Malware Analysis Report

2025-04-03 18:00

Sample ID 241109-swbz4sxcpj
Target be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN
SHA256 be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114b
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114b

Threat Level: Known bad

The file be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Berbew family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 15:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 15:28

Reported

2024-11-09 15:30

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdjjag32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbjeinje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Opqoge32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmmeon32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njjcip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ohiffh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnfddp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bqeqqk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmpbdm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qiioon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aojabdlf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aomnhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Neiaeiii.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nhlgmd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pebpkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pgcmbcih.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aoojnc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Abmgjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bmpkqklh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkegah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cegoqlof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pepcelel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qjklenpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ahpifj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nhjjgd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Piicpk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Piicpk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pgcmbcih.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qpbglhjq.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aojabdlf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnknoogp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nenkqi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oadkej32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ofadnq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olpilg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbblda32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nhjjgd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pohhna32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdcifi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bffbdadk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oabkom32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ahbekjcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ahbekjcf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ahebaiac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nhgnaehm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Olpilg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oekjjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oekjjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Adnpkjde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnknoogp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnimiblo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Boljgg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Neknki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pifbjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qiioon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfdenafn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bcjcme32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ccmpce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ckjamgmk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lklgbadb.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Kadfkhkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdbbgdjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjokokha.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbafdlod.exe N/A
N/A N/A C:\Windows\SysWOW64\Lklgbadb.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbhlek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfjann32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgjnhaco.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmkplgnq.exe N/A
N/A N/A C:\Windows\SysWOW64\Nefdpjkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbjeinje.exe N/A
N/A N/A C:\Windows\SysWOW64\Neiaeiii.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhgnaehm.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnafnopi.exe N/A
N/A N/A C:\Windows\SysWOW64\Neknki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhjjgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nncbdomg.exe N/A
N/A N/A C:\Windows\SysWOW64\Nenkqi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhlgmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njjcip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oadkej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odchbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofadnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Omklkkpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Opihgfop.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcqcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oibmpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olpilg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Objaha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oeindm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olbfagca.exe N/A
N/A N/A C:\Windows\SysWOW64\Ooabmbbe.exe N/A
N/A N/A C:\Windows\SysWOW64\Oekjjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohiffh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Opqoge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oabkom32.exe N/A
N/A N/A C:\Windows\SysWOW64\Piicpk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkjphcff.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbagipfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Pepcelel.exe N/A
N/A N/A C:\Windows\SysWOW64\Pohhna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pebpkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgcmbcih.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmmeon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Phcilf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmpbdm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdjjag32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pifbjn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdlggg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qiioon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qpbglhjq.exe N/A
N/A N/A C:\Windows\SysWOW64\Qjklenpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Apedah32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aebmjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahpifj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aojabdlf.exe N/A
N/A N/A C:\Windows\SysWOW64\Aaimopli.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahbekjcf.exe N/A
N/A N/A C:\Windows\SysWOW64\Aomnhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aakjdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahebaiac.exe N/A
N/A N/A C:\Windows\SysWOW64\Aoojnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Abmgjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adlcfjgh.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe N/A
N/A N/A C:\Windows\SysWOW64\Kadfkhkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kadfkhkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdbbgdjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdbbgdjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjokokha.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjokokha.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbafdlod.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbafdlod.exe N/A
N/A N/A C:\Windows\SysWOW64\Lklgbadb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lklgbadb.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbhlek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbhlek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfjann32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfjann32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgjnhaco.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgjnhaco.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmkplgnq.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmkplgnq.exe N/A
N/A N/A C:\Windows\SysWOW64\Nefdpjkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nefdpjkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbjeinje.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbjeinje.exe N/A
N/A N/A C:\Windows\SysWOW64\Neiaeiii.exe N/A
N/A N/A C:\Windows\SysWOW64\Neiaeiii.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhgnaehm.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhgnaehm.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnafnopi.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnafnopi.exe N/A
N/A N/A C:\Windows\SysWOW64\Neknki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Neknki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhjjgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhjjgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nncbdomg.exe N/A
N/A N/A C:\Windows\SysWOW64\Nncbdomg.exe N/A
N/A N/A C:\Windows\SysWOW64\Nenkqi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nenkqi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhlgmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhlgmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njjcip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njjcip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oadkej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oadkej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odchbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odchbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofadnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofadnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Omklkkpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Omklkkpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Opihgfop.exe N/A
N/A N/A C:\Windows\SysWOW64\Opihgfop.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcqcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcqcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oibmpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oibmpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olpilg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olpilg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Objaha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Objaha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oeindm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oeindm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olbfagca.exe N/A
N/A N/A C:\Windows\SysWOW64\Olbfagca.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Nhgnaehm.exe C:\Windows\SysWOW64\Neiaeiii.exe N/A
File created C:\Windows\SysWOW64\Pdjjag32.exe C:\Windows\SysWOW64\Pmpbdm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aoojnc32.exe C:\Windows\SysWOW64\Ahebaiac.exe N/A
File created C:\Windows\SysWOW64\Dnbamjbm.dll C:\Windows\SysWOW64\Bdcifi32.exe N/A
File created C:\Windows\SysWOW64\Giddhc32.dll C:\Windows\SysWOW64\Ofadnq32.exe N/A
File created C:\Windows\SysWOW64\Kjfkcopd.dll C:\Windows\SysWOW64\Pkjphcff.exe N/A
File created C:\Windows\SysWOW64\Bbjclbek.dll C:\Windows\SysWOW64\Aomnhd32.exe N/A
File created C:\Windows\SysWOW64\Bkhhhd32.exe C:\Windows\SysWOW64\Adnpkjde.exe N/A
File created C:\Windows\SysWOW64\Oabkom32.exe C:\Windows\SysWOW64\Opqoge32.exe N/A
File created C:\Windows\SysWOW64\Aqcifjof.dll C:\Windows\SysWOW64\Pmmeon32.exe N/A
File created C:\Windows\SysWOW64\Qiioon32.exe C:\Windows\SysWOW64\Qdlggg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qiioon32.exe C:\Windows\SysWOW64\Qdlggg32.exe N/A
File created C:\Windows\SysWOW64\Bmpkqklh.exe C:\Windows\SysWOW64\Bffbdadk.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgcnghpl.exe C:\Windows\SysWOW64\Caifjn32.exe N/A
File created C:\Windows\SysWOW64\Nnafnopi.exe C:\Windows\SysWOW64\Nhgnaehm.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnafnopi.exe C:\Windows\SysWOW64\Nhgnaehm.exe N/A
File opened for modification C:\Windows\SysWOW64\Odchbe32.exe C:\Windows\SysWOW64\Oadkej32.exe N/A
File created C:\Windows\SysWOW64\Olbfagca.exe C:\Windows\SysWOW64\Oeindm32.exe N/A
File created C:\Windows\SysWOW64\Aaimopli.exe C:\Windows\SysWOW64\Aojabdlf.exe N/A
File opened for modification C:\Windows\SysWOW64\Adnpkjde.exe C:\Windows\SysWOW64\Andgop32.exe N/A
File created C:\Windows\SysWOW64\Icehdl32.dll C:\Windows\SysWOW64\Kadfkhkf.exe N/A
File created C:\Windows\SysWOW64\Bkegah32.exe C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
File created C:\Windows\SysWOW64\Cbblda32.exe C:\Windows\SysWOW64\Cmedlk32.exe N/A
File created C:\Windows\SysWOW64\Cepipm32.exe C:\Windows\SysWOW64\Cbblda32.exe N/A
File created C:\Windows\SysWOW64\Kadfkhkf.exe C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe N/A
File created C:\Windows\SysWOW64\Ghfcobil.dll C:\Windows\SysWOW64\Oekjjl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmlael32.exe C:\Windows\SysWOW64\Bkjdndjo.exe N/A
File created C:\Windows\SysWOW64\Lbmnig32.dll C:\Windows\SysWOW64\Bcjcme32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgaaah32.exe C:\Windows\SysWOW64\Cagienkb.exe N/A
File created C:\Windows\SysWOW64\Cegoqlof.exe C:\Windows\SysWOW64\Cmpgpond.exe N/A
File opened for modification C:\Windows\SysWOW64\Nenkqi32.exe C:\Windows\SysWOW64\Nncbdomg.exe N/A
File opened for modification C:\Windows\SysWOW64\Aebmjo32.exe C:\Windows\SysWOW64\Apedah32.exe N/A
File created C:\Windows\SysWOW64\Bnknoogp.exe C:\Windows\SysWOW64\Bfdenafn.exe N/A
File created C:\Windows\SysWOW64\Cgcnghpl.exe C:\Windows\SysWOW64\Caifjn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbjeinje.exe C:\Windows\SysWOW64\Nefdpjkl.exe N/A
File opened for modification C:\Windows\SysWOW64\Njjcip32.exe C:\Windows\SysWOW64\Nhlgmd32.exe N/A
File created C:\Windows\SysWOW64\Oomgdcce.dll C:\Windows\SysWOW64\Oadkej32.exe N/A
File created C:\Windows\SysWOW64\Gdgqdaoh.dll C:\Windows\SysWOW64\Cbblda32.exe N/A
File created C:\Windows\SysWOW64\Oeindm32.exe C:\Windows\SysWOW64\Objaha32.exe N/A
File created C:\Windows\SysWOW64\Ibkhnd32.dll C:\Windows\SysWOW64\Pebpkk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qpbglhjq.exe C:\Windows\SysWOW64\Qiioon32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aaimopli.exe C:\Windows\SysWOW64\Aojabdlf.exe N/A
File opened for modification C:\Windows\SysWOW64\Cbblda32.exe C:\Windows\SysWOW64\Cmedlk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cagienkb.exe C:\Windows\SysWOW64\Cnimiblo.exe N/A
File opened for modification C:\Windows\SysWOW64\ÿs.e¢e C:\Windows\SysWOW64\Dpapaj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ofadnq32.exe C:\Windows\SysWOW64\Odchbe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pdjjag32.exe C:\Windows\SysWOW64\Pmpbdm32.exe N/A
File created C:\Windows\SysWOW64\Bdcifi32.exe C:\Windows\SysWOW64\Bmlael32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmpkqklh.exe C:\Windows\SysWOW64\Bffbdadk.exe N/A
File created C:\Windows\SysWOW64\Ednoihel.dll C:\Windows\SysWOW64\Cmedlk32.exe N/A
File created C:\Windows\SysWOW64\ÿs.e¢e C:\Windows\SysWOW64\Dpapaj32.exe N/A
File created C:\Windows\SysWOW64\Kmhflfhh.dll C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe N/A
File opened for modification C:\Windows\SysWOW64\Objaha32.exe C:\Windows\SysWOW64\Olpilg32.exe N/A
File created C:\Windows\SysWOW64\Ckmcef32.dll C:\Windows\SysWOW64\Qiioon32.exe N/A
File created C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\Dnpciaef.exe N/A
File opened for modification C:\Windows\SysWOW64\Ofcqcp32.exe C:\Windows\SysWOW64\Opihgfop.exe N/A
File created C:\Windows\SysWOW64\Oekjjl32.exe C:\Windows\SysWOW64\Ooabmbbe.exe N/A
File opened for modification C:\Windows\SysWOW64\Opqoge32.exe C:\Windows\SysWOW64\Ohiffh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Phcilf32.exe C:\Windows\SysWOW64\Pmmeon32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmpgpond.exe C:\Windows\SysWOW64\Cgcnghpl.exe N/A
File created C:\Windows\SysWOW64\Hcelfiph.dll C:\Windows\SysWOW64\Mfjann32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pohhna32.exe C:\Windows\SysWOW64\Pepcelel.exe N/A
File created C:\Windows\SysWOW64\Pgcmbcih.exe C:\Windows\SysWOW64\Pebpkk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmmeon32.exe C:\Windows\SysWOW64\Pgcmbcih.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmpkqklh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ccmpce32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Caifjn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kjokokha.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aoojnc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nenkqi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmmeon32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qiioon32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahbekjcf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aomnhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdcifi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmkplgnq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Neiaeiii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgaaah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ooabmbbe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oabkom32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkhhhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqeqqk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dnpciaef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofcqcp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olpilg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Objaha32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pbagipfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pepcelel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qjklenpa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bffbdadk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nncbdomg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oadkej32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Neknki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olbfagca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oekjjl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kadfkhkf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgjnhaco.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ohiffh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkjphcff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pebpkk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pgcmbcih.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdlggg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mfjann32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odchbe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnimiblo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmpgpond.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opihgfop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opqoge32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmpbdm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pifbjn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apedah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adlcfjgh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mbhlek32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofadnq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkegah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Andgop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnfddp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfdenafn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nhgnaehm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Omklkkpl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnafnopi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oeindm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adnpkjde.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdbbgdjj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nefdpjkl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qpbglhjq.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nhjjgd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oabkom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpjqgjc.dll" C:\Windows\SysWOW64\Apedah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Njjcip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maanne32.dll" C:\Windows\SysWOW64\Aaimopli.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aoojnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll" C:\Windows\SysWOW64\Bffbdadk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll" C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dnpciaef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icehdl32.dll" C:\Windows\SysWOW64\Kadfkhkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkclcjqj.dll" C:\Windows\SysWOW64\Nhjjgd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jendoajo.dll" C:\Windows\SysWOW64\Aakjdo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nhgnaehm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Neknki32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ohiffh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Adlcfjgh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjffnf32.dll" C:\Windows\SysWOW64\Kdbbgdjj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Olpilg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbakl32.dll" C:\Windows\SysWOW64\Pepcelel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmpgpond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnoefj32.dll" C:\Windows\SysWOW64\Neknki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlhoigp.dll" C:\Windows\SysWOW64\Olpilg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aebmjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Opqoge32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Piicpk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ahpifj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aojabdlf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aaimopli.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kjokokha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnafnopi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Odchbe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" C:\Windows\SysWOW64\Dnpciaef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcnfppba.dll" C:\Windows\SysWOW64\Odchbe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aomnhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Andgop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll" C:\Windows\SysWOW64\Aomnhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll" C:\Windows\SysWOW64\Bmpkqklh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Njjcip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iacpmi32.dll" C:\Windows\SysWOW64\Opqoge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll" C:\Windows\SysWOW64\Bmlael32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bqeqqk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akafaiao.dll" C:\Windows\SysWOW64\Nenkqi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Odchbe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ahbekjcf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nhlgmd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnimiblo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oadkej32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhdnm32.dll" C:\Windows\SysWOW64\Opihgfop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Abmgjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmpkqklh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbblda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll" C:\Windows\SysWOW64\Cnimiblo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfcobil.dll" C:\Windows\SysWOW64\Oekjjl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qdlggg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ahbekjcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll" C:\Windows\SysWOW64\Bfdenafn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ofadnq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ooabmbbe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbklamb.dll" C:\Windows\SysWOW64\Ahebaiac.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmlael32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bdcifi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bcjcme32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe C:\Windows\SysWOW64\Kadfkhkf.exe
PID 3052 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe C:\Windows\SysWOW64\Kadfkhkf.exe
PID 3052 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe C:\Windows\SysWOW64\Kadfkhkf.exe
PID 3052 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe C:\Windows\SysWOW64\Kadfkhkf.exe
PID 2184 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Kadfkhkf.exe C:\Windows\SysWOW64\Kdbbgdjj.exe
PID 2184 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Kadfkhkf.exe C:\Windows\SysWOW64\Kdbbgdjj.exe
PID 2184 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Kadfkhkf.exe C:\Windows\SysWOW64\Kdbbgdjj.exe
PID 2184 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Kadfkhkf.exe C:\Windows\SysWOW64\Kdbbgdjj.exe
PID 2960 wrote to memory of 2860 N/A C:\Windows\SysWOW64\Kdbbgdjj.exe C:\Windows\SysWOW64\Kjokokha.exe
PID 2960 wrote to memory of 2860 N/A C:\Windows\SysWOW64\Kdbbgdjj.exe C:\Windows\SysWOW64\Kjokokha.exe
PID 2960 wrote to memory of 2860 N/A C:\Windows\SysWOW64\Kdbbgdjj.exe C:\Windows\SysWOW64\Kjokokha.exe
PID 2960 wrote to memory of 2860 N/A C:\Windows\SysWOW64\Kdbbgdjj.exe C:\Windows\SysWOW64\Kjokokha.exe
PID 2860 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Kjokokha.exe C:\Windows\SysWOW64\Lbafdlod.exe
PID 2860 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Kjokokha.exe C:\Windows\SysWOW64\Lbafdlod.exe
PID 2860 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Kjokokha.exe C:\Windows\SysWOW64\Lbafdlod.exe
PID 2860 wrote to memory of 2740 N/A C:\Windows\SysWOW64\Kjokokha.exe C:\Windows\SysWOW64\Lbafdlod.exe
PID 2740 wrote to memory of 3008 N/A C:\Windows\SysWOW64\Lbafdlod.exe C:\Windows\SysWOW64\Lklgbadb.exe
PID 2740 wrote to memory of 3008 N/A C:\Windows\SysWOW64\Lbafdlod.exe C:\Windows\SysWOW64\Lklgbadb.exe
PID 2740 wrote to memory of 3008 N/A C:\Windows\SysWOW64\Lbafdlod.exe C:\Windows\SysWOW64\Lklgbadb.exe
PID 2740 wrote to memory of 3008 N/A C:\Windows\SysWOW64\Lbafdlod.exe C:\Windows\SysWOW64\Lklgbadb.exe
PID 3008 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Lklgbadb.exe C:\Windows\SysWOW64\Mbhlek32.exe
PID 3008 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Lklgbadb.exe C:\Windows\SysWOW64\Mbhlek32.exe
PID 3008 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Lklgbadb.exe C:\Windows\SysWOW64\Mbhlek32.exe
PID 3008 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Lklgbadb.exe C:\Windows\SysWOW64\Mbhlek32.exe
PID 2780 wrote to memory of 1476 N/A C:\Windows\SysWOW64\Mbhlek32.exe C:\Windows\SysWOW64\Mfjann32.exe
PID 2780 wrote to memory of 1476 N/A C:\Windows\SysWOW64\Mbhlek32.exe C:\Windows\SysWOW64\Mfjann32.exe
PID 2780 wrote to memory of 1476 N/A C:\Windows\SysWOW64\Mbhlek32.exe C:\Windows\SysWOW64\Mfjann32.exe
PID 2780 wrote to memory of 1476 N/A C:\Windows\SysWOW64\Mbhlek32.exe C:\Windows\SysWOW64\Mfjann32.exe
PID 1476 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Mfjann32.exe C:\Windows\SysWOW64\Mgjnhaco.exe
PID 1476 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Mfjann32.exe C:\Windows\SysWOW64\Mgjnhaco.exe
PID 1476 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Mfjann32.exe C:\Windows\SysWOW64\Mgjnhaco.exe
PID 1476 wrote to memory of 2812 N/A C:\Windows\SysWOW64\Mfjann32.exe C:\Windows\SysWOW64\Mgjnhaco.exe
PID 2812 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Mgjnhaco.exe C:\Windows\SysWOW64\Nmkplgnq.exe
PID 2812 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Mgjnhaco.exe C:\Windows\SysWOW64\Nmkplgnq.exe
PID 2812 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Mgjnhaco.exe C:\Windows\SysWOW64\Nmkplgnq.exe
PID 2812 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Mgjnhaco.exe C:\Windows\SysWOW64\Nmkplgnq.exe
PID 2816 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Nmkplgnq.exe C:\Windows\SysWOW64\Nefdpjkl.exe
PID 2816 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Nmkplgnq.exe C:\Windows\SysWOW64\Nefdpjkl.exe
PID 2816 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Nmkplgnq.exe C:\Windows\SysWOW64\Nefdpjkl.exe
PID 2816 wrote to memory of 1972 N/A C:\Windows\SysWOW64\Nmkplgnq.exe C:\Windows\SysWOW64\Nefdpjkl.exe
PID 1972 wrote to memory of 1196 N/A C:\Windows\SysWOW64\Nefdpjkl.exe C:\Windows\SysWOW64\Nbjeinje.exe
PID 1972 wrote to memory of 1196 N/A C:\Windows\SysWOW64\Nefdpjkl.exe C:\Windows\SysWOW64\Nbjeinje.exe
PID 1972 wrote to memory of 1196 N/A C:\Windows\SysWOW64\Nefdpjkl.exe C:\Windows\SysWOW64\Nbjeinje.exe
PID 1972 wrote to memory of 1196 N/A C:\Windows\SysWOW64\Nefdpjkl.exe C:\Windows\SysWOW64\Nbjeinje.exe
PID 1196 wrote to memory of 1760 N/A C:\Windows\SysWOW64\Nbjeinje.exe C:\Windows\SysWOW64\Neiaeiii.exe
PID 1196 wrote to memory of 1760 N/A C:\Windows\SysWOW64\Nbjeinje.exe C:\Windows\SysWOW64\Neiaeiii.exe
PID 1196 wrote to memory of 1760 N/A C:\Windows\SysWOW64\Nbjeinje.exe C:\Windows\SysWOW64\Neiaeiii.exe
PID 1196 wrote to memory of 1760 N/A C:\Windows\SysWOW64\Nbjeinje.exe C:\Windows\SysWOW64\Neiaeiii.exe
PID 1760 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Neiaeiii.exe C:\Windows\SysWOW64\Nhgnaehm.exe
PID 1760 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Neiaeiii.exe C:\Windows\SysWOW64\Nhgnaehm.exe
PID 1760 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Neiaeiii.exe C:\Windows\SysWOW64\Nhgnaehm.exe
PID 1760 wrote to memory of 2160 N/A C:\Windows\SysWOW64\Neiaeiii.exe C:\Windows\SysWOW64\Nhgnaehm.exe
PID 2160 wrote to memory of 2196 N/A C:\Windows\SysWOW64\Nhgnaehm.exe C:\Windows\SysWOW64\Nnafnopi.exe
PID 2160 wrote to memory of 2196 N/A C:\Windows\SysWOW64\Nhgnaehm.exe C:\Windows\SysWOW64\Nnafnopi.exe
PID 2160 wrote to memory of 2196 N/A C:\Windows\SysWOW64\Nhgnaehm.exe C:\Windows\SysWOW64\Nnafnopi.exe
PID 2160 wrote to memory of 2196 N/A C:\Windows\SysWOW64\Nhgnaehm.exe C:\Windows\SysWOW64\Nnafnopi.exe
PID 2196 wrote to memory of 1052 N/A C:\Windows\SysWOW64\Nnafnopi.exe C:\Windows\SysWOW64\Neknki32.exe
PID 2196 wrote to memory of 1052 N/A C:\Windows\SysWOW64\Nnafnopi.exe C:\Windows\SysWOW64\Neknki32.exe
PID 2196 wrote to memory of 1052 N/A C:\Windows\SysWOW64\Nnafnopi.exe C:\Windows\SysWOW64\Neknki32.exe
PID 2196 wrote to memory of 1052 N/A C:\Windows\SysWOW64\Nnafnopi.exe C:\Windows\SysWOW64\Neknki32.exe
PID 1052 wrote to memory of 1224 N/A C:\Windows\SysWOW64\Neknki32.exe C:\Windows\SysWOW64\Nhjjgd32.exe
PID 1052 wrote to memory of 1224 N/A C:\Windows\SysWOW64\Neknki32.exe C:\Windows\SysWOW64\Nhjjgd32.exe
PID 1052 wrote to memory of 1224 N/A C:\Windows\SysWOW64\Neknki32.exe C:\Windows\SysWOW64\Nhjjgd32.exe
PID 1052 wrote to memory of 1224 N/A C:\Windows\SysWOW64\Neknki32.exe C:\Windows\SysWOW64\Nhjjgd32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe

"C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe"

C:\Windows\SysWOW64\Kadfkhkf.exe

C:\Windows\system32\Kadfkhkf.exe

C:\Windows\SysWOW64\Kdbbgdjj.exe

C:\Windows\system32\Kdbbgdjj.exe

C:\Windows\SysWOW64\Kjokokha.exe

C:\Windows\system32\Kjokokha.exe

C:\Windows\SysWOW64\Lbafdlod.exe

C:\Windows\system32\Lbafdlod.exe

C:\Windows\SysWOW64\Lklgbadb.exe

C:\Windows\system32\Lklgbadb.exe

C:\Windows\SysWOW64\Mbhlek32.exe

C:\Windows\system32\Mbhlek32.exe

C:\Windows\SysWOW64\Mfjann32.exe

C:\Windows\system32\Mfjann32.exe

C:\Windows\SysWOW64\Mgjnhaco.exe

C:\Windows\system32\Mgjnhaco.exe

C:\Windows\SysWOW64\Nmkplgnq.exe

C:\Windows\system32\Nmkplgnq.exe

C:\Windows\SysWOW64\Nefdpjkl.exe

C:\Windows\system32\Nefdpjkl.exe

C:\Windows\SysWOW64\Nbjeinje.exe

C:\Windows\system32\Nbjeinje.exe

C:\Windows\SysWOW64\Neiaeiii.exe

C:\Windows\system32\Neiaeiii.exe

C:\Windows\SysWOW64\Nhgnaehm.exe

C:\Windows\system32\Nhgnaehm.exe

C:\Windows\SysWOW64\Nnafnopi.exe

C:\Windows\system32\Nnafnopi.exe

C:\Windows\SysWOW64\Neknki32.exe

C:\Windows\system32\Neknki32.exe

C:\Windows\SysWOW64\Nhjjgd32.exe

C:\Windows\system32\Nhjjgd32.exe

C:\Windows\SysWOW64\Nncbdomg.exe

C:\Windows\system32\Nncbdomg.exe

C:\Windows\SysWOW64\Nenkqi32.exe

C:\Windows\system32\Nenkqi32.exe

C:\Windows\SysWOW64\Nhlgmd32.exe

C:\Windows\system32\Nhlgmd32.exe

C:\Windows\SysWOW64\Njjcip32.exe

C:\Windows\system32\Njjcip32.exe

C:\Windows\SysWOW64\Oadkej32.exe

C:\Windows\system32\Oadkej32.exe

C:\Windows\SysWOW64\Odchbe32.exe

C:\Windows\system32\Odchbe32.exe

C:\Windows\SysWOW64\Ofadnq32.exe

C:\Windows\system32\Ofadnq32.exe

C:\Windows\SysWOW64\Omklkkpl.exe

C:\Windows\system32\Omklkkpl.exe

C:\Windows\SysWOW64\Opihgfop.exe

C:\Windows\system32\Opihgfop.exe

C:\Windows\SysWOW64\Ofcqcp32.exe

C:\Windows\system32\Ofcqcp32.exe

C:\Windows\SysWOW64\Oibmpl32.exe

C:\Windows\system32\Oibmpl32.exe

C:\Windows\SysWOW64\Olpilg32.exe

C:\Windows\system32\Olpilg32.exe

C:\Windows\SysWOW64\Objaha32.exe

C:\Windows\system32\Objaha32.exe

C:\Windows\SysWOW64\Oeindm32.exe

C:\Windows\system32\Oeindm32.exe

C:\Windows\SysWOW64\Olbfagca.exe

C:\Windows\system32\Olbfagca.exe

C:\Windows\SysWOW64\Ooabmbbe.exe

C:\Windows\system32\Ooabmbbe.exe

C:\Windows\SysWOW64\Oekjjl32.exe

C:\Windows\system32\Oekjjl32.exe

C:\Windows\SysWOW64\Ohiffh32.exe

C:\Windows\system32\Ohiffh32.exe

C:\Windows\SysWOW64\Opqoge32.exe

C:\Windows\system32\Opqoge32.exe

C:\Windows\SysWOW64\Oabkom32.exe

C:\Windows\system32\Oabkom32.exe

C:\Windows\SysWOW64\Piicpk32.exe

C:\Windows\system32\Piicpk32.exe

C:\Windows\SysWOW64\Pkjphcff.exe

C:\Windows\system32\Pkjphcff.exe

C:\Windows\SysWOW64\Pbagipfi.exe

C:\Windows\system32\Pbagipfi.exe

C:\Windows\SysWOW64\Pepcelel.exe

C:\Windows\system32\Pepcelel.exe

C:\Windows\SysWOW64\Pohhna32.exe

C:\Windows\system32\Pohhna32.exe

C:\Windows\SysWOW64\Pebpkk32.exe

C:\Windows\system32\Pebpkk32.exe

C:\Windows\SysWOW64\Pgcmbcih.exe

C:\Windows\system32\Pgcmbcih.exe

C:\Windows\SysWOW64\Pmmeon32.exe

C:\Windows\system32\Pmmeon32.exe

C:\Windows\SysWOW64\Phcilf32.exe

C:\Windows\system32\Phcilf32.exe

C:\Windows\SysWOW64\Pmpbdm32.exe

C:\Windows\system32\Pmpbdm32.exe

C:\Windows\SysWOW64\Pdjjag32.exe

C:\Windows\system32\Pdjjag32.exe

C:\Windows\SysWOW64\Pifbjn32.exe

C:\Windows\system32\Pifbjn32.exe

C:\Windows\SysWOW64\Qdlggg32.exe

C:\Windows\system32\Qdlggg32.exe

C:\Windows\SysWOW64\Qiioon32.exe

C:\Windows\system32\Qiioon32.exe

C:\Windows\SysWOW64\Qpbglhjq.exe

C:\Windows\system32\Qpbglhjq.exe

C:\Windows\SysWOW64\Qjklenpa.exe

C:\Windows\system32\Qjklenpa.exe

C:\Windows\SysWOW64\Apedah32.exe

C:\Windows\system32\Apedah32.exe

C:\Windows\SysWOW64\Aebmjo32.exe

C:\Windows\system32\Aebmjo32.exe

C:\Windows\SysWOW64\Ahpifj32.exe

C:\Windows\system32\Ahpifj32.exe

C:\Windows\SysWOW64\Aojabdlf.exe

C:\Windows\system32\Aojabdlf.exe

C:\Windows\SysWOW64\Aaimopli.exe

C:\Windows\system32\Aaimopli.exe

C:\Windows\SysWOW64\Ahbekjcf.exe

C:\Windows\system32\Ahbekjcf.exe

C:\Windows\SysWOW64\Aomnhd32.exe

C:\Windows\system32\Aomnhd32.exe

C:\Windows\SysWOW64\Aakjdo32.exe

C:\Windows\system32\Aakjdo32.exe

C:\Windows\SysWOW64\Ahebaiac.exe

C:\Windows\system32\Ahebaiac.exe

C:\Windows\SysWOW64\Aoojnc32.exe

C:\Windows\system32\Aoojnc32.exe

C:\Windows\SysWOW64\Abmgjo32.exe

C:\Windows\system32\Abmgjo32.exe

C:\Windows\SysWOW64\Adlcfjgh.exe

C:\Windows\system32\Adlcfjgh.exe

C:\Windows\SysWOW64\Akfkbd32.exe

C:\Windows\system32\Akfkbd32.exe

C:\Windows\SysWOW64\Andgop32.exe

C:\Windows\system32\Andgop32.exe

C:\Windows\SysWOW64\Adnpkjde.exe

C:\Windows\system32\Adnpkjde.exe

C:\Windows\SysWOW64\Bkhhhd32.exe

C:\Windows\system32\Bkhhhd32.exe

C:\Windows\SysWOW64\Bnfddp32.exe

C:\Windows\system32\Bnfddp32.exe

C:\Windows\SysWOW64\Bqeqqk32.exe

C:\Windows\system32\Bqeqqk32.exe

C:\Windows\SysWOW64\Bkjdndjo.exe

C:\Windows\system32\Bkjdndjo.exe

C:\Windows\SysWOW64\Bmlael32.exe

C:\Windows\system32\Bmlael32.exe

C:\Windows\SysWOW64\Bdcifi32.exe

C:\Windows\system32\Bdcifi32.exe

C:\Windows\SysWOW64\Bfdenafn.exe

C:\Windows\system32\Bfdenafn.exe

C:\Windows\SysWOW64\Bnknoogp.exe

C:\Windows\system32\Bnknoogp.exe

C:\Windows\SysWOW64\Boljgg32.exe

C:\Windows\system32\Boljgg32.exe

C:\Windows\SysWOW64\Bffbdadk.exe

C:\Windows\system32\Bffbdadk.exe

C:\Windows\SysWOW64\Bmpkqklh.exe

C:\Windows\system32\Bmpkqklh.exe

C:\Windows\SysWOW64\Bcjcme32.exe

C:\Windows\system32\Bcjcme32.exe

C:\Windows\SysWOW64\Bjdkjpkb.exe

C:\Windows\system32\Bjdkjpkb.exe

C:\Windows\SysWOW64\Bkegah32.exe

C:\Windows\system32\Bkegah32.exe

C:\Windows\SysWOW64\Ccmpce32.exe

C:\Windows\system32\Ccmpce32.exe

C:\Windows\SysWOW64\Cmedlk32.exe

C:\Windows\system32\Cmedlk32.exe

C:\Windows\SysWOW64\Cbblda32.exe

C:\Windows\system32\Cbblda32.exe

C:\Windows\SysWOW64\Cepipm32.exe

C:\Windows\system32\Cepipm32.exe

C:\Windows\SysWOW64\Ckjamgmk.exe

C:\Windows\system32\Ckjamgmk.exe

C:\Windows\SysWOW64\Cnimiblo.exe

C:\Windows\system32\Cnimiblo.exe

C:\Windows\SysWOW64\Cagienkb.exe

C:\Windows\system32\Cagienkb.exe

C:\Windows\SysWOW64\Cgaaah32.exe

C:\Windows\system32\Cgaaah32.exe

C:\Windows\SysWOW64\Cnkjnb32.exe

C:\Windows\system32\Cnkjnb32.exe

C:\Windows\SysWOW64\Caifjn32.exe

C:\Windows\system32\Caifjn32.exe

C:\Windows\SysWOW64\Cgcnghpl.exe

C:\Windows\system32\Cgcnghpl.exe

C:\Windows\SysWOW64\Cmpgpond.exe

C:\Windows\system32\Cmpgpond.exe

C:\Windows\SysWOW64\Cegoqlof.exe

C:\Windows\system32\Cegoqlof.exe

C:\Windows\SysWOW64\Cfhkhd32.exe

C:\Windows\system32\Cfhkhd32.exe

C:\Windows\SysWOW64\Dnpciaef.exe

C:\Windows\system32\Dnpciaef.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 144

Network

N/A

Files

memory/3052-0-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Kadfkhkf.exe

MD5 32602ec51d5bfde1649d3c7656b89d1c
SHA1 d36d3faa6850576bede1e14981357abb3a6b146e
SHA256 39144ed43d096645394f6cd54966f7f7adf8c98231512adf3fa2b11231b999a8
SHA512 2f76e8507b6f3431ae0d1e40547f77e9df93c5a43d9d27696269050a6f13ad4b0a9215596fdb3ad41e5006735b818cb39038550697147ffcd04c2fa23f9925ca

memory/3052-12-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/3052-11-0x00000000002D0000-0x0000000000303000-memory.dmp

C:\Windows\SysWOW64\Kdbbgdjj.exe

MD5 4f664aa1a82b120e53430d2b299f4bad
SHA1 60ffba3d1e755457cf45cd14ed087badb3893005
SHA256 3ade42ac08c7387f1764d5e5755576ca68917bc2ad70e2fe9daff5ba55bf2561
SHA512 e9e59c5912838dc5541b60b9f98306cd38437b1c7b82857e690c0590e5aac15d478c21840aa4ee46552859db79992a26b6c1b3154a552cfa7050adbfa8177b74

memory/2960-27-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2184-19-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Kjokokha.exe

MD5 72f0e8f5910eca67a9eb4866efc53f36
SHA1 fe1bc3b277bdee203f6e8f98a4037e1984069361
SHA256 8143349d6be33bbf0e43839ff02bf5dd099220fa2c5a7ae9fce33392aef3dd93
SHA512 2b8b43af25eb1e966990d02a24f03fb3ad0fc45474eceedbb763240633f9c95ace2c2eee7657d8134447f615708dd34bb368d4395f004c2ca3fce643ea772095

memory/2960-40-0x0000000000300000-0x0000000000333000-memory.dmp

memory/2960-35-0x0000000000300000-0x0000000000333000-memory.dmp

\Windows\SysWOW64\Lbafdlod.exe

MD5 8e6f1d5dc13be49315c6276f6aa30e52
SHA1 91f87d0108844e8c3925425d29e11f7e04ae5578
SHA256 4bf46a502af555e07ca5b2e93ba79cfbd0bc50ffc5803a1dff10e81b7e1c532a
SHA512 eee538f17ca647aa28dbab18f6f5a569e0c09837f2f6cdf8df7f185bf793948889fda7c60c2bb4c0556a86ef21e02c28c08cb502e5a3e53719eb1d4fc4234ad9

memory/2860-49-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2740-55-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Lklgbadb.exe

MD5 20d4fe7fedf77dd019c6d4361a0046bd
SHA1 44c75410db0e13aecdd5298795954dfa5da27691
SHA256 98ef9ccd9c243c3f4025e6feb38cba9c78e39407f3d6b0ff02d0e47327620ca5
SHA512 61836203ce237d7704b7891c4a649b91d58873c2c1e23781f8945b5fcf1ebe4368f8ad96688add273e854a6ae63afec9ef5275de13b31aca683277f98b2ae53e

memory/2740-63-0x0000000000280000-0x00000000002B3000-memory.dmp

\Windows\SysWOW64\Mbhlek32.exe

MD5 4d7ed5a0dc52f754e08809ebf8e1af22
SHA1 fe425459e0c2f3638e280e04fe411f99b5c4a51e
SHA256 f1f9b4158b70ae72faf9f00b91265bb2cdea0c83a0e18aa41ce230fca6634aff
SHA512 38f9729f5678a22a4cf92d2cbf8ffc8137e6b0c27b4a54280ddb9013a51c892722d763a323761e492430abe0df26212f8f4cf90b481c799add1c1467b3a04722

memory/2780-81-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Mfjann32.exe

MD5 fc961dc73bca974959d763626b7505c5
SHA1 46a4d09c00ec1a5711cf380b635944e7c4cbbbe7
SHA256 1c5fdb3a957264338c82ee6781ff425871f24043fe9b03f14cda4c84ab44fc37
SHA512 4708b1f55ec691087f445aafd0b4ee63c816dd28091e7cf04e8f7218c39e2acd85de3b31fdcc11295648a53b4e8a435043bd18d93f8ab6bbbab6a86ad124ff86

memory/2780-88-0x0000000000250000-0x0000000000283000-memory.dmp

\Windows\SysWOW64\Mgjnhaco.exe

MD5 178711750df1bfa781a5875ddf15db28
SHA1 f73082f83db9712f2e5bd5c0af945cbc0e6ed059
SHA256 671277dbb01b221972d0acc74f2cc36f8f02d3219f225c944ac98da2926cb901
SHA512 2baadea1e5350a7e24b8c550acd0e27b07e348aa0b28987b4c57f1ca0f5219f15a5f8da1d01e3dc46ce6f023cece316197c49944826933ad82be928c2d360fa9

memory/1476-100-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2812-108-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Nmkplgnq.exe

MD5 860a4b6da0c3a475be152b9f52fa7027
SHA1 45dcca80401a492d69018bce04ff80bdafb7547f
SHA256 7b1702599b5450337e3d6b236939a9c3ccbba85d0b059f53b563d9b97c06be61
SHA512 6a8cb8e680835d42647b158adc80399c3ceab04faccd3e73fb3826316cc34c220ed0d3584b0cdca18c59375e5de4506df2ac05f6db76beb73f2f9c219e0d2c54

memory/2812-115-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/2816-127-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1972-135-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nefdpjkl.exe

MD5 efe4ffb0d7d99e75e97caa41ebad4725
SHA1 1c0a179cccdeef48bbb8ec70327db98a84a16489
SHA256 b4826c0c19c2b0177953acf4fccea7415c75202996fc216cec27c6630aa251bd
SHA512 4e0d39c8a2b880707123e469bf200f3788d00996d3cb40c31323310e12f02e6c85228ccd8a389244a806b70234de86a29386598396cf461662357125440dda6f

memory/1196-148-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Neiaeiii.exe

MD5 fa2a1720f1a4497642a7812f0a907c98
SHA1 ba7e0718fa25535d57fabbfc13aa05ded613566f
SHA256 5bcc77e40bf725d10c6461ec8f9071fadb2d84cb54b828649ed363081b600830
SHA512 4d218ec05791af3434ec262643bd4bafa9be2984a2ebedb45e0c788d835c9e9d047aec91fa3559a2a397b578ecb59bdace03e309dfeff67e10b7425eafb57e43

C:\Windows\SysWOW64\Nhgnaehm.exe

MD5 a30397d2a4234a328cf4d30070144003
SHA1 6dbedb9b7936013fd4f36cc348fb59185ee02ca1
SHA256 0b45578a78884c474ff191535d877c7d582b045636abbd69fd26d5bcdbe1c4fd
SHA512 f4a6400cb6b4190a3f2cd03b271ffb0da4f30cd18798a022505158c2669e3601c4d976a986a0cc3d338a87729b11a43c839d25b484db5f3c2cbe13af51945fde

C:\Windows\SysWOW64\Nnafnopi.exe

MD5 350caac0a12ce4286e25a9a75abbdf2a
SHA1 d62d86fc3510cff93b41320983c5583c6845c42f
SHA256 73e176353a77ab9df7dd1d7a39f6e789316721ac474cd89342704f6a84d15554
SHA512 cc3fcb6ac97b66bb9787b8466472a718997e27103109931f6dc38366b4deec9c8f2d095dd9096a65d73d8ebdbe262b4284a544270a6c015655ad9ed767341581

C:\Windows\SysWOW64\Neknki32.exe

MD5 506355f81cf5b7241fdda64f6178123d
SHA1 a03fb14b576591601dd1101e196e75a038420a80
SHA256 ce36e83e50147fc1d482215d5f2f1b14eb8c452d12928f5e1da10d5008a7eeb2
SHA512 6c566b2e6ce979acd2bd507c4ebb9c486fe92503930ff0dc88f5c31fc7ef6e4c7c6348ae1df255164c12eb478a5978f456fa113eaa3c47704b75881d0902ef6c

memory/2308-332-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2844-397-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1516-427-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1224-498-0x0000000000400000-0x0000000000433000-memory.dmp

memory/268-519-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Bmpkqklh.exe

MD5 e4347062fabd54e85d1e18202eff46eb
SHA1 8f1b6054f6e530ee262a7a77753e218a0c0a7c44
SHA256 04c30f9b6c566737dc2801a67b8492c90f73f880f9ac614397a0ea9865d780ae
SHA512 d45e43d8e03e0ff6cf57c80bf13a5ba11df3cc6f068df5a26ce777725bbe93279da6a082e7027f9c8486673286afd7fc3eb7b860ea909261b35bb9f452902b7b

C:\Windows\SysWOW64\Caifjn32.exe

MD5 edd51b91f1ca8c9afc97a95b11a4dace
SHA1 dbb75dea95ace3272d9a830b389ce11bbf30d8a0
SHA256 f6317b30608ed5e20efa95d8a479b308c31f8dbc978cc2a7d458ded8f7ec48d0
SHA512 c1365c0dce227e4c5e37d52854dffa0742c60175579d41b3ec0510a21e91cedcc4aa04734594c17b96afc2b0d067397c5bcf6e7f1457ce0b65089297e6f53abd

C:\Windows\SysWOW64\Cegoqlof.exe

MD5 b2d1e0c6fae2a601b91510029dab3cc2
SHA1 3669cf018931369372a33739f89cf0ca1744e2c8
SHA256 919d72289a27596aae847187242002eee2652829da5a43ca5f5159ec03570d0d
SHA512 e45fe3dff9b9973354efb4f11f4a39500f6212dc3e791a44d2557fbc31b17c343380e8e97744b03aa0e1a5a2a9e72cb3d6e2ae66986fcb53455232f0402f148c

C:\Windows\SysWOW64\Dpapaj32.exe

MD5 ff6146eb8b1d9809b4ad31558f7c63c1
SHA1 26312174c44183975bef749ec9cf3a57d8cc42bf
SHA256 e4eea6a3eea8e4eac254be4060c415c0859e091b3c3009f79d5ff648aa97cfbb
SHA512 bb41ec1f97463620a60bcd60e7191ad06461768228f704f0afb5d2913657552806e9ab49619fdcbf216ee2c427b51724f43612862b3936b60d2f9ede54b34d1a

C:\Windows\SysWOW64\Dnpciaef.exe

MD5 d0bff5793fe9b5da67ff63cdec364b44
SHA1 8b1a6e1ccd1de2a0382ac9e50711de831c009df3
SHA256 537d530ef77cd40cb5a2b6a85b11497de0f18db795747d32f5a16ef43a5404a8
SHA512 b726aea302945c5097ca8573404c24dcecfa822d3906abe22e33a1c61d852738bf724f2a9fd75e9dee1a7c0555f036f43599262f1b5fb2923663052dae85a52f

C:\Windows\SysWOW64\Cfhkhd32.exe

MD5 769713dae5797050c9ed5d512380fb4f
SHA1 09e9cc36e6d5e430620c487ab6fd322285a78613
SHA256 ba17ae173850a4ebc5deaf07d658f2f05e45918b4895618533ef4dcfe81edc25
SHA512 ef40ab740b291e02e148463ed1689921956290c39aaedd2a6b3844c8c1ebf93b7d9d94cf63213d175bd26b5f5b4adf85870469d84179bb00a5bc5301c81a8aee

C:\Windows\SysWOW64\Cmpgpond.exe

MD5 23b5fd27f11059eec7c2c769b9aa4465
SHA1 cac0f9a8a451b7863d04832e7c3dcbbd636bad26
SHA256 7de3138e480b367888d428ddcede735e920f19278371fa2baf3b84a12abbb2b4
SHA512 07b68e677825d6a738f26d9181d4cb789f6e83c1681c3f16c06fd1188a867635779c0eccd29e67b3b3e170b4c9e2058965e7399a76ad9a55a8ee63df22c36785

C:\Windows\SysWOW64\Cgcnghpl.exe

MD5 b08b45d8b87ad85707d32e928ebe8ac4
SHA1 91b85a091590c67b1e4906cd4b17815c021ebcd7
SHA256 db0b0745a52809a059b4ce5edbd73eedd16f2913c5b80634c4b7da596b79ce76
SHA512 950981d37c8c8e5d5fdb4d740e60270e808e6d2fbfccb6bd89906f32751713efb6250d0b438e8a6eee80ebf7ed22102c7515d6206aa87b8780de6b011a5a1f03

C:\Windows\SysWOW64\Cnkjnb32.exe

MD5 1ee1d78b03275ee4e8edbd5c6ec862df
SHA1 2b61da102afbebd58d929d7511d85717fc24dd9a
SHA256 3a32e6b5961485980685185cce917ab192ae238ce04346900dd17a1452fdb366
SHA512 7c06e8057edab9be15423b54133a2a07a1bf05280787082522aa24e42df7e5ced28ee0fc78a2cf7c5b60e5c43f3d8da3ce2d456a8740142704b24d0d629e6633

C:\Windows\SysWOW64\Cgaaah32.exe

MD5 e0ac395e5173c6e6e50d40511499e5ea
SHA1 bae7375b68b6ea15c2309951782c87e95592fd8f
SHA256 b42aed7b972cdff1044351951cb20c40009e0068099946b88ea22da4765db60f
SHA512 f6c3d388979eda0398d4885c8df9b2843ed171c035709f9c95ece4c1c0aeaa037ec5c5330f82cc17c8b376ef3c522d9d7df7caa7731c85360d6da3b43cd52cd9

C:\Windows\SysWOW64\Cagienkb.exe

MD5 ee9e547c13cfa560e719b0f9a4acebdf
SHA1 34bd52c029eec7e99f00a921db5aaf2624ebb465
SHA256 0f7753e2aa31a66a9edf1af117cc056b473094f37bd41de47ba1281b4bdb711f
SHA512 f1fd109884d9d9aa9310f16050f4dc0b44ab048bd16ac8c8d6d539fe16d91960a2a2e07245db69066b9ca409e9f0d23feb37687d2e0ae172c245e6aea5e41e1d

C:\Windows\SysWOW64\Cnimiblo.exe

MD5 c33eceffe96aed61f2adb0be1f7ff7cd
SHA1 4f6e31dee336025dfc5f0a754da941513aef320b
SHA256 4d96af5002f5543b3ea1c8e5c30a52d4817031b3efb6aa9eaaf276cc322d3e73
SHA512 bb2767041bace622d950a32618381db730517f176180120a1a84723b04a577055391f38e34f303fb9f2f4239b94b0125c2d4d69424427be774e4e7d99beee86b

C:\Windows\SysWOW64\Ckjamgmk.exe

MD5 8bdd9505b620a9b05e5a5cc8269248d3
SHA1 fc005fe9eeede9a6274a1acb5584ba615de2f6dc
SHA256 01a6432a3150ef79823262002a0aa2e4a2cc3b33c52272765a806fde4da2e6d6
SHA512 05f32f21ec98a5e8d67a93b4649e8112c39f54304abb85856bead2f9675174f0dfcb5df700ee78de05f2142cf2d4e18b48d75a6e5e064149ab6323445dc18c1e

C:\Windows\SysWOW64\Cepipm32.exe

MD5 2983a2cb5267dc795a7fcd4186c903d8
SHA1 089614c3e26cee2b377aff47f1dce83e056e3f43
SHA256 42417453fb98ef4cb263fe8a1fba3ffa6431dcc91e384e13f07fc278072e6102
SHA512 9abcf90daf5f0c738afde5d47134c5a26dcfae6c9025cb47fa6bd1b385553cb66a3166aa9868226522508c53b974ef1d3fe895bbc0d3aac71e44edf019ad9e66

C:\Windows\SysWOW64\Cbblda32.exe

MD5 d648a5ecba2f0c2100f44244d0a66dd4
SHA1 6451032b5e0530863fdb777bd7773049af538759
SHA256 ace49067d34b0f034f6da2bd8914742e0fd17b9bacb082ccbfb81d81e98afa44
SHA512 8b5431a3bb247824f08df812b845d727605b05bd52fd954f9e8ea56b59283a6a618a8ebab48eb13b03e4d0dfcb35879e74cf51b455dd92dd31a778b57d613590

