Malware Analysis Report

2024-11-15 10:40

Sample ID: 241110-bfazfavpgw
Target: 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60
SHA256: 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60
Tags: berbew backdoor discovery persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60

Threat Level: Known bad

The file 9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60 was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Berbew family

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 01:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 01:04

Reported: 2024-11-10 01:07

Platform: win7-20240903-en

Max time kernel: 141s

Max time network: 16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

Tags: persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejfllhao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hehhqk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Icabeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nhqhmj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nedifo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Okhgod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Binikb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Doqkpl32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mllhne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nedifo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Peeabm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pnnfkb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mbdcepcm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Inmpklpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jgjmoace.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lffmpp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nchipb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ogaeieoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Beldao32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Biccfalm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hkjnenbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lekjal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lljkif32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nanfqo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pkjqcg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pofldf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmgifa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fabmmejd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkkioeig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Egcfdn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fabmmejd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Naimepkp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Anpooe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cniajdkg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdngip32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oomjng32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ainmlomf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hclhjpjc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qcmkhi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ckiiiine.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nmggllha.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nkdndeon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lcedne32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kglfcd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Obnbpb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bhjpnj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Clfhml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kkefoc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iadbqlmh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jojloc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpoejbhe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kfacdqhf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nakikpin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Onipqp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Poacighp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Icabeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hplphd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jjmcfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pgaahh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmnofp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bkkioeig.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kndbko32.exe N/A

Berbew

Tags: backdoor berbew

Berbew family

Tags: berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ckecpjdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Cncolfcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdngip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cffjagko.exe N/A
N/A N/A C:\Windows\SysWOW64\Doqkpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhklna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqinhcoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Egcfdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejfllhao.exe N/A
N/A N/A C:\Windows\SysWOW64\Faijggao.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcichb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdnlcakk.exe N/A
N/A N/A C:\Windows\SysWOW64\Fabmmejd.exe N/A
N/A N/A C:\Windows\SysWOW64\Gefolhja.exe N/A
N/A N/A C:\Windows\SysWOW64\Gampaipe.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkjnenbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdeoccgn.exe N/A
N/A N/A C:\Windows\SysWOW64\Hplphd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hehhqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjddaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hclhjpjc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihiabfhk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipqicdim.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijimli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Icabeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iadbqlmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Iohbjpkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikocoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Inmpklpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibkhak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdidmf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnbifl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgjmoace.exe N/A
N/A N/A C:\Windows\SysWOW64\Jndflk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjkfqlpf.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjmcfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jmlobg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jojloc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmnlhg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kpoejbhe.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbmafngi.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkefoc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kndbko32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kenjgi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kglfcd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kepgmh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfacdqhf.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcedne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfdpjp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Liblfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lchqcd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lffmpp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Llcehg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lekjal32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmbabj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lodnjboi.exe N/A
N/A N/A C:\Windows\SysWOW64\Liibgkoo.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhlbbg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Llhocfnb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lljkif32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkmldbcj.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbdcepcm.exe N/A
N/A N/A C:\Windows\SysWOW64\Mllhne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdgmbhgh.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckecpjdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckecpjdh.exe N/A
N/A N/A C:\Windows\SysWOW64\Cncolfcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Cncolfcl.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdngip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdngip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cffjagko.exe N/A
N/A N/A C:\Windows\SysWOW64\Cffjagko.exe N/A
N/A N/A C:\Windows\SysWOW64\Doqkpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Doqkpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhklna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhklna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqinhcoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dqinhcoc.exe N/A
N/A N/A C:\Windows\SysWOW64\Egcfdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Egcfdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejfllhao.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejfllhao.exe N/A
N/A N/A C:\Windows\SysWOW64\Faijggao.exe N/A
N/A N/A C:\Windows\SysWOW64\Faijggao.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcichb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcichb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdnlcakk.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdnlcakk.exe N/A
N/A N/A C:\Windows\SysWOW64\Fabmmejd.exe N/A
N/A N/A C:\Windows\SysWOW64\Fabmmejd.exe N/A
N/A N/A C:\Windows\SysWOW64\Gefolhja.exe N/A
N/A N/A C:\Windows\SysWOW64\Gefolhja.exe N/A
N/A N/A C:\Windows\SysWOW64\Gampaipe.exe N/A
N/A N/A C:\Windows\SysWOW64\Gampaipe.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkjnenbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Hkjnenbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdeoccgn.exe N/A
N/A N/A C:\Windows\SysWOW64\Hdeoccgn.exe N/A
N/A N/A C:\Windows\SysWOW64\Hplphd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hplphd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hehhqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hehhqk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjddaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hjddaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Hclhjpjc.exe N/A
N/A N/A C:\Windows\SysWOW64\Hclhjpjc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihiabfhk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ihiabfhk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipqicdim.exe N/A
N/A N/A C:\Windows\SysWOW64\Ipqicdim.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijimli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ijimli32.exe N/A
N/A N/A C:\Windows\SysWOW64\Icabeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Icabeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Iadbqlmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Iadbqlmh.exe N/A
N/A N/A C:\Windows\SysWOW64\Iohbjpkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Iohbjpkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikocoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ikocoa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Inmpklpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Inmpklpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibkhak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ibkhak32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdidmf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdidmf32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Nakikpin.exe C:\Windows\SysWOW64\Nchipb32.exe N/A
File created C:\Windows\SysWOW64\Kmcjeh32.dll C:\Windows\SysWOW64\Ckecpjdh.exe N/A
File created C:\Windows\SysWOW64\Gefolhja.exe C:\Windows\SysWOW64\Fabmmejd.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbmafngi.exe C:\Windows\SysWOW64\Kpoejbhe.exe N/A
File created C:\Windows\SysWOW64\Egqcce32.dll C:\Windows\SysWOW64\Lhlbbg32.exe N/A
File created C:\Windows\SysWOW64\Faijggao.exe C:\Windows\SysWOW64\Ejfllhao.exe N/A
File created C:\Windows\SysWOW64\Hbnjdf32.dll C:\Windows\SysWOW64\Ikocoa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nchipb32.exe C:\Windows\SysWOW64\Nedifo32.exe N/A
File created C:\Windows\SysWOW64\Doqkpl32.exe C:\Windows\SysWOW64\Cffjagko.exe N/A
File opened for modification C:\Windows\SysWOW64\Mllhne32.exe C:\Windows\SysWOW64\Mbdcepcm.exe N/A
File opened for modification C:\Windows\SysWOW64\Liblfl32.exe C:\Windows\SysWOW64\Lfdpjp32.exe N/A
File created C:\Windows\SysWOW64\Pkhdnh32.exe C:\Windows\SysWOW64\Pijgbl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ahhchk32.exe C:\Windows\SysWOW64\Anpooe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ejfllhao.exe C:\Windows\SysWOW64\Egcfdn32.exe N/A
File created C:\Windows\SysWOW64\Lljkif32.exe C:\Windows\SysWOW64\Llhocfnb.exe N/A
File opened for modification C:\Windows\SysWOW64\Qfkgdd32.exe C:\Windows\SysWOW64\Qcmkhi32.exe N/A
File created C:\Windows\SysWOW64\Nelgfoke.dll C:\Windows\SysWOW64\Jmlobg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mmbnam32.exe C:\Windows\SysWOW64\Mkdbea32.exe N/A
File created C:\Windows\SysWOW64\Qaqlbmbn.exe C:\Windows\SysWOW64\Qijdqp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ockbdebl.exe C:\Windows\SysWOW64\Oqlfhjch.exe N/A
File opened for modification C:\Windows\SysWOW64\Pnnfkb32.exe C:\Windows\SysWOW64\Peeabm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kpoejbhe.exe C:\Windows\SysWOW64\Kmnlhg32.exe N/A
File created C:\Windows\SysWOW64\Iohbjpkb.exe C:\Windows\SysWOW64\Iadbqlmh.exe N/A
File opened for modification C:\Windows\SysWOW64\Ankedf32.exe C:\Windows\SysWOW64\Almihjlj.exe N/A
File created C:\Windows\SysWOW64\Bjfpdf32.exe C:\Windows\SysWOW64\Ahhchk32.exe N/A
File created C:\Windows\SysWOW64\Pokkfdac.dll C:\Windows\SysWOW64\Nnbjpqoa.exe N/A
File created C:\Windows\SysWOW64\Ipqicdim.exe C:\Windows\SysWOW64\Ihiabfhk.exe N/A
File created C:\Windows\SysWOW64\Eglhaeef.dll C:\Windows\SysWOW64\Ongckp32.exe N/A
File created C:\Windows\SysWOW64\Mlgkbi32.exe C:\Windows\SysWOW64\Mcofid32.exe N/A
File created C:\Windows\SysWOW64\Andhah32.dll C:\Windows\SysWOW64\Npechhgd.exe N/A
File created C:\Windows\SysWOW64\Alkjpb32.dll C:\Windows\SysWOW64\Ncdpdcfh.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhklna32.exe C:\Windows\SysWOW64\Doqkpl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hdeoccgn.exe C:\Windows\SysWOW64\Hkjnenbp.exe N/A
File opened for modification C:\Windows\SysWOW64\Clclhmin.exe C:\Windows\SysWOW64\Bopknhjd.exe N/A
File created C:\Windows\SysWOW64\Ohodgb32.dll C:\Windows\SysWOW64\Caenkc32.exe N/A
File created C:\Windows\SysWOW64\Jbndmh32.dll C:\Windows\SysWOW64\Jjmcfl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdcnhk32.exe C:\Windows\SysWOW64\Bmjekahk.exe N/A
File created C:\Windows\SysWOW64\Nflpan32.dll C:\Windows\SysWOW64\Mdoccg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ollqllod.exe C:\Windows\SysWOW64\Onipqp32.exe N/A
File created C:\Windows\SysWOW64\Mafalppn.dll C:\Windows\SysWOW64\Oomjng32.exe N/A
File created C:\Windows\SysWOW64\Bkkioeig.exe C:\Windows\SysWOW64\Bmgifa32.exe N/A
File created C:\Windows\SysWOW64\Podpaa32.dll C:\Windows\SysWOW64\Bmjekahk.exe N/A
File opened for modification C:\Windows\SysWOW64\Clfhml32.exe C:\Windows\SysWOW64\Clclhmin.exe N/A
File opened for modification C:\Windows\SysWOW64\Iohbjpkb.exe C:\Windows\SysWOW64\Iadbqlmh.exe N/A
File created C:\Windows\SysWOW64\Kbmafngi.exe C:\Windows\SysWOW64\Kpoejbhe.exe N/A
File opened for modification C:\Windows\SysWOW64\Ogaeieoj.exe C:\Windows\SysWOW64\Ollqllod.exe N/A
File created C:\Windows\SysWOW64\Lpjqnpjb.dll C:\Windows\SysWOW64\Ockbdebl.exe N/A
File created C:\Windows\SysWOW64\Ojoppamn.dll C:\Windows\SysWOW64\Icabeo32.exe N/A
File created C:\Windows\SysWOW64\Lalieb32.dll C:\Windows\SysWOW64\Kndbko32.exe N/A
File created C:\Windows\SysWOW64\Ockbdebl.exe C:\Windows\SysWOW64\Oqlfhjch.exe N/A
File created C:\Windows\SysWOW64\Fngooj32.dll C:\Windows\SysWOW64\Qijdqp32.exe N/A
File created C:\Windows\SysWOW64\Pohoplja.dll C:\Windows\SysWOW64\Aljmbknm.exe N/A
File opened for modification C:\Windows\SysWOW64\Dqinhcoc.exe C:\Windows\SysWOW64\Dhklna32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hclhjpjc.exe C:\Windows\SysWOW64\Hjddaj32.exe N/A
File created C:\Windows\SysWOW64\Ckecpjdh.exe C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
File opened for modification C:\Windows\SysWOW64\Faijggao.exe C:\Windows\SysWOW64\Ejfllhao.exe N/A
File opened for modification C:\Windows\SysWOW64\Bpmkbl32.exe C:\Windows\SysWOW64\Bmnofp32.exe N/A
File created C:\Windows\SysWOW64\Llhocfnb.exe C:\Windows\SysWOW64\Lhlbbg32.exe N/A
File created C:\Windows\SysWOW64\Kpfdhgca.dll C:\Windows\SysWOW64\Bkkioeig.exe N/A
File opened for modification C:\Windows\SysWOW64\Mdoccg32.exe C:\Windows\SysWOW64\Mlgkbi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ogdaod32.exe C:\Windows\SysWOW64\Oomjng32.exe N/A
File created C:\Windows\SysWOW64\Bmgifa32.exe C:\Windows\SysWOW64\Bhjpnj32.exe N/A
File created C:\Windows\SysWOW64\Fbnqjk32.dll C:\Windows\SysWOW64\Kkefoc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lodnjboi.exe C:\Windows\SysWOW64\Lmbabj32.exe N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Inmpklpj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lhlbbg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nakikpin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ollqllod.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fdnlcakk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hjddaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jndflk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mlgkbi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mbdcepcm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnbjpqoa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pecelm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qijdqp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cffjagko.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ibkhak32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Onipqp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bopknhjd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Peeabm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qaqlbmbn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gampaipe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jojloc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogdaod32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkjqcg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mkdbea32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Noagjc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Obnbpb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhjpnj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Doqkpl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lcedne32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Llcehg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lkmldbcj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjmcfl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkhdnh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjfpdf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmjekahk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anpooe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fcichb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ihiabfhk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kglfcd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lfdpjp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Egcfdn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdcnhk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Clfhml32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kfacdqhf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Naimepkp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alofnj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Clclhmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkefoc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogaeieoj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oomjng32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pbgefa32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdngip32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hehhqk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lljkif32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmgifa32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgfiocfl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmcgmkil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Coindgbi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fabmmejd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Liblfl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Liibgkoo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ninhamne.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oqlfhjch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ankedf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckecpjdh.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aljmbknm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cdngip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dqinhcoc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejkohlcb.dll" C:\Windows\SysWOW64\Hehhqk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Monann32.dll" C:\Windows\SysWOW64\Kbmafngi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mgfiocfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chobpcbd.dll" C:\Windows\SysWOW64\Lmbabj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeadqq32.dll" C:\Windows\SysWOW64\Onipqp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jdidmf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jndflk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcoljb32.dll" C:\Windows\SysWOW64\Mlgkbi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaklhb32.dll" C:\Windows\SysWOW64\Qfkgdd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hkjnenbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cophjpne.dll" C:\Windows\SysWOW64\Iohbjpkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Okhgod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Okkddd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ckiiiine.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdamao32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jnbifl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lfdpjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lchqcd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mllhne32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bfbjdf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ongckp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pkjqcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pecelm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ahhchk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bhjpnj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Liibgkoo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nedifo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faiglonh.dll" C:\Windows\SysWOW64\Nedifo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aegkfpah.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmjekahk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmcjeh32.dll" C:\Windows\SysWOW64\Ckecpjdh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iadbqlmh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lodnjboi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nkdndeon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ogdaod32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cffjagko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kbmafngi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmgifa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpbbn32.dll" C:\Windows\SysWOW64\Cdamao32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lekjal32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lljkif32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbpgjjo.dll" C:\Windows\SysWOW64\Nanfqo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qaqlbmbn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fcichb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kenjgi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fcichb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eglhaeef.dll" C:\Windows\SysWOW64\Ongckp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkkioeig.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jjmcfl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Llhocfnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ogdaod32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jmlobg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pbgefa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmnofp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmdoe32.dll" C:\Windows\SysWOW64\Llhocfnb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbjcpc32.dll" C:\Windows\SysWOW64\Nhqhmj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nmggllha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpfnk32.dll" C:\Windows\SysWOW64\Peeabm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlkkhne.dll" C:\Windows\SysWOW64\Clclhmin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hplphd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Okhgod32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe C:\Windows\SysWOW64\Ckecpjdh.exe
PID 2400 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe C:\Windows\SysWOW64\Ckecpjdh.exe
PID 2400 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe C:\Windows\SysWOW64\Ckecpjdh.exe
PID 2400 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe C:\Windows\SysWOW64\Ckecpjdh.exe
PID 2688 wrote to memory of 320 N/A C:\Windows\SysWOW64\Ckecpjdh.exe C:\Windows\SysWOW64\Cncolfcl.exe
PID 2688 wrote to memory of 320 N/A C:\Windows\SysWOW64\Ckecpjdh.exe C:\Windows\SysWOW64\Cncolfcl.exe
PID 2688 wrote to memory of 320 N/A C:\Windows\SysWOW64\Ckecpjdh.exe C:\Windows\SysWOW64\Cncolfcl.exe
PID 2688 wrote to memory of 320 N/A C:\Windows\SysWOW64\Ckecpjdh.exe C:\Windows\SysWOW64\Cncolfcl.exe
PID 320 wrote to memory of 888 N/A C:\Windows\SysWOW64\Cncolfcl.exe C:\Windows\SysWOW64\Cdngip32.exe
PID 320 wrote to memory of 888 N/A C:\Windows\SysWOW64\Cncolfcl.exe C:\Windows\SysWOW64\Cdngip32.exe
PID 320 wrote to memory of 888 N/A C:\Windows\SysWOW64\Cncolfcl.exe C:\Windows\SysWOW64\Cdngip32.exe
PID 320 wrote to memory of 888 N/A C:\Windows\SysWOW64\Cncolfcl.exe C:\Windows\SysWOW64\Cdngip32.exe
PID 888 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Cdngip32.exe C:\Windows\SysWOW64\Cffjagko.exe
PID 888 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Cdngip32.exe C:\Windows\SysWOW64\Cffjagko.exe
PID 888 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Cdngip32.exe C:\Windows\SysWOW64\Cffjagko.exe
PID 888 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Cdngip32.exe C:\Windows\SysWOW64\Cffjagko.exe
PID 2556 wrote to memory of 2328 N/A C:\Windows\SysWOW64\Cffjagko.exe C:\Windows\SysWOW64\Doqkpl32.exe
PID 2556 wrote to memory of 2328 N/A C:\Windows\SysWOW64\Cffjagko.exe C:\Windows\SysWOW64\Doqkpl32.exe
PID 2556 wrote to memory of 2328 N/A C:\Windows\SysWOW64\Cffjagko.exe C:\Windows\SysWOW64\Doqkpl32.exe
PID 2556 wrote to memory of 2328 N/A C:\Windows\SysWOW64\Cffjagko.exe C:\Windows\SysWOW64\Doqkpl32.exe
PID 2328 wrote to memory of 2068 N/A C:\Windows\SysWOW64\Doqkpl32.exe C:\Windows\SysWOW64\Dhklna32.exe
PID 2328 wrote to memory of 2068 N/A C:\Windows\SysWOW64\Doqkpl32.exe C:\Windows\SysWOW64\Dhklna32.exe
PID 2328 wrote to memory of 2068 N/A C:\Windows\SysWOW64\Doqkpl32.exe C:\Windows\SysWOW64\Dhklna32.exe
PID 2328 wrote to memory of 2068 N/A C:\Windows\SysWOW64\Doqkpl32.exe C:\Windows\SysWOW64\Dhklna32.exe
PID 2068 wrote to memory of 1780 N/A C:\Windows\SysWOW64\Dhklna32.exe C:\Windows\SysWOW64\Dqinhcoc.exe
PID 2068 wrote to memory of 1780 N/A C:\Windows\SysWOW64\Dhklna32.exe C:\Windows\SysWOW64\Dqinhcoc.exe
PID 2068 wrote to memory of 1780 N/A C:\Windows\SysWOW64\Dhklna32.exe C:\Windows\SysWOW64\Dqinhcoc.exe
PID 2068 wrote to memory of 1780 N/A C:\Windows\SysWOW64\Dhklna32.exe C:\Windows\SysWOW64\Dqinhcoc.exe
PID 1780 wrote to memory of 2884 N/A C:\Windows\SysWOW64\Dqinhcoc.exe C:\Windows\SysWOW64\Egcfdn32.exe
PID 1780 wrote to memory of 2884 N/A C:\Windows\SysWOW64\Dqinhcoc.exe C:\Windows\SysWOW64\Egcfdn32.exe
PID 1780 wrote to memory of 2884 N/A C:\Windows\SysWOW64\Dqinhcoc.exe C:\Windows\SysWOW64\Egcfdn32.exe
PID 1780 wrote to memory of 2884 N/A C:\Windows\SysWOW64\Dqinhcoc.exe C:\Windows\SysWOW64\Egcfdn32.exe
PID 2884 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Egcfdn32.exe C:\Windows\SysWOW64\Ejfllhao.exe
PID 2884 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Egcfdn32.exe C:\Windows\SysWOW64\Ejfllhao.exe
PID 2884 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Egcfdn32.exe C:\Windows\SysWOW64\Ejfllhao.exe
PID 2884 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Egcfdn32.exe C:\Windows\SysWOW64\Ejfllhao.exe
PID 2636 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Ejfllhao.exe C:\Windows\SysWOW64\Faijggao.exe
PID 2636 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Ejfllhao.exe C:\Windows\SysWOW64\Faijggao.exe
PID 2636 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Ejfllhao.exe C:\Windows\SysWOW64\Faijggao.exe
PID 2636 wrote to memory of 2764 N/A C:\Windows\SysWOW64\Ejfllhao.exe C:\Windows\SysWOW64\Faijggao.exe
PID 2764 wrote to memory of 636 N/A C:\Windows\SysWOW64\Faijggao.exe C:\Windows\SysWOW64\Fcichb32.exe
PID 2764 wrote to memory of 636 N/A C:\Windows\SysWOW64\Faijggao.exe C:\Windows\SysWOW64\Fcichb32.exe
PID 2764 wrote to memory of 636 N/A C:\Windows\SysWOW64\Faijggao.exe C:\Windows\SysWOW64\Fcichb32.exe
PID 2764 wrote to memory of 636 N/A C:\Windows\SysWOW64\Faijggao.exe C:\Windows\SysWOW64\Fcichb32.exe
PID 636 wrote to memory of 1792 N/A C:\Windows\SysWOW64\Fcichb32.exe C:\Windows\SysWOW64\Fdnlcakk.exe
PID 636 wrote to memory of 1792 N/A C:\Windows\SysWOW64\Fcichb32.exe C:\Windows\SysWOW64\Fdnlcakk.exe
PID 636 wrote to memory of 1792 N/A C:\Windows\SysWOW64\Fcichb32.exe C:\Windows\SysWOW64\Fdnlcakk.exe
PID 636 wrote to memory of 1792 N/A C:\Windows\SysWOW64\Fcichb32.exe C:\Windows\SysWOW64\Fdnlcakk.exe
PID 1792 wrote to memory of 2272 N/A C:\Windows\SysWOW64\Fdnlcakk.exe C:\Windows\SysWOW64\Fabmmejd.exe
PID 1792 wrote to memory of 2272 N/A C:\Windows\SysWOW64\Fdnlcakk.exe C:\Windows\SysWOW64\Fabmmejd.exe
PID 1792 wrote to memory of 2272 N/A C:\Windows\SysWOW64\Fdnlcakk.exe C:\Windows\SysWOW64\Fabmmejd.exe
PID 1792 wrote to memory of 2272 N/A C:\Windows\SysWOW64\Fdnlcakk.exe C:\Windows\SysWOW64\Fabmmejd.exe
PID 2272 wrote to memory of 2200 N/A C:\Windows\SysWOW64\Fabmmejd.exe C:\Windows\SysWOW64\Gefolhja.exe
PID 2272 wrote to memory of 2200 N/A C:\Windows\SysWOW64\Fabmmejd.exe C:\Windows\SysWOW64\Gefolhja.exe
PID 2272 wrote to memory of 2200 N/A C:\Windows\SysWOW64\Fabmmejd.exe C:\Windows\SysWOW64\Gefolhja.exe
PID 2272 wrote to memory of 2200 N/A C:\Windows\SysWOW64\Fabmmejd.exe C:\Windows\SysWOW64\Gefolhja.exe
PID 2200 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Gefolhja.exe C:\Windows\SysWOW64\Gampaipe.exe
PID 2200 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Gefolhja.exe C:\Windows\SysWOW64\Gampaipe.exe
PID 2200 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Gefolhja.exe C:\Windows\SysWOW64\Gampaipe.exe
PID 2200 wrote to memory of 2152 N/A C:\Windows\SysWOW64\Gefolhja.exe C:\Windows\SysWOW64\Gampaipe.exe
PID 2152 wrote to memory of 1100 N/A C:\Windows\SysWOW64\Gampaipe.exe C:\Windows\SysWOW64\Hkjnenbp.exe
PID 2152 wrote to memory of 1100 N/A C:\Windows\SysWOW64\Gampaipe.exe C:\Windows\SysWOW64\Hkjnenbp.exe
PID 2152 wrote to memory of 1100 N/A C:\Windows\SysWOW64\Gampaipe.exe C:\Windows\SysWOW64\Hkjnenbp.exe
PID 2152 wrote to memory of 1100 N/A C:\Windows\SysWOW64\Gampaipe.exe C:\Windows\SysWOW64\Hkjnenbp.exe

Processes

Path Command line
C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe "C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe"
C:\Windows\SysWOW64\Ckecpjdh.exe C:\Windows\system32\Ckecpjdh.exe
C:\Windows\SysWOW64\Cncolfcl.exe C:\Windows\system32\Cncolfcl.exe
C:\Windows\SysWOW64\Cdngip32.exe C:\Windows\system32\Cdngip32.exe
C:\Windows\SysWOW64\Cffjagko.exe C:\Windows\system32\Cffjagko.exe
C:\Windows\SysWOW64\Doqkpl32.exe C:\Windows\system32\Doqkpl32.exe
C:\Windows\SysWOW64\Dhklna32.exe C:\Windows\system32\Dhklna32.exe
C:\Windows\SysWOW64\Dqinhcoc.exe C:\Windows\system32\Dqinhcoc.exe
C:\Windows\SysWOW64\Egcfdn32.exe C:\Windows\system32\Egcfdn32.exe
C:\Windows\SysWOW64\Ejfllhao.exe C:\Windows\system32\Ejfllhao.exe
C:\Windows\SysWOW64\Faijggao.exe C:\Windows\system32\Faijggao.exe
C:\Windows\SysWOW64\Fcichb32.exe C:\Windows\system32\Fcichb32.exe
C:\Windows\SysWOW64\Fdnlcakk.exe C:\Windows\system32\Fdnlcakk.exe
C:\Windows\SysWOW64\Fabmmejd.exe C:\Windows\system32\Fabmmejd.exe
C:\Windows\SysWOW64\Gefolhja.exe C:\Windows\system32\Gefolhja.exe
C:\Windows\SysWOW64\Gampaipe.exe C:\Windows\system32\Gampaipe.exe
C:\Windows\SysWOW64\Hkjnenbp.exe C:\Windows\system32\Hkjnenbp.exe
C:\Windows\SysWOW64\Hdeoccgn.exe C:\Windows\system32\Hdeoccgn.exe
C:\Windows\SysWOW64\Hplphd32.exe C:\Windows\system32\Hplphd32.exe
C:\Windows\SysWOW64\Hehhqk32.exe C:\Windows\system32\Hehhqk32.exe
C:\Windows\SysWOW64\Hjddaj32.exe C:\Windows\system32\Hjddaj32.exe
C:\Windows\SysWOW64\Hclhjpjc.exe C:\Windows\system32\Hclhjpjc.exe
C:\Windows\SysWOW64\Ihiabfhk.exe C:\Windows\system32\Ihiabfhk.exe
C:\Windows\SysWOW64\Ipqicdim.exe C:\Windows\system32\Ipqicdim.exe
C:\Windows\SysWOW64\Ijimli32.exe C:\Windows\system32\Ijimli32.exe
C:\Windows\SysWOW64\Icabeo32.exe C:\Windows\system32\Icabeo32.exe
C:\Windows\SysWOW64\Iadbqlmh.exe C:\Windows\system32\Iadbqlmh.exe
C:\Windows\SysWOW64\Iohbjpkb.exe C:\Windows\system32\Iohbjpkb.exe
C:\Windows\SysWOW64\Ikocoa32.exe C:\Windows\system32\Ikocoa32.exe
C:\Windows\SysWOW64\Inmpklpj.exe C:\Windows\system32\Inmpklpj.exe
C:\Windows\SysWOW64\Ibkhak32.exe C:\Windows\system32\Ibkhak32.exe
C:\Windows\SysWOW64\Jdidmf32.exe C:\Windows\system32\Jdidmf32.exe
C:\Windows\SysWOW64\Jnbifl32.exe C:\Windows\system32\Jnbifl32.exe
C:\Windows\SysWOW64\Jgjmoace.exe C:\Windows\system32\Jgjmoace.exe
C:\Windows\SysWOW64\Jndflk32.exe C:\Windows\system32\Jndflk32.exe
C:\Windows\SysWOW64\Jjkfqlpf.exe C:\Windows\system32\Jjkfqlpf.exe
C:\Windows\SysWOW64\Jjmcfl32.exe C:\Windows\system32\Jjmcfl32.exe
C:\Windows\SysWOW64\Jmlobg32.exe C:\Windows\system32\Jmlobg32.exe
C:\Windows\SysWOW64\Jojloc32.exe C:\Windows\system32\Jojloc32.exe
C:\Windows\SysWOW64\Kmnlhg32.exe C:\Windows\system32\Kmnlhg32.exe
C:\Windows\SysWOW64\Kpoejbhe.exe C:\Windows\system32\Kpoejbhe.exe
C:\Windows\SysWOW64\Kbmafngi.exe C:\Windows\system32\Kbmafngi.exe
C:\Windows\SysWOW64\Kkefoc32.exe C:\Windows\system32\Kkefoc32.exe
C:\Windows\SysWOW64\Kndbko32.exe C:\Windows\system32\Kndbko32.exe
C:\Windows\SysWOW64\Kenjgi32.exe C:\Windows\system32\Kenjgi32.exe
C:\Windows\SysWOW64\Kglfcd32.exe C:\Windows\system32\Kglfcd32.exe
C:\Windows\SysWOW64\Kepgmh32.exe C:\Windows\system32\Kepgmh32.exe
C:\Windows\SysWOW64\Kfacdqhf.exe C:\Windows\system32\Kfacdqhf.exe
C:\Windows\SysWOW64\Lcedne32.exe C:\Windows\system32\Lcedne32.exe
C:\Windows\SysWOW64\Lfdpjp32.exe C:\Windows\system32\Lfdpjp32.exe
C:\Windows\SysWOW64\Liblfl32.exe C:\Windows\system32\Liblfl32.exe
C:\Windows\SysWOW64\Lchqcd32.exe C:\Windows\system32\Lchqcd32.exe
C:\Windows\SysWOW64\Lffmpp32.exe C:\Windows\system32\Lffmpp32.exe
C:\Windows\SysWOW64\Llcehg32.exe C:\Windows\system32\Llcehg32.exe
C:\Windows\SysWOW64\Lekjal32.exe C:\Windows\system32\Lekjal32.exe
C:\Windows\SysWOW64\Lmbabj32.exe C:\Windows\system32\Lmbabj32.exe
C:\Windows\SysWOW64\Lodnjboi.exe C:\Windows\system32\Lodnjboi.exe
C:\Windows\SysWOW64\Liibgkoo.exe C:\Windows\system32\Liibgkoo.exe
C:\Windows\SysWOW64\Lhlbbg32.exe C:\Windows\system32\Lhlbbg32.exe
C:\Windows\SysWOW64\Llhocfnb.exe C:\Windows\system32\Llhocfnb.exe
C:\Windows\SysWOW64\Lljkif32.exe C:\Windows\system32\Lljkif32.exe
C:\Windows\SysWOW64\Lkmldbcj.exe C:\Windows\system32\Lkmldbcj.exe
C:\Windows\SysWOW64\Mbdcepcm.exe C:\Windows\system32\Mbdcepcm.exe
C:\Windows\SysWOW64\Mllhne32.exe C:\Windows\system32\Mllhne32.exe
C:\Windows\SysWOW64\Mdgmbhgh.exe C:\Windows\system32\Mdgmbhgh.exe
C:\Windows\SysWOW64\Mgfiocfl.exe C:\Windows\system32\Mgfiocfl.exe
C:\Windows\SysWOW64\Mheeif32.exe C:\Windows\system32\Mheeif32.exe
C:\Windows\SysWOW64\Mkdbea32.exe C:\Windows\system32\Mkdbea32.exe
C:\Windows\SysWOW64\Mmbnam32.exe C:\Windows\system32\Mmbnam32.exe
C:\Windows\SysWOW64\Mcofid32.exe C:\Windows\system32\Mcofid32.exe
C:\Windows\SysWOW64\Mlgkbi32.exe C:\Windows\system32\Mlgkbi32.exe
C:\Windows\SysWOW64\Mdoccg32.exe C:\Windows\system32\Mdoccg32.exe
C:\Windows\SysWOW64\Nmggllha.exe C:\Windows\system32\Nmggllha.exe
C:\Windows\SysWOW64\Npechhgd.exe C:\Windows\system32\Npechhgd.exe
C:\Windows\SysWOW64\Ncdpdcfh.exe C:\Windows\system32\Ncdpdcfh.exe
C:\Windows\SysWOW64\Ninhamne.exe C:\Windows\system32\Ninhamne.exe
C:\Windows\SysWOW64\Nhqhmj32.exe C:\Windows\system32\Nhqhmj32.exe
C:\Windows\SysWOW64\Naimepkp.exe C:\Windows\system32\Naimepkp.exe
C:\Windows\SysWOW64\Nedifo32.exe C:\Windows\system32\Nedifo32.exe
C:\Windows\SysWOW64\Nchipb32.exe C:\Windows\system32\Nchipb32.exe
C:\Windows\SysWOW64\Nakikpin.exe C:\Windows\system32\Nakikpin.exe
C:\Windows\SysWOW64\Nkdndeon.exe C:\Windows\system32\Nkdndeon.exe
C:\Windows\SysWOW64\Nnbjpqoa.exe C:\Windows\system32\Nnbjpqoa.exe
C:\Windows\SysWOW64\Nanfqo32.exe C:\Windows\system32\Nanfqo32.exe
C:\Windows\SysWOW64\Noagjc32.exe C:\Windows\system32\Noagjc32.exe
C:\Windows\SysWOW64\Oapcfo32.exe C:\Windows\system32\Oapcfo32.exe
C:\Windows\SysWOW64\Okhgod32.exe C:\Windows\system32\Okhgod32.exe
C:\Windows\SysWOW64\Ongckp32.exe C:\Windows\system32\Ongckp32.exe
C:\Windows\SysWOW64\Okkddd32.exe C:\Windows\system32\Okkddd32.exe
C:\Windows\SysWOW64\Onipqp32.exe C:\Windows\system32\Onipqp32.exe
C:\Windows\SysWOW64\Ollqllod.exe C:\Windows\system32\Ollqllod.exe
C:\Windows\SysWOW64\Ogaeieoj.exe C:\Windows\system32\Ogaeieoj.exe
C:\Windows\SysWOW64\Oomjng32.exe C:\Windows\system32\Oomjng32.exe
C:\Windows\SysWOW64\Ogdaod32.exe C:\Windows\system32\Ogdaod32.exe
C:\Windows\SysWOW64\Oqlfhjch.exe C:\Windows\system32\Oqlfhjch.exe
C:\Windows\SysWOW64\Ockbdebl.exe C:\Windows\system32\Ockbdebl.exe
C:\Windows\SysWOW64\Obnbpb32.exe C:\Windows\system32\Obnbpb32.exe
C:\Windows\SysWOW64\Pmcgmkil.exe C:\Windows\system32\Pmcgmkil.exe
C:\Windows\SysWOW64\Poacighp.exe C:\Windows\system32\Poacighp.exe
C:\Windows\SysWOW64\Pdnkanfg.exe C:\Windows\system32\Pdnkanfg.exe
C:\Windows\SysWOW64\Pijgbl32.exe C:\Windows\system32\Pijgbl32.exe
C:\Windows\SysWOW64\Pkhdnh32.exe C:\Windows\system32\Pkhdnh32.exe
C:\Windows\SysWOW64\Peqhgmdd.exe C:\Windows\system32\Peqhgmdd.exe
C:\Windows\SysWOW64\Pkjqcg32.exe C:\Windows\system32\Pkjqcg32.exe
C:\Windows\SysWOW64\Pofldf32.exe C:\Windows\system32\Pofldf32.exe
C:\Windows\SysWOW64\Pecelm32.exe C:\Windows\system32\Pecelm32.exe
C:\Windows\SysWOW64\Pgaahh32.exe C:\Windows\system32\Pgaahh32.exe
C:\Windows\SysWOW64\Pbgefa32.exe C:\Windows\system32\Pbgefa32.exe
C:\Windows\SysWOW64\Peeabm32.exe C:\Windows\system32\Peeabm32.exe
C:\Windows\SysWOW64\Pnnfkb32.exe C:\Windows\system32\Pnnfkb32.exe
C:\Windows\SysWOW64\Palbgn32.exe C:\Windows\system32\Palbgn32.exe
C:\Windows\SysWOW64\Qgfkchmp.exe C:\Windows\system32\Qgfkchmp.exe
C:\Windows\SysWOW64\Qcmkhi32.exe C:\Windows\system32\Qcmkhi32.exe
C:\Windows\SysWOW64\Qfkgdd32.exe C:\Windows\system32\Qfkgdd32.exe
C:\Windows\SysWOW64\Qijdqp32.exe C:\Windows\system32\Qijdqp32.exe
C:\Windows\SysWOW64\Qaqlbmbn.exe C:\Windows\system32\Qaqlbmbn.exe
C:\Windows\SysWOW64\Ajipkb32.exe C:\Windows\system32\Ajipkb32.exe
C:\Windows\SysWOW64\Aljmbknm.exe C:\Windows\system32\Aljmbknm.exe
C:\Windows\SysWOW64\Ainmlomf.exe C:\Windows\system32\Ainmlomf.exe
C:\Windows\SysWOW64\Almihjlj.exe C:\Windows\system32\Almihjlj.exe
C:\Windows\SysWOW64\Ankedf32.exe C:\Windows\system32\Ankedf32.exe
C:\Windows\SysWOW64\Aiqjao32.exe C:\Windows\system32\Aiqjao32.exe
C:\Windows\SysWOW64\Alofnj32.exe C:\Windows\system32\Alofnj32.exe
C:\Windows\SysWOW64\Abinjdad.exe C:\Windows\system32\Abinjdad.exe
C:\Windows\SysWOW64\Aegkfpah.exe C:\Windows\system32\Aegkfpah.exe
C:\Windows\SysWOW64\Anpooe32.exe C:\Windows\system32\Anpooe32.exe
C:\Windows\SysWOW64\Ahhchk32.exe C:\Windows\system32\Ahhchk32.exe
C:\Windows\SysWOW64\Bjfpdf32.exe C:\Windows\system32\Bjfpdf32.exe
C:\Windows\SysWOW64\Bobleeef.exe C:\Windows\system32\Bobleeef.exe
C:\Windows\SysWOW64\Beldao32.exe C:\Windows\system32\Beldao32.exe
C:\Windows\SysWOW64\Bhjpnj32.exe C:\Windows\system32\Bhjpnj32.exe
C:\Windows\SysWOW64\Bmgifa32.exe C:\Windows\system32\Bmgifa32.exe
C:\Windows\SysWOW64\Bkkioeig.exe C:\Windows\system32\Bkkioeig.exe
C:\Windows\SysWOW64\Binikb32.exe C:\Windows\system32\Binikb32.exe
C:\Windows\SysWOW64\Bmjekahk.exe C:\Windows\system32\Bmjekahk.exe
C:\Windows\SysWOW64\Bdcnhk32.exe C:\Windows\system32\Bdcnhk32.exe
C:\Windows\SysWOW64\Bfbjdf32.exe C:\Windows\system32\Bfbjdf32.exe
C:\Windows\SysWOW64\Bmlbaqfh.exe C:\Windows\system32\Bmlbaqfh.exe
C:\Windows\SysWOW64\Biccfalm.exe C:\Windows\system32\Biccfalm.exe
C:\Windows\SysWOW64\Bmnofp32.exe C:\Windows\system32\Bmnofp32.exe
C:\Windows\SysWOW64\Bpmkbl32.exe C:\Windows\system32\Bpmkbl32.exe
C:\Windows\SysWOW64\Bopknhjd.exe C:\Windows\system32\Bopknhjd.exe
C:\Windows\SysWOW64\Clclhmin.exe C:\Windows\system32\Clclhmin.exe
C:\Windows\SysWOW64\Clfhml32.exe C:\Windows\system32\Clfhml32.exe
C:\Windows\SysWOW64\Ckiiiine.exe C:\Windows\system32\Ckiiiine.exe
C:\Windows\SysWOW64\Cabaec32.exe C:\Windows\system32\Cabaec32.exe
C:\Windows\SysWOW64\Cdamao32.exe C:\Windows\system32\Cdamao32.exe
C:\Windows\SysWOW64\Cniajdkg.exe C:\Windows\system32\Cniajdkg.exe
C:\Windows\SysWOW64\Caenkc32.exe C:\Windows\system32\Caenkc32.exe
C:\Windows\SysWOW64\Coindgbi.exe C:\Windows\system32\Coindgbi.exe

Network

N/A

Files


memory/2884-119-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Faijggao.exe

MD5 e70d1ab270479c50ad85cd3e88847a50
SHA1 c96f06112d7dd1a453aafc0e5ff9feea5b1b49bb
SHA256 d20639c5d248ec64fbd7cfaee9f110bb5149c6f86aa9fe59f0d399419d1ac053
SHA512 9695409c08847a6feecc446d9747360f5b1d8bfecc16c52c6e03f456340dda2f329fbbd364dfa2727a8f0fc4f3f3276970bc510ceb4ca1fac724be3af9eb1538

memory/2636-137-0x0000000000300000-0x0000000000333000-memory.dmp

\Windows\SysWOW64\Fcichb32.exe

MD5 1cda333b63d6a6e558eb91367323d8aa
SHA1 2658e2fef7e7f814c2d95ba00bafbffbb45bff68
SHA256 16dd9c11bc590dcfedbef059a655faafaea361f6096e49193898c8de04c94e7e
SHA512 590d03f8a29fa8bd68f390b285447b26c7ea31db20ec65d39ad23d4d47b0bec0344192276e4fb10dbaafaa6f05c878fb72ea43ca2858fc8520f253972ec31e1b

memory/2764-151-0x0000000000250000-0x0000000000283000-memory.dmp

memory/636-158-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2764-156-0x0000000000250000-0x0000000000283000-memory.dmp

\Windows\SysWOW64\Fdnlcakk.exe

MD5 0bc778cd929ae300182a3edf2db87f8b
SHA1 b113910e75d6b65c70454bbb5d9a69699c0b5961
SHA256 18630184c7f67fc22028440bbd053c0c7dace86dd085a003faf74253f7c8236c
SHA512 0d74e6df9d91b247786b6e0bb98a30dba34371d3f65ff628728a70e903ea19c62c4cb2ee51e802636aacc636c184ff7f2e36a858ae80fd22c0540a45a610e41d

memory/636-165-0x0000000000280000-0x00000000002B3000-memory.dmp

memory/1792-173-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Fabmmejd.exe

MD5 9358e008f2ff5deef5073d2c0c6f99eb
SHA1 c36e3b0f7fd87bc0d80bbeb03a2faa00439a751b
SHA256 35a1dcb472a02914ef7327a62c413ce6256a520edb7a6e1cc42babd2d4122701
SHA512 f7e75f47406c89cc0c6ff724b631b00b9c46307751dc5c41d0f4da97107a7c54e1488dff5b54ceb891394afa72b55dc95300330e457483f46631db37224f5264

memory/2272-187-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1792-186-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1792-185-0x0000000000250000-0x0000000000283000-memory.dmp

\Windows\SysWOW64\Gefolhja.exe

MD5 84653a4c088d17a388e20543c8e04179
SHA1 a2014ebc3c21aab1fc37b82dff17550f90b45760
SHA256 34d83a0d87cdb9b458e7df66fd2472f344c817456aeb927ae958d27cfc42cac2
SHA512 b08c5af755734d975d85fc4cd3587774337c80a2cbc3dadc1e9847a38a94bbb8f03d66a18d5d4fc039b24d54d2eafd266ddf26a1a9ca205f96e2367949ea0025

memory/2272-194-0x0000000000260000-0x0000000000293000-memory.dmp

memory/2200-205-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Gampaipe.exe

MD5 be4dd27a0c56e37ef3e9088a6c2c463c
SHA1 822cb8c2e0314766183db53df17d752445ef674d
SHA256 1dbd74b46db4cc9022c8d8dba9a1c407b168160128f9bea1dd9804dc81d64dc0
SHA512 616629a834aafba3c26a4b0086b9eef94260cd3da1220c77a73edd4927930d14d4b72fd9a6dcf4b29b3156db980ff4a4ebd908b4dccb2cf8753981339ab8db01

memory/2152-214-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Hkjnenbp.exe

MD5 d19ae6a93e6e4a9532fd68308eb35771
SHA1 ae9c2d99ffd5b181ff08fa14fe6f7b16014626eb
SHA256 a76fbb485c89308048a312fbf94e548653d32b6d7d9f23e056b0117ae62fab1c
SHA512 fde52eeac90dff5a716ffd3d4fae2d45b027801abf697c5568329f12c9f58954f6bf0bd87aaa723881d48b00d6786cad86c4af7c18facba1edc0e71eccd83877

memory/2152-222-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1100-234-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Hdeoccgn.exe

MD5 97df79e5310add66463416c26442327f
SHA1 bc35c41630d415cc1da42fc9bd7dc3676aeab16d
SHA256 d69260c40541464473eeaa7cf96e77dbc78bd69a0205b07cd6ad47d2f5642775
SHA512 bbefb0a1ba6872e6a21b79c0dcd9584db530faa7b88d7dcf329382907769d2d0223cf44c05591de8d6086484ea87a292e36f1a579cae0132b81993fa68624e88

memory/1100-238-0x0000000000250000-0x0000000000283000-memory.dmp

memory/876-239-0x0000000000400000-0x0000000000433000-memory.dmp

memory/876-245-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Hplphd32.exe

MD5 9897d95e93d69f584643f7c7d331dc91
SHA1 67843448432a32dd832a4b3d6c4df157a40ad109
SHA256 ae4584422a01c1774af378532af6ee49df3b8199a195fa3719e302c256696fd8
SHA512 7fe0bb160d1453681b0b90878a735302c52c583e9177637d6c6f1990a1be82325ba464157984aad192c9c416f27e4b16ee882dd0153d502d9cbbab8dda7f979c

C:\Windows\SysWOW64\Hehhqk32.exe

MD5 d39498adb1ef2181a4354046b799a14a
SHA1 86c631b216d02a041ae8c254ec00a92f71c050d8
SHA256 a8978c051c6c7fc25ff1bb4f0685dcc4b9b21f8a9c7c313d032245fa6dfbd497
SHA512 71be308d07c8187b928328b7a31e09c8261cec0863bb13f5bfcd287955b33c206325329cd1572344c99c4f0d30ce6a211a495843e73e37a31094cdf5bec0462e

memory/1088-257-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1088-263-0x0000000001F30000-0x0000000001F63000-memory.dmp

C:\Windows\SysWOW64\Hjddaj32.exe

MD5 618efdb1f16d7c352e88358ea5bd2255
SHA1 dc053ec9a567e10f2221e813403998b87315b162
SHA256 154cc5f968f2fcd106fed145baccc12550314cce22658a0479ae4ea04269a5f9
SHA512 c49066c1cd636fa915992acf76e60ac8519f73d6871455f8ca40ddf4d2752bd32ecec38aead16937a5409ddceb1bfeb6267f792c27f6ca16f237fa2f578c519d

C:\Windows\SysWOW64\Hclhjpjc.exe

MD5 11bdbcc4fd3c5848cae5049971e59256
SHA1 bb866634fc640cb97baa6cc24ab82d37d8ed7c73
SHA256 ca6e1991a539801b0fe664bbefe4bfb09a56d3b7ec27b5b2e3018d3b501b94d6
SHA512 acbf8b0d97f4634c1a23fdffa81e65dd96a368d113d54d6bbac19643e7d256c5684e54f6c97d5bf8649337bccdb3b17f18099f7ef1ae3ab6afcf96232d956ebb

memory/1468-275-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ihiabfhk.exe

MD5 edf9a708455235d1010e638a44ae3da7
SHA1 5278f96b60722a267d93a2fc2f182322c32176e8
SHA256 2e8a2cb31cc674385a9619666d472ca2539a5703b3e50e4cf7b705b131eb7ebb
SHA512 71b4954603eca74ae1dd0ef7983ed5191ec754df552261b790a560a02bd00ea09c41f6493d5d866f98159804a442ea484919428e0fd5bb371ed733eb992439e7

memory/2288-288-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ipqicdim.exe

MD5 9b266f2326e7af6c39b5590370d3da1f
SHA1 0f7dce415c4f3025fca2061948f72acf5fbe5e7d
SHA256 8dc8a06dcd91f298b55d9fd3bf2ec63a0a0d060b5d45ada49664f6f88bc62160
SHA512 0b22d7d6b14c37187b21a65538cbc674e8becfd4c5a408180b6b0b9049482aade8d2fa16ef0c907728f8169b14e8e831a2c1dfa4dd7fe03a0f0bba5b2484e67a

memory/768-293-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1612-304-0x0000000000400000-0x0000000000433000-memory.dmp

memory/768-303-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/768-302-0x00000000002D0000-0x0000000000303000-memory.dmp

C:\Windows\SysWOW64\Ijimli32.exe

MD5 3bdeef240d6190cf48f44cd4b47e2dc7
SHA1 ab05877d9ddf66e48536b28fcf5c679d236a83e1
SHA256 2cc9eadf3f2de94df9101f4bb71cb40dda125ef9320bbcb123e072e871b9aba0
SHA512 faefca2645a94d56bfbb624d601efbf8950e1d785ac778040126878158230b6ee7046b7df3d8e36221396ae9b4ba38d9cef447f932ab683b83480180e2e8d5cb

memory/2648-315-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1612-314-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1612-313-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Icabeo32.exe

MD5 cc046dbf996d0aa4bff969e74579ebf3
SHA1 14a9b41f9763aff5a548132f294329a336fdb777
SHA256 a39fb97847fa8d3fa70bf8e4d4374789e67e250f72144a947c831d3bf32d595e
SHA512 a30602896fdaddc43b283bf0a1de97f41fe4a1120fac46f5fe3de556778a8e6ceab7d74980b77423b4fc30276d9eca23dace84e014d4ed27e3441f6444a33aba

memory/2648-325-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/2648-324-0x0000000000290000-0x00000000002C3000-memory.dmp

C:\Windows\SysWOW64\Iadbqlmh.exe

MD5 aec0d37d1dcbaaacb96a56a6100f9d35
SHA1 638020e656812825ff65370e431dced1f53e4aa5
SHA256 452d1ed486de0d4bafea1faff7a3c55e5f572b555f956c2618a62b78b4cc38d4
SHA512 edaa2408f28213dcac4bbd1ecb829c6c8ab0893c5290f6e68b117d187a995b6c43cf0d7ffbada46c5d7b6c399e5785c5d0ef6746ee1283e46284ea588e97fb41

C:\Windows\SysWOW64\Iohbjpkb.exe

MD5 4563cee9fe6e01e2829433eb776ce51c
SHA1 df546a07e32aea245580af5c9a7bb64d0ee274f1
SHA256 e2fe16a26b49ce7b1bce56de845d22abf8450d8164e5b1489b0199eb66539574
SHA512 f023bb197dc8745a40e849d2c084867bd2e9a4f1f9f1154855bead93ad1b36f0e2c004c87c705507cba1a3a7815f025dc81c19bcbdb1848e32a617b9ad438b69

memory/2736-337-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2664-336-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2736-335-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2736-334-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2664-347-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2664-346-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Ikocoa32.exe

MD5 9ee7e3df34e3662c01da5baa862af607
SHA1 09fb70b016ca1a32e4e937ecc17dd5de95d4b92c
SHA256 7f6264902ce9ddac99a4d178ae780585f5bbd2e29e6a42b99e7c085ba81131f8
SHA512 4c3dbd4af68c492c436bd8896fc4ef87474de0dc2eb3e0656307e99d27983918ec304c5e5bed42a158ccaaf4c2accf06c0e68e2a96bae2b27f67d411eec1e6e7

memory/2800-354-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Inmpklpj.exe

MD5 76f8d3d8a0506b8e41540e448c8b946f
SHA1 87c7a7b8f55d4df59eb8af620f0d7bdf622dd2b9
SHA256 33932f345c4f7f35a30458db941f6a08b9d0f795b77184eb16d21b4a664eac40
SHA512 34d760665174c8a005c682c2f79e7f17fc01ab74c0235e36ab352a21f649a26628c63b5d485df11a5b22b2cd954660573c6e62d67ab32993749a65ea861f3df8

memory/2800-358-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2780-359-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2800-352-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1708-370-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2780-369-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2780-368-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Ibkhak32.exe

MD5 8ae5bcd2c1e9d3666760b623508a7c48
SHA1 e3e7186b0481db9f5e37bca9708122a80dee4cc8
SHA256 a4ca7110c2e3a5b4c32d8406d4d8b95aaabd5fbc3c5dc0ea320492ddd46b7939
SHA512 8b29af7eb08acfe52a8756bdba089f2a05daa89b8e29326187cfde75f8b3482b6c795e8c516f5706fcc959cbf9c0b7972213e896ba5310a5ad73ba00737af0ee

C:\Windows\SysWOW64\Jdidmf32.exe

MD5 0e0cf19b3d9e2a580dd4d0c45e7eb600
SHA1 8fb34701e10918139c3b134720c0546a73028d17
SHA256 9214a7a50d60d3ee20c4497d7858883ca9a7698e653978222261023c6b57e15d
SHA512 1d9f44f8640ec5ff15c0361fd85f61fac60df16a7841fff5c7e87de51d56bf2341745257fff71a3a0999abe6ac8bd1f569b8f7bbe1bd3f536fa4ca4b92544333

memory/2400-383-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2392-381-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1708-380-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/2400-379-0x0000000000310000-0x0000000000343000-memory.dmp

C:\Windows\SysWOW64\Jnbifl32.exe

MD5 29a4b04a13726777b520b214173c2025
SHA1 61f1555677fcfb1b73966db31821d2215404f0b1
SHA256 e0156d30f8df0fd6b9edb947fa7c5e39578d5b0ac216ebc0396adf518682a619
SHA512 7c4efdfe1d8a15bfeb63a77afc27e79e523100653b80b8e8c5caae97c5c3ec3c31cf4e97cfa6647016492668873222a4a34f7fd228f9ee5caffbc778ca41dcd9

memory/2688-396-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2172-395-0x0000000000400000-0x0000000000433000-memory.dmp

memory/888-403-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2688-402-0x00000000005D0000-0x0000000000603000-memory.dmp

memory/2464-401-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jgjmoace.exe

MD5 b9d5e7776365d79136fd7f0a6c2235e4
SHA1 842d287ec41d4dbc7de660efb286c9877f579df8
SHA256 2e42cf84e5c67473bc1c1b1277b25b27ca2cb2fcb93deb5f1f9a70abe2e6caa2
SHA512 28dee9eaed90bad4d8aa81b74b43400dd6c09b17c84f76ecfff75a24daecf35a83ca573f76187d3aa44f1b560d1f05a6560b1488dd45b0143acf503aa2ab978a

memory/2464-414-0x0000000000250000-0x0000000000283000-memory.dmp

memory/320-413-0x0000000000290000-0x00000000002C3000-memory.dmp

memory/320-412-0x0000000000290000-0x00000000002C3000-memory.dmp

C:\Windows\SysWOW64\Jndflk32.exe

MD5 32ac5a0c4d85dc61419ecbdd2a36d8eb
SHA1 338536895be17679f9221a645368d8899d7cb439
SHA256 7c902e2f52a9da801774b5581c88ce857eb52d1b98d2c6eb975db886f0315a83
SHA512 a66520a26f79ecbf1f89d11ba42f456a714672fa53af36bbd9793dc3c49c7fcc54f47607febe3100dde297a943cebd88cd5bf5bc13e3152551179a061ee2633b

memory/888-421-0x0000000000440000-0x0000000000473000-memory.dmp

memory/2320-418-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jjkfqlpf.exe

MD5 6c2b34e342e8ddf4ed89019955d9d701
SHA1 db179b6a3cef2eaf3d66d95e80453657f3d5c07a
SHA256 29b2b0f72ea969c55e3b7ac08d123c9c17a7ac8f003a9cb5d76d026b12b61be1
SHA512 6313157559f8b0caced91dd62e274a74b2a07be3d5d383f94f9e38f1b71fd5a21b6e338b8069cf47eef5590d819b4a9b7b76fc5c9495ec6f177d90b70c067187

memory/2880-426-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2556-425-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jjmcfl32.exe

MD5 e6fc1957a1cfc5f5cbf521e1dc441f72
SHA1 4636bc2bfc088f8e80192a9b830ff0def0a02e0d
SHA256 4f7d806e02e3bbe89a1884e9f437881b80e6cf6fd687478fa8b4db7cd31dff57
SHA512 cba88be07561c759a55fbc61efa70678aa31fcc114674445a3df9fdd969cbead66ad68ae04f9e627e0ca9bbcc81edae0aac993518450e49affa9f6c4f4684506

memory/2556-440-0x0000000000250000-0x0000000000283000-memory.dmp

memory/3064-439-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2864-447-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3064-446-0x00000000002D0000-0x0000000000303000-memory.dmp

memory/2328-445-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Jmlobg32.exe

MD5 c580994e0abec45afc3daf45aa54db72
SHA1 d4be97e5c4f099ac4e6169c1c7b6929f4f27a51c
SHA256 30a8e2e6d05369bed07f3e143310c41f54d0730534ceb1ea4c93d0e293fdbc70
SHA512 523e9350bfff641db4ddc8854c2c55679d8f2e1f635ecbfb6673278de4db5f8802972175be9f82abed57001475c0730cf740fd4a2ccf626509c12e0be6c7a78d

memory/2068-458-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2864-457-0x0000000000250000-0x0000000000283000-memory.dmp

memory/2864-456-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Jojloc32.exe

MD5 554e3530b4f548aa9b43a9f86eef9736
SHA1 74034dbc604df8532a0ad1acb97d3c3d364e1615
SHA256 0ac34a1ceb61eecb0e6d9272ac1299c089ee80c21ce5ad872a1320c2afc9300b
SHA512 73860c265004d579ce06f203cba43e55e014c73de35cee68a46a5e970490600844f89d3d0b46c73b9edaaac7b4427ac3ebdf287ad9a624e218244e5be7097439

memory/1972-463-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3012-471-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1972-470-0x0000000000250000-0x0000000000283000-memory.dmp

memory/1972-469-0x0000000000250000-0x0000000000283000-memory.dmp

C:\Windows\SysWOW64\Kmnlhg32.exe

MD5 fa6e2dd55696a11ea508c542755106d7
SHA1 326a1e695ef0278213746301ac023ca1a214cc03
SHA256 777c5d54a4028d585745a2621e8bb2f79953fc5a6941945dcf8c384c45d792a4
SHA512 4a390c78e25474e40de77ffc806d2f690f1ecd0f6325874b00fe22a4a7303effc7f295c7f98c97711056ee4f21441dd471a94ca7a6c79356d5b30feb4f2ba716

memory/1780-462-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Kpoejbhe.exe

MD5 cf151a04ec72ef1aa74367844a041ec8
SHA1 13ae52bcdbae7be46fed2aef6a1cf2a00fb319c9
SHA256 aa69fc801bbd9b8c642f4fb92b354dd9972778a53236b375838b1ca8132bc8de
SHA512 9214c58ca2ed79835b24e8649a47a4b6356eb5326053efbc0ad9d74d451e651274bcdb9a12cf7c0061699416f8d0c1f0ceb26db812027e0b82c1f3210df517e6

C:\Windows\SysWOW64\Kbmafngi.exe

MD5 652454397f559c55548b20d740d976d9
SHA1 df5f361a00a96b7c4ac87d7814021cba7c706914
SHA256 a0c67fc3b20159c73e3008d9f35688e6907f4f90edb8d4463f82f4368ebad632
SHA512 6c938e317f992072abe03b1db127fb5cf67b46fa239f7e2cbc1252b4a9ea92085b91bdfca80c1d9be59598bb0367a8956ebb69a2e3ae3fe5d29ab3bd689a8461

C:\Windows\SysWOW64\Kkefoc32.exe

MD5 54817994a3b83414bc44eb9817d52f49
SHA1 e3b33df7516ed9a766b7d98242e460426ea51724
SHA256 a497cf895264d40c660f3c60656bced3d6b342d9ba5839da4cf06c4174cc96d2
SHA512 0d64a7098bd29b518176fead727e566a9182bf239aa461d14a7728ffc2c05b476c60ec2c7f30d1dac4f6cedcacbb283e44f77c8dc3100ad7373af790cafdfdcf

C:\Windows\SysWOW64\Kndbko32.exe

MD5 d1857bf7dc374cb7e419c4e8cb7d48a3
SHA1 3799590297be65cd8470fe2e98e258f1670d0059
SHA256 e3d78bc942cc3fc68a9e0aeaea6a6762eebc433784d55afe70ad526278594e7c
SHA512 9201613479ab35ffa034e0895967b8e24a3e13f8fc2b4986b8865d6c9b29ea6c7c30701391c6a9859740fa634d58a932b08699259729ec28e1e2dfe1b8fe0593

C:\Windows\SysWOW64\Kenjgi32.exe

MD5 1aed1b0fb767b6e0790c43734bf5b831
SHA1 c87518f9b5f309661fca8e5a6867a9b0623c4c41
SHA256 ba22f1dae306b3c5dc022ffa7785cb61d093662acb66d3782f29523b85bb5ceb
SHA512 cb8dd09bead934b43444cd2697bf5d0607ae68107edb37647534ca1da4c9b20e4642c93808a735060cbdc554c90ea469bafbf065b7bc2e04d0e36cea6398f0e8

C:\Windows\SysWOW64\Kglfcd32.exe

MD5 f0144237aaa081dca8166276203c9da6
SHA1 b6f423948436f06f585e876c02f28a964a25601f
SHA256 f21e4275b3adb1b824f6c5681d20124c7f41e8ef2983b73830c5979f35b7f85f
SHA512 9cce81548695cb5488aeb9ac314030b91c49ac22d0b012e1236f5ae1c202003d3b32f828ef6a42fe021438b5dcfa6d755944267abf5746dc53694483be1be147

C:\Windows\SysWOW64\Kepgmh32.exe

MD5 4feffbd674d975fcb5019048c0974224
SHA1 66a9332d5781cc87357b7f922b7c533c6d39d5fc
SHA256 a15997b0dcbe1633bf800b2ce7a4e31b18d0ebc4ee2cb7b51d3ee658f04c27fd
SHA512 172b3fd4ffdf4577da5191c8fa2ad179f1cf668cb06ee378a119a57e274ad1dfb4386039c771f23b822a9b104e05184711468b6f75e6e6a16897a035b29a3b37

C:\Windows\SysWOW64\Kfacdqhf.exe

MD5 25295056b84755c9afad0334320b49d7
SHA1 67d4fdccdef18555570875f470d26f39f0a32ffb
SHA256 23e03fc658ba97dd79836b463bd8e015e3808e64907456ee864939ae5a8404e0
SHA512 3f76643c7a8b38242070d9c870abf84b54bf0498107d71d0514c344353b11c3184e2ff3ed40db623498b1595c8ed9a63a2a9d282068d37b80307b7b4ea072103

C:\Windows\SysWOW64\Lcedne32.exe

MD5 0820f769313cd35df21c374b3edfba73
SHA1 adf597c4ff462ded74ff379bd57fe7f78cabae28
SHA256 795084203a9777d78685469921fd294763aa913e1edb3b3f351fc136c1b18050
SHA512 dc42fabcd390e14d72097281a0bbdbe2142feeab5c5d6a89dd6589eaeddfcaa39bed6609b82843aea690253f37de209a2255ceddff47de7a189466502e4a3ec1

C:\Windows\SysWOW64\Lfdpjp32.exe

MD5 31f241f4ff5e020ac02d6c29a1cbeca0
SHA1 1cf1b9a89c54d1556af4d6bf95787a8d4ac23332
SHA256 818e1fa1df17f61d4d0a96d06685bcac40b160b9d5b5a53b5863a85b56afc8a2
SHA512 d2084d55dc84df02964b06a275e16c76922b4f79ef05e16109d10fbcadac8c7e04d1f000f8149acf60c3e1ad943ed77af8a85b1872bd7e18acd3b67a7f1908f1

C:\Windows\SysWOW64\Liblfl32.exe

MD5 90f16ef8e31fe0a15e3cf1da7da447ca
SHA1 4b59b22387d3c1c6733bcb5919b003bc2eeae1a4
SHA256 1be709379841233a1527aa7ba98964186818cbe754b31854a36f7beec0c4d902
SHA512 d3122ca26b9b6b2ad13a5ea6a8e7119b35f6a61a668f56f1d563895230606733d448f54d997e947b63ba2bea365ccd8caa835ee0a451dca2def46a8ee97631ac

C:\Windows\SysWOW64\Lchqcd32.exe

MD5 9c55cd9916b71fb357938b4a04d8042b
SHA1 e7676f6cc3bb2bff75b68142308df19d7a682630
SHA256 879df63273255ae7987c68e95fc5293d359a3710170331854e1b51b9ceca6a70
SHA512 d5a40fca4b17e7016e66c5f557792dcfd23b387cfbbf14da3fcb4c9052e18590fc07a8c6152550a7d5096666fec15df01629a84510e818f57bad113b3efd385e

C:\Windows\SysWOW64\Lffmpp32.exe

MD5 56993b018496dca300464cabe08f3723
SHA1 ae5d7dba37cd422b8ecd580d685b9dae48300206
SHA256 37b4abf026b7702927f62e285922f78d3f6f89efa823339a54762293d7312083
SHA512 598baa201ed593c78aca88552d3fcbb7fcdd450799d7d9fb9f9490a0a6095562bc60723e76f36bfed50c3f828546a50a4a4ee7d2386e57df352632741f3e110d

C:\Windows\SysWOW64\Llcehg32.exe

MD5 b96c7c62b67add41fb74d48a4c258dfe
SHA1 59917cf7ae1ae001cb9ac7946f3f2ed8f06642d2
SHA256 93c75dc29179584f474e534764c9f23b39b3c3aa9673d1e556188b9ec615ff86
SHA512 20005e962502834dc245ad9ff6aebd0fbd0acaf465d220ee9cdefec79f4833302b79172c5e3f134a127b2c61851304b6c1a2205e575e986a0f3c7e7970579042

C:\Windows\SysWOW64\Lekjal32.exe

MD5 b7dbfe76611b5f6b29534f989fb9425e
SHA1 fb72fb5bd5c832bf4977d9c5ce7e4d67f7259e96
SHA256 049c579946c82929d2e8a2f1e9ee7430857d088322cc4866b0e049361f688ed5
SHA512 3bbb0f2a013b6a6e0ec64057949f98ff339785a2c10304906a8c0583ffd3ff7c6b810fa810df7123465cf6660ec95f6eae8b544b5e45d810d90e57b2166c04eb

C:\Windows\SysWOW64\Lmbabj32.exe

MD5 22c91862c8d09311b5a77de3edeb6d29
SHA1 ac0de8d0b34573558ab97088cb0c51fe6fb48d1e
SHA256 deee0964975e8e067321c9a8363d68d9e50af631df223fbc01b0991af481ff03
SHA512 9dbf2c77cff55e80e0bb0af9eb6c219496acd41692148b3abc218087f177cb21e26a1549f6935505ff92e802ca235e894726fa1d65a391c675b58b10ab362f9d

C:\Windows\SysWOW64\Lodnjboi.exe

MD5 24f95a6d2ffd2ba7b25db341d07550a5
SHA1 fd1c740bb853c8ae091879e5440a713dbdfba473
SHA256 015c254f5cc7a56638ac0785e24f1ae884c01cfa7579a244295c61d9810400bc
SHA512 2dba87907f0413aea98c0023049d58001915ad160ff05e9b0b25f039646ef33def167f9694110504de20549d460f346f9b6354b839c8eb96a0007cce0aeb8fc4

C:\Windows\SysWOW64\Liibgkoo.exe

MD5 d17fcae23430d25916e2964a18cd2735
SHA1 17de06d9702be80dc9841150535c9e5f19c322dd
SHA256 ab7ba68aa038f5c6b4a149a1c24529bb784930422dbd43562f5d315745d141dd
SHA512 cb213825a807bf6f0d7026d6a559724ab0ea202a25127aed6ec7e69cc04a574bd2f37b06176658fbeedf71b0c17e49d54b2fa1edc4855b5f3e31408899f0bd05

C:\Windows\SysWOW64\Lhlbbg32.exe

MD5 e0cf80d74a6c0374396a53f959eb9db4
SHA1 0dcfd5fd0fe2b4567d2acdf5f64988a1b9fefbb2
SHA256 ceae60b4ae6064583c8f04391309d5d508aaca49ea669775ec250326e31a291c
SHA512 5bb1e58f3057f32dc39ba081b170051e50172ea83873cdd16434ede16895bf0c99af57b84122ea99d90ba9815ad322c269bcce37c05b3ff65c02d1044058395d

C:\Windows\SysWOW64\Llhocfnb.exe

MD5 b723c70e2c07b9c2feca5b02b547c0dc
SHA1 71e9d550766922e8c2c1730d60b9a5941bea0397
SHA256 df063396ba80bfad29b14cd9406b59bfb35e08fbf74162c4caa8335324e2cd5b
SHA512 493ab90fa07e9481348b45007fff3ebccff52f8aa5598f8aea75f92a6366c5f27bf9ddc6b1563fecc74e7a1d847993f3dcc1b92af24d4da483ff3cf0da854895

C:\Windows\SysWOW64\Lljkif32.exe

MD5 1af55cffc4945876a89dcd551b85c284
SHA1 f8d3a20b5aebe748bf8ded88574692ae12bb8a45
SHA256 e0ce15585a3799635dbe881fea514f871004c193157cab712c26bd2370e4123e
SHA512 07e6970a0deab8a6976a98033909345f663e45442b3536e3b370da89f2cf0979116f61a8b330d6015ba5787567648f1b0f35a4d20b8b2011dd97c4d199cc2009

C:\Windows\SysWOW64\Lkmldbcj.exe

MD5 5528dabbd6ee3b57fa924be4b4b6a1bd
SHA1 d698ef4dca3994dc59b14c4797ab1feac2e89031
SHA256 bc401b641b0cfe7382326391661cb6038c60bb7b37f57a14dd64d3c7907fef79
SHA512 6356c9166e77bd7a3a3e2b3ad0987385d284f6bcb514aa42c3408dc32548079d9d6249a3c860e86c6a895f41ad22a0695cf2b3adad01a99ee91ce31df6694896

C:\Windows\SysWOW64\Mbdcepcm.exe

MD5 0ae16d4115233556fff7c14cf97b0082
SHA1 759a567a5c99ea89d0145bd7e703f7cccca57085
SHA256 10ddded1a6ab3be5af7f36fd9809cdab17030b91959855812a9591cf2ea4d5fe
SHA512 0f0afcc6c7e31a2264c02d7b4b67c3cfa4675d3adb6b9f82e1e89e000a97e0ec6a359cc1974b4826365fae164820a4e28bb44341d561229c81503592467062a4

C:\Windows\SysWOW64\Mllhne32.exe

MD5 b7597584bf33688bc52a6ece69674c30
SHA1 f2a383bc3dda2cc83befc8aa7d00a83cada6770f
SHA256 2fa6833a501a4d661537bb81d8792bdbf27386ba2eed2f9428525381b81e59d4
SHA512 8e1fb665e08d41fe7ce45930b651caac79cf62fff5775df9e1fcffe2f0fb5a90042c63431c4d27697909878f703da64420a329ee518cc71e1cf82c0a88cd7199

C:\Windows\SysWOW64\Mdgmbhgh.exe

MD5 79845df88c158a3a0fa2801788d19b87
SHA1 fa5f2f308d2711dd45d86cfc626a5b97e01b57df
SHA256 8eb59378a7ce12ab5c080179bfb209b37ba3123609a408a21f6eb2fd539ecb1b
SHA512 6fc9c571ce17e3789d9129cb170c892b87dbcaaecc7a726189e334f1238a6a2a0a5fa9d662f91c9f9a4a327bef8ca1a83e2a681f598ae40d7954c59dada99358

C:\Windows\SysWOW64\Mgfiocfl.exe

MD5 3463b64bd064fc7456fcbb1b971df29b
SHA1 e5c0bfa476e63b8a7a64f91f3d9a49913aa1cacc
SHA256 ac8c2a32daec32a42127d7c8492fbc38cae98b916ab778b029b50df389b114a5
SHA512 5b081f638a994a6be5ae19d18c22f2656ee0437cbea6643b76cdd253743e92d6e919333c2328aab0df87a8de7561b4c077437a06bcb0e020514e42fa3b005a96

C:\Windows\SysWOW64\Mheeif32.exe

MD5 3df72223730f68e7503e38f163d5e38b
SHA1 cb11b8beb060dd6626b62f12449b69b5bded0a18
SHA256 c4476f3e6fc5d537dafb48fdc566ad459ef5260c4d19877c26d015b7a925f3b6
SHA512 ad3079184bcc8cc3fe50b40bd7c8a7ee7bf6b0961df890bb99be709258f20fa249c66a30bebfb93c686a8f16f8fd979bb929be31e5fa42c3b0c7fb6674ca6be4

C:\Windows\SysWOW64\Mkdbea32.exe

MD5 240e26db5f26e2a6971a7551656d9d86
SHA1 60e4fd9149ae705121303863247cb7ca23d030b8
SHA256 704e85d7eaa9897c4c563926d16db71d2efcc7643df1733dda99f2940f61cb4b
SHA512 202a9b005740077d71398ed8de3a514b7078561a8edf94c364cc8ebcb989b1ed34af3fc89b4c5cbada4a478e7c0f3e7311fda48e7c7a3e9ac2d67d8ac0a2f9d1

C:\Windows\SysWOW64\Mmbnam32.exe

MD5 fb1e3bf5ec89731f642f11df832b6d35
SHA1 4d397a2bb3bc723cfcc2df32dd3da6dda591963c
SHA256 6254c29756e6f638bf3426966ae6fcabed3dab5c9794b04eb87c66f2aa21fc48
SHA512 332e6b9067fb52864225d94f8bfb70b2da9cebd27ad53b1f04c5e7886188359abf9fe0ad13dc02459cad3e7053f288734e17b5adb27a7949ce6c464a52f93efb

C:\Windows\SysWOW64\Mcofid32.exe

MD5 3bba6e487fd1632f8d37176d84e08b2d
SHA1 f34a53ff588f65fc59af9073388ed3653f488675
SHA256 b960b462be6e2bfb19a3be95191d61886b29c045eb3c4167441d3b4de925e2f6
SHA512 3c19bfbf228692d37cf3747c561e9eaceb654334fafb20d930cd901e7c0e45f4991f4affe053784a31601f421ddf4f029f6d37c28504eb97af74e9983f7041fb

C:\Windows\SysWOW64\Mlgkbi32.exe

MD5 23e86ebb07a556ea9d3380ea1240d897
SHA1 d1468b5cfa79925da613c4d0469dacbf874711b0
SHA256 c66d847be715cffe6bc90cc4a85155604b57e613b4ddddedcd6235e2566bd274
SHA512 e26d52e2fe9d80b880c8484ff14bea894b4cadabd250c342a009e2a5a1f0a89bcefed492def909128dc3fc1b363dc6fad78df6151a89822d0a3426894c2a2ad4

C:\Windows\SysWOW64\Mdoccg32.exe

MD5 4ab56833322516019d199e294f1f3ce5
SHA1 1c1e6ff7f7766bbf8a581b50085cfdd889da3395
SHA256 41c9945d8d463581b0aef5701cd467cdf81a41c218595bf82e652db93e40d8ad
SHA512 f46e349c5e6be234cc497d4a2714433312d587b4acbedd374c6281c913c3dbed24fc79bb0803305c2b9b44986b2333bf46b3935df008071d203d1e973f345992

C:\Windows\SysWOW64\Nmggllha.exe

MD5 5d9b1ce97f6bc1ab70574f24d7d86dc2
SHA1 954fe1751d0ebdb4daf87d706edb23805a5ddd3a
SHA256 82b28d5858f5e278f7e2ab6700d4d1a8a6976ceaa0275cd16f337144a93755f1
SHA512 78a9edf054d7955d021b184daded51e20e4764517ff5bab209b9783cd69e885a4ff5cdc3d50aa8aa0e78e56157cbd585068467654bef4e22d36e9c14dbe9e60b

C:\Windows\SysWOW64\Npechhgd.exe

MD5 b4bcdf32635efa35fe8319738ae473cd
SHA1 74bd9797410a98b4d3718c5cc1551ad9dfd9120f
SHA256 006754a2246e8194bcf12505f6f02d168c3a04d87acb5a6e369d34279b9959ca
SHA512 497486f17b1f6cc1787b5eb102c11c5d37eb25302a126469138d84a2eed9ea4b3dfce3233dacb91e75c5ad0ca14a8716ee49b49d5a269937ae7fcb9102214f67

C:\Windows\SysWOW64\Ncdpdcfh.exe

MD5 f52a48c1bc11968d72e216c72088f01f
SHA1 5e9e1ac3ae3da62706ae8219167f27bc794eba98
SHA256 eb8ba41e22df4231cf49110d6ab3fb4cdbda374c03738dfcff70764d02d6fdc6
SHA512 2158c92ef32fe4454aea5780fd25cb149714c56a028e3015f4552f4d7e2a88fd3f8b57bb826a34875ca2b78303105b5d7771c6b723f2ee99354638bc35bb754a

C:\Windows\SysWOW64\Ninhamne.exe

MD5 35c70463cb7b105fa27f21bf6560b85c
SHA1 6428899263174ac85a356ba96e3eea34a8ed0504
SHA256 6ff7a694c035b95525c4988b0b231779417828928b97bd0fa77d032397748762
SHA512 1305de44d65c3b059e16d18586a2090d23ae41565bb975591e6473e2b95e47e33a49a36c5e902625ae7b016e2a96a8b2bc0ed5930342efbb53b44dd30cb1d605

C:\Windows\SysWOW64\Nhqhmj32.exe

MD5 5919ffa09dbe0646692bf88650a45d9e
SHA1 4567128806a486f32ffe836d9614470f5bece5ea
SHA256 40938c85ad5f7abfb0cbb912196f41b27825cd1f252f9986c38440bd9e6f61c0
SHA512 8195e6d5785856849050169e5c880a0e3a186add6e04d251b6a7c430005a618f673c95b4b4f5ea407ad3669ea819ccc1a4a8b55401feb30db91748b8ca6815f1

C:\Windows\SysWOW64\Naimepkp.exe

MD5 5b8100f3ae31371c6b4ad4286b0289be
SHA1 2a887d4432c03275a186f5cd06daed8eb9240d24
SHA256 6c2d7770ee356260f50ba489cdb38f4944ae3499e6605eb494fdcd2485151f09
SHA512 9cf07e12f7b0a758fa2f4f10f0e03a009797ff95f7cd55075f6356b6a40a46d948a9c7ef68c80075f6b7afb432778fa36126b986b91e7a7e5aab6e4d1b1142e7

C:\Windows\SysWOW64\Nedifo32.exe

MD5 9f7018208d337ca56db22a10f4b548f4
SHA1 65a84d150e688695ef1ef4b9a6c848a41692eb48
SHA256 29c6994a9a7b2e5d6ae2f90e2c02c40db2e7e1fc80771cf213bd3965cf26331b
SHA512 e4b3b6a8761c8dbe871026cc782cfbb723b8c5bb6089fb70cdeed35a26f13dc793f5f0595d21804689decce0e2b83957d3335cf41c1e13c54db4ae2e098d2d6c

C:\Windows\SysWOW64\Nchipb32.exe

MD5 a8670aa7b41c8de5cfc4678a35305a19
SHA1 b5416547c6a3c776a3efc990eb41347dad9c13e3
SHA256 a6c4ac50a42981cf477df4c5dec34c45ec5a2e31d452751c9adbd7fa5e2dc7a5
SHA512 b1960e03a1d6cbff2a76665e57b24065261104f41231c23477f38547e13353326ea7540c47aab523cb54b0b4e560f77bb1f0ecf90ea494d470eaa8c2c806c34e

C:\Windows\SysWOW64\Nakikpin.exe

MD5 7e01a4cec33f5d6857ba9c8f47a50778
SHA1 97ee96d96b8de8dd296f2f79000b65f6ae9f6d7e
SHA256 04535915b33de57c720b05540a405f211510bf385d9eb7c5d1fd214901bde2bb

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:04

Reported

2024-11-10 01:07

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjpckf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhmgki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cjpckf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dejacond.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhmgki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dejacond.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddonekbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfnjafap.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Cjpckf32.exe C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
File created C:\Windows\SysWOW64\Cjbpaf32.exe C:\Windows\SysWOW64\Cmnpgb32.exe N/A
File created C:\Windows\SysWOW64\Jgilhm32.dll C:\Windows\SysWOW64\Cmnpgb32.exe N/A
File created C:\Windows\SysWOW64\Eokchkmi.dll C:\Windows\SysWOW64\Cjbpaf32.exe N/A
File created C:\Windows\SysWOW64\Mjelcfha.dll C:\Windows\SysWOW64\Dejacond.exe N/A
File created C:\Windows\SysWOW64\Cacamdcd.dll C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
File created C:\Windows\SysWOW64\Ffpmlcim.dll C:\Windows\SysWOW64\Cjpckf32.exe N/A
File created C:\Windows\SysWOW64\Poahbe32.dll C:\Windows\SysWOW64\Ddonekbl.exe N/A
File created C:\Windows\SysWOW64\Nokpao32.dll C:\Windows\SysWOW64\Dhmgki32.exe N/A
File created C:\Windows\SysWOW64\Dknpmdfc.exe C:\Windows\SysWOW64\Dhmgki32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dknpmdfc.exe C:\Windows\SysWOW64\Dhmgki32.exe N/A
File created C:\Windows\SysWOW64\Cjpckf32.exe C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhfajjoj.exe C:\Windows\SysWOW64\Cjbpaf32.exe N/A
File created C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\SysWOW64\Dejacond.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfnjafap.exe C:\Windows\SysWOW64\Ddonekbl.exe N/A
File created C:\Windows\SysWOW64\Dhmgki32.exe C:\Windows\SysWOW64\Dfnjafap.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjbpaf32.exe C:\Windows\SysWOW64\Cmnpgb32.exe N/A
File created C:\Windows\SysWOW64\Dejacond.exe C:\Windows\SysWOW64\Dhfajjoj.exe N/A
File created C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Dknpmdfc.exe N/A
File created C:\Windows\SysWOW64\Hpnkaj32.dll C:\Windows\SysWOW64\Dhfajjoj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\SysWOW64\Dejacond.exe N/A
File created C:\Windows\SysWOW64\Fpdaoioe.dll C:\Windows\SysWOW64\Dfnjafap.exe N/A
File created C:\Windows\SysWOW64\Kngpec32.dll C:\Windows\SysWOW64\Dknpmdfc.exe N/A
File created C:\Windows\SysWOW64\Cmnpgb32.exe C:\Windows\SysWOW64\Cjpckf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmnpgb32.exe C:\Windows\SysWOW64\Cjpckf32.exe N/A
File created C:\Windows\SysWOW64\Dfnjafap.exe C:\Windows\SysWOW64\Ddonekbl.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhmgki32.exe C:\Windows\SysWOW64\Dfnjafap.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Dknpmdfc.exe N/A
File created C:\Windows\SysWOW64\Dhfajjoj.exe C:\Windows\SysWOW64\Cjbpaf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dejacond.exe C:\Windows\SysWOW64\Dhfajjoj.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjpckf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmllipeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dejacond.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhmgki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmnpgb32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dejacond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll" C:\Windows\SysWOW64\Cjpckf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll" C:\Windows\SysWOW64\Dejacond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll" C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll" C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhmgki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dejacond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhmgki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll" C:\Windows\SysWOW64\Dhmgki32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddonekbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll" C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll" C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll" C:\Windows\SysWOW64\Dfnjafap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cjpckf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjpckf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
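
The rows above all touch one CLSID, and its InProcServer32 default value is pointed at a different freshly dropped SysWow64 DLL by each executable in the chain; a CLSID's in-process server is loaded by whatever host later resolves that CLSID, so every one of those DLL paths is an on-disk artefact worth hunting for. The report does not print registry rows in chronological order, so nothing here assumes the last row wins. Below is an added Python example, not part of the sandbox report, that parses rows in exactly this shape, restores the real paths from the doubled backslashes the report prints inside quoted string data, correlates CLSID to DLL to writing process, and flags a CLSID whose server is rewritten more than once. The six embedded rows are copied from the table above as constructed sample input; the regexes and function names are my own.

```python
"""Correlate sandbox registry rows into COM InProcServer32 hijack indicators."""
import re
from collections import defaultdict

# Constructed sample input: six rows copied in the exact shape the report prints,
# including the doubled backslashes it uses inside quoted string data.
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll" C:\Windows\SysWOW64\Cjpckf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll" C:\Windows\SysWOW64\Dejacond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll" C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dejacond.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe N/A
'''

# One report row: <op> <registry path> [= "<data>"] <writing process> <target>
ROW_RE = re.compile(
    r'^(?P<op>Key created|Set value \([a-z]+\))\s+'
    r'(?P<path>\\REGISTRY\\\S*?)'
    r'(?:\s=\s"(?P<data>[^"]*)")?'
    r'\s+(?P<process>\S+)\s+(?P<target>\S+)$'
)
# Path of a CLSID's InProcServer32 *default* value (trailing backslash, no value name).
INPROC_DEFAULT_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32\\$', re.I)


def parse_rows(text):
    """Parse report rows; lines that do not match the row shape are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def unescape(data):
    """The report prints string data with doubled backslashes; restore real paths."""
    return data.replace('\\\\', '\\')


def inprocserver_targets(rows):
    """Map CLSID -> {dll path -> [processes that wrote it]} from default-value writes."""
    out = defaultdict(lambda: defaultdict(list))
    for r in rows:
        if r['data'] is None:          # 'Key created' rows carry no data
            continue
        m = INPROC_DEFAULT_RE.search(r['path'])
        if m:
            out[m.group(1).upper()][unescape(r['data'])].append(r['process'])
    return {clsid: dict(dlls) for clsid, dlls in out.items()}


def hunt_paths(rows):
    """Every DLL path registered as a COM server: the on-disk artefacts to look for."""
    return sorted(dll for dlls in inprocserver_targets(rows).values() for dll in dlls)


def findings(rows):
    """Flag a CLSID whose in-process server is re-pointed at more than one DLL."""
    notes = []
    for clsid, dlls in inprocserver_targets(rows).items():
        writers = {p for procs in dlls.values() for p in procs}
        if len(dlls) > 1:
            notes.append(f'{clsid}: InProcServer32 rewritten to {len(dlls)} different DLLs '
                         f'by {len(writers)} distinct processes')
    return notes


if __name__ == '__main__':
    parsed = parse_rows(SAMPLE_ROWS)
    for note in findings(parsed):
        print(note)
    for path in hunt_paths(parsed):
        print('hunt:', path)
```

Feed the full table to `parse_rows` to get every dropped DLL name at once; `hunt_paths` is then the list to check for on a suspect host, and an existing, unsigned file at any of those paths is a strong signal even if the registry value has since been rewritten to a different name.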

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1428 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe C:\Windows\SysWOW64\Cjpckf32.exe
PID 1428 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe C:\Windows\SysWOW64\Cjpckf32.exe
PID 1428 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe C:\Windows\SysWOW64\Cjpckