Malware Analysis Report

2025-06-15 22:57

Sample ID 241109-gttllayhqq
Target afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN
SHA256 afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5de
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5de

Threat Level: Known bad

The file afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 06:06

Signatures

Berbew family

berbew

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 06:06

Reported

2024-11-09 06:08

Platform

win7-20241023-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Folfoj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mjcaimgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Phnpagdp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ajpepm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ecploipa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jajcdjca.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pgfjhcge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Abpcooea.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eppcmncq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kkjnnn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hboddk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkoicb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmlael32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfioia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Knfndjdp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agolnbok.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pkcbnanl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lbafdlod.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndqkleln.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajpepm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bigkel32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceebklai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ihbcmaje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ljddjj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Omklkkpl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ofcqcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hihlqeib.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjkgjl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qeppdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bffbdadk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbppnbhm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jehlkhig.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmgfqh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kklkcn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mnaiol32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qeppdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kjahej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iihiphln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lnhgim32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbmaon32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkcbnanl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bgaebe32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nnoiio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nlnpgd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Klngkfge.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ljddjj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lpnmgdli.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nlcibc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Phnpagdp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Akabgebj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkhhhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hakkgc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Coacbfii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cbppnbhm.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmedlk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hidcef32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fpmbfbgo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ndqkleln.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Odchbe32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmkhjncg.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Eppcmncq.exe N/A
N/A N/A C:\Windows\SysWOW64\Egikjh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ehkhaqpk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecploipa.exe N/A
N/A N/A C:\Windows\SysWOW64\Eacljf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elipgofb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecbhdi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eddeladm.exe N/A
N/A N/A C:\Windows\SysWOW64\Eoiiijcc.exe N/A
N/A N/A C:\Windows\SysWOW64\Edfbaabj.exe N/A
N/A N/A C:\Windows\SysWOW64\Folfoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpmbfbgo.exe N/A
N/A N/A C:\Windows\SysWOW64\Fkbgckgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Famope32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggkqmoma.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmkeke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hidcef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hakkgc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfhcoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmalldcn.exe N/A
N/A N/A C:\Windows\SysWOW64\Hboddk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hihlqeib.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihniaa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipeaco32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibejdjln.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihbcmaje.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijclol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ioohokoo.exe N/A
N/A N/A C:\Windows\SysWOW64\Idkpganf.exe N/A
N/A N/A C:\Windows\SysWOW64\Iihiphln.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkhejkcq.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmfafgbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlkngc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbefcm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jolghndm.exe N/A
N/A N/A C:\Windows\SysWOW64\Jajcdjca.exe N/A
N/A N/A C:\Windows\SysWOW64\Jbjpom32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jehlkhig.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaompi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knfndjdp.exe N/A
N/A N/A C:\Windows\SysWOW64\Kaajei32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpdjaecc.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkjnnn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knhjjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kadfkhkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpgffe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kklkcn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Klngkfge.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjahej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Klpdaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lonpma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfhhjklc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljddjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpnmgdli.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhiakf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Locjhqpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbafdlod.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhknaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkjjma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnhgim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgqkbb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lohccp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhpglecl.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgchgb32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe N/A
N/A N/A C:\Windows\SysWOW64\Eppcmncq.exe N/A
N/A N/A C:\Windows\SysWOW64\Eppcmncq.exe N/A
N/A N/A C:\Windows\SysWOW64\Egikjh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Egikjh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ehkhaqpk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ehkhaqpk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecploipa.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecploipa.exe N/A
N/A N/A C:\Windows\SysWOW64\Eacljf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eacljf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elipgofb.exe N/A
N/A N/A C:\Windows\SysWOW64\Elipgofb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecbhdi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecbhdi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eddeladm.exe N/A
N/A N/A C:\Windows\SysWOW64\Eddeladm.exe N/A
N/A N/A C:\Windows\SysWOW64\Eoiiijcc.exe N/A
N/A N/A C:\Windows\SysWOW64\Eoiiijcc.exe N/A
N/A N/A C:\Windows\SysWOW64\Edfbaabj.exe N/A
N/A N/A C:\Windows\SysWOW64\Edfbaabj.exe N/A
N/A N/A C:\Windows\SysWOW64\Folfoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Folfoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpmbfbgo.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpmbfbgo.exe N/A
N/A N/A C:\Windows\SysWOW64\Fkbgckgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Fkbgckgd.exe N/A
N/A N/A C:\Windows\SysWOW64\Famope32.exe N/A
N/A N/A C:\Windows\SysWOW64\Famope32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggkqmoma.exe N/A
N/A N/A C:\Windows\SysWOW64\Ggkqmoma.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmkeke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmkeke32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hidcef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hidcef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hakkgc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hakkgc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfhcoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hfhcoj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmalldcn.exe N/A
N/A N/A C:\Windows\SysWOW64\Hmalldcn.exe N/A
N/A N/A C:\Windows\SysWOW64\Hboddk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hboddk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hihlqeib.exe N/A
N/A N/A C:\Windows\SysWOW64\Hihlqeib.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihniaa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihniaa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipeaco32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipeaco32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibejdjln.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibejdjln.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihbcmaje.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihbcmaje.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijclol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijclol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ioohokoo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ioohokoo.exe N/A
N/A N/A C:\Windows\SysWOW64\Idkpganf.exe N/A
N/A N/A C:\Windows\SysWOW64\Idkpganf.exe N/A
N/A N/A C:\Windows\SysWOW64\Iihiphln.exe N/A
N/A N/A C:\Windows\SysWOW64\Iihiphln.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkhejkcq.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkhejkcq.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Mnaiol32.exe C:\Windows\SysWOW64\Mggabaea.exe N/A
File created C:\Windows\SysWOW64\Qqmfpqmc.dll C:\Windows\SysWOW64\Pmkhjncg.exe N/A
File created C:\Windows\SysWOW64\Fkbgckgd.exe C:\Windows\SysWOW64\Fpmbfbgo.exe N/A
File created C:\Windows\SysWOW64\Ioohokoo.exe C:\Windows\SysWOW64\Ijclol32.exe N/A
File created C:\Windows\SysWOW64\Pmkhjncg.exe C:\Windows\SysWOW64\Phnpagdp.exe N/A
File opened for modification C:\Windows\SysWOW64\Aqbdkk32.exe C:\Windows\SysWOW64\Abpcooea.exe N/A
File created C:\Windows\SysWOW64\Cbehjc32.dll C:\Windows\SysWOW64\Djdgic32.exe N/A
File created C:\Windows\SysWOW64\Famope32.exe C:\Windows\SysWOW64\Fkbgckgd.exe N/A
File created C:\Windows\SysWOW64\Hidcef32.exe C:\Windows\SysWOW64\Hmkeke32.exe N/A
File created C:\Windows\SysWOW64\Hmalldcn.exe C:\Windows\SysWOW64\Hfhcoj32.exe N/A
File created C:\Windows\SysWOW64\Nameek32.exe C:\Windows\SysWOW64\Nnoiio32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nfoghakb.exe C:\Windows\SysWOW64\Ndqkleln.exe N/A
File created C:\Windows\SysWOW64\Ajcbch32.dll C:\Windows\SysWOW64\Hakkgc32.exe N/A
File created C:\Windows\SysWOW64\Cgknkqan.dll C:\Windows\SysWOW64\Lbafdlod.exe N/A
File opened for modification C:\Windows\SysWOW64\Mpebmc32.exe C:\Windows\SysWOW64\Mmgfqh32.exe N/A
File created C:\Windows\SysWOW64\Jmgnph32.dll C:\Windows\SysWOW64\Kadfkhkf.exe N/A
File created C:\Windows\SysWOW64\Nnoiio32.exe C:\Windows\SysWOW64\Ngealejo.exe N/A
File created C:\Windows\SysWOW64\Ofcqcp32.exe C:\Windows\SysWOW64\Omklkkpl.exe N/A
File created C:\Windows\SysWOW64\Ojomdoof.exe C:\Windows\SysWOW64\Ofcqcp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bnfddp32.exe C:\Windows\SysWOW64\Bkhhhd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Folfoj32.exe C:\Windows\SysWOW64\Edfbaabj.exe N/A
File opened for modification C:\Windows\SysWOW64\Famope32.exe C:\Windows\SysWOW64\Fkbgckgd.exe N/A
File opened for modification C:\Windows\SysWOW64\Klpdaf32.exe C:\Windows\SysWOW64\Kjahej32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ahbekjcf.exe C:\Windows\SysWOW64\Ajpepm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnkjnb32.exe C:\Windows\SysWOW64\Cjonncab.exe N/A
File created C:\Windows\SysWOW64\Enmkijgm.dll C:\Windows\SysWOW64\Jbjpom32.exe N/A
File created C:\Windows\SysWOW64\Lhknaf32.exe C:\Windows\SysWOW64\Lbafdlod.exe N/A
File created C:\Windows\SysWOW64\Mpebmc32.exe C:\Windows\SysWOW64\Mmgfqh32.exe N/A
File created C:\Windows\SysWOW64\Qlfgce32.dll C:\Windows\SysWOW64\Mcckcbgp.exe N/A
File created C:\Windows\SysWOW64\Pidfdofi.exe C:\Windows\SysWOW64\Pgfjhcge.exe N/A
File created C:\Windows\SysWOW64\Kmhnlgkg.dll C:\Windows\SysWOW64\Abpcooea.exe N/A
File opened for modification C:\Windows\SysWOW64\Calcpm32.exe C:\Windows\SysWOW64\Cmpgpond.exe N/A
File opened for modification C:\Windows\SysWOW64\Eddeladm.exe C:\Windows\SysWOW64\Ecbhdi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Edfbaabj.exe C:\Windows\SysWOW64\Eoiiijcc.exe N/A
File opened for modification C:\Windows\SysWOW64\Kkjnnn32.exe C:\Windows\SysWOW64\Kpdjaecc.exe N/A
File opened for modification C:\Windows\SysWOW64\Nabopjmj.exe C:\Windows\SysWOW64\Njhfcp32.exe N/A
File created C:\Windows\SysWOW64\Kaaded32.dll C:\Windows\SysWOW64\Pgfjhcge.exe N/A
File created C:\Windows\SysWOW64\Bieopm32.exe C:\Windows\SysWOW64\Bffbdadk.exe N/A
File created C:\Windows\SysWOW64\Jpebhied.dll C:\Windows\SysWOW64\Bffbdadk.exe N/A
File opened for modification C:\Windows\SysWOW64\ÿs.e¢e C:\Windows\SysWOW64\Dpapaj32.exe N/A
File created C:\Windows\SysWOW64\Qeeheknp.dll C:\Windows\SysWOW64\Nipdkieg.exe N/A
File opened for modification C:\Windows\SysWOW64\Pebpkk32.exe C:\Windows\SysWOW64\Pmkhjncg.exe N/A
File created C:\Windows\SysWOW64\Ahbekjcf.exe C:\Windows\SysWOW64\Ajpepm32.exe N/A
File created C:\Windows\SysWOW64\Pdkefp32.dll C:\Windows\SysWOW64\Danpemej.exe N/A
File created C:\Windows\SysWOW64\Lkjjma32.exe C:\Windows\SysWOW64\Lhknaf32.exe N/A
File created C:\Windows\SysWOW64\Qdlggg32.exe C:\Windows\SysWOW64\Qppkfhlc.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Calcpm32.exe N/A
File created C:\Windows\SysWOW64\Pplncj32.dll C:\Windows\SysWOW64\Kaompi32.exe N/A
File created C:\Windows\SysWOW64\Andpoahc.dll C:\Windows\SysWOW64\Kpgffe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nefdpjkl.exe C:\Windows\SysWOW64\Nlnpgd32.exe N/A
File created C:\Windows\SysWOW64\Lgchgb32.exe C:\Windows\SysWOW64\Lhpglecl.exe N/A
File created C:\Windows\SysWOW64\Hmkeke32.exe C:\Windows\SysWOW64\Ggkqmoma.exe N/A
File opened for modification C:\Windows\SysWOW64\Njhfcp32.exe C:\Windows\SysWOW64\Nlefhcnc.exe N/A
File created C:\Windows\SysWOW64\Paiaplin.exe C:\Windows\SysWOW64\Pkoicb32.exe N/A
File created C:\Windows\SysWOW64\Liempneg.dll C:\Windows\SysWOW64\Cjonncab.exe N/A
File created C:\Windows\SysWOW64\Hboddk32.exe C:\Windows\SysWOW64\Hmalldcn.exe N/A
File created C:\Windows\SysWOW64\Kkjnnn32.exe C:\Windows\SysWOW64\Kpdjaecc.exe N/A
File created C:\Windows\SysWOW64\Lonpma32.exe C:\Windows\SysWOW64\Klpdaf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qeppdo32.exe C:\Windows\SysWOW64\Qndkpmkm.exe N/A
File created C:\Windows\SysWOW64\Fffgkhmc.dll C:\Windows\SysWOW64\Mqklqhpg.exe N/A
File opened for modification C:\Windows\SysWOW64\Alqnah32.exe C:\Windows\SysWOW64\Adifpk32.exe N/A
File created C:\Windows\SysWOW64\Danpemej.exe C:\Windows\SysWOW64\Djdgic32.exe N/A
File created C:\Windows\SysWOW64\Oeeikk32.dll C:\Windows\SysWOW64\Mmicfh32.exe N/A
File created C:\Windows\SysWOW64\Alihaioe.exe C:\Windows\SysWOW64\Qeppdo32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dpapaj32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ecploipa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mcckcbgp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njhfcp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Obmnna32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceebklai.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Famope32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lfhhjklc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pidfdofi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahbekjcf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqijljfd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmedlk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cebeem32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ecbhdi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lonpma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mqklqhpg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odchbe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oeindm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aomnhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahgofi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ggkqmoma.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgjnhaco.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnoiio32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qndkpmkm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Boogmgkl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ipeaco32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kaompi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkjnnn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klngkfge.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ljddjj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lbafdlod.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mpebmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ihbcmaje.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mjkgjl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ndqkleln.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oidiekdn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdlggg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cepipm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mnaiol32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pgfjhcge.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eacljf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hmkeke32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lgchgb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kjahej32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odgamdef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qppkfhlc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bffbdadk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmpgpond.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Calcpm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kklkcn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djdgic32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fpmbfbgo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Knfndjdp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olpilg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Boljgg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjonncab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eddeladm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hakkgc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hmalldcn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iihiphln.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jajcdjca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kpdjaecc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkoicb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Elipgofb.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebmjo32.dll" C:\Windows\SysWOW64\Hidcef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hfhcoj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngealejo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Coacbfii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeikk32.dll" C:\Windows\SysWOW64\Mmicfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqgfg32.dll" C:\Windows\SysWOW64\Qdlggg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pclmghko.dll" C:\Windows\SysWOW64\Ioohokoo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iihiphln.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jkhejkcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbamn32.dll" C:\Windows\SysWOW64\Jolghndm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kaompi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nidmfh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mqnifg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlemad32.dll" C:\Windows\SysWOW64\Mqnifg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mjkgjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naejdn32.dll" C:\Windows\SysWOW64\Njhfcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ioohokoo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll" C:\Windows\SysWOW64\Bnfddp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfebgn32.dll" C:\Windows\SysWOW64\Egikjh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ggkqmoma.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ibejdjln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnfddp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdqlajbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahapj32.dll" C:\Windows\SysWOW64\Pkoicb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qeppdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdclnelo.dll" C:\Windows\SysWOW64\Nabopjmj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bnfddp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nlcibc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ajpepm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll" C:\Windows\SysWOW64\Cebeem32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cmpgpond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cafngogd.dll" C:\Windows\SysWOW64\Eddeladm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkcje32.dll" C:\Windows\SysWOW64\Folfoj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Paiaplin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ihbcmaje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lbafdlod.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mcckcbgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbjpom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljlmgnqj.dll" C:\Windows\SysWOW64\Lhknaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomgdcce.dll" C:\Windows\SysWOW64\Nfoghakb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll" C:\Windows\SysWOW64\Cmpgpond.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jajcdjca.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mmgfqh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnfnae32.dll" C:\Windows\SysWOW64\Mmgfqh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll" C:\Windows\SysWOW64\Bmlael32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Calcpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llechb32.dll" C:\Windows\SysWOW64\Lpnmgdli.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlfgce32.dll" C:\Windows\SysWOW64\Mcckcbgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ceebklai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maanne32.dll" C:\Windows\SysWOW64\Ajpepm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjehmbkc.dll" C:\Windows\SysWOW64\Hmalldcn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lgchgb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcakjoj.dll" C:\Windows\SysWOW64\Nefdpjkl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nabopjmj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giddhc32.dll" C:\Windows\SysWOW64\Odchbe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmpgpond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndqkleln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fpmbfbgo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ijclol32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbellj32.dll" C:\Windows\SysWOW64\Jehlkhig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnjeilhc.dll" C:\Windows\SysWOW64\Lfhhjklc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lfhhjklc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe C:\Windows\SysWOW64\Eppcmncq.exe
PID 2396 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe C:\Windows\SysWOW64\Eppcmncq.exe
PID 2396 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe C:\Windows\SysWOW64\Eppcmncq.exe
PID 2396 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe C:\Windows\SysWOW64\Eppcmncq.exe
PID 1256 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Eppcmncq.exe C:\Windows\SysWOW64\Egikjh32.exe
PID 1256 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Eppcmncq.exe C:\Windows\SysWOW64\Egikjh32.exe
PID 1256 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Eppcmncq.exe C:\Windows\SysWOW64\Egikjh32.exe
PID 1256 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Eppcmncq.exe C:\Windows\SysWOW64\Egikjh32.exe
PID 2560 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Egikjh32.exe C:\Windows\SysWOW64\Ehkhaqpk.exe
PID 2560 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Egikjh32.exe C:\Windows\SysWOW64\Ehkhaqpk.exe
PID 2560 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Egikjh32.exe C:\Windows\SysWOW64\Ehkhaqpk.exe
PID 2560 wrote to memory of 2544 N/A C:\Windows\SysWOW64\Egikjh32.exe C:\Windows\SysWOW64\Ehkhaqpk.exe
PID 2544 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Ehkhaqpk.exe C:\Windows\SysWOW64\Ecploipa.exe
PID 2544 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Ehkhaqpk.exe C:\Windows\SysWOW64\Ecploipa.exe
PID 2544 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Ehkhaqpk.exe C:\Windows\SysWOW64\Ecploipa.exe
PID 2544 wrote to memory of 2840 N/A C:\Windows\SysWOW64\Ehkhaqpk.exe C:\Windows\SysWOW64\Ecploipa.exe
PID 2840 wrote to memory of 2268 N/A C:\Windows\SysWOW64\Ecploipa.exe C:\Windows\SysWOW64\Eacljf32.exe
PID 2840 wrote to memory of 2268 N/A C:\Windows\SysWOW64\Ecploipa.exe C:\Windows\SysWOW64\Eacljf32.exe
PID 2840 wrote to memory of 2268 N/A C:\Windows\SysWOW64\Ecploipa.exe C:\Windows\SysWOW64\Eacljf32.exe
PID 2840 wrote to memory of 2268 N/A C:\Windows\SysWOW64\Ecploipa.exe C:\Windows\SysWOW64\Eacljf32.exe
PID 2268 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Eacljf32.exe C:\Windows\SysWOW64\Elipgofb.exe
PID 2268 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Eacljf32.exe C:\Windows\SysWOW64\Elipgofb.exe
PID 2268 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Eacljf32.exe C:\Windows\SysWOW64\Elipgofb.exe
PID 2268 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Eacljf32.exe C:\Windows\SysWOW64\Elipgofb.exe
PID 2852 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Elipgofb.exe C:\Windows\SysWOW64\Ecbhdi32.exe
PID 2852 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Elipgofb.exe C:\Windows\SysWOW64\Ecbhdi32.exe
PID 2852 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Elipgofb.exe C:\Windows\SysWOW64\Ecbhdi32.exe
PID 2852 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Elipgofb.exe C:\Windows\SysWOW64\Ecbhdi32.exe
PID 2740 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Ecbhdi32.exe C:\Windows\SysWOW64\Eddeladm.exe
PID 2740 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Ecbhdi32.exe C:\Windows\SysWOW64\Eddeladm.exe
PID 2740 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Ecbhdi32.exe C:\Windows\SysWOW64\Eddeladm.exe
PID 2740 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Ecbhdi32.exe C:\Windows\SysWOW64\Eddeladm.exe
PID 2812 wrote to memory of 1204 N/A C:\Windows\SysWOW64\Eddeladm.exe C:\Windows\SysWOW64\Eoiiijcc.exe
PID 2812 wrote to memory of 1204 N/A C:\Windows\SysWOW64\Eddeladm.exe C:\Windows\SysWOW64\Eoiiijcc.exe
PID 2812 wrote to memory of 1204 N/A C:\Windows\SysWOW64\Eddeladm.exe C:\Windows\SysWOW64\Eoiiijcc.exe
PID 2812 wrote to memory of 1204 N/A C:\Windows\SysWOW64\Eddeladm.exe C:\Windows\SysWOW64\Eoiiijcc.exe
PID 1204 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Eoiiijcc.exe C:\Windows\SysWOW64\Edfbaabj.exe
PID 1204 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Eoiiijcc.exe C:\Windows\SysWOW64\Edfbaabj.exe
PID 1204 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Eoiiijcc.exe C:\Windows\SysWOW64\Edfbaabj.exe
PID 1204 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Eoiiijcc.exe C:\Windows\SysWOW64\Edfbaabj.exe
PID 2008 wrote to memory of 2040 N/A C:\Windows\SysWOW64\Edfbaabj.exe C:\Windows\SysWOW64\Folfoj32.exe
PID 2008 wrote to memory of 2040 N/A C:\Windows\SysWOW64\Edfbaabj.exe C:\Windows\SysWOW64\Folfoj32.exe
PID 2008 wrote to memory of 2040 N/A C:\Windows\SysWOW64\Edfbaabj.exe C:\Windows\SysWOW64\Folfoj32.exe
PID 2008 wrote to memory of 2040 N/A C:\Windows\SysWOW64\Edfbaabj.exe C:\Windows\SysWOW64\Folfoj32.exe
PID 2040 wrote to memory of 1700 N/A C:\Windows\SysWOW64\Folfoj32.exe C:\Windows\SysWOW64\Fpmbfbgo.exe
PID 2040 wrote to memory of 1700 N/A C:\Windows\SysWOW64\Folfoj32.exe C:\Windows\SysWOW64\Fpmbfbgo.exe
PID 2040 wrote to memory of 1700 N/A C:\Windows\SysWOW64\Folfoj32.exe C:\Windows\SysWOW64\Fpmbfbgo.exe
PID 2040 wrote to memory of 1700 N/A C:\Windows\SysWOW64\Folfoj32.exe C:\Windows\SysWOW64\Fpmbfbgo.exe
PID 1700 wrote to memory of 872 N/A C:\Windows\SysWOW64\Fpmbfbgo.exe C:\Windows\SysWOW64\Fkbgckgd.exe
PID 1700 wrote to memory of 872 N/A C:\Windows\SysWOW64\Fpmbfbgo.exe C:\Windows\SysWOW64\Fkbgckgd.exe
PID 1700 wrote to memory of 872 N/A C:\Windows\SysWOW64\Fpmbfbgo.exe C:\Windows\SysWOW64\Fkbgckgd.exe
PID 1700 wrote to memory of 872 N/A C:\Windows\SysWOW64\Fpmbfbgo.exe C:\Windows\SysWOW64\Fkbgckgd.exe
PID 872 wrote to memory of 2208 N/A C:\Windows\SysWOW64\Fkbgckgd.exe C:\Windows\SysWOW64\Famope32.exe
PID 872 wrote to memory of 2208 N/A C:\Windows\SysWOW64\Fkbgckgd.exe C:\Windows\SysWOW64\Famope32.exe
PID 872 wrote to memory of 2208 N/A C:\Windows\SysWOW64\Fkbgckgd.exe C:\Windows\SysWOW64\Famope32.exe
PID 872 wrote to memory of 2208 N/A C:\Windows\SysWOW64\Fkbgckgd.exe C:\Windows\SysWOW64\Famope32.exe
PID 2208 wrote to memory of 1040 N/A C:\Windows\SysWOW64\Famope32.exe C:\Windows\SysWOW64\Ggkqmoma.exe
PID 2208 wrote to memory of 1040 N/A C:\Windows\SysWOW64\Famope32.exe C:\Windows\SysWOW64\Ggkqmoma.exe
PID 2208 wrote to memory of 1040 N/A C:\Windows\SysWOW64\Famope32.exe C:\Windows\SysWOW64\Ggkqmoma.exe
PID 2208 wrote to memory of 1040 N/A C:\Windows\SysWOW64\Famope32.exe C:\Windows\SysWOW64\Ggkqmoma.exe
PID 1040 wrote to memory of 972 N/A C:\Windows\SysWOW64\Ggkqmoma.exe C:\Windows\SysWOW64\Hmkeke32.exe
PID 1040 wrote to memory of 972 N/A C:\Windows\SysWOW64\Ggkqmoma.exe C:\Windows\SysWOW64\Hmkeke32.exe
PID 1040 wrote to memory of 972 N/A C:\Windows\SysWOW64\Ggkqmoma.exe C:\Windows\SysWOW64\Hmkeke32.exe
PID 1040 wrote to memory of 972 N/A C:\Windows\SysWOW64\Ggkqmoma.exe C:\Windows\SysWOW64\Hmkeke32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe

"C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe"