C:\Windows\SysWOW64\Cmedlk32.exe

MD5 8591e9be7d77e2ea4aa48e29e34df0aa
SHA1 9b39629110a52e462a9fdb4c84893caeb24139ce
SHA256 c9ca06714c1322628484a22e94351979d4363651b6a86fd9179cc77a7539c578
SHA512 ca8a1959f4bfd76e06e8c6c3b6e61423411ed6927e29f58feacb80161006119e09ebf786ba06d07efde19dab7ac9d5926ff1e3cbfc8c70a78dde9d51a777a4b4

C:\Windows\SysWOW64\Ccmpce32.exe

MD5 2a34538d480c7b1df88004e56b13de32
SHA1 a8ee914aa6d298550780610b65c064802cf1bece
SHA256 468b772c6e56a1d27bcf3c70c1b28a4fa89ffd2a98dbe52fb6429de1e141d61d
SHA512 a4d8dbac4ad9163c213db1b99461148c1167603b69379fbf67f5c38466ae26d39421b86052eba3190c32d8d32eeee15ac3527c00050e76617231d7582286e9e4

C:\Windows\SysWOW64\Bjdkjpkb.exe

MD5 6ae6fe3955e63f98a3e828ff0d29e005
SHA1 44677364db65d1ed920f46d101d5909d9ad3f6e9
SHA256 619c7024fda86db9cd76ae42e2427b15927d88bfa5bfd0dfa605ca90ca114e42
SHA512 59f118ae3c11ef62ecc9e5e3526f7a0c9f12839470945dd53a6ca6c843da14986e9909ba2475f14a7d724c6c66fd395569ed4f92353d49aeffd5b6f038bceae9

C:\Windows\SysWOW64\Bkegah32.exe

MD5 1c29870ad5229e4ce065fd233fc9eea5
SHA1 9d281e97c6db450d166876b4688e90096f1b2b23
SHA256 8def9d192066976e6f39aadeddc2fe42cafe00cf6c467bfa009caae1cddeeaac
SHA512 7f47d4c4a502e1b26efd7982f273eafbfbe7fc10b0318409fd998304fa20e7d8be2d5de1396522ea7f1fde9ec57c217ef42caffbb55e5223adb3dadf78610096

C:\Windows\SysWOW64\Bcjcme32.exe

MD5 92f113a74c93990ff5d11a5481d07fa2
SHA1 cdbbd38cebe6369dfc95f2bd275a4382c6f94252
SHA256 1aa770ce873cb567846dd5d995620f8d4ed549053d68abf5f5794b29f43b61c8
SHA512 4d665e0b3f0dff7eb02b792fd500600b678a6da1eb748d9e07119e81829dd070995385d1784ff4b2c5cc1108385a44e654933e39f24f80184661d5f69416c13e

C:\Windows\SysWOW64\Bffbdadk.exe

MD5 cab066f0fd85f6be241bd417ba36878f
SHA1 5606669c66ab985b93f7d67c7dffc8862998afc6
SHA256 cfe575c19f25156004a21ff4d7d73ccdaa5211f6d43e66ea77f8e69093be6cbe
SHA512 0fcc7da962d7790b4bf3ff7dcea9e7ee4910c84e14d7346f322a557304fe3118723685329270b4c074eeee9995cab3955624291e6839d541f4855580bf8b2c92

C:\Windows\SysWOW64\Boljgg32.exe

MD5 61234e1c9c14126da3ee8ac11ec687df
SHA1 7386cf3b266947165fac0729889817f0a75f497f
SHA256 7eb0bcadff1c8a823a2dd0c2b844a190a6106fea4dd009f5f9e7925abb113b35
SHA512 8fc1af444a45e620ce0d12bffe66f2aea271cd6eed82bb91ce439268ce08c4642e1c93553d63baf6e359954f587e2535d585e130c58dcf13eccaf9b9382a8f0e

C:\Windows\SysWOW64\Bnknoogp.exe

MD5 ac948917b064099381df404cd1cb3a14
SHA1 1f98312d67db1ee40388a90d6b64578aeee55551
SHA256 5c4dd889d827085bedf8e8ab03e7eb48d68a0abdfdb3ac658a2ceda907a560de
SHA512 248b211a046b0dec39e24bb2198f51c41a380667be4edf7ac69868c4343a6a31559b5da8fc352c3061c06a103759cabbde6149618c1546125e9d26e607ca532f

C:\Windows\SysWOW64\Bfdenafn.exe

MD5 4d3318a5c51c6e3ed49bd1dd9a09a49d
SHA1 93941aa6fded7320765e62a96cd981a668b32405
SHA256 835de359fae5db7638c78091cce6274899436755c646e40dcd5ff5a93a10635e
SHA512 0d31cfb620b65956d0fbaff9e6022d519a74a2df161f3314885e93f9d490935389ea5495721e4d2b74e7dabb2aba279e6c13bd4660c57285ccb85c00eb726081

C:\Windows\SysWOW64\Bdcifi32.exe

MD5 2a68c5bfb5ccce1d16e7165e3a1b36be
SHA1 74bf78c0e57b17fe4af04070b35356e3f6c42007
SHA256 c35ba3911badd11dc290f658a0d5aeb033b26e089fafe3589746c9db58afa36d
SHA512 e3e1ceb0f8a0fd82fa4906e2f5caf2f134032dd4fd5681823c3bc31228d2510da60023e29bbe34b20c12943563b4072acf004f89ec9dd7591a4f75af5abaa75b

C:\Windows\SysWOW64\Bmlael32.exe

MD5 ff98fd418a6c9c28d8cd3910acb4191d
SHA1 f7ed8c593fcd890587976ad61a6acd77a3d88eab
SHA256 c5f0184b76d7c99b2741495b64898014e5fda6b86173159c4b9caf429b5f2e88
SHA512 d334fd75a7ebcd603a2c7b390a30177496332f21e5bb1f34baa6ead7fdc7bbe7d45ae25109afbbc532cd7beff4d0f86b39cfc8f4032b3e39db49106da8b0ddea

C:\Windows\SysWOW64\Bkjdndjo.exe

MD5 57d0abd9e11e3f491d00952cdd0e5397
SHA1 6d1f0d870704da539ce4fe9654e37105d35ca10f
SHA256 cc3aed72fe633d18e9af3a304742e4abb5bf0944fe7f870dcfc95ba772f84e4d
SHA512 2e47e2cbb4d1b7e6090f1eee971d7fde17608f4c43b49d633dbd8b900c060ff0bb59687413c355823ae64dae7de8d97670f541461bb5c9a7301db23c07486752

C:\Windows\SysWOW64\Bqeqqk32.exe

MD5 bfa602be11808498526d499097eaadaa
SHA1 8201b9836f742faa7cfb2c1c98adedb7258c44c0
SHA256 e9694a6e548e926f399caaeba9616ba894a3194d832e58932bfa9c2729b9f2fd
SHA512 a151a99cdff057cc1362e42f62ca567090f318b4a90fbe1aa3ebbef170cd6c155e1540691db10627cddc6e908d0826ee56b5ef4d5b2f7b051b34d1c15406c3f2

C:\Windows\SysWOW64\Bnfddp32.exe

MD5 02e50a10d0209f3d1dbb1b70ebf1e8c8
SHA1 04a894933e2e5ffc8ea0c3db803bda30573730a7
SHA256 d55fb6bbb8e2cd03d23cf5c4702b0cc5e381c00e95bde8ff8027cd9765ebc076
SHA512 4f974032f30a4e39a942ec3e69a95d3c20be217b8c0b5ccfc46b0a3120de167370d2c5a5207277020a7f587ee075150dc5b62b78c490f29fe3287552e5fcddc7

C:\Windows\SysWOW64\Bkhhhd32.exe

MD5 bce83d65229c058972d1d2249ec6198f
SHA1 1baea05f69fbd4bc5f5b83662d2ba151c20a73d7
SHA256 9ca6490af5a7782874be5a04b12fffa9e121ab4f1d1b1c725baf7a51f760495e
SHA512 9b8f46162da1684d3f1c502bc1e59fdb1289aac43e4a1d30c641c27d3264c4817f7f40e6033361bd1b403fc11f279f9c5b6f476f468d70b849ff0a5b779a72f8

C:\Windows\SysWOW64\Adnpkjde.exe

MD5 6401e302eb0face536a88f9eb809a3e9
SHA1 3a5909e38220be5531bc9c95586e970bf6028dd6
SHA256 fcec99552f22367e1ff7b8cd8ee5661b7cb60c98b5b9db7150162b8ec60bd4fa
SHA512 a8d5be490c84b9e61a33169296003a180ea494634ddc9d4764091750e2e78b182f27bae19c0f4cb928bc86e220fcb780061e38b804a1c1e353e1714ac828718d

C:\Windows\SysWOW64\Andgop32.exe

MD5 bf4002aeef0d9fa8db596bbb029d9580
SHA1 ac72ecb05d17bb277ef57664a34bf1e49de4a037
SHA256 a1fcb3332655d50a3874a32da2b1e447ef7d4910a93676c16f8526e3d382e4ee
SHA512 2a6ec3705b023cf4b9f88857b1bed63bc24e6bd77ea4fb730c16cbc36fbe1aad1fb468d644cd2a703505b731a4abe9cfd5b33dd9623ec6f3e7a6c8f8ade3383f

C:\Windows\SysWOW64\Akfkbd32.exe

MD5 0389d80ff27f15616b2f0a49762e71c1
SHA1 fbfb6d19dd8817534c5eaa4ca8c6a0b6483ed925
SHA256 6ebe2105d30ffbf80b9a022075075cbe0377edbde3397387d1e54b4586630d2b
SHA512 7583642320baf72c3e7776b305809cc65142d591458ef22328b9d067b510200d1aa504a5d65bff13a8b13933e9b1621c8babdcb199d5e0a56f2ee73f86b89063

C:\Windows\SysWOW64\Adlcfjgh.exe

MD5 265a8a75d6fb071436dd65f038b9f893
SHA1 dba55a06e730a5f926193f48b346845809b808ef
SHA256 e939ef455701241e40636051b16951c5bb097ab97cd4e5550d9b7ed53872387d
SHA512 07bb5600ce1409fdc84a3381fb7a4b12ba5115aa32fa96445c9149c16fdd4ae03db0a001e26e98273c64c8e5c46526d1c2035f1ddfc343f5bd68bfcbdfa91d6e

C:\Windows\SysWOW64\Abmgjo32.exe

MD5 d8c8c02e7688444e279848de9ebe380b
SHA1 d49bf35f929d4a41e25bd1f22421bfcc4e719003
SHA256 db5a19b3575e055237daabd9436e52b064e1620c6ab647689128b45ae37ac1e8
SHA512 78f983323a9cc100588999ae58a60bc9a086b4188854cd5db0261852a920e61617be7093263aef8ff9796d49609a7f6cab7aa94b872ee5f3c1556d0c96c81266

C:\Windows\SysWOW64\Aoojnc32.exe

MD5 7713aad5022b9a4131e8c949630a200a
SHA1 3443f1b8d2fee800680202fcd96955fb2effec21
SHA256 7cbcacd5841f34414304c29f5101af32945374c35d43d40c178678d0d28f6272
SHA512 ff55ff1039218b0ece01cd8ade8c76130366149852f6b4665020c3ae535e263242a94ca7b77f36d11d5355d5d9f5b39005f6df43e52e6316df32113d44df0613

C:\Windows\SysWOW64\Ahebaiac.exe

MD5 a50a53c6db305ed8590e230248885e4d
SHA1 a1de5e24fa71748b2de8169515ff31aea43ba7a1
SHA256 b389d18d497deeefe5ff0baec3c16ba8672817739d7d9b8340dbafbbf62c1967
SHA512 13a6fb71b40f6f53f694f79d23116003629a962e932486e6453dd2bc6e640ff13fdd3db1fac393efec756c783f298ba939be741778a7af9906d1797d7091bb45

C:\Windows\SysWOW64\Aakjdo32.exe

MD5 dbe403f5e6f147ec729becc552c87bae
SHA1 f58c9c56a1a934c69e19b49fa2635b9c375d8cfa
SHA256 6da31d982feb30c49a12c254ecfd49db527a2085f72841a3379076efab4fb941
SHA512 19bcaaf0295b167cc6ff42336e9ee662874a28f88cc45c63b4cda74bafb8222e1a4cc75dd464f985e08ceebcfba7933133af885136f2979fccd0546f7ae3098f

C:\Windows\SysWOW64\Aomnhd32.exe

MD5 f7812d2ef64a6daca0824cca464c0b12
SHA1 019bce56c9d600ae06869c28cd7eb3b139667f2e
SHA256 ac6d6798383cd67e8004ecf1e28d8aa9cafb3213f0285608db5441b1b4c31453
SHA512 d71af2a8ee3180926c7ebbda8b6bfdea7e2617c23f2d052020d2622a733e1ba474fe85c6397ead744d783bdc2c37150222d679a9518fe6befd55b8d9886ac96f

C:\Windows\SysWOW64\Ahbekjcf.exe

MD5 1bf2a5ae075b28cd02f3923f18f40a55
SHA1 b4df2b9c136bc212642172ebc68fd3295c3a3f82
SHA256 29300a7968da549e5a9685bb527063bf2d368354eebe5043e1028dd704b1bc6e
SHA512 658272c7710b43515cab1ca111d517d8f849a1b3bfc864cba10d23a521958e9b726e7c36182cbc4733ee9d5449331f67e25d87593437a792809c790c6ecccd9b

C:\Windows\SysWOW64\Aojabdlf.exe

MD5 ca43dc21ab972c211d91e901d7f7a5dd
SHA1 9e401e046ba60e12e1ee5fa4826ce0a817111644
SHA256 f8a94b740704b1c76ac71827a1a7ff54e66626206e45e36af3b82ca4fb523f62
SHA512 2d6924a31bdb6201e0f05d5e9a39264cb7aae6842537e5738a811e0c6e9e2e71f3bf0b5a1f0ad6ab42426884523a849baffdc15f16e2e38b9006f33adfd26013

C:\Windows\SysWOW64\Aaimopli.exe

MD5 ab5dbabe5f9c98f56e5f0cbad5803d4f
SHA1 aaf9518c740af89a59e9a3de95d8f8dd9f462b59
SHA256 6380dd761f7a3755aef862fb5830efea27f3e5ee87fbddda021213f02ea42783
SHA512 92601c0476e8d0169c3b5694cfe6e09c630b95badfdf48b1a5a55a6a5fbddbec94f05d9adfee12acef56f394dd7adc0ffd7db10d44ea956036cc58a7de594f1e

C:\Windows\SysWOW64\Ahpifj32.exe

MD5 dff30143e3002e966aa00ac0e54dffe4
SHA1 2786a5a3af0be3348245fc435e38bae0a4679521
SHA256 e759ba8eccefe3458e4bd134b8c7e1b32f076e0ec7f0745340712f46ad50cc76
SHA512 e4adda3857049caa5f7e55ce4969d445aec4044c8b343d4be27bf76cc1f0cbc80ecd29851702a54f4e56ede7754b6d9a9acb275cf6b6b32aea1fd984bebb3877

C:\Windows\SysWOW64\Aebmjo32.exe

MD5 2edfcf8f2942e98ca45702c19f38486f
SHA1 353e76852a605d8c54f1e24ecc912fda5093196e
SHA256 2279a2495cb073c67d28196d09137f6a201bc90798f93d2685105912ecdb9f40
SHA512 271acc542d985bd6ed61867ec167cbb025468655e9a503be3ee827449c86587b033849a3183cf0267aca05327f9b81f4fc45e68e7583cde68f3690b6eaca4d79

C:\Windows\SysWOW64\Apedah32.exe

MD5 5d093754493e652ad71eb8a89c8a73b0
SHA1 92a7d0f51ec7daf849548b01f9e584960dcaa6c5
SHA256 01b257a2ca741c174ea73bfd76681b061d2276ff8ee4e4e9440eff5a0ae9cb9b
SHA512 c996376ee7e20eca2fc279109d6b3b8bea417b836011d115294b684b70ed15f3175761bc97e11a511eaf9cd7f195a0b460cb6b19c7a12cffee9e0437e3a608f1

C:\Windows\SysWOW64\Qjklenpa.exe

MD5 0a735530579cf1069318a603d78496e4
SHA1 e198271a283476d95a24db51ea6dfa70fc2feb8a
SHA256 4f136fbbd0f472c79201c4e49dce03514c398e2e6d58fcc70bef12adcf18f98e
SHA512 aa0e7b18055045dfe5d213227546119cbfb20d0ad77e1c50a384162bab30078a32d116259b546742fa7a74d9b89214d930dab288e3672ec27a8088646a6348b6

C:\Windows\SysWOW64\Qpbglhjq.exe

MD5 d925dbf148ee99b3810bfa9d40207add
SHA1 d9d3e393a97c44aabe29c5bae5f8f33508fc3d60
SHA256 8b51aea61812c72ff2d96304bc51d19c29569cc0e35bf3690007898caff63a69
SHA512 1d3689edc4e93672438b859524ccf741089f4cc6959d1c21522c238d26d4f1529658a7ff0aa97a58184353ce6c874314258d6638fff2adfe7b17b5dcbfb1163d

C:\Windows\SysWOW64\Qiioon32.exe

MD5 9f33a3aa29281e7e3bab503149a6e078
SHA1 3ef88647db6b32b761210f52b513ce3c3f0b9f43
SHA256 cef970920a782515ea25e975a03b2207777eb9b2116164f3d4091cdbf1710c3e
SHA512 767e57664211afb70e2b264e5969b4c0e1c2c0feb0754638187389046c1b8353271b21411640d7ed2b3c65c11ce103d64ae350e4619101694833fbf9ce950601

C:\Windows\SysWOW64\Qdlggg32.exe

MD5 1ae1cd0163e8b1df03dbd5d6eb989b28
SHA1 d6bdf60563f24cf51fad40edacaf62d57682c7f6
SHA256 6be1e657d1cf60f28139cf8466c48a1b85e11e71a6dacd956b4af55e230f3d0b
SHA512 c5d4c5f52ffdbfffe58cdee22892014b93e85de7d7506c4f4beb5125ef8d3f1f24744d2a0ceaaa413cea906d96f9e983c1746afa38d6d79af6263b6b59e11f88

C:\Windows\SysWOW64\Pifbjn32.exe

MD5 0e7a468686aad38cf07d4ce5662074ce
SHA1 374bc04215e2aac06faa0a10d468b666c9f0363e
SHA256 6302344dbfd9d82d80cacf7a824dc13a1a4d470f4cda5cdc19ccd08bc9ead5ab
SHA512 81b78f052ac44d6bd480ea837867ba600d8782269378156ea0ce0e13916359643b5fb0109db87adc643151f844438e7a9bec251f6bdbafe352c1513a753751c8

C:\Windows\SysWOW64\Pdjjag32.exe

MD5 0a1db1ff955f269ab14aa67db70dd147
SHA1 5f408997ac3756312c5c4c3e8f6b572f175b2d4b
SHA256 6d9e8f455dc44c7a6c8af01624fc5a6217fac83d6abc4dc3f01a37164c7caef7
SHA512 7d1c3853da3c859f2874a81fd7cc7f21ae7d0f34f06f31174edd2f3919ff38e3cb41ef4906b226cf06a980def5e663b8df0350b30dedfecbdfee2fa048773e55

C:\Windows\SysWOW64\Pmpbdm32.exe

MD5 6f48fea0e335c754066fcd316f3bb242
SHA1 0abcf24f42b30f5fe36b86d7ebabb46c98a34386
SHA256 d9bcbaf653c160782fa749bb0a4f2ce13a192c2ea0a5c83ba031c2afa01677ae
SHA512 8d0d3a3802802b4e3d3c63da3cf58f9f9c9d3fceff83f7704184ac3832f041bc165c9e1c1bdd5e9753b9b3c9f23358c0829cf51dc877c6255f65b06319320186

C:\Windows\SysWOW64\Phcilf32.exe

MD5 c935a81019f9010e63e209384f7d3338
SHA1 9556cd454fcc278f8ed2177515d49eec1e0bbbd8
SHA256 965f1020cdd5cf2a3d1b81fef974ccf6a43e711a12c08790f201cef154eef481
SHA512 52767026ced0786e94150210c6242299ee2f785c66e84ccb0f3dece97ff14a0173fbfc6a1c10a6d32dce73fd62c8331f71930b1c56e0ced81f4d5cd53e4140e0

memory/2688-515-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/2688-509-0x0000000000400000-0x0000000000433000-memory.dmp

memory/320-508-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pmmeon32.exe

MD5 6ec212aa9f6347718b987f954e184c7d
SHA1 3981fda2a061af39506972056c786017d7625db1
SHA256 762cff0ac4ffd82f8609d27c068291dec15ed2a885a6472c7ba1dabe5a730394
SHA512 d943535a8fc16d1062656c7316c9ef845687804d5b880bd2d5674a9ad13af49093a6148ef3ba62606576cc4565a7a71cbd156fbe9cf458ad3609b83480dd7505

memory/1692-499-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pgcmbcih.exe

MD5 20fc343114a0351c4a50d60e6ab75cfa
SHA1 e9939c9bae7902f552c50798ecc7bcde5c3f18f3
SHA256 ce0d1ea4da5cf3333a0150cd710df8063db0f3d5b2cf5e1b1e89afea5b56723b
SHA512 f2592e16f2e46c9e7f764efc0e3675063495e1de416cdbfc789998dc3ad665755e2c150da886be544b9632389df49dd25e955193ab3d63420371bd7733d4609f

memory/572-489-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1052-488-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1388-487-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Pebpkk32.exe

MD5 19047b0edf02b76a97d297da2b538bee
SHA1 ba6331bad70aaa75120c062e0701264fb245b22f
SHA256 5c2b1836b08dcb7ad5e169c5eab649364ab714227ebeb5550e0129a474ccdab1
SHA512 06ff2ce15cfb125c57b490bc940fe997578ac938527d52bddc6cc4845f3686571ca73420b5282aa23ecf95064839d1005ad7ad04439a32a6d34f91835f7ee99d

memory/1388-478-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2196-477-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pohhna32.exe

MD5 72850d6191ef4d2e8e4f306e544e8532
SHA1 e40352278d944e277df08f2f5f7352838001b373
SHA256 1a611b71461a75b0cc975ffc27463929215ec84b6cc9a3ffad3aad0bda781297
SHA512 b432dde9e6f943ea05a88a2a07f3f54b0e38d97690b2d23afe06eff8b21ed19c87b101a8a3e486d737f76352c9a92c0440daa4a6509466868d2a62000f03a6ef

memory/376-468-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2160-467-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pepcelel.exe

MD5 2fa1eead3fc67bc9dd4f332d69491ee5
SHA1 6f7b0f8433055bde1bac3e7dab6e57859ccd52ba
SHA256 7724fa4cf8537517f02c1f8160dbdab3c6d2103387482391db2142015d870e11
SHA512 d59a8c888be66a71d2855188c41dbb5278ef47a0b6ca25b32899ae15bc25b4ae0675399593fec686a0e56a2e6c5be56325109edd637f6dedd03edb270920d1a0

memory/1980-458-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1760-457-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pbagipfi.exe

MD5 996f1b565b0ff2031642db979b25421f
SHA1 749b5a2d691f02880888e20f898f679665dde639
SHA256 a386023427dab2e73bd6e6151bfb2e82bda14e897ec1145559875d8eb31d72d7
SHA512 f3d65a22ff447e1720958c0b97bc102c12a84c404bb17f1314a08934ab7d43620464c77f423d27f15b5bbb6bf050e2be2c4015e0737bde28c7f1df9f0412a572

memory/300-453-0x0000000000250000-0x0000000000283000-memory.dmp

memory/300-447-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1196-446-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Pkjphcff.exe

MD5 620da66770f5c47e4212b77ab00fe301
SHA1 deb3f612db8ddd2d5d9429bcd8930fcc74be8400
SHA256 2f7c8a243c32c3d0ef55f6a5e05a86d50a36767e2684b358b3f1d36bd7a8da7d
SHA512 48063c705ba13a44d8a8e54e9594cf4d6aa4609913cb5f4a4d523bf274de5d58ec9b18bd3c97b12fa72a32b1dc5595f69308b66a9ba7eabfe4d8680cba32e078

memory/1920-437-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1972-436-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Piicpk32.exe

MD5 f6e11044984c5f57116d7712ef47919e
SHA1 452e0235123c7c9095d75c3c204a1da7b2a680c0
SHA256 384d1542c6a561868eb49be289208cfcab3b47d78b973cdebc2ec3d1907dadf3
SHA512 acb5a41b24ff8e1e0a5f314687e5fe800cb771ff4ed6a509b28c5715fdc13d0db8e619a3cd374d124dd8d79ec2a23b07a1c095c347422d9392d871ed6eaf37ba

memory/2816-426-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1536-425-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Oabkom32.exe

MD5 f58e2ffc27622073bde96f06b460b52a
SHA1 8281e2dd2430f9c11b76dc0196069c4c8566fb6c
SHA256 90cb0feb0528d141d338f46a458565a793a19b628bae1fd610e5b8c481a6ea92
SHA512 0007db7976cc21341a6bed6268be027a181627ea7be89661abd01c231e149ac6509a807a71f58bdb3acfc980a1583d0a3c25666ba8ee71afbf6be8e13ff78423

memory/1536-416-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2812-415-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Opqoge32.exe

