akfkbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aakjdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ciihklpj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnimiblo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mcckcbgp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olebgfao.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdbdqh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pljlbf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cbblda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dmbcen32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nlefhcnc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oeindm32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Kkeecogo.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaompi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kglehp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knfndjdp.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaajei32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkjnnn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kadfkhkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdbbgdjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgqocoin.exe N/A
N/A N/A C:\Windows\SysWOW64\Kddomchg.exe N/A
N/A N/A C:\Windows\SysWOW64\Kcgphp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpkpadnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgehno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Llbqfe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Loqmba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhiakf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lldmleam.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbafdlod.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldpbpgoh.exe N/A
N/A N/A C:\Windows\SysWOW64\Llgjaeoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Loefnpnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfoojj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldbofgme.exe N/A
N/A N/A C:\Windows\SysWOW64\Lohccp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbfook32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lddlkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgchgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjaddn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcjhmcok.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqnifg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mclebc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjfnomde.exe N/A
N/A N/A C:\Windows\SysWOW64\Mobfgdcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mikjpiim.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqbbagjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbcoio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmicfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcckcbgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbflno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nedhjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnmlcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nefdpjkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlqmmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbjeinje.exe N/A
N/A N/A C:\Windows\SysWOW64\Nameek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njfjnpgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnafnopi.exe N/A
N/A N/A C:\Windows\SysWOW64\Napbjjom.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncnngfna.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhjjgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlefhcnc.exe N/A
N/A N/A C:\Windows\SysWOW64\Nncbdomg.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmfbpk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nenkqi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhlgmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njjcip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Omioekbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Opglafab.exe N/A
N/A N/A C:\Windows\SysWOW64\Odchbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojmpooah.exe N/A
N/A N/A C:\Windows\SysWOW64\Omklkkpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Oaghki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Opihgfop.exe N/A
N/A N/A C:\Windows\SysWOW64\Obhdcanc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkeecogo.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkeecogo.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaompi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaompi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kglehp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kglehp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knfndjdp.exe N/A
N/A N/A C:\Windows\SysWOW64\Knfndjdp.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaajei32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaajei32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkjnnn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkjnnn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kadfkhkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kadfkhkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdbbgdjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdbbgdjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgqocoin.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgqocoin.exe N/A
N/A N/A C:\Windows\SysWOW64\Kddomchg.exe N/A
N/A N/A C:\Windows\SysWOW64\Kddomchg.exe N/A
N/A N/A C:\Windows\SysWOW64\Kcgphp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kcgphp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpkpadnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpkpadnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgehno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgehno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Llbqfe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Llbqfe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Loqmba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Loqmba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhiakf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhiakf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lldmleam.exe N/A
N/A N/A C:\Windows\SysWOW64\Lldmleam.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbafdlod.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbafdlod.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldpbpgoh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldpbpgoh.exe N/A
N/A N/A C:\Windows\SysWOW64\Llgjaeoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Llgjaeoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Loefnpnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Loefnpnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfoojj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfoojj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldbofgme.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldbofgme.exe N/A
N/A N/A C:\Windows\SysWOW64\Lohccp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lohccp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbfook32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbfook32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lddlkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lddlkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgchgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgchgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjaddn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjaddn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcjhmcok.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcjhmcok.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqnifg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqnifg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mclebc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mclebc32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Bgoime32.exe C:\Windows\SysWOW64\Bdqlajbb.exe N/A
File created C:\Windows\SysWOW64\Fnbkfl32.dll C:\Windows\SysWOW64\Cbdiia32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajpepm32.exe C:\Windows\SysWOW64\Afdiondb.exe N/A
File created C:\Windows\SysWOW64\Jbglcb32.dll C:\Windows\SysWOW64\Lgchgb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oeindm32.exe C:\Windows\SysWOW64\Objaha32.exe N/A
File created C:\Windows\SysWOW64\Incleo32.dll C:\Windows\SysWOW64\Aojabdlf.exe N/A
File created C:\Windows\SysWOW64\Bjkhdacm.exe C:\Windows\SysWOW64\Bgllgedi.exe N/A
File created C:\Windows\SysWOW64\Knbbpakg.dll C:\Windows\SysWOW64\Kgqocoin.exe N/A
File created C:\Windows\SysWOW64\Ldbofgme.exe C:\Windows\SysWOW64\Lfoojj32.exe N/A
File created C:\Windows\SysWOW64\Mbcoio32.exe C:\Windows\SysWOW64\Mqbbagjo.exe N/A
File created C:\Windows\SysWOW64\Qpbglhjq.exe C:\Windows\SysWOW64\Qiioon32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lbafdlod.exe C:\Windows\SysWOW64\Lldmleam.exe N/A
File opened for modification C:\Windows\SysWOW64\Andgop32.exe C:\Windows\SysWOW64\Akfkbd32.exe N/A
File created C:\Windows\SysWOW64\Ckmnbg32.exe C:\Windows\SysWOW64\Cinafkkd.exe N/A
File created C:\Windows\SysWOW64\Pplncj32.dll C:\Windows\SysWOW64\Kglehp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmlael32.exe C:\Windows\SysWOW64\Bjmeiq32.exe N/A
File created C:\Windows\SysWOW64\Pdeqfhjd.exe C:\Windows\SysWOW64\Pdeqfhjd.exe N/A
File opened for modification C:\Windows\SysWOW64\Lddlkg32.exe C:\Windows\SysWOW64\Lbfook32.exe N/A
File created C:\Windows\SysWOW64\Mclebc32.exe C:\Windows\SysWOW64\Mqnifg32.exe N/A
File created C:\Windows\SysWOW64\Ooabmbbe.exe C:\Windows\SysWOW64\Opnbbe32.exe N/A
File created C:\Windows\SysWOW64\Bjbndpmd.exe C:\Windows\SysWOW64\Bgcbhd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cinafkkd.exe C:\Windows\SysWOW64\Cebeem32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kddomchg.exe C:\Windows\SysWOW64\Kgqocoin.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjaddn32.exe C:\Windows\SysWOW64\Lgchgb32.exe N/A
File created C:\Windows\SysWOW64\Fffgkhmc.dll C:\Windows\SysWOW64\Mjaddn32.exe N/A
File created C:\Windows\SysWOW64\Nlefhcnc.exe C:\Windows\SysWOW64\Nhjjgd32.exe N/A
File created C:\Windows\SysWOW64\Pofkha32.exe C:\Windows\SysWOW64\Pkjphcff.exe N/A
File created C:\Windows\SysWOW64\Aebfidim.dll C:\Windows\SysWOW64\Anbkipok.exe N/A
File opened for modification C:\Windows\SysWOW64\Aqbdkk32.exe C:\Windows\SysWOW64\Andgop32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cchbgi32.exe C:\Windows\SysWOW64\Caifjn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lfoojj32.exe C:\Windows\SysWOW64\Loefnpnn.exe N/A
File created C:\Windows\SysWOW64\Piicpk32.exe C:\Windows\SysWOW64\Oemgplgo.exe N/A
File created C:\Windows\SysWOW64\Jpefpo32.dll C:\Windows\SysWOW64\Qdncmgbj.exe N/A
File created C:\Windows\SysWOW64\Bdqlajbb.exe C:\Windows\SysWOW64\Bbbpenco.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Cegoqlof.exe N/A
File opened for modification C:\Windows\SysWOW64\Kgqocoin.exe C:\Windows\SysWOW64\Kdbbgdjj.exe N/A
File created C:\Windows\SysWOW64\Accqnc32.exe C:\Windows\SysWOW64\Aohdmdoh.exe N/A
File created C:\Windows\SysWOW64\Cdpkangm.dll C:\Windows\SysWOW64\Bgaebe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\Dmbcen32.exe N/A
File opened for modification C:\Windows\SysWOW64\Omklkkpl.exe C:\Windows\SysWOW64\Ojmpooah.exe N/A
File created C:\Windows\SysWOW64\Ladpkl32.dll C:\Windows\SysWOW64\Mqbbagjo.exe N/A
File created C:\Windows\SysWOW64\Kagflkia.dll C:\Windows\SysWOW64\Nnmlcp32.exe N/A
File created C:\Windows\SysWOW64\Aldhcb32.dll C:\Windows\SysWOW64\Qpbglhjq.exe N/A
File created C:\Windows\SysWOW64\Bqlfaj32.exe C:\Windows\SysWOW64\Bjbndpmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Bcjcme32.exe C:\Windows\SysWOW64\Bqlfaj32.exe N/A
File created C:\Windows\SysWOW64\Mikjpiim.exe C:\Windows\SysWOW64\Mobfgdcl.exe N/A
File created C:\Windows\SysWOW64\Blangfdh.dll C:\Windows\SysWOW64\Nnafnopi.exe N/A
File created C:\Windows\SysWOW64\Ieocod32.dll C:\Windows\SysWOW64\Nncbdomg.exe N/A
File created C:\Windows\SysWOW64\Binbknik.dll C:\Windows\SysWOW64\Adifpk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjkhdacm.exe C:\Windows\SysWOW64\Bgllgedi.exe N/A
File opened for modification C:\Windows\SysWOW64\Ccmpce32.exe C:\Windows\SysWOW64\Coacbfii.exe N/A
File created C:\Windows\SysWOW64\Jbbobb32.dll C:\Windows\SysWOW64\Nbflno32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pdjjag32.exe C:\Windows\SysWOW64\Ppnnai32.exe N/A
File created C:\Windows\SysWOW64\Qgmpibam.exe C:\Windows\SysWOW64\Qdncmgbj.exe N/A
File created C:\Windows\SysWOW64\Anbkipok.exe C:\Windows\SysWOW64\Akcomepg.exe N/A
File created C:\Windows\SysWOW64\Cmedlk32.exe C:\Windows\SysWOW64\Ciihklpj.exe N/A
File created C:\Windows\SysWOW64\Hopbda32.dll C:\Windows\SysWOW64\Oemgplgo.exe N/A
File created C:\Windows\SysWOW64\Qeppdo32.exe C:\Windows\SysWOW64\Qgmpibam.exe N/A
File created C:\Windows\SysWOW64\Bcjcme32.exe C:\Windows\SysWOW64\Bqlfaj32.exe N/A
File created C:\Windows\SysWOW64\Nbklpemb.dll C:\Windows\SysWOW64\Ohiffh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Abmgjo32.exe C:\Windows\SysWOW64\Anbkipok.exe N/A
File created C:\Windows\SysWOW64\Lddlkg32.exe C:\Windows\SysWOW64\Lbfook32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oiffkkbk.exe C:\Windows\SysWOW64\Ofhjopbg.exe N/A
File created C:\Windows\SysWOW64\Pdgmlhha.exe C:\Windows\SysWOW64\Pplaki32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dpapaj32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Omklkkpl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oemgplgo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phqmgg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojmpooah.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nhlgmd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjpaop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cocphf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjakccop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mqnifg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nhjjgd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aojabdlf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lhiakf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgllgedi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdcifi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ldbofgme.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lgehno32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lfoojj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lgchgb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmicfh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qiioon32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Abmgjo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdqlajbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oidiekdn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnafnopi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opglafab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojomdoof.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opnbbe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Piicpk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qppkfhlc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Coacbfii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kaompi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nbjeinje.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nenkqi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apgagg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcjcme32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Llbqfe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oeindm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opqoge32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aqbdkk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cegoqlof.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kgqocoin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mbcoio32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkmlmbcd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adifpk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Akcomepg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgoime32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kcgphp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pofkha32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pohhna32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ppnnai32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pifbjn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgaebe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgcbhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mcckcbgp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmpgpond.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ciihklpj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnmlcp32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nlqmmd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pdeqfhjd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cnimiblo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Caifjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll" C:\Windows\SysWOW64\Pkoicb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqpflded.dll" C:\Windows\SysWOW64\Ldpbpgoh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ldpbpgoh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lddlkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kongke32.dll" C:\Windows\SysWOW64\Nefdpjkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhcmgmam.dll" C:\Windows\SysWOW64\Nhjjgd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkclcjqj.dll" C:\Windows\SysWOW64\Nlefhcnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll" C:\Windows\SysWOW64\Bgaebe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Objaha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apqcdckf.dll" C:\Windows\SysWOW64\Pohhna32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhiejpim.dll" C:\Windows\SysWOW64\Pgfjhcge.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pghfnc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Apedah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlfpfpl.dll" C:\Windows\SysWOW64\Ajmijmnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kcgphp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpdokkbh.dll" C:\Windows\SysWOW64\Mclebc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncakm32.dll" C:\Windows\SysWOW64\Pdgmlhha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpecfkn.dll" C:\Windows\SysWOW64\Qppkfhlc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll" C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bnknoogp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lldmleam.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll" C:\Windows\SysWOW64\Cbblda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll" C:\Windows\SysWOW64\Ckjamgmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nefdpjkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qgmpibam.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll" C:\Windows\SysWOW64\Abmgjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kkjnnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Phqmgg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhnlgkg.dll" C:\Windows\SysWOW64\Andgop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bqgmfkhg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbblda32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lldmleam.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Opihgfop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjmdhnf.dll" C:\Windows\SysWOW64\Ofhjopbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmoloenf.dll" C:\Windows\SysWOW64\Pdeqfhjd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll" C:\Windows\SysWOW64\Bfioia32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cebeem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacldi32.dll" C:\Windows\SysWOW64\Mobfgdcl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pljlbf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajmijmnn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mikjpiim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioba32.dll" C:\Windows\SysWOW64\Padhdm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ajmijmnn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Andgop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cileqlmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll" C:\Windows\SysWOW64\Ckmnbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhniklfm.dll" C:\Windows\SysWOW64\Kddomchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Opglafab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbakl32.dll" C:\Windows\SysWOW64\Pkmlmbcd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmoloenf.dll" C:\Windows\SysWOW64\Pafdjmkq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdhpmg32.dll" C:\Windows\SysWOW64\Pplaki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmdailj.dll" C:\Windows\SysWOW64\Bgoime32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dombicdm.dll" C:\Windows\SysWOW64\Ooabmbbe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qnghel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll" C:\Windows\SysWOW64\Adlcfjgh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ckjamgmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mobfgdcl.exe N/A
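The rows above and the ShellServiceObjectDelayLoad value recorded under the persistence signature (value name "Web Event Logger", data {79FAA099-1BAE-816E-D711-115290CEE717}) are two halves of one mechanism: the CLSID is registered in the Wow6432Node Classes hive with its InProcServer32 default value pointing at a freshly dropped DLL in SysWOW64 and ThreadingModel set to Apartment, so the shell loads that DLL in-process when it starts. Successive dropped executables rewrite the same InProcServer32 value with a different DLL name (Kmgbdm32.dll, Iqpflded.dll, Kongke32.dll and so on), so only the last write is what a live host will show. The PowerShell below is an added triage check by the editor, not sandbox output and not code from the sample: it walks ShellServiceObjectDelayLoad in both registry views, resolves each CLSID to its InProcServer32 DLL in both the native and the Wow6432Node Classes hives, and flags entries whose DLL is missing or not validly signed. The function names and the decision to check both views are assumptions of this example; the CLSID and key paths come from this report.

```powershell
# Added triage check (editor's example, not sandbox output and not sample code).
# Walks ShellServiceObjectDelayLoad in both registry views, resolves each CLSID to
# its InProcServer32 DLL and flags DLLs that are missing or not validly signed.
# Assumes an elevated PowerShell session on the suspect Windows host.

$SsodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'  # view the 32-bit sample wrote
)

$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID'
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'  # view holding {79FAA099-1BAE-816E-D711-115290CEE717} in this report
)

function Resolve-InProcServer32 {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = Join-Path $root "$Clsid\InProcServer32"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Key            = $key
            Dll            = [string]$props.'(default)'     # unnamed default value = server DLL path
            ThreadingModel = [string]$props.ThreadingModel
        }
    }
}

function Get-SsodlFindings {
    foreach ($ssodl in $SsodlKeys) {
        if (-not (Test-Path $ssodl)) { continue }
        $item = Get-Item -Path $ssodl
        foreach ($name in $item.GetValueNames()) {
            $clsid   = [string]$item.GetValue($name)
            $servers = @(Resolve-InProcServer32 -Clsid $clsid)
            if ($servers.Count -eq 0) {
                # SSODL references a CLSID that is not registered anywhere: still report it
                [pscustomobject]@{
                    SsodlKey = $ssodl; ValueName = $name; Clsid = $clsid; Dll = ''
                    ThreadingModel = ''; Signature = 'ClsidNotRegistered'; Suspicious = $true
                }
                continue
            }
            foreach ($srv in $servers) {
                $dll = if ($srv.Dll) { [Environment]::ExpandEnvironmentVariables($srv.Dll) } else { '' }
                if (-not $dll) { $status = 'NoServerPath' }
                elseif (-not (Test-Path -LiteralPath $dll)) { $status = 'FileMissing' }
                else { $status = [string](Get-AuthenticodeSignature -FilePath $dll).Status }
                [pscustomobject]@{
                    SsodlKey       = $ssodl
                    ValueName      = $name
                    Clsid          = $clsid
                    Dll            = $dll
                    ThreadingModel = $srv.ThreadingModel
                    Signature      = $status
                    Suspicious     = ($status -ne 'Valid')   # unsigned, tampered or absent server DLL
                }
            }
        }
    }
}

Get-SsodlFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the suspect host. An entry that resolves to an unsigned DLL under SysWOW64 with ThreadingModel Apartment, as the table above records for this sample, is the artifact to pull for analysis; a legitimate entry resolves to a Microsoft-signed DLL under System32. Note also that the command lines listed in the Processes section name C:\Windows\system32\ while the files were created in C:\Windows\SysWOW64\; both refer to the same 32-bit binaries, since WOW64 file-system redirection maps system32 to SysWOW64 for a 32-bit process.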

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe C:\Windows\SysWOW64\Kkeecogo.exe
PID 2056 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe C:\Windows\SysWOW64\Kkeecogo.exe
PID 2056 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe C:\Windows\SysWOW64\Kkeecogo.exe
PID 2056 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe C:\Windows\SysWOW64\Kkeecogo.exe
PID 2696 wrote to memory of 1636 N/A C:\Windows\SysWOW64\Kkeecogo.exe C:\Windows\SysWOW64\Kaompi32.exe
PID 2696 wrote to memory of 1636 N/A C:\Windows\SysWOW64\Kkeecogo.exe C:\Windows\SysWOW64\Kaompi32.exe
PID 2696 wrote to memory of 1636 N/A C:\Windows\SysWOW64\Kkeecogo.exe C:\Windows\SysWOW64\Kaompi32.exe
PID 2696 wrote to memory of 1636 N/A C:\Windows\SysWOW64\Kkeecogo.exe C:\Windows\SysWOW64\Kaompi32.exe
PID 1636 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Kaompi32.exe C:\Windows\SysWOW64\Kglehp32.exe
PID 1636 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Kaompi32.exe C:\Windows\SysWOW64\Kglehp32.exe
PID 1636 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Kaompi32.exe C:\Windows\SysWOW64\Kglehp32.exe
PID 1636 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Kaompi32.exe C:\Windows\SysWOW64\Kglehp32.exe
PID 2704 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Kglehp32.exe C:\Windows\SysWOW64\Knfndjdp.exe
PID 2704 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Kglehp32.exe C:\Windows\SysWOW64\Knfndjdp.exe
PID 2704 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Kglehp32.exe C:\Windows\SysWOW64\Knfndjdp.exe
PID 2704 wrote to memory of 2808 N/A C:\Windows\SysWOW64\Kglehp32.exe C:\Windows\SysWOW64\Knfndjdp.exe
PID 2808 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Knfndjdp.exe C:\Windows\SysWOW64\Kaajei32.exe
PID 2808 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Knfndjdp.exe C:\Windows\SysWOW64\Kaajei32.exe
PID 2808 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Knfndjdp.exe C:\Windows\SysWOW64\Kaajei32.exe
PID 2808 wrote to memory of 2896 N/A C:\Windows\SysWOW64\Knfndjdp.exe C:\Windows\SysWOW64\Kaajei32.exe
PID 2896 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Kaajei32.exe C:\Windows\SysWOW64\Kkjnnn32.exe
PID 2896 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Kaajei32.exe C:\Windows\SysWOW64\Kkjnnn32.exe
PID 2896 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Kaajei32.exe C:\Windows\SysWOW64\Kkjnnn32.exe
PID 2896 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Kaajei32.exe C:\Windows\SysWOW64\Kkjnnn32.exe
PID 2960 wrote to memory of 2608 N/A C:\Windows\SysWOW64\Kkjnnn32.exe C:\Windows\SysWOW64\Kadfkhkf.exe
PID 2960 wrote to memory of 2608 N/A C:\Windows\SysWOW64\Kkjnnn32.exe C:\Windows\SysWOW64\Kadfkhkf.exe
PID 2960 wrote to memory of 2608 N/A C:\Windows\SysWOW64\Kkjnnn32.exe C:\Windows\SysWOW64\Kadfkhkf.exe
PID 2960 wrote to memory of 2608 N/A C:\Windows\SysWOW64\Kkjnnn32.exe C:\Windows\SysWOW64\Kadfkhkf.exe
PID 2608 wrote to memory of 276 N/A C:\Windows\SysWOW64\Kadfkhkf.exe C:\Windows\SysWOW64\Kdbbgdjj.exe
PID 2608 wrote to memory of 276 N/A C:\Windows\SysWOW64\Kadfkhkf.exe C:\Windows\SysWOW64\Kdbbgdjj.exe
PID 2608 wrote to memory of 276 N/A C:\Windows\SysWOW64\Kadfkhkf.exe C:\Windows\SysWOW64\Kdbbgdjj.exe
PID 2608 wrote to memory of 276 N/A C:\Windows\SysWOW64\Kadfkhkf.exe C:\Windows\SysWOW64\Kdbbgdjj.exe
PID 276 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Kdbbgdjj.exe C:\Windows\SysWOW64\Kgqocoin.exe
PID 276 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Kdbbgdjj.exe C:\Windows\SysWOW64\Kgqocoin.exe
PID 276 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Kdbbgdjj.exe C:\Windows\SysWOW64\Kgqocoin.exe
PID 276 wrote to memory of 2036 N/A C:\Windows\SysWOW64\Kdbbgdjj.exe C:\Windows\SysWOW64\Kgqocoin.exe
PID 2036 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Kgqocoin.exe C:\Windows\SysWOW64\Kddomchg.exe
PID 2036 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Kgqocoin.exe C:\Windows\SysWOW64\Kddomchg.exe
PID 2036 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Kgqocoin.exe C:\Windows\SysWOW64\Kddomchg.exe
PID 2036 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Kgqocoin.exe C:\Windows\SysWOW64\Kddomchg.exe
PID 2964 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Kddomchg.exe C:\Windows\SysWOW64\Kcgphp32.exe
PID 2964 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Kddomchg.exe C:\Windows\SysWOW64\Kcgphp32.exe
PID 2964 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Kddomchg.exe C:\Windows\SysWOW64\Kcgphp32.exe
PID 2964 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Kddomchg.exe C:\Windows\SysWOW64\Kcgphp32.exe
PID 2796 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Kcgphp32.exe C:\Windows\SysWOW64\Kpkpadnl.exe
PID 2796 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Kcgphp32.exe C:\Windows\SysWOW64\Kpkpadnl.exe
PID 2796 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Kcgphp32.exe C:\Windows\SysWOW64\Kpkpadnl.exe
PID 2796 wrote to memory of 2936 N/A C:\Windows\SysWOW64\Kcgphp32.exe C:\Windows\SysWOW64\Kpkpadnl.exe
PID 2936 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Kpkpadnl.exe C:\Windows\SysWOW64\Lgehno32.exe
PID 2936 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Kpkpadnl.exe C:\Windows\SysWOW64\Lgehno32.exe
PID 2936 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Kpkpadnl.exe C:\Windows\SysWOW64\Lgehno32.exe
PID 2936 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Kpkpadnl.exe C:\Windows\SysWOW64\Lgehno32.exe
PID 2152 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Lgehno32.exe C:\Windows\SysWOW64\Llbqfe32.exe
PID 2152 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Lgehno32.exe C:\Windows\SysWOW64\Llbqfe32.exe
PID 2152 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Lgehno32.exe C:\Windows\SysWOW64\Llbqfe32.exe
PID 2152 wrote to memory of 1680 N/A C:\Windows\SysWOW64\Lgehno32.exe C:\Windows\SysWOW64\Llbqfe32.exe
PID 1680 wrote to memory of 2116 N/A C:\Windows\SysWOW64\Llbqfe32.exe C:\Windows\SysWOW64\Loqmba32.exe
PID 1680 wrote to memory of 2116 N/A C:\Windows\SysWOW64\Llbqfe32.exe C:\Windows\SysWOW64\Loqmba32.exe
PID 1680 wrote to memory of 2116 N/A C:\Windows\SysWOW64\Llbqfe32.exe C:\Windows\SysWOW64\Loqmba32.exe
PID 1680 wrote to memory of 2116 N/A C:\Windows\SysWOW64\Llbqfe32.exe C:\Windows\SysWOW64\Loqmba32.exe
PID 2116 wrote to memory of 2092 N/A C:\Windows\SysWOW64\Loqmba32.exe C:\Windows\SysWOW64\Lhiakf32.exe
PID 2116 wrote to memory of 2092 N/A C:\Windows\SysWOW64\Loqmba32.exe C:\Windows\SysWOW64\Lhiakf32.exe
PID 2116 wrote to memory of 2092 N/A C:\Windows\SysWOW64\Loqmba32.exe C:\Windows\SysWOW64\Lhiakf32.exe
PID 2116 wrote to memory of 2092 N/A C:\Windows\SysWOW64\Loqmba32.exe C:\Windows\SysWOW64\Lhiakf32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe

"C:\Users\Admin\AppData\Local\Temp\44666a663169d3e9ae81f8999d3d3ceb00ac3399f49b3c8c6f91d57a1714dac5N.exe"

C:\Windows\SysWOW64\Kkeecogo.exe

C:\Windows\system32\Kkeecogo.exe

C:\Windows\SysWOW64\Kaompi32.exe

C:\Windows\system32\Kaompi32.exe

C:\Windows\SysWOW64\Kglehp32.exe

C:\Windows\system32\Kglehp32.exe

C:\Windows\SysWOW64\Knfndjdp.exe

C:\Windows\system32\Knfndjdp.exe

C:\Windows\SysWOW64\Kaajei32.exe

C:\Windows\system32\Kaajei32.exe

C:\Windows\SysWOW64\Kkjnnn32.exe

C:\Windows\system32\Kkjnnn32.exe

C:\Windows\SysWOW64\Kadfkhkf.exe

C:\Windows\system32\Kadfkhkf.exe

C:\Windows\SysWOW64\Kdbbgdjj.exe

C:\Windows\system32\Kdbbgdjj.exe

C:\Windows\SysWOW64\Kgqocoin.exe

C:\Windows\system32\Kgqocoin.exe

C:\Windows\SysWOW64\Kddomchg.exe

C:\Windows\system32\Kddomchg.exe

C:\Windows\SysWOW64\Kcgphp32.exe

C:\Windows\system32\Kcgphp32.exe

C:\Windows\SysWOW64\Kpkpadnl.exe

C:\Windows\system32\Kpkpadnl.exe

C:\Windows\SysWOW64\Lgehno32.exe

C:\Windows\system32\Lgehno32.exe

C:\Windows\SysWOW64\Llbqfe32.exe

C:\Windows\system32\Llbqfe32.exe

C:\Windows\SysWOW64\Loqmba32.exe

C:\Windows\system32\Loqmba32.exe

C:\Windows\SysWOW64\Lhiakf32.exe

C:\Windows\system32\Lhiakf32.exe

C:\Windows\SysWOW64\Lldmleam.exe

C:\Windows\system32\Lldmleam.exe

C:\Windows\SysWOW64\Lbafdlod.exe

C:\Windows\system32\Lbafdlod.exe

C:\Windows\SysWOW64\Ldpbpgoh.exe

C:\Windows\system32\Ldpbpgoh.exe

C:\Windows\SysWOW64\Llgjaeoj.exe

C:\Windows\system32\Llgjaeoj.exe

C:\Windows\SysWOW64\Loefnpnn.exe

C:\Windows\system32\Loefnpnn.exe

C:\Windows\SysWOW64\Lfoojj32.exe

C:\Windows\system32\Lfoojj32.exe

C:\Windows\SysWOW64\Ldbofgme.exe

C:\Windows\system32\Ldbofgme.exe

C:\Windows\SysWOW64\Lohccp32.exe

C:\Windows\system32\Lohccp32.exe

C:\Windows\SysWOW64\Lbfook32.exe

C:\Windows\system32\Lbfook32.exe

C:\Windows\SysWOW64\Lddlkg32.exe

C:\Windows\system32\Lddlkg32.exe

C:\Windows\SysWOW64\Lgchgb32.exe

C:\Windows\system32\Lgchgb32.exe

C:\Windows\SysWOW64\Mjaddn32.exe

C:\Windows\system32\Mjaddn32.exe

C:\Windows\SysWOW64\Mcjhmcok.exe

C:\Windows\system32\Mcjhmcok.exe

C:\Windows\SysWOW64\Mqnifg32.exe

C:\Windows\system32\Mqnifg32.exe

C:\Windows\SysWOW64\Mclebc32.exe

C:\Windows\system32\Mclebc32.exe

C:\Windows\SysWOW64\Mjfnomde.exe

C:\Windows\system32\Mjfnomde.exe

C:\Windows\SysWOW64\Mobfgdcl.exe

C:\Windows\system32\Mobfgdcl.exe

C:\Windows\SysWOW64\Mikjpiim.exe

C:\Windows\system32\Mikjpiim.exe

C:\Windows\SysWOW64\Mqbbagjo.exe

C:\Windows\system32\Mqbbagjo.exe

C:\Windows\SysWOW64\Mbcoio32.exe

C:\Windows\system32\Mbcoio32.exe

C:\Windows\SysWOW64\Mmicfh32.exe

C:\Windows\system32\Mmicfh32.exe

C:\Windows\SysWOW64\Mcckcbgp.exe

C:\Windows\system32\Mcckcbgp.exe

C:\Windows\SysWOW64\Nbflno32.exe

C:\Windows\system32\Nbflno32.exe

C:\Windows\SysWOW64\Nedhjj32.exe

C:\Windows\system32\Nedhjj32.exe

C:\Windows\SysWOW64\Nnmlcp32.exe

C:\Windows\system32\Nnmlcp32.exe

C:\Windows\SysWOW64\Nefdpjkl.exe

C:\Windows\system32\Nefdpjkl.exe

C:\Windows\SysWOW64\Nlqmmd32.exe

C:\Windows\system32\Nlqmmd32.exe

C:\Windows\SysWOW64\Nbjeinje.exe

C:\Windows\system32\Nbjeinje.exe

C:\Windows\SysWOW64\Nameek32.exe

C:\Windows\system32\Nameek32.exe

C:\Windows\SysWOW64\Njfjnpgp.exe

C:\Windows\system32\Njfjnpgp.exe

C:\Windows\SysWOW64\Nnafnopi.exe

C:\Windows\system32\Nnafnopi.exe

C:\Windows\SysWOW64\Napbjjom.exe

C:\Windows\system32\Napbjjom.exe

C:\Windows\SysWOW64\Ncnngfna.exe

C:\Windows\system32\Ncnngfna.exe

C:\Windows\SysWOW64\Nhjjgd32.exe

C:\Windows\system32\Nhjjgd32.exe

C:\Windows\SysWOW64\Nlefhcnc.exe

C:\Windows\system32\Nlefhcnc.exe

C:\Windows\SysWOW64\Nncbdomg.exe

C:\Windows\system32\Nncbdomg.exe

C:\Windows\SysWOW64\Nmfbpk32.exe

C:\Windows\system32\Nmfbpk32.exe

C:\Windows\SysWOW64\Nenkqi32.exe

C:\Windows\system32\Nenkqi32.exe

C:\Windows\SysWOW64\Nhlgmd32.exe

C:\Windows\system32\Nhlgmd32.exe

C:\Windows\SysWOW64\Njjcip32.exe

C:\Windows\system32\Njjcip32.exe

C:\Windows\SysWOW64\Omioekbo.exe

C:\Windows\system32\Omioekbo.exe

C:\Windows\SysWOW64\Opglafab.exe

C:\Windows\system32\Opglafab.exe

C:\Windows\SysWOW64\Odchbe32.exe

C:\Windows\system32\Odchbe32.exe

C:\Windows\SysWOW64\Ojmpooah.exe

C:\Windows\system32\Ojmpooah.exe

C:\Windows\SysWOW64\Omklkkpl.exe

C:\Windows\system32\Omklkkpl.exe

C:\Windows\SysWOW64\Oaghki32.exe

C:\Windows\system32\Oaghki32.exe

C:\Windows\SysWOW64\Opihgfop.exe

C:\Windows\system32\Opihgfop.exe

C:\Windows\SysWOW64\Obhdcanc.exe

C:\Windows\system32\Obhdcanc.exe

C:\Windows\SysWOW64\Ojomdoof.exe

C:\Windows\system32\Ojomdoof.exe

C:\Windows\SysWOW64\Olpilg32.exe

C:\Windows\system32\Olpilg32.exe

C:\Windows\SysWOW64\Odgamdef.exe

C:\Windows\system32\Odgamdef.exe

C:\Windows\SysWOW64\Objaha32.exe

C:\Windows\system32\Objaha32.exe

C:\Windows\SysWOW64\Oeindm32.exe

C:\Windows\system32\Oeindm32.exe

C:\Windows\SysWOW64\Oidiekdn.exe

C:\Windows\system32\Oidiekdn.exe

C:\Windows\SysWOW64\Olbfagca.exe

C:\Windows\system32\Olbfagca.exe

C:\Windows\SysWOW64\Opnbbe32.exe

C:\Windows\system32\Opnbbe32.exe

C:\Windows\SysWOW64\Ooabmbbe.exe

C:\Windows\system32\Ooabmbbe.exe

C:\Windows\SysWOW64\Ofhjopbg.exe

C:\Windows\system32\Ofhjopbg.exe

C:\Windows\SysWOW64\Oiffkkbk.exe

C:\Windows\system32\Oiffkkbk.exe

C:\Windows\SysWOW64\Ohiffh32.exe

C:\Windows\system32\Ohiffh32.exe

C:\Windows\SysWOW64\Olebgfao.exe

C:\Windows\system32\Olebgfao.exe

C:\Windows\SysWOW64\Opqoge32.exe

C:\Windows\system32\Opqoge32.exe

C:\Windows\SysWOW64\Obokcqhk.exe

C:\Windows\system32\Obokcqhk.exe

C:\Windows\SysWOW64\Oemgplgo.exe

C:\Windows\system32\Oemgplgo.exe

C:\Windows\SysWOW64\Piicpk32.exe

C:\Windows\system32\Piicpk32.exe

C:\Windows\SysWOW64\Pkjphcff.exe

C:\Windows\system32\Pkjphcff.exe

C:\Windows\SysWOW64\Pofkha32.exe

C:\Windows\system32\Pofkha32.exe

C:\Windows\SysWOW64\Padhdm32.exe

C:\Windows\system32\Padhdm32.exe

C:\Windows\SysWOW64\Pepcelel.exe

C:\Windows\system32\Pepcelel.exe

C:\Windows\SysWOW64\Pdbdqh32.exe

C:\Windows\system32\Pdbdqh32.exe

C:\Windows\SysWOW64\Pljlbf32.exe

C:\Windows\system32\Pljlbf32.exe

C:\Windows\SysWOW64\Pkmlmbcd.exe

C:\Windows\system32\Pkmlmbcd.exe

C:\Windows\SysWOW64\Pohhna32.exe

C:\Windows\system32\Pohhna32.exe

C:\Windows\SysWOW64\Pafdjmkq.exe

C:\Windows\system32\Pafdjmkq.exe

C:\Windows\SysWOW64\Pdeqfhjd.exe

C:\Windows\system32\Pdeqfhjd.exe

C:\Windows\SysWOW64\Pdeqfhjd.exe

C:\Windows\system32\Pdeqfhjd.exe

C:\Windows\SysWOW64\Phqmgg32.exe

C:\Windows\system32\Phqmgg32.exe

C:\Windows\SysWOW64\Pkoicb32.exe

C:\Windows\system32\Pkoicb32.exe

C:\Windows\SysWOW64\Pojecajj.exe

C:\Windows\system32\Pojecajj.exe

C:\Windows\SysWOW64\Paiaplin.exe

C:\Windows\system32\Paiaplin.exe

C:\Windows\SysWOW64\Pplaki32.exe

C:\Windows\system32\Pplaki32.exe

C:\Windows\SysWOW64\Pdgmlhha.exe

C:\Windows\system32\Pdgmlhha.exe

C:\Windows\SysWOW64\Pgfjhcge.exe

C:\Windows\system32\Pgfjhcge.exe

C:\Windows\SysWOW64\Ppnnai32.exe

C:\Windows\system32\Ppnnai32.exe

C:\Windows\SysWOW64\Pdjjag32.exe

C:\Windows\system32\Pdjjag32.exe

C:\Windows\SysWOW64\Pghfnc32.exe

C:\Windows\system32\Pghfnc32.exe

C:\Windows\SysWOW64\Pifbjn32.exe

C:\Windows\system32\Pifbjn32.exe

C:\Windows\SysWOW64\Qppkfhlc.exe

C:\Windows\system32\Qppkfhlc.exe

C:\Windows\SysWOW64\Qgjccb32.exe

C:\Windows\system32\Qgjccb32.exe

C:\Windows\SysWOW64\Qiioon32.exe

C:\Windows\system32\Qiioon32.exe

C:\Windows\SysWOW64\Qpbglhjq.exe

C:\Windows\system32\Qpbglhjq.exe

C:\Windows\SysWOW64\Qdncmgbj.exe

C:\Windows\system32\Qdncmgbj.exe

C:\Windows\SysWOW64\Qgmpibam.exe

C:\Windows\system32\Qgmpibam.exe

C:\Windows\SysWOW64\Qeppdo32.exe

C:\Windows\system32\Qeppdo32.exe

C:\Windows\SysWOW64\Qnghel32.exe

C:\Windows\system32\Qnghel32.exe

C:\Windows\SysWOW64\Apedah32.exe

C:\Windows\system32\Apedah32.exe

C:\Windows\SysWOW64\Aohdmdoh.exe

C:\Windows\system32\Aohdmdoh.exe

C:\Windows\SysWOW64\Accqnc32.exe

C:\Windows\system32\Accqnc32.exe

C:\Windows\SysWOW64\Ajmijmnn.exe

C:\Windows\system32\Ajmijmnn.exe

C:\Windows\SysWOW64\Ahpifj32.exe

C:\Windows\system32\Ahpifj32.exe

C:\Windows\SysWOW64\Apgagg32.exe

C:\Windows\system32\Apgagg32.exe

C:\Windows\SysWOW64\Aojabdlf.exe

C:\Windows\system32\Aojabdlf.exe

C:\Windows\SysWOW64\Afdiondb.exe

C:\Windows\system32\Afdiondb.exe

C:\Windows\SysWOW64\Ajpepm32.exe

C:\Windows\system32\Ajpepm32.exe

C:\Windows\SysWOW64\Akabgebj.exe

C:\Windows\system32\Akabgebj.exe

C:\Windows\SysWOW64\Achjibcl.exe

C:\Windows\system32\Achjibcl.exe

C:\Windows\SysWOW64\Aakjdo32.exe

C:\Windows\system32\Aakjdo32.exe

C:\Windows\SysWOW64\Adifpk32.exe

C:\Windows\system32\Adifpk32.exe

C:\Windows\SysWOW64\Akcomepg.exe

C:\Windows\system32\Akcomepg.exe

C:\Windows\SysWOW64\Anbkipok.exe

C:\Windows\system32\Anbkipok.exe

C:\Windows\SysWOW64\Abmgjo32.exe

C:\Windows\system32\Abmgjo32.exe

C:\Windows\SysWOW64\Adlcfjgh.exe

C:\Windows\system32\Adlcfjgh.exe

C:\Windows\SysWOW64\Agjobffl.exe

C:\Windows\system32\Agjobffl.exe

C:\Windows\SysWOW64\Akfkbd32.exe

C:\Windows\system32\Akfkbd32.exe

C:\Windows\SysWOW64\Andgop32.exe

C:\Windows\system32\Andgop32.exe

C:\Windows\SysWOW64\Aqbdkk32.exe

C:\Windows\system32\Aqbdkk32.exe

C:\Windows\SysWOW64\Bgllgedi.exe

C:\Windows\system32\Bgllgedi.exe

C:\Windows\SysWOW64\Bjkhdacm.exe

C:\Windows\system32\Bjkhdacm.exe

C:\Windows\SysWOW64\Bbbpenco.exe

C:\Windows\system32\Bbbpenco.exe

C:\Windows\SysWOW64\Bdqlajbb.exe

C:\Windows\system32\Bdqlajbb.exe

C:\Windows\SysWOW64\Bgoime32.exe

C:\Windows\system32\Bgoime32.exe

C:\Windows\SysWOW64\Bjmeiq32.exe

C:\Windows\system32\Bjmeiq32.exe

C:\Windows\SysWOW64\Bmlael32.exe

C:\Windows\system32\Bmlael32.exe

C:\Windows\SysWOW64\Bqgmfkhg.exe

C:\Windows\system32\Bqgmfkhg.exe

C:\Windows\SysWOW64\Bdcifi32.exe

C:\Windows\system32\Bdcifi32.exe

C:\Windows\SysWOW64\Bgaebe32.exe

C:\Windows\system32\Bgaebe32.exe

C:\Windows\SysWOW64\Bjpaop32.exe

C:\Windows\system32\Bjpaop32.exe

C:\Windows\SysWOW64\Bnknoogp.exe

C:\Windows\system32\Bnknoogp.exe

C:\Windows\SysWOW64\Bmnnkl32.exe

C:\Windows\system32\Bmnnkl32.exe

C:\Windows\SysWOW64\Bchfhfeh.exe

C:\Windows\system32\Bchfhfeh.exe

C:\Windows\SysWOW64\Bgcbhd32.exe

C:\Windows\system32\Bgcbhd32.exe

C:\Windows\SysWOW64\Bjbndpmd.exe

C:\Windows\system32\Bjbndpmd.exe

C:\Windows\SysWOW64\Bqlfaj32.exe

C:\Windows\system32\Bqlfaj32.exe

C:\Windows\SysWOW64\Bcjcme32.exe

C:\Windows\system32\Bcjcme32.exe

C:\Windows\SysWOW64\Bfioia32.exe

C:\Windows\system32\Bfioia32.exe

C:\Windows\SysWOW64\Coacbfii.exe

C:\Windows\system32\Coacbfii.exe

C:\Windows\SysWOW64\Ccmpce32.exe

C:\Windows\system32\Ccmpce32.exe

C:\Windows\SysWOW64\Cbppnbhm.exe

C:\Windows\system32\Cbppnbhm.exe

C:\Windows\SysWOW64\Ciihklpj.exe

C:\Windows\system32\Ciihklpj.exe

C:\Windows\SysWOW64\Cmedlk32.exe

C:\Windows\system32\Cmedlk32.exe

C:\Windows\SysWOW64\Cocphf32.exe

C:\Windows\system32\Cocphf32.exe

C:\Windows\SysWOW64\Cbblda32.exe

C:\Windows\system32\Cbblda32.exe

C:\Windows\SysWOW64\Cfmhdpnc.exe

C:\Windows\system32\Cfmhdpnc.exe

C:\Windows\SysWOW64\Cileqlmg.exe

C:\Windows\system32\Cileqlmg.exe

C:\Windows\SysWOW64\Cgoelh32.exe

C:\Windows\system32\Cgoelh32.exe

C:\Windows\SysWOW64\Ckjamgmk.exe

C:\Windows\system32\Ckjamgmk.exe

C:\Windows\SysWOW64\Cnimiblo.exe

C:\Windows\system32\Cnimiblo.exe

C:\Windows\SysWOW64\Cbdiia32.exe

C:\Windows\system32\Cbdiia32.exe

C:\Windows\SysWOW64\Cebeem32.exe

C:\Windows\system32\Cebeem32.exe

C:\Windows\SysWOW64\Cinafkkd.exe

C:\Windows\system32\Cinafkkd.exe

C:\Windows\SysWOW64\Ckmnbg32.exe

C:\Windows\system32\Ckmnbg32.exe

C:\Windows\SysWOW64\Cnkjnb32.exe

C:\Windows\system32\Cnkjnb32.exe

C:\Windows\SysWOW64\Caifjn32.exe

C:\Windows\system32\Caifjn32.exe

C:\Windows\SysWOW64\Cchbgi32.exe

C:\Windows\system32\Cchbgi32.exe

C:\Windows\SysWOW64\Cjakccop.exe

C:\Windows\system32\Cjakccop.exe

C:\Windows\SysWOW64\Cmpgpond.exe

C:\Windows\system32\Cmpgpond.exe

C:\Windows\SysWOW64\Cegoqlof.exe

C:\Windows\system32\Cegoqlof.exe

C:\Windows\SysWOW64\Cfhkhd32.exe

C:\Windows\system32\Cfhkhd32.exe

C:\Windows\SysWOW64\Dmbcen32.exe

C:\Windows\system32\Dmbcen32.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 144

Network

N/A

Files

memory/2056-0-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2056-7-0x00000000002D0000-0x0000000000304000-memory.dmp

\Windows\SysWOW64\Kkeecogo.exe

MD5 12865f5fbe2db4b8b83cc051795bc544
SHA1 557f30bf87a375aa657b19aa231d89d4e5947850
SHA256 b14eb691e1b12fa68ec0f7bd40ff6d3ed1f5760d864055009726471e4356da31
SHA512 c987823163726d3794b7576501f24ba7667fc9b6c1131c2c43f2ebb6ef05592f10833cb631c3698613b88f78a588ab0e94dfff1e74b0f2643a7d1b2fe3f38794

\Windows\SysWOW64\Kaompi32.exe

MD5 ec0da11931eb323ea61a2de7831b5362
SHA1 5685be61a38651cee2c143fb1f449e86de317275
SHA256 053d3dcf49ff58dddc0c51cb8c724722e7c185d91100f1ec7b84754116df81c3
SHA512 aacbda853b6ffb837aacbe20699a929f2af3fb2b8a19633f06719536f8abcd6c1560f0fc2334a66742c9fd8691ea133586023f227e2dfabbcef6da6975d10ed9

memory/1636-26-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2696-18-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Kglehp32.exe

MD5 442eddafe7d21a77ff130e25cb108ecb
SHA1 bf3428f6ce1f0d15976539550935cd6fe9ae3503
SHA256 dd1f1adc6731a6fd59aa76644c0075fa5a0b0d316a8cf4bad8ee57de94e8dc19
SHA512 61f29062a5e3390f96691894202baf20ef937d865725758ca93c6f21793cc6b700f831788067f8511f8551fa731d82bf7b4f12a1ef8cb9fdc7a9120a9744709c

memory/2704-39-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Knfndjdp.exe

MD5 343e2fa4637636c210d38a5f290ae436
SHA1 bb8ea3b67e0fbe66858b7d4fbaf8c5db25d5a9d1
SHA256 74edd440be9423680b6f5efcc492911ea7cc129d2c342476a4966179e77afe50
SHA512 e551629a46937adef4aee1866771bc6a04ab381634b266a03a9db341de73ff45103d0da68d0d69bb31a78fead04919426e0dbaa92febf2dce04ac21fa4f072a6

memory/2896-66-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Kaajei32.exe

MD5 d7c8d7ac6e7287806c23a89702c9185c
SHA1 838d7f56d758ada3c349a921acfdc41ec939e562
SHA256 92ee6af3146a63eb7e8bbc4e7d081db046378cbd710ef19b1674bd53a05a4690
SHA512 0ba78ca159479758c5027e17bb294d5f9bfc2f2ab5ac31f227933af9cc43e2aeb31d751efeb80fece1beefe27bca17bc31ea3161f27b9dc08dce056378ac0323

memory/2808-64-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Lhgccebd.dll

MD5 7b53cecd81c626a45ea653da141f606f
SHA1 b1deb100632138d8e9504d331deca66006cca08a
SHA256 4274f2f504bbe4358c869bc6dafc8252a24d2c5c876da78016a0900c5b5ce25c
SHA512 7bdbc4f4289e144bfba2ed9f14a5aedb02d15b8d9a37f8f372405418cac0861c53c52fe8f16458f01e5173cfa91a5c6a2ac87a587aba8805112caa0de2e14f80

memory/2704-53-0x0000000000280000-0x00000000002B4000-memory.dmp

\Windows\SysWOW64\Kkjnnn32.exe

MD5 ca95ecf67dbe6e8b0bf6662154bcb670
SHA1 7a98754f735358ffca100f02e87ebd03282aa21e
SHA256 c44883a1970fdac245805742cf85a522184fae6c002d5f367b682ebe5cc3ab6b
SHA512 44a222c44652c7dbafed334dc346d2dc2b3f73971148f10c4b75522b9ed20b1696b53f4256e9bb4efa50fc9987ac08a005387d017dcfa7a72463a0ff40abf2ba

memory/2960-80-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2896-78-0x0000000000250000-0x0000000000284000-memory.dmp

\Windows\SysWOW64\Kadfkhkf.exe

MD5 366b4ae0468158a0c623374e4741fdcf
SHA1 ade88e70d4cfd01ab50c12ba6d6f88d600eab222
SHA256 bb94cfcce67a0791f7393bfbf9b0d55568dac4663c8970e1a6973bf7536abc03
SHA512 51e44b644c072d0e1f09f50918d0c5cb60ad4d5d5e2eb1ac754df3c8690940d38d9d8e51327f1df8af923e42f32d8d2b1af42d8157a276fa3273ce904eb8b3ef

memory/2608-93-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2608-101-0x0000000000260000-0x0000000000294000-memory.dmp

\Windows\SysWOW64\Kdbbgdjj.exe

MD5 f514cef44a9678bf81422b35552535ee
SHA1 1633e097168342a97c8649534b901deb5ee38ab5
SHA256 6f1dd41391c0f192f450d2b6a577c7eb3ccd5f582ea9f940ce149981130f58ef
SHA512 29d320e4d16f6eabb6932361651bd1ff9852e8641a650d5985f2cd4ca6a18a9532caff09756e38a5badc94b6888e1fba406ed9d988ae2ff145cc34f3e7ca3b9a

memory/276-113-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Kgqocoin.exe

MD5 f251b79db82187ff07119d8e243e2ab8
SHA1 269861df66fbeee39a48504c11921fe433a9b28f
SHA256 7b919de3bde62822b372385befa0cb4021a6a38fc0ae72beaa10f93547348d19
SHA512 8900c4e1a3b404e43a03abcafcf7db8da924e44c716a9f538674d447ef962de8a64267218d91fb2049c607571aeced2a001f8462b11cb1ba153ec50bcd5a9db1

memory/2036-121-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2608-112-0x0000000000260000-0x0000000000294000-memory.dmp

\Windows\SysWOW64\Kddomchg.exe

MD5 67189bfac70b1afbb0623bec7d197b30
SHA1 ed0767199c7658c5a7d3a67522dcf2b994fc75fa
SHA256 d06569f62cf6229425748c5fcd503968d09965f565bb918f1a9fa312e4552cc1
SHA512 b002595a0c5589ba7fb2493d8635b5dd4cb5e5a50c4bc201b5796f2bf78d6906959b3cf8279618fa22fbe525a751407b19a37c67b8d685ec250b98ad49070fad

memory/2796-148-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Kcgphp32.exe

MD5 75d39f1becedbc2751651614cba4affb
SHA1 b0de63dc33af645a8f67e89b277b8514a93216c6
SHA256 da5e2d2202986b4608c369622776f1a22e53965d4a4e82fe050a7216175086a1
SHA512 db5cad02272da507f84c4df1e10af6abbe33ce1386c8e7793226eed72eb11b16798f4b502dcc09ab3e4e99b4eab790b9f1c25a8d8c0e82c9af00e27881065252

memory/2964-140-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2036-133-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2796-156-0x0000000000250000-0x0000000000284000-memory.dmp

\Windows\SysWOW64\Kpkpadnl.exe

MD5 aaf2ddb45be6b10a137db5f35246777c
SHA1 9ab66aaab51722d65a2f867cf94e1f904674809f
SHA256 1810d6e9ab4f6a37d049427ef77a6f5e4c10405d0d3fc6e5e47bb375afbe832a
SHA512 f440dd106dbb8b7ee6b4eb342e4786102a95b687eea7591168a2f9ea963f2953b0db323ec1a6a54c225578c5fec76f8b0cf34329eeca9d4149e4fd80322e77b1

memory/2152-175-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Lgehno32.exe

MD5 ecef93584007725e49f979fb7915313b
SHA1 7db21099b920d77ca560e919586eeb37deb92342
SHA256 fb26a36673e29a4f77c1045e3e61cbb39dc0f3a78cc845104959d6918cb39ede
SHA512 6e8f2e39cec84ebe1647ec78ac5573490db2aff089c6ddc6942c62b050c53707ea0884a4015322599724e215b81765e725086eb4b40c410c752af5e93f959a62

memory/2936-167-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Llbqfe32.exe

MD5 ad1b229b96efc90ed07aa59e59daf4cc
SHA1 6eadf6d70af742854d76ca1d7efba9fdd40fd41f
SHA256 b4b6dfcb81e931ff8f0505f56137018e30819f39bda6784c25b7a0eb76007b95
SHA512 48f8d33e0cf12acec33dbe64cc4592b02639fe34f102584fa5f0e6b9dc80e543b75fc6824bfa782917d77c399b52ebdd8c188c4f308b114d68bbf23ed88f95c3

\Windows\SysWOW64\Loqmba32.exe

MD5 aae7d46de6bd4f115d7203d3c94db250
SHA1 11685db0fd18a59de50581baa64bfad5a9bb4f7d
SHA256 250b757aa453faf748e466180f4c6d126b09f4ce5921aeab17f6a9912d466398
SHA512 91934357b561ec6f16597c6bf948742f9a8884916545ce2daaa136bd052ad6ae0025b48f08c688ee952c7fc266a84db8c86cfaa5b22e5bdc89cb3cb493b2125d

memory/2116-201-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1680-193-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Lhiakf32.exe

MD5 7b1513addc605afa4fc167860fae9574
SHA1 3916e3484fe491127170aa02e55f8d3345064485
SHA256 5f210c78d70033f8cf5d77fea99f9b8cbd735b166d4b93330e788599c6740a59
SHA512 141d75c2792aac005f507e9f04cf7de0e591bbcb2d9e041c3b289e9bef60c3deca92904510ad7880cfda1e4093608269f1744393601bfc704a0f58a93199eccd

memory/2092-219-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3056-224-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Lldmleam.exe

MD5 b8932acb0885f5a846365eec9be329c2
SHA1 9c4af13342a905957bc8efcda6c0d7d6aed6e71b
SHA256 fa094ea199d53cb4a6f7898d5a3e3659029bf8f7b8cfdef31da246b0644c8f81
SHA512 5a9089d29505389032cdb8ebdbadd3d5c098c06291c0cce93d5ba5ab252a179fa44c16b83ea0a49b642f97c312a28fbda2f899a2ddccb36b401a753a34777ece

memory/3056-230-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Lbafdlod.exe

MD5 b03b29affd274a1a0a197713083c927c
SHA1 c0f4dbddcd4712a1edc77d7ec36c82ebac2b46c5
SHA256 6d114f95cebf9446058056af762b51536976cabc37dd9afdc46bd2a93d4ddd1b
SHA512 413e0fd278a4c109a0c303804f608196fa7587dea6a393f06c0d52d613299eeaf9dd7d3c92cb24a18d1e580876e2f5855a30cef43a7990d8e960ccf29a7cdb42

C:\Windows\SysWOW64\Ldpbpgoh.exe

MD5 d1a57571f568cb7a70be6d7f8265bb06
SHA1 0d3502dc8a099df01021b9ddc0c286165b40be51
SHA256 b0520ed3f86ff47c178824b30b8cb9d428abdf9be8858270c36d6535e30b88e6
SHA512 c4f4212431561528a10a9073d929ab9b9c31ecd1026673e7b754830d32de9dd6c614be021faa3b5cf9210aa9acfd4dfa2b648420b159833fe8a24cbc08505181

memory/1724-238-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1724-243-0x00000000002B0000-0x00000000002E4000-memory.dmp

C:\Windows\SysWOW64\Llgjaeoj.exe

MD5 3c5ebd6d834ae9a3a72b82db5119fa77
SHA1 acac195d8d550db9bd3bf06ec9c0e1756ee41bf2
SHA256 3649e94777a72f331b182aa32c276428e84b1529e9e07432cf7ee1c316e5099c
SHA512 5edd2fda17ec5b9bb64dbf5543ad7acc9253c33af5c566d27b8fce8d6423b8ae9bbcd18207676bd0f3a169605f685a763a7baa2e7a079b0255790388785357fb

memory/2128-255-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Loefnpnn.exe

MD5 5380656386198714aa049c9c9b328f20
SHA1 fac4e120dd4694a01edff06c46a32c8e51b58675
SHA256 966cc917c7d8b7209aef194f3f4f0d3b71ae9ae6393bac82674b5c5fcd1dfc92
SHA512 83531e0b2ff6231ec85cac815bcd23f3a2c3a7a8573d708b5db601cf11213a3aef7bd95d892d8a6ae0df85099cd12a10a130cd6f318e7074bb170585219ac28d

memory/2312-261-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Lfoojj32.exe

MD5 79b9162628394974b8fed82daee58a8c
SHA1 c1ff77b12ff9a275139584f89f65cad48091168e
SHA256 a31528f7d95d9da3dec7ffc46fca4815757b72fc1a3b0fdbb71fccebb6040627
SHA512 98ee01593f22c0d562a769ee8ea135269fd12a6e1b6754a1e596e77874513ef681f3eda88a4dad2111bb88068329b4d61fe8b020c16ca62472d47f4ba5212403

memory/1052-280-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1696-279-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Ldbofgme.exe

MD5 26d2653bae05899faa769d9814027348
SHA1 c3c0413bd51e7b38991fe45e90f784cd2090abd2
SHA256 e6d7914d3e65c3cc47d0abea1b392e19430b7353503aec203be023228a8e3de9
SHA512 29c59d4ab420e95b1e825a59daeeb85bf10508e796ae1661e3faf44c9e4b1ad3759c06187660f09273a3fbe6527ccab58ae5df18f110d7926aeada379045c2e5

memory/1696-274-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1240-291-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1052-290-0x00000000002E0000-0x0000000000314000-memory.dmp

memory/1052-289-0x00000000002E0000-0x0000000000314000-memory.dmp

memory/1240-301-0x0000000000280000-0x00000000002B4000-memory.dmp

memory/2444-312-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2444-311-0x0000000000250000-0x0000000000284000-memory.dmp

memory/1504-313-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Lddlkg32.exe

MD5 bfbc1b114a654a536f728bf905941ad4
SHA1 5ec3602ac614ebc55634da7e80b343099bbdb24d
SHA256 b24b00e1f01602b619258f811200ff02f8b3d387a4563fd10f538e91bb8bb938
SHA512 6f40a1cb7f8ed0d0073948454d662d375fd9d65872c15a1c46d9ff3ea9ea374c6a98ba10349ad7f55b209dbfd37891ad2e5fda53883589f1960c59c75369118c

memory/2444-302-0x0000000000400000-0x0000000000434000-memory.dmp

memory/264-324-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1504-323-0x0000000000250000-0x0000000000284000-memory.dmp

memory/1504-322-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Lgchgb32.exe

MD5 f4d117e2f7781b8b85b5fb0726d12a55
SHA1 1d8471433fde7a9396f6018ad66f7aa99ce638c3
SHA256 2f6183db1bbfb4aceae7ba5eae808cd789d05143dc4d7bc10bb35ca61a6e749c
SHA512 e90d91c60c6610f8986113f26aa921d00468fe024f973a781ac56841a663d813e73e5587c3680fb392e1c7ffb3f6c81f50d371afa489b439024112add9791698

memory/1240-300-0x0000000000280000-0x00000000002B4000-memory.dmp

C:\Windows\SysWOW64\Lbfook32.exe

MD5 0c05ff949affdf2502ebd7edb4456438
SHA1 35ddc4e28e0002ec834e38ac99c31f5d07561547
SHA256 5abc8c5ca14f15c9b0f0c1808c7c4140e6f58b8423efe65dff38c2ed132db685
SHA512 58d88f385870162370c91f34353dc28fa0b09c9dc1c81d8802d9a97967501b6e1d1fcfaff3737370ddaba641871b10f0bbacdffd4adabb366db48db15f8b39bc

C:\Windows\SysWOW64\Lohccp32.exe

MD5 f7a53a814af5fcdd5b7345fb4077fef4
SHA1 eb81af97807a1081466897294fad213bcf2dc851
SHA256 5d526c3ec359cec2457ca5e5e83770e80be27cdbcb9281d44458f0a63ec95f8f
SHA512 1ff5c9999151c555dca68118c5e39b407b2e28b4dacc2217a5c7d325b0b0d2998056fafabfa0ab39094bb8ce4977e8d45c863bdade1d6b513fc36bd94feb7fb9

memory/264-334-0x00000000002E0000-0x0000000000314000-memory.dmp

memory/264-333-0x00000000002E0000-0x0000000000314000-memory.dmp

C:\Windows\SysWOW64\Mjaddn32.exe

MD5 f7e0a40c2145de27bcbaf6cb59c1ebc1
SHA1 43c1c486e322da1601ff110db67b4a75ecf010d8
SHA256 eff4ab200f66ac27811e113232eebdf5e7d0c3fe90aed9d11f88682ff31fe29d
SHA512 0b27b76857ab6db88e4a26be391a8812f54a8808bf657372b5ba1ede5278473683ba646b7ef99f2dc71efb003918873b4bc11f6df077a5089a99d16216652fa9

memory/2208-346-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1644-345-0x0000000000250000-0x0000000000284000-memory.dmp

memory/1644-344-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Mcjhmcok.exe

MD5 4455d99e3a75c9d0e7769250690d89d6
SHA1 85bda169706e61b18fd62da40da412a0c2fbba09
SHA256 3881303d5cd147d3a12486125e1d10572212ad1531461f787cd38ea5d7f3dd24
SHA512 9228f01ead82504d2f2c3179c1f263ebf8108a90e3641f65534d9664abaf5c828ed37429e3feaa63e650f784baf02f71840c540277e754fd67a8fab65d6b8e92

memory/1644-339-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2764-357-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2208-356-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2208-355-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Mqnifg32.exe

MD5 0f9f934c01cc353bb955cac431b2fc50
SHA1 6416c2b84f2dbee6f987fdf173af7f094fbe222a
SHA256 05d74f2dd4fd711ca0f9b081257de2d73a00121fa1705cc871cc6826f5ac7bb7
SHA512 9b4f211b22d2b62d2c4ef679e515c212c635100c9e30226f0c9f8c07a7379ecd0ac955f42ccc6e55a2a08933b5cd5bf5e5d8538d25f90927ae5af9e3f375d826

memory/3036-368-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2764-367-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2764-366-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Mclebc32.exe

MD5 4fd2c664b6feb489abef60eb0ffeeb01
SHA1 4a56952d25abb1fcd787fa1d351ecdea79c1bf20
SHA256 e2dee05928e698899d1b9e45c326097afffb0fefcd6af0f3947ea2f133ada048
SHA512 cd505b41abe8856ee420bf653427d10b5166e9ebf118416011ae003d57842f393516dbf337e0900e124a9d0adce57c592d5a34d4bb09ada917082909651a022b

memory/3036-373-0x0000000000250000-0x0000000000284000-memory.dmp

memory/3036-378-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Mjfnomde.exe

MD5 5d5e71b8faab4bb0addb164f56d07447
SHA1 be58d04037fd52ccd93bbb1b8751bf78bc07ffdc
SHA256 e02f9678124e2ff7d184c2c38c11e63393ac46bef0193d654ccee7b18ff8c859
SHA512 f90bd0329dbaaea7c287484981fdc2a370276336e9b6483ba4750a5f551fcdae089ada97b7fa40605d0a938b2073c621c0942bbd45b81e0d98eb08d95b52f486

memory/2660-384-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2056-383-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mobfgdcl.exe

MD5 fd2990124f684132d797c6654125259c
SHA1 a910ad329fd869551b8314035265d73257329667
SHA256 1197d4fa5f4150ae849d6de954de0610c6ba380c5760dd6eb8dd66b887aa6203
SHA512 60552d4bf0efdb339577e26e69ad2dc2eaac2a190e08e4ce53f376098813ebe90d79d36c2d8905d9fd389d28bb5bd0a5b44c84ea243095eac14a7f65a1511de5

memory/2660-389-0x00000000002D0000-0x0000000000304000-memory.dmp

memory/2676-390-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2704-401-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2676-400-0x0000000000280000-0x00000000002B4000-memory.dmp

memory/1636-399-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mikjpiim.exe

MD5 dfdc54cd965f0ff58e0bf891b3f3e92b
SHA1 817098da0e63914ff54f82bb8a235d0aacfde9b2
SHA256 f043aaad967ea8ea455848870cb9d07f676bbff59249786cf6f6b27e214bc218
SHA512 84518f6310343362b97416fdff65f3b1234041c6c5388ecbfdb6267ec035125299287a8c3ee76869c2551f906ed54b528c25b6501c0f9f89ee4a8cbb767a5a0e

C:\Windows\SysWOW64\Mqbbagjo.exe

MD5 02da538995bffcce351c2e22d7bc41c1
SHA1 36dc5d99ae40dd7da460d75e3d0ba84c7755a936
SHA256 74640d744ec087bec53c10eeae38214110cc7f40ee1d95542ab993562a9a802c
SHA512 381036ea60c211d9458f6088bf5cc896fd5d0bf4be4d9355cc22b781006798ebd13e2c641a98f5292952642140c554d0bf503bc71b77a0b742b78b45b349a900

memory/344-412-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2328-411-0x0000000000280000-0x00000000002B4000-memory.dmp

memory/2328-410-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2328-413-0x0000000000280000-0x00000000002B4000-memory.dmp

memory/1420-424-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2704-423-0x0000000000280000-0x00000000002B4000-memory.dmp

memory/344-422-0x0000000000440000-0x0000000000474000-memory.dmp

C:\Windows\SysWOW64\Mbcoio32.exe

MD5 2bac5aab2008679fdffe939ef36d0ff5
SHA1 d413901ab67f121ce5e464385093c5b0103ac66f
SHA256 56e01f4aab1cf84d722f60fc1af7922d0efe6e8954eea749a2579533477562a2
SHA512 b410bfd7cc97de92f250e9a9c94c9f84b1af29744b9cdfc7d77aadc2ad51a6116ef6dcb89f3e514da3f3a8b3c26c0fe2a71b9f1dd6582d35d67f22bb0b4e2735

memory/1180-438-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2960-451-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1148-455-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2608-454-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2968-453-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2968-452-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nbflno32.exe

MD5 8114ce540974e8ede6a4074602c38841
SHA1 63221c5ec2250b6273c1d92d0bb095eefe74919d
SHA256 f1592ed738421a02022bb1ed32da2d4d03095d8fc551490c838733a9160ad971
SHA512 c1166fd0c505191956555d8976c06bfa08ad453f07f761f6fb9b3e63c9513e7cdf1df108dad441a8118a3e8aa9b8ff945f9585c256850228092179463058cab3

C:\Windows\SysWOW64\Mcckcbgp.exe

MD5 41ba695edaf767f1c0da38198406afd3
SHA1 8d2af6dfcd271186bfdad50c5cefc9595e3860fd
SHA256 6b3ade92a5358126c1dcef0ba616f81fd58633f1f675602c54fdd9acc7a65775
SHA512 c4c6563f3bdf5dcc3a9c41cfd866e3db8656f0777af62e240c6ffd28ae26b9fd54ce9649e8647f6fe41496d4566840761cf9122d3c8f0514c4ef0c4b3bfb7a51

memory/2896-433-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Mmicfh32.exe

MD5 4f74ed1093103df0f1c00704431fecd9
SHA1 bae873d83e5ecb5713fc6c17241873c197166763
SHA256 fb2325afafed6e9056f79a19064a42c62cd0e76763211a459162e2de113d02ed
SHA512 a570ebd6accd52ec4faa5afc527a192775581717d67a761063560dcfbcad8bd33189f8b1eae3dd6699c57410785461229d036f47234a78c0adf54e83c297aac3

memory/1148-464-0x0000000000290000-0x00000000002C4000-memory.dmp

C:\Windows\SysWOW64\Nedhjj32.exe

MD5 88af1431647b2ea7de9e17abab3b6775
SHA1 f815b294f2a9f5da0f33df3c4a4329ba163019f0
SHA256 e374d1b4a7585827c8ca7f1c7f67df4d2514fdf21b1c764a6c02403208677cf0
SHA512 81f7af227c81928de5073c2fe81e8a91a8134a7f810720c2700ae6dbef42f629d7a2f3bd0b87240dc72d291162b79bb298c9019324821e188b6c991bca14cfc2

memory/1736-469-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nnmlcp32.exe

MD5 ed1af8d7de0bab3f6f46731dcdeaf631
SHA1 7ca63d5db2c9fd1769d3721d46c5b699dd04d587
SHA256 8dd4050903e786b5e313d16ea1dbed474e044c83921f2e9c9bfae8affd8089be
SHA512 acf20ba60cd1451cd95f20bc505f119e1f32cbc33b730c67cc088a6eba7464257f734ad7bb834c3cd72f5f6ddb6fb4c46222c4f9a9716fea36dfc1a43a18dda9

memory/2036-479-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2104-474-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nefdpjkl.exe

MD5 5b6fb45c0c68919d6ae3e70b968a6cce
SHA1 12fc59ac04fec6b658ab3ce0fb2d299fb091ebef
SHA256 07db7aec5e0d93fce9621159cbaee725267cb95f535709f2dc82804a710adbdd
SHA512 9ca4221aa8550397e71282500abcb97eac3006bfa58cccf337cce6ff372f3e4b8e92dd7e97e3972fe20cff2837f992ae85ae25653796d9f472565ef24e9fa900

memory/2036-482-0x0000000000250000-0x0000000000284000-memory.dmp

memory/916-490-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2964-489-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1116-496-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2796-495-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nlqmmd32.exe

MD5 e48f4c445ea8da73d48846c6caf28b65
SHA1 3324b4df9ce048b3627a311b4236baedd01301a3
SHA256 0f8119dcf6fe85dd9f4a11599e132f434263d5b1082c26edb333c95314f075ae
SHA512 995116d9c05c9399561181cd3ce4e0ab71b7b62bafdd26653f3402eab13b99201e81a4988522b322a244d6ac304673b2ba29707fdd919eac79ed1d84f43b9e2d

C:\Windows\SysWOW64\Nbjeinje.exe

MD5 077e1b040801a1f3481992bcc0873933
SHA1 a4338e4bf3c5a58d0f053f776f9a51941dedfd51
SHA256 c7c8840ada05ecc017ba4b33f388c1e236166b33c5de016aaa82b0949b32c1d7
SHA512 4f5107d29d0f30dffdd9a578ae66e1d9036e2e2a05c6ed6cedbcc4e81927745e965c7325f8c09b1db0b0ed01df27ede5e27c0a20dd30b98a1b37951bf2610161

memory/1860-506-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1116-505-0x00000000002F0000-0x0000000000324000-memory.dmp

memory/1860-515-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2152-516-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1660-517-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nameek32.exe

MD5 8867f3a193ad4b667ae2c9b6eec49141
SHA1 b595368909b993a9eb53cbc7383c15fe18f56904
SHA256 2d252f5a483a6b6ff9bc3596e93a536c88c2aa51ba5b862ba3512817fc46e26b
SHA512 c53b2422d66a0f8c6de4790c52258a298ef544815394f327c7f3e7be32bdd90b958747b2745149abe93866b51b020ce5f7bccfcef05779676b5954c4e35e5736

C:\Windows\SysWOW64\Njfjnpgp.exe

MD5 678860eaccd1fe8eb16ee57aa6a90827
SHA1 7f7653a985d160ee33b3154b6b4812cfeef5038d
SHA256 030a2439bb777399c109921f2be5bc6063327b07a83f934ceb4d9486fa5711f5
SHA512 99b1cdc39a76fc8c9ea54795eeedcd6c5964ef67caf5a66b67ee5474cfe43e73d32d85dd7657780c079dc7d8b7a84c912960b9aa88d9d13b036b476e6edd6d7b

memory/1776-529-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2284-536-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Napbjjom.exe

MD5 b3ec606385295d9ba72f2e573c2c1d4a
SHA1 aa13bcd600f5d3c210ecd9ad906ad5b3af5da2ab
SHA256 bf9b1d71d68edeba56772b60ded033fbbd602188318887e4652fb8c24883301c
SHA512 c20a333ed1e3c487ae1807a4ebda3089dbca1aedfe36a6e0465b1313d39b844e9c3cb890e37cfd3ad1be87eb68aa77b01985aa163cc87648b2a719e1868365cd

C:\Windows\SysWOW64\Nnafnopi.exe

MD5 affa7333dba66f41c736dff371eb5c4a
SHA1 ef2b2f9b4b5b83cd9020d86692f726d980fadb49
SHA256 173dd6559ef51c627fe160bbdcd77eb9ba99cbb6884f78080ffbdda3282bae5f
SHA512 9a5a556fca1e6701131be1dda99d7051bba597519c020e22ad692f08f679b9282f6171066544699a893142a918a7befcc81ce7cc3717adc8ad8174ae2da203a5

C:\Windows\SysWOW64\Ncnngfna.exe

MD5 ff4a3a1de02551c5358a63e8383e194c
SHA1 291eb5289626bb53dc701bd2e1e1d176c2e861c0
SHA256 01137a0b549241cc2a4244fcd9dc38d6ad49d208f4b4c0bfd0ec7cfb1029199e
SHA512 887a1e905c3e65ab49ea096f260dbb04eb3c371e666a964d1cc3cb594d5735378546e6d51ca0d0831932534b5e0d061d4b3c984f567ce376e66913603d2773b6

C:\Windows\SysWOW64\Nhjjgd32.exe

MD5 b6ee54d17ca7e72d96ccc8ca1f457aed
SHA1 cd5b62658ecec482afc2fb788057b218981c15a4
SHA256 ca273fe05b2dc0811c88ee7f349102189bf4f98d4a9203e67ae21a900c423057
SHA512 674337909feb21fbcf5ba201607015a6c8b94a628ad0e19c9398d94f18b7f5ac8ba0ba9f1fcee6f7e9b012c257c1d14b2ddc2d00bce152b72adddbe1b8998c0a

C:\Windows\SysWOW64\Nlefhcnc.exe

MD5 87cdc9df07dc114382dc4f1a88ec08c2
SHA1 bc23010158976a567c665f764c1fed224963816c
SHA256 e24e2f8663fbe93704ebb1318b697408f08e200355dc468e7021537cfe631621
SHA512 86488436cce673c565166ee1562bed444de8eb0e57b676eb346708eee762162eb94c76c6d69acd912e097021bd17ab5bf5f86e3ac34b1051a76c7149af57c01b

C:\Windows\SysWOW64\Nncbdomg.exe

MD5 95bf9c20e419f474ae72f9844ef7c5d9
SHA1 4e2c200a75e38121077a8e2b492ee23e831a5981
SHA256 48e3e29db7da356d4faa00e7d1244075fa55abd890efe05b58a6552e5bf9e903
SHA512 766547c5583d37963e7fc8c4ad992ed59acf04f709ee2718f99929418417e4598bc4fff5258e121be64aba3a6a4e1a22d03e451d9e5d460e045db4373aef44a8

C:\Windows\SysWOW64\Nmfbpk32.exe

MD5 9864421c9bc269592fe7568e0ffd649f
SHA1 5654f1cde8d479ac28f8c4753d8fd6e3722404ab
SHA256 753c19e0fbf38562244ab32261e1b26bdcfac6fdb10ac95bfc3e745b6eaae837
SHA512 fcecb3da55fb253ea8a897bea22b5c6c3f8906cbbf737599e181172fbc680cd8c61d481e859c20c150cf11fcece94898ba0e20ca2322d735f542ef6a2aa2b4e0

C:\Windows\SysWOW64\Nenkqi32.exe

MD5 d889e8c31c2466b918ac00424e9aa2e8
SHA1 4402f86b178df67631c9d0211fa32646c3ea94f3
SHA256 0d69d9f68ae4dd8f88c5ae3498068fb20cad1ffab314c040faf7dc522ad3a06e
SHA512 958e6415c707e1ed00cab013b6f2ae0997ce1e1bc0e5beded466fbcef2a6318dc9645dceca062e27454258cc9d53c2b63980fd6f3e850acbb15689acbdb8d25a

C:\Windows\SysWOW64\Nhlgmd32.exe

MD5 4939d0e89c24c0dad747eb56cf538884
SHA1 2dce72ea70a355cac7e2ee6345328f22cfb0d705
SHA256 298372c0ffaf97b85a49b1426402e73dfe2b9600322dc230047b5ad088902a66
SHA512 5c6a9c897487d92d29605c51e0901cbd510579044a09f6b0f2ec1d395429a33143871d16dfb5b2f3c0e21b64feb288f320a22854acf37a526245ed38c437646e

C:\Windows\SysWOW64\Njjcip32.exe

MD5 96aabe1303a3356dc4d314f850c485aa
SHA1 0a87f723b0593b5b9f6c0d649e6f4f86ed470272
SHA256 b73ecb038c6ac7e03b1d0e49c92e4dfcb461d98dbce6ceeabe3eba4744e639b2
SHA512 e5f255b876e6b2397074fc602c14981b675be4827f9f6688165cbf034a4f40c467043bade550b4f4bc08252dfae9248a072cee5d32af9aa2ea45efbc8e174d0f

C:\Windows\SysWOW64\Omioekbo.exe

MD5 289a330ba8080b42f757ac3bf3b880c2
SHA1 1745be269b15a53f8809268abdbd809d1514b36f
SHA256 37d70a81c8cd11235ac1d9359e9b5bc86b04cc31f831cad8595924530436b69e
SHA512 739f7161006cbddb7e4107603ed1fcffaf712fea45875d2fd85601000e1ed33d6e8529503519ebe9c85c082bf7d51266f3d126679cd75a41d798f853a369d361

C:\Windows\SysWOW64\Opglafab.exe

MD5 096114447d584e60cc228b00cdc1cd31
SHA1 975ff815dff0685903c63e9ad381ec0244e8791f
SHA256 aaf6c8aeebcc1797737e788d8ce7a3c67c88da0c24f1ad4f9fd5b59e5c55a27a
SHA512 8c6e3281ee61978caf4defb5f1fc7a3ede8581efdc859f1527c13fa22018036aa051b336ebfb2217c9f2332906f969ac312c562d32b155861220a662b34970f5

C:\Windows\SysWOW64\Odchbe32.exe

MD5 7dabb9e3873bfb2339e131f269235d12
SHA1 b9edda8ce4d75540e7347e9d6e69fcf2c29035cd
SHA256 3fbcaa9922d4e02eb8cdfd77461e12a4c57683db6e70e08c774a791c57831a58
SHA512 454e3b610db131ef83cdfa61e98718510cec8520a88896b6f326b5c9c9a51d7f30f679d07a965712e145d21633323f279a86e4602b81f01ec9ef0f294907f57b

C:\Windows\SysWOW64\Ojmpooah.exe

MD5 90d3216256f2cb534385c06dfbdcf74d
SHA1 343286015381fdd2f2ccee77887e770c91c0919e
SHA256 078a491af35ed926525651bc8dcec6cdd685c8196aa893172bb8d940cf556c3d
SHA512 e706465b017814794fe80b23ee05afd6d230e89f2a2368d7a45b484b8878f39e0f0d175851631077826e7fb610841e594a5ef2b1a5bdf8aa827fc63bff99093c

C:\Windows\SysWOW64\Omklkkpl.exe

MD5 c3a69e03f3ab2b8a80e85865a765dbff
SHA1 3619f80f5be47d8fe558bcc9470770231aaaf2bf
SHA256 1b882f9ff7fc84ed48aa49cf6bedf35c7dc03b5b1537187f394330868472b1d8
SHA512 6841766dbcbd29ba98523f613bc973711332a3a3740d8425431644a7086dfcfe3e5cd836caf4a62eadabb9bc93c7cdfb54899396d72c8f912ff469e8bd04e149

C:\Windows\SysWOW64\Oaghki32.exe

MD5 3046d35019c4e0e9c115e46ede61184c
SHA1 fbad37de59d89613ad3adb1f080b65559ae5d96b
SHA256 793a36cb5cf544530f878d167fe43c5bfb469627a5d13b73d8ea69a172f354e6
SHA512 161540d9f191c11e858624b2c34136e5b53bd9b55f70e51f7fd6dcb775e75340df108d4fd3206e54ac8cffab1aa0387b553686c67e1ae25bfd7fc2266efc23bb

C:\Windows\SysWOW64\Opihgfop.exe

MD5 1031491c154b2824e995cb71256b2c08
SHA1 ec5f07a7a3e53346a3b351671c0a87bdad6680f2
SHA256 94f124c11509a9dd786d4719ba3d787a67a721fe126f30d93faf7b6a4de0e3cb
SHA512 bf5bf4f4621c20de85f1bf284bce0aeee31f2c339fedf09454ea337944d65723ff987317c41a5fe7369889c19d29af83c36f1fb26cce735a415197f93ac52a86

C:\Windows\SysWOW64\Obhdcanc.exe

MD5 53dee30b902a7761ef2249a177127fa6
SHA1 74593667f038065bf6b003c364095be8d433192a
SHA256 6e977ac003af3c168a5b1f8801ae9cd358a10f1a35a80d0431f3c4b571130ffe
SHA512 8b30d458aa9d4c71b8540462a06e31913ef0f58c0ebc0bd4f00b03b7ae99dd15e0cdae4a04183279c26c6a60bb4d371eadc5c8e0adea99ff8cbb9012084b2078

C:\Windows\SysWOW64\Ojomdoof.exe

MD5 a5b3dfc30f0709a4785e995e52a25c4b
SHA1 0e53b0efa769e0657a5db856dbd870e844393b1a
SHA256 7d04439a23cc937374c7c830461eeb36dff51709656bc239f3b3e965f2e0c408
SHA512 3cb726761fa14b73ccb947ca02e46b22411507a063ebac54934056f594e5d28e87facd068b9172c27045fdef7cbbd0de68fdd2c7fb2b39cbc5366514aab2e172

C:\Windows\SysWOW64\Olpilg32.exe

MD5 a63ef90c6df1593e44121c35dce51f33
SHA1 538f6b6b859b378ae7b858a5701402446f4c54c0
SHA256 4e922a8f36ab47d746777dda92ffab1a7805d1aa7dacd3dc773eab2555d2fa32
SHA512 3a7f0b4cbb6221064e7f3d5a3ee6229474e08bf854ca5f13a93af44ec01802a0a874f9289f44b528ea2a7231bbecb8e808ad1f33171f98ec22c80dcf41ed698e

C:\Windows\SysWOW64\Odgamdef.exe

MD5 6d21e3f1b2f99387493b0609900e29dd
SHA1 10ea8ebf08ff657e5b16e86ea22d3c5db0db10b2
SHA256 0d403246d6c0d070d09f1c2ab5bbf4080a680ac81719df82080b78df53c622d2
SHA512 cd036ad222efe8f5b561aef779097038da41b30af769e870e2f69b7eed3ae6cb115f30995bc58a979645940dfccf38cdb2a64ee69fd3def567dc34514dca4e84

C:\Windows\SysWOW64\Objaha32.exe

MD5 a14d4467da81dd380c0ec926313db92b
SHA1 54f1b5d019b778eb12b3d3388e1af750312bdc80
SHA256 be4bdc641c3eeef8d778984a8f04ca01c9263ed677142beed5fd88b1da21480f
SHA512 6948f32d53b1d21b97ebc206803431d310a288bc4a284808e7b539a7109150f163d036295fd82ce641747ba132e8bbf87a7d978e62e5217a881286bbb10d6471

C:\Windows\SysWOW64\Oeindm32.exe

MD5 a4764749e7f1ea825b7f1da24afcb9ee
SHA1 fe7ad612c3dfee8275e8158c2e39c49e6e716a3b
SHA256 127b35167e228d56f0c95572f1f95dbae921bbfdbec3f3320cdaf8762139ea9b
SHA512 666742dce407d094b3d0c907e51300a3da07833191e62ce630000d1316e6945604a40e5035c9bb68612e9970c702b57dc9625fb073ad952ba8f36c4d2e370985

C:\Windows\SysWOW64\Oidiekdn.exe

MD5 6578dfe2a8c49df24057ce624beac1c2
SHA1 0508e8f4d1aefe9a359c2c0effbf8f4ab7a84e3d
SHA256 6ed616b0331abd08a57f31c8d205948ef8f038797ec0de32867f638654ea4e4a
SHA512 3fd6d7a775a1be2dcf5e5380db60e691993aa553f3013ac54faa1175142bcc214c795d5dd90530c84ac99447ee4b22446f7d348081a41d30fea43de8695e8ecf

C:\Windows\SysWOW64\Olbfagca.exe

MD5 f9e7ba3ced014f9026e2710441013eb1
SHA1 dbe72e0f128894ab068ec15ace847a9b4480f631
SHA256 84dabf36fa8034b292618431a37ae220b9c4da49634af1660fca41700c37a9c0
SHA512 509bea10a9de05761a5d45745a3029199d45bfe8d6ebc93522f5f5367a6853fbae9bd7d58f886bfaa0c5c449a8b87649ff39eab753457decca3c03c2e5f009b5

C:\Windows\SysWOW64\Opnbbe32.exe

MD5 6d3445bc4c096347a400111f44c1d3f4
SHA1 feda832adeca69843b667e438835a7e4011d212c
SHA256 27064e1382fd8d1c4cbdeb0aacf2d1223ea7189275ebec5e9b4ced3041df275f
SHA512 eb23b60ccb845e1a53f4ccce7850cf1f2ba31249370a34f01bd45fdab5d83d27dd0c72c0485a2c9d039a9b030c1a375585aa910d09d376c41a82ee4c54d4eb7c

C:\Windows\SysWOW64\Ooabmbbe.exe

MD5 f4d4aa519162c7154cc271005563a915
SHA1 6f16e3959c4aecc300fa5631aea553c3001be0ac
SHA256 74c7b7f859608190f4be7856bd92979574b42ac2098cfffc556ceba2cf5b3e32
SHA512 63f3fe2b56eb7f484913393c617215087572196078946f10b90389a10da34a12ac817c3a6706fcc89bd9840e4cd98e773c64439a5c85999d9cf69458b415b72a

C:\Windows\SysWOW64\Ofhjopbg.exe

MD5 67eece6e54ef50d7092218e81d4e5e21
SHA1 eee32e926a07d750334781cd245a77f2c51e784a
SHA256 ffbf2cbbe1b2afc35d76a6a9d91787828f014533271c651e50c3ba5b4eb59910
SHA512 9e6a4a216cc6b48051011668d54941574c7ac7c5b95bb5d5b2949545d8eff574acf20d82f2c3456e82b87c82c6ab8dce7d8e3da8b72b69991a4fe5566f0584ee

C:\Windows\SysWOW64\Ohiffh32.exe

MD5 926caaa3b16435dc2b4ecd3bb5669a37
SHA1 c75c23ba143dcbaadcb27966c7627c2c024cb0dd
SHA256 7bc2f8932e1eb17ca8a1099d628513120bc0c59d9c737f61d67438e763d01fbd
SHA512 10d6d85e3c8a938ee4079d19db31bca756c964d6c5f51694939a86b342da3d5a73caa2fb64bf24a9a7e1e4be315de642d8fae5c22119613f0132b4676f96f5af

C:\Windows\SysWOW64\Oiffkkbk.exe

MD5 1ba913867d1811d640e8929b78cd25e4
SHA1 6e7e2088cc97f54fac664c683da0a3f595cee169
SHA256 b3b205032200193e4badd76b0a0decd3f1437ccbbb96aaa4194b6a1bd5d703a7
SHA512 8c5ff832473266bc2485647adebe528542a23ce8c88c2aaeedb5a44aa62d8dd2c273b6ccfd0f6538c09d671cd0c8ea4f1178c87da22848110bcb93f6e6f22fbb

C:\Windows\SysWOW64\Olebgfao.exe

MD5 af3eabacd76e031af2ded594a453aaea
SHA1 63a04e7675df40acfa824fc40bf0e661e71299f3
SHA256 1d88dfb22e90ab7d84ccaabe84a58296e659d795f5a9cc16eda7b40505bbde75
SHA512 8bbaa730215f80c51575f0ac6da5ca8ba8c056871a6944625f1e799d22e56c80fde955850dc776a1587cbbcfa8f467046533b66e49fd80ab2d8867672f583cef

C:\Windows\SysWOW64\Opqoge32.exe

MD5 54b40124bd81c5e00284e5d3bf1927c1
SHA1 b6a87b7818f18f8ad06577701032e5f3c950fc1a
SHA256 b7adcad2d068b7d99cf842a591b7778bdb6fc4335fdbc7d98c62e96c92987293
SHA512 cd3d81a3af95df8cd0b61bfc0bc464ffe49cac0e0343403efc8381c3d5fe9891e20a051ac4e64e6e1b4ce38912f8785d079a48421cd245401fe8b045c71df7a4

C:\Windows\SysWOW64\Obokcqhk.exe

MD5 9a93b315cbe797ea7af05a30839a8074
SHA1 e591dcd82dc97573ef4a45a0fce94e7dc2d7c908
SHA256 2cbd36abcf681c3da087daf8fc099ed858769e1580bc36b4f03fe9a04d970a79
SHA512 9ef31bda9a1310364cb09a9044195dbd5c8783ae9748f876b2cf6e788bdbbd12fb7b2c48f86c1fe29739b9785cb09e05552b66a2624590e4d67802b8d8bb6df3

C:\Windows\SysWOW64\Oemgplgo.exe

MD5 57f63ecdded76a3863897e078f99dc71
SHA1 fc43d1a208a99ce9ed047cf350dae7146ed4e8db
SHA256 c9d2241792d68c688c8cf3ed2fc3fd468a533c9906e8f0c9a8d49ab9cee3c5e5
SHA512 17ec3669c091e4bcd37c1c200e657b00611ef17ce2cae760eda03051a583118e7b623102fa1bead5ae0ec7bae8d0d9fd4b145a556d74eba9c532aa3794455a37

C:\Windows\SysWOW64\Piicpk32.exe

MD5 8bf8bc9d197bcddae631d165dcc448cf
SHA1 7fdc7d94e44393990a12fa81a3301d203ca3922b
SHA256 969019cd3b0a4d5c764911b8ba5ceb20a6fbf719f7d6b296025a2685e69a5506
SHA512 64f7ad77232deb42b3fa65c5bb27d3a6bc9bc2bb985358970acc06c51530c48e67974e15d96b9e08c6b25e86ff9d6bade1c1dc25b65b9b8841a83fe367af7cb4

C:\Windows\SysWOW64\Pkjphcff.exe

MD5 bf01ea5bf8ca5953de94d7be2bb1ba59
SHA1 b4e450c0dd20dc451edcf32972ae944ec6071af0
SHA256 c1d691d45174d5e2c00f02993b64817dbc041ede103e6dacb6d0caea3a672912
SHA512 59f79bd4a046c420b3e814bccad3365f0abc57aa7c4118c30d897a47b9055aedba04013f969097ef406a228fc88d717e3aa96c816fd0ca6a2da0f5dc8dbbc858

C:\Windows\SysWOW64\Pofkha32.exe

MD5 7ccc0bc367fb86adeb8e59572b5ff71b
SHA1 7343cbbbf48bc7e00fdf6745bfcea54d9a59758e
SHA256 6d23c003fb7781ab09f28401ebd62e057ddc215bbd4de8eba1995827362c2442
SHA512 3bca37d760c61c29011fb2dcf81f30a0274f39786b3aa91fcf4c2eb0e7a3e1f8987d480d42e2859f1849fc45d53265688c5b2b3bf8a9bea6279d986cc3e1da55

C:\Windows\SysWOW64\Padhdm32.exe

MD5 71a78ff0f5368a75c6721c0b08fe7722
SHA1 b6ba74c7f562a471a401238f810fc233fecb6808
SHA256 21b785af4d57b8ab1cbdaade1c887df43a238be1ed15830c30fed91413d2256d
SHA512 15e71a3cfd5aa2ba75387692f66da0a0cedd99e223bc70c6531ddfe47fa8ae0af2f3fa8d16ab5c9f48fd8f2001847fde6976bafc4dda8f09bc42590c8200e648

C:\Windows\SysWOW64\Pepcelel.exe

MD5 63e036df184946cc2bff5ee2106953a7
SHA1 91c93abc1c8378a0e5a3cf44b8d9378f0df3f24c
SHA256 9ada8132bec97c6da46da7c83df349bbff4faf2ec2451479987071d31b0e9975
SHA512 09456908e89ec86d11e6c352d70504f7d22efc553f502f2ca530a432d52523f6e7b10b8839ec5dfa87e47b92f5efe4245d83d25d70410a454b7869909a93105d

C:\Windows\SysWOW64\Pdbdqh32.exe

MD5 58b218a2bb1dfbf8e4ca3daeca785e71
SHA1 0dcb4de59dbc768feb8a481b6b43288b79a82912
SHA256 6b8998e10fb35e4006c37d2b13143d5902c6419c8e3899ebc4adf383299138e2
SHA512 cf27aa251f7b7e9a0b7340104618454fead040f0c8c1aa143b86942c17c31986bdc759386189af62491211ae9da85a59f0b1439a4cc5a1d578c7d3764cc9de80

C:\Windows\SysWOW64\Pljlbf32.exe

MD5 f95a5cce57c833c3fbeebc48f8af2dc7
SHA1 06ee2e11679f546889789a8e1018c06a23b6a296
SHA256 c29e20ccef500174030411e30e8fbb42dcd9873d30b282edf801048a41450f7f
SHA512 3eb549506132b6447e2c3b7ceaf05537ddd120a9d620fd7e9ea9d7c1c77809a0186e9f8bea92ac121746c5c9c858e795bd788b71265a201f702f164eb26d6c97

C:\Windows\SysWOW64\Pkmlmbcd.exe

MD5 fd4f5bfa082416d9efc54c735dbbab89
SHA1 750b5dc1184eed4485c381c57f5ea404443c67fc
SHA256 fa350aa9e8fa949ba224c66bd217ffe159ec9860ee86dd7cc844f033c09a3188
SHA512 cd984ce75da11ac60a9d933fa972a0405ded2df85b35f600f53c156cffb4f42d179620cf88b4c03e28cf9a8ce3900bd469cccd05557e2c7b33a9b6f576fd54a7

C:\Windows\SysWOW64\Pohhna32.exe

MD5 71322c9f358f30a052f13763f50214a1
SHA1 d2c93e0b266b340d030b653d068f4dbf96dece86
SHA256 48da98e947035d475cf2d9dae2ef77446b857d538ba6fabc3b681cbb8f4b4125
SHA512 4689176c982eb87fa4f51937278f95860d17e4813d9354c9feee337d787dbd158dfbd1e9b6b6adaf8dafe3ad6f095843e5714062c4d377366db7223e564430a8

C:\Windows\SysWOW64\Pafdjmkq.exe

MD5 aa13eb24ae9bdb22cd08c987deff104f
SHA1 4ddb814b49b2ad0d57245ea671d9fd4c07e737b5
SHA256 bf30551fd31e73bd0dba99f13d5143ac6e49a426cfcf19dc5b6074219c65c0f4
SHA512 6ed5d1a4cccd9496c2cf4495da10a51a27af7c4a331bde5d89c83380f6adb5c9383b34892b25c31313f6f5209beb257f3ed7fc7c5bf9e81c343ea6970688477a

C:\Windows\SysWOW64\Pdeqfhjd.exe

MD5 d181f71cc0540d8d5c4a56e7a8e1a31e
SHA1 48d8aed5374c52328f438073b31cba4ec0069438
SHA256 7c7d1c56df7d227ed4b4ee613ce197e4eb74712156899b1fd44970d369137ab2
SHA512 7d62c641607c156654c721b2ce9c906294f38f8e5114fc839eb34c56d92cbe538b49c0b1dd058deb567d3cae29a6afcee205b2b60653492632506750cbcac82f

C:\Windows\SysWOW64\Phqmgg32.exe

MD5 3b08b2380b65fc6cee6d52c06afe2be6
SHA1 9b0ab7ff5eed954fdce07d5af9ff60dc78139739
SHA256 dfb0aa4b5a6d338a3bb247e263ad28441826ccd62e7514ffe148a5ec6bf4d30b
SHA512 5688f8a2b316919a59d28fca8ec8329beae78e9197eef25ec5672a2200b6ef34983e2ad54d5a23c3737acf0ac786620eff837506a793095f78364cc81bd1b5e5

C:\Windows\SysWOW64\Pkoicb32.exe

MD5 1c713a3ef7c582603a8b773dc7f8d527
SHA1 da764c06b11635e5363a5d260709bdcbe0a18900
SHA256 4aa75b32968eed6cdf872e2690f5adfa5dfdb862dcd756504be78a3da4f6db50
SHA512 fe40e97f999e2c79448396f25700726b57a0b8a09f903913405f317cdd639d149e8290a88e5b182030660dbf5bb22c03b5180cf7820eda59fb39575c2287570f

C:\Windows\SysWOW64\Pojecajj.exe

MD5 eac25e34a495600a0fad0c25d2355750
SHA1 528d0ebb80084e6523834ea17f8fa2d7065d247b
SHA256 94b365682aa70df4a81b00caca61e28f6d5354cc88a3933cb3e07f83be06c7c2
SHA512 071ac389afa4221e3322956d8d43075f069443c7b90b2b7d03222a34536f816ec9adde8981bc8c481597dc13105649f5aba66436af5fbb43f847c0085bc85655

C:\Windows\SysWOW64\Paiaplin.exe

MD5 32c8a67f007a529de9b24c4f12ee37a7
SHA1 39837c5d4445ef9c2a0fb67d9e8e7911d791b216
SHA256 34c45357ffa86d4e8a6b5ce816b4352747aa92002d57010c51a32472ffac84d9
SHA512 0e688ad7c603086ef43ad9ba5e9b3510b91f6361243909dfdbb0633128007861483f219a9fb308ffdf2277ced539a7bbd5f06660f7a933e69b27e3f023036b27

C:\Windows\SysWOW64\Pplaki32.exe

MD5 08f0fef3c3f9c36d2480372840cc217e
SHA1 4bbdae4133fa433d822ebbe1ef54786f65e0faf1
SHA256 b97132a873509bff8f8d990f31817352f199e65a18fab23078995cea366805bc
SHA512 30e2c3a9dd7f569760667742848c074f3885e26b8c43ff7306cd077c4844a7ceb2085d88760977b86782d014865602109b78671015c5bd02021ef0ecea9cdf89

C:\Windows\SysWOW64\Pdgmlhha.exe

MD5 8192bcfe648d323ab56de4499b7273f6
SHA1 636ab0068a249531e4bc73a8ec0ed9ab379d93b3
SHA256 1286781c7a4f8f858f03008c1e98879d11cee65fc2f82a8e691f7534813d22df
SHA512 238e9c502ede81eedabc5444fc82ce09e2370e890372923b248c6c29cbf44f65868e9c149c6a31823a2318b1e3db6b99c9b60a8af2fffbbf17a3027b751a6e42

C:\Windows\SysWOW64\Pgfjhcge.exe

MD5 e8a77420c9294ec6c323a7c92b3d10e0
SHA1 f32c65b93ccae6fe9a144bf29e6e6514a5f2c7a7
SHA256 4fe05f24c59a9de8a0c849c30ec2c5a0e90adbef7e8e4cfec1522fb9d1b15a59
SHA512 e2bcf85126dd8f1974ddc94e104b20b6fac125554784d7d5269e59e7bf829db6c9f324c52967a9d84985f1119bf03a38c7254fa48be7c7e4a438c09450691e36

C:\Windows\SysWOW64\Ppnnai32.exe

MD5 5b319a1c2da63d3947b334a2753254c1
SHA1 26941a22977f0f7323fca159133a3814bc638544
SHA256 22f86679900358f0b8f65f4584869b19587099027aff725535d157793a158077
SHA512 30a6330ac414f58ae77a0dd288d0a400aa794c559a2c2c971db330a01605a6a826b5278f05da0bfe4e6c4376549882eb67ce7867bcd5a2cae625dfb8ab4f0fdc

C:\Windows\SysWOW64\Pghfnc32.exe

MD5 1a78b0f0c5d9415a67e41ed2d513544d
SHA1 d15cfa4389edacb60144daf0284e0a7c555ba977
SHA256 8113cb4440344149aca17698613363e5ae3adf3dd3f44c07b14f8a1dad626993
SHA512 bb512edfd598de3bb10eaaaa9de458f76b98951bec4d4167fbdab7baca69875b9293776ab9a8a06b340e582fab71ea084686d361b902c137cc51f6a008c3f287

C:\Windows\SysWOW64\Pdjjag32.exe

MD5 0b44127f7e35b4791281184ec573f2cc
SHA1 d9b51e9ce609c867c537cd06aed393a0ff50a1a9
SHA256 5fdfe451fe81d65050ff564373c3982585e7021b361290bcd2c8d9ce4822d791
SHA512 db91dd7aef0877df6eda6bbc51998f6a6cd4fcb2c8046d2708d907bece4a1af874a6bc45f8c390aa104efdd79031c0283bf997d531981c62a564fbe09be7d863

C:\Windows\SysWOW64\Pifbjn32.exe

MD5 c82ee4782bef7d64dc3122a41b0dff0d
SHA1 d4b2a723f8593dc182300cd07116e0a2e1034973
SHA256 fb5c123572e8ecc4e35c4ddecb7536029bbc44ca66a447489a20c9a915045ac6
SHA512 7ee9777deaa11b6fdac160d0ce23b9daef795a445ac3e09a1e3d1959a78744dbbdc06d4d8f5e063675592b0dd01342cb0b45fd70ab38343180f494686859d762

C:\Windows\SysWOW64\Qppkfhlc.exe

MD5 1ed71ec21caee626fba7be0d9b418cfa
SHA1 edf4e0d2d177409fed35dd3a4f1adde12fd36886
SHA256 e22e5ae677ddf7c11d1a67d973e0bcc6022ba021d4900cc27a08ef7d23f1f044
SHA512 225677f6044d9c6b4a9e1e9e264a30e7868d5fb5b185117a5bffaf37514773286a4ffb10322e85dddd31b99b41f2e46cd855ef3dfc29e637d94190c9e17d7d1e

C:\Windows\SysWOW64\Qgjccb32.exe

MD5 7d6deaf076b548c6a0a03888e7db86d3
SHA1 cb7ca99415d94317cf37e2474969e5e6b5e7390d
SHA256 310c383a6b99c970f5068c0e967fdffeaf55ecfbf28961a81fe554ba2c417bad
SHA512 f35d133c368e5d185a566f6f170e8bb6cd1d2e5bea76eff771b80f9a07e5019a6ef403ef3a80affcfe07447ee9638d8472f01691211733d25eb260372b226953

C:\Windows\SysWOW64\Qiioon32.exe

MD5 35d17d5947676ec6186e0947dc176907
SHA1 a152d79882dc8e3b21ecf92f21cf4add375efe0d
SHA256 f617f9454d11583578a9b3a4d3a83b886427edb9965bf94bff2b717be0f7645e
SHA512 a7495cba9c4cc79b47be312d4df4e028b9ad634876c6a73755b7531eb94143489492fbf36ea3529e9e01834ebfaae255080b8273dc419265d8e12c93c1fc3cff

C:\Windows\SysWOW64\Qpbglhjq.exe

MD5 f3dacbcffe66dc8b5fb9c60d88d7c26f
SHA1 783666426c7b88f2d1a8f7e53d18cb706d0e804d
SHA256 8e66f73d79789bb010ba86e367d9afcdab74ad0b5dcdde50034bbbe55bb8bdf9
SHA512 b305611b1bd10de5fa1ab2bd9e3790db67c2dd5aa87a3534d8e9599bdeb32c63f85e1135cedba8d448e8afc9cacc9ef2eef8b72484f9b7c0aed6c91551b0b34d

C:\Windows\SysWOW64\Qdncmgbj.exe

MD5 33aae88029741fefe97b56816d04aaa3
SHA1 6ee31d9417ffb884d9e2e14a17a4f52b90ded2c1
SHA256 250a54bf1c4905a7f7beb803ea389739f778dfdb6be59be3cbe8ef5370d9ad1f
SHA512 17ba50e3935e4f329ffab792ed71c26fc22e72be24578e8a0579124ff234ba0e60334d2d2fdddbbd0bc8f96fdeb583276de6625e2c40286dde3eb77319e1cf6d

C:\Windows\SysWOW64\Qgmpibam.exe

MD5 42e7376ce7ab384ffe3dbdb25a6587de
SHA1 563b0163448cce58aef3c473c2b8ce6129fd3e38
SHA256 bf65035fc58b92f93a336ce0d6dc954f87ae059fee1b6dc46af3a61d0019b947
SHA512 d086c6d0e7708a2bddca2b442d84854abde9387d32c38a7271ddb008bd265d64983abed70c02e83ed6ff5c155cb65053aec09e2e020257682c92e87381581450

C:\Windows\SysWOW64\Qeppdo32.exe

MD5 91333b1e1733e2858a30fef461524fd8
SHA1 911293bab85143c34aa7bd91168e72e947cdef5e
SHA256 457eef540a6b13675ef5b3deb526a1a6a72314215f89dfc36014b77c4a2497eb
SHA512 989b11d1bf823406bb1000ccb48895d396a8d1590e97e70730a9df0285010b97b1b0fdb88ad43830410f360bc39e73858f8188653327a8d15735b4e7a1fa2119

C:\Windows\SysWOW64\Qnghel32.exe

MD5 7fec937c33362614899a61d43b5d515d
SHA1 2dc99f2bce0219ed5ed49ec72f265351faf93597
SHA256 c586deba08ca3be154e28e3bbea94cd9dcc7e20a5cfe297cd63dd4680aab8383
SHA512 7d6088b0ff1e67502b32dba884157712c48e6b721578120ceee2cf2733a306a2eec4a683e814c0384698b9ac8c8491a5bbd76590a80cd3b1e96a9bb7d5dce076

C:\Windows\SysWOW64\Apedah32.exe

MD5 8eea94bbf97d084c9c1e2488b9223d11
SHA1 42cd1e691dee807d02b4c95558a5be08991013e1
SHA256 6c7b7a2ade94da1003537342bec85d0b0b0aeb4cca0daa0e25dbb3d777031c39
SHA512 5159e7b14a9e445d26f5086dd6d720b7e42b08f25d51a537f083e47bd12b6cf0035830760b352fab329c972c5dcd4105b47a0511c24b25b426091afe2ace2f73

C:\Windows\SysWOW64\Aohdmdoh.exe

MD5 1aeaf2405337cd057f4955e6e1b1646a
SHA1 d7cbc9e8361cf3e425a5cbc88f91d4fc7a504c07
SHA256 64b5d90e0b031f70d7866a45f75d366a6993c9751bb84abc42d8c067ad49abc2
SHA512 0b0aac8c7d25a89f4bdc6abbb0ba5ec862148421040cb06ae5c67ee033607471713a82226b511fbacdf7832d08435aa470873f1806a68e56598fe18c3b06697a

C:\Windows\SysWOW64\Accqnc32.exe

MD5 fb7e211c697308b75dba778b7a1f7eda
SHA1 186ba19ce510799b0191ef3f70cb683590a4ccf2
SHA256 e910522f0febe002336d9519a2f4ba05704bf3c33ffda6b6f6a29afa771f44d7
SHA512 d8d2c9d42e0366553742f15360a35f56a039787c3a42f43787f0f02843d171c1da72644232386b69304f9bfd909c89a4e661e748e8f0b7f53042b45b075a96bd

C:\Windows\SysWOW64\Ajmijmnn.exe

MD5 590333c11ba4188657aa1753ae5ffa42
SHA1 c78cc783e2d69b8bc7b430245663d976e2e7e99e
SHA256 4487f8a53f40062d0d587e240a621bec6164cbc833837b166e706f28ff1ec5cd
SHA512 995d8e8dd65f5866d84c18770925e5426c97fd1bede76acb1d87ae60631ca6df1d7fae4145e0601ae37c5043588c1721f85c5454a011f54a92b2d970cd908421

C:\Windows\SysWOW64\Ahpifj32.exe

MD5 6a7cf060443ce07478bca9169907724f
SHA1 48289e6f27c2893a7bee0e02484d39343f4a0bf6
SHA256 64a100a11d9d1f0bcff037fd16f18667c7a2591846f0e1c72e38650e30ab2fa4
SHA512 f0d07483731d1d31782be4a4e3e363d23aaff85b297aebb32a4118136055db76d5d59fe20145827fc951b1bd5b99b0d0e0c603469078780fad7e0e9695ec8fd2

C:\Windows\SysWOW64\Apgagg32.exe

MD5 87f3e13f6a93e4eeb9da22e881c498c3
SHA1 53630e06d2aea6f40db1808e709e6d3417f03d92
SHA256 d2d148b5c77b3ad6c9d370f96d9fd7ec731e5eb811244934fa4136f2fb588be5
SHA512 7879f6586aeb6bccdc804fa432aa6963558643c0baa8d625de20ccd558a5cae604bf9c299b25f98159308355f9998e9e1df69cb313dffbc199841eea7fb48aab

C:\Windows\SysWOW64\Aojabdlf.exe

MD5 25ebebe31c29f7e3ec93c9d0979a127b
SHA1 c9611db4148539694b22d8fcd247a402834fee5f
SHA256 8fb33a8e2478d6849e78b0465fe0d826472efbd06e351e44cd4f20203087ae5e
SHA512 3f9d28d2706e1babf7b66bd8ffb09a0b99bfa154107bdac9e1555e74dd1bd708d3327c2e2051533c4fd46d6e48ce6b699b28b4802ee54ea60b04d42d0c661c40

C:\Windows\SysWOW64\Afdiondb.exe

MD5 8ec73f42b5af779e14c669bff6f76513
SHA1 c72bf0445cb02e8177f342c8d31328183081f2c1
SHA256 7d6e4123537838aeff6e0e3013b7bb242225ac4dc90a989b1b3602564f8331e1
SHA512 e4c9827510c5b6bda3dfaf43901f888618f7e411d66489abea7659f269853b5094cdac54f6a8b9f79254871764256940d9776ac2023f3ec8f60d7328fc600050

C:\Windows\SysWOW64\Ajpepm32.exe

MD5 4edde0eb6fd0268c6755f9fa603db813
SHA1 d32605af6024242580c45db0382ea90a6f8ef303
SHA256 25a6106eb25f4178b770e95091a8d26698b39c72f10b424ea3de75cdac8cedb3
SHA512 414dbd0f14a968da3da84ce4e0c9a5a92a0ee5d1f89e44470d44ca053d554d8d8826bb64853ff54acc9641d87b70196c940c350d3c59b9fd09d92ef5f81ba403

C:\Windows\SysWOW64\Akabgebj.exe

MD5 e051ba467580870a809d3e7a0cd08acd
SHA1 a7d29b64966447bf6ad3195010b657e09964a722
SHA256 f53118ab74358d94591a67521debccf62c32936df93837a726e2dba564688655
SHA512 9ade6c16c9cfcc98eec98d496d2c0b4bc1e35d18146074c7ce29d8a77d028ea6fa2f6d276a0c700400fbf6b01b85f07a0387df40927b3be91eac0b99b1e3e183

C:\Windows\SysWOW64\Achjibcl.exe

MD5 0573338a46db8342d44cd9b26833723c
SHA1 3035ab60c026d5211622121dbf5b3b2fd2978536
SHA256 4e042be750a2b1675dd9ffc2aa8568f7fc4d553e361682d5cb3b0c07e9957d8b
SHA512 9425167b2d42daa2e6427cd511b5e5a6c85f6bcb1921f124a124c6af3516687eed6f3409be9ec9aec67150e8ec1bffd9e77a1bee0eb7378344036d801f2edd86

C:\Windows\SysWOW64\Aakjdo32.exe

MD5 d85aa051b552169975cf0c4639e2b1ac
SHA1 7d16968d85697bd9e01b4a628908af395979d40d
SHA256 90c5983c26bb676e641cc8ccf772af83d6341c2d958fd25a32fc50f48926a0f2
SHA512 9564795957c1386a09a2b69d908ae5f3bcf74ea68b52d21ed475acc1b5686569b1424f4c3a7e9d3f77757af6e1b72a971f655410d8ad8075a488a7942ece38e6

C:\Windows\SysWOW64\Adifpk32.exe

MD5 df8bbea945af248a4bb5d204f25df9fc
SHA1 4ba312848562a72ae5dd40c7311dc759b865908c
SHA256 8af35bebcb3fe8843f3fcd0103a6a422eb91fe342e5386906e7b7e8505341ff3
SHA512 10fb03c016cbd62cc390cbc0d5aa027fb9988ea84a5de6ae82374254c6ce368a65fc09e5f3e8fa033ce0aeead950d1cdef95f826d62377ba74429869669c36c6

C:\Windows\SysWOW64\Akcomepg.exe

MD5 9793eff8faf928883568e8b9eafe0f2b
SHA1 741986bcc2c7175ad6bbf2168a5749a866bbe215
SHA256 a5ef6902b673a720e169d0b7e5cd0d7a7db0f4cbd97a4e7d272e3fdc6bdda2ba
SHA512 5c8ad3dbb384a40a674e376487e7ec11f4e0df13bf9315eb7bddbb863befadda33de1c150d278fd08a5b489caff6b3ef2a2650e185a209822704dd9e1607b767

C:\Windows\SysWOW64\Anbkipok.exe

MD5 db54d9d1ecc0202fe55577cb7a838c93
SHA1 104dd3b266c802012a8e081cd5f63fa6388144ee
SHA256 91a733c158d811fd162bc62825a01d897041b7de1ef14204c6778fa39ff2dabf
SHA512 92a84d43057cbf2cee1df321d77e7e4cb94eb9c6cd81de789e2d88a9ad7f95ed3bf5208e564fdcb1d89d0225a12a0b1b97237efd8548a42a23612e4cc5982b4a

C:\Windows\SysWOW64\Abmgjo32.exe

MD5 25131071130ad2ea610b8ddc856e34c4
SHA1 da92c373efeec30f48986bd0013e8882f7606f05
SHA256 2f2e8508e154924014178799d53004f5709acfbf2ae32317e12299b31e8e8913
SHA512 fb84f9115821a1f1b62be0cc2120a177c19ec2edbb1ead52292fd65c0a4a9164a9ebdc97e9eb2661aeae3ea0d1d1aca010ff36b28b1746471672426c445d2884

C:\Windows\SysWOW64\Adlcfjgh.exe

MD5 253ea45b086bc845aa308db81f59ac58
SHA1 011b4acdb69168db2d236515a6df716fd344c3d6
SHA256 9bda875b1e9c7e63a692e1008cc377cdf55313810d9522001ce3ef21c9570d1f
SHA512 d587fe27686112b8f329542e5d012c72e7d1d35d9e5a69a8d9c540389e59b8ebabe3e3d9f2706130bb7e3994ae4f3be6bbd5911c71509d6ff39e4f9ac6096c09

C:\Windows\SysWOW64\Agjobffl.exe

MD5 153bba8a08d01f24f2e2d434d7f4ddff
SHA1 19f9284ef9fdd7c511b69bce2bfb846187fab4ca
SHA256 20c7a1f67b9cef136168f8ab91dbd1a9d48992c0500526f693c3334ed1cb27ec
SHA512 3816c692df4a6437d2e70df7a05e0a146b509e918b37cddc079492ea7c7cae7ed9cc99a85829283b572aff589e4bad3f51429f2c6beee75b1dd9d4debbd022d5

C:\Windows\SysWOW64\Akfkbd32.exe

MD5 d3977d2c1d6049451a2456cc014f27cd
SHA1 5b13f56c14d978105c9a5e8892643b36fd1868b1
SHA256 9b3d3944176952aba57e81d88cc86552870b99a9d31a1fed26b8575063815d6b
SHA512 86c39b9172bce9964666ab81e4010d669b656bc4668efa429e501a70bb5fb6e8890a7a6277be6dd02becd0f8c795e0435f81cbca293c59dd888670b7e6a8f4a4

C:\Windows\SysWOW64\Andgop32.exe

MD5 9c5c0a53e91f32a759f1167d871df5c9
SHA1 bdbec891fa4a9d93835fde46820f192dbc7d8e05
SHA256 8bf4d90943198546a999affb3ec4983aa45ce98d4405a8f6a28bf563727c07a3
SHA512 10d03e0f95a8cb0adc2e56e21fc2e8e18b138689b3c1383c9c6707d318a367efd8c0da38a01ab8aa60d62ab3bf55302277f7f4ced284be0b83d178a699724a03

C:\Windows\SysWOW64\Aqbdkk32.exe

MD5 7083624a05896f528256738dad998ebc
SHA1 8f24498b00e3e56b1eea2550d3b3702fe2db119e
SHA256 169ab12dc2f18c5823eaaaaafbfbb0922dc0ce1529c4dccf5fd716ea8881c547
SHA512 d01014c570e0e4afd968b88b8caa9778fb12790a5ce0cfe3b0292ef7fd6ebd744c58c8c78967301e1a89d69ea3a521829e1954e37c925d2d917f4307cbca9b11

C:\Windows\SysWOW64\Bgllgedi.exe

MD5 e2bcffca98aef238f9a134b2758eda60
SHA1 d30202bb5f99098821a60543e0fd7f327cda9357
SHA256 c5232b1108dbbb7b7b1b5e8c40c1143555c60b08b58308569c644df3890eb59e
SHA512 0bc496db834320eaaa53ebd06940574b1b4cb3b9c3cb061a64baa9dc37b9f467f900861085d2d6f2ac4861703d23dbef4ee9e7b4c89f74cb777237cfd180a416

C:\Windows\SysWOW64\Bjkhdacm.exe

MD5 ca16bc10bce9848f7ac4e4a87ac3d6a4
SHA1 6e6925f92ca988d52b87ab6c5a12eadd6df3501e
SHA256 08596ccb59791159457236932093084335f3d4eeacd216fa2844616baeb03f69
SHA512 1ec4c5fa6df325a8a8a561bda0e3a1f0a8092043651232258e81568104348ed90ffd2c766aa12acbffd01dd584da2b6d68f795da285fe5dceedda8972aad18dc

C:\Windows\SysWOW64\Bbbpenco.exe

MD5 e8024d1db640e3794c159c9a806ce318
SHA1 d2cefd1270501dc40745824c76f79f15af8444e8
SHA256 26fff4c5faec07bf816375a34a301fe8809f1debee1f77798fea97efc42aa012
SHA512 60c085305623d91e42f382e0e9a203791a1765e1b14a825d7d693fd6d9d3e00edd442c75ec19311192758e0e0063d2e75a62febd58acf14faaf268ef35d477e5

C:\Windows\SysWOW64\Bdqlajbb.exe

MD5 4b365fab75b761ec01914a5491b058e3
SHA1 355d7396fa694f81bcdb5c66418ed2de95693eaf
SHA256 bf4b57adf0d3c66ff4ebae425d6087db6b10c233ddce42ad178b339cb66459c6
SHA512 b59fc3990d149ce8fa6117e680f17ae946fe3e491ddf14e5370aa68d5078d23c52cf290a3fc9983fedc55d6098464197aa828080356af9ed840bfb606c39bdb6

C:\Windows\SysWOW64\Bgoime32.exe

MD5 c9b1a42744ef0e28d722a11e35684ccf
SHA1 87fb2f82bb3736fefbf8f7898716be0605d3385a
SHA256 301c554f6883797c14dd7da84dfdd182c0f316b8396d4796c74b7efd5c4164c8
SHA512 152c0930938155fc67b0e8f8362cf26bb7d40a64adc36b952f2d10b6749fcbf8f0618bf6c1baa4f5161ad83d1cccc58af8ec09a3ad8914666a8ecbe6e2193d8b

C:\Windows\SysWOW64\Bjmeiq32.exe

MD5 820fc172069f609b31fedbb2dd32da96
SHA1 345af013d833c3ab49b91c4bd9f9670dd73acede
SHA256 f66290f4ded06e9ff4902fe8f5670bd1fc6af862b39ae0681366035e4810d1e4
SHA512 ffb96f23bce5fb5f416220784987c8bd09ec6355bb5a54d7f12d80cef7bb0f29e467c584944c18b5ec67626851a479e79a22facf9d0d2e55216e537f24153b7e

C:\Windows\SysWOW64\Bmlael32.exe

MD5 168719b7631b57157fc54d1b9a7741e0
SHA1 4243809547016f989405f2ffd995a37b3c7c9fa8
SHA256 962793c83839969481169198badf1a92f86ce95cdaf5030119dd9e20314f805d
SHA512 b4e959ca0a6611b7d1114e6822280959e1648c89321494e11ad14a5fc9001a088caa088acb5e760855bd930405865ee4d62b94570f80c22a16d7a0480e3ecafe

C:\Windows\SysWOW64\Bqgmfkhg.exe

MD5 ee5399d1163212f635426a716a54b4cb
SHA1 3d11d0970406bfbfdf41aea6ded0b5e5c67662d4
SHA256 23adcafd0c6b34e09dc77f3ec918c2856131fd0dd13c88d109a159a91d4198d2
SHA512 da20cfdebbf7338ca22d1316b5dddf6142bf27528806c317fe6557dd8384b30415a6e6a8c9ee23a85813cf8bb25685fbe989f92a85990f38dd31c729e80f13fd

C:\Windows\SysWOW64\Bdcifi32.exe

MD5 7c37151ff904596e198d196882adb0e3
SHA1 526bb582594092d88615db9869cdcb5cbaa7bcf5
SHA256 aa8e3be45bb868967aff52518cd41f526bd4b54fea214d4197f449ce122e6c0e
SHA512 cb7b31df660247f3901823e93171cdb706b986a4e287f77f9f6f092db76fe762f04b2012e7dcba238d93420b8f056013d170b8d76f3a4949993b06bea1376ead

C:\Windows\SysWOW64\Bgaebe32.exe

MD5 233c1cdcb2aa62f6320cf8a287870de6
SHA1 a7467f9ce24f2ac785a354ede94a5fed09786a82
SHA256 f0531e965b9c2fd1de224135625178a8d847407000eca30e1bf1eb556bfeb1e3
SHA512 0ec7b9c4092a6c037de34ca877b090460aecfae0762fc910782233efa3013943cf72d4aa948e83fb0e83d6a87ae58e01f5fac31f1800803b090fddaf9f9f5f5d

C:\Windows\SysWOW64\Bjpaop32.exe

MD5 d8d48716c056163ddcb55dd29a14e2c0
SHA1 2dcbf8a398953e68cb4c9e057abe4a42c27814f3
SHA256 db8335745561a8c0492bfabf1858b39423423890a5320c409ed5d3fc175330c6
SHA512 92083ed55445452d12c6ec0dd7b85d81708398f5e2ccea7d67f755ae4b05b8e751018872b6b34d13ffa0f71cecdfb520cc4595f90afb22aa081568a1daa33b86

C:\Windows\SysWOW64\Bnknoogp.exe

MD5 87f4b24a7975e66c494761404856d3a3
SHA1 7a505613ed9d57036566955a627b21aca99ff64c
SHA256 a2e6eda8493b41c0a5fba56bf4633a4a5c4d8b5668ab1e82bf3101403bfd11ea
SHA512 55233bba8365fba7b38d02b15dc4980e6686571cf3f60d947ae00bbd24687b3b1ab9244ad5574a44651a8661272abeaed2326841ed1f2a99a5c389201bf0dc58

C:\Windows\SysWOW64\Bmnnkl32.exe

MD5 580d7e7d3975331b9a629594d1a30af8
SHA1 a8aa0b1206f74820eda2d4d6f8071a506c84839c
SHA256 347491a4cdf4c77be30b0310f4bf40bc99f9590181f8c27ff9a139f4ace639bb
SHA512 73fee27e3c17c12de894b727ad543f506908c2510baf680eca10a0d2f8ee92e84cbd8c9868fc03f3be54e98558d110bbd0d6c0c79e70c6b7d553308bcd7104f1

C:\Windows\SysWOW64\Bchfhfeh.exe

MD5 aca62cb82cf72d80783839ba510dcf4e
SHA1 0b6238171193bb166b4848aeb10bae260b1e725e
SHA256 82e3664186f66953a380b1e65854218fc70fcf1d46fef7b551a2c1e4b1725d55
SHA512 b4142e1442404b0a41d155811188dac20cd31c88c1fdaacad05b6b55e5a70bbd55d9b5761748630f3166d2fa80e3b43eb4c34dc4d88c21887a7563af47b09224

C:\Windows\SysWOW64\Bgcbhd32.exe

MD5 0e086bf1daa2b60b0c9e16465f06febd
SHA1 161e371e6d3eca711ae044a3d441dfd3ea512fdd
SHA256 de03b9305420b58fd785099c34e2b43532b5fa1044b6044e35c20d7b4f383770
SHA512 49fc1693a045227e7a4fabb3955106646efa4ef161cac5411997f1cd23f9ef4564c72f7560db399575dce0366690a86e9f76150954b43178a4a1a429883da048

C:\Windows\SysWOW64\Bjbndpmd.exe

MD5 358ab0dc32d2c8b048083146de61e466
SHA1 cf3a8378c405a0f5ace3378b994ff561283a6a97
SHA256 9eedc67ae3a0ea72fe15c8b7e81b9d83e92a8bc4ea6d04915c73247c82e822f0
SHA512 4dd6c38b7984833fda0f74fb6a41bac2f800c0b7859356694c06d71e20a1d8fbc2e64918e7a146d37aa07e190de9e1b3475c0a8a53e294713d2ea918d9142cda

C:\Windows\SysWOW64\Bqlfaj32.exe

MD5 220906d286d3027286df871872246dbd
SHA1 8076b9f058bb580fea752d875f5fdccb253748d3
SHA256 9d364b29c1a14c2842c5b617e8562fbad07c34ad11b7de1a49dfa4f783bf62d4
SHA512 1c123e646d4fc505aca4488e0227fac23c58ad3e6589c35e9dabda0b677ab668278ec10f0fd5b18842ef0ebfeaf17fc370381840f0b2081255b765aa3daceaa5

C:\Windows\SysWOW64\Bcjcme32.exe

MD5 2d9687613072469eca96dd9047065375
SHA1 99e5bdb8d98c17c53d0c911d495c1cc778e64f44
SHA256 9ad87ac0c324bf0560ef45abbf9506cb0e1e3e7d0da73be43251cd0fd3cdb41c
SHA512 8ed670cdeb2dc95eac0230c334c89433d524d4facfe17eeb8dbe0a6eb032829b090c111b6a97144d85f0cc101ece9c542622290f5a785f59f30d8098911fe1dc

C:\Windows\SysWOW64\Bfioia32.exe

MD5 19eb87c4ba307c61ec596796fa560c19
SHA1 7496671b4ad15d8f2def77a666cb3db5685ff0aa
SHA256 65e6a42904e785660ed908abadb7580990d457058555e57a127bd47f7b79bf01
SHA512 2118f5e2d1245e8eb2f2d8a92621e246ab27927c05b063ce6857ded83a45bcbaaaad487e5dc32bfb3cc2f62094f2a68fac9d52ff24178d0898770e29c93fdd05

C:\Windows\SysWOW64\Coacbfii.exe

MD5 5cda2637037304be7a421fea96bf288c
SHA1 a1241482095fea4d5958907ec1262f9f06301a7e
SHA256 ad4601c1b31401d88e1f9ec0833d145e0de192e2f4ee39fad956f510d5129bd3
SHA512 9a152c25ac9940857ed566a4a65716f19c24eea56b49f515acf8fe45be0b0139ef9ef666669cd6fb7b69f2e05c8dcddbc564adbabc4f6f25fc84d0fb3ef7f42c

C:\Windows\SysWOW64\Ccmpce32.exe

MD5 8d932d3805d3b6bb982104b08ea91ece
SHA1 093cb5ee06bb472394d026f4fa5dc2dea2c77335
SHA256 4903042735bc761b6752071b5ce0e8e749b665aeddd1da85589c3924eef2d879
SHA512 f33f3ed54c7999aa8e26340a23f2315a548fcef6dbeeaec5d54b9da80e9083b50541a44cc508ebc5f138723f29b504d8ec6e1e2c14b1a20c0667b88c68b2c3af

C:\Windows\SysWOW64\Cbppnbhm.exe

MD5 39bcc638e970ae13430425d88b2bc3b0
SHA1 5ba7982efb924d8c291c9e4250c979492eae8a77
SHA256 2027f6a6f39528fc75bc0e5dc81b1de3b282e88f381d3147abae44bad1463e25
SHA512 d83b029c27bcd883485a31a4c7f7cb927bb07b61616ffd99ccd59e6463637e015cc6f0079639cc7435e83bc7ef9d0e77f7bf4b45602a6672aee127ebc1378e23

C:\Windows\SysWOW64\Ciihklpj.exe

MD5 ebccde8d03024a1ce29e7f9753c837d7
SHA1 d2eab4c5115631c51163217fa07c0f3115bd7a2f
SHA256 e3e6fb3a9dcec1c91f07b7e3a2f92328591625c8b4cf8a3e9262b4b971cd4e37
SHA512 1484a05e223878f8ea43bef40b4ea05ceb2bb6ff95679a2becfff406488b587b328f14898741a72343916af7a3bfe2a823e9b9059b06f50a3d2d847e0774b80d

C:\Windows\SysWOW64\Cmedlk32.exe

MD5 1253ec5d71895c82d3867c38f34c7198
SHA1 983e2b0b9f721cbedbd2adf48c3eab863ee2efab
SHA256 def4e350ae2e46160a5ffbb462c3b69fdbd24d5c253dbe242498645e80092df7
SHA512 53b94953b0bce466ee5ddce2c4c4626c6dae580c9e009129f5f34fe57009c8c8e3d64201b1961d3af7c6a9bcae6c097990440c28baf7ce32d59a0133be249785

C:\Windows\SysWOW64\Cocphf32.exe

MD5 bc451a00ed4be75abbf4e34902c82fd1
SHA1 15b631d79084cacd0bed7a1fa4ce813dcc1cb950
SHA256 51a561ba689669c13bee7e6190219f2f49a26f3999c24e50ce93af0ce05f0136
SHA512 ea9bb1cbccf3527f6ff0a35d6cb0bd4361c64aa8e0a5ee4aa01a6cee8cb46c1c80939223f126ff7319b40df48efde15e4a8403ff852c3aef645d0b85b7bddd21

C:\Windows\SysWOW64\Cbblda32.exe

MD5 194efad797f664d450cc1df9dda62060
SHA1 b04f8fa9b93b9e0c3d4bfc6a80e18ddcdd3a0ac0
SHA256 160256eb735429662518d0f18c0126fc9988367f01920f77ceca86885e117f3b
SHA512 c413c50093ae19b4cde3ad859590b1a6e5a83d5143ba57bde5bb63dceab2a8fbcdedca6ff3983e00a1c0949b14ff40dd4426bb20290ec5135fe4c2d2dee2e913

C:\Windows\SysWOW64\Cfmhdpnc.exe

MD5 d9acca3fe5099c5413ca14412116c4d6
SHA1 df3556cad98735afc06078fece3157394072eb3a
SHA256 ab3c06d61cc4f9776547981e295fe2a327f3da1bc4118a5037f59d5ba7d75d1f
SHA512 a614d328905d0882c7b301f3119e1bd12557f52de284680ed83c2d8b7d448ec32ce323624293cd140de4daef791cb5d020aefc412401786a52ebd47d33841456

C:\Windows\SysWOW64\Cileqlmg.exe

MD5 e536277a80c8f73380ca3be1064b0466
SHA1 8918e3de3a9bb84adef23eb9776caee5a9b07fb1
SHA256 7e153c4b505e10c2fd9cbc233ebe7f830bfe075d1ddb64717209f230f9859dbf
SHA512 7c31262cd37df1869e66dfa0ca3dc6b9cc813d15961bd5ae3d17f229f35223aa9189f0d0ec4a936b9f7c8a24049bb7e9fa0c68343c7df897326e28b49a12f594

C:\Windows\SysWOW64\Cgoelh32.exe

MD5 6572f55f89c5f59d4295c202d4d55cd4
SHA1 ca4aa271c39b118bf96e5c85b1aff93aff600ea4
SHA256 55ec0e99003b17c79e952f66e5cb7616f5adf3855f40e0a277da9c2c3f3475c0
SHA512 911797e1265e4da3e6c33bfb959d000a1eb215bff0219810489d162f9c4cbb1b4e4646dc05d104995763cb842fcf3846d7fc902b92c0cff00316ec5e1c3351d5

C:\Windows\SysWOW64\Cnimiblo.exe

MD5 e398102ef810301db9df9ea7fe2d5fc9
SHA1 701af2236f5847de2bec23461dcf5c4c2e10658b
SHA256 e3bf090f26b1c6388c1e2031865590b4fa6775d5fc1a66ea63adb2a01a99320d
SHA512 74d72e76ddc1c4cf59ae7334c15346666bd196e696d43b57a4848fc09fc2c48784613fd2224636b83c68cd83055c93376e6de9e2536034bdebdde623fd93ad49

C:\Windows\SysWOW64\Ckjamgmk.exe

MD5 5c3e18293df71fb6c9f99d649d8ecc27
SHA1 6c21b30ff443932d8b66c6aad6311ba574ce3552
SHA256 208aa8ec46ce435a472aef90f7d00c391e55ba660b416fc0c824462348bfb1c3
SHA512 3663fbfd81044c658972ab706c110c39c964b96547e443d9786e43e6e7c2f2ed410c5ee71344fe293f8a46dab65cb454f7841d734d692f4072cc3d3e6f7d4abd

C:\Windows\SysWOW64\Cbdiia32.exe

MD5 4f4a711a024bb079fea75a9923a02f82
SHA1 c462a885aa5e5ab74c4fbd130eb73b6ea88d1b98
SHA256 2b10634c0a2effac87a4e552bf16ca5b5058784539d39d3796a5f9e5f0cc1b58
SHA512 dfb0ceb2a59b37a068357d4e37fef58566dd45abb85ffae7ac491394bf9605a45658422b6046d1185b4488085a8e586fb9552baaa893acb11a24d6316fc0b45a

C:\Windows\SysWOW64\Cebeem32.exe

MD5 d9f276b518c474c5f6c834dfe90edc98
SHA1 795b661d4a52d08fcc875329942bfab039e55f90
SHA256 a6007cbf4069af2e105ff960333106cec3b8b78f5786024b6dafe80991456030
SHA512 dc14693a0b163a89414d2f1975fe5a4ba063cfac01e11ea1eb0f13cae9cc5b6cc9625aade174c3b049e3c416716eb52b049630c98ccad091b445493baf169abf

C:\Windows\SysWOW64\Cinafkkd.exe

MD5 630d6524391c005b1af56f811b4dcc38
SHA1 06fb21180cf419f5377d4611d056fa9a816ac035
SHA256 43ce4591ce12a73e60030e10c9c460ece827b705b02423cca4e9e10d4754a8ec
SHA512 1cfef3ef12f792e6a8ea818a5d6a5935eacc13f804d8d4c875517e26b69305bbfc32b1a1fc20005ff71479da4ef7a4f17403c099091a1ffff50b0e34dba61104

C:\Windows\SysWOW64\Ckmnbg32.exe

MD5 973ad4fa3bb3de44657f0fb1d24f064b
SHA1 d9be85871a0f02cc32c06cdce99954236f71075c
SHA256 e40cad95157baa5089a4ce6cfea65d961c2f829bb284fb0ace3b0acf1363ff8b
SHA512 e174ef9621bc6a2dc640bdfa375a7b24c1db01b409c8963d49f96fe9fd4e6e17835774a308a660c4880da597638a5717650acad94512cd4c6b5e15fb3c8c774c

C:\Windows\SysWOW64\Cnkjnb32.exe

MD5 92df47842f53acffc5ac4d7ffef611e9
SHA1 41638c3660b5b9ddb12a75f955aa5c7162e3e531
SHA256 f0b5bd0374bae1fcdc8c6f189b0f8a3f719e0aad03c3d1fa3d1b4bfbd6e48bc2
SHA512 dba7b5b9421bf32fedcc1e73b7be7c67e623282266c19ff89ffe666ab86d6de30e70528b3ac390c35b0ab68fc734111c7fab9b67095b8f6936e71404b6ebc6bc

C:\Windows\SysWOW64\Caifjn32.exe

MD5 55d3b08027dafc729630a975e61586a6
SHA1 c432b0d768c068b500392313f4795ae3163b6bc3
SHA256 ab18199f460b4172bb41f90d237a3816d4e91bda741dc9b91f52e7dc2781db56
SHA512 a2c09663832770acba70306f906c6a62e2c030861a6c905bfb042d765678113cbb02e31881bc69f3bbe79a35954902305b17d60ef3706ad4bc944c262670a751

C:\Windows\SysWOW64\Cchbgi32.exe

MD5 6a06069c8bf4b654b5d96973413f1f3e
SHA1 8219e1807bfba938ae6259c6de4772c08549f575
SHA256 674a73d3258b9253e2940d26fed444e5d1d81d1b0bf16e96a29f453e935b042d
SHA512 a4bc85ae0496ab25713197c57af17466c6b03399be8d4d6623a777a09b88c78c007f52b90369f6c75733525fe5e36cc960ff8c26dadbdad65e4dad0bec8da3fc

C:\Windows\SysWOW64\Cjakccop.exe

MD5 7c9b811947ce55db677c6dbd37858ade
SHA1 8e36329e324ad2e18240df1aecf376c3270d8566
SHA256 27a821017d1793df1e27eaaf30d774246841ab21328c795831211cbe0f1ea3cd
SHA512 b0e1d248d0f21855b51248b8b058d414168ff84d6c83bc9b2356a1aef10b2082f8210fdbbfdfcbc9f223ec7289f79450c4bc89df7cf7a0ca6fd07201aaa5f8e6

C:\Windows\SysWOW64\Cmpgpond.exe

MD5 2b898a4a1195965f93761d03fc5386f0
SHA1 d5dd35f7151ef8a9ff21b8e5e5a82ba9759e734f
SHA256 f703c3eee589eb8ac444cce8025a59fb9fbbd297bf80dd8d222b07bc012a7e5e
SHA512 f9aa7dd15c4d424ef0d047295aab81a0ccb1bc47baa7c9edbfc1c996061336d6a9c121fd4f4db8b90e8491e64060040a7ec83593fa1e152cbd85719d1b6ee070

C:\Windows\SysWOW64\Cegoqlof.exe

MD5 16318ed77292b9e45b6806930739818e
SHA1 58eebe7e8e348e00e78d21cad1b9ab178ed92f23
SHA256 5107f6657895fca0674526fbe890fd554d179cb884fdb4542a143aa809ddf614
SHA512 e97484f172b582299574b5eb81c87bfd8e707212ad033f4786a1d7ec93409252529715bda35ac0c2185395c6c449557d3ad660c67272ad45c496e7fc44aad8b5

C:\Windows\SysWOW64\Cfhkhd32.exe

MD5 a2b01944d017ac1cc11c3f5c66cf5eda
SHA1 4b2da2613dbb30650304f7a07222adec1b35be15
SHA256 7722c693a5e082dd4f78e85496e4a35d6b7890b6f2bb54cafc8f391a2f914c84
SHA512 28542a57db972b30a2eec7f2ecab70bfa987aa896ecae6d40c8901a03c206df3866075787a91ed849332c60f98e997c2f6b00d5bbb31f90bd927b0e441dba2c1

C:\Windows\SysWOW64\Dmbcen32.exe

MD5 b0cf1554e0a0d776799ebc6a984479f3
SHA1 bc5ef55dc2d4f6a480cac2ad1cd5f49fa641c2c6
SHA256 f6140f427a04fa5c7c9242cc362462db07d16ad0aa8622e4f764752c1ae3dacc
SHA512 278f2e17cf005472c17292422c49688e57895c96de15bd3008a862ef166f04fbb2bd0b02e4ac03853b481a89e09fd09f537262b4ce4a783deff3f2ff56f4ba19

C:\Windows\SysWOW64\Dpapaj32.exe

MD5 fa99f008e5f1540231bc81b1b8fec37d
SHA1 6f50ed47759de601b4ab0dda5eac385ec21fdb4a
SHA256 fac46568513677c7db9696ba6b41c51422923c993b32e88e21d44a600050b2c2
SHA512 c5333bb89b985d4373214dce4c7351755a949938aef05409c496255f84026c0e04d2d6623b83b2ba499dc47946707a8d17c3c3c79098f4e46f550be24389a094

memory/2372-2028-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1508-2027-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1916-2026-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1964-2025-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2156-2024-0x0000000000400000-0x0000000000434000-memory.dmp

memory/844-2022-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1628-2021-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3236-2019-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2296-2018-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3296-2014-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3456-2013-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3416-2012-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3336-2011-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3376-2010-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3616-2009-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3496-2008-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3536-2007-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3576-2006-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3656-2015-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2784-2050-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1576-2049-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1884-2048-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2544-2047-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2744-2046-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2160-2044-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1128-2042-0x0000000000400000-0x0000000000434000-memory.dmp

memory/600-2043-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3068-2060-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2316-2057-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2756-2056-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2908-2055-0x0000000000400000-0x0000000000434000-memory.dmp