C:\Windows\SysWOW64\Eppcmncq.exe

C:\Windows\system32\Eppcmncq.exe

C:\Windows\SysWOW64\Egikjh32.exe

C:\Windows\system32\Egikjh32.exe

C:\Windows\SysWOW64\Ehkhaqpk.exe

C:\Windows\system32\Ehkhaqpk.exe

C:\Windows\SysWOW64\Ecploipa.exe

C:\Windows\system32\Ecploipa.exe

C:\Windows\SysWOW64\Eacljf32.exe

C:\Windows\system32\Eacljf32.exe

C:\Windows\SysWOW64\Elipgofb.exe

C:\Windows\system32\Elipgofb.exe

C:\Windows\SysWOW64\Ecbhdi32.exe

C:\Windows\system32\Ecbhdi32.exe

C:\Windows\SysWOW64\Eddeladm.exe

C:\Windows\system32\Eddeladm.exe

C:\Windows\SysWOW64\Eoiiijcc.exe

C:\Windows\system32\Eoiiijcc.exe

C:\Windows\SysWOW64\Edfbaabj.exe

C:\Windows\system32\Edfbaabj.exe

C:\Windows\SysWOW64\Folfoj32.exe

C:\Windows\system32\Folfoj32.exe

C:\Windows\SysWOW64\Fpmbfbgo.exe

C:\Windows\system32\Fpmbfbgo.exe

C:\Windows\SysWOW64\Fkbgckgd.exe

C:\Windows\system32\Fkbgckgd.exe

C:\Windows\SysWOW64\Famope32.exe

C:\Windows\system32\Famope32.exe

C:\Windows\SysWOW64\Ggkqmoma.exe

C:\Windows\system32\Ggkqmoma.exe

C:\Windows\SysWOW64\Hmkeke32.exe

C:\Windows\system32\Hmkeke32.exe

C:\Windows\SysWOW64\Hidcef32.exe

C:\Windows\system32\Hidcef32.exe

C:\Windows\SysWOW64\Hakkgc32.exe

C:\Windows\system32\Hakkgc32.exe

C:\Windows\SysWOW64\Hfhcoj32.exe

C:\Windows\system32\Hfhcoj32.exe

C:\Windows\SysWOW64\Hmalldcn.exe

C:\Windows\system32\Hmalldcn.exe

C:\Windows\SysWOW64\Hboddk32.exe

C:\Windows\system32\Hboddk32.exe

C:\Windows\SysWOW64\Hihlqeib.exe

C:\Windows\system32\Hihlqeib.exe

C:\Windows\SysWOW64\Ihniaa32.exe

C:\Windows\system32\Ihniaa32.exe

C:\Windows\SysWOW64\Ipeaco32.exe

C:\Windows\system32\Ipeaco32.exe

C:\Windows\SysWOW64\Ibejdjln.exe

C:\Windows\system32\Ibejdjln.exe

C:\Windows\SysWOW64\Ihbcmaje.exe

C:\Windows\system32\Ihbcmaje.exe

C:\Windows\SysWOW64\Ijclol32.exe

C:\Windows\system32\Ijclol32.exe

C:\Windows\SysWOW64\Ioohokoo.exe

C:\Windows\system32\Ioohokoo.exe

C:\Windows\SysWOW64\Idkpganf.exe

C:\Windows\system32\Idkpganf.exe

C:\Windows\SysWOW64\Iihiphln.exe

C:\Windows\system32\Iihiphln.exe

C:\Windows\SysWOW64\Jkhejkcq.exe

C:\Windows\system32\Jkhejkcq.exe

C:\Windows\SysWOW64\Jmfafgbd.exe

C:\Windows\system32\Jmfafgbd.exe

C:\Windows\SysWOW64\Jlkngc32.exe

C:\Windows\system32\Jlkngc32.exe

C:\Windows\SysWOW64\Jbefcm32.exe

C:\Windows\system32\Jbefcm32.exe

C:\Windows\SysWOW64\Jolghndm.exe

C:\Windows\system32\Jolghndm.exe

C:\Windows\SysWOW64\Jajcdjca.exe

C:\Windows\system32\Jajcdjca.exe

C:\Windows\SysWOW64\Jbjpom32.exe

C:\Windows\system32\Jbjpom32.exe

C:\Windows\SysWOW64\Jehlkhig.exe

C:\Windows\system32\Jehlkhig.exe

C:\Windows\SysWOW64\Kaompi32.exe

C:\Windows\system32\Kaompi32.exe

C:\Windows\SysWOW64\Knfndjdp.exe

C:\Windows\system32\Knfndjdp.exe

C:\Windows\SysWOW64\Kaajei32.exe

C:\Windows\system32\Kaajei32.exe

C:\Windows\SysWOW64\Kpdjaecc.exe

C:\Windows\system32\Kpdjaecc.exe

C:\Windows\SysWOW64\Kkjnnn32.exe

C:\Windows\system32\Kkjnnn32.exe

C:\Windows\SysWOW64\Knhjjj32.exe

C:\Windows\system32\Knhjjj32.exe

C:\Windows\SysWOW64\Kadfkhkf.exe

C:\Windows\system32\Kadfkhkf.exe

C:\Windows\SysWOW64\Kpgffe32.exe

C:\Windows\system32\Kpgffe32.exe

C:\Windows\SysWOW64\Kklkcn32.exe

C:\Windows\system32\Kklkcn32.exe

C:\Windows\SysWOW64\Klngkfge.exe

C:\Windows\system32\Klngkfge.exe

C:\Windows\SysWOW64\Kjahej32.exe

C:\Windows\system32\Kjahej32.exe

C:\Windows\SysWOW64\Klpdaf32.exe

C:\Windows\system32\Klpdaf32.exe

C:\Windows\SysWOW64\Lonpma32.exe

C:\Windows\system32\Lonpma32.exe

C:\Windows\SysWOW64\Lfhhjklc.exe

C:\Windows\system32\Lfhhjklc.exe

C:\Windows\SysWOW64\Ljddjj32.exe

C:\Windows\system32\Ljddjj32.exe

C:\Windows\SysWOW64\Lpnmgdli.exe

C:\Windows\system32\Lpnmgdli.exe

C:\Windows\SysWOW64\Lhiakf32.exe

C:\Windows\system32\Lhiakf32.exe

C:\Windows\SysWOW64\Locjhqpa.exe

C:\Windows\system32\Locjhqpa.exe

C:\Windows\SysWOW64\Lbafdlod.exe

C:\Windows\system32\Lbafdlod.exe

C:\Windows\SysWOW64\Lhknaf32.exe

C:\Windows\system32\Lhknaf32.exe

C:\Windows\SysWOW64\Lkjjma32.exe

C:\Windows\system32\Lkjjma32.exe

C:\Windows\SysWOW64\Lnhgim32.exe

C:\Windows\system32\Lnhgim32.exe

C:\Windows\SysWOW64\Lgqkbb32.exe

C:\Windows\system32\Lgqkbb32.exe

C:\Windows\SysWOW64\Lohccp32.exe

C:\Windows\system32\Lohccp32.exe

C:\Windows\SysWOW64\Lhpglecl.exe

C:\Windows\system32\Lhpglecl.exe

C:\Windows\SysWOW64\Lgchgb32.exe

C:\Windows\system32\Lgchgb32.exe

C:\Windows\SysWOW64\Mqklqhpg.exe

C:\Windows\system32\Mqklqhpg.exe

C:\Windows\SysWOW64\Mcjhmcok.exe

C:\Windows\system32\Mcjhmcok.exe

C:\Windows\SysWOW64\Mjcaimgg.exe

C:\Windows\system32\Mjcaimgg.exe

C:\Windows\SysWOW64\Mqnifg32.exe

C:\Windows\system32\Mqnifg32.exe

C:\Windows\SysWOW64\Mggabaea.exe

C:\Windows\system32\Mggabaea.exe

C:\Windows\SysWOW64\Mnaiol32.exe

C:\Windows\system32\Mnaiol32.exe

C:\Windows\SysWOW64\Mgjnhaco.exe

C:\Windows\system32\Mgjnhaco.exe

C:\Windows\SysWOW64\Mmgfqh32.exe

C:\Windows\system32\Mmgfqh32.exe

C:\Windows\SysWOW64\Mpebmc32.exe

C:\Windows\system32\Mpebmc32.exe

C:\Windows\SysWOW64\Mjkgjl32.exe

C:\Windows\system32\Mjkgjl32.exe

C:\Windows\SysWOW64\Mmicfh32.exe

C:\Windows\system32\Mmicfh32.exe

C:\Windows\SysWOW64\Mcckcbgp.exe

C:\Windows\system32\Mcckcbgp.exe

C:\Windows\SysWOW64\Nipdkieg.exe

C:\Windows\system32\Nipdkieg.exe

C:\Windows\SysWOW64\Nlnpgd32.exe

C:\Windows\system32\Nlnpgd32.exe

C:\Windows\SysWOW64\Nefdpjkl.exe

C:\Windows\system32\Nefdpjkl.exe

C:\Windows\SysWOW64\Ngealejo.exe

C:\Windows\system32\Ngealejo.exe

C:\Windows\SysWOW64\Nnoiio32.exe

C:\Windows\system32\Nnoiio32.exe

C:\Windows\SysWOW64\Nameek32.exe

C:\Windows\system32\Nameek32.exe

C:\Windows\SysWOW64\Nidmfh32.exe

C:\Windows\system32\Nidmfh32.exe

C:\Windows\SysWOW64\Nlcibc32.exe

C:\Windows\system32\Nlcibc32.exe

C:\Windows\SysWOW64\Nbmaon32.exe

C:\Windows\system32\Nbmaon32.exe

C:\Windows\SysWOW64\Neknki32.exe

C:\Windows\system32\Neknki32.exe

C:\Windows\SysWOW64\Ncnngfna.exe

C:\Windows\system32\Ncnngfna.exe

C:\Windows\SysWOW64\Nlefhcnc.exe

C:\Windows\system32\Nlefhcnc.exe

C:\Windows\SysWOW64\Njhfcp32.exe

C:\Windows\system32\Njhfcp32.exe

C:\Windows\SysWOW64\Nabopjmj.exe

C:\Windows\system32\Nabopjmj.exe

C:\Windows\SysWOW64\Ndqkleln.exe

C:\Windows\system32\Ndqkleln.exe

C:\Windows\SysWOW64\Nfoghakb.exe

C:\Windows\system32\Nfoghakb.exe

C:\Windows\SysWOW64\Odchbe32.exe

C:\Windows\system32\Odchbe32.exe

C:\Windows\SysWOW64\Omklkkpl.exe

C:\Windows\system32\Omklkkpl.exe

C:\Windows\SysWOW64\Ofcqcp32.exe

C:\Windows\system32\Ofcqcp32.exe

C:\Windows\SysWOW64\Ojomdoof.exe

C:\Windows\system32\Ojomdoof.exe

C:\Windows\SysWOW64\Olpilg32.exe

C:\Windows\system32\Olpilg32.exe

C:\Windows\SysWOW64\Odgamdef.exe

C:\Windows\system32\Odgamdef.exe

C:\Windows\SysWOW64\Oeindm32.exe

C:\Windows\system32\Oeindm32.exe

C:\Windows\SysWOW64\Oidiekdn.exe

C:\Windows\system32\Oidiekdn.exe

C:\Windows\SysWOW64\Obmnna32.exe

C:\Windows\system32\Obmnna32.exe

C:\Windows\SysWOW64\Oekjjl32.exe

C:\Windows\system32\Oekjjl32.exe

C:\Windows\SysWOW64\Oococb32.exe

C:\Windows\system32\Oococb32.exe

C:\Windows\SysWOW64\Oemgplgo.exe

C:\Windows\system32\Oemgplgo.exe

C:\Windows\SysWOW64\Pepcelel.exe

C:\Windows\system32\Pepcelel.exe

C:\Windows\SysWOW64\Phnpagdp.exe

C:\Windows\system32\Phnpagdp.exe

C:\Windows\SysWOW64\Pmkhjncg.exe

C:\Windows\system32\Pmkhjncg.exe

C:\Windows\SysWOW64\Pebpkk32.exe

C:\Windows\system32\Pebpkk32.exe

C:\Windows\SysWOW64\Pkoicb32.exe

C:\Windows\system32\Pkoicb32.exe

C:\Windows\SysWOW64\Paiaplin.exe

C:\Windows\system32\Paiaplin.exe

C:\Windows\SysWOW64\Pgfjhcge.exe

C:\Windows\system32\Pgfjhcge.exe

C:\Windows\SysWOW64\Pidfdofi.exe

C:\Windows\system32\Pidfdofi.exe

C:\Windows\SysWOW64\Pcljmdmj.exe

C:\Windows\system32\Pcljmdmj.exe

C:\Windows\SysWOW64\Pkcbnanl.exe

C:\Windows\system32\Pkcbnanl.exe

C:\Windows\SysWOW64\Qppkfhlc.exe

C:\Windows\system32\Qppkfhlc.exe

C:\Windows\SysWOW64\Qdlggg32.exe

C:\Windows\system32\Qdlggg32.exe

C:\Windows\SysWOW64\Qndkpmkm.exe

C:\Windows\system32\Qndkpmkm.exe

C:\Windows\SysWOW64\Qeppdo32.exe

C:\Windows\system32\Qeppdo32.exe

C:\Windows\SysWOW64\Alihaioe.exe

C:\Windows\system32\Alihaioe.exe

C:\Windows\SysWOW64\Aohdmdoh.exe

C:\Windows\system32\Aohdmdoh.exe

C:\Windows\SysWOW64\Agolnbok.exe

C:\Windows\system32\Agolnbok.exe

C:\Windows\SysWOW64\Ahpifj32.exe

C:\Windows\system32\Ahpifj32.exe

C:\Windows\SysWOW64\Ajpepm32.exe

C:\Windows\system32\Ajpepm32.exe

C:\Windows\SysWOW64\Ahbekjcf.exe

C:\Windows\system32\Ahbekjcf.exe

C:\Windows\SysWOW64\Akabgebj.exe

C:\Windows\system32\Akabgebj.exe

C:\Windows\SysWOW64\Aomnhd32.exe

C:\Windows\system32\Aomnhd32.exe

C:\Windows\SysWOW64\Adifpk32.exe

C:\Windows\system32\Adifpk32.exe

C:\Windows\SysWOW64\Alqnah32.exe

C:\Windows\system32\Alqnah32.exe

C:\Windows\SysWOW64\Abmgjo32.exe

C:\Windows\system32\Abmgjo32.exe

C:\Windows\SysWOW64\Ahgofi32.exe

C:\Windows\system32\Ahgofi32.exe

C:\Windows\SysWOW64\Abpcooea.exe

C:\Windows\system32\Abpcooea.exe

C:\Windows\SysWOW64\Aqbdkk32.exe

C:\Windows\system32\Aqbdkk32.exe

C:\Windows\SysWOW64\Bkhhhd32.exe

C:\Windows\system32\Bkhhhd32.exe

C:\Windows\SysWOW64\Bnfddp32.exe

C:\Windows\system32\Bnfddp32.exe

C:\Windows\SysWOW64\Bdqlajbb.exe

C:\Windows\system32\Bdqlajbb.exe

C:\Windows\SysWOW64\Bmlael32.exe

C:\Windows\system32\Bmlael32.exe

C:\Windows\SysWOW64\Bgaebe32.exe

C:\Windows\system32\Bgaebe32.exe

C:\Windows\SysWOW64\Bjpaop32.exe

C:\Windows\system32\Bjpaop32.exe

C:\Windows\SysWOW64\Bqijljfd.exe

C:\Windows\system32\Bqijljfd.exe

C:\Windows\SysWOW64\Boljgg32.exe

C:\Windows\system32\Boljgg32.exe

C:\Windows\SysWOW64\Bffbdadk.exe

C:\Windows\system32\Bffbdadk.exe

C:\Windows\SysWOW64\Bieopm32.exe

C:\Windows\system32\Bieopm32.exe

C:\Windows\SysWOW64\Bqlfaj32.exe

C:\Windows\system32\Bqlfaj32.exe

C:\Windows\SysWOW64\Boogmgkl.exe

C:\Windows\system32\Boogmgkl.exe

C:\Windows\SysWOW64\Bfioia32.exe

C:\Windows\system32\Bfioia32.exe

C:\Windows\SysWOW64\Bigkel32.exe

C:\Windows\system32\Bigkel32.exe

C:\Windows\SysWOW64\Coacbfii.exe

C:\Windows\system32\Coacbfii.exe

C:\Windows\SysWOW64\Cbppnbhm.exe

C:\Windows\system32\Cbppnbhm.exe

C:\Windows\SysWOW64\Cmedlk32.exe

C:\Windows\system32\Cmedlk32.exe

C:\Windows\SysWOW64\Cocphf32.exe

C:\Windows\system32\Cocphf32.exe

C:\Windows\SysWOW64\Cepipm32.exe

C:\Windows\system32\Cepipm32.exe

C:\Windows\SysWOW64\Cgoelh32.exe

C:\Windows\system32\Cgoelh32.exe

C:\Windows\SysWOW64\Cagienkb.exe

C:\Windows\system32\Cagienkb.exe

C:\Windows\SysWOW64\Cebeem32.exe

C:\Windows\system32\Cebeem32.exe

C:\Windows\SysWOW64\Cjonncab.exe

C:\Windows\system32\Cjonncab.exe

C:\Windows\SysWOW64\Cnkjnb32.exe

C:\Windows\system32\Cnkjnb32.exe

C:\Windows\SysWOW64\Ceebklai.exe

C:\Windows\system32\Ceebklai.exe

C:\Windows\SysWOW64\Cgcnghpl.exe

C:\Windows\system32\Cgcnghpl.exe

C:\Windows\SysWOW64\Cmpgpond.exe

C:\Windows\system32\Cmpgpond.exe

C:\Windows\SysWOW64\Calcpm32.exe

C:\Windows\system32\Calcpm32.exe

C:\Windows\SysWOW64\Cfhkhd32.exe

C:\Windows\system32\Cfhkhd32.exe

C:\Windows\SysWOW64\Djdgic32.exe

C:\Windows\system32\Djdgic32.exe

C:\Windows\SysWOW64\Danpemej.exe

C:\Windows\system32\Danpemej.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 144

Network

N/A

Files

memory/2396-0-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\Eppcmncq.exe

MD5 e015081dfa136aa0d8decf84efee5673
SHA1 322c4604ee35d74991ae552e18735ac63a45bbfe
SHA256 ac6ed895c907c6d39640adafeaa68475b581e2d3c54a2afb23c2f84d98c4bd11
SHA512 b5229f8ea79344d15e645efb3d1235d9956677c22b97dfe677834c52d1e6632383f3890170e4df8e8aa16c964d784fc4edca81e9758519dd9279d1bb4f4f6fa6

memory/1256-14-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2396-13-0x0000000000250000-0x0000000000292000-memory.dmp

memory/2396-12-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Egikjh32.exe

MD5 a128377016301576c0bab5fa9a90c140
SHA1 994ee3d59b5ceb86c4167ff9c8f6b565ca704133
SHA256 9a809a254ca4974ca9b4c1e67c086f77a47b6c6739c1e2842c3bb51ba6abe3ad
SHA512 f7f762535e1b6fb1a7185157cba6f4c486baee5f8352760ad7d516e96fa095822dd20c8978668a4d5cb80dae7141e3aecf5b7dc9de72fe8112ff3ea65f3f03be

memory/2560-32-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ehkhaqpk.exe

MD5 135b232433c6b82dc0327939b76df996
SHA1 c870d48974b1f25d809d2c62fdf321452cbbab1e
SHA256 864b95ca9cf831c1a50c858e01d3c7d6ebf81855d8f096af1d94ab592710dd22
SHA512 eca1e83e7f90a92fc5251c1a089073e4b0c11c9e1c1a1ea80533f7cf58d3612299ae48c5a73c4d22f32fa51dafae0c1045647dd9ea5d9f29e4ea89f74710723a

C:\Windows\SysWOW64\Pfhmhm32.dll

MD5 a7cd5922ecaabf7270caffacbf1bf942
SHA1 efb04876381b8766fe3dcf52ab1142fff34e7cdc
SHA256 e9d75297edeea5a2fc78c9c37d3ff941d319fd128dde781d603add84551c6c99
SHA512 7f320bc08b67b871b7afe97343cc1ab87f68f59c3216e5c5b5067b302450ac4bc5d329d7cab043d72184ef02d64529d611efd98994c84b06ddcdb7b9acf44012

C:\Windows\SysWOW64\Eacljf32.exe

MD5 9a4cf35cbdfbd3b005b2ad84403ba19a
SHA1 265b2b2607b133ba4daf9117e9e25e5776273120
SHA256 f863ec82dbe8ae442d5105d0341e0fa015de0886031202959ebbfed48a927484
SHA512 7539a3b71297f41c72b191d7686b9e8ea80d6e6696aafe39d0cd535735d24d6bd3344df5dda0f716a7645df78d8cd2f674181623703addd27ffccce331ea8321

memory/2852-87-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ecbhdi32.exe

MD5 367ee791c25d1d43b2dfe7945a7c70b2
SHA1 df4ab27cf1762bf0a3a3c170cf2f2b910100114f
SHA256 6ce0f46d326bbfa5d0c9a56b10e7fd4d4f6c99bf397c2651e2758afcbaa48c2e
SHA512 f579e32427fe6d335317e36899db1a62edd1e0dc3399e64e561b940189723443ccbcee64c0b78c4c43e4593ae9dda20b74bae726c740257a7a1abb996a66a4e0

memory/2812-114-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Eoiiijcc.exe

MD5 60e1a43762fb2815ba7bc5d2a2bed99c
SHA1 e81e799f443cd08a0995c13612b09e59c68cd98f
SHA256 7c02c5592caebf58ff6985b576862faf8e40d4a546ec8036029976a77e84c9f8
SHA512 c79d98ec48874f395b27deaecacf4f6864519b04d285a29ccb060bf708dcbf64c64e9cd2ec42a8dfcaac5360ced07b5016e53de660cfb24bde8a3ff35db95e52

memory/2008-143-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2040-153-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1700-170-0x0000000000400000-0x0000000000442000-memory.dmp

memory/872-185-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2812-184-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Fkbgckgd.exe

MD5 4809e061f5855a51e3ab838e6a9ff487
SHA1 d1ee8daf4db180320fb45b364826c71fa60936e5
SHA256 4df44599ff93f457e4eb0461c5f07673a67a6b3d00e78383fc255f8783354563
SHA512 fdc693f190da5aa33860ab70b7123d48c1a4264d5c4770fe4bccff33b08e2916cb4b322e257fa244c43a3aadada93f1171be0197a6dc0d92d02a3211e2ab663b

memory/2740-169-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Fpmbfbgo.exe

MD5 d0235ad341a8889cfe5eee2d04c26cba
SHA1 253312245073a73c87b176e5e35b39dceef32e3d
SHA256 c3258b35d85c3027a3f2cd7e4ea4efaa4b45b57aed8de6e01dffe6c3cb25b569
SHA512 7acc643e9183596a23450f8eeb27aa96548b75267e56caff8c135ad17d4ef1e89961e547647469feadf476486dc1a6ff29236c4db1db871f40dfa4307829d706

memory/2852-152-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Folfoj32.exe

MD5 ea65479cae4bfcb82d47d6f0b34006a6
SHA1 75ea6c506b2a1d821fc9c3b85f2f3430a369fe43
SHA256 441d3f30eef461067f468200fcb9a69e6f24c2e353e501837cf18ba0b1596010
SHA512 835e8cd186e7eb4afc2b7fdbe2d279b1b97c97db4162f59db0a969addda1bb8c5740a6723c5bc53a3fd8f34ff2dcb95f46a13fa95dbea8717ff9f63ffdaac750

memory/2268-141-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2840-137-0x0000000000450000-0x0000000000492000-memory.dmp

C:\Windows\SysWOW64\Edfbaabj.exe

MD5 d2f127bc8387c0efc1a18a7bb9214808
SHA1 63ab984472e73ab3890b99d56dfe16c126017520
SHA256 c3021d9c30a39643a4c2be4edf387c17dabebafcaa87e5d9221f9eb5604d66c2
SHA512 a111b6357d54d46753bd0c052b41e8c8d8b86df3511fd79b8c1ad092728f4d4c717688be7f7a85c76377174f63c4437836e6528cc06fc41274b1fa2365bea79e

memory/1204-124-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2840-123-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Eddeladm.exe

MD5 4414760983689350017b37e1a732befb
SHA1 b1c75a5dd2b6118b008cd051d23f777c1a6fd59e
SHA256 2cd8d81416e1141a9bc16407d6894c1316327ba75244efb224caa6ec328bf585
SHA512 a4506fb61a7b4dc11a6921a8cd6a621f9aaaa850f336ee5a996d81a0a20d8ddcb4f66811c4f650e35b71b1bfae0350cd5c0a58acf430e3fbfb858294f21ef5ea

memory/2740-97-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1256-83-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2396-82-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Elipgofb.exe