MD5 6768e92a65b47f2f3b1c8867ad870b56
SHA1 b1083c41266a4e1db9cc65701bc683d7fbcb0a58
SHA256 0e5ca8f9e7d352ec3f305c50fa31a09d9706dab0716073bbd8cee0cf4ddb5f61
SHA512 9d4d22b6de3119a75c0bd0e20bc57feb4cd9651dc3dfeed649572f59f4b800fc30609f8b6fe9c6de75662ab84e4f923300f4e86c0329f9a01f40052706d68024

memory/2828-406-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ohiffh32.exe

MD5 4ee498037e0991ebdd1d3fc0c52c636b
SHA1 9372470e39b39f9b58b8b6cc05481329eb9d7a17
SHA256 f1332ed5827594b335e910da1caa340f51d6d2a685c7dc38b59e97ec4a0742d0
SHA512 80b139ab8b9b876cdbc4c76eb11e5ffa0210b7fcaf9d90980f6a3c4aaa22c0523d889d1e70850b99b247bcadb43dd8c041d9fdc74634b40552d6d4916e9da327

memory/2780-396-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Oekjjl32.exe

MD5 0fc07d22e4f6571f63b8a6768be3197a
SHA1 52b993e939c416ba78cdb30c47c941ef4a7286fd
SHA256 c561f51e4a3f79b904406c03b9accb8c426c9bba59f34b860ab0a9dda6f6bef3
SHA512 5b63a86cc29bca114eb659b77d30a619bdaa6642d3eacac7b2f95829b0ff53eca686dda21027f6118928eb3c8b517cda00bfcdb8271fe343bb89efe6ab349d9f

memory/2612-392-0x00000000002E0000-0x0000000000313000-memory.dmp

memory/2612-386-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3008-385-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ooabmbbe.exe

MD5 3c02c98f00117662a143206dba87e9df
SHA1 e81616be5ff672b2c5b6b02f10f473f67ff99fe1
SHA256 1700695ce7c9a0bad9e825f293f74ac051defd869fb28cf68fb29feb0cb2cb1e
SHA512 5502a617ff64186e3b513ba881df5b27807f672a8dc217b40653c60134b17797bb8982bcd252af6c55bc60100bce207acda0e1e6536c688aa22bc8cda820544c

memory/2640-376-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2740-375-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Olbfagca.exe

MD5 aed27634f2a2e25abf35a6403ca69697
SHA1 610c4a09498fe594b2fcaa5eff335827d30cc337
SHA256 2fbe146fe7216cfb9be4d823e8b457bffbac69a52024f68214aea8cbc4c6f12f
SHA512 ec32c3154696a86f3fc3e5ab3c197cd56e8912ceef6f388f196e4a40fb9d49c0265159b01e458d6a602323cde34bd6462e63f27e169811820adc2e364c0f4a6c

memory/2860-371-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2952-365-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2860-364-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2724-363-0x0000000001F50000-0x0000000001F83000-memory.dmp

C:\Windows\SysWOW64\Oeindm32.exe

MD5 d844e11a97644e7d9865b5d273369153
SHA1 678ee8d041ce1baa8f9a90bd534c430b6f2f7bcb
SHA256 c1d0aa11bd35e0e4d822a3ca4b0f570d5b64b16eddf40ae1961fec1ea31a864a
SHA512 32bceded80de0686f98cd9ee6daee9c3bd7d43fb0d21c1740e1ee5cf1a0efff233702b11d511d19bcb2331f3e74f980c9d55e9aa9b9ed31ad00223941e410a91

memory/2724-354-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2960-353-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Objaha32.exe

MD5 27a2e257e36f77b41dca0eda6d1f9e1d
SHA1 b7b657163ce9695e1b44ff745fca57905bdead7e
SHA256 7a7ee50a7c5ad9966798c33716358489d734868ba42219314cd4b7e7a9a3f88c
SHA512 956e6fcbd0ef1d843a3a842ad04acac90a6980af9bfafd7421e19a9d6f99e57442fab1b633cee9aeb8a36cb13944b2bd66de602b0415047ce9b88d42909dabb9

memory/2712-349-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2712-343-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2184-342-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Olpilg32.exe

MD5 de49fc9de02637517bf321a199870507
SHA1 e1e8e90b75a76d6f427cff6a7d352a361361064d
SHA256 11b1a61cd8e637c71e544c81c07ed33061567d98305fbd22ae5bbf5c479adc61
SHA512 8038683ee659653f1100c8fcf6fb538e944cd8f973ea0f46b7980b3c2688fb15c3cf737efac9eebbbb97c166f722a6671324eba8de6d9ea671501de5531a24b6

memory/2308-338-0x0000000000310000-0x0000000000343000-memory.dmp

memory/3052-331-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/3052-330-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Oibmpl32.exe

MD5 3cd74f875bdad2e92dce4dd83f9e2704
SHA1 62002a88c41ba99fa22ac3b092e8694908cf65c9
SHA256 7761fa255d24de7184093ba80981918cbbc773613771f18e8098953dcff68eaf
SHA512 f4f45a9981f704d49a49193739b8b616cff0da8a48420d9016b26dc646d84301d41afc3e84fc9057b41ec204793124356356a355d761029ef4db8f8cc6ee3dae

memory/1600-326-0x00000000002E0000-0x0000000000313000-memory.dmp

memory/1600-320-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2108-319-0x00000000002E0000-0x0000000000313000-memory.dmp

C:\Windows\SysWOW64\Ofcqcp32.exe

MD5 868437649f7c8ee173295d1303f0df76
SHA1 feba74c18e43a80ef1b6aad1049dc3a8fd22f69b
SHA256 d0ea7433f6245ccf20cf17568a49ab6a6541d864b6f9796fb944eb9aad19d60a
SHA512 30b9acd6333d96ea12f9cb6992a9d31bf071c7c13bbc15b596e1e2de14529c8a5f8ddcf857f02055f278db2227e0730c764d46a5e5a81a001b5891318bffc1ca

memory/2108-315-0x00000000002E0000-0x0000000000313000-memory.dmp

memory/2108-309-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2524-308-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Opihgfop.exe

MD5 9d7f8f13c342f788bc195a56196af26a
SHA1 0dd9ffd7f81dbef1f654c349c301e7f19b120338
SHA256 d72dee0d34be2ba6dbe143a20aaae409154fbc4c15bf52d19fe3c03c65ee15ec
SHA512 3400528ac14e133e7e12f6b257481cf54a3d1dd44fa6887394a71f959bd5bfc9eac3a468c352ba7867703823609dec9aa3d5ee02bff913747c552dde56cf2fb4

memory/2524-304-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2524-298-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2480-297-0x0000000001F40000-0x0000000001F73000-memory.dmp

memory/2480-296-0x0000000001F40000-0x0000000001F73000-memory.dmp

C:\Windows\SysWOW64\Omklkkpl.exe

MD5 39f844fd618b3a5988f62f26db044654
SHA1 c55698b870033baee01daa27ef276a8c389b6c3d
SHA256 9019cd5661acbd38f913976ed0c95ab08af108ef15233a88d2d01c499da011ce
SHA512 304ad6221e29150e5e5fe0663d9fb57b324cd1865d8664df90c22125414897d936880aaee25a058da434ab51e08bd72f02b9ebb65c546462560a644f71514cb3

memory/2480-287-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1836-286-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Ofadnq32.exe

MD5 08f4a34fd1be588cd1296e52a448cd67
SHA1 14b94e0128e0e5d17816f8a8f5531af7a31f77ff
SHA256 59166b57783cb9c9a1cd2ee04c7c73b29e78214429fb7685e2d55a34d8e13700
SHA512 86752394738b56a31ea3520a4f00cff983622b91a1883be9078815ab817c3462e1f196bfe7b33b32b30e220ef059976e754cbc510ded828dc36262745d2f65c8

memory/1836-282-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1836-276-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2452-275-0x0000000000440000-0x0000000000473000-memory.dmp

C:\Windows\SysWOW64\Odchbe32.exe

MD5 4419b9e924b492669b84be55a65bf8e8
SHA1 b565aebf8afd921ddef756345659b2bba7eb4421
SHA256 da92d54da05fa0be760bb79bc67d3b4e863de0dea5a666a0327459f9dbf08f78
SHA512 8f9e3a6ecaacb114aa18ce1114d7a271de9999b8d750ba8610cc2ecfdc21a1b1aea0b2a6d2828cddb02a391f1699ab0001128ed3328b9923974f3a3f388813b2

memory/2452-271-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2452-265-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1528-264-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Oadkej32.exe

MD5 61242d062ac3c3f6614a52aa1693216a
SHA1 e23e825000bfe7137280efaa487f465b618257e2
SHA256 023567a3dde6731288af17e3f759f00bceb860e5a3708e9351f92b68646255e3
SHA512 28367ecbf3962e1f130a58e545d372a4d14fa272957159c47a6e38194ddc711089be9f2fc8077997488d4da419278951ca355984483f12ec08c1fb577720d11c

memory/1528-260-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1528-254-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1992-253-0x00000000005D0000-0x0000000000603000-memory.dmp

C:\Windows\SysWOW64\Njjcip32.exe

MD5 1b7709616e84ba98d6111075776ba877
SHA1 5d706ad963d7f48346b9056af4bf7b79114b0f07
SHA256 869266beb06b1ef79dee34c8d78d505a0b09f664bd53a8f9800a71e333ef2c8e
SHA512 4a6a71ce933e39c64c375c28c48267d054f56ef12e09433907010930a7da8bfc4187af54691bb5653e992588077fa2db7c0c6891fe57f7893ec367b4a5d77fea

memory/1992-249-0x00000000005D0000-0x0000000000603000-memory.dmp

memory/1992-243-0x0000000000400000-0x0000000000433000-memory.dmp

memory/268-242-0x00000000005D0000-0x0000000000603000-memory.dmp

C:\Windows\SysWOW64\Nhlgmd32.exe

MD5 ed235976813ebf6b3ded0847a4ee4b75
SHA1 e096fce8657d90c600b76fb285915d3b673ea132
SHA256 4fb2bbbf8139b423fa08b226cd5188494e9e325e198c7131d6499e6ed23566c7
SHA512 f7ec31f2334d0626d8d5c542220fe91bee49b535015d321aa5844134ba9c76714071df6174d3082571d638037a986c1ba83c7633877ac15cccc081d0bb8b2bb0

memory/268-238-0x00000000005D0000-0x0000000000603000-memory.dmp

memory/268-232-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nenkqi32.exe

MD5 556b38503aa7e48d9a27847ce006823b
SHA1 eed81fdd22ca60f5b754e3956f5f7db01387e942
SHA256 70a6087de199129358eafa3a24772867f034660df8531fb89f92f0108e96480c
SHA512 ef8e09977588e7fe3e7bbe0eab19b773068ea25da05826d1144859e11da08ffa0a9364995583f83eb071da54025ffb5b0597c888239ced5909526190ba422c0d

memory/320-223-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nncbdomg.exe

MD5 e4844527cdedb9ca0db900b95d0e5f52
SHA1 68767fb61009250f261d636747363133665a59ed
SHA256 d3dec39b79e1e033862940a441ffe9a9103832e1d73f52faa18cc3a50f41a140
SHA512 ae3524f2c8c3fddbb715e27ecd294fbd144b0c1047e027906139076e21a67d67a5bd19a30d022f093d2548e6f55dc383b656ee38ed84a2c1ee65a4262f4bbf79

C:\Windows\SysWOW64\Nhjjgd32.exe

MD5 99c6d3a74cf279fff660268b17b2fa90
SHA1 bf045e883b3243b20f469cf1ea4ca015d03a6772
SHA256 6b05bb0210421aa0ef77847219939839c3ec1808bf8f0b67e20eea8e40aef748
SHA512 1834bd9eb9f026b7ac8de7579d310c14b2f7ae6a5d2c44e865c4dd3f885afc2fee61a2b877b2109c42dea58d5e3a3b0a07432e29e0792867cc925dc4aefcf3df

memory/1224-213-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1052-200-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2196-187-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2160-174-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1760-161-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Nbjeinje.exe

MD5 e3e5ba6186bb32de602ab83f71a4406d
SHA1 45edab3d3532560ff3487ee5dc3f5ea570443391
SHA256 a5ad20fa1d3d8d0b80997076e4e65d5646fb2e4b686aa18c6e242b1a84cd9a0b
SHA512 4cb0997e13f73b9671608746481c693d00340f518597f7564e5aa441650615b66686f257ecbc6431ea1316f1e4a4dfd17afcd3003c317167a2f092c66d736b60

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 15:28

Reported

2024-11-09 15:30

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncqlkemc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jdfjld32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nmlddqem.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ohhnbhok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gbchdp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pldcjeia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkaobnio.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ilafiihp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jqhafffk.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmieae32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkokcl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnjdpaki.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cbdjeg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eeelnp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lnldla32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hginecde.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Icfekc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmbhgd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pocpfphe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aolblopj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Phcgcqab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kclgmq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oanfen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Omgmeigd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aogbfi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Inqbclob.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hbjoeojc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iohejo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjodla32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Knooej32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ljfhqh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jngbjd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcimdh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pmnbfhal.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lggldm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aogiap32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pfiddm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ilccoh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgninn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bahkih32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gpbpbecj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Odoogi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qaalblgi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ckeimm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gidnkkpc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkohaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Omjpeo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bheplb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mfhbga32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jkimho32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfipef32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jmeede32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgkiaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Adhdjpjf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Chiblk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cpdgqmnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aajohjon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bojomm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cofnik32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddgplado.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgphpe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pmnbfhal.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dahmfpap.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Hbhijepa.exe N/A
N/A N/A C:\Windows\SysWOW64\Hibafp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hginecde.exe N/A
N/A N/A C:\Windows\SysWOW64\Higjaoci.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdokdg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hildmn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iphioh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Icfekc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijqmhnko.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipjedh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iciaqc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijcjmmil.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilafiihp.exe N/A
N/A N/A C:\Windows\SysWOW64\Icknfcol.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikbfgppo.exe N/A
N/A N/A C:\Windows\SysWOW64\Inqbclob.exe N/A
N/A N/A C:\Windows\SysWOW64\Ilccoh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Icnklbmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikdcmpnl.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjgchm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlfpdh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdmgfedl.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgkdbacp.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjjpnlbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnelok32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jpdhkf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcbdgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jkimho32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnhidk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdaaaeqg.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcdala32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jklinohd.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnjejjgh.exe N/A
N/A N/A C:\Windows\SysWOW64\Jqhafffk.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcgnbaeo.exe N/A
N/A N/A C:\Windows\SysWOW64\Jknfcofa.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnlbojee.exe N/A
N/A N/A C:\Windows\SysWOW64\Jqknkedi.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdfjld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkpbin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knooej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kqmkae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kclgmq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkconn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knalji32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kqphfe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kcndbp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkeldnpi.exe N/A
N/A N/A C:\Windows\SysWOW64\Knchpiom.exe N/A
N/A N/A C:\Windows\SysWOW64\Kqbdldnq.exe N/A
N/A N/A C:\Windows\SysWOW64\Kglmio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjjiej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmieae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdpmbc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgninn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kjmfjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmkbfeab.exe N/A
N/A N/A C:\Windows\SysWOW64\Kcejco32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lklbdm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnjnqh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lknojl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnmkfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lqkgbcff.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcjcnoej.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Icknfcol.exe C:\Windows\SysWOW64\Ilafiihp.exe N/A
File created C:\Windows\SysWOW64\Jqknkedi.exe C:\Windows\SysWOW64\Jnlbojee.exe N/A
File opened for modification C:\Windows\SysWOW64\Lkalplel.exe C:\Windows\SysWOW64\Lcjcnoej.exe N/A
File created C:\Windows\SysWOW64\Blielbfi.exe C:\Windows\SysWOW64\Bdbnjdfg.exe N/A
File opened for modification C:\Windows\SysWOW64\Hiipmhmk.exe C:\Windows\SysWOW64\Hpqldc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lgpoihnl.exe C:\Windows\SysWOW64\Lljklo32.exe N/A
File created C:\Windows\SysWOW64\Gdgiklme.dll C:\Windows\SysWOW64\Hibafp32.exe N/A
File created C:\Windows\SysWOW64\Fbihneaj.dll C:\Windows\SysWOW64\Kclgmq32.exe N/A
File created C:\Windows\SysWOW64\Lknojl32.exe C:\Windows\SysWOW64\Lnjnqh32.exe N/A
File created C:\Windows\SysWOW64\Oodcdb32.exe C:\Windows\SysWOW64\Odoogi32.exe N/A
File created C:\Windows\SysWOW64\Cdbfab32.exe C:\Windows\SysWOW64\Cbdjeg32.exe N/A
File created C:\Windows\SysWOW64\Oaplqh32.exe C:\Windows\SysWOW64\Ojfcdnjc.exe N/A
File created C:\Windows\SysWOW64\Icknfcol.exe C:\Windows\SysWOW64\Ilafiihp.exe N/A
File opened for modification C:\Windows\SysWOW64\Lnjnqh32.exe C:\Windows\SysWOW64\Lklbdm32.exe N/A
File created C:\Windows\SysWOW64\Pjdhhc32.dll C:\Windows\SysWOW64\Pajeam32.exe N/A
File created C:\Windows\SysWOW64\Bffcpg32.exe C:\Windows\SysWOW64\Bnoknihb.exe N/A
File created C:\Windows\SysWOW64\Ogekbb32.exe C:\Windows\SysWOW64\Opnbae32.exe N/A
File created C:\Windows\SysWOW64\Ekppjn32.dll C:\Windows\SysWOW64\Cnjdpaki.exe N/A
File created C:\Windows\SysWOW64\Nfamlc32.dll C:\Windows\SysWOW64\Jdaaaeqg.exe N/A
File opened for modification C:\Windows\SysWOW64\Anmfbl32.exe C:\Windows\SysWOW64\Aknifq32.exe N/A
File created C:\Windows\SysWOW64\Bdcebook.dll C:\Windows\SysWOW64\Aoalgn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fihnomjp.exe C:\Windows\SysWOW64\Enbjad32.exe N/A
File created C:\Windows\SysWOW64\Qnidao32.dll C:\Windows\SysWOW64\Hildmn32.exe N/A
File created C:\Windows\SysWOW64\Kcndbp32.exe C:\Windows\SysWOW64\Kqphfe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nhmofj32.exe C:\Windows\SysWOW64\Nabfjpak.exe N/A
File opened for modification C:\Windows\SysWOW64\Nmnqjp32.exe C:\Windows\SysWOW64\Njpdnedf.exe N/A
File created C:\Windows\SysWOW64\Jdobpkmb.dll C:\Windows\SysWOW64\Qhkdof32.exe N/A
File created C:\Windows\SysWOW64\Pmphblgf.dll C:\Windows\SysWOW64\Ddjmba32.exe N/A
File opened for modification C:\Windows\SysWOW64\Gpbpbecj.exe C:\Windows\SysWOW64\Gmdcfidg.exe N/A
File opened for modification C:\Windows\SysWOW64\Nglhld32.exe C:\Windows\SysWOW64\Ncqlkemc.exe N/A
File created C:\Windows\SysWOW64\Ojjhjm32.dll C:\Windows\SysWOW64\Pnplfj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kmkbfeab.exe C:\Windows\SysWOW64\Kjmfjj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmaffnce.exe C:\Windows\SysWOW64\Pkbjjbda.exe N/A
File created C:\Windows\SysWOW64\Bdbnjdfg.exe C:\Windows\SysWOW64\Badanigc.exe N/A
File created C:\Windows\SysWOW64\Npiiffqe.exe C:\Windows\SysWOW64\Ncchae32.exe N/A
File created C:\Windows\SysWOW64\Ijilflah.dll C:\Windows\SysWOW64\Cpdgqmnb.exe N/A
File created C:\Windows\SysWOW64\Jpmcbhlp.dll C:\Windows\SysWOW64\Qachgk32.exe N/A
File created C:\Windows\SysWOW64\Clgbmp32.exe C:\Windows\SysWOW64\Cfnjpfcl.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkhnjk32.exe C:\Windows\SysWOW64\Doaneiop.exe N/A
File created C:\Windows\SysWOW64\Kofmfi32.dll C:\Windows\SysWOW64\Ocgbld32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ocaebc32.exe C:\Windows\SysWOW64\Omgmeigd.exe N/A
File created C:\Windows\SysWOW64\Jcoaglhk.exe C:\Windows\SysWOW64\Jleijb32.exe N/A
File created C:\Windows\SysWOW64\Bcjfln32.dll C:\Windows\SysWOW64\Mogcihaj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ljfhqh32.exe C:\Windows\SysWOW64\Lggldm32.exe N/A
File created C:\Windows\SysWOW64\Pocpfphe.exe C:\Windows\SysWOW64\Pldcjeia.exe N/A
File created C:\Windows\SysWOW64\Ocaebc32.exe C:\Windows\SysWOW64\Omgmeigd.exe N/A
File created C:\Windows\SysWOW64\Glmoga32.dll C:\Windows\SysWOW64\Kkeldnpi.exe N/A
File created C:\Windows\SysWOW64\Nhmofj32.exe C:\Windows\SysWOW64\Nabfjpak.exe N/A
File created C:\Windows\SysWOW64\Ohofdmkm.dll C:\Windows\SysWOW64\Enbjad32.exe N/A
File created C:\Windows\SysWOW64\Ahfmpnql.exe C:\Windows\SysWOW64\Apodoq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Jcdala32.exe C:\Windows\SysWOW64\Jdaaaeqg.exe N/A
File created C:\Windows\SysWOW64\Pmmanjof.dll C:\Windows\SysWOW64\Qemhbj32.exe N/A
File created C:\Windows\SysWOW64\Amoljp32.dll C:\Windows\SysWOW64\Aknifq32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mmkkmc32.exe C:\Windows\SysWOW64\Lgjijmin.exe N/A
File opened for modification C:\Windows\SysWOW64\Gbalopbn.exe C:\Windows\SysWOW64\Gpbpbecj.exe N/A
File created C:\Windows\SysWOW64\Gbchdp32.exe C:\Windows\SysWOW64\Gbalopbn.exe N/A
File opened for modification C:\Windows\SysWOW64\Paoollik.exe C:\Windows\SysWOW64\Popbpqjh.exe N/A
File created C:\Windows\SysWOW64\Gcedencn.dll C:\Windows\SysWOW64\Qdbdcg32.exe N/A
File created C:\Windows\SysWOW64\Pnplfj32.exe C:\Windows\SysWOW64\Pfiddm32.exe N/A
File created C:\Windows\SysWOW64\Qkhnbpne.dll C:\Windows\SysWOW64\Ahfmpnql.exe N/A
File created C:\Windows\SysWOW64\Lekmnajj.exe C:\Windows\SysWOW64\Lmdemd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iebngial.exe C:\Windows\SysWOW64\Iohejo32.exe N/A
File created C:\Windows\SysWOW64\Accimdgp.dll C:\Windows\SysWOW64\Ipoheakj.exe N/A
File created C:\Windows\SysWOW64\Kcbfcigf.exe C:\Windows\SysWOW64\Kcpjnjii.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dkqaoe32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jngbjd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mfnoqc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nflkbanj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apaadpng.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgpcliao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adfgdpmi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Icknfcol.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Knchpiom.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnbnhedj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qachgk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nglhld32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nopfpgip.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Naecop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Doaneiop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hfaajnfb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lfeljd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mfhbga32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ohcegi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnoknihb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jgmjmjnb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ljnlecmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgnomg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aogbfi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnjdpaki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Icnklbmj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lekmnajj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkpmdbfd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdgged32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdnmfclj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Geaepk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kjmfjj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lqkgbcff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oalipoiq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahbjoe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aoalgn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ikdcmpnl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kmieae32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alelqb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lljklo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ocgbld32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ppjbmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmnbfhal.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dooaoj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fnlmhc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gldglf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lcimdh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eeelnp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ncchae32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahfmpnql.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ilccoh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kqmkae32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odoogi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jnjejjgh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdpmbc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bllbaa32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Domdjj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hmpcbhji.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ocaebc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odmbaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmaffnce.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbdjeg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnfiplog.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nghekkmn.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aggpfkjj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kdpmbc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fklenm32.dll" C:\Windows\SysWOW64\Pkbjjbda.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfklem32.dll" C:\Windows\SysWOW64\Adkgje32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aekddhcb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kncaec32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncqlkemc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nddbqe32.dll" C:\Windows\SysWOW64\Jklinohd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haaaidfk.dll" C:\Windows\SysWOW64\Lnohlgep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfniqp32.dll" C:\Windows\SysWOW64\Oodcdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpmfmao.dll" C:\Windows\SysWOW64\Aajohjon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jebfng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnkkjh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Adcjop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aajohjon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bojomm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Adcjop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fmmmfj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Enbjad32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhoneioi.dll" C:\Windows\SysWOW64\Jjjpnlbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjijkmod.dll" C:\Windows\SysWOW64\Ohcegi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojdnid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibknda32.dll" C:\Windows\SysWOW64\Bohbhmfm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bojomm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jknfcofa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Chglab32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aopemh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll" C:\Windows\SysWOW64\Dahmfpap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ocaebc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lgpoihnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombnni32.dll" C:\Windows\SysWOW64\Ljnlecmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Comjoclk.dll" C:\Windows\SysWOW64\Jqhafffk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcjdoc32.dll" C:\Windows\SysWOW64\Kcejco32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qemhbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nklinjmj.dll" C:\Windows\SysWOW64\Dooaoj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jdmgfedl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhjhdagb.dll" C:\Windows\SysWOW64\Hmpcbhji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblknjim.dll" C:\Windows\SysWOW64\Chnlgjlb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kkconn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmifh32.dll" C:\Windows\SysWOW64\Ebdcld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcjfln32.dll" C:\Windows\SysWOW64\Mogcihaj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qaqegecm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hibafp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ijcjmmil.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edhjghdk.dll" C:\Windows\SysWOW64\Chglab32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jnjejjgh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nhahaiec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pkpmdbfd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bllbaa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpdhj32.dll" C:\Windows\SysWOW64\Gbchdp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ijcjmmil.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pmaffnce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmokdgeg.dll" C:\Windows\SysWOW64\Lljklo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfdqcn32.dll" C:\Windows\SysWOW64\Pfandnla.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qobhkjdi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcphdpff.dll" C:\Windows\SysWOW64\Icfekc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ahpmjejp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmkgk32.dll" C:\Windows\SysWOW64\Alnfpcag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bdgged32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ckhecmcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiapmnp.dll" C:\Windows\SysWOW64\Cacckp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jnelok32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lcimdh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olhldm32.dll" C:\Windows\SysWOW64\Jpdhkf32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe C:\Windows\SysWOW64\Hbhijepa.exe
PID 1956 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe C:\Windows\SysWOW64\Hbhijepa.exe
PID 1956 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe C:\Windows\SysWOW64\Hbhijepa.exe
PID 924 wrote to memory of 1844 N/A C:\Windows\SysWOW64\Hbhijepa.exe C:\Windows\SysWOW64\Hibafp32.exe
PID 924 wrote to memory of 1844 N/A C:\Windows\SysWOW64\Hbhijepa.exe C:\Windows\SysWOW64\Hibafp32.exe
PID 924 wrote to memory of 1844 N/A C:\Windows\SysWOW64\Hbhijepa.exe C:\Windows\SysWOW64\Hibafp32.exe
PID 1844 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Hibafp32.exe C:\Windows\SysWOW64\Hginecde.exe
PID 1844 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Hibafp32.exe C:\Windows\SysWOW64\Hginecde.exe
PID 1844 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Hibafp32.exe C:\Windows\SysWOW64\Hginecde.exe
PID 2912 wrote to memory of 4368 N/A C:\Windows\SysWOW64\Hginecde.exe C:\Windows\SysWOW64\Higjaoci.exe
PID 2912 wrote to memory of 4368 N/A C:\Windows\SysWOW64\Hginecde.exe C:\Windows\SysWOW64\Higjaoci.exe
PID 2912 wrote to memory of 4368 N/A C:\Windows\SysWOW64\Hginecde.exe C:\Windows\SysWOW64\Higjaoci.exe
PID 4368 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Higjaoci.exe C:\Windows\SysWOW64\Hdokdg32.exe
PID 4368 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Higjaoci.exe C:\Windows\SysWOW64\Hdokdg32.exe
PID 4368 wrote to memory of 2464 N/A C:\Windows\SysWOW64\Higjaoci.exe C:\Windows\SysWOW64\Hdokdg32.exe
PID 2464 wrote to memory of 3276 N/A C:\Windows\SysWOW64\Hdokdg32.exe C:\Windows\SysWOW64\Hildmn32.exe
PID 2464 wrote to memory of 3276 N/A C:\Windows\SysWOW64\Hdokdg32.exe C:\Windows\SysWOW64\Hildmn32.exe
PID 2464 wrote to memory of 3276 N/A C:\Windows\SysWOW64\Hdokdg32.exe C:\Windows\SysWOW64\Hildmn32.exe
PID 3276 wrote to memory of 2068 N/A C:\Windows\SysWOW64\Hildmn32.exe C:\Windows\SysWOW64\Iphioh32.exe
PID 3276 wrote to memory of 2068 N/A C:\Windows\SysWOW64\Hildmn32.exe C:\Windows\SysWOW64\Iphioh32.exe
PID 3276 wrote to memory of 2068 N/A C:\Windows\SysWOW64\Hildmn32.exe C:\Windows\SysWOW64\Iphioh32.exe
PID 2068 wrote to memory of 3484 N/A C:\Windows\SysWOW64\Iphioh32.exe C:\Windows\SysWOW64\Icfekc32.exe
PID 2068 wrote to memory of 3484 N/A C:\Windows\SysWOW64\Iphioh32.exe C:\Windows\SysWOW64\Icfekc32.exe
PID 2068 wrote to memory of 3484 N/A C:\Windows\SysWOW64\Iphioh32.exe C:\Windows\SysWOW64\Icfekc32.exe
PID 3484 wrote to memory of 2996 N/A C:\Windows\SysWOW64\Icfekc32.exe C:\Windows\SysWOW64\Ijqmhnko.exe
PID 3484 wrote to memory of 2996 N/A C:\Windows\SysWOW64\Icfekc32.exe C:\Windows\SysWOW64\Ijqmhnko.exe
PID 3484 wrote to memory of 2996 N/A C:\Windows\SysWOW64\Icfekc32.exe C:\Windows\SysWOW64\Ijqmhnko.exe
PID 2996 wrote to memory of 3008 N/A C:\Windows\SysWOW64\Ijqmhnko.exe C:\Windows\SysWOW64\Ipjedh32.exe
PID 2996 wrote to memory of 3008 N/A C:\Windows\SysWOW64\Ijqmhnko.exe C:\Windows\SysWOW64\Ipjedh32.exe
PID 2996 wrote to memory of 3008 N/A C:\Windows\SysWOW64\Ijqmhnko.exe C:\Windows\SysWOW64\Ipjedh32.exe
PID 3008 wrote to memory of 4472 N/A C:\Windows\SysWOW64\Ipjedh32.exe C:\Windows\SysWOW64\Iciaqc32.exe
PID 3008 wrote to memory of 4472 N/A C:\Windows\SysWOW64\Ipjedh32.exe C:\Windows\SysWOW64\Iciaqc32.exe
PID 3008 wrote to memory of 4472 N/A C:\Windows\SysWOW64\Ipjedh32.exe C:\Windows\SysWOW64\Iciaqc32.exe
PID 4472 wrote to memory of 4816 N/A C:\Windows\SysWOW64\Iciaqc32.exe C:\Windows\SysWOW64\Ijcjmmil.exe
PID 4472 wrote to memory of 4816 N/A C:\Windows\SysWOW64\Iciaqc32.exe C:\Windows\SysWOW64\Ijcjmmil.exe
PID 4472 wrote to memory of 4816 N/A C:\Windows\SysWOW64\Iciaqc32.exe C:\Windows\SysWOW64\Ijcjmmil.exe
PID 4816 wrote to memory of 4684 N/A C:\Windows\SysWOW64\Ijcjmmil.exe C:\Windows\SysWOW64\Ilafiihp.exe
PID 4816 wrote to memory of 4684 N/A C:\Windows\SysWOW64\Ijcjmmil.exe C:\Windows\SysWOW64\Ilafiihp.exe
PID 4816 wrote to memory of 4684 N/A C:\Windows\SysWOW64\Ijcjmmil.exe C:\Windows\SysWOW64\Ilafiihp.exe
PID 4684 wrote to memory of 3168 N/A C:\Windows\SysWOW64\Ilafiihp.exe C:\Windows\SysWOW64\Icknfcol.exe
PID 4684 wrote to memory of 3168 N/A C:\Windows\SysWOW64\Ilafiihp.exe C:\Windows\SysWOW64\Icknfcol.exe
PID 4684 wrote to memory of 3168 N/A C:\Windows\SysWOW64\Ilafiihp.exe C:\Windows\SysWOW64\Icknfcol.exe
PID 3168 wrote to memory of 5020 N/A C:\Windows\SysWOW64\Icknfcol.exe C:\Windows\SysWOW64\Ikbfgppo.exe
PID 3168 wrote to memory of 5020 N/A C:\Windows\SysWOW64\Icknfcol.exe C:\Windows\SysWOW64\Ikbfgppo.exe
PID 3168 wrote to memory of 5020 N/A C:\Windows\SysWOW64\Icknfcol.exe C:\Windows\SysWOW64\Ikbfgppo.exe
PID 5020 wrote to memory of 4624 N/A C:\Windows\SysWOW64\Ikbfgppo.exe C:\Windows\SysWOW64\Inqbclob.exe
PID 5020 wrote to memory of 4624 N/A C:\Windows\SysWOW64\Ikbfgppo.exe C:\Windows\SysWOW64\Inqbclob.exe
PID 5020 wrote to memory of 4624 N/A C:\Windows\SysWOW64\Ikbfgppo.exe C:\Windows\SysWOW64\Inqbclob.exe
PID 4624 wrote to memory of 676 N/A C:\Windows\SysWOW64\Inqbclob.exe C:\Windows\SysWOW64\Ilccoh32.exe
PID 4624 wrote to memory of 676 N/A C:\Windows\SysWOW64\Inqbclob.exe C:\Windows\SysWOW64\Ilccoh32.exe
PID 4624 wrote to memory of 676 N/A C:\Windows\SysWOW64\Inqbclob.exe C:\Windows\SysWOW64\Ilccoh32.exe
PID 676 wrote to memory of 3080 N/A C:\Windows\SysWOW64\Ilccoh32.exe C:\Windows\SysWOW64\Icnklbmj.exe
PID 676 wrote to memory of 3080 N/A C:\Windows\SysWOW64\Ilccoh32.exe C:\Windows\SysWOW64\Icnklbmj.exe
PID 676 wrote to memory of 3080 N/A C:\Windows\SysWOW64\Ilccoh32.exe C:\Windows\SysWOW64\Icnklbmj.exe
PID 3080 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Icnklbmj.exe C:\Windows\SysWOW64\Ikdcmpnl.exe
PID 3080 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Icnklbmj.exe C:\Windows\SysWOW64\Ikdcmpnl.exe
PID 3080 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Icnklbmj.exe C:\Windows\SysWOW64\Ikdcmpnl.exe
PID 1648 wrote to memory of 4732 N/A C:\Windows\SysWOW64\Ikdcmpnl.exe C:\Windows\SysWOW64\Jjgchm32.exe
PID 1648 wrote to memory of 4732 N/A C:\Windows\SysWOW64\Ikdcmpnl.exe C:\Windows\SysWOW64\Jjgchm32.exe
PID 1648 wrote to memory of 4732 N/A C:\Windows\SysWOW64\Ikdcmpnl.exe C:\Windows\SysWOW64\Jjgchm32.exe
PID 4732 wrote to memory of 112 N/A C:\Windows\SysWOW64\Jjgchm32.exe C:\Windows\SysWOW64\Jlfpdh32.exe
PID 4732 wrote to memory of 112 N/A C:\Windows\SysWOW64\Jjgchm32.exe C:\Windows\SysWOW64\Jlfpdh32.exe
PID 4732 wrote to memory of 112 N/A C:\Windows\SysWOW64\Jjgchm32.exe C:\Windows\SysWOW64\Jlfpdh32.exe
PID 112 wrote to memory of 4948 N/A C:\Windows\SysWOW64\Jlfpdh32.exe C:\Windows\SysWOW64\Jdmgfedl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe

"C:\Users\Admin\AppData\Local\Temp\be78ae62a9251d4e2c4d1081d663b443365795352ec12448e8b8521bd949114bN.exe"

C:\Windows\SysWOW64\Hbhijepa.exe

C:\Windows\system32\Hbhijepa.exe

C:\Windows\SysWOW64\Hibafp32.exe

C:\Windows\system32\Hibafp32.exe

C:\Windows\SysWOW64\Hginecde.exe

C:\Windows\system32\Hginecde.exe

C:\Windows\SysWOW64\Higjaoci.exe

C:\Windows\system32\Higjaoci.exe

C:\Windows\SysWOW64\Hdokdg32.exe

C:\Windows\system32\Hdokdg32.exe

C:\Windows\SysWOW64\Hildmn32.exe

C:\Windows\system32\Hildmn32.exe

C:\Windows\SysWOW64\Iphioh32.exe

C:\Windows\system32\Iphioh32.exe

C:\Windows\SysWOW64\Icfekc32.exe

C:\Windows\system32\Icfekc32.exe

C:\Windows\SysWOW64\Ijqmhnko.exe

C:\Windows\system32\Ijqmhnko.exe

C:\Windows\SysWOW64\Ipjedh32.exe

C:\Windows\system32\Ipjedh32.exe

C:\Windows\SysWOW64\Iciaqc32.exe

C:\Windows\system32\Iciaqc32.exe

C:\Windows\SysWOW64\Ijcjmmil.exe

C:\Windows\system32\Ijcjmmil.exe

C:\Windows\SysWOW64\Ilafiihp.exe

C:\Windows\system32\Ilafiihp.exe

C:\Windows\SysWOW64\Icknfcol.exe

C:\Windows\system32\Icknfcol.exe

C:\Windows\SysWOW64\Ikbfgppo.exe

C:\Windows\system32\Ikbfgppo.exe

C:\Windows\SysWOW64\Inqbclob.exe

C:\Windows\system32\Inqbclob.exe

C:\Windows\SysWOW64\Ilccoh32.exe

C:\Windows\system32\Ilccoh32.exe

C:\Windows\SysWOW64\Icnklbmj.exe

C:\Windows\system32\Icnklbmj.exe

C:\Windows\SysWOW64\Ikdcmpnl.exe

C:\Windows\system32\Ikdcmpnl.exe

C:\Windows\SysWOW64\Jjgchm32.exe

C:\Windows\system32\Jjgchm32.exe

C:\Windows\SysWOW64\Jlfpdh32.exe

C:\Windows\system32\Jlfpdh32.exe

C:\Windows\SysWOW64\Jdmgfedl.exe

C:\Windows\system32\Jdmgfedl.exe

C:\Windows\SysWOW64\Jgkdbacp.exe

C:\Windows\system32\Jgkdbacp.exe

C:\Windows\SysWOW64\Jjjpnlbd.exe

C:\Windows\system32\Jjjpnlbd.exe

C:\Windows\SysWOW64\Jnelok32.exe

C:\Windows\system32\Jnelok32.exe

C:\Windows\SysWOW64\Jpdhkf32.exe

C:\Windows\system32\Jpdhkf32.exe

C:\Windows\SysWOW64\Jcbdgb32.exe

C:\Windows\system32\Jcbdgb32.exe

C:\Windows\SysWOW64\Jkimho32.exe

C:\Windows\system32\Jkimho32.exe

C:\Windows\SysWOW64\Jnhidk32.exe

C:\Windows\system32\Jnhidk32.exe

C:\Windows\SysWOW64\Jdaaaeqg.exe

C:\Windows\system32\Jdaaaeqg.exe

C:\Windows\SysWOW64\Jcdala32.exe

C:\Windows\system32\Jcdala32.exe

C:\Windows\SysWOW64\Jklinohd.exe

C:\Windows\system32\Jklinohd.exe

C:\Windows\SysWOW64\Jnjejjgh.exe

C:\Windows\system32\Jnjejjgh.exe

C:\Windows\SysWOW64\Jqhafffk.exe

C:\Windows\system32\Jqhafffk.exe

C:\Windows\SysWOW64\Jcgnbaeo.exe

C:\Windows\system32\Jcgnbaeo.exe

C:\Windows\SysWOW64\Jknfcofa.exe

C:\Windows\system32\Jknfcofa.exe

C:\Windows\SysWOW64\Jnlbojee.exe

C:\Windows\system32\Jnlbojee.exe

C:\Windows\SysWOW64\Jqknkedi.exe

C:\Windows\system32\Jqknkedi.exe

C:\Windows\SysWOW64\Jdfjld32.exe

C:\Windows\system32\Jdfjld32.exe

C:\Windows\SysWOW64\Kkpbin32.exe

C:\Windows\system32\Kkpbin32.exe

C:\Windows\SysWOW64\Knooej32.exe

C:\Windows\system32\Knooej32.exe

C:\Windows\SysWOW64\Kqmkae32.exe

C:\Windows\system32\Kqmkae32.exe

C:\Windows\SysWOW64\Kclgmq32.exe

C:\Windows\system32\Kclgmq32.exe

C:\Windows\SysWOW64\Kkconn32.exe

C:\Windows\system32\Kkconn32.exe

C:\Windows\SysWOW64\Knalji32.exe

C:\Windows\system32\Knalji32.exe

C:\Windows\SysWOW64\Kqphfe32.exe

C:\Windows\system32\Kqphfe32.exe

C:\Windows\SysWOW64\Kcndbp32.exe

C:\Windows\system32\Kcndbp32.exe

C:\Windows\SysWOW64\Kkeldnpi.exe

C:\Windows\system32\Kkeldnpi.exe

C:\Windows\SysWOW64\Knchpiom.exe

C:\Windows\system32\Knchpiom.exe

C:\Windows\SysWOW64\Kqbdldnq.exe

C:\Windows\system32\Kqbdldnq.exe

C:\Windows\SysWOW64\Kglmio32.exe

C:\Windows\system32\Kglmio32.exe

C:\Windows\SysWOW64\Kjjiej32.exe

C:\Windows\system32\Kjjiej32.exe

C:\Windows\SysWOW64\Kmieae32.exe

C:\Windows\system32\Kmieae32.exe

C:\Windows\SysWOW64\Kdpmbc32.exe

C:\Windows\system32\Kdpmbc32.exe

C:\Windows\SysWOW64\Kgninn32.exe

C:\Windows\system32\Kgninn32.exe

C:\Windows\SysWOW64\Kjmfjj32.exe

C:\Windows\system32\Kjmfjj32.exe

C:\Windows\SysWOW64\Kmkbfeab.exe

C:\Windows\system32\Kmkbfeab.exe

C:\Windows\SysWOW64\Kcejco32.exe

C:\Windows\system32\Kcejco32.exe

C:\Windows\SysWOW64\Lklbdm32.exe

C:\Windows\system32\Lklbdm32.exe

C:\Windows\SysWOW64\Lnjnqh32.exe

C:\Windows\system32\Lnjnqh32.exe

C:\Windows\SysWOW64\Lknojl32.exe

C:\Windows\system32\Lknojl32.exe

C:\Windows\SysWOW64\Lnmkfh32.exe

C:\Windows\system32\Lnmkfh32.exe

C:\Windows\SysWOW64\Lqkgbcff.exe

C:\Windows\system32\Lqkgbcff.exe

C:\Windows\SysWOW64\Lcjcnoej.exe

C:\Windows\system32\Lcjcnoej.exe

C:\Windows\SysWOW64\Lkalplel.exe

C:\Windows\system32\Lkalplel.exe

C:\Windows\SysWOW64\Lnohlgep.exe

C:\Windows\system32\Lnohlgep.exe

C:\Windows\SysWOW64\Lmbhgd32.exe

C:\Windows\system32\Lmbhgd32.exe

C:\Windows\SysWOW64\Ldipha32.exe

C:\Windows\system32\Ldipha32.exe

C:\Windows\SysWOW64\Lggldm32.exe

C:\Windows\system32\Lggldm32.exe

C:\Windows\SysWOW64\Ljfhqh32.exe

C:\Windows\system32\Ljfhqh32.exe

C:\Windows\SysWOW64\Lmdemd32.exe

C:\Windows\system32\Lmdemd32.exe

C:\Windows\SysWOW64\Lekmnajj.exe

C:\Windows\system32\Lekmnajj.exe

C:\Windows\SysWOW64\Lgjijmin.exe

C:\Windows\system32\Lgjijmin.exe

C:\Windows\SysWOW64\Mmkkmc32.exe

C:\Windows\system32\Mmkkmc32.exe

C:\Windows\SysWOW64\Mcecjmkl.exe

C:\Windows\system32\Mcecjmkl.exe

C:\Windows\SysWOW64\Mkmkkjko.exe

C:\Windows\system32\Mkmkkjko.exe

C:\Windows\SysWOW64\Mmnhcb32.exe

C:\Windows\system32\Mmnhcb32.exe

C:\Windows\SysWOW64\Mkohaj32.exe

C:\Windows\system32\Mkohaj32.exe

C:\Windows\SysWOW64\Mmpdhboj.exe

C:\Windows\system32\Mmpdhboj.exe

C:\Windows\SysWOW64\Mgehfkop.exe

C:\Windows\system32\Mgehfkop.exe

C:\Windows\SysWOW64\Mnpabe32.exe

C:\Windows\system32\Mnpabe32.exe

C:\Windows\SysWOW64\Meiioonj.exe

C:\Windows\system32\Meiioonj.exe

C:\Windows\SysWOW64\Nghekkmn.exe

C:\Windows\system32\Nghekkmn.exe

C:\Windows\SysWOW64\Nnbnhedj.exe

C:\Windows\system32\Nnbnhedj.exe

C:\Windows\SysWOW64\Napjdpcn.exe

C:\Windows\system32\Napjdpcn.exe

C:\Windows\SysWOW64\Njinmf32.exe

C:\Windows\system32\Njinmf32.exe

C:\Windows\SysWOW64\Nabfjpak.exe

C:\Windows\system32\Nabfjpak.exe

C:\Windows\SysWOW64\Nhmofj32.exe

C:\Windows\system32\Nhmofj32.exe

C:\Windows\SysWOW64\Njkkbehl.exe

C:\Windows\system32\Njkkbehl.exe

C:\Windows\SysWOW64\Naecop32.exe

C:\Windows\system32\Naecop32.exe

C:\Windows\SysWOW64\Neqopnhb.exe

C:\Windows\system32\Neqopnhb.exe

C:\Windows\SysWOW64\Njmhhefi.exe

C:\Windows\system32\Njmhhefi.exe

C:\Windows\SysWOW64\Nmlddqem.exe

C:\Windows\system32\Nmlddqem.exe

C:\Windows\SysWOW64\Neclenfo.exe

C:\Windows\system32\Neclenfo.exe

C:\Windows\SysWOW64\Nhahaiec.exe

C:\Windows\system32\Nhahaiec.exe

C:\Windows\SysWOW64\Njpdnedf.exe

C:\Windows\system32\Njpdnedf.exe

C:\Windows\SysWOW64\Nmnqjp32.exe

C:\Windows\system32\Nmnqjp32.exe

C:\Windows\SysWOW64\Oeehkn32.exe

C:\Windows\system32\Oeehkn32.exe

C:\Windows\SysWOW64\Ohcegi32.exe

C:\Windows\system32\Ohcegi32.exe

C:\Windows\SysWOW64\Ojbacd32.exe

C:\Windows\system32\Ojbacd32.exe

C:\Windows\SysWOW64\Omqmop32.exe

C:\Windows\system32\Omqmop32.exe

C:\Windows\SysWOW64\Oalipoiq.exe

C:\Windows\system32\Oalipoiq.exe

C:\Windows\SysWOW64\Ohfami32.exe

C:\Windows\system32\Ohfami32.exe

C:\Windows\SysWOW64\Ojdnid32.exe

C:\Windows\system32\Ojdnid32.exe

C:\Windows\SysWOW64\Oanfen32.exe

C:\Windows\system32\Oanfen32.exe

C:\Windows\SysWOW64\Odmbaj32.exe

C:\Windows\system32\Odmbaj32.exe

C:\Windows\SysWOW64\Ohhnbhok.exe

C:\Windows\system32\Ohhnbhok.exe

C:\Windows\SysWOW64\Oaqbkn32.exe

C:\Windows\system32\Oaqbkn32.exe

C:\Windows\SysWOW64\Odoogi32.exe

C:\Windows\system32\Odoogi32.exe

C:\Windows\SysWOW64\Oodcdb32.exe

C:\Windows\system32\Oodcdb32.exe

C:\Windows\SysWOW64\Oacoqnci.exe

C:\Windows\system32\Oacoqnci.exe

C:\Windows\SysWOW64\Ohmhmh32.exe

C:\Windows\system32\Ohmhmh32.exe

C:\Windows\SysWOW64\Omjpeo32.exe

C:\Windows\system32\Omjpeo32.exe

C:\Windows\SysWOW64\Peahgl32.exe

C:\Windows\system32\Peahgl32.exe

C:\Windows\SysWOW64\Phodcg32.exe

C:\Windows\system32\Phodcg32.exe

C:\Windows\SysWOW64\Pmlmkn32.exe

C:\Windows\system32\Pmlmkn32.exe

C:\Windows\SysWOW64\Pdfehh32.exe

C:\Windows\system32\Pdfehh32.exe

C:\Windows\SysWOW64\Pkpmdbfd.exe

C:\Windows\system32\Pkpmdbfd.exe

C:\Windows\SysWOW64\Pajeam32.exe

C:\Windows\system32\Pajeam32.exe

C:\Windows\SysWOW64\Phdnngdn.exe

C:\Windows\system32\Phdnngdn.exe

C:\Windows\SysWOW64\Pkbjjbda.exe

C:\Windows\system32\Pkbjjbda.exe

C:\Windows\SysWOW64\Pmaffnce.exe

C:\Windows\system32\Pmaffnce.exe

C:\Windows\SysWOW64\Plbfdekd.exe

C:\Windows\system32\Plbfdekd.exe

C:\Windows\SysWOW64\Popbpqjh.exe

C:\Windows\system32\Popbpqjh.exe

C:\Windows\SysWOW64\Paoollik.exe

C:\Windows\system32\Paoollik.exe

C:\Windows\SysWOW64\Pldcjeia.exe

C:\Windows\system32\Pldcjeia.exe

C:\Windows\SysWOW64\Pocpfphe.exe

C:\Windows\system32\Pocpfphe.exe

C:\Windows\SysWOW64\Qaalblgi.exe

C:\Windows\system32\Qaalblgi.exe

C:\Windows\SysWOW64\Qemhbj32.exe

C:\Windows\system32\Qemhbj32.exe

C:\Windows\SysWOW64\Qhkdof32.exe

C:\Windows\system32\Qhkdof32.exe

C:\Windows\SysWOW64\Qkipkani.exe

C:\Windows\system32\Qkipkani.exe

C:\Windows\SysWOW64\Qachgk32.exe

C:\Windows\system32\Qachgk32.exe

C:\Windows\SysWOW64\Qdbdcg32.exe

C:\Windows\system32\Qdbdcg32.exe

C:\Windows\SysWOW64\Qlimed32.exe

C:\Windows\system32\Qlimed32.exe

C:\Windows\SysWOW64\Aogiap32.exe

C:\Windows\system32\Aogiap32.exe

C:\Windows\SysWOW64\Aafemk32.exe

C:\Windows\system32\Aafemk32.exe

C:\Windows\SysWOW64\Ahpmjejp.exe

C:\Windows\system32\Ahpmjejp.exe

C:\Windows\SysWOW64\Aknifq32.exe

C:\Windows\system32\Aknifq32.exe

C:\Windows\SysWOW64\Anmfbl32.exe

C:\Windows\system32\Anmfbl32.exe

C:\Windows\SysWOW64\Aednci32.exe

C:\Windows\system32\Aednci32.exe

C:\Windows\SysWOW64\Ahbjoe32.exe

C:\Windows\system32\Ahbjoe32.exe

C:\Windows\SysWOW64\Alnfpcag.exe

C:\Windows\system32\Alnfpcag.exe

C:\Windows\SysWOW64\Aolblopj.exe

C:\Windows\system32\Aolblopj.exe

C:\Windows\SysWOW64\Aajohjon.exe

C:\Windows\system32\Aajohjon.exe

C:\Windows\SysWOW64\Adikdfna.exe

C:\Windows\system32\Adikdfna.exe

C:\Windows\SysWOW64\Alpbecod.exe

C:\Windows\system32\Alpbecod.exe

C:\Windows\SysWOW64\Aonoao32.exe

C:\Windows\system32\Aonoao32.exe

C:\Windows\SysWOW64\Aamknj32.exe

C:\Windows\system32\Aamknj32.exe

C:\Windows\SysWOW64\Adkgje32.exe

C:\Windows\system32\Adkgje32.exe

C:\Windows\SysWOW64\Albpkc32.exe

C:\Windows\system32\Albpkc32.exe

C:\Windows\SysWOW64\Aoalgn32.exe

C:\Windows\system32\Aoalgn32.exe

C:\Windows\SysWOW64\Aekddhcb.exe

C:\Windows\system32\Aekddhcb.exe

C:\Windows\SysWOW64\Alelqb32.exe

C:\Windows\system32\Alelqb32.exe

C:\Windows\SysWOW64\Bdpaeehj.exe

C:\Windows\system32\Bdpaeehj.exe

C:\Windows\SysWOW64\Blgifbil.exe

C:\Windows\system32\Blgifbil.exe

C:\Windows\SysWOW64\Boeebnhp.exe

C:\Windows\system32\Boeebnhp.exe

C:\Windows\SysWOW64\Badanigc.exe

C:\Windows\system32\Badanigc.exe

C:\Windows\SysWOW64\Bdbnjdfg.exe

C:\Windows\system32\Bdbnjdfg.exe

C:\Windows\SysWOW64\Blielbfi.exe

C:\Windows\system32\Blielbfi.exe

C:\Windows\SysWOW64\Bohbhmfm.exe

C:\Windows\system32\Bohbhmfm.exe

C:\Windows\SysWOW64\Bafndi32.exe

C:\Windows\system32\Bafndi32.exe

C:\Windows\SysWOW64\Bddjpd32.exe

C:\Windows\system32\Bddjpd32.exe

C:\Windows\SysWOW64\Bllbaa32.exe

C:\Windows\system32\Bllbaa32.exe

C:\Windows\SysWOW64\Bojomm32.exe

C:\Windows\system32\Bojomm32.exe

C:\Windows\SysWOW64\Bahkih32.exe

C:\Windows\system32\Bahkih32.exe

C:\Windows\SysWOW64\Bdgged32.exe

C:\Windows\system32\Bdgged32.exe

C:\Windows\SysWOW64\Bkaobnio.exe

C:\Windows\system32\Bkaobnio.exe

C:\Windows\SysWOW64\Bnoknihb.exe

C:\Windows\system32\Bnoknihb.exe

C:\Windows\SysWOW64\Bffcpg32.exe

C:\Windows\system32\Bffcpg32.exe

C:\Windows\SysWOW64\Bheplb32.exe

C:\Windows\system32\Bheplb32.exe

C:\Windows\SysWOW64\Ckclhn32.exe

C:\Windows\system32\Ckclhn32.exe

C:\Windows\SysWOW64\Cnahdi32.exe

C:\Windows\system32\Cnahdi32.exe

C:\Windows\SysWOW64\Cfipef32.exe

C:\Windows\system32\Cfipef32.exe

C:\Windows\SysWOW64\Chglab32.exe

C:\Windows\system32\Chglab32.exe

C:\Windows\SysWOW64\Ckeimm32.exe

C:\Windows\system32\Ckeimm32.exe

C:\Windows\SysWOW64\Cndeii32.exe

C:\Windows\system32\Cndeii32.exe

C:\Windows\SysWOW64\Cdnmfclj.exe

C:\Windows\system32\Cdnmfclj.exe

C:\Windows\SysWOW64\Ckhecmcf.exe

C:\Windows\system32\Ckhecmcf.exe

C:\Windows\SysWOW64\Cnfaohbj.exe

C:\Windows\system32\Cnfaohbj.exe

C:\Windows\SysWOW64\Cfnjpfcl.exe

C:\Windows\system32\Cfnjpfcl.exe

C:\Windows\SysWOW64\Clgbmp32.exe

C:\Windows\system32\Clgbmp32.exe

C:\Windows\SysWOW64\Cofnik32.exe

C:\Windows\system32\Cofnik32.exe

C:\Windows\SysWOW64\Cbdjeg32.exe

C:\Windows\system32\Cbdjeg32.exe

C:\Windows\SysWOW64\Cdbfab32.exe

C:\Windows\system32\Cdbfab32.exe

C:\Windows\SysWOW64\Cljobphg.exe

C:\Windows\system32\Cljobphg.exe

C:\Windows\SysWOW64\Cnkkjh32.exe

C:\Windows\system32\Cnkkjh32.exe

C:\Windows\SysWOW64\Cfbcke32.exe

C:\Windows\system32\Cfbcke32.exe

C:\Windows\SysWOW64\Chqogq32.exe

C:\Windows\system32\Chqogq32.exe

C:\Windows\SysWOW64\Dkokcl32.exe

C:\Windows\system32\Dkokcl32.exe

C:\Windows\SysWOW64\Dokgdkeh.exe

C:\Windows\system32\Dokgdkeh.exe

C:\Windows\SysWOW64\Dbicpfdk.exe

C:\Windows\system32\Dbicpfdk.exe

C:\Windows\SysWOW64\Ddgplado.exe

C:\Windows\system32\Ddgplado.exe

C:\Windows\SysWOW64\Dmohno32.exe

C:\Windows\system32\Dmohno32.exe

C:\Windows\SysWOW64\Domdjj32.exe

C:\Windows\system32\Domdjj32.exe

C:\Windows\SysWOW64\Dbkqfe32.exe

C:\Windows\system32\Dbkqfe32.exe

C:\Windows\SysWOW64\Ddjmba32.exe

C:\Windows\system32\Ddjmba32.exe

C:\Windows\SysWOW64\Dooaoj32.exe

C:\Windows\system32\Dooaoj32.exe

C:\Windows\SysWOW64\Digehphc.exe

C:\Windows\system32\Digehphc.exe

C:\Windows\SysWOW64\Doaneiop.exe

C:\Windows\system32\Doaneiop.exe

C:\Windows\SysWOW64\Dkhnjk32.exe

C:\Windows\system32\Dkhnjk32.exe

C:\Windows\SysWOW64\Emhkdmlg.exe

C:\Windows\system32\Emhkdmlg.exe

C:\Windows\SysWOW64\Ebdcld32.exe

C:\Windows\system32\Ebdcld32.exe

C:\Windows\SysWOW64\Emjgim32.exe

C:\Windows\system32\Emjgim32.exe

C:\Windows\SysWOW64\Ebgpad32.exe

C:\Windows\system32\Ebgpad32.exe

C:\Windows\SysWOW64\Eeelnp32.exe

C:\Windows\system32\Eeelnp32.exe

C:\Windows\SysWOW64\Ennqfenp.exe

C:\Windows\system32\Ennqfenp.exe

C:\Windows\SysWOW64\Eicedn32.exe

C:\Windows\system32\Eicedn32.exe

C:\Windows\SysWOW64\Emanjldl.exe

C:\Windows\system32\Emanjldl.exe

C:\Windows\SysWOW64\Enbjad32.exe

C:\Windows\system32\Enbjad32.exe

C:\Windows\SysWOW64\Fihnomjp.exe

C:\Windows\system32\Fihnomjp.exe

C:\Windows\SysWOW64\Fpbflg32.exe

C:\Windows\system32\Fpbflg32.exe

C:\Windows\SysWOW64\Fflohaij.exe

C:\Windows\system32\Fflohaij.exe

C:\Windows\SysWOW64\Fligqhga.exe

C:\Windows\system32\Fligqhga.exe

C:\Windows\SysWOW64\Fbbpmb32.exe

C:\Windows\system32\Fbbpmb32.exe

C:\Windows\SysWOW64\Fpgpgfmh.exe

C:\Windows\system32\Fpgpgfmh.exe

C:\Windows\SysWOW64\Fechomko.exe

C:\Windows\system32\Fechomko.exe

C:\Windows\SysWOW64\Fnlmhc32.exe

C:\Windows\system32\Fnlmhc32.exe

C:\Windows\SysWOW64\Fbgihaji.exe

C:\Windows\system32\Fbgihaji.exe

C:\Windows\SysWOW64\Fmmmfj32.exe

C:\Windows\system32\Fmmmfj32.exe

C:\Windows\SysWOW64\Fnnjmbpm.exe

C:\Windows\system32\Fnnjmbpm.exe

C:\Windows\SysWOW64\Gidnkkpc.exe

C:\Windows\system32\Gidnkkpc.exe

C:\Windows\SysWOW64\Gpnfge32.exe

C:\Windows\system32\Gpnfge32.exe

C:\Windows\SysWOW64\Gblbca32.exe

C:\Windows\system32\Gblbca32.exe

C:\Windows\SysWOW64\Gejopl32.exe

C:\Windows\system32\Gejopl32.exe

C:\Windows\SysWOW64\Gldglf32.exe

C:\Windows\system32\Gldglf32.exe

C:\Windows\SysWOW64\Gemkelcd.exe

C:\Windows\system32\Gemkelcd.exe

C:\Windows\SysWOW64\Gmdcfidg.exe

C:\Windows\system32\Gmdcfidg.exe

C:\Windows\SysWOW64\Gpbpbecj.exe

C:\Windows\system32\Gpbpbecj.exe

C:\Windows\SysWOW64\Gbalopbn.exe

C:\Windows\system32\Gbalopbn.exe

C:\Windows\SysWOW64\Gbchdp32.exe

C:\Windows\system32\Gbchdp32.exe

C:\Windows\SysWOW64\Geaepk32.exe

C:\Windows\system32\Geaepk32.exe

C:\Windows\SysWOW64\Gpgind32.exe

C:\Windows\system32\Gpgind32.exe

C:\Windows\SysWOW64\Hfaajnfb.exe

C:\Windows\system32\Hfaajnfb.exe

C:\Windows\SysWOW64\Hfcnpn32.exe

C:\Windows\system32\Hfcnpn32.exe

C:\Windows\SysWOW64\Hplbickp.exe

C:\Windows\system32\Hplbickp.exe

C:\Windows\SysWOW64\Hbjoeojc.exe

C:\Windows\system32\Hbjoeojc.exe

C:\Windows\SysWOW64\Hmpcbhji.exe

C:\Windows\system32\Hmpcbhji.exe

C:\Windows\SysWOW64\Hekgfj32.exe

C:\Windows\system32\Hekgfj32.exe

C:\Windows\SysWOW64\Hpqldc32.exe

C:\Windows\system32\Hpqldc32.exe

C:\Windows\SysWOW64\Hiipmhmk.exe

C:\Windows\system32\Hiipmhmk.exe

C:\Windows\SysWOW64\Hlglidlo.exe

C:\Windows\system32\Hlglidlo.exe

C:\Windows\SysWOW64\Iepaaico.exe

C:\Windows\system32\Iepaaico.exe

C:\Windows\SysWOW64\Iohejo32.exe

C:\Windows\system32\Iohejo32.exe

C:\Windows\SysWOW64\Iebngial.exe

C:\Windows\system32\Iebngial.exe

C:\Windows\SysWOW64\Illfdc32.exe

C:\Windows\system32\Illfdc32.exe

C:\Windows\SysWOW64\Igdgglfl.exe

C:\Windows\system32\Igdgglfl.exe

C:\Windows\SysWOW64\Imnocf32.exe

C:\Windows\system32\Imnocf32.exe

C:\Windows\SysWOW64\Iidphgcn.exe

C:\Windows\system32\Iidphgcn.exe

C:\Windows\SysWOW64\Ipoheakj.exe

C:\Windows\system32\Ipoheakj.exe

C:\Windows\SysWOW64\Jleijb32.exe

C:\Windows\system32\Jleijb32.exe

C:\Windows\SysWOW64\Jcoaglhk.exe

C:\Windows\system32\Jcoaglhk.exe

C:\Windows\SysWOW64\Jmeede32.exe

C:\Windows\system32\Jmeede32.exe

C:\Windows\SysWOW64\Jgmjmjnb.exe

C:\Windows\system32\Jgmjmjnb.exe

C:\Windows\SysWOW64\Jngbjd32.exe

C:\Windows\system32\Jngbjd32.exe

C:\Windows\SysWOW64\Jebfng32.exe

C:\Windows\system32\Jebfng32.exe

C:\Windows\SysWOW64\Jphkkpbp.exe

C:\Windows\system32\Jphkkpbp.exe

C:\Windows\SysWOW64\Jjpode32.exe

C:\Windows\system32\Jjpode32.exe

C:\Windows\SysWOW64\Kegpifod.exe

C:\Windows\system32\Kegpifod.exe

C:\Windows\SysWOW64\Kgflcifg.exe

C:\Windows\system32\Kgflcifg.exe

C:\Windows\SysWOW64\Kpoalo32.exe

C:\Windows\system32\Kpoalo32.exe

C:\Windows\SysWOW64\Kncaec32.exe

C:\Windows\system32\Kncaec32.exe

C:\Windows\SysWOW64\Kcpjnjii.exe

C:\Windows\system32\Kcpjnjii.exe

C:\Windows\SysWOW64\Kcbfcigf.exe

C:\Windows\system32\Kcbfcigf.exe

C:\Windows\SysWOW64\Lljklo32.exe

C:\Windows\system32\Lljklo32.exe

C:\Windows\SysWOW64\Lgpoihnl.exe

C:\Windows\system32\Lgpoihnl.exe

C:\Windows\SysWOW64\Ljnlecmp.exe

C:\Windows\system32\Ljnlecmp.exe

C:\Windows\SysWOW64\Lokdnjkg.exe

C:\Windows\system32\Lokdnjkg.exe

C:\Windows\SysWOW64\Lcgpni32.exe

C:\Windows\system32\Lcgpni32.exe

C:\Windows\SysWOW64\Lfeljd32.exe

C:\Windows\system32\Lfeljd32.exe

C:\Windows\SysWOW64\Lnldla32.exe

C:\Windows\system32\Lnldla32.exe

C:\Windows\SysWOW64\Lcimdh32.exe

C:\Windows\system32\Lcimdh32.exe

C:\Windows\SysWOW64\Lgdidgjg.exe

C:\Windows\system32\Lgdidgjg.exe

C:\Windows\SysWOW64\Ljeafb32.exe

C:\Windows\system32\Ljeafb32.exe

C:\Windows\SysWOW64\Mmfkhmdi.exe

C:\Windows\system32\Mmfkhmdi.exe

C:\Windows\SysWOW64\Mfnoqc32.exe

C:\Windows\system32\Mfnoqc32.exe

C:\Windows\SysWOW64\Mogcihaj.exe

C:\Windows\system32\Mogcihaj.exe

C:\Windows\SysWOW64\Mmkdcm32.exe

C:\Windows\system32\Mmkdcm32.exe

C:\Windows\SysWOW64\Mgphpe32.exe

C:\Windows\system32\Mgphpe32.exe

C:\Windows\SysWOW64\Mjodla32.exe

C:\Windows\system32\Mjodla32.exe

C:\Windows\SysWOW64\Monjjgkb.exe

C:\Windows\system32\Monjjgkb.exe

C:\Windows\SysWOW64\Mfhbga32.exe

C:\Windows\system32\Mfhbga32.exe

C:\Windows\SysWOW64\Mjcngpjh.exe

C:\Windows\system32\Mjcngpjh.exe

C:\Windows\SysWOW64\Nopfpgip.exe

C:\Windows\system32\Nopfpgip.exe

C:\Windows\SysWOW64\Nqpcjj32.exe

C:\Windows\system32\Nqpcjj32.exe

C:\Windows\SysWOW64\Nflkbanj.exe

C:\Windows\system32\Nflkbanj.exe

C:\Windows\SysWOW64\Ncqlkemc.exe

C:\Windows\system32\Ncqlkemc.exe

C:\Windows\SysWOW64\Nglhld32.exe

C:\Windows\system32\Nglhld32.exe

C:\Windows\SysWOW64\Ncchae32.exe

C:\Windows\system32\Ncchae32.exe

C:\Windows\SysWOW64\Npiiffqe.exe

C:\Windows\system32\Npiiffqe.exe

C:\Windows\SysWOW64\Omnjojpo.exe

C:\Windows\system32\Omnjojpo.exe

C:\Windows\SysWOW64\Ocgbld32.exe

C:\Windows\system32\Ocgbld32.exe

C:\Windows\SysWOW64\Ojajin32.exe

C:\Windows\system32\Ojajin32.exe

C:\Windows\SysWOW64\Opnbae32.exe

C:\Windows\system32\Opnbae32.exe

C:\Windows\SysWOW64\Ogekbb32.exe

C:\Windows\system32\Ogekbb32.exe

C:\Windows\SysWOW64\Ombcji32.exe

C:\Windows\system32\Ombcji32.exe

C:\Windows\SysWOW64\Oclkgccf.exe

C:\Windows\system32\Oclkgccf.exe

C:\Windows\SysWOW64\Ojfcdnjc.exe

C:\Windows\system32\Ojfcdnjc.exe

C:\Windows\SysWOW64\Oaplqh32.exe

C:\Windows\system32\Oaplqh32.exe

C:\Windows\SysWOW64\Ocohmc32.exe

C:\Windows\system32\Ocohmc32.exe

C:\Windows\SysWOW64\Omgmeigd.exe

C:\Windows\system32\Omgmeigd.exe

C:\Windows\SysWOW64\Ocaebc32.exe

C:\Windows\system32\Ocaebc32.exe

C:\Windows\SysWOW64\Pnfiplog.exe

C:\Windows\system32\Pnfiplog.exe

C:\Windows\SysWOW64\Ppgegd32.exe

C:\Windows\system32\Ppgegd32.exe

C:\Windows\SysWOW64\Pfandnla.exe

C:\Windows\system32\Pfandnla.exe

C:\Windows\SysWOW64\Pmlfqh32.exe

C:\Windows\system32\Pmlfqh32.exe

C:\Windows\SysWOW64\Ppjbmc32.exe

C:\Windows\system32\Ppjbmc32.exe

C:\Windows\SysWOW64\Phajna32.exe

C:\Windows\system32\Phajna32.exe

C:\Windows\SysWOW64\Pmnbfhal.exe

C:\Windows\system32\Pmnbfhal.exe

C:\Windows\SysWOW64\Phcgcqab.exe

C:\Windows\system32\Phcgcqab.exe

C:\Windows\SysWOW64\Pnmopk32.exe

C:\Windows\system32\Pnmopk32.exe

C:\Windows\SysWOW64\Ppolhcnm.exe

C:\Windows\system32\Ppolhcnm.exe

C:\Windows\SysWOW64\Pfiddm32.exe

C:\Windows\system32\Pfiddm32.exe

C:\Windows\SysWOW64\Pnplfj32.exe

C:\Windows\system32\Pnplfj32.exe

C:\Windows\SysWOW64\Panhbfep.exe

C:\Windows\system32\Panhbfep.exe

C:\Windows\SysWOW64\Ppahmb32.exe

C:\Windows\system32\Ppahmb32.exe

C:\Windows\SysWOW64\Qfkqjmdg.exe

C:\Windows\system32\Qfkqjmdg.exe

C:\Windows\SysWOW64\Qobhkjdi.exe

C:\Windows\system32\Qobhkjdi.exe

C:\Windows\SysWOW64\Qaqegecm.exe

C:\Windows\system32\Qaqegecm.exe

C:\Windows\SysWOW64\Qdoacabq.exe

C:\Windows\system32\Qdoacabq.exe

C:\Windows\SysWOW64\Qjiipk32.exe

C:\Windows\system32\Qjiipk32.exe

C:\Windows\SysWOW64\Qacameaj.exe

C:\Windows\system32\Qacameaj.exe

C:\Windows\SysWOW64\Ahmjjoig.exe

C:\Windows\system32\Ahmjjoig.exe

C:\Windows\SysWOW64\Aogbfi32.exe

C:\Windows\system32\Aogbfi32.exe

C:\Windows\SysWOW64\Adcjop32.exe

C:\Windows\system32\Adcjop32.exe

C:\Windows\SysWOW64\Adfgdpmi.exe

C:\Windows\system32\Adfgdpmi.exe

C:\Windows\SysWOW64\Akpoaj32.exe

C:\Windows\system32\Akpoaj32.exe

C:\Windows\SysWOW64\Amnlme32.exe

C:\Windows\system32\Amnlme32.exe

C:\Windows\SysWOW64\Adhdjpjf.exe

C:\Windows\system32\Adhdjpjf.exe

C:\Windows\SysWOW64\Aggpfkjj.exe

C:\Windows\system32\Aggpfkjj.exe

C:\Windows\SysWOW64\Amqhbe32.exe

C:\Windows\system32\Amqhbe32.exe

C:\Windows\SysWOW64\Apodoq32.exe

C:\Windows\system32\Apodoq32.exe

C:\Windows\SysWOW64\Ahfmpnql.exe

C:\Windows\system32\Ahfmpnql.exe

C:\Windows\SysWOW64\Akdilipp.exe

C:\Windows\system32\Akdilipp.exe

C:\Windows\SysWOW64\Aopemh32.exe

C:\Windows\system32\Aopemh32.exe

C:\Windows\SysWOW64\Apaadpng.exe

C:\Windows\system32\Apaadpng.exe

C:\Windows\SysWOW64\Bgkiaj32.exe

C:\Windows\system32\Bgkiaj32.exe

C:\Windows\SysWOW64\Bdojjo32.exe

C:\Windows\system32\Bdojjo32.exe

C:\Windows\SysWOW64\Bkibgh32.exe

C:\Windows\system32\Bkibgh32.exe

C:\Windows\SysWOW64\Bdagpnbk.exe

C:\Windows\system32\Bdagpnbk.exe

C:\Windows\SysWOW64\Bgpcliao.exe

C:\Windows\system32\Bgpcliao.exe

C:\Windows\SysWOW64\Bphgeo32.exe

C:\Windows\system32\Bphgeo32.exe

C:\Windows\SysWOW64\Bhpofl32.exe

C:\Windows\system32\Bhpofl32.exe

C:\Windows\SysWOW64\Boihcf32.exe

C:\Windows\system32\Boihcf32.exe

C:\Windows\SysWOW64\Bpkdjofm.exe

C:\Windows\system32\Bpkdjofm.exe

C:\Windows\SysWOW64\Bnoddcef.exe

C:\Windows\system32\Bnoddcef.exe

C:\Windows\SysWOW64\Chdialdl.exe

C:\Windows\system32\Chdialdl.exe

C:\Windows\SysWOW64\Cnaaib32.exe

C:\Windows\system32\Cnaaib32.exe

C:\Windows\SysWOW64\Cncnob32.exe

C:\Windows\system32\Cncnob32.exe

C:\Windows\SysWOW64\Chiblk32.exe

C:\Windows\system32\Chiblk32.exe

C:\Windows\SysWOW64\Cpdgqmnb.exe

C:\Windows\system32\Cpdgqmnb.exe

C:\Windows\SysWOW64\Cgnomg32.exe

C:\Windows\system32\Cgnomg32.exe

C:\Windows\SysWOW64\Cacckp32.exe

C:\Windows\system32\Cacckp32.exe

C:\Windows\SysWOW64\Chnlgjlb.exe

C:\Windows\system32\Chnlgjlb.exe

C:\Windows\SysWOW64\Cogddd32.exe

C:\Windows\system32\Cogddd32.exe

C:\Windows\SysWOW64\Cnjdpaki.exe

C:\Windows\system32\Cnjdpaki.exe

C:\Windows\SysWOW64\Dhphmj32.exe

C:\Windows\system32\Dhphmj32.exe

C:\Windows\SysWOW64\Dahmfpap.exe

C:\Windows\system32\Dahmfpap.exe

C:\Windows\SysWOW64\Ddgibkpc.exe

C:\Windows\system32\Ddgibkpc.exe

C:\Windows\SysWOW64\Dkqaoe32.exe

C:\Windows\system32\Dkqaoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1720 -ip 1720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 232