MD5 0175f89031fcef85a6641a232b7e67f7
SHA1 894562c1959a62ce872622765d3b5d1504728c30
SHA256 1a48d0e09c508928ac5f99d8fd64502e2b53184b08b4e6f5d62ad1dd1f00593c
SHA512 d320774b795016e489b52afc5556ff212ba6093d48eee60be372adb881070e6fd30a34653a63d4ec4b252772a85fecd6756a3eb351a8251b0195dc02d7619f35

memory/2396-69-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2268-68-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2840-67-0x0000000000450000-0x0000000000492000-memory.dmp

memory/2840-57-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ecploipa.exe

MD5 f8930cc5da5fc60946199c79101310c6
SHA1 4ca8f79e8edcb02e8acbb3d894b7c9fbda17ba1b
SHA256 e6b99f1fb94abbc75a80ca7e1bf045e44d33038b30aad87250fa7e9ebf5b0541
SHA512 963476fa8a497c21cada7881caec85e5dcd0cfa486b7952d23885deea017d68b6510013d43e26a6cdb305e721cff2b5208a20da1121bd499c178136f20a8ec3b

memory/2544-45-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Famope32.exe

MD5 345314d6bee6ace3605fdc8404d97a86
SHA1 1bd79f5d3e00cefb78e476ece0a15680da93a85a
SHA256 6451bf9e88933b1e7739105ceed463d37652c649194b48f7612ec07f39983caa
SHA512 e560854b520e47946ff6650e8f68aaa3d8c1f4c5c5f88fa70262fe46fbcd6b82498f3798d06050e3f178ee6befe4114cc1ae2043181e222473e48b3750c7a442

memory/1204-193-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2208-200-0x0000000000400000-0x0000000000442000-memory.dmp

memory/872-199-0x00000000003B0000-0x00000000003F2000-memory.dmp

\Windows\SysWOW64\Ggkqmoma.exe

MD5 ff5df0e3aa2af090a1de0ed5ae37e608
SHA1 88055aa40789ffa86ceab439bbc8d6b8b709ac6d
SHA256 e7ff6325c2db0112cab584f86cc356ded9a1dcf88772d1e348d40928cef608a6
SHA512 fe4d9184a4872d36869fd4ee4ac2e0e81abe31b9c3bac3ab89717cbd4d6c7b5be92707f5c506c1eefe58c2bdf684fe170e9ae912f0215a301410a9b136d20df1

memory/2208-203-0x00000000002B0000-0x00000000002F2000-memory.dmp

memory/1040-212-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2040-210-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2208-208-0x00000000002B0000-0x00000000002F2000-memory.dmp

C:\Windows\SysWOW64\Hmkeke32.exe

MD5 4b5157ad06d1010bcd328117678c569a
SHA1 669f3a35148dc6b17dfcddcefc2783e751da0132
SHA256 86b7545a25ec59a32c68f4e09c9ba6593109bd96d5b1ed64a01227cb8f1d7c62
SHA512 a318dd1e06e76d51f6bddaff47b013ea37a18c941338ef01bccaf998ceb470e585f00052108ff9308ba81248a90cf24761d5934a0eb3b65abed1ef5697f9bca0

memory/1040-223-0x00000000002D0000-0x0000000000312000-memory.dmp

memory/1700-222-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1040-219-0x00000000002D0000-0x0000000000312000-memory.dmp

C:\Windows\SysWOW64\Hidcef32.exe

MD5 ff5506833901b3cc1414700f3283e0df
SHA1 4d2c4baeef87df23cb8021c2e7e603183cff5c65
SHA256 8b63f29a7eb0dfb5a243ddd66febf36873c91c4fe7fc40e96e0ced0d482cde67
SHA512 2cfadd925869226c9953f3c699d832ce1c26997d62eb077a510a4906e04c581c7cba7826028191d4b3241f45621881f387961bfe36f8dd60eb43e9fd807fe81b

memory/624-237-0x0000000000400000-0x0000000000442000-memory.dmp

memory/972-236-0x0000000000350000-0x0000000000392000-memory.dmp

memory/920-247-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Hakkgc32.exe

MD5 71f0b570aacf8146c99999f0115562bd
SHA1 64bc50aa58c7670fcd78cf838df48338d32d1f11
SHA256 08cce22499612935f096d7869a44ff00488bec9f452bbf6e02ac1b5094fca16e
SHA512 938e6e42861d2a0207bde00e37a581ef82fea2c957b0968d69232c952e73132e026e930cc472416714bcf471d36daa6fd6d516c16d40912711c0388888fd6a21

memory/872-243-0x00000000003B0000-0x00000000003F2000-memory.dmp

memory/1040-258-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1536-257-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2208-256-0x00000000002B0000-0x00000000002F2000-memory.dmp

C:\Windows\SysWOW64\Hfhcoj32.exe

MD5 ba5c232d3b72e034abda6947330ea204
SHA1 337e351d684f51ed22ada5fb93a7e58069922d19
SHA256 199ee4a57c1dcd83977729e9cf118f947cc07c2ad87e244b1d85f353c3e0ea1c
SHA512 95452f675a7a720388b809c5bd845936abcea76729c05d6f11ab44ef79fdbe28bad1763168824c051c675e34054e75da7b172a774cc1acaa57c09a6f21b0f9dc

C:\Windows\SysWOW64\Hmalldcn.exe

MD5 4903a0139b18e4b6fc8503ee3ccf05e4
SHA1 77a3124823e631620640dd7465385dbf612a18b1
SHA256 050b4c983d2dd86b60575f80a8b07907e6cb798ae7bd09a81c0be36358b57c14
SHA512 9ded0190d56ada33e03d75596de8cbacac75facfbb3b9cb7063bd56481fe2660ba44e47dda1caf2955486d300d06d318f13c41f8e7996f6c7e5c0c716b7571e9

C:\Windows\SysWOW64\Hboddk32.exe

MD5 ab0ff2101884b05f2a26d4aa95394e9d
SHA1 e25d004dbd0ef0d71ee9f54bd50e5cf6493ddb47
SHA256 13ad2f0df4db06eef0dd3396fe4b34fb24aaa7099175e13c287add6616bce215
SHA512 c368d17fac212d97f03f6ed4ffe4eacc7fb99bfbac26f4b1229ece6c317aeb1430cd15f2114a4a7d002cf6905033354cc99da2053dd6d0d924f65762f9f26225

memory/716-268-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1536-267-0x0000000000250000-0x0000000000292000-memory.dmp

memory/624-283-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2656-282-0x0000000000400000-0x0000000000442000-memory.dmp

memory/972-281-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2600-289-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2656-288-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Hihlqeib.exe

MD5 b5fc9ee64ce252f31c290834ae3cea2b
SHA1 8dd1a767098d851b8047b963d38a7608fae94e5e
SHA256 694fdf864e3844ac9fd8a532647470d658fe7b36b39debaae2d5aec8cea9801d
SHA512 1204c24c0d0f0c2601ee9dcc8350f1ef620cfb2b49376cc0429a7aa87dc35649e1c37b4429586b819f65978666e5bab6ad49b596900369ebb674779d0c55ba9e

memory/2600-295-0x0000000000450000-0x0000000000492000-memory.dmp

memory/1636-300-0x0000000000400000-0x0000000000442000-memory.dmp

memory/920-299-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ihniaa32.exe

MD5 eb228851b86f1f759ed27142ccfe5c9a
SHA1 089386d3227f15a9aed25fb225b0ccaf29cb95c0
SHA256 70f8de15ee6f47f3c352bf3c3c214d6936fbd0472d37f729f71ce2829bd0abc6
SHA512 a8586d28d8db8e8c4844f6805f15d4b9fd3c985212466b776343706e276c114d457823d6b889b6973b1a1b4dd351d051b586a4bfd16525a3911e30162a8ded86

memory/1536-305-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ipeaco32.exe

MD5 8b81692693bb0982bde450e12823df6c
SHA1 72da38ba5bd7e95aad68a3b3a2a1259b858bcb7b
SHA256 d84f452151bddd5e9ceda92f442e53bb3aa7f7076240252fee20fc05b316847e
SHA512 fb21cb0b2c63583df596f720923a06f63315dcb8d96b8d657980a392d9413eae36c8ee4bafc157b4d64701fc136b327f24d2415c8e64a5e24b86acbca0a4d82e

memory/716-312-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1636-308-0x0000000000280000-0x00000000002C2000-memory.dmp

memory/1536-306-0x0000000000250000-0x0000000000292000-memory.dmp

memory/716-318-0x00000000002D0000-0x0000000000312000-memory.dmp

memory/2160-322-0x0000000000450000-0x0000000000492000-memory.dmp

C:\Windows\SysWOW64\Ibejdjln.exe

MD5 e2004e55eb1dab5029efa26e707c09d1
SHA1 bf631c991a2619de8d16e18b4122fe0d47ba4fbd
SHA256 a1bc14255cd0de13b324ae7dbc887ef69cd9837675e65ffaee5265e4d87f02bf
SHA512 5c823156283c14fbf58cec1ada9b921262e381c2d793cfe9de776021b2d32030a42e7068f6e8f4da999c2c42b21c0e9f820c334eae7e3a9640c4ef8704c3d7ca

memory/2832-335-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1704-334-0x0000000000450000-0x0000000000492000-memory.dmp

memory/1704-333-0x0000000000450000-0x0000000000492000-memory.dmp

C:\Windows\SysWOW64\Ihbcmaje.exe

MD5 6c2c5a172cf3b670666f4cc88e4a91ee
SHA1 de8bfd7fcfb938f532019330304e8f6056a0e735
SHA256 c8db7ba51b7b934df062e44c23feddcbd14397081d05d27721221b04483adee3
SHA512 8ecca1032307b989fce3381239c994e24d2580d27f34b62f6a4ed5fe7e7df629b031753dd2cdd4047bb39f8edb646d32424c11f15438729f20ba3bca302fa695

memory/1704-328-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2600-326-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1992-345-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1636-344-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ijclol32.exe

MD5 cc5a7421f4cb87b2cb723ea2356058d6
SHA1 638d67e7e0da04c7007f96203b14f8aebfd3c94e
SHA256 834db39786c1d02248fde036c9a2d4c2f8f82d0f3437fc0a242da8c5b49a2482
SHA512 596ece987005df5fe32ffd1f8419b1b659a852494fb07bee0b8b6d65560c0af553414e65ace6f5f720315da7b9d96723be8c61a959437586516d816f3441c5c7

memory/2808-356-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2160-355-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ioohokoo.exe

MD5 8eae8a30c8ade42895fc56bad141090c
SHA1 cdd592f7308c58ce9f99103699eaab9063cf72b0
SHA256 ee0c551d6379d2aa7a47307d153ce7609fccda34ea0d92f3b1ebd35a4773cf3d
SHA512 77c7f410f34c0cabe27bafbf503d2703310805ac966d9708a9cccefe9f49ad6e5d120ced3632571a39e8c2dd5d09cfec3d772dd25aca47fec25f5f32d7db60e4

memory/1636-354-0x0000000000280000-0x00000000002C2000-memory.dmp

C:\Windows\SysWOW64\Idkpganf.exe

MD5 801bb025126fb1e2d8cf8ac4d51f6a99
SHA1 2cb54d700e29748589a842ac1896fbb05ea4b09e
SHA256 8cc8e5644860d8a6d8bd51be5d1adb0d45b196a22e088bf5ed28c5ff3ecfe9dc
SHA512 bc166b10fe3bef2c41d6c105dc5de0bc478d0cbe66aa28c84ff146d872e66c050ff22c1b99aa10150e38fce7acfcbeedee6b62aa896faf791b738b2cdd7ef54d

memory/2700-365-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2832-371-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2700-375-0x0000000000350000-0x0000000000392000-memory.dmp

C:\Windows\SysWOW64\Iihiphln.exe

MD5 9019728f4aedcf67e1004710dc6b914f
SHA1 f48cc5c72a3539e131d9abaa79edb8b1902c5d52
SHA256 de1694c218b20065225678758afef80bbfcdc3b642aff37410f8b2ffbc64fa76
SHA512 4e80fc16be8b7a564954f900156d96ceddcbabf85bdad80750184f08b2e2c6d0c2b143754bed40711065ddef546cebb6b7e033032002ae731f6d4f6339810163

memory/2488-381-0x00000000003B0000-0x00000000003F2000-memory.dmp

C:\Windows\SysWOW64\Jkhejkcq.exe

MD5 48bbedc4c6464336f623979812c11fa8
SHA1 6498183d6c1011e7c0bb43e150df6e61f66e687a
SHA256 5c55c423835f651312385d7644cde9948615f886586f3121beba1f22f1866fc3
SHA512 77e38038834256039e2e676bc5682df1fb249a0747e22161f85828bf08617f9e6e3f9332034145c418d9e4ade9c03df89b91925303e453d6815642f611b0fdbd

memory/2808-391-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2584-390-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2808-397-0x00000000002D0000-0x0000000000312000-memory.dmp

memory/2032-396-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jmfafgbd.exe

MD5 99f8b8a6e4626ac91163c33bf93bd9d3
SHA1 c5bedf6230561824860a8f243a58293d0757f792
SHA256 b999c85c1361a52149d1d0f8337f4ae66327b67ddc221cf64a1cd89a1a491d81
SHA512 3d9241312ec74c52d23b67d3a5d87d6729af7509386e64e4a01ccb5057f45702ca8ef8ac2b52e78aeafef08111a8716515edce56113c7ffe44594287f3021a4b

memory/1992-389-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2032-402-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Jlkngc32.exe

MD5 0edfd3cc314fbf51e152630e353fd01a
SHA1 e13bc96ca94454234c1af00064d9be9bb2793e0f
SHA256 757e0e811f8f574b5461db8513f72ec92762b2da340ec17d979a68aa85944890
SHA512 02babee41f9b6c732fb0b3b1d8b6d3e382d3ae4938107baee3d4924fc55cc80bc9f79ee7351d73ed6fa8c8afb301083392801f34ca102b7b56c1122b1ed693c5

memory/1620-412-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2488-419-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2884-418-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1620-417-0x0000000000250000-0x0000000000292000-memory.dmp

C:\Windows\SysWOW64\Jbefcm32.exe

MD5 c7a27a9cdea7cb71e4499c530a41a071
SHA1 7822abf128122537677f3d3732a0392ca5f4bca6
SHA256 1e2be13ceb6202862a070c5691588e3e0122ebd4ff56e60f95102d204b87bedc
SHA512 f8bf2a8afc42ca25f7f10f6d6dbec00b60207727635e2afcdffbc3acaffaf7e5664d4d647aa2acea2f742a72f5385cee1afde0dd852a6220cee7ce524f56cf06

memory/2700-411-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2884-428-0x00000000002D0000-0x0000000000312000-memory.dmp

C:\Windows\SysWOW64\Jolghndm.exe

MD5 80fe861f4176b5617171d232be4dadfd
SHA1 66a58eb97794fa6b4027211aa0488438625e9bb4
SHA256 ce70089191db5f4eaac5d2453ab259c1406dd2b633e57a87b96ac9cc3881a526
SHA512 7673b4de35f7d0c46891aad6eb80ce5d151796381679bd972a748009d6b4373c2425446b0a7ecdf9fb4ab7263ae96c41fdd8a23b784be718d2c26f2a1ad4213c

C:\Windows\SysWOW64\Jajcdjca.exe

MD5 c5bba36255cd742a646abf0a56cf59a1
SHA1 21038a28a5388550657ce51882a317b5a5f156ca
SHA256 454de6ae40ee632963369e650d14bb02c2c8e78cafbda758bbf17dfa4d4f62dc
SHA512 33ce80fd275afc4c35c18a67f2acee0dcf872a0b14c3306424da79c507aeca79c0438a5c5e710a3b9b746b8d5bf201ac22c527cd0d0f7a2b743627d170f404c1

memory/2032-437-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1156-438-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1156-447-0x0000000000450000-0x0000000000492000-memory.dmp

C:\Windows\SysWOW64\Jbjpom32.exe

MD5 23f113c989bbbc080900e047004cd767
SHA1 d4ce1873d6f8c457ca93a78a860810a41fac6880
SHA256 c665c6a8a3d8138b3e3fe34f7f52568a8c225ce24b9b84dcb44b3b2ca7198a46
SHA512 341ceee5da3e97d50afab303cc1c1916fcd4d84c81a5a409d7502160f91d74c566f4d882b622025e0b89e310c92f81fae4131f195d919da90561c86e9c59eb06

memory/2148-452-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2884-448-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Jehlkhig.exe

MD5 6bba6fdd72196183398a4f0e2e4d702f
SHA1 bd6563e12768404a39e7a4101b84bbe178679350
SHA256 73677adec00d97771d7a46135566f1fde1bb4373642e1e864ce4cc4028ab858a
SHA512 fb2c3bf5ef427ada771a30fd0819fc05da46a3d8ea24b217bb387950ca2b1fbcc8b45611749fc907cd586259bf31ecbd86616e212dc6b23358e0bfe40c149227

memory/2148-458-0x00000000006B0000-0x00000000006F2000-memory.dmp

memory/1944-459-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1944-465-0x0000000000300000-0x0000000000342000-memory.dmp

C:\Windows\SysWOW64\Kaompi32.exe

MD5 ccc60953375da9f230f67739ce947427
SHA1 2532c9542033af829acc265989a486da11f0aada
SHA256 394fa69385a5974a68fce32cc7a2d611aced4b3693f34a0230138d969cd75bd1
SHA512 eb570633ed3b00fcbfd4be9ea4a89993450a127d1e4921d822e1f39da1516281b7ba354f1f26bc378f2f92e6f198f789cced75c4e7842b3eeacc9e0a8468980b

memory/2704-469-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2996-471-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2704-470-0x0000000000280000-0x00000000002C2000-memory.dmp

C:\Windows\SysWOW64\Knfndjdp.exe

MD5 727d9665a68445b7858b66c042c89d0a
SHA1 e6a6af43f03c7944685320fc364b1c25b011ea98
SHA256 eb95d25f2c8a628e00af3c52be04ab8ab2a416f84eebff28a89ed356ef89bfc7
SHA512 f42a39b2fcc121d0f90594402ca8c8bf91e10c1981e6879ea0e3a913744e4d93c613ff35740f9200d211a24d9f19921ddd8a761e188b67d3d765a39b18d6cff3

C:\Windows\SysWOW64\Kaajei32.exe

MD5 ec5d3046867b6b7f2550813935f72854
SHA1 94fbc979fc54405aaead1c1f40886463e9281517
SHA256 25ecaf71d6725e5d9ea91f20172d5f2d793eab2f5c52465a2317ad1d35b8906d
SHA512 c5bd5966be4b1ade24331c56ba23ac867cef80e438c8c5629390772f125b3fd530c5ecbe5d883ad2b041a927701856d6b3faee3d0d3f1135641bdd93fc34cc6a

C:\Windows\SysWOW64\Kpdjaecc.exe

MD5 7318a98cb32e179b7347df086df64b35
SHA1 5acf9a54bf1b063e9e179cbb860b6cc24faaaef9
SHA256 464649083235e6e3df2ba5084354ae11fd32b9ce3996432c74b4898d6462d422
SHA512 7c021815c3e1318c35e1ab94ccd96a7591c17cacfba9cf14404424be3cce95bb2952a06c6995276f91edeca1ecd421592cbc12a88abd8aea325326810cebd160

C:\Windows\SysWOW64\Kkjnnn32.exe

MD5 738c06631ea14be86831115ed8eb4ccf
SHA1 b4fb4f452b39fcbe57efa425dbb7ce016286e715
SHA256 22a67ab96cf105938ab13e4eb49014a4d2ceff79d53d6352b0829550911ff398
SHA512 3a3d9386fd26cae4be24184a7811d584d9b6d1624f46636d9847f475920df34c40c5413baa8f8f4c6674252e2886bf81c2a8ba080f02f6704a5e0caa0677326b

C:\Windows\SysWOW64\Knhjjj32.exe

MD5 f1d294fa53068fac226d2463cd055723
SHA1 cc20e8e300211cebeeef3467509087de1da41067
SHA256 aa22613d4264804d4cdd3af3f82647fb05855f2cdb01acbce7ee5ac26e8bba6d
SHA512 ec6b3e1f48c7d1bf0124d663be67a7c6f89936f6a87b68b629685fce9f124aba0272f46e166b233ce29da28323746036da27bbe2e2289463558ab0f715a2969a

C:\Windows\SysWOW64\Kadfkhkf.exe

MD5 1f00f80d309f287f9c66a0d705778bd9
SHA1 1856749976b0b67f01e5c5ec9d768feafb26eef9
SHA256 bf46f63848e97beef2f1d9db109f36561e5177e5a5a5d11f32ad770218d216a8
SHA512 684f5684694d3662faeacfb6bf03fb7900a5a7b8a026e17d234e20fdbdf662c5d78a532d53037243573d5e0847cd653f641c9ea157ed19f7ef92b221c936b96f

C:\Windows\SysWOW64\Kpgffe32.exe

MD5 b46996dc9c8506c6a031f6374787e8d6
SHA1 67472e0f2e72813e76cf1ee08e54371771fecc7d
SHA256 80d949a6aa6795ad2c4aeb04db9dd8b5124ba6b50a8fec4e0bc1093690be410a
SHA512 ce553a24a5cd7539e532fb9e07b212dd10c7be95027de395bfda09da1575effb23a5ee62209d1876814a5fdcec868f82038422b1b13a519dc0ae7cbca348dea9

C:\Windows\SysWOW64\Kklkcn32.exe

MD5 46254e4fafcb37809cd4a68e6cc58b49
SHA1 ef3da3afd64942e006bf30a26a59f7f49ebd9c00
SHA256 7053de92fedb5f55cc24533980f49d34541381501356fe8e20542747c401956b
SHA512 fc455233fc011fb28ab54d44f882cd003ef132586a61f91f499936ecd5d499633138789f55044a4d0599e70c033a4a60d9752187ae9e760da0a90ba72856053e

C:\Windows\SysWOW64\Klngkfge.exe

MD5 24f8291a1132cb49ec447a20710f66fb
SHA1 6c873cb3550f994560673b7855b78a3ab41fab3f
SHA256 bebaeff7641852cf41b32fa6c571e3510b68b16688f5d3c27b26182804b6f7f5
SHA512 4bdddbfdc9ff164737f1d52013b997cdfe3cc62f66d839491c16a2357ecb97464f0d69c0da32d6a69419138b3a6710d381659684675c7bc80cdec50e0f6ebfa4

C:\Windows\SysWOW64\Kjahej32.exe

MD5 6d9bf8d88fc449f37e6634a8df343db5
SHA1 790e2b780a8c43faa0fffc129b1d7060ff54b9ad
SHA256 6ac9cbedd76f09764a789f70387123e1a28ca2ecfba9c5657b9eb183013c3088
SHA512 caf85dcf78a87f2bab69cd382b1c9bcad273f56120fd051eaf366a3d2e2be64c546bb91ff1432408cde9f0c5094f852d475d68335de2718f58950cd74e9be09a

C:\Windows\SysWOW64\Klpdaf32.exe

MD5 bb66a7d62724191cc9fdbbc93d0e598f
SHA1 e80683227f8c4b51658f4bb30cfef3e3d109eaf8
SHA256 b2fd639eee46c3cfef54e76cd022a525ef6f30d1292ad97cf3c73d34eb541616
SHA512 025c8071c2c01dd7e6e28c30ea06983e39ec482aa939245cb0704d3dca896aa70bfdf5cbba041a9e17f39288413d92861b93b24483af0abff8f787ec9a5cd541

C:\Windows\SysWOW64\Lonpma32.exe

MD5 0ee61503f9fb2637eb0880d3cb9b6590
SHA1 fd3e246b4a227bc7a388a738e0359455d1d9ec3d
SHA256 993a604929e5fd6cb768f750f4ecd4cfd6169a705a4b6c00c5066d70eff9a93d
SHA512 597b7297cebeac71f9dd60447dc6183e9c0352bdd28ae2d5d09ae335a106d826c588a34d717017b27f76f16b7e47494b111f16ee570d4f0b94db372f7b7a01ec

C:\Windows\SysWOW64\Lfhhjklc.exe

MD5 b49b9e7157501a4b83596d23c621e8d0
SHA1 93ea3c7d4bbb6a05c587843eea90cf13590ebb5e
SHA256 3211d08e0c89156c317a4f63c517260ec1d9a6cadf0eafea6ca7dee9b8fff689
SHA512 e7c6db2e15fe2059346fdbfb416e66c2a66209ac8c3308c4889259267abb2d06a48be154e3deb90ecfcb17d68ead57cb09f5bbefbba12b889b1f5971e003bc7a

C:\Windows\SysWOW64\Ljddjj32.exe

MD5 2e4301654c531276acf69874698de71a
SHA1 c4392502cecd793d456a6d7f4842fd910eafd075
SHA256 3f5014e8a333e1231ed3c0a93403928e48e5d4169effcdb53c475e5670336109
SHA512 a8968f7742a377402232827b38eb99dc766848a048aaca2322043cd45c1b6fc82685a923209af86894489ecb862302f5b90c36813ae2fb7611a69f6aa81a0b94

C:\Windows\SysWOW64\Lpnmgdli.exe

MD5 3d9799a5599f7eb0a6afcf566b5c67a3
SHA1 175229a3767d640bcae3e755d5eb6499c8f48073
SHA256 4a4e128f637761f6658a71802b7fb33e075727c9a732b21b19c0240d2f53795b
SHA512 dface1940c544d2a48bc5e367b3352bbd78665c282ffd31c8540c3ceaf273eff0331cd8f94718b5050af86201b31c5ac1a34d928a11bd3d1c65a68345c5147ce

C:\Windows\SysWOW64\Lhiakf32.exe

MD5 75412dfa0b1d2bdb06de92bb7c2c8e95
SHA1 3f7d56df33298d4d176321622a2c6e7045b7e904
SHA256 60c83cb424c0d6164545a2ac26d5dc8cf9fc2941894c21911bb2ae0a512af445
SHA512 978b20ac74b5c2b6945972ce82437ed221cbd3853e648a9653b88e5ab01154f17b406087717adaaf0ffa09b08fe3d034554eb37e26e3fb320f507b33f574c394

C:\Windows\SysWOW64\Locjhqpa.exe

MD5 8cc507f44213fa51b37e1d35e77fb7c1
SHA1 36619cd7288a8ad35ce89e9d48df90acd84bfb1f
SHA256 03d250c378704cad377e215eaac307697c161c1aa3c0999dc0274317dfdc41ce
SHA512 f025cb8ed424205af8bdbf715c62e60136111fe25ba1113c82362c47cc1198b2b81507a899c4397747e700c90280c747f08392c336f29cd6dbb054f87aa8fff3

C:\Windows\SysWOW64\Lbafdlod.exe

MD5 f20c9ced33e8f9c82ffb329be043a09d
SHA1 3e3ac592ed30d476a5aa5ab034baa3aa160eca3f
SHA256 0405944996b10135f0f2e6681dc328a61885b86bb9c0ea8b6e91b02268bfe555
SHA512 16c256036eec3f56ca28f2ccca4f84b80766b0d9aaacc6ae4ea06cdfd1d8b755864922047a7ef69ade07ae66cf56eedc1e1f21c0a81eab82b4fc5ba37e7262d7

C:\Windows\SysWOW64\Lhknaf32.exe

MD5 2e7f7edb3abb77654cc67dd5649d1a70
SHA1 d04a2126fdf5cb490bc9aa248e354a10b0124378
SHA256 44ec4062c030c769fe7db77a18daa6172514a3cbadeb785e035fd75daa399474
SHA512 65f52b3aa7090e32e0fd77ad1bc3198f39ed7529d387ce2720a5aef885a1f818f3dd6e127675ddfc05665c89a862b6db7e7e42d1dc414353719ff50ebcc30ae1

C:\Windows\SysWOW64\Lkjjma32.exe

MD5 ec609b2d09d67363eacb7529e60cfb5c
SHA1 90c389488df21acf7fb451d8d5d0df6479b79727
SHA256 b1238843bf0c80cbf2055f02d134e18543a29c53a175dfd525c1eb24eafdc352
SHA512 409da71cd25d2ba7f8960948f11b3de0422cef7f2cbd065f9dbb127082d990f316d5f39cd242771579204a7b1a6257b6ab3c0b210c64c0e5d1208aacd7dfc060

C:\Windows\SysWOW64\Lnhgim32.exe

MD5 167a23d271c54d75ba2cc4161fc62a15
SHA1 1072c19455c41997693622af16f60f96f93732a1
SHA256 c1bac6248572748e46718731d52a2cb754222f5e0b8e76e1a48650c35aba434d
SHA512 d87e46519f1255634568031c68a93e2db2bff90c54009e2100290fcffd77fe925d29913fda54e2bdeae6b0b6c2aaa356a1a6feaa888ed2ce7cc7a46b771eaa89

C:\Windows\SysWOW64\Lgqkbb32.exe

MD5 5f7c5ccce200c55465857f3ee1fdd2ec
SHA1 6704c7f2f84f7c4a5eadbd49bdc7551f19a35704
SHA256 13aa6bebaa89206607e61ac38ebb5038a3bb58f12ffd58e03a23a8a6dd53d363
SHA512 ac9f19553b12c6b92e1d5a86762f181f1815efdc0beac15f62d260989560fbcc40f80d2f66a2515997887453517b3c04b794bd7a555a737f85e9d56a609e6dfd

C:\Windows\SysWOW64\Lohccp32.exe

MD5 41ec33f220d469e91288ca3eff9d89ba
SHA1 a2ccd460d7cad5e80dde63e8be1e7e25bda4138b
SHA256 3e1d3981d48e9b55d5dec8af650073215a09ed5ddb37863e3328d249160e5d03
SHA512 f1dfbb41ae8d9eea0e5d5a741808125b266a3d9c2b0de38d05af0a0bcb9d27a0aec3826d3abbd06af95a9259173636d7b40f97742f65156b5432401f96bc251c

C:\Windows\SysWOW64\Lhpglecl.exe

MD5 e79ba0e1859562f3906fc1604035d181
SHA1 635e52c98cc83318d8e6fee1595da5caedc0412c
SHA256 3cf0aba74f2f82e8d1c62d542fec3b9182ee9210238f160c7f08cdb087786ce3
SHA512 de5a284edd292755d151f2dd73756a2179926211a17f174d178ac06f52328a4b76fa83fcef25c170377d6a62ba8c5e8abb6d16bbe03cd5372ab9e99db453c0df

C:\Windows\SysWOW64\Lgchgb32.exe

MD5 8448ccc718126ad7ff43c3ad976e6435
SHA1 b92410b32edfc9a0ebcf3686b3a1f34c125a0548
SHA256 3552430cefad62e00d002e7cc2754658d972ff80ead4802b570e7f0cfd38ea8a
SHA512 2506e4da00d115970da59c791661b0940becfb3c507414643f649f6279cf8d4fc18c4edd2ee3e207ce9905abe82b638c5e279d4b28160ca4091c9b4dec7d0c53

C:\Windows\SysWOW64\Mqklqhpg.exe

MD5 ee965985490c7ae15460667847fb5d02
SHA1 d2b0f2e94c6a86bb8364b36504cdcd165d93d39d
SHA256 fbe2a06fbb82a54831d570f73eec8da4f2837e4142b2a33b39dfa79c5fff973f
SHA512 3842324f94a5d6e9ea2b7c2837a0e0f186d12028e056f7013ff7854b5124f08090461ab1f9881baee204befaa1f08aa0cc4e25170c79a57c00a8dbbc6da3753e

C:\Windows\SysWOW64\Mcjhmcok.exe

MD5 0698cc03af1b11a9da02f64b820693f1
SHA1 0a5093cd09bfb06d2712dbb9758a45c38756c59d
SHA256 c32a6e61aa297f154379c9a1154ff714e74ea4968583b9659c309b6b6bbd185e
SHA512 7e905ed54c74149376dba77af367289ac584cf38df5392106d9437373176c0a5bc4b9ed2517c348e2db867f7472a1b10e1009403003c00304deb9a69f17517e1

C:\Windows\SysWOW64\Mjcaimgg.exe

MD5 15e17731ad2ab025314403e9d611ad5b
SHA1 4357918bd1489d16797ae389aebad51ecb63d5d6
SHA256 cc20e3e4c8dd7899fb56251600893eb7ede04c2c97c70ac1277af58d5ea3b5eb
SHA512 afd9c271b0bee91113a80c74fb59f505bcab104f24dc043c7cd944cb634855b28eebdc1efb630be6367340604b717f712b54e4ba55bbeb765ae9b7ea3a5c899b

C:\Windows\SysWOW64\Mqnifg32.exe

MD5 7b8540e4d31ed550171e87a13fc76085
SHA1 0a4b17e8fe312a4200ac724ed3fd21545d4e8135
SHA256 5a72f0008d57cb18f93ff2d8cb35bbea451114894e125d468bc48e28f728552c
SHA512 b188f3fbce1a177c7934d9de664c14fe8266e610ca9c32dd7d46f1f3207c74a969c18c2e0909237f5bdc2e2f9014571bc806d53ce17615a0e9e83d0bb8665705

C:\Windows\SysWOW64\Mggabaea.exe

MD5 e84658fff0ebfeaf327f709341980e63
SHA1 6888c56533966d03c696fc6edeeba3fa2c59a784
SHA256 15214098050964643b9905067a36b442e1b158d2a855821368e813b43156a3be
SHA512 a580550560a9723c3fbab6a31e95de33fd1433de1c686dea96e5950c20d196e9589dc7860b721babbc3d64ad52457f6a8ee3a8389de83203378120cd3dffa6c7

C:\Windows\SysWOW64\Mnaiol32.exe

MD5 611827420a5e607269ff1b94948bf24f
SHA1 5734e018dd0ff4c73e34a36c70c2570528315768
SHA256 2a08e4949433fe865be0d4a6a2f5804c2bf995751c5a9ce0ef370924429c5549
SHA512 ac26ff60dd6de6934056fd4b9e3cd306c77716b35710048cd0e3021c902e1c942f4dd4281a6190a1d3ca4ffa9cadb2618e126ed6bdfd753b069280a49a7e255e

C:\Windows\SysWOW64\Mgjnhaco.exe

MD5 7873ef28c10f2ea2c5f55abbb406c56e
SHA1 19a8685728f89172a9175c9df4379a24e389b747
SHA256 24f0c80b8c7d32b411cb095327df051bc320b44f6adda6b2f53abe5fc8baefb6
SHA512 bdbaa186da86442a450333b9d37648638c579655d654c65ab7f4412e0a8896c958c9490df557cd2a9369c2948c3920bc2e4d4e388629326fe3a2306ebb4d844a

C:\Windows\SysWOW64\Mmgfqh32.exe

MD5 1a32af0b65d1555d40c2fb4a276c7298
SHA1 c96e91a35d564f88db627e78b255f2b5d2f442d4
SHA256 b6262c5968e03bfdd81eff896b61736dbdff59678ff14d4ebb2c7b82ab6e7a9a
SHA512 981bbcc99ece1458cb96378b869faa8ec06a1ffc4702a09c9198c00456d624e387aef61358e3e9bef6e3c8b894dc5a5ce59374af6d9a031d551fc79a140786d2

C:\Windows\SysWOW64\Mpebmc32.exe

MD5 414f1a358536e99c609079ddc2c59ca6
SHA1 846f5448d20dc599deaa7a619af4c8e7fb0ef875
SHA256 704599c859a7a887f2ae4a528e293a59dd53ad26cebeb662942b5aacc94d2588
SHA512 4310739b9ff3d7b629ef6b9723542b1ba1dcf3e02f82d66babb3b0b8c7f995e296fb1f01107234dfc0e28634128022554329ee51071b963f2cb44b9822024866

C:\Windows\SysWOW64\Mjkgjl32.exe

MD5 0e950faa883447100f3cb206a9b87d21
SHA1 fcfac533fa0fc84304417ed237c3fb7578e65b23
SHA256 5385c4a82ae8e28278a3ddf1c9f8eca4675cacb62794a6b4a6947008a4e1d005
SHA512 b0e8083160c5baa26cecaf3b3fa0a3567615da65c238f7ab6c1931f687267f1aeb99e96b51d60c97b9feb7b326b98f4406e2eab0b5cb489ab9a852083e1e080e

C:\Windows\SysWOW64\Mmicfh32.exe

MD5 05e7286b3080fae14979d15eb06cb356
SHA1 927e8273dd9d8ecde90792112398a5e5d6e8b4a2
SHA256 99fdc736a133f63d641106d321b348b189b4604779233c064f826597c509ef9b
SHA512 615d4a974229049e9d1d9ef204f1743096d701b61b4c880a9c4a8ef18d6ade964488713360d5758df7f7a1d083ed6742fed52f0e03663ccbbfe7bef1aabc0548

C:\Windows\SysWOW64\Mcckcbgp.exe

MD5 98166476569bf496097ab39fe238aa84
SHA1 ffad840ff401eeff39a77771e0b7856d6afdeaa2
SHA256 9cc15060391500cfb9e1ec978c74c5ab00508cee579dd686a16257862a45c4bc
SHA512 4d1a54cf23a7aaae685cc38da1637348281a288a82df22b4c64f248a6fa1f015b0b5e1f2b4dc71e4a2a6f6e6ab614e94ea46d5cb390a863dca8aff1d814c5379

C:\Windows\SysWOW64\Nipdkieg.exe

MD5 65f0da0ac64de9f44f7a216852d1d0ee
SHA1 36bc7173b555ba9b25971d2b7587a0f980d8977e
SHA256 325c7c1c20f0895a99eef30040810704250460126878ed602ed67b017332372d
SHA512 c38b14dfb4b40673ab169876982970a89c91c02c30e03c619602211aa62651a5e165c65304f8c30b41a01ccd6562d5e3a5a9ae9e4d505d57d923330e69912ac6

C:\Windows\SysWOW64\Nlnpgd32.exe

MD5 db2159bf9bc67cd1342ff63b2f3f0ded
SHA1 941c105a444ebdd13110d1403191215506c606b6
SHA256 03a2725e213a5ae9d3f3155c5dea69fe51c4f2c66fd707ea7fa0dc709b45c8b1
SHA512 a7fab1214095038f23b86807e43d9c37225b484899756c9f675be0eb6b90e1e9389ca6f98a448808f326d7bb34cc345a7c1681f214226001ad1247b71168dbe8

C:\Windows\SysWOW64\Nefdpjkl.exe

MD5 1b4f4cee732d7f078fbc4f6804f68cbb
SHA1 61fbae9b804e3dccaed8a6e211ec8e68de8a5be3
SHA256 9aadbad97abcdba0b1269477aae99d45a0195a6f8dda8ae661fd1435c39885ef
SHA512 2957ab878fb4c2df796acac621f774954c394db485209df89ec32b1a3373cc7e80fc9260a9104ab1e2809b77b6be3102bed3baee673b721dea370e7eb7632405

C:\Windows\SysWOW64\Ngealejo.exe

MD5 33c0686ccaaac7500b1062dee940276c
SHA1 993322df0249a252f21514117fa7758a54f91ced
SHA256 ebd7036d2cb4f2ac1b6292bb638b04dd7b7d6123de76b2c5007110308612b061
SHA512 43cafaec93935c21bcc0ebee4e3631432de4fe620ec8a0cd2ba9938cf6be52ce16051fc79a035f1674623c51f089a282a9ec8ca0efa4411f09f3c9173842268f

C:\Windows\SysWOW64\Nnoiio32.exe

MD5 93726c4488cf74137b5864c6afedd7ce
SHA1 492a77be023b6bf1e9a33517504f95fee8978e9c
SHA256 3bb352b185f44a17cc5a8bf02f8e07b80fed9b0e7258f6a7d185d8f176bb0631
SHA512 89cce222adf1831b4cfd5eccd4502b351d72ed73702130e0898cc1bc5a32118e6cfc2e482819e80cefdd69c9207f593c5b6cb50318aee6ee8c5014688b45f888

C:\Windows\SysWOW64\Nameek32.exe

MD5 edc9479fe097729e1078ed17dac344b6
SHA1 b0988c1b1aadd61b2e67b1a06de3b863bebfcea6
SHA256 247422b4ba0cb5277cf44ac98b5dfa0911dd305abd7310b0bdf0bc3744c8c916
SHA512 17e96dd8fee9c03d878bfa0761e39789f2fe26aee591b6cd90006a24220c1a23f58c0ba4f1461ed660a33514b46be83836f6e66a35bfdf3868dfa10c74cc62a2

C:\Windows\SysWOW64\Nidmfh32.exe

MD5 46ac4ad0dd5810ddf9fd34c7a9f23f8b
SHA1 9ac7f1b46e53d518300e27a92fc3738630b93c45
SHA256 53de6dc420849c66c73c4ae29489673815a5959474135d04631f8a172d7c791c
SHA512 6e14ae92d574daaafb06ae715f189246c8536efc49c9d3fa2d294ff3ce29324f3880b3f6409da3087a985128d4f35566aec30df55d2ee0877f3990e235e24e39

C:\Windows\SysWOW64\Nlcibc32.exe

MD5 e9d1b1e71e7491a19076dafe15ed1c68
SHA1 f16643497a1b53cf5214dad481bab6dd9236bd5f
SHA256 3df5b45c0e47f33036c58c0f5ddcc9212d9619c86ca403ebbbcf1009f5886646
SHA512 6df57051a528acef0eb0a7e953b11a1b07530c69cbec23876d2eadcd997b603271b9beb2cd7d2dba6e55cce11089786f9d0396308b127f5edcad6ea8b93a719b

C:\Windows\SysWOW64\Nbmaon32.exe

MD5 7c01d01e86b7c322907a86e53a38b158
SHA1 91738d762e7f29198bc6fb745a5180e0f3d2efcc
SHA256 9daa14594e02d249aca8116813158715aff5b220100e35f2b1d3875b84e059a4
SHA512 9ed3571844dd85f2f80413cf8eee620883d7e1710f43a10c38b3e44a46a34b754f4b977931e866e61709ebc55c09e41892bc72871e368be77e6b12b83e848247

C:\Windows\SysWOW64\Neknki32.exe

MD5 8383c261b813cffbdd84d526f9ef9257
SHA1 b8d6c4db08fc98a9567bd23d45db559848840ad4
SHA256 34dac70a5336335f30ff0c0a5f38d4237e74f55dbcd1678e573a9f4cc8be8ecb
SHA512 4d784fcb4e303233ecf84bbae782cfa7ec9d25c72d06dd76f338c6eb7ff70d48a9827a899c232ccafd504a77a9ce2d61a921165fdfcfbbe23d34c01fed8313ee

C:\Windows\SysWOW64\Nlefhcnc.exe

MD5 00a485812c0d94362b9b4ebf410208e5
SHA1 6548dc5f99ebac5322db73ad6214c396bd7a7b6b
SHA256 cf5626981c5ccefb03cf3ab1ce28b02eee7a868c749972b8f54737c5b2eb08ec
SHA512 b7899b42b9e99da7f69a94b940d91e0b394264e9c83c6dd084da21b386f7ddc288708cf639ef62115c7d4727544b06e67d16b8bfb4768852c518f10b4e325e36

C:\Windows\SysWOW64\Njhfcp32.exe

MD5 24e5d57f82107b34840c05032a18d3bc
SHA1 5c74d94c47a2fb66ba826dcbdd0ed04feee0c21e
SHA256 f5ab95c8b5e61deeb6b231acce5073317e0135fdd02fe960481fbcb795286622
SHA512 619509ea5b91a38e11cd7be0da00cccd9866ca9a1f0c1fbb18f3d17d7d8a205da5e6752b92701a6d1acaa8034731199784b78844bd9135c31464d26e12e2d2d0

C:\Windows\SysWOW64\Nabopjmj.exe

MD5 a392e151c9de58b247f758aac119cdcf
SHA1 63e271f26a34b8713e8d6dc5099ca59b2ff9f1eb
SHA256 7a47c7e14b822623eb99b067ab7d493028ca8a77490d2ae29db7bc541e5d8c1f
SHA512 0cf5faeffb47b0a48ba8582b4f2fad66e81b995ada7b1a04d87d4da3398851b591db8830a3c7ef1091e1d12e7fd5ffb174a6da784cfd4b58f454a8b938bcf9e2

C:\Windows\SysWOW64\Ndqkleln.exe

MD5 6ab2e2e903aa0100716024ef96374409
SHA1 a0b6f763f2cd4ce7dc61c965992a341c4ba9efa2
SHA256 e106b41bc582e77a357adb2c5f831639a41929b5de259535ab515e90daac8cc2
SHA512 8a894d6ba1f3964e46bc1c525c4c14fdf4a7f8721f6a0a8e7e84b2cb554293281d53ed550cd0a7d7dd0f20cdc101bea498bceea0c8b1a1c624ca34f544576d72

C:\Windows\SysWOW64\Nfoghakb.exe

MD5 5f258d6afdeb27570008de8d08e071df
SHA1 0de0a87886da35a9be4053cf68565dba6cbfb2f0
SHA256 613fd8bf89d62238c314bc73ac4e38b8692202e8e5f6f21bba9effec8ab5dcea
SHA512 e49da172ada4c6b58d5f13a5e9501f1980c39c00142da542da242b8587bb456b69f3be64638665dbc716ce505bf6354d844ea2838cba9f7342c97fa97cb7d85f

C:\Windows\SysWOW64\Odchbe32.exe

MD5 5e82ac0c2a5a7a864af6b4650d560a0f
SHA1 b67cfd3c23df562561b50fca1631a6c65c99c9e0
SHA256 65ab832a3d19844ca76281efb38a928177906e95b906661086098b97abbaeab4
SHA512 bbd5b7c6ba61477cb4d5150dbecdc31e0aef0b31322e5802fa32974eace9f889dad66f85fc7422afdae6922d0db075476fe95dced6092bcdf932dec2b2f05fa9

C:\Windows\SysWOW64\Omklkkpl.exe

MD5 af474918e09234fc5251d1aec9945e54
SHA1 3e92ccb61a6dc99dfc034263b9b0c501339ff174
SHA256 338b35086bfa2213537b7679206da3ff5d0252d9bcc033952126c08353a5e666
SHA512 1dc1d42ac2b0368129b67f560f24ebda8e888b25f3c8b99cfb7af6419339ea6e1d8153f4153288fe1c434a39818273753a5302ec899fb94ebb1acb654ea5d766

C:\Windows\SysWOW64\Ofcqcp32.exe

MD5 be21f3c27b37289e6b12de4ba2e9a08e
SHA1 343457c4b84bd166d8428213d496379f9e6c1881
SHA256 35d1c12a05b97761186abc2e727c2e926899ac45bc5eeda961cd07d6db442e8d
SHA512 4dd83bf7fb6fccbfd53820303397029dfa9b68b65557fb43bef8e716c554b98063e0ead8ea21d2913c6d66ff8cb9e1064f62859f238c2f6dfbaa55a579730196

C:\Windows\SysWOW64\Ojomdoof.exe

MD5 ca8199cf274e2aa9ce8cd37d59c9d445
SHA1 9fb6ba80409b89e5e0bc0bb102cc24292ab71616
SHA256 6df46adf2941ab528db4ca4b1cec37f94936d361a41dc476af38aa64e80bc9e8
SHA512 e95e463b1169f6b2444331804bcc0ab7788c189f8901bd2774cbd13cfbac149d143f7ad522b48a8788f6a77b975ddc3ea0c888f84f500e966017127f221048d5

C:\Windows\SysWOW64\Olpilg32.exe

MD5 737401123525e10a8a6c888aec7eceb4
SHA1 9f77864d0b0fe7eb7641d1131f9f97327f15198f
SHA256 bd75df034445bb61ff8cec09283f55b0db74d2242b25db17759f065390277e6d
SHA512 af415848c75dcde46c8106e49ceb1cce16573e4835a7daa506783a9e8410d217ebfa7226d81881d0f49bb3d2936907c2d4d67b98fa0afbc914bb62410df7a0c1

C:\Windows\SysWOW64\Odgamdef.exe

MD5 8f005c9c918c7891bc3fb14e772dfa55
SHA1 5d03803fdff89f4056b922a1d5c6f35be3d8922a
SHA256 bea8ec8914b00cdd5a995ed57a7ce76125e31ca30bd3bcfd610906e5a03a4495
SHA512 76e014e9d6ff1016f53e85396274e5f8c286530d4df90d316f5077198bfd7ade68bf95901d724973caf6bcffbdaca7cc269ab2251894e1151ec78a82a9e326de

C:\Windows\SysWOW64\Oeindm32.exe

MD5 d47591d872b8674d24e5acac9d298c10
SHA1 d4342ae47a413de6a7ef943cebbb7c32c4758b4b
SHA256 86ad9d0b4c2cc28895d6e9d01e4c98a6894c9449c1fbb792117333a663b24458
SHA512 7e9e2416a0211f2214956c8dfe3f7354d2e89cff41dd69b0a68f01a9271265e14196ae889104d92b8e8957ef0c2a27e247c4383182d5208b7ce45e39c22efa34

C:\Windows\SysWOW64\Oidiekdn.exe

MD5 f6f819838da44139658320790f7ffd75
SHA1 f8813e978bc5f637ef0db45361f8fef4c6d34ab7
SHA256 6a3945223cfb8227f44431ba34ab1f866468244bc4566f0d72b08506cf982e6a
SHA512 6349c101fa1c8295d5f28cffa4665265059439905dddd412c3f64d53899db58a3d1504f280fed35e9851c37c98c750dda97df8828111efce7482c9299f90bb44

C:\Windows\SysWOW64\Obmnna32.exe

MD5 6bd9339485533380586d952fcccbecac
SHA1 8d1481608aa9c7cbfe9018f7069a44a377301ff9
SHA256 dc1a57be279c6763583653c3f7d2cb39627fa604483f4b971d4cc4916ff35f65
SHA512 bab0ae956fe69aec36466826f5f6b7e272f58d6bd9c2ef4c3ffde3979fce25936a4d4b8507ecfd5d18139b881bb2c3f5d9557643627bef7b4adc35602f126008

C:\Windows\SysWOW64\Oekjjl32.exe

MD5 392f5725df1dc9dbbb649ee3f8aeb8ce
SHA1 e4a32c14356f8cd17908535f2a88075b99b2efd4
SHA256 f6914d5bcfa5618736cfd88c2d87a5a22782dbc23b025a7acba4c37be1ac8f6d
SHA512 51c8b036a1917f4f2c596e94fe242bf3e6249304091e44d79004bcf7e0567c86c0fd14910235594b28f17e64437ceb42f82277a0233593557bf37e9e31f8483d

C:\Windows\SysWOW64\Oococb32.exe

MD5 3d6553f993da5709ed3c1d4172e501bc
SHA1 fcc2b579d89d9ea737e6f64a7f2cc5cb7ea7e750
SHA256 af4c0c31c27daed9571f79b95b4d72d1d7a4d0848efb7d0d2f66d1cfc039e170
SHA512 299fe8df345abb9de1552344b5828776af6ad4f50f340bc442f7baa96f8a5eec5e825791255b0e8f68bdd58344d2524423722c1c30144f638b84316118c162ff

C:\Windows\SysWOW64\Oemgplgo.exe

MD5 a0e01ebe0805395505565f2d2a8a972b
SHA1 a5fbc78a54ee4ed7163a031d563d2826a79d41b0
SHA256 be1a70b2bae1dbbeced9f340c713db51f874e627a475a98cf4ec1a6b7adb0020
SHA512 0b873488d85b3e664b745222668e73a7cb5c1bd32aefa03e605d8b53521fc5f9387e7027e2f66679ddd0cf91771baf605f729f4bde76b1170e8fa0e19e4d7ec8