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/1956-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1956-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Hbhijepa.exe

MD5 844e401c63d1800e0bd059db6089453e
SHA1 89ecbf52b01e156203ba48586bd14ec876def5c0
SHA256 8759a2808b3d3516431dac909c31401609c5f87302cb0d6059f7e915f1eb082c
SHA512 61273295d01d73190fce617407c87bbfe53da416c46e9bbc9b51f73a76fd6888e0709abc254949567180dfb3346fb0a06d0d9a48f64e3b5ca350b5cb3f0ab1ce

memory/924-8-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Hibafp32.exe

MD5 6ef8692bcdcc1037033a7814901f9d15
SHA1 e2c54a9c1ddd370d7dbc5846b6c01788ebfdd212
SHA256 f2afc5a2cbf40fb9182978cef3f1041f9109e930c83b8f9421dcdf2b912225df
SHA512 e7fc8062a7a471acf3cd8f150e15f3e5855d676a6fc3c04bb09a2ebf2ba2899fc1a4b81c28604a39c1b61d288c57dbed094ba43e7e06b40732f5514645f8a43f

memory/1844-17-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Hginecde.exe

MD5 48602abec847e0a06362a22dd76f6ec3
SHA1 b8a6469230ddcb0ad882a0672d0bd81ded89ed09
SHA256 68b21c32ba1c124875c8841c4ccda0a09f084defb44570af7efc481c424f4667
SHA512 04aadfccec1cc5c50d7d9cfa2df86532da5adc4a3a540e4696ef5f6b6ee1b54b6381e933093b0af7b11b0456bb2b81ff1578079dd36ab6a15d776db6b97ef496

memory/2912-29-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Higjaoci.exe

MD5 005e3f743292b5a242912f8fbcea2c55
SHA1 f213af5e1c28aa30bc8170ad67b2d92e30fd9419
SHA256 ed62f74884a392f8804c3e6d9c0ee8e4c3c1da878966285efb8b6aae1c2b5fc4
SHA512 7e05d65c7b78874c489e7cadb1af5a5b01f533451dee762068d4c9492ee7cf606d0bdfb8fd59d29447eb14c90ae242eee3f4500a925d35f8a3bec555ce8d508f

memory/4368-32-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Hdokdg32.exe

MD5 1e94e264adce8526462a38c8c65a95a6
SHA1 76eb3ea9b637b0753b4c87f154a2cbfcd2c53ee7
SHA256 f17448185da9acacacbada316de86b1e42e3e93e7c8a85af6fc60ecfa6429d42
SHA512 72328d5bc3ca595683b6df7ba41a30455ffffe5bc4644c9b119e2bf4ecefa9340e5833dc4d2193e5d7559f389572014c34dc2fc5cf4993d854d524244643916f

memory/2464-40-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Hildmn32.exe

MD5 2a5de1d73b9f9fe9e268fb90ae430ad3
SHA1 c1bfac2f773d77155028905ce0ef94776e9e5d83
SHA256 b41267609f15495ac3a6ac1b6aaead62cd899b049999401616f71b7f2f5da091
SHA512 3dd44dc0fa4bcb0c80d069d1743b2051dacb51ba28c74b4b6b81f44aaadf772006ff539c930cde4f24f1ddac807b31b8a466fb0131d49561e6dd1665ab3a1008

memory/3276-48-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Iphioh32.exe

MD5 afcae7d2b4aa1b420b21577e6baace89
SHA1 951b5f86f8c6b8d44e66ab8cc3fdfd7a3ecaa405
SHA256 f764cc6917d13fbb2edb190ea86d05395bcd58618f4df68d4eac1242e53363cd
SHA512 7dc6cf6ff07478472cc386de5ea490b24b264ceb34e3a0acd16ef16769b4ae6d8eb031c78beb3ebdb94a99e862c4458f03d3ff9bf4d77af86fb39a99dd88cdc3

memory/2068-57-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Icfekc32.exe

MD5 039ca5e4e31ce1671482e764bccdc1a1
SHA1 2114ff2c40f46048ab7efe2794444e0251ff5622
SHA256 e075873041e5b32981ee1952712f875cac527d2ee7bf82e45a0140f5d9a93343
SHA512 72961989ac09c155b4b85a31be30063caa6e6ea093da008cb95ab0c9b82b05b7f6d30226adcedb0ac25b0d0d2c72003484ce946a694e669f17c5acf3b8d8ca45

memory/3484-65-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ijqmhnko.exe

MD5 ce0c26de542efd1be892a6d180dea442
SHA1 bda82422087e9c1bcd504f800196260dd08127cf
SHA256 7260c7b50149bf76be9073577ddcdcc8a85d0a001d95bc0eeba1da19ec725b2f
SHA512 38eb99480e6b79f5f752019b76d72398b7e2185bfea61d4094b71936773e673f3be53c2bc218973419b6f02f4fc885ef1d7230fce6870c75375f434f497d8cda

memory/2996-73-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ipjedh32.exe

MD5 351600234a1cedbc99f730c28c165974
SHA1 a36828809847a23e39675ca94f69e9f823401077
SHA256 63c3720a5ddcb93f759547086fc6cd894e11f9ff007be20f7ee195d4d7a78937
SHA512 84f230e6403e95c4e523838e931d856b18066a427cf6a0dbf794a90eb2577f3565d66d286f445dab377e6453c36b0a95be8078a2ec80b3cc45aa63d638eb1aa0

C:\Windows\SysWOW64\Iciaqc32.exe

MD5 eca7b11b3e5a7e717654d9bed1f09611
SHA1 2870cd49fe44fa57936cd2baab8d12ae8654d4a4
SHA256 4aa97051dbd4f1ee6dc6b8d07c6138b4140add548be9b95cb205694173cf04af
SHA512 6260b82169044a8c5777a5c9924b3293c1bf4e47227bee8ab2fa057a1adb0820b8faae83ec8887117f9288f04a7e88acbca4876fcbae6ed92698e0adb70bc626

C:\Windows\SysWOW64\Ijcjmmil.exe

MD5 9087409a1875cded8ac6c36ee632af46
SHA1 46ae43ebf7c46eef70ec62188117edfb74a91f56
SHA256 7406e4f0903b556ea2956fb598d729114910fff97f83b4cf76098d6115877467
SHA512 878b25db9bf5abcd574a0677b031b6c3a58f201cd651d99f5faf4b936f7f1086617f461ba494936ef8dcd901edd1e474e79b456304519c69aca5866626cf5ddb

memory/4816-101-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4684-105-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ikbfgppo.exe

MD5 50998e0331cbcdf78967e826983bcbb4
SHA1 f8d76d79b7de19a66346002eb8c53e209ab65ea2
SHA256 f80971f89db25de37bd0800b95894249b4ce6fcbdf8d2b465e2253dca81052e0
SHA512 88cd1e6d3951e9281c161e70d8bd2dbc55cb0620101b7411bc0886a556ba3db327b81bf3d9f25b6705a59b0c1205fca67dcbcefd5d75dccc75c093140072dbef

C:\Windows\SysWOW64\Inqbclob.exe

MD5 2002b2ec7b6369f93f4cdaac55a1429b
SHA1 d241ec800c4d1acaaf655e3424d534f61b17933e
SHA256 4e88a97982fe6fa81874c0c15cec6ee9731b59a514db7181933e8a0ebd2c151a
SHA512 56672e2ecf3cb747df4f410722721abd4317e853ea3b83c22790b794c2334807dae569b188ee5c7b4399b6e2acace7fd017aa785cf5241f0f0c1c1da7bf770f8

C:\Windows\SysWOW64\Icnklbmj.exe

MD5 75c0acc8bf7c24b2851308e80aaa1e1a
SHA1 8e77d4b369a212405a2c7d4d48f89e048eea2236
SHA256 7072399040bd3362b42c219504521ec859d5871045365d73273a647ccff64b6a
SHA512 9f75a0657ea6a148d2bfeb40a67058543af97b79989b742750fc3b321a798a59031f981c900219fedfbfc9c4d56e8bc1b16ae78e484ad3f83ddf8cf8796ed523

C:\Windows\SysWOW64\Ikdcmpnl.exe

MD5 09c2a593cc20d0319c06a6b16b6dc213
SHA1 6b32e8f3725d126bbe339846b193d8b44338fe21
SHA256 635615974960a1539ebe8b5cc30e86f2e502aa19efd5e61b7bf26961f3f68b00
SHA512 218e4856f299cea5fe637602088177748a8495f4a53499dc7fb928877e2c99cedb3bb2b3f98052fea849315be83b6efedfb871ab02ad994b48d0c15124673f82

memory/4732-165-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jjjpnlbd.exe

MD5 c94e2f37565029c382088f78a001a692
SHA1 164773845e47f2e63a0f7045f10cd90e4b4e98d8
SHA256 7160c9e43dbc977e49a1b99ec6e9e5f5479a5a74380679b73df4095f81ae4d3e
SHA512 e1b2b93b69f7ad8003b8082ece6919c8e1475ad18b4387552ec28d0e6fafe0dc405ac0755cbc0675d7cdef4fd9cc48fa9828ee128695c23762a79d724b9bf753

memory/2880-206-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jnhidk32.exe

MD5 6d61332c8c0dbac380bc47f73c02ce36
SHA1 de45a97887aa2379e321aec6c8730281f806cb92
SHA256 bf9aa241e1ab71588fb7cde8c209e36c81373534d09b5d323c0b919d085ef6c3
SHA512 d50e14b6643e796fe8c3a27452dd4bbd267142c777212ee01f7f83ca7f6f0fe137fb247885d1f3ceed5fa5a986dcbff59f2f13af29b623705eba8988f90537df

memory/4448-253-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4184-298-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1772-316-0x0000000000400000-0x0000000000433000-memory.dmp

memory/548-328-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4072-352-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5084-382-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1948-400-0x0000000000400000-0x0000000000433000-memory.dmp

memory/956-412-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2932-448-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2656-478-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4280-484-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3156-490-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4764-496-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2848-501-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1120-472-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4756-466-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3128-460-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2968-454-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2944-442-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4508-436-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2616-430-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1980-423-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3856-418-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4752-406-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3120-394-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3964-388-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2596-376-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2308-370-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4780-364-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5068-358-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4172-346-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4336-340-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4812-334-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4376-321-0x0000000000400000-0x0000000000433000-memory.dmp

memory/812-309-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2592-304-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4268-292-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3480-286-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3988-280-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4672-274-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4332-267-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3252-262-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jklinohd.exe

MD5 27ee71e89d79e2296adbf8ae761f083f
SHA1 5497b249175644ad92003e410838aacea70cae33
SHA256 0e2298fd58709d7101a90dc9861ac5682144a84043b39758242d3a7cd97f6398
SHA512 30faba9e65fa13245af7bfe5060fbba8345e0fc35cfe7db41d5a088af808c8021e7ded1dc15594d22f96f57d20411d14a4c18f3434cd1c2f9c4eb528dba46491

C:\Windows\SysWOW64\Jcdala32.exe

MD5 30483adfbb23da6615d42575becd1dfd
SHA1 eb2a4fa9ecab6aec4b32fe94c545c872244feac7
SHA256 1e1f23de974e77b3e98a8f1496efe837fc1570f5f8c61d4cf57a5d8d6da13c67
SHA512 5d1708048e63e07748202b36ddf40e37f86dba64f731e53a99e158f95d6504d94d9edba43523338ae06f1f7cba06ca476d70f95414cfa741fc9c3ebe0f664d8c

memory/3576-246-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jdaaaeqg.exe

MD5 0c76eadc92518801e6f1a230fa2488ce
SHA1 70710b1d2459299f4f43e396af0ed132a6657ef9
SHA256 7f55f32f6b3106da23f6c3b2f44f1a9ef8914a62016755b41dfde60fab9f2fcf
SHA512 9fe8aac0a360ca48e15bab04349a141d22e48c2bd8f1875783a56cc055e97130e9582a2c94dfcfe09cdca502389c855ca39fd539278dccc598f8fc5c7c9ca934

memory/4992-238-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5044-230-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jkimho32.exe

MD5 4a679200c0eb9a337fe811b5bee60026
SHA1 6859bb9cd9f5846be220f0d0c1c7305d3056b9cc
SHA256 3943696a9f36782cdf27ac96772e6d782161874eeae6c5c4a9246b934c4e3b1d
SHA512 bd1666d84c649858273d57367ed7cc0d2355faf94cd25b2c26391820c7218da09e1d5f651e5df36a168dd07b904d94751e0b3262d5433334fa6b8aa7a52582c4

memory/2692-222-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jcbdgb32.exe

MD5 ee73c885373c5dec70ccfcf29533b134
SHA1 f3d2566dddf466cbf7f5970686c4eb099fbad24e
SHA256 d5c3d859362cbb4081e1a4fc6cdca6d4532aeb595bc04aaa657409b2b5ac2dd3
SHA512 9f171fea279ce180cefaad6d69a37ea0abacfb0b2235bf97efee9bf7b8361d4d62441e12ad5c54d1c4474fc47bf43a33bc97552a605bac530951e958500d57e2

memory/4536-214-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jpdhkf32.exe

MD5 38f024a4c327abfe63cb2e616f61ffdc
SHA1 f9674f2051135b93d32e455d801ca1705c02f64d
SHA256 7720af92c41a8e94af45595ad74b5bfd2811c3025321c861ef1e08ff27a18bf3
SHA512 4bdefbb5b207b2c9592adf5c497b58340fe9cc9336ad545d69427e51b3fdd8235bdb904a50898e2ec7c459d49980fe88b66a6358a6cc89fbeb65f4bcb14aa7c0

C:\Windows\SysWOW64\Jnelok32.exe

MD5 aa3f3fe0e4510a9df3e0f25a33e1037b
SHA1 4e1df26fa65ececb531dee76344f2debbc26993b
SHA256 617bd966139e7eab872a020e7c3314786c418f989055344f5f5a80e5d0e898e1
SHA512 fd5561c74c1f479607eef79891193d92e47daf8186171c10a355564d991332bfcbb96a2ff8d5bb4c88e3b5f8753161e389a6af317839bb90a19f684bbbdff0b5

memory/460-197-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3736-190-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jgkdbacp.exe

MD5 400452bf25d8d00abbb8d3e3875657b6
SHA1 41a2667173026b160d9a3a7ca90aceea4533850b
SHA256 40f270d6820f3c8bd1955eee95a4481a7e776ac935e23a66fd32c05b8ab6e173
SHA512 6927f4423e555b08470bdb1c73c69cb81d819510f1f96634aa10f95c20a87c970bb2401a623f66a66281381dd29b92881396daa5d9495483350d0f7ddbf678c6

memory/4948-181-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jdmgfedl.exe

MD5 0ef5abdb034c91ed3f94e5f0169e228b
SHA1 58d53eea0a11d2851dbc6f3238bb7052e7b5a0eb
SHA256 a6e873dfcdc39d85d6bc2c6c6c990558bff4722a4d6c7e44ee5006c687295b0f
SHA512 768af4fd0d88bdb16e1d6e893fd02f03d0958159dc9bc279f401db7896d6e75f7c6af55c8edfca9aae4360a02d86ac20165f1b156c7194d8700aa014a0acec77

memory/112-174-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jlfpdh32.exe

MD5 90178aa2eb6825f16860c7deb5e7cc37
SHA1 724056eb2dbb4eae8437dc62129f58bc0eab6fb7
SHA256 a9cfefe19e01b5af82e49119b01e91f82ef596681677d7137f4f2eaae8f51dc0
SHA512 f590ae602c7e1ca9e809d1b45f65b0bc5cd8a4a8233d2c56ff9965a858e6ec4061a9ea3b5f465e3c9e4dfb7ca31a2e44c7aac15ed0b6d7747968e9170026d842

C:\Windows\SysWOW64\Jjgchm32.exe

MD5 29738ca93bcbe3fdb7b761839a1c98ed
SHA1 ff2504645bc297afc36dc751f1c628be8ee68573
SHA256 c61d95adbd3b259d4cffa5c89547bdbf546937eab583442370451a1eed2c8a35
SHA512 a2b8b624e1379d999e2d9b260776e78ae5de4af16714b2146864b6c322d7e546b7f17a3f820f212419899957da0d706671d38d3c5e88eff22889ab3cedd6e5d3

memory/1648-157-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3080-149-0x0000000000400000-0x0000000000433000-memory.dmp

memory/676-141-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ilccoh32.exe

MD5 7197b058ce47d4318f31ddb9f5cb962f
SHA1 40c1bc12a5a7251ca0dac6f38690a85870ebee38
SHA256 618a1ef0bd39e85416169e23a3e9fe3e8805ac2488ba8f77f8a2634699c60692
SHA512 5a603d91b765919493866af615c9e38a8fac0b7cda12df1873d15fd429a763055dafa4174144fa285d44946dcc742ae6639ed5d18d451fffd1ad05be284dd1d1

memory/4624-132-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5020-126-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3168-117-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Icknfcol.exe

MD5 640d2e27fadfd6efaa4c6c27fb07ef7f
SHA1 dea12a63e192fd7d759e06e6862e40723335b843
SHA256 21f9d399ef747e358f27df913e711d9b745580248d43a338cf248982d8720465
SHA512 9ea4c5dffae75abf5785077dfa244c3872d8cafe249e7a2c5269ed964652681109b1108e4ffd46d19402bf014c837ec56e2923d4f26328a108b7e9e673e7d6fb

C:\Windows\SysWOW64\Ilafiihp.exe

MD5 9b84ba59a97fd6ed9c3651d55639ceca
SHA1 d9942d5a41aecb36c0c07bc6ff1a087b3e7079d3
SHA256 659e778b47fb5361672f52d73c6c47bacedb3dfe82cb0b57f485b7bc0821e8fb
SHA512 a474a2b93a22e99b01e39f65cc6a8dde740139d6025913e593d8e1bf24a1cea4f2414b0454ae097d895ee2931ad8716a7bab7f1a728ae3281977cfe88c8bdda2

memory/4472-94-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3008-86-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3984-503-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1448-509-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Mcecjmkl.exe

MD5 c507a3c44d2fe18793a56831777702fa
SHA1 c5bed4a022a94b01e7dde6cc878f65aeffc1a512
SHA256 108833493574b290acffd64870652d5e4820a52c94850f2c2dc9d4f66be6a0aa
SHA512 3ad29efa51de826d53f54add793914af96052fe5eb7ad49f5c168a6049118e2eef333d90c495d4cee88815729046b111fa30d8618c8055a212aea40cd1026b17

memory/1248-519-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3208-521-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5028-532-0x0000000000400000-0x0000000000433000-memory.dmp

memory/876-533-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1956-539-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3144-540-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3600-546-0x0000000000400000-0x0000000000433000-memory.dmp

memory/924-552-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2892-553-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1844-559-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4344-560-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1504-566-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4368-572-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4980-573-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2464-579-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2708-580-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3680-587-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3276-586-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5060-594-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2068-593-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Neqopnhb.exe

MD5 38c50014bbf084fb20bbc7f679dc650b
SHA1 8eb340f9a4d5c1b8d163181996fa2feecc659dea
SHA256 8c2be2624f2c44a5f211e3e5a864756664e5fb662836a22e74dde16ea9be966d
SHA512 9bb1997392c7a554436bc08dee0007393b4e908967f4390741f2223757f416ab9a66ae5c12f4e1f7501b78688c7e1c5f1aad2aa5b386ddc063ed29ed445344e8

C:\Windows\SysWOW64\Oalipoiq.exe

MD5 4ce130763b29400717840a50f1ed1845
SHA1 fc64c4e7075de5b25c2e07751b3161a46fe9e99b
SHA256 5594f6be33fb1a4b6abbe738bee19a9fb2f9f0beed15928d224cf632e18517eb
SHA512 c42aef3e0de9f7ada029ef810e8a4645d230d497a9654cc8b4f12c5391b3aa0486fddee12c5816d4868f345e6c28e4f41407cd02608513e4302d907820bbaf0f

C:\Windows\SysWOW64\Ohhnbhok.exe

MD5 4e691670a3da5d5802b83f549f20380a
SHA1 ec4399f7ecd1215cbf0429852d752c69a5281fe0
SHA256 0c5bbb59e4c28a418b4d6c74fe3190ed4ef3d079a9ae366208548230098c9b7c
SHA512 46322528d64289f7c66a7ef3280e8f25bc838b81c419708554f459ec2ae94ffe16840d7ae31d4ed4e11f4340dae323741ed8340e3da3b262ee95be8c3845222f

C:\Windows\SysWOW64\Odoogi32.exe

MD5 c5f4a392ce87cff5f7e4247b0a45be43
SHA1 281ad56c73e9c3059d7459f6e0b5c40d54764c3b
SHA256 b3a8be6847ee0623df8fe39c00019ac36ed4f28e7c36adf6f2e4089fbdcb32af
SHA512 14c6ad59c8715d22e12756cec04f8abef6a4be7df4a502afd69d80c6ce88ed410ee7c6373e91eb38fd4f5390afd4ff5ab3f0c606bdd1ee72b0c1464eb58c1b00

C:\Windows\SysWOW64\Ohmhmh32.exe

MD5 bb0faa930b1a5b1354cf5dd8de2f014b
SHA1 31113a0e2f04b36248cbca75a4f9a9cdbce9f455
SHA256 fd14c2938396f4f8b9c4f4e2fa34522b1b45b7293569d5487ec89f603fd45caa
SHA512 0f29e38e2d6ef7ea61c9d24f52b1e0d1eb57a0954e17d89f5d798b2ba48f7a50ff9016c5626aaedc9a5e4f08d0f714c45cbc3d0c6bd58ff6e4b5aebbbeb877d3

C:\Windows\SysWOW64\Phodcg32.exe

MD5 cd5d4483ab9fe9ed96917e16d657431c
SHA1 5eb060f63bee61a015ce300313101a715c3b7a33
SHA256 956b2f73d1226de02984d4678be9ed67a32f8160897562de02433d5c6148409d
SHA512 1fe06b321423bb81e6bbdba5303d62bcc4a512345c26d1becb4442f682f4c2d01de5d730d613480056abf6cdb5ebd67fbc2348ca8441df4e5ae417e0520dc0a2

C:\Windows\SysWOW64\Pajeam32.exe

MD5 31e6691651d2d8db2d5f9d237f5d1619
SHA1 bf56899236a3ada9fc7588d054d89583934caba5
SHA256 b57a4fd036ba44ec52caec4bd5612cc37962d3e69127bda3b6940a2892869da6
SHA512 2129b973421ba82bdda584b0b64102d8c47a1d22ca248984af78428681988c70de0f3b6d4310a96295bbe919d51622144dd1e4e44b1ee7d122a0826025ec0d94

C:\Windows\SysWOW64\Pmaffnce.exe

MD5 a0bc7bccd7fdb1dab51c02e9248cc894
SHA1 7cf9360d311e6d833b4989b5bf6fd4ed539697c8
SHA256 da096eff62a76521667b2a95770219f18bbe0fd835ef6b3c5838fc569471a879
SHA512 1296f760aeb26e7bf7992d26712b4b3e86063968aadceba96f3dace0c73a13a8489ef658bd3be73c1d999b06010aa6818b72bff94cfcd495a324fa9c24396451

C:\Windows\SysWOW64\Aafemk32.exe

MD5 964a273dbf81d340b3d8ab089b47dbd0
SHA1 08436d3019db5ebd808a6ebfe065cca2f3bdf89e
SHA256 56cc2797e8797662a7ba859fed9b0cede514076840bace4dc9108e949059481b
SHA512 e91b8bce80f7827c25865d723b1dd6675fa310495c75ce49bcea92dce099df7f1e3ee09c56f3ae1f3a395c62975b669cfe75d1d5e1df91c43647bd173030f653

C:\Windows\SysWOW64\Alelqb32.exe

MD5 985e419cc43d6b8102af19805fe37e09
SHA1 61d892bc14e31236f5ae18e5016640c4c55f659f
SHA256 8910135c66cf0b78619ffb912c8e1da55c2e64fcbb3498427de27d44a5767a90
SHA512 9e754f622987855fa2860589e5901fe88ae2210f6ed6cf4b724fe73c972b5f914c68a214bd2c2c71a2132262d8cc9e2975006d02156fea50b9f87ea4930cb34f