C:\Windows\SysWOW64\Pepcelel.exe

MD5 1576e26830325b4a624a9121f1829930
SHA1 746dfa0f28594420ab527af48985570fcefef61b
SHA256 2741eb21849e790be5e026e2bb50f997a3a75156055461ac0f69a682f3c46491
SHA512 63f2b345d3c152a58653399e2437a17ecf31d2b838a8aa8017e98f1dc475030c6b822ea39098cc0f5b47544d504035c4a9c5d28bfdc39eadd79b1054e5b3da33

C:\Windows\SysWOW64\Phnpagdp.exe

MD5 ba421dbbd0e16f3f9fd091415e12e0f1
SHA1 ff6adc2436aadc6942f9f7902459621161c852ec
SHA256 1ec051e6b6c31be8f10392b7f6118f058ec1a511ebfadf91f9768a1088a557b7
SHA512 cdb67963d817b5c4d4da1ec5ef7cc22477b3865886c31b37616787b13cf3a4b4b91497c3a18819c2e4d1c610d1b3b815de21282ccf3ccb199df754a7e06b4972

C:\Windows\SysWOW64\Pmkhjncg.exe

MD5 6a998a153b0ff0bcea6aa3c709183749
SHA1 1c09cde5d722a1f0a9d9b9f065a6a4e34b38a492
SHA256 3197554d79e1601a1ad9696c78d670d04f2da3eb1060273bd6706d9d27c77746
SHA512 0c3b222b262e1341de5699a13cd68580f993c064d79097b744f0a5718a3bae110605161231d28fe3c53d0478f25fd8fef8d5b2d33c2aed07454d580a22cfd540

C:\Windows\SysWOW64\Pebpkk32.exe

MD5 6c0c56c2e29b25bb18351d207a70529f
SHA1 152ee637c39bc3a821b415780db49c0ea679b39b
SHA256 a307053b3684bb13bef57ad51aeac2b96987b5b04164ae5f982b953a15c70133
SHA512 bfecfe1dedecd04b94c19c3a8b58bf3280d9ffbb1bab8d2c7ae213cf4d0cf44f38047700c14e9792a6cdc6454fd300a4183338c48596fa65930351ac2bbdbf6a

C:\Windows\SysWOW64\Pkoicb32.exe

MD5 a86e5ff152c8cc972fb0edbf02ee49ca
SHA1 7e6574e229e2a2f498f228813fa0d99e4548e2bc
SHA256 bee576d273561a6f52a59d738119a573b6472baf47fdac9ab3e85d90cbd1b424
SHA512 434ede4d98278686bc5e008a5023904fa31046dda5bb46a3b5d0c442942eed14661bcb488c3f98c9834e141d19bbbc0542bac3cae468c02a85501d9eea357ad4

C:\Windows\SysWOW64\Paiaplin.exe

MD5 aeba8798c07fa311bf05de9e87db9d46
SHA1 c9fc5f9d0a2b25a78e8241fce2d4af90f9068388
SHA256 bd61011277a05f0052e31179c1f86aad3316d61399a6f8e7bcd0c794cd8042fb
SHA512 ff4e1329776736dc93fc3fe4187e14f6843d4610244259dfd625f7db253d285008cdfde5599719837c3cf20c125f8dcf7fb54c406ca9340cdcc2ce9b09d67adb

C:\Windows\SysWOW64\Pgfjhcge.exe

MD5 33c5a13148dea11967a9d7fbdaee262f
SHA1 5672834851636d7aa5c743448a0ef467ede1a8e5
SHA256 eeb4faca96b4839fd0e4d17aa989a2bd96b698d7e77ee60b54c5377b2320ceff
SHA512 f3b6daf46d353497811fca78025725a8110df9c3572c21fcf0e10f413896c6543036b927872017b72fb019d15a741e0427c1b7a3d3e5e151e249f7e1876eef7e

C:\Windows\SysWOW64\Pidfdofi.exe

MD5 c3481a0bc61c5d0139da23288b0c66bb
SHA1 a267c195c8cc4305b186954c799b7b88b667b9ef
SHA256 06cf2a891200bab56845dfb9aa0a478f7057ef3a09da4ac46c595fe92fec1a2b
SHA512 f2cc406b847b2a573fde69148d13afc19221cc0516767332733b1a8a7845c8d765e61f98368107c90b098a05a2276a0f2222610a2714afd46d2fa25a35211981

C:\Windows\SysWOW64\Pcljmdmj.exe

MD5 3315f04e1a84c6d23e163235addf0589
SHA1 e7eaab6d4c18dd2470e52b2d26193d7cfec04095
SHA256 ce4047be2a06b95886164cb5f3efcdd3f98f68e8b482d002be6a46ddfd761495
SHA512 857f5977bd290f10b43d02b28ebccc8c2f1ca7227bfce4ba7ff3c86e8d3a1261f5fc6bcef06d1bc6eb5e537c669ab27d9e141aa637970613bdb7a34f1bb4bd21

C:\Windows\SysWOW64\Pkcbnanl.exe

MD5 5ae3d2719aeaf673165d9c150bd4a94d
SHA1 369cf3a611529b235d13b72a7f2f872b07212b6d
SHA256 c48f334720eddd87934f1c444c6b03faec9f8c229145725611d5d6a63f461af7
SHA512 b6590266046c99d35488f3ec3c9e60c83c9a75bbc30de0620e424fd04577202c5109c2837ad7dec29bfdf5f83969e89be8eb69fa141083bf9f49cd4063838bbe

C:\Windows\SysWOW64\Qppkfhlc.exe

MD5 959f467abedbd3e6fc36bff60a07e8ef
SHA1 2e930473c9b770003a6b6dd0969d45284f0ddc33
SHA256 60339a602849e24ececb5ccebed4d4814071b153f1fa3ccd473ebcf70b7dee1d
SHA512 f0ff3db8ef11f693ad03a1ee7ad0e6a45dcd8d175f351585934fe2997920551e80db356360803255a9b49afe977a4e72d2a6bcb0a40e80a25c1871fa28b8fdec

C:\Windows\SysWOW64\Qdlggg32.exe

MD5 0ef677dc2b04654e93b5ea811900980b
SHA1 6b3cc42da8bb8df0ba9da330ab271fad508852e2
SHA256 2ae093aa89d09993783335888927b12fa077ed912fb8452cf501b382855bec7a
SHA512 2a14beca3a63b72ba83c9364adc03948d3a421c7729e36b48c01d39ef303aeedc9610ceea3ed22a847766f61e6bcac6f3811cd862d6c856de0be633ceb6ad91d

C:\Windows\SysWOW64\Qndkpmkm.exe

MD5 f06cca700fccc8f5d8940f06841750aa
SHA1 a3fb9f1a8a6802479c136ddb9b19b09aa8b06293
SHA256 6445d7447bc556a1c6f38799ffe1f54c4142fd0961743a05ed4a2050d6ac2d59
SHA512 91522788df4e5ef1ce6fddf9910b7a1c491ef707da9b7cd60893b2846e9c7067b3df1a2f8b643d7340f08ff648eb173a437259703337e9a3a9c5467298aaa8f3

C:\Windows\SysWOW64\Qeppdo32.exe

MD5 566e9761fac9a25e4ca855d1da8a9f8e
SHA1 2a80c1e64050f724ae4dfafb966c70a9beaa8e8f
SHA256 48a7f09cfb33be9833ba65b8603b3ecd20d1cf151f6d3c68b23bfba235cdca1c
SHA512 f547cfaa58b1c2a0835b4ce4dc70415666c6c5fd0fdcc67e6651e5b5d610bce6c5e2ee6e561cc25c44f7f19935b3a52dd88e1e7ba2f99a81a992327440272e4d

C:\Windows\SysWOW64\Alihaioe.exe

MD5 309663a95f763516662b7182e577c203
SHA1 6250e8e7d4b26576244322e1f876b9a27b622174
SHA256 1aa5e944541f8238f51388090db779c4c40a8b42e50df359b8352f97e05b20a0
SHA512 8b7856102c4c206b937cd4f9118b325208976802d5a6fa6d7b444b20d6059d8b3b2ab85b1d04b754541534b3ca1a355ac9edb4603cbc708f7a63cf5caa385f8a

C:\Windows\SysWOW64\Aohdmdoh.exe

MD5 68ec85ddd17806cbb0f7372623354b86
SHA1 4e7f3121a6c6a3fcac0be347ab8466508e6b72e7
SHA256 eb13a6400daf37733bfd69392c538d292bac2ee011d555292112452bea962e70
SHA512 e276a31b9d85eb45c39501be1f583bd0c90f671b045cbc7e528990940581c8cf5c8fb627c8c52f8a0e7b74d127d460d9114a880aa1b75b02a3708380b4123fa8

C:\Windows\SysWOW64\Agolnbok.exe

MD5 e29822f92672a1edeb77eb7e47511da7
SHA1 3900d3d16ff0c299d5478f71e30bf5ea11d1b2ff
SHA256 16daec90b89bff7c4ef9941a654e10809b08a71a194e077225dc1b62ca14b523
SHA512 7a87b1200b07d0c18fca9b7a556a337c7cd33f2805bbcb5317b08ec7a7ac813bfe9eb803064751c8f6d5c5a962481a63794807917c4d29e459381095b384a6c9

C:\Windows\SysWOW64\Ahpifj32.exe

MD5 348d98b792ddf63fadc0683d4d383835
SHA1 74ab0cb02e99c8bc9c2525e9c61607c2c48dfd9e
SHA256 85edeefe17be9b7017ae851a462f1d3d963e755442c98060b88d5cebc37753a3
SHA512 e8ef8da4bfa0368e2190b16f7c0a8d5a176414b5174fcea7beaf750f6bd01df13f00a3176de2aeef7a3cb96a44c4a2a0996ca1f2cec1d4157f1f4f105eba07c4

C:\Windows\SysWOW64\Ajpepm32.exe

MD5 675266cb38bbdf76270588a00badb79d
SHA1 b48705c2e38972b92e18bcb2bcf62c69974e5d9c
SHA256 c7bfd3e9c1b1752ecc00b2ad1cfceef7e015eb67983aab0e59549d06c6994564
SHA512 730b54ba905b3e35832c2f781934be00cac95cf7db879cead1a157940e1ef7f0eff56d2951dbebe17e4f5b13f41653ee488c4e7595dbf7f79f864cb710521d03

C:\Windows\SysWOW64\Ahbekjcf.exe

MD5 b102e5960cc867c0c142555e9dde6d3b
SHA1 26be7c4b0b8e45235218fa5fadb2298abd05cec1
SHA256 68857537bca7a94f4c1b95157a3efffd066029aeb1e0cd84d9a78f2fa7067f8a
SHA512 a09a6e95efe072d68e223e9fdff5170506d0b5dc112d46056767646a4c0b270a6008c3fdbebf70aeaac0cd020629ea9d2f272e835c7366db394b490b880952b8

C:\Windows\SysWOW64\Akabgebj.exe

MD5 acba474988078bcb1dea8587dd9b8ad7
SHA1 684a5b214162a8546df705afe66edf3fbad161fc
SHA256 8fd0ec26e705755fb2271f0272da60d2a4975b75d885c94e4cb1e80ba264d7a7
SHA512 02013ca6ff03190e611f7e3d78d684736fe33f25f43b1636a27e85f5944696fa50a3d7d426d96ebbc395427b5a58d5615ed079f3271be3ec34e8ecd6043e81c3

C:\Windows\SysWOW64\Aomnhd32.exe

MD5 ff8c7b55cf6aa88f92cf91aec87631d6
SHA1 6460d2b3a35f68b8843c89767769f475c5d2fa8c
SHA256 6cd15844c98db5e3634f201a380a1aab684ad6174a25735e954be9973a7dc4db
SHA512 15afe248eb3d32584077048b29937a15636598dc1bacacebf657161041e323052a370a5e2a41261c5bbb6a06d223abab474be54076573c3a496a67938ea44043

C:\Windows\SysWOW64\Adifpk32.exe

MD5 fcfd0efa17de4b69487aa0ac917b1c87
SHA1 ba7a0b1979cfd77afbd7642c85079c433a551795
SHA256 1d4e8202fde44b24f286ddf8506d35eac4cb67b592642eeab5e243f8a63b18e1
SHA512 0e522e163352200ed8f162786f42580a83c60b037cecce8fd507dcf58fe4a9b75a1048fa3a4b8abb861893161b0a0646f871620bf94e1c075bf021e65cc23d98

C:\Windows\SysWOW64\Alqnah32.exe

MD5 2f3c6dca7845a88364b0b2cf2188d5fe
SHA1 25dff71927e1d4f11333f3f7fb717d6638dd1c68
SHA256 a7bc4077705bcb67caf5a3ea0c826b85fa92cf2fbbdca1d67e8ccad0448abdaf
SHA512 672ab7966c48bad0838fdd5453245a1ba998643d7cc6df5aba0c307997b96fe6917ca17c06447f5d8b570d66650324c5625fe2ede95f3e8b206bb2fe2da7d131

C:\Windows\SysWOW64\Abmgjo32.exe

MD5 6f84a9c22985e9cda741e66783e58f38
SHA1 9a805fc1dc43fdfcad5f57adb9dd1a531863f7ae
SHA256 36c146c492c246d8fc32b8b1e546ad319ca5f5a3d8263e0b285d460bdbc0f3cf
SHA512 43ad660d9268255fc1432061170d5da4034404d0b3b2cc093b0dae2b57932b5b302bda567ce5417a3d99b20d5a999c9b6798d528e0469963f4439ff026a099d1

C:\Windows\SysWOW64\Ahgofi32.exe

MD5 07ba568b7321a00e01809f3be51e861d
SHA1 c53ef5433b96cbec01b081ef84b945c008143f02
SHA256 d5234006e18cbb14932cedddfde6334279efe67ef2674eb5c97906bdb99d5fe8
SHA512 d2d5824c336e7b18b7939f35606310927d8bc3d1aa883e4e6dfdaaca17969fdf482c4174ea801521aad3c96c51a15c7deee889debd6b261a2a82c43aa05e9034

C:\Windows\SysWOW64\Abpcooea.exe

MD5 cf9dfae4d118888c5d32c9e1363da283
SHA1 8fa9636168e9558e8a3a724654d83e00cd4ee4cd
SHA256 d713066cd89db7c3521b1f5a57b95a3d0254a514b2ca6c51b10154fa00104f68
SHA512 154821e92a8d699233713bc1fcd16f6bbcbd3f3176d4d9cf7b4c551f71c807607bdc940efb7fa0583ab722ff08a00b568a5327454763d205e53b3dbe90953ad2

C:\Windows\SysWOW64\Aqbdkk32.exe

MD5 9a92c079253bb9add6db602e5c26ea04
SHA1 b05cae779c19cd48559cd72653308261bec57c1d
SHA256 72aceb09057c7ce7877489699d5ed541a03635584f3f0e225933e396c283802e
SHA512 6ed86860b1e7179f28b89909729cca872ca56b46700d9a950913cf0fd6ef34dc01b4a8e0cadc71f9cd245bc087f6dcedf7bf87da21cf2d832fb7ea2fa66de1f5

C:\Windows\SysWOW64\Bkhhhd32.exe

MD5 923e16084fd4659a725db03e64d50b56
SHA1 52e61bd59dc4e7535eecc244d41f98e3f61f91b7
SHA256 dbd7f9a81a61b4155271cf7747df15f9f7e3e81f05601b10e022a099135879b4
SHA512 638a42084b74a3ffece6e6818cecb40aea438819a36997bd470983047c4c690f26e71bbb0b6af0078a5315b70425f4b1113279217648df1aa9e99bc4ab2ffb8e

C:\Windows\SysWOW64\Bnfddp32.exe

MD5 45ca94bb4d8532ee91090138ae3754d3
SHA1 2801e4fb3713e67b3a2118bf8131c2794acfc474
SHA256 360bb6fd4b5800d47bc50f9680a46c154751b5edaf3ae56b4e366200dac39116
SHA512 af4e38b929262b0b03c94a86dd0a36a98ae306b7cf95950bf9ca9a5f44e1e960a79a606d65c761d226d8646a59bbebd1ab55fb6cc3dcce2cc1b369677a6c5ef5

C:\Windows\SysWOW64\Bdqlajbb.exe

MD5 251861be64f0132a7e08fa02e173a183
SHA1 12c977ef0adfb0d113c46f5c556d5b3b83ea2e1b
SHA256 f34808e9bc7e9f18d6bcb68ac19a6ff9b55caddb0a023caba4a5129dac8b0bd9
SHA512 b1ec1b6e0077d47c2bc742452f71806b5342304b104adc578c84d15bd891f26d65c935d7ae9ec257fb6d5b0797de115b1c6bc262cb75c095a2723461a93b5b30

C:\Windows\SysWOW64\Bmlael32.exe

MD5 a683ab0e5aab504ca4f998623109bd4c
SHA1 faa596acb4c46e3d9e057d293a48b4a45172431f
SHA256 48cfd4e1ad7902816e7904ce5d824c071f1de0c85c10398f70d029af254d7647
SHA512 ce2e42120a2a6c96708710bb35acca349bda2ce41dadbf256643b47661afc34d58e1456517bb2d0c6e22ef3ad1c2f9fe4c0b0e1e2014f93d080365c960832928

C:\Windows\SysWOW64\Bgaebe32.exe

MD5 932a71bd78e9b911935c5ca4a8dde1a3
SHA1 6571e5157ebe93cf18e48c6293943a30f911ac76
SHA256 c826f1c8e92a3753f57a40b845fafaed2f3e54b0b7b6c1fabc2f548e2763362e
SHA512 5cf82f7392a9423fda31531d59883c61733f90b80bfbbcce0fd7f28b32fbf16f365d429ced02fc1890804511d6f3889b904e7fbc1f595833a7757ca4b583673d

C:\Windows\SysWOW64\Bjpaop32.exe

MD5 fab3885db09ee701feb27ec4d5708d1a
SHA1 f4142fd2106cadf8de3d321accb4f340e662a935
SHA256 c08483ce666c8da64f11e6b7d22d467b92c35a91311de34d288a1e7612ed9bda
SHA512 9407d85390c50ec873aaf53312a3fdcb9ccf20063b31da805da27efe29856db2b0932cb1be0bb8518504ba8aa9fdf667170a60e95b739326bcdca05a81407287

C:\Windows\SysWOW64\Bqijljfd.exe

MD5 b727953ae8897adf93d31c658de74688
SHA1 97cd7db4464fac760e2c10aed9ef3bbb0a8c2231
SHA256 93201a4d1ad69cb3e69993520520c08e979939ab016604ad19e7f18366bc3c82
SHA512 7489e9eeb6ff81662712289419538aafcd71286c2b10b35c3b25922da9036543f9302c4d454706c88b2f47e56526985972f4fafaaed81f5c5a70a2225018c04e

C:\Windows\SysWOW64\Boljgg32.exe

MD5 cc5b0a24ed7e6d4d37e078537395357e
SHA1 b9bd3c34fefef0706e6d5b12e0004e010b4941da
SHA256 e2990c64dc360cce57cb2964c763cee736effc6938d3fefd6bb45444e4550154
SHA512 afbf68d87dc8f06e8da6218c11ca09e6d83bd81271c83abd21499e25ad79240992750218d32a4b55d634d7459e9fadd9a7d5f4dc7a9a230104dd4a2c90e545e5

C:\Windows\SysWOW64\Bffbdadk.exe

MD5 a37e6d3fdde908d8f384895477dd7c32
SHA1 70984a11201ee43d78a2616b36a917d74d06c186
SHA256 d43b1ebe23c5606897647691cf1f0191f085f0a801a5536f6e4f074edfe42873
SHA512 7fe67ab643255274015910e6c2961ea059ef6fb45ecb0bfedceee1b30b952e0f3a2aba6c54695827e33e0e5b3e6b7b420b20a5bfe31ee8addfc2fa83c6504961

C:\Windows\SysWOW64\Bieopm32.exe

MD5 64f424e969daee4468e07a8c7f56d9ff
SHA1 7eb34d261093b794e48a82cf2f1cffa43c095529
SHA256 e8710f2c06882fdfc5733720c3fc15a069e95a89f6aed7df1cb8cda7895c9bc1
SHA512 3d8cebfa55fa5d4098fc63108693d7ceb5e0933004ef4c618134fd8f0e01ad858a28deafe4880bc402c89bee1520c7ce7dbb05d49196b519426a8b6c5c350f3e

C:\Windows\SysWOW64\Bqlfaj32.exe

MD5 cda19b90caa099acb92b6de8cbd088e0
SHA1 aba85f5005a542a0906c54ab1f40176ba402da88
SHA256 69783eacefda7efc6a9a73cace47302802a9bcfb696bfcf9448dbe56f876c522
SHA512 3b949704f89fc0da4d01d54bcc2d7acbd6f5ddaf4f5a63dd2c851b24e56de1c26cea10ac06e364d2c0f7ecafaab728ab9202c266ef85729ecafd6f303b4cce7f

C:\Windows\SysWOW64\Boogmgkl.exe

MD5 f971dbd17f4e8cae425313c8f92f8d3b
SHA1 b044557a95975ed1ae2520aaa3322b096b45b42f
SHA256 8770a112a384b5e60cf572b2a599dd0fde26c554091c73d58fa597b0ec18dcab
SHA512 57863d880c996c4826fe176bd0370c5c2b321ad30996b16b46dc10e38a70232b3e86cf74d010648433a22040d21375b87b7868210860c22835c8f8620327f698

C:\Windows\SysWOW64\Bfioia32.exe

MD5 00a84859da3265abfeb4bcf81b8a2c3a
SHA1 e11403992f60cc0cdf38e032b614e6840da6d81b
SHA256 c869fc7410588254dfe2193794623cfb994bc25902435766e32c4138fabe3f24
SHA512 926a69fa77c62c7b63d2e1df688872b21467472265882817e210448f149c7890143870de53073c4f0d822ae695fd003d0c7dbb423ab4b3e5a338a8fb0521407c

C:\Windows\SysWOW64\Bigkel32.exe

MD5 bd1efcdfa935a6c6f0c5cf86930f34ae
SHA1 09ded5aa4d51827000b97c8cfe115436e2492eb1
SHA256 bf8d90ca24e66899bf3cd1dc98ef3926d9e9e845ff20467fa02a36fc108ea750
SHA512 4d0e87fefa06d3fe616a9de387b8151f234279b2c012df389f756ebb29a6330100e47cd6e468532bfc6b961d245d763c6bd9e110dff62c1263a19fb0e88b8ebe

C:\Windows\SysWOW64\Coacbfii.exe

MD5 8b8d864807c04b065500a60194c4f5b0
SHA1 a2472a7f4473f37a16e0b25ed2d159820d1e38b2
SHA256 07ef10a69229605ef18edad1a0e3d73676d52c61133155d076a2634c44d9be7c
SHA512 794ae06be13f6187ff4566106fa17f293cbf106fa02e004c26a5349b6a71e61180c379350655bc948b5453cb0b8d6dcaa5eec6fd41fc15fb6ba6756dea01a9fc

C:\Windows\SysWOW64\Cbppnbhm.exe

MD5 8f795ea348539eb12a3a477b1af0e867
SHA1 9929648138a53502bd719bcef27d65423ee40a8e
SHA256 755ecaceb0879635d13ca9555bbfa7248ea63d532dd139328e944aee69762451
SHA512 b97dcd3f916d362381d50c555c94e4cfb6f179eabe3b2db1238b5f3a90140bd47859eac3805d7c7599d20b9efc98b0cb3ce033c7ca37f86a88b9eb8835785e16

C:\Windows\SysWOW64\Cmedlk32.exe

MD5 b9e0c9af9e215b25f8e2c3bb1f559aff
SHA1 331c6b9283e67d2b4fa583c8d9d774ce1ae08a88
SHA256 a053de2e7706569c7d24f1edfec0ca1361401a82ec51cc939ea42e3ee5a293d7
SHA512 76b17e7e1d705fab84a405163962c5cfa080e603470e98627803090140ef63a4390fcd51fe9c6c3bdb66fe6e5fa32b614453e7bbfb938da56be878aaece6b297

C:\Windows\SysWOW64\Cocphf32.exe

MD5 4a03050908b1ed275f7334794c436cab
SHA1 680de6a498fca9d2b2ab2758c4914355f2f85dad
SHA256 031c55c4ae7088cf1887ba4865fea2200cea79e4ddec1629d22811c4f16fca16
SHA512 a50740be6726794ab471b1791977501c0fdeb0ab5e872b322e991bbed373e4ab9af3237bd0647c6a5e7d95a8733fa43d135ee7c66a2d5b02821c6a35894326e5

C:\Windows\SysWOW64\Cepipm32.exe

MD5 4bd79c53106cb4385a0eb45a609dd8a6
SHA1 2517cf8f05dd35e9801ed70bb929ed8b791e018a
SHA256 e59891edf7d225c7fbbc9af410e9aaa4064424548d7a5f49d650fd49a8538ac9
SHA512 b462796cef1af319daa96e53bb54929debc570bd39cd4f3cd2b51a817f930daf77594c3a978270f1f950c12070f35f559ffe1ce538a972fa6c9cb3d7c407df7c

C:\Windows\SysWOW64\Cgoelh32.exe

MD5 35d98ceacb7bfd9664abe8c756c56428
SHA1 3c6c49fc16819ee8e768fdba4a90e27c8424929c
SHA256 d757bfa0b51130155625ae9f9805e39d6386e953eb0a5b8c9228ee0dd8a5296a
SHA512 ac921ac69dcbc61971198cc36e6477f4e4edf3aa39c2d05f1b445834fc69c025cde766ecf561848245582b062ceb65287f84a18e7bac5665a4ccb632f42cecd2

C:\Windows\SysWOW64\Cagienkb.exe

MD5 a428b51c3762656509cd8bc3dc66113f
SHA1 2e16982fdc3558ae4107a2e4397cf30e823ce7fe
SHA256 2e49b872cdfb9f6657f91eaaff869587acb48fb79229cff3420009e390679553
SHA512 d65fbc9ee1996e3c47ce3b2d0e405d8ea0e625ac68441ca7621273f2decafab19f5fc9cd594e9ce9ae747309736680b48b064f5aac4c9d309b22b4b9fedcb9cc

C:\Windows\SysWOW64\Cebeem32.exe

MD5 260cf5c7a8c0930d149861cdaf20cdaf
SHA1 35091bbafc78bda21f269efab5a43eb401c2816b
SHA256 3195d9e35ff10de1cd10a2139a347d80336727ed2d6fb03e4dfd147cbc7d4650
SHA512 e90a2d938f42602f946721c7d3a37cc950d9eab0367200ae18595a7bc54c4a3c841eee504fcacf59f8eab95aebec6b825b9b321831ffc4d3d6105c7afb5f1d66

C:\Windows\SysWOW64\Cjonncab.exe

MD5 66e20a7ca4990e81afc67c74524d0d89
SHA1 5858ff3bb323a460a6b300e4a3ba31c768f0fbf0
SHA256 bc29a764cca129fda3de39875d93db82013075fab040c1b4c3d1741af1bd13d8
SHA512 a4c99bd502ed59c8937c9f63d1fd61d7fb7c4ed9248567c2830757111f9a48ed86c0854fe25f817135c0605c6ad442b9024bd8e3254454be776bc630088f8d23

C:\Windows\SysWOW64\Cnkjnb32.exe

MD5 d0acf85f1a5a3374b05fad8375d61f98
SHA1 d0d5e83d8dca7b56604102673078c833b4b77df7
SHA256 b1337630a92e5a6a9366f34cbb6e2a89834771c19170ab401f3b35558337ad90
SHA512 011f320860ce64ca807c63e19cfb0ced763ca8733ff4710ae17138c3d1e180b20dbd3c0aaa59fd1aaed0296439b02151ac7d5cff563d142433de1501ea34e628

C:\Windows\SysWOW64\Ceebklai.exe

MD5 57af9f202e1e1fe8c7500c1cd7de6491
SHA1 4de05527de8c0ed2258a2fb7ad55d3f37cf42c6e
SHA256 2df6b288c1c856f0fac22363f51f66d3a4701021f76b5787da10780a928ef869
SHA512 d8d3904886ffb9be0815a35f4db95be9498b650c462977b12a9ca811381b6926c7fe23ecbb23e4643dcafe64a2c1d53568050f5f9e39cf5221bac94f6746ff5b

C:\Windows\SysWOW64\Cgcnghpl.exe

MD5 7df35e34e6b953713aaaa1b44bccf28c
SHA1 f6dd8a288460ed778be274ecbd6bf13987c9c597
SHA256 554803cbb4da1d1eafde7f9935adcb12a62c315f702b29b7edaf857e6d710c45
SHA512 07488f2c1cda075fa6d4b31fca2613ed195c18306ce252efd946f5a14e62d8041a89922711383c74387c189c51c69e91ce3ddeffc2cef175b67eff79300925e6

C:\Windows\SysWOW64\Cmpgpond.exe

MD5 cbcdaafc802cce33a80017015c40625b
SHA1 e6cfe39d0fbcd8b0556663884ff744e7f28c2f63
SHA256 b4c111a518f3facdc78f10b141523191a9be760e9263539c4a2d24c5ec99db55
SHA512 283b9e9b50d2f1f88cf144cfe2ebb0407796dec03537d74fdf98d065eac15684fe1caf98de39f5ef6120ed5abb24b0edf30569b25a438fe80a1ad5c87c4b87d9

C:\Windows\SysWOW64\Calcpm32.exe

MD5 6bb20b140c796ed8b95292c235e19db9
SHA1 cc9d277cc207a930c24c41eac7c9120bb1c887dd
SHA256 b43bd84b0a8200b28e30596b7f3604197f02b87cc8b039f67d248ce022192dd9
SHA512 ab63ca4d15533f362f16be6ceb8cfdc89c770a5c7540648569e624aadd8d633dc2c24389a04d3f8a3b3a661dc9d7d37ac8d8a3dd8896fec73277461db9f05ed1

C:\Windows\SysWOW64\Cfhkhd32.exe

MD5 629f496fbc5f4d0a9a4ecdc24ef80194
SHA1 51af01b01461a56731958b080b3ed4f6ca3de2ce
SHA256 a560374bf954d438ef653b862fbd40a4cff3d91b2358e85e9bf9cf2e2365b50b
SHA512 2fb7e766971085f1dd60ba5e0514fe78d36e45bfdd6cfa797a95ebe0ec8c4e35bbcf3390ea054656678eef77b3420522d454470da57346871f7e280771f180e1

C:\Windows\SysWOW64\Djdgic32.exe

MD5 81b906ffab5043a7cc54bb52a8eb1179
SHA1 dac6b6d5d0597ae62cbf62d09ea78eb1639d14e8
SHA256 1eb9336f100fd20be2ba6d530d4b70693b499649ab6cc77ac735659d3904fed5
SHA512 64195f77460599dc823a731ec06a077cea1e4ade100b7d5be1a75fc2b2620e74b2c114e2085ffa9b1c448248bacf960297665e7352731cd43e57b9a2d2efd670

C:\Windows\SysWOW64\Danpemej.exe

MD5 84716e5e7012d9e0838f857e1c17a53d
SHA1 15867ac03ace06f869541f36140d5337acff6571
SHA256 f5443b6a2adc11827c7bcf5af257a34c3544490fceb3853d359ef53d140e897d
SHA512 2cc2dbd5c2bbb62e82889818d76c1afc49e794b270de68f49febc4b4d2ea5e31fe1b2b858128fed5a86f7d3bf603896a4ce56ca85daf071ede52eece5cc1077b

C:\Windows\SysWOW64\Dpapaj32.exe

MD5 685bb291ff53dd13470143bce487a823
SHA1 b77587fe81596fbe17d0552174d18512cb2cee4f
SHA256 bef8d2be5080e690d9fbf2a957f8d631a3b47ba1707e0daf2770ffe12d26dcce
SHA512 153727ae92a32ac390ed7a30b975b0d674dc5547493669c820a954ad213e8a01620d1beecbd9efd2a513021ad6092499bdf2b7d4aed4a38f058b251aa5b30b43

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 06:06

Reported

2024-11-09 06:08

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pqbdjfln.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afhohlbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lbmhlihl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Migjoaaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Anogiicl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Miemjaci.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nloiakho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Deagdn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dddhpjof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lgmngglp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nebdoa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ofqpqo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Miifeq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olhlhjpd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aeklkchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bchomn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bapiabak.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ngbpidjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ogkcpbam.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pggbkagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pqmjog32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lfkaag32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmpijp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nljofl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ojgbfocc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pqmjog32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Acjclpcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lljfpnjg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmlpoqpg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgfqmfde.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pqdqof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qjoankoi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndhmhh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bchomn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nilcjp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Odocigqg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pjjhbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Daqbip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Liimncmf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ocgmpccl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ndaggimg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pggbkagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bcoenmao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ocnjidkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qfcfml32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agoabn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Balpgb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfpnph32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dopigd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Njnpppkn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pnakhkol.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjjhbl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pnfdcjkg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chjaol32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ocgmpccl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pcijeb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pfaigm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Anmjcieo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ncbknfed.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bjmnoi32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Kmncnb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kplpjn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Leihbeib.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpnlpnih.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbmhlihl.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmbmibhb.exe N/A
N/A N/A C:\Windows\SysWOW64\Llemdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfkaag32.exe N/A
N/A N/A C:\Windows\SysWOW64\Liimncmf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ldoaklml.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgmngglp.exe N/A
N/A N/A C:\Windows\SysWOW64\Likjcbkc.exe N/A
N/A N/A C:\Windows\SysWOW64\Lljfpnjg.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbdolh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lingibiq.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmiciaaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lphoelqn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdckfk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Medgncoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmlpoqpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlopkm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpjlklok.exe N/A
N/A N/A C:\Windows\SysWOW64\Mchhggno.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgddhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mibpda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmnldp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mplhql32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mckemg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgfqmfde.exe N/A
N/A N/A C:\Windows\SysWOW64\Miemjaci.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmpijp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlcifmbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpoefk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdjagjco.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcmabg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Melnob32.exe N/A
N/A N/A C:\Windows\SysWOW64\Migjoaaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlefklpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpablkhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcpnhfhf.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgkjhe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Menjdbgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Miifeq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlhbal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Npcoakfp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndokbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncbknfed.exe N/A
N/A N/A C:\Windows\SysWOW64\Nepgjaeg.exe N/A
N/A N/A C:\Windows\SysWOW64\Nilcjp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nljofl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Npfkgjdn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndaggimg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncdgcf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nebdoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njnpppkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlmllkja.exe N/A
N/A N/A C:\Windows\SysWOW64\Nphhmj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndcdmikd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngbpidjh.exe N/A
N/A N/A C:\Windows\SysWOW64\Neeqea32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njqmepik.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnlhfn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nloiakho.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncianepl.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Ndokbi32.exe C:\Windows\SysWOW64\Npcoakfp.exe N/A
File created C:\Windows\SysWOW64\Beeoaapl.exe C:\Windows\SysWOW64\Bmngqdpj.exe N/A
File opened for modification C:\Windows\SysWOW64\Beeoaapl.exe C:\Windows\SysWOW64\Bmngqdpj.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgddhf32.exe C:\Windows\SysWOW64\Mchhggno.exe N/A
File opened for modification C:\Windows\SysWOW64\Menjdbgj.exe C:\Windows\SysWOW64\Mgkjhe32.exe N/A
File created C:\Windows\SysWOW64\Dmjocp32.exe C:\Windows\SysWOW64\Dogogcpo.exe N/A
File created C:\Windows\SysWOW64\Amjknl32.dll C:\Windows\SysWOW64\Deagdn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nljofl32.exe C:\Windows\SysWOW64\Nilcjp32.exe N/A
File created C:\Windows\SysWOW64\Anadoi32.exe C:\Windows\SysWOW64\Agglboim.exe N/A
File created C:\Windows\SysWOW64\Codqon32.dll C:\Windows\SysWOW64\Nljofl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nckndeni.exe C:\Windows\SysWOW64\Ndhmhh32.exe N/A
File created C:\Windows\SysWOW64\Oncmnnje.dll C:\Windows\SysWOW64\Pnonbk32.exe N/A
File created C:\Windows\SysWOW64\Aeniabfd.exe C:\Windows\SysWOW64\Amgapeea.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmkjkd32.exe C:\Windows\SysWOW64\Bjmnoi32.exe N/A
File created C:\Windows\SysWOW64\Dfknkg32.exe C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
File created C:\Windows\SysWOW64\Phkjck32.dll C:\Windows\SysWOW64\Lmiciaaj.exe N/A
File created C:\Windows\SysWOW64\Nepgjaeg.exe C:\Windows\SysWOW64\Ncbknfed.exe N/A
File created C:\Windows\SysWOW64\Beihma32.exe C:\Windows\SysWOW64\Banllbdn.exe N/A
File created C:\Windows\SysWOW64\Mnodjf32.dll C:\Windows\SysWOW64\Oflgep32.exe N/A
File created C:\Windows\SysWOW64\Agoabn32.exe C:\Windows\SysWOW64\Aepefb32.exe N/A
File created C:\Windows\SysWOW64\Nlaegk32.exe C:\Windows\SysWOW64\Njciko32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocpgod32.exe C:\Windows\SysWOW64\Odmgcgbi.exe N/A
File created C:\Windows\SysWOW64\Ghngib32.dll C:\Windows\SysWOW64\Pmdkch32.exe N/A
File opened for modification C:\Windows\SysWOW64\Anmjcieo.exe C:\Windows\SysWOW64\Ajanck32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bffkij32.exe C:\Windows\SysWOW64\Bchomn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lphoelqn.exe C:\Windows\SysWOW64\Lmiciaaj.exe N/A
File created C:\Windows\SysWOW64\Menjdbgj.exe C:\Windows\SysWOW64\Mgkjhe32.exe N/A
File created C:\Windows\SysWOW64\Eghpcp32.dll C:\Windows\SysWOW64\Mcmabg32.exe N/A
File created C:\Windows\SysWOW64\Agglboim.exe C:\Windows\SysWOW64\Aeiofcji.exe N/A
File created C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Aminee32.exe N/A
File created C:\Windows\SysWOW64\Daqbip32.exe C:\Windows\SysWOW64\Dobfld32.exe N/A
File created C:\Windows\SysWOW64\Bobiobnp.dll C:\Windows\SysWOW64\Dogogcpo.exe N/A
File opened for modification C:\Windows\SysWOW64\Lmiciaaj.exe C:\Windows\SysWOW64\Lingibiq.exe N/A
File created C:\Windows\SysWOW64\Gdkkfn32.dll C:\Windows\SysWOW64\Lingibiq.exe N/A
File opened for modification C:\Windows\SysWOW64\Npcoakfp.exe C:\Windows\SysWOW64\Mlhbal32.exe N/A
File created C:\Windows\SysWOW64\Hfligghk.dll C:\Windows\SysWOW64\Njciko32.exe N/A
File opened for modification C:\Windows\SysWOW64\Odkjng32.exe C:\Windows\SysWOW64\Oponmilc.exe N/A
File created C:\Windows\SysWOW64\Oqhacgdh.exe C:\Windows\SysWOW64\Ogpmjb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qqijje32.exe C:\Windows\SysWOW64\Qmmnjfnl.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmgjgcgo.exe C:\Windows\SysWOW64\Cndikf32.exe N/A
File created C:\Windows\SysWOW64\Cbeedbdm.dll C:\Windows\SysWOW64\Leihbeib.exe N/A
File created C:\Windows\SysWOW64\Mcmabg32.exe C:\Windows\SysWOW64\Mdjagjco.exe N/A
File opened for modification C:\Windows\SysWOW64\Qffbbldm.exe C:\Windows\SysWOW64\Qcgffqei.exe N/A
File created C:\Windows\SysWOW64\Lmbmibhb.exe C:\Windows\SysWOW64\Lbmhlihl.exe N/A
File created C:\Windows\SysWOW64\Ocgmpccl.exe C:\Windows\SysWOW64\Oqhacgdh.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngbpidjh.exe C:\Windows\SysWOW64\Ndcdmikd.exe N/A
File created C:\Windows\SysWOW64\Kbejge32.dll C:\Windows\SysWOW64\Beeoaapl.exe N/A
File created C:\Windows\SysWOW64\Jhbffb32.dll C:\Windows\SysWOW64\Bmemac32.exe N/A
File created C:\Windows\SysWOW64\Cnicfe32.exe C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
File opened for modification C:\Windows\SysWOW64\Deagdn32.exe C:\Windows\SysWOW64\Dmjocp32.exe N/A
File created C:\Windows\SysWOW64\Mnkhmbin.dll C:\Windows\SysWOW64\Mmpijp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndhmhh32.exe C:\Windows\SysWOW64\Npmagine.exe N/A
File created C:\Windows\SysWOW64\Afhohlbj.exe C:\Windows\SysWOW64\Acjclpcf.exe N/A
File created C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Dknpmdfc.exe N/A
File created C:\Windows\SysWOW64\Coffpf32.dll C:\Windows\SysWOW64\Ndcdmikd.exe N/A
File opened for modification C:\Windows\SysWOW64\Ojaelm32.exe C:\Windows\SysWOW64\Ogbipa32.exe N/A
File created C:\Windows\SysWOW64\Banllbdn.exe C:\Windows\SysWOW64\Bjddphlq.exe N/A
File created C:\Windows\SysWOW64\Cfpnph32.exe C:\Windows\SysWOW64\Cdabcm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dddhpjof.exe C:\Windows\SysWOW64\Deagdn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Dknpmdfc.exe N/A
File created C:\Windows\SysWOW64\Odkjng32.exe C:\Windows\SysWOW64\Oponmilc.exe N/A
File opened for modification C:\Windows\SysWOW64\Ofqpqo32.exe C:\Windows\SysWOW64\Odocigqg.exe N/A
File created C:\Windows\SysWOW64\Poahbe32.dll C:\Windows\SysWOW64\Daqbip32.exe N/A
File created C:\Windows\SysWOW64\Kmncnb32.exe C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pncgmkmj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aepefb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcijeb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Menjdbgj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njqmepik.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olkhmi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mchhggno.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ngdmod32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odocigqg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnkgeg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Leihbeib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogbipa32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkkcge32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Melnob32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Miifeq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nfgmjqop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofqpqo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agoabn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nebdoa32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Neeqea32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnfdcjkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afoeiklb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chagok32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnqbanmo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnlaml32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beeoaapl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcjlcn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojllan32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daconoae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfjcgn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pjhlml32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfkedibe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bapiabak.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Liimncmf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pgllfp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qcgffqei.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajanck32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nfjjppmm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjpckf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dobfld32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anmjcieo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ndaggimg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nlaegk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odmgcgbi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qfcfml32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aeklkchg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Likjcbkc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojaelm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Acjclpcf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amddjegd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ocnjidkf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfmajipb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmnldp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mplhql32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pgioqq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nloiakho.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajkaii32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mlopkm32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll" C:\Windows\SysWOW64\Agoabn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Beihma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cndikf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mgfqmfde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll" C:\Windows\SysWOW64\Nfjjppmm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aeklkchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ldoaklml.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll" C:\Windows\SysWOW64\Ncbknfed.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndcdmikd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Agoabn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cjpckf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgfqmfde.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pcncpbmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qmmnjfnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmemac32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pcijeb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ngdmod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qqijje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll" C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dkifae32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nphhmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qjoankoi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dfiafg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ogkcpbam.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pnakhkol.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll" C:\Windows\SysWOW64\Aeiofcji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll" C:\Windows\SysWOW64\Aepefb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lfkaag32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mplhql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mplhql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngbpidjh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cegdnopg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnkgeg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll" C:\Windows\SysWOW64\Bfkedibe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leedqpci.dll" C:\Windows\SysWOW64\Lpnlpnih.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ajanck32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Aepefb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmkjkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pqbdjfln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll" C:\Windows\SysWOW64\Caebma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdcoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfiafg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mdckfk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll" C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkjck32.dll" C:\Windows\SysWOW64\Lmiciaaj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ojllan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll" C:\Windows\SysWOW64\Pqknig32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pfjcgn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll" C:\Windows\SysWOW64\Daqbip32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nepgjaeg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll" C:\Windows\SysWOW64\Ogpmjb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pnonbk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aeiofcji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll" C:\Windows\SysWOW64\Adgbpc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nilcjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Odapnf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll" C:\Windows\SysWOW64\Beeoaapl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfpnph32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe C:\Windows\SysWOW64\Kmncnb32.exe
PID 1244 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe C:\Windows\SysWOW64\Kmncnb32.exe
PID 1244 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe C:\Windows\SysWOW64\Kmncnb32.exe
PID 2236 wrote to memory of 1536 N/A C:\Windows\SysWOW64\Kmncnb32.exe C:\Windows\SysWOW64\Kplpjn32.exe
PID 2236 wrote to memory of 1536 N/A C:\Windows\SysWOW64\Kmncnb32.exe C:\Windows\SysWOW64\Kplpjn32.exe
PID 2236 wrote to memory of 1536 N/A C:\Windows\SysWOW64\Kmncnb32.exe C:\Windows\SysWOW64\Kplpjn32.exe
PID 1536 wrote to memory of 1168 N/A C:\Windows\SysWOW64\Kplpjn32.exe C:\Windows\SysWOW64\Leihbeib.exe
PID 1536 wrote to memory of 1168 N/A C:\Windows\SysWOW64\Kplpjn32.exe C:\Windows\SysWOW64\Leihbeib.exe
PID 1536 wrote to memory of 1168 N/A C:\Windows\SysWOW64\Kplpjn32.exe C:\Windows\SysWOW64\Leihbeib.exe
PID 1168 wrote to memory of 1240 N/A C:\Windows\SysWOW64\Leihbeib.exe C:\Windows\SysWOW64\Lpnlpnih.exe
PID 1168 wrote to memory of 1240 N/A C:\Windows\SysWOW64\Leihbeib.exe C:\Windows\SysWOW64\Lpnlpnih.exe
PID 1168 wrote to memory of 1240 N/A C:\Windows\SysWOW64\Leihbeib.exe C:\Windows\SysWOW64\Lpnlpnih.exe
PID 1240 wrote to memory of 2576 N/A C:\Windows\SysWOW64\Lpnlpnih.exe C:\Windows\SysWOW64\Lbmhlihl.exe
PID 1240 wrote to memory of 2576 N/A C:\Windows\SysWOW64\Lpnlpnih.exe C:\Windows\SysWOW64\Lbmhlihl.exe
PID 1240 wrote to memory of 2576 N/A C:\Windows\SysWOW64\Lpnlpnih.exe C:\Windows\SysWOW64\Lbmhlihl.exe
PID 2576 wrote to memory of 464 N/A C:\Windows\SysWOW64\Lbmhlihl.exe C:\Windows\SysWOW64\Lmbmibhb.exe
PID 2576 wrote to memory of 464 N/A C:\Windows\SysWOW64\Lbmhlihl.exe C:\Windows\SysWOW64\Lmbmibhb.exe
PID 2576 wrote to memory of 464 N/A C:\Windows\SysWOW64\Lbmhlihl.exe C:\Windows\SysWOW64\Lmbmibhb.exe
PID 464 wrote to memory of 968 N/A C:\Windows\SysWOW64\Lmbmibhb.exe C:\Windows\SysWOW64\Llemdo32.exe
PID 464 wrote to memory of 968 N/A C:\Windows\SysWOW64\Lmbmibhb.exe C:\Windows\SysWOW64\Llemdo32.exe
PID 464 wrote to memory of 968 N/A C:\Windows\SysWOW64\Lmbmibhb.exe C:\Windows\SysWOW64\Llemdo32.exe
PID 968 wrote to memory of 3532 N/A C:\Windows\SysWOW64\Llemdo32.exe C:\Windows\SysWOW64\Lfkaag32.exe
PID 968 wrote to memory of 3532 N/A C:\Windows\SysWOW64\Llemdo32.exe C:\Windows\SysWOW64\Lfkaag32.exe
PID 968 wrote to memory of 3532 N/A C:\Windows\SysWOW64\Llemdo32.exe C:\Windows\SysWOW64\Lfkaag32.exe
PID 3532 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Lfkaag32.exe C:\Windows\SysWOW64\Liimncmf.exe
PID 3532 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Lfkaag32.exe C:\Windows\SysWOW64\Liimncmf.exe
PID 3532 wrote to memory of 2648 N/A C:\Windows\SysWOW64\Lfkaag32.exe C:\Windows\SysWOW64\Liimncmf.exe
PID 2648 wrote to memory of 436 N/A C:\Windows\SysWOW64\Liimncmf.exe C:\Windows\SysWOW64\Ldoaklml.exe
PID 2648 wrote to memory of 436 N/A C:\Windows\SysWOW64\Liimncmf.exe C:\Windows\SysWOW64\Ldoaklml.exe
PID 2648 wrote to memory of 436 N/A C:\Windows\SysWOW64\Liimncmf.exe C:\Windows\SysWOW64\Ldoaklml.exe
PID 436 wrote to memory of 3268 N/A C:\Windows\SysWOW64\Ldoaklml.exe C:\Windows\SysWOW64\Lgmngglp.exe
PID 436 wrote to memory of 3268 N/A C:\Windows\SysWOW64\Ldoaklml.exe C:\Windows\SysWOW64\Lgmngglp.exe
PID 436 wrote to memory of 3268 N/A C:\Windows\SysWOW64\Ldoaklml.exe C:\Windows\SysWOW64\Lgmngglp.exe
PID 3268 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Lgmngglp.exe C:\Windows\SysWOW64\Likjcbkc.exe
PID 3268 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Lgmngglp.exe C:\Windows\SysWOW64\Likjcbkc.exe
PID 3268 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Lgmngglp.exe C:\Windows\SysWOW64\Likjcbkc.exe
PID 2704 wrote to memory of 1992 N/A C:\Windows\SysWOW64\Likjcbkc.exe C:\Windows\SysWOW64\Lljfpnjg.exe
PID 2704 wrote to memory of 1992 N/A C:\Windows\SysWOW64\Likjcbkc.exe C:\Windows\SysWOW64\Lljfpnjg.exe
PID 2704 wrote to memory of 1992 N/A C:\Windows\SysWOW64\Likjcbkc.exe C:\Windows\SysWOW64\Lljfpnjg.exe
PID 1992 wrote to memory of 3900 N/A C:\Windows\SysWOW64\Lljfpnjg.exe C:\Windows\SysWOW64\Lbdolh32.exe
PID 1992 wrote to memory of 3900 N/A C:\Windows\SysWOW64\Lljfpnjg.exe C:\Windows\SysWOW64\Lbdolh32.exe
PID 1992 wrote to memory of 3900 N/A C:\Windows\SysWOW64\Lljfpnjg.exe C:\Windows\SysWOW64\Lbdolh32.exe
PID 3900 wrote to memory of 4876 N/A C:\Windows\SysWOW64\Lbdolh32.exe C:\Windows\SysWOW64\Lingibiq.exe
PID 3900 wrote to memory of 4876 N/A C:\Windows\SysWOW64\Lbdolh32.exe C:\Windows\SysWOW64\Lingibiq.exe
PID 3900 wrote to memory of 4876 N/A C:\Windows\SysWOW64\Lbdolh32.exe C:\Windows\SysWOW64\Lingibiq.exe
PID 4876 wrote to memory of 3892 N/A C:\Windows\SysWOW64\Lingibiq.exe C:\Windows\SysWOW64\Lmiciaaj.exe
PID 4876 wrote to memory of 3892 N/A C:\Windows\SysWOW64\Lingibiq.exe C:\Windows\SysWOW64\Lmiciaaj.exe
PID 4876 wrote to memory of 3892 N/A C:\Windows\SysWOW64\Lingibiq.exe C:\Windows\SysWOW64\Lmiciaaj.exe
PID 3892 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Lmiciaaj.exe C:\Windows\SysWOW64\Lphoelqn.exe
PID 3892 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Lmiciaaj.exe C:\Windows\SysWOW64\Lphoelqn.exe
PID 3892 wrote to memory of 2900 N/A C:\Windows\SysWOW64\Lmiciaaj.exe C:\Windows\SysWOW64\Lphoelqn.exe
PID 2900 wrote to memory of 2892 N/A C:\Windows\SysWOW64\Lphoelqn.exe C:\Windows\SysWOW64\Mdckfk32.exe
PID 2900 wrote to memory of 2892 N/A C:\Windows\SysWOW64\Lphoelqn.exe C:\Windows\SysWOW64\Mdckfk32.exe
PID 2900 wrote to memory of 2892 N/A C:\Windows\SysWOW64\Lphoelqn.exe C:\Windows\SysWOW64\Mdckfk32.exe
PID 2892 wrote to memory of 4200 N/A C:\Windows\SysWOW64\Mdckfk32.exe C:\Windows\SysWOW64\Medgncoe.exe
PID 2892 wrote to memory of 4200 N/A C:\Windows\SysWOW64\Mdckfk32.exe C:\Windows\SysWOW64\Medgncoe.exe
PID 2892 wrote to memory of 4200 N/A C:\Windows\SysWOW64\Mdckfk32.exe C:\Windows\SysWOW64\Medgncoe.exe
PID 4200 wrote to memory of 3912 N/A C:\Windows\SysWOW64\Medgncoe.exe C:\Windows\SysWOW64\Mmlpoqpg.exe
PID 4200 wrote to memory of 3912 N/A C:\Windows\SysWOW64\Medgncoe.exe C:\Windows\SysWOW64\Mmlpoqpg.exe
PID 4200 wrote to memory of 3912 N/A C:\Windows\SysWOW64\Medgncoe.exe C:\Windows\SysWOW64\Mmlpoqpg.exe
PID 3912 wrote to memory of 3516 N/A C:\Windows\SysWOW64\Mmlpoqpg.exe C:\Windows\SysWOW64\Mlopkm32.exe
PID 3912 wrote to memory of 3516 N/A C:\Windows\SysWOW64\Mmlpoqpg.exe C:\Windows\SysWOW64\Mlopkm32.exe
PID 3912 wrote to memory of 3516 N/A C:\Windows\SysWOW64\Mmlpoqpg.exe C:\Windows\SysWOW64\Mlopkm32.exe
PID 3516 wrote to memory of 620 N/A C:\Windows\SysWOW64\Mlopkm32.exe C:\Windows\SysWOW64\Mpjlklok.exe