C:\Windows\SysWOW64\Bdgged32.exe

MD5 7f47a165423542b84888bd7a695ef496
SHA1 94f236abb9a91bb27bb49ac1e4e728e1964d4611
SHA256 e9d13f2bc2ab928973e6f87ce5e38c6e8356e2109cbbedca8844dbf438ca4248
SHA512 2c604bf452d0c2e61fd4a8f86359de762fb08b7f222b5b37a0a4d12df1840387b8ffbacd3926fb8b4dedd984fe66216ca885b9f4fb566b53651888ac42fb3651

C:\Windows\SysWOW64\Cdnmfclj.exe

MD5 64c4b7c1842ef1c0024150426f71c93e
SHA1 29623b9f7b2e0bfaa045b31d28b2618b5631064d
SHA256 477768a2765493d7d01434a85fe6692f9963d60051e707de7d8903c4ce320dd3
SHA512 28159671d7296b3d47829ce296d22b086c409568bcdd68d46dd3c95e688ef8ab9755036a0cb5bb69bc268204eccc1d9a07dfe2fd8d1916a8ea552c3dbb9d2223

C:\Windows\SysWOW64\Cdbfab32.exe

MD5 a9bd0e145fc3cb009e7fa275aae1e696
SHA1 2ae063915f5f841e01023efa69f7c7aefb35f324
SHA256 0f4a6a048a0ccbc3a4598a508602c626123d2595a64b080c2631848fd186a5a7
SHA512 52ea71b1a2ea1c4c8cf4782db6cf6d2941821c3241f0380315a9f3d8e6180b5fc83423805ee5d7f065cb0462d7b0a14a0d9a8a02a5e4645596892ea3a6be0c92

C:\Windows\SysWOW64\Dooaoj32.exe

MD5 97ceaaecbe5b5d2bef663dfa149432ca
SHA1 7a986860e57a66a248c5c738c74cea1c1060ac3d
SHA256 7b07f0a5554d1efb3e40e68fb8c143a0818cb299dd37a1a4d7c00a7d1c548881
SHA512 6faa7375a927865a0f29387062710aa5ee4c9851c6366e5f6a5c3d8d6abcde31ef6c40648acc3d5e37167978b26466ff4faeac5289415e15ef6fc6f0026474ec

C:\Windows\SysWOW64\Doaneiop.exe

MD5 1c81f8e6ded963f63d9b5bfd5871ee70
SHA1 01b3234b4462e0deed81fc883070b9dc479564bd
SHA256 3401250560cf8cefd36698fcf2ab7703b43566a785e5b6ff06501ebf5e84c48e
SHA512 eb9f5f08aa20ad4f71a08efc12627645b58315e2624e45246b2a9c7d96aff5db5e654eaca04758af24740415b81233c729e3aa783c2c6fec80a3d35af338ae31

C:\Windows\SysWOW64\Eeelnp32.exe

MD5 c3110e161cce9c82761c475b83becdd7
SHA1 c6a780320b8ba11577ef337b6c8f24574a4d1e60
SHA256 515d1d670d1966fd050e022339a095e4b7d460c157ff81505f2124ed83a49c3b
SHA512 b261e3b87328195f19d8093dcaeaa8cd8f081e8f8cde25788cc61dbc479929518b20cbe4c8790ea8d66cf3138bdf366f1ed8eb0dd97b336dd4119d9e21b8e702

C:\Windows\SysWOW64\Eicedn32.exe

MD5 0b1a1f06b5b101ce3b763923bfe78c84
SHA1 7abfe9878dc0b6a88ae79f87296840ba66a10c80
SHA256 33386bb4973c207752d7ed0454b4b00d3f4b083107899cb330aff56c145d88f5
SHA512 e486a52fdd7d2f662d2282ad622cd9f40086c77d786fa799e5a355f084453f759080ac0e527fe495b7a9fbafc46097fae7405850faa3d96352cd3413bbbe90a8

C:\Windows\SysWOW64\Fpbflg32.exe

MD5 19b87c5da5e87fa99e5630db30c67288
SHA1 b1dd0207544ad3cf87ebbd2a57bcefc6d2b175c7
SHA256 196e8c9d3ca00084740b9371c6efebca775e55418f91450e2975e89c75ac48a8
SHA512 347e31c55d31221ab20814c6406c85b33eddd5f94b7dce3ece614c5066cf6636fa7a8a4c37321669a47f3d0d03d45493c75b401d136c56e0750fdb5dd039698d

C:\Windows\SysWOW64\Fbbpmb32.exe

MD5 f101b85c00dc8dbc7809b569d3d9c8c2
SHA1 7647691a86f8ae12f868f08ae061a7434574e378
SHA256 e4c516e62367b71b54ffb6c1b1588b29091f75c0b6673f9ee07b046579dcaec3
SHA512 8b6d3285298f187356a9f1c566248a659da80142cac0c9d25338832840ac6c45845a266fc9bef55ae913618efd471b21660122e0065e281c061a483ed60978f1

C:\Windows\SysWOW64\Fpgpgfmh.exe

MD5 f8a19272a0237945b41a4ae4c4d51a48
SHA1 d31583a3579a7652aaaf42ce5a7fa26b9ac631ba
SHA256 97267c995505a1fc11a398b777fe175b6163e1a8f516ce3e06c14c2401dab39c
SHA512 d10cb962d269dee8e98497464ebeab1042279b6d4031e65f07644f528c232ea3d9996a873f34151b483b49ac9eed566b12a2afdc9374f8415ee7725fc01569ac

C:\Windows\SysWOW64\Gblbca32.exe

MD5 4df606c05306aa5be222d5ce012f3f4c
SHA1 552e85f0657d3701e978c5b0c2b644c1ec89193b
SHA256 a6f552124e78b9cac8e3a4e398914efef246d222c2ffb4000a88cc56128532f6
SHA512 732a8bf582d982e54b0d609fb0744958d3172e21ee5b671075efeeb268cd1660a0f0b4ae06be7ef0dd3a9da04634d64e6042b209f545c82d6bac55b5fe29ebd0

C:\Windows\SysWOW64\Geaepk32.exe

MD5 891dc80e0086bc8a82027c1eca98772e
SHA1 753bdb90a88473c3d3d91c8013267438ce23e976
SHA256 438580d1a370c62c27aaac47171880f9c5da2eeab1f2ea780cc9cc0c6f50f720
SHA512 aa0235636f5943574fec6e49d82f879d3b23c6531a475d4ae6b9eb0f46c32c9246deac5848333d3c6406db4bdbc18ab9a8c8c65c63be77f8ea4479ac7cffa991

C:\Windows\SysWOW64\Gpgind32.exe

MD5 84bec677157169971a95ec94a32e1673
SHA1 c93e76648d5eb8b101857d0a8a112ebf21026adb
SHA256 8665517927e40d35ce26183ae6b51f8c8943ea13b7f5708ad74d708faaaebb47
SHA512 f887751ba5f594711bcbb3cfb14c7acf7a33958262489b3dea0461348ff8f5f7bfefe01659983f4046004dc9381140736b8487ccecbfb4a4dd090810b4ea3962

C:\Windows\SysWOW64\Hmpcbhji.exe

MD5 772f27fbbc3bb7e899aa68db634b08e2
SHA1 ad0375b89cc16cd6ccf74c75ac17a6cb76dfbac3
SHA256 2c41cc599877e143a550bfb89f978e121a64e406cb7ec8cf2e5ba7b666669f29
SHA512 76ab3122173e512ec4ee05b9d757849050529cb82526582e9dd44355bb92cbd8bfa92fa61bda2db7f31655a5be1108b5c0e6a212176a11b0ba0ce075d6bc4c62

C:\Windows\SysWOW64\Hlglidlo.exe

MD5 6b5dc26bee6559a2043167492e8aa166
SHA1 b233e67a79554701e14bbc9445119a5b42f881be
SHA256 9e2df9fc7b1cd80a3a579a586997d366d456983710883009ce04ebba46ee4110
SHA512 1ac283d19914d4878dc3b4f6df9c51f401f579855a2075b1fd1d3086d360a5353ac991aad3f1a974e951120005ebed1e3cb9347cb78c576af76f8462a28751bd

C:\Windows\SysWOW64\Illfdc32.exe

MD5 6c7eb6180d624b0d08d655901a907787
SHA1 8c89dc64fe319621881bb4534be85762de20c5e0
SHA256 7d3d80dfc4faa6be1a066502c9a8c8f4a4917f8f64b315c815fe329b155ce195
SHA512 d5a5a0517aa9846bdd139195f644a4e1fe6136088ff5b27cd6ea7ad6011679bf26e32f9b06c866e9469bd30ba36d685af137928116864e1162d53e2146333e7b

C:\Windows\SysWOW64\Imnocf32.exe

MD5 37d1ef2aad9f48bdc05efc14761899fc
SHA1 bf56ee83eb20a7d87ca1b555b5ecde633ca87bdf
SHA256 829a8b91934ca993e6f649b91bcc67e643b3aa234d923fca7eb8d472ed54a61e
SHA512 520ec93b6102873d79d25f3aaee11654bc39e5fb0e2ee4b7190092ce5f40959327a38179d2eafcc358c65abfdf82233f6a1b8b9e63ec1e01dee0b426655385c4

C:\Windows\SysWOW64\Ipoheakj.exe

MD5 ecdb0aeaa69a3f84d744c7d55d642c66
SHA1 d8053569a995bf9d438d615e625b78a588c32082
SHA256 b038d75e92d78ccc8656428dd62111959d7c586adcb72b768180f6ae5f87213c
SHA512 59fd22177a66c1bd3465768de205598c87f22e74be6844cf26dac835f8a3e84f1f2bdc1e1d5629faa9f315e73a557989d658fe0766269bf2883bc05113491589

C:\Windows\SysWOW64\Jmeede32.exe

MD5 6a9aa00978fc78276db9012d23e8c56a
SHA1 32f37150676878a35dc0a12f2fda8ae7487fcfdd
SHA256 6316d488256d459a62717db1432fd65fad3f11cea6da7b193871b40adbe3ef6d
SHA512 97dc182e0dbb264253990318a8c9121903cc9d4e7d20c96002acc376e353874eda3a02006ea29de660b5e8d0a7b77ab02c43ddefd43973cae29b9a81f3934977

C:\Windows\SysWOW64\Kpoalo32.exe

MD5 84dd6628175c3bc6465657940abebf54
SHA1 9f5ec98df7002cfb0837264eb327128001fdfc78
SHA256 9567c07f672197d49d1a19458c368d033bb80409a23a014284c5d85ddf5a97af
SHA512 a823673f91dc4bc8d4c715382ccd638d3f0c4888c52489213e0bef5e6ff07015b0c9f58b65d2068f926a7ab73a7b6b0ce884ec9bc810d973401da2e63602c3f5

C:\Windows\SysWOW64\Kcpjnjii.exe

MD5 869f8cb806a50166f6514560beb81dce
SHA1 2c0b445c3c9a475c4698c129539d6bb4ea468846
SHA256 b528a53e2816aeadd1f30c3395221548cbbcb8aaf0103ea8a71c84b46ffd48a8
SHA512 af4ee515c7c4aa58901548d17f25c5ed0118cbb9133c52453a340d01e242dc56f6c4f7daa076b13806263a29679cd2a92698d8b2b6ec7784d89ce85c1d5eb61d

C:\Windows\SysWOW64\Lljklo32.exe

MD5 4404791d962207287280a227feead304
SHA1 b2d7cee865fda7cdd557366fc2d67ad6c2d29f0b
SHA256 e3b8eb126b5fc4322035722b92e458e4db97c44e1b33868abd3be12fb04a2446
SHA512 b45f67a272e07d9dbd27439c2819c3f182f9c112fc40e0a2ae68132ebb69431d290a099e8ad6cc59a9bd731cbfa55463b6d7787fc84709c1df2a145a6918543e

C:\Windows\SysWOW64\Ljnlecmp.exe

MD5 012cac542c1e83258f7c58b073cd10cc
SHA1 74619d70ea987b46a2116ccfad31901f02c28329
SHA256 0e17c097e96b4c4303f744c4a9d2c259e81abd73bc337570e38c1e5d892c3c80
SHA512 3803c82379e731fede2b987c4cc9e8c9437dd2e56174d4b2ac41c2224483feb23f30f9c2e4a170cca476e32bfacba4cf25d2b54b75b626a579bf4faa96aaa95c

C:\Windows\SysWOW64\Lcgpni32.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Ljeafb32.exe

MD5 1c64338e3f3c747b35734b89a6849163
SHA1 a8850c8afed12e717529c6584dd57a2e610b5417
SHA256 bec0a195435a0f95f4a100140870375b3e25e1ee09af26ad558368a40516e1cd
SHA512 d8b947b2d60f942be669d973fd244647df620c617844b37bff81141bc730d83d9693bae9cd02f8db943aaf555d81c3193a3a83d2647ce338d07bc0afa54dab10

C:\Windows\SysWOW64\Mjodla32.exe

MD5 dd55af22668024c6180d1f511aff8022
SHA1 685d801379f78a088c414abd591d6de43beba3ea
SHA256 8e8c359b01225040db4a056a8ac2f88277c071f857bc19dfc8a33386a53af12f
SHA512 f39ec6b001664292780885bffa33241b00d7580f2e87503b306be5b1217e52c1dd20cfbd577b97baa460b43072204262289a0b2310e3742966a045ce137e3fb0

C:\Windows\SysWOW64\Nopfpgip.exe

MD5 e7b4bfc88cb9ca2ea21759bd2944aa3f
SHA1 d096140994253d26e200bd63182665bf2247a49c
SHA256 9ca823d956b8aa27c56b6b48538d39357128ebe7ceefcfee8287c2388bf7094c
SHA512 6cc27489d22e9614399894ae5268c50189609cdcf2e6101b96a6e6e6838e3225e4fec617c1360e5f80df4cb3305117b9b3ede989db5dcb8432dd9bd2b878d954

C:\Windows\SysWOW64\Nflkbanj.exe

MD5 cebb5a710bace2431b40d62c01011c65
SHA1 89715fb84a4066cddead40e1e5d17213f159fb53
SHA256 cf68b5039ca68124c6091590b11402686a3e66da1a65b085c41784235eb2c69c
SHA512 bf6fa936befc3010aa2a5c9c685b1befd76b5d6f5a51548b70536d90b1b77e098de73f177d1826961b54ab9d4ece6228905d4f15be111a2b7e375638bc03689b

C:\Windows\SysWOW64\Ncchae32.exe

MD5 3363686439bc84f78451fe5312af89c3
SHA1 99d15552ed6d982124b37d004297d64ab5e3319d
SHA256 1cf6d59939a6ab13a96f6349ae881310d83f73e1699d2e50efae6bebe47e5cbf
SHA512 1f5114086dae9c110d8961e38701d85ee3cf12bb64fc06d1886258fc2382b51ed378a296ba76e6bc06fc8eab39542235afdad3e57ce9dfab615564699fbc99c1

C:\Windows\SysWOW64\Ojajin32.exe

MD5 67ab37eedcdefaf63861b4d56f2cca36
SHA1 b591863aebd015f302869cf778087ffa5bdc465f
SHA256 f9601a8dd7a40eeb17ba7dfa03de0003aa6aac6765023ffb8053ad48971d046d
SHA512 43ed613b0433196b698dbeec321548e5ef2b84eb7f64812a44777d7849233baaaa00173e52ba8b1e4c3a63508c7181ffe1954ef479e1661cce8952b5919a0671

C:\Windows\SysWOW64\Ombcji32.exe

MD5 8ea63100b6a3e5e486933e395d662426
SHA1 a4a3c2cc22bc0ceafca9d14e34264232bf01a84f
SHA256 8f58b534b02cac9639fccb2f60e6b038a654ea39fa2d00c0673ac8514bcd7598
SHA512 04cb925879f7c68c9945ccb99afdc18adcaf1f61f28ef7472c0fc8b88908df486467bb5a377375a8b968c42005ceeda449462d26e32480710a3c89a10b0f128b

C:\Windows\SysWOW64\Oaplqh32.exe

MD5 a5ee2c1c1c4bd06f9eff1553aaff8b63
SHA1 dd77a913ad0941244fa70d771d44a3027388c963
SHA256 497645d74693d02d8c389db921a650e8e80bd78bd2bcdb93367d65bd68f35dd2
SHA512 c4e7bc67fd88f06ee32dd1a18e5e8dfc2f27b3d72847559ce22497e08fb0720677454692c728f70ca2f840e33edeafd0dae7f03de5f7b2ecc42362aeb6266942

C:\Windows\SysWOW64\Ocaebc32.exe

MD5 5a6cab8306028f4e7ab52e8015ea2af0
SHA1 7745a898b69b3b768ce175515bb3cabfdb23ba81
SHA256 6a33f86531a6518b6f8b50fbbe0cc03999dd9c915b11e482664bfe922fdcaabd
SHA512 2fe8d65d627518b2fbaa34dc4878c9a33773dac0e64335791071e9fe3a5305677138f6065d4e6abb989464043c6ede8d70d1ef89db6ec77c4721242bedff72b1

C:\Windows\SysWOW64\Ppgegd32.exe

MD5 cc10e4174e1a22a50c6ba917dd171018
SHA1 b2f77aa8e7a0f6f6509f37be713fa4230df69fe9
SHA256 ccc2ee3ba82ecee498e332b2d3b72e3d0111f064f9b64dece73f927a184811fc
SHA512 d98eeecbd49f37ddde887d706e4c3600e3201b88fffcec2f3cb8bcc37bfff51e370b64c85177ec3e483bcc8d3c13eaf818fbc15a249da429ff81283d6fec9260

C:\Windows\SysWOW64\Pmnbfhal.exe

MD5 eac2c9e43042852f21be05ecce9d6af4
SHA1 c41f0ca77d495ca63d87d50f59beda172995d006
SHA256 2ec1d53387b0d4af163af7ba6aae381945ed3712a0113df061d00a9c997e24dc
SHA512 28a18697e3554d956ba13cdb074ce34bbb0d30958e1331ec2a15c210d5f93aa79757d183e98fc8bf78d6842093c7f9b19dd260e8b87dc7ef8abfa871a2dc85fa

C:\Windows\SysWOW64\Ppahmb32.exe

MD5 6f5438b25e7ace19d4b001f806b1e99f
SHA1 dc411186be2fa34e145b494455dfe2237885dc68
SHA256 6c36d528ea8d8281529f51f676a11f93aa4a4968d5a91234f3dbd9602bc3000d
SHA512 5063571ff4abffca04aa1c995a2a4bf13f1f6975e74b383870bd6ebed2a57ed220940d2e2160854fdf8fbf1a16f57c17dc09454bcc6d74e799ace061c8ff9059

C:\Windows\SysWOW64\Aogbfi32.exe

MD5 c438682503b4d8f283b7bd491c507ac5
SHA1 c9a02c11b4f0338f42707a28cadb93677720b65b
SHA256 6f5946f28b39012ad6ed01d2ef5c5196148caad3e1e9b1b1a5d99d7b066c18a8
SHA512 096cca93c3d17031314d1729f7617c1c04a169f34a1a982a64931e699975e5285cc2fccbd66100e0c399b6133bc365b4b52ce4819e547cc57dbbcaa76191fd25

C:\Windows\SysWOW64\Adcjop32.exe

MD5 88e65076d790a9481d992d87137dec88
SHA1 58e07b0147711b7e7d1e7d4e928d71d58f4e5f14
SHA256 ca7ee9b55ba5f00b5cbdb06395f7df0684c73f7ab7e851ac076bdbeb61771b90
SHA512 0b68608b9ec3175ead4a587f94d3bb50e82875769820f6ab1d0f14138efdcfad604ca0280a110a084229727fb6ada7f877e05a1a5d712a5f85f9279d00b447f5

C:\Windows\SysWOW64\Amnlme32.exe

MD5 da1d6958ac873af9cfc18b5ca0157bdc
SHA1 c05d6291be8c6310a0e921c4a365b1e8bce99690
SHA256 f2eac0135c2c090521fbb7fbae4583037717d21c8ed7c2a9890fb0da4f6cbddd
SHA512 f7c65706232dcbd649f46425759070e723a23ce1c0633914510596fb108429f964ab74bd24826acaf8b2b3d10a7b24c9a42acc1813538609fd36f4cf49b12ee7

C:\Windows\SysWOW64\Aggpfkjj.exe

MD5 d78fbba082f99d6cf6a24023f4bc3376
SHA1 c2b1f1e35ea03f8f560fd58b949b7701ffdd2046
SHA256 33aa8991b89ad74bc842c505d8e9cab23fa4dc374211ef1093891c546aa322b7
SHA512 0a11a3841893a9e49ac79dc85c5eeb2b48ce81a13e160a74b1e7e36298edbf85d30537dd60f344fc70c5090bbc73ce77409960abfb9767d1c02765b17cfba2b1

C:\Windows\SysWOW64\Bgkiaj32.exe

MD5 44f33c856d89e8a9d166109540e27387
SHA1 12ece90630a7efed4b8860bfca4a860529e77b3b
SHA256 da09dc6eed367558136fba84bc6bce85fa076bf2babcbcb44046a371c67e7ad2
SHA512 a16228f24e03e2d69aedf4e4171bf233b8274abdb7ada065ac60716def1d9236fd5393f4f9d9babe5cf45b3d8ff9c6e60a7b8e2467d3f6f136ea2b9a48d47aa6

C:\Windows\SysWOW64\Bkibgh32.exe

MD5 2deac6cce5972ba3661f9283d09aba43
SHA1 11c3f0d55e3bd9021c0e5020b707b500cd09d3fa
SHA256 912626eb61bdd2b97c0975851f225d658c506076f9440cdcfd0be1199d3e16bd
SHA512 a2dcf4c75f35c5c6514549ecd354bf1f0d1f679fcb57aca12a9a2f6c1285a5c815c3f9eae66a1f69ade5de289103dda8e34f466b9020a83ad751860061a9d1bc

C:\Windows\SysWOW64\Bpkdjofm.exe

MD5 4079ba5650cf371a3d7fd6dc77946d31
SHA1 83da22efbbb3303457829e921f7f4360808fc422
SHA256 3af57e5a05685b8c3c6c7b8d07b9e7c390fe386c503ac7090f70b43020148972
SHA512 2913597e2bb6624247b795c7f853d01756d1980e4bbf15c2b11be2f7fa24ad8bacae741315570b5b283ce80ce02eed76874377bd63fdfac79ae83d9378af9376

C:\Windows\SysWOW64\Cnaaib32.exe

MD5 79c30540a595775bf08d082e79171de5
SHA1 9a3bfac50790bcc4512b774e592cf43364debbf7
SHA256 b7eb7650e85cd507248d26f2d073c6a1c2d35ff5f45dd982c93f43552f33e647
SHA512 12489a9ebe853c74a660c4b96e225a61958092b01f2fe5825450d3cbe6ff7797f1b47659ffa5a925fc798ffb0ca4dceeefb167999050b61546e35835815cad95

C:\Windows\SysWOW64\Chiblk32.exe

MD5 03c8f33188ccf09972add98ebca2c118
SHA1 dab6e5d5ce22730c2ade48b3d723044165bf42d3
SHA256 63bddae80a7b5072902254b3f79b9994e1e05d221a23ba203a625cf0da5465ac
SHA512 b715bead2ae2ad46b7119eaec1c4fc7446db5d8554f68047c1a55cc6a8c98b281a5176a62d8d9ea8e68e01de428a3b3e0267d6f07478c7dd106660cb01762987

C:\Windows\SysWOW64\Cgnomg32.exe

MD5 c54630518a80d0ca75c88f977c6a1fee
SHA1 1c5e486734c1cc069bf35e3f84f87048ff3537c8
SHA256 025bb4d18e8962972e2c22d2a01a18ec55cbf487ac5a95fe1ac6a34380fdbf3e
SHA512 6756b63ab3f7d37bdbc7ad3020e86ec18b342d46941e2b4034015e3be002a89145b2a36e358fe9fa114eade1d0517bddcb2a0eb937fb107989fe600a173a3caa

C:\Windows\SysWOW64\Dhphmj32.exe

MD5 66dfc5d8c7b23cc4d63e878d7c02d9a8
SHA1 b37866faeef872154946e7d6cd152dde6df761af
SHA256 d566d45286c841428ebeadd0e91e81d11623e8a57aa82d147524ba69a1c75b18
SHA512 be03d4f958cc99effcfc5646c1fec093e08f90fd61ce505aee1e6ed75684b0481c0f85259f9c62e0c1d5704d54fb7d2f2bf7aa19261f733a729f6ad2c2210cfd

C:\Windows\SysWOW64\Dkqaoe32.exe

MD5 b2b059d1c2f6fa6181f42566c2c869d6
SHA1 586f29cb16dcc85adb90e2bd97fc8dc4a140522b
SHA256 31ed846bd0f8663d833a331293ae1e7bb3beaba24210cef6986e61328dc9f49d
SHA512 832b0d11c40334ca1528262cecb8f6717fee6da2ca6f903ed23077b44c79389e0a70dc749017079781d3861805129f302f961874c339ae510069f050da0d4e35

memory/9976-2476-0x0000000000400000-0x0000000000433000-memory.dmp

memory/9844-2482-0x0000000000400000-0x0000000000433000-memory.dmp

memory/9404-2501-0x0000000000400000-0x0000000000433000-memory.dmp