Processes

C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe

"C:\Users\Admin\AppData\Local\Temp\afeef5104f433178d65285b0ce9afd5984226a9270bf5eb7150e0ff33adea5deN.exe"

C:\Windows\SysWOW64\Kmncnb32.exe

C:\Windows\system32\Kmncnb32.exe

C:\Windows\SysWOW64\Kplpjn32.exe

C:\Windows\system32\Kplpjn32.exe

C:\Windows\SysWOW64\Leihbeib.exe

C:\Windows\system32\Leihbeib.exe

C:\Windows\SysWOW64\Lpnlpnih.exe

C:\Windows\system32\Lpnlpnih.exe

C:\Windows\SysWOW64\Lbmhlihl.exe

C:\Windows\system32\Lbmhlihl.exe

C:\Windows\SysWOW64\Lmbmibhb.exe

C:\Windows\system32\Lmbmibhb.exe

C:\Windows\SysWOW64\Llemdo32.exe

C:\Windows\system32\Llemdo32.exe

C:\Windows\SysWOW64\Lfkaag32.exe

C:\Windows\system32\Lfkaag32.exe

C:\Windows\SysWOW64\Liimncmf.exe

C:\Windows\system32\Liimncmf.exe

C:\Windows\SysWOW64\Ldoaklml.exe

C:\Windows\system32\Ldoaklml.exe

C:\Windows\SysWOW64\Lgmngglp.exe

C:\Windows\system32\Lgmngglp.exe

C:\Windows\SysWOW64\Likjcbkc.exe

C:\Windows\system32\Likjcbkc.exe

C:\Windows\SysWOW64\Lljfpnjg.exe

C:\Windows\system32\Lljfpnjg.exe

C:\Windows\SysWOW64\Lbdolh32.exe

C:\Windows\system32\Lbdolh32.exe

C:\Windows\SysWOW64\Lingibiq.exe

C:\Windows\system32\Lingibiq.exe

C:\Windows\SysWOW64\Lmiciaaj.exe

C:\Windows\system32\Lmiciaaj.exe

C:\Windows\SysWOW64\Lphoelqn.exe

C:\Windows\system32\Lphoelqn.exe

C:\Windows\SysWOW64\Mdckfk32.exe

C:\Windows\system32\Mdckfk32.exe

C:\Windows\SysWOW64\Medgncoe.exe

C:\Windows\system32\Medgncoe.exe

C:\Windows\SysWOW64\Mmlpoqpg.exe

C:\Windows\system32\Mmlpoqpg.exe

C:\Windows\SysWOW64\Mlopkm32.exe

C:\Windows\system32\Mlopkm32.exe

C:\Windows\SysWOW64\Mpjlklok.exe

C:\Windows\system32\Mpjlklok.exe

C:\Windows\SysWOW64\Mchhggno.exe

C:\Windows\system32\Mchhggno.exe

C:\Windows\SysWOW64\Mgddhf32.exe

C:\Windows\system32\Mgddhf32.exe

C:\Windows\SysWOW64\Mibpda32.exe

C:\Windows\system32\Mibpda32.exe

C:\Windows\SysWOW64\Mmnldp32.exe

C:\Windows\system32\Mmnldp32.exe

C:\Windows\SysWOW64\Mplhql32.exe

C:\Windows\system32\Mplhql32.exe

C:\Windows\SysWOW64\Mckemg32.exe

C:\Windows\system32\Mckemg32.exe

C:\Windows\SysWOW64\Mgfqmfde.exe

C:\Windows\system32\Mgfqmfde.exe

C:\Windows\SysWOW64\Miemjaci.exe

C:\Windows\system32\Miemjaci.exe

C:\Windows\SysWOW64\Mmpijp32.exe

C:\Windows\system32\Mmpijp32.exe

C:\Windows\SysWOW64\Mlcifmbl.exe

C:\Windows\system32\Mlcifmbl.exe

C:\Windows\SysWOW64\Mpoefk32.exe

C:\Windows\system32\Mpoefk32.exe

C:\Windows\SysWOW64\Mdjagjco.exe

C:\Windows\system32\Mdjagjco.exe

C:\Windows\SysWOW64\Mcmabg32.exe

C:\Windows\system32\Mcmabg32.exe

C:\Windows\SysWOW64\Melnob32.exe

C:\Windows\system32\Melnob32.exe

C:\Windows\SysWOW64\Migjoaaf.exe

C:\Windows\system32\Migjoaaf.exe

C:\Windows\SysWOW64\Mlefklpj.exe

C:\Windows\system32\Mlefklpj.exe

C:\Windows\SysWOW64\Mpablkhc.exe

C:\Windows\system32\Mpablkhc.exe

C:\Windows\SysWOW64\Mcpnhfhf.exe

C:\Windows\system32\Mcpnhfhf.exe

C:\Windows\SysWOW64\Mgkjhe32.exe

C:\Windows\system32\Mgkjhe32.exe

C:\Windows\SysWOW64\Menjdbgj.exe

C:\Windows\system32\Menjdbgj.exe

C:\Windows\SysWOW64\Miifeq32.exe

C:\Windows\system32\Miifeq32.exe

C:\Windows\SysWOW64\Mlhbal32.exe

C:\Windows\system32\Mlhbal32.exe

C:\Windows\SysWOW64\Npcoakfp.exe

C:\Windows\system32\Npcoakfp.exe

C:\Windows\SysWOW64\Ndokbi32.exe

C:\Windows\system32\Ndokbi32.exe

C:\Windows\SysWOW64\Ncbknfed.exe

C:\Windows\system32\Ncbknfed.exe

C:\Windows\SysWOW64\Nepgjaeg.exe

C:\Windows\system32\Nepgjaeg.exe

C:\Windows\SysWOW64\Nilcjp32.exe

C:\Windows\system32\Nilcjp32.exe

C:\Windows\SysWOW64\Nljofl32.exe

C:\Windows\system32\Nljofl32.exe

C:\Windows\SysWOW64\Npfkgjdn.exe

C:\Windows\system32\Npfkgjdn.exe

C:\Windows\SysWOW64\Ndaggimg.exe

C:\Windows\system32\Ndaggimg.exe

C:\Windows\SysWOW64\Ncdgcf32.exe

C:\Windows\system32\Ncdgcf32.exe

C:\Windows\SysWOW64\Nebdoa32.exe

C:\Windows\system32\Nebdoa32.exe

C:\Windows\SysWOW64\Njnpppkn.exe

C:\Windows\system32\Njnpppkn.exe

C:\Windows\SysWOW64\Nlmllkja.exe

C:\Windows\system32\Nlmllkja.exe

C:\Windows\SysWOW64\Nphhmj32.exe

C:\Windows\system32\Nphhmj32.exe

C:\Windows\SysWOW64\Ndcdmikd.exe

C:\Windows\system32\Ndcdmikd.exe

C:\Windows\SysWOW64\Ngbpidjh.exe

C:\Windows\system32\Ngbpidjh.exe

C:\Windows\SysWOW64\Neeqea32.exe

C:\Windows\system32\Neeqea32.exe

C:\Windows\SysWOW64\Njqmepik.exe

C:\Windows\system32\Njqmepik.exe

C:\Windows\SysWOW64\Nnlhfn32.exe

C:\Windows\system32\Nnlhfn32.exe

C:\Windows\SysWOW64\Nloiakho.exe

C:\Windows\system32\Nloiakho.exe

C:\Windows\SysWOW64\Npjebj32.exe

C:\Windows\system32\Npjebj32.exe

C:\Windows\SysWOW64\Ncianepl.exe

C:\Windows\system32\Ncianepl.exe

C:\Windows\SysWOW64\Ngdmod32.exe

C:\Windows\system32\Ngdmod32.exe

C:\Windows\SysWOW64\Nfgmjqop.exe

C:\Windows\system32\Nfgmjqop.exe

C:\Windows\SysWOW64\Njciko32.exe

C:\Windows\system32\Njciko32.exe

C:\Windows\SysWOW64\Nlaegk32.exe

C:\Windows\system32\Nlaegk32.exe

C:\Windows\SysWOW64\Npmagine.exe

C:\Windows\system32\Npmagine.exe

C:\Windows\SysWOW64\Ndhmhh32.exe

C:\Windows\system32\Ndhmhh32.exe

C:\Windows\SysWOW64\Nckndeni.exe

C:\Windows\system32\Nckndeni.exe

C:\Windows\SysWOW64\Nggjdc32.exe

C:\Windows\system32\Nggjdc32.exe

C:\Windows\SysWOW64\Nfjjppmm.exe

C:\Windows\system32\Nfjjppmm.exe

C:\Windows\SysWOW64\Nnqbanmo.exe

C:\Windows\system32\Nnqbanmo.exe

C:\Windows\SysWOW64\Olcbmj32.exe

C:\Windows\system32\Olcbmj32.exe

C:\Windows\SysWOW64\Oponmilc.exe

C:\Windows\system32\Oponmilc.exe

C:\Windows\SysWOW64\Odkjng32.exe

C:\Windows\system32\Odkjng32.exe

C:\Windows\SysWOW64\Ocnjidkf.exe

C:\Windows\system32\Ocnjidkf.exe

C:\Windows\SysWOW64\Oflgep32.exe

C:\Windows\system32\Oflgep32.exe

C:\Windows\SysWOW64\Ojgbfocc.exe

C:\Windows\system32\Ojgbfocc.exe

C:\Windows\SysWOW64\Oncofm32.exe

C:\Windows\system32\Oncofm32.exe

C:\Windows\SysWOW64\Opakbi32.exe

C:\Windows\system32\Opakbi32.exe

C:\Windows\SysWOW64\Odmgcgbi.exe

C:\Windows\system32\Odmgcgbi.exe

C:\Windows\SysWOW64\Ocpgod32.exe

C:\Windows\system32\Ocpgod32.exe

C:\Windows\SysWOW64\Ogkcpbam.exe

C:\Windows\system32\Ogkcpbam.exe

C:\Windows\SysWOW64\Olhlhjpd.exe

C:\Windows\system32\Olhlhjpd.exe

C:\Windows\SysWOW64\Odocigqg.exe

C:\Windows\system32\Odocigqg.exe

C:\Windows\SysWOW64\Ofqpqo32.exe

C:\Windows\system32\Ofqpqo32.exe

C:\Windows\SysWOW64\Ojllan32.exe

C:\Windows\system32\Ojllan32.exe

C:\Windows\SysWOW64\Olkhmi32.exe

C:\Windows\system32\Olkhmi32.exe

C:\Windows\SysWOW64\Odapnf32.exe

C:\Windows\system32\Odapnf32.exe

C:\Windows\SysWOW64\Ogpmjb32.exe

C:\Windows\system32\Ogpmjb32.exe

C:\Windows\SysWOW64\Oqhacgdh.exe

C:\Windows\system32\Oqhacgdh.exe

C:\Windows\SysWOW64\Ocgmpccl.exe

C:\Windows\system32\Ocgmpccl.exe

C:\Windows\SysWOW64\Ogbipa32.exe

C:\Windows\system32\Ogbipa32.exe

C:\Windows\SysWOW64\Ojaelm32.exe

C:\Windows\system32\Ojaelm32.exe

C:\Windows\SysWOW64\Pnlaml32.exe

C:\Windows\system32\Pnlaml32.exe

C:\Windows\SysWOW64\Pqknig32.exe

C:\Windows\system32\Pqknig32.exe

C:\Windows\SysWOW64\Pcijeb32.exe

C:\Windows\system32\Pcijeb32.exe

C:\Windows\SysWOW64\Pfhfan32.exe

C:\Windows\system32\Pfhfan32.exe

C:\Windows\SysWOW64\Pnonbk32.exe

C:\Windows\system32\Pnonbk32.exe

C:\Windows\SysWOW64\Pqmjog32.exe

C:\Windows\system32\Pqmjog32.exe

C:\Windows\SysWOW64\Pdifoehl.exe

C:\Windows\system32\Pdifoehl.exe

C:\Windows\SysWOW64\Pggbkagp.exe

C:\Windows\system32\Pggbkagp.exe

C:\Windows\SysWOW64\Pfjcgn32.exe

C:\Windows\system32\Pfjcgn32.exe

C:\Windows\SysWOW64\Pnakhkol.exe

C:\Windows\system32\Pnakhkol.exe

C:\Windows\SysWOW64\Pmdkch32.exe

C:\Windows\system32\Pmdkch32.exe

C:\Windows\SysWOW64\Pdkcde32.exe

C:\Windows\system32\Pdkcde32.exe

C:\Windows\SysWOW64\Pcncpbmd.exe

C:\Windows\system32\Pcncpbmd.exe

C:\Windows\SysWOW64\Pgioqq32.exe

C:\Windows\system32\Pgioqq32.exe

C:\Windows\SysWOW64\Pjhlml32.exe

C:\Windows\system32\Pjhlml32.exe

C:\Windows\SysWOW64\Pncgmkmj.exe

C:\Windows\system32\Pncgmkmj.exe

C:\Windows\SysWOW64\Pqbdjfln.exe

C:\Windows\system32\Pqbdjfln.exe

C:\Windows\SysWOW64\Pdmpje32.exe

C:\Windows\system32\Pdmpje32.exe

C:\Windows\SysWOW64\Pgllfp32.exe

C:\Windows\system32\Pgllfp32.exe

C:\Windows\SysWOW64\Pjjhbl32.exe

C:\Windows\system32\Pjjhbl32.exe

C:\Windows\SysWOW64\Pnfdcjkg.exe

C:\Windows\system32\Pnfdcjkg.exe

C:\Windows\SysWOW64\Pqdqof32.exe

C:\Windows\system32\Pqdqof32.exe

C:\Windows\SysWOW64\Pdpmpdbd.exe

C:\Windows\system32\Pdpmpdbd.exe

C:\Windows\SysWOW64\Pgnilpah.exe

C:\Windows\system32\Pgnilpah.exe

C:\Windows\SysWOW64\Pfaigm32.exe

C:\Windows\system32\Pfaigm32.exe

C:\Windows\SysWOW64\Qnhahj32.exe

C:\Windows\system32\Qnhahj32.exe

C:\Windows\SysWOW64\Qdbiedpa.exe

C:\Windows\system32\Qdbiedpa.exe

C:\Windows\SysWOW64\Qceiaa32.exe

C:\Windows\system32\Qceiaa32.exe

C:\Windows\SysWOW64\Qfcfml32.exe

C:\Windows\system32\Qfcfml32.exe

C:\Windows\SysWOW64\Qjoankoi.exe

C:\Windows\system32\Qjoankoi.exe

C:\Windows\SysWOW64\Qmmnjfnl.exe

C:\Windows\system32\Qmmnjfnl.exe

C:\Windows\SysWOW64\Qqijje32.exe

C:\Windows\system32\Qqijje32.exe

C:\Windows\SysWOW64\Qcgffqei.exe

C:\Windows\system32\Qcgffqei.exe

C:\Windows\SysWOW64\Qffbbldm.exe

C:\Windows\system32\Qffbbldm.exe

C:\Windows\SysWOW64\Ajanck32.exe

C:\Windows\system32\Ajanck32.exe

C:\Windows\SysWOW64\Anmjcieo.exe

C:\Windows\system32\Anmjcieo.exe

C:\Windows\SysWOW64\Adgbpc32.exe

C:\Windows\system32\Adgbpc32.exe

C:\Windows\SysWOW64\Acjclpcf.exe

C:\Windows\system32\Acjclpcf.exe

C:\Windows\SysWOW64\Afhohlbj.exe

C:\Windows\system32\Afhohlbj.exe

C:\Windows\SysWOW64\Anogiicl.exe

C:\Windows\system32\Anogiicl.exe

C:\Windows\SysWOW64\Ambgef32.exe

C:\Windows\system32\Ambgef32.exe

C:\Windows\SysWOW64\Aeiofcji.exe

C:\Windows\system32\Aeiofcji.exe

C:\Windows\SysWOW64\Agglboim.exe

C:\Windows\system32\Agglboim.exe

C:\Windows\SysWOW64\Anadoi32.exe

C:\Windows\system32\Anadoi32.exe

C:\Windows\SysWOW64\Amddjegd.exe

C:\Windows\system32\Amddjegd.exe

C:\Windows\SysWOW64\Aeklkchg.exe

C:\Windows\system32\Aeklkchg.exe

C:\Windows\SysWOW64\Amgapeea.exe

C:\Windows\system32\Amgapeea.exe

C:\Windows\SysWOW64\Aeniabfd.exe

C:\Windows\system32\Aeniabfd.exe

C:\Windows\SysWOW64\Afoeiklb.exe

C:\Windows\system32\Afoeiklb.exe

C:\Windows\SysWOW64\Ajkaii32.exe

C:\Windows\system32\Ajkaii32.exe

C:\Windows\SysWOW64\Aminee32.exe

C:\Windows\system32\Aminee32.exe

C:\Windows\SysWOW64\Aepefb32.exe

C:\Windows\system32\Aepefb32.exe

C:\Windows\SysWOW64\Agoabn32.exe

C:\Windows\system32\Agoabn32.exe

C:\Windows\SysWOW64\Bjmnoi32.exe

C:\Windows\system32\Bjmnoi32.exe

C:\Windows\SysWOW64\Bmkjkd32.exe

C:\Windows\system32\Bmkjkd32.exe

C:\Windows\SysWOW64\Bagflcje.exe

C:\Windows\system32\Bagflcje.exe

C:\Windows\SysWOW64\Bebblb32.exe

C:\Windows\system32\Bebblb32.exe

C:\Windows\SysWOW64\Bjokdipf.exe

C:\Windows\system32\Bjokdipf.exe

C:\Windows\SysWOW64\Bnkgeg32.exe

C:\Windows\system32\Bnkgeg32.exe

C:\Windows\SysWOW64\Bmngqdpj.exe

C:\Windows\system32\Bmngqdpj.exe

C:\Windows\SysWOW64\Beeoaapl.exe

C:\Windows\system32\Beeoaapl.exe

C:\Windows\SysWOW64\Bchomn32.exe

C:\Windows\system32\Bchomn32.exe

C:\Windows\SysWOW64\Bffkij32.exe

C:\Windows\system32\Bffkij32.exe

C:\Windows\SysWOW64\Bmpcfdmg.exe

C:\Windows\system32\Bmpcfdmg.exe

C:\Windows\SysWOW64\Balpgb32.exe

C:\Windows\system32\Balpgb32.exe

C:\Windows\SysWOW64\Beglgani.exe

C:\Windows\system32\Beglgani.exe

C:\Windows\SysWOW64\Bcjlcn32.exe

C:\Windows\system32\Bcjlcn32.exe

C:\Windows\SysWOW64\Bfhhoi32.exe

C:\Windows\system32\Bfhhoi32.exe

C:\Windows\SysWOW64\Bjddphlq.exe

C:\Windows\system32\Bjddphlq.exe

C:\Windows\SysWOW64\Banllbdn.exe

C:\Windows\system32\Banllbdn.exe

C:\Windows\SysWOW64\Beihma32.exe

C:\Windows\system32\Beihma32.exe

C:\Windows\SysWOW64\Bfkedibe.exe

C:\Windows\system32\Bfkedibe.exe

C:\Windows\SysWOW64\Bnbmefbg.exe

C:\Windows\system32\Bnbmefbg.exe

C:\Windows\SysWOW64\Bmemac32.exe

C:\Windows\system32\Bmemac32.exe

C:\Windows\SysWOW64\Bapiabak.exe

C:\Windows\system32\Bapiabak.exe

C:\Windows\SysWOW64\Bcoenmao.exe

C:\Windows\system32\Bcoenmao.exe

C:\Windows\SysWOW64\Chjaol32.exe

C:\Windows\system32\Chjaol32.exe

C:\Windows\SysWOW64\Cfmajipb.exe

C:\Windows\system32\Cfmajipb.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Cmgjgcgo.exe

C:\Windows\system32\Cmgjgcgo.exe

C:\Windows\SysWOW64\Cenahpha.exe

C:\Windows\system32\Cenahpha.exe

C:\Windows\SysWOW64\Cdabcm32.exe

C:\Windows\system32\Cdabcm32.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cjkjpgfi.exe

C:\Windows\system32\Cjkjpgfi.exe

C:\Windows\SysWOW64\Cmiflbel.exe

C:\Windows\system32\Cmiflbel.exe

C:\Windows\SysWOW64\Caebma32.exe

C:\Windows\system32\Caebma32.exe

C:\Windows\SysWOW64\Cdcoim32.exe

C:\Windows\system32\Cdcoim32.exe

C:\Windows\SysWOW64\Cfbkeh32.exe

C:\Windows\system32\Cfbkeh32.exe

C:\Windows\SysWOW64\Cjmgfgdf.exe

C:\Windows\system32\Cjmgfgdf.exe

C:\Windows\SysWOW64\Cnicfe32.exe

C:\Windows\system32\Cnicfe32.exe

C:\Windows\SysWOW64\Cdfkolkf.exe

C:\Windows\system32\Cdfkolkf.exe

C:\Windows\SysWOW64\Chagok32.exe

C:\Windows\system32\Chagok32.exe

C:\Windows\SysWOW64\Cjpckf32.exe

C:\Windows\system32\Cjpckf32.exe

C:\Windows\SysWOW64\Cmnpgb32.exe

C:\Windows\system32\Cmnpgb32.exe

C:\Windows\SysWOW64\Ceehho32.exe

C:\Windows\system32\Ceehho32.exe

C:\Windows\SysWOW64\Chcddk32.exe

C:\Windows\system32\Chcddk32.exe

C:\Windows\SysWOW64\Cffdpghg.exe

C:\Windows\system32\Cffdpghg.exe

C:\Windows\SysWOW64\Cnnlaehj.exe

C:\Windows\system32\Cnnlaehj.exe

C:\Windows\SysWOW64\Calhnpgn.exe

C:\Windows\system32\Calhnpgn.exe

C:\Windows\SysWOW64\Cegdnopg.exe

C:\Windows\system32\Cegdnopg.exe

C:\Windows\SysWOW64\Dfiafg32.exe

C:\Windows\system32\Dfiafg32.exe

C:\Windows\SysWOW64\Dopigd32.exe

C:\Windows\system32\Dopigd32.exe

C:\Windows\SysWOW64\Danecp32.exe

C:\Windows\system32\Danecp32.exe

C:\Windows\SysWOW64\Dejacond.exe

C:\Windows\system32\Dejacond.exe

C:\Windows\SysWOW64\Dhhnpjmh.exe

C:\Windows\system32\Dhhnpjmh.exe

C:\Windows\SysWOW64\Dfknkg32.exe

C:\Windows\system32\Dfknkg32.exe

C:\Windows\SysWOW64\Dobfld32.exe

C:\Windows\system32\Dobfld32.exe

C:\Windows\SysWOW64\Daqbip32.exe

C:\Windows\system32\Daqbip32.exe

C:\Windows\SysWOW64\Dfnjafap.exe

C:\Windows\system32\Dfnjafap.exe

C:\Windows\SysWOW64\Dkifae32.exe

C:\Windows\system32\Dkifae32.exe

C:\Windows\SysWOW64\Dmgbnq32.exe

C:\Windows\system32\Dmgbnq32.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Deokon32.exe

C:\Windows\system32\Deokon32.exe

C:\Windows\SysWOW64\Dhmgki32.exe

C:\Windows\system32\Dhmgki32.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Dogogcpo.exe

C:\Windows\system32\Dogogcpo.exe

C:\Windows\SysWOW64\Dmjocp32.exe

C:\Windows\system32\Dmjocp32.exe

C:\Windows\SysWOW64\Deagdn32.exe

C:\Windows\system32\Deagdn32.exe

C:\Windows\SysWOW64\Dddhpjof.exe

C:\Windows\system32\Dddhpjof.exe

C:\Windows\SysWOW64\Dgbdlf32.exe

C:\Windows\system32\Dgbdlf32.exe

C:\Windows\SysWOW64\Dknpmdfc.exe

C:\Windows\system32\Dknpmdfc.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7740 -ip 7740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7740 -s 416

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/1244-0-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Kmncnb32.exe

MD5 5cb8ad11f4e2b879e1ac916390911b11
SHA1 b80d097e69202e69838f229dea6e2617b4a8ca0f
SHA256 225cd3c4993fe32ef8ff6b086d8315e1dc9937d183814f3ca6179e26cde6885e
SHA512 1724f3b6a17cddef51e6f49679577f96bc1b7cd4f6fea7b59c463eb662e38671677c97ba455dd508ea7250bc52c325f512a4104f7a7e1eafa5844008c0bce55e

memory/2236-8-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Kplpjn32.exe

MD5 b09cd1d587808031d76a36f4b6235dea
SHA1 8e07552925b44177ff9158f784bdf57f8941aebf
SHA256 95c7a6f6d169fcd0dec8683e2efebf22341333a5530b5b48dd07761e9663031b
SHA512 b43828e6879bbe51d4b3ab000b03663f86573b919c9143c7d1ac37a133dc3f8eccee85e64f49be3749c10f81b2470de77ea96d654261bdaeba8bb8a8f5c8f946

memory/1536-16-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1168-23-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Leihbeib.exe

MD5 79938529a2be5f287b06499e7eadadba
SHA1 253da46212d89056cb9fe5c44c74b97e96d0d855
SHA256 d188ad5e2b6403a625d37738844489098f132a68f9397fe472bf66a1f5d9fdfa
SHA512 6c01755230d9e710fb20cb017708cfa6b2a77d18f3314d1d2d920f0c863167ad16190e9392182fae77ea02d7b65018760d1d9f4c55e1ac3ffb4916fbd8b5dd29

C:\Windows\SysWOW64\Lpnlpnih.exe

MD5 7fb4f72600c442c12f4dc60212c70694
SHA1 f981d1958dc07c29370e5e874491c5bc10fd5ef8
SHA256 c7dc6afb381d263aaceaa89f61faf711c96e7534443ae5843ead6ed4b9ff20f0
SHA512 b7eecf7ab391328159b49225fcd59cafa00760b93348422aea0ec4cb4aec8eff18b90bfcf500ecbe13bd9fcc0007a8859034eab9fed3a69403f0b2a5c42473a5

memory/1240-31-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Leedqpci.dll

MD5 e5407833bb4179bf9a26e0e70e8ad8b9
SHA1 cf162a529f7a567c2565460cafdf150b917afb76
SHA256 f4f521ae510914c62bea16454c32c847afa6b30d6b9a7c18038c19a0d78db691
SHA512 21b66b9e55cc7a6aa51df1080f4c6a8f1895aa187e486b6f7474680c81d0f5eb9d69edb52f26d771403ac9deaf1ab1584156ae37a45fa478f7f269c3a7a27392

C:\Windows\SysWOW64\Lbmhlihl.exe

MD5 aabd31f4b9b1514d09af926c49305235
SHA1 9efae5a4ec6cb9d33ebac75ac003c0b851e432e0
SHA256 293c7f3255b79b433c15306691d285264d5e4fc6e56982f316f332d2370e7aa0
SHA512 08d980672b7c3ca79b1e1c315fdcadebc97a160ab14fee936e0ab840be347fa05420ed26245d800771a774a7a7d6a55122dadb2629b3ef6e35e0e225279152de

memory/2576-39-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Lmbmibhb.exe

MD5 c004e2df1795d4ffe7aa384fa34f92f3
SHA1 d712a874d9b4460647b0330716c2cdee41c656b3
SHA256 d62512f17cb40fe0ff686c513bd7d776514a21211ce43016f4f1209da6d8c09f
SHA512 daebd950d0ad825bb14c36ebe244fcfd288e1276ea4c56faceddb9eda03f45b4d7ffd983493892c712e14d23cada65b88d5ec15d272a100626282668ae6dfdd2

memory/464-48-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Llemdo32.exe

MD5 c23a1ef210409a46f1995f8b012c36f5
SHA1 e5e44ce30bd484c310e7eff1cc693d55d6ae5c6f
SHA256 6f199e3833939314949332949e7f51aa471defdd766a5eb788b956540128f686
SHA512 3940926b0320078a80cdf7f669ec097043fecdf1a4d931c438f5ef1c70255536672f183509017669d20fce9fad161a1b28edc7a259fc9580cae34d3d5d8dfa4f

memory/968-56-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Lfkaag32.exe

MD5 b8e1fec3b9005a4237d7ceb587f541d5
SHA1 bb61f3bdb0e0d8814bbc9bd3aaae688d930b2513
SHA256 f7bce6ef10ab60931839e6da7e24d6087bcaa79299c02fa3d51417e4b7a9f81e
SHA512 5acb2e5fcea7a94ca61d22a6c86b2bddb4ac62d90e05a615dfbbeeec7206fd2e4fbb5aceeddbf513a5e30e3f3448037ecd86af536109bd23b21e9ffa6071884d

memory/3532-64-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Liimncmf.exe

MD5 56699589c7613ed5885c67772904e66b
SHA1 ef9c49904f5d3f33dd502f999a4301a69cf02b73
SHA256 626e6cedacafd069b8e9a37862eed60187e49a8a8ea987cabe2c0241e5e479b7
SHA512 37ccbc21e05579d6b94afa6af35d9d9d76000b3a04ed56be0362f3bc62d4bf6578167c52ca352e1f3cb2824afa336b6fa66d3f8ec22b75bdbc7cf4ee10027f6c

memory/2648-71-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Ldoaklml.exe

MD5 35d98ca5184d0b6e9cf624bc661c1dd7
SHA1 52335297f182ebc62c72ea0e0ae5f735b7630cd5
SHA256 2955b25fc92dc887300df36dae03f2f8d1e695e6ef5950ba82719f54554a3161
SHA512 c08a19b2de13232dcf661fc85335cad23027da19b1963ff18065102e72aee1359d0934b1fc5865d6639b40a7edd40a62c3ab14e82ff6711497155dc45456272d

memory/436-81-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1244-80-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Lgmngglp.exe

MD5 fb04fdc7a94b3e5994d81ca84a4beef7
SHA1 128ed58f35df13534f7a2b9b42bf7967046a1f49
SHA256 34b711e226fb4309bf94f4e9ee99a54bc84c87c4f13f02ebf69092df76a184e6
SHA512 895d40447ebe5de2f7204e492b5eee553be3bdc69c68e8e0a2c016fc2d1a0b92de9298879024cb7299e7afebcf30e6340065ba0004b6f60018c85d73577fa71f

memory/3268-90-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2236-89-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Likjcbkc.exe

MD5 18db0e29210b3b2ade14ce37417e1be3
SHA1 b1be25e883e403e52f50811702f284db38f84176
SHA256 3d297eac0054bd645348ce19dc3172710ab4e13b11a89c93d6c56daebd7a509e
SHA512 86bb5c5bef8142a95009d9f1dccdb27624d2fb7c90a5e3b76480f462708db9dc39bc936c7a13e7e3772154afd3f09f322af99e6033cb3086fbd60498a04ad5b1

memory/2704-99-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1536-98-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Lljfpnjg.exe

MD5 3e62b60250bd3ee0cb90724c23ef0654
SHA1 0173810765fa6adc13ff6a24a1bce77cae600cb5
SHA256 af95131827c86ee5e97c07ff547576e2caad04feac97a8d9d4be4c0eaa061069
SHA512 df262483b050609a45607de50beb3634aad14fb3f3c6d3861b1e1efc76f517b6ecd9afa479d5ac0fa71ab9184730948d7ee9821adf34858a4e10a64a707157a8

memory/3900-116-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Lbdolh32.exe

MD5 96580cc645175ae91d3cb1a73168bf34
SHA1 ac8be1d14d15e0654a1e31368c9c207a3dc33a8a
SHA256 a3b1cd1b21b0ffa286ed5e4bb8a5e88243df71aa3d49f9446575e2c27160d2b8
SHA512 6a173dd1212eeedcedf5f4fc7bb779f383672e1c32c7b2d9411585a03c9602498ea4626ff9fa06a7613a7fb2c928723ed2aff31850f78cdfbd64f7c948093701

memory/1240-115-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4876-130-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3892-139-0x0000000000400000-0x0000000000442000-memory.dmp

memory/968-147-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3532-151-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mdckfk32.exe

MD5 845d8c2e0cf40ec426a93a2c2509ba91
SHA1 8b387e73dc82b0b6562db0715f868c659f45c38c
SHA256 1c90ed85ad04de4bdd521fd62d3198947a16b7f7aa563ae74ef3ce1ad8939014
SHA512 d89c21e1e0512bf90e268ffbf0d7e43e42a6da798b5f639fe5c875440f0df1329e0cc7b9101e65e4c1ab4b2c2b7d8768737851a5cfc9c812df70295e0259a35f

C:\Windows\SysWOW64\Medgncoe.exe

MD5 3d83043512e92e7dd3efb3b22422cf50
SHA1 df6c29caf3533abce41ca9d3805ef7710772b80d
SHA256 448e8d6d3cc498dae01fa5b0fc495011fb47ac8be1ad6ea6d0a6a147d3a6a33d
SHA512 7d1c463e17f51bb8c183bfbe2e814bc310a06f35fa11151805d00599013bd82495a1437442b5b8b15570aac466878a332f1004b28191cd6dc12a0e919b560931

memory/436-174-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3268-183-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mgddhf32.exe

MD5 acc656fa4b9a7ae59a50fc26f1e06ebd
SHA1 abf7a616ac94ec0d48795693055154788a9158cd
SHA256 9c9d5098ecbe94f6e0ca2564003f51d025fffae05ab2948183c8c53650788f4a
SHA512 630c3447a621c9b90b3abf5975b756814c85bbb34c0f1076fb55385ed0d207255e539f25250fecc8474e8fdf80df61ba3c65fbdefbe765456353ca4fa1aa15ed

C:\Windows\SysWOW64\Mmnldp32.exe

MD5 ecac04861dfa44ad52eea4bc9ce1f41c
SHA1 5be7cb43d9f12952078c9307b731d38e20ac10e9
SHA256 10d190a1bdac516946fd33f633f96edb9f78b3aa1b33a72bdaaa6468d6405f39
SHA512 2e110ce43c61446b762e0bf0efd42db94244c5b0b7b6964f6384b54946c195070e70ac4f32d423d31b7ec043c275ac2fa87d5032d415d552bb63cc2f215120c9

memory/4000-259-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2248-299-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3640-347-0x0000000000400000-0x0000000000442000-memory.dmp

memory/116-366-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3956-463-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4100-493-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1348-505-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1520-517-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1000-529-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3436-541-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3604-559-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4404-553-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2984-547-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4936-534-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1012-523-0x0000000000400000-0x0000000000442000-memory.dmp

memory/316-511-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2336-498-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4412-487-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4700-481-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3444-475-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4220-469-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3920-457-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3440-456-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4912-450-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4580-443-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2516-437-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4608-431-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2944-426-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2760-420-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3600-414-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3968-408-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1464-402-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2688-396-0x0000000000400000-0x0000000000442000-memory.dmp

memory/64-389-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2772-384-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2640-378-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3656-372-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3644-360-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3420-353-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2628-341-0x0000000000400000-0x0000000000442000-memory.dmp

memory/648-335-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1524-329-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3952-324-0x0000000000400000-0x0000000000442000-memory.dmp

memory/560-318-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3416-311-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3608-306-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3492-294-0x0000000000400000-0x0000000000442000-memory.dmp

memory/5092-287-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4516-281-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4760-276-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mlcifmbl.exe

MD5 e84b7e4a40d074e8c67e7768a43d626f
SHA1 54e00d9e86dd1d1305f999c57130516ab6c5b437
SHA256 10b56a89ff610923a8cb9ade58662aabdbbb77ab41ae921fe2e37a90493f1761
SHA512 730c6ad286ebb8fac8202b23eb0b9a80009fc99b212f0d16c9b08d61ecd59515ce762c4a7e9ce3302abd55f2299290657f0c5df7d9656efd3132904667fc7273

memory/4104-268-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mmpijp32.exe

MD5 cdcc0f346085fa3c34e1ea7602a02484
SHA1 c7a66f59985aae175b3b8c0074369cc669a1af15
SHA256 09391d3b6d76d80c94a4cbb250c2b8e9e807fa42a4fdcd9d3b4364c2488bf126
SHA512 780e649de1e05bfda58a2f2e9771bc9ed9fd91d9983cba11fc69ef8bcc0b63eedaa5d045afa9ffe65958f88a6a7854fb648bf06f466925997071920349024312

C:\Windows\SysWOW64\Miemjaci.exe

MD5 5ee781f621fed8e9807ed2df086362d3
SHA1 a846d87c234125b0b6de9f0536ad5cd893e9e769
SHA256 8a507cc8421a36c363f317035384b5fc112fe0d459b7bfa947d514539dc9f7c6
SHA512 a60fb58ad9675db85bb30a7a177b237acd429cc4e111cd7103d299ed830887afe94b4f6eef3a7d47ca4cac6c0829d996962ebb7cd7fb12bcdf6c0ee7b5f5e070

memory/3848-252-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mgfqmfde.exe

MD5 2a047a320c6134957c9f723c0591c12a
SHA1 4fbc752da98d960de035a73b723eae73b6d45416
SHA256 ad5e64c4c7872bd5fdc82fae444bc9e142449b1a1196168a7c0257db5604115a
SHA512 5957bcff1a646006291f53be82aad7af7a413603482543529b8b8733c678cfab240cb80ce75f2318d9e81c87b8cc42c8e34809aedf774604545dbb6d75eb05e9

memory/4048-243-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2892-242-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mckemg32.exe

MD5 2653aba059f3366c46acb9983520d49d
SHA1 bd27dbb1641736d55254926f363abdb65d2f49fb
SHA256 038c5519702ffdf5521e5064eef5975bd08b82e265730fccee754e80a769980c
SHA512 54479b20b13a9ccc8bcd7defbefe59c4ffcbc6172ce482ee84e604b1fc0e3ad318be5345cbd182e5341f92879959d2ce60c59e090492ae0635a1f4491c4f4421

memory/1540-234-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mplhql32.exe

MD5 c0306f3a8392af77aa4f18950fea3b85
SHA1 5ad369fa38e8fbaf1355e26bc6a32d0f1c41cb5a
SHA256 80ae229d13f5bd52ef793503e5f8ad0dd22484ef388b000f85047a6f070901aa
SHA512 1a5f8206dc9551e9a61cbeb23372e513157e4e8fb6790a162f26bd6257c43f6b503242a087e5c23eb28e0b356cbd1a902c89c5adbf10bb00f42bd9c3b617ceaf

memory/4672-227-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4176-218-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mibpda32.exe

MD5 9d9190926a9f0d092adf40bf4235db0a
SHA1 fd5c351c7de4cf75d4bce44cf6d10feebfb224c6
SHA256 2d1983d08057f94cf71e854fa739ef566bbfda176337a0b24fc9157ac51b11c5
SHA512 576be372b12a6652b4bf4081f11e22c05743e64e48f043dc43e0c987ed579ac948d819ecdef6fe0ed9e23fe0ac16222d3d45c5973aa2981c9d1a12a2124ea17d

memory/3852-210-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3900-209-0x0000000000400000-0x0000000000442000-memory.dmp

memory/732-202-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mchhggno.exe

MD5 b4537470b120e6d775db714128195893
SHA1 2d237146cfb4819aa2e118673f4d53afc3dc2f5b
SHA256 4930e5aab9470ba12b1af11ad6c9964a1eb051f20e204c775de3327975f66f76
SHA512 54639dcdef902a906a2e4941f4abacc553b66dcba26d14887dc372c9e6f49603f6b005f87140aedef15623fa6ae355275f098d524ccb90157dceb68ce76b4aa8

memory/620-193-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2704-192-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mpjlklok.exe

MD5 1d920883f4d3e4f9f23ce128ba80278a
SHA1 6006d170ae6a759f4b133acfcbdbe0e84116659d
SHA256 3b0c0952c56586421279db3689b47c157a01737fe7661a5bdd04ef3af3261b4c
SHA512 ab36ce1ba1e11cdf7a238a34d392c12a0f75ad7201635f9ed143f2a67ed95dd1a0c6d51af5d97da299afaf45ec2ace25eefd6a1678606eb990a515fcf5c1cbe9

memory/3516-185-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mlopkm32.exe

MD5 c592e56b40b0069f5c65101fa10507cd
SHA1 d2df37a23b30c567e48535b29dea62a27c83174f
SHA256 05fd529920651b59d5f5538e4faa91a9c0e40d33a2bfd708399e13a50c4da62c
SHA512 ba218cc5f2e40a07b7a62c6a63dbe528d67c18c18bb5ce00d60bbcb6bb1a97b9252a6b619a9f0a65369ea489aa9baece81b574da379c972024dd8caa4ef34ae0

memory/3912-175-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Mmlpoqpg.exe

MD5 af632affa611cb2bf6ae2a5dd332a86c
SHA1 a8327b75143b39dd9f2d208f7d954f25fe57b0e3
SHA256 0df38aceb0abe2d277aad90a300e13e09ef77d3d3941d4d5fb376df2b1f2e023
SHA512 10ef1605e1a1aed1da3a381d1bdba82a3b74a29b091bf4060f918dff1c4153246ecbe288b99ea0565a2f84214ccffcbbdda58f6c9cb1acd7fa6072881b650577

memory/4200-167-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2648-165-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2892-152-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2900-149-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Lphoelqn.exe

MD5 83d4880db53fa95478c96e8b28489079
SHA1 7a1b5033cbf225e74a6c622bcd3ded0b7ee50f8f
SHA256 f583b1bb9475c159ed00b6a9ea2350e56ca0d9ad7caa41c9eaabacfef0e483df
SHA512 dfd56659220b02b5f3f422c26a7cbcb889c0d49779c637ec7ada2612065ba612095c7b31e8bc47225e317b8d99e8682b2e349c5551c531981274c27ac7d91cf2

memory/464-138-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Lmiciaaj.exe

MD5 8761dad55af7361ee4ab62030a3aa321
SHA1 fd812a0712b59bc58939b3beb54c28e9a88e36e0
SHA256 8529582503e1e61d8b21a452723293b8e4cd464348ad00ae77aa9517bc253814
SHA512 054ca44f90d9bbfe88b8b259cb04c833e3172958131d6ba34bde2e8e5eb1559157b8b15f8159f6a550e5b0ab786bf494b1b454bab66773e5f3019063f9b74a72

memory/2576-129-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Lingibiq.exe

MD5 30161459fc5a9ecfec737959edfe3490
SHA1 b5674a8b440d3b0d055c97a300066619132c5d06
SHA256 be08a3e554490893f48a4f58436cceaf29e54fe716931f4aba61be3602352828
SHA512 c0fe405ae895552904a8be2dbf5a012d27a3e146e74fb93ef13611ce70b0e74acd879576af7b17156519fb6bb799a8b1c730f23aa6e23a37cfc1796c748c0740

memory/1992-113-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1168-111-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\Qqijje32.exe

MD5 486550cc04a5212eaf521756f9b47cb5
SHA1 8b45057cdfad1be63b37edd3bd77aa8a24cef708
SHA256 766cddc45ced59b1da87fa87e838de19749e85854a96e1829c68729c1118e496
SHA512 739e702b57d7483fd71ec42ddc00ed08c689e04ac820c3682a39213da14bd1037cd4c336b651938064aa245a06d296e86f4d3b0778b88dd02aa7d7aa68076712

C:\Windows\SysWOW64\Adgbpc32.exe

MD5 ee9a620df689cf86c3435fd035532c57
SHA1 b41c255b825302af335a39d90ba8cc1387b12d18
SHA256 8a95a1182b7bbae461bb7dfe953783db77802247ab64365d5ed15f7d023b3bcc
SHA512 48d21e90fa4189ddfc8f3fdeb4de1a1d6a523a1615c0a98376cebb70a7cf175281e445f0b0eed0af987f0ddf8555c0c936ecf5fba38dc1009504d52ca7e2b549

C:\Windows\SysWOW64\Afhohlbj.exe

MD5 1729a6b4c652fe17e9851d153fa56a98
SHA1 f0d053bae210c14b2a7858b3774f7822c7d45774
SHA256 dc24db9709a8cb450048548112b1dd8e64a125a11e243e2a9800b98870b225f7
SHA512 8c8c0374292745442673cf03770c57b544c842d8cda04a5a40e23e3b3b69b0c9b6681411a072b351d3c292f0dbc1053aee5f254bc5853c21ab0e1bc0d2b8830f

C:\Windows\SysWOW64\Agglboim.exe

MD5 73d6721360aa7b2dda8e7dadd41f2793
SHA1 56eb9873314c49c68ed5693e907e0165790e0331
SHA256 98cffb3a87a148b968b73b205232768cc05335a0eb399b2b1367e9e3bf338332
SHA512 f739b67e2890892ab2a39d82dd2d8cf35fae825139f68c2c7726bf13ccff6f73b9897eb85d6fd04edb1262477413c38c10b60037cc9abb1c58385b9645dc1ac9

C:\Windows\SysWOW64\Bebblb32.exe

MD5 db855a6ab355d660ad56847945d5b5ef
SHA1 06ed61a2fb6057d1882b04ef5fb4ff2de6945972
SHA256 bb05c9115f55de0556b5129a2445dab75121fa0fbc284e6ffb02f9e17c8aae47
SHA512 351c23820984e7b5e965bf497d1e1daa463f65d4b2d072fd80ffd6f5b533f8ed45caf8e35f5f32c35dd2a5fd6870e57994730f0cb47fc8b9ddf13580f7a5645d

C:\Windows\SysWOW64\Cfmajipb.exe

MD5 c2a2dc5867f959223d56504c64b68398
SHA1 f952b229d1e96a77f2663628b786658107612248
SHA256 0342bc205b289536d0c71f7a4c4f51f707a2005349bebaa421af9f4e186cecce
SHA512 934d9020fbd6e8f3355df421577d82e7fc972fe0fe6725a2ffdf72b0636781e5a7f387e56fa4b9d1e099358d82f8fc3b39f0518817573fd421f8f962fd02529f

C:\Windows\SysWOW64\Cenahpha.exe

MD5 979e7d2ea239244ca7a733096c26f3bf
SHA1 ec3daa205c6fcfda0a0a132727bc4287064c1601
SHA256 a7fb34bee8645d690b3b475bbe7a80d844f94a47fbadc9ec3db0306d1c45162f
SHA512 d753ee9346208d13a9dbe34822e913e3ac67d5fe3a05fb73daf70bbc9abb804b90481205f546ad57ca40d6490e19e15a90f2be6e3c4525faa4f9a324f168f316

C:\Windows\SysWOW64\Dfiafg32.exe

MD5 03cd720b4c75ca167a6f06971f19867a
SHA1 59aed75334ad0a145a8e158c0e4cfe0c7a5ea4ca
SHA256 596e5fd5df2ae53db63d3c79a12a9c2e9d42231e2c19203c4afc9b89ee8a9f7e
SHA512 da8b52891e6cf0adedca34b165bde432ea758c3ef5369dd390c55626fe6a821de44b0039afe7752b20806b1e7c71a2cda17f1257ddefc8248d5f6742d02c5d72

C:\Windows\SysWOW64\Daqbip32.exe

MD5 8393bea6cfc322303d044c62599652e8
SHA1 961444ef45f60f7ce060d15c3182fda80e5c9806
SHA256 f8679fdbce5848188cb30a48f2986ad172dfead856d21b645627b36f16e79583
SHA512 94a6f24fafbfe9aebc8fd4589ade4d3e8b853d335b8e607b0bb6736c32b27af29c9372f42007f27f70658b649c4bd6c787ebc48c42ff357324d93c09e8956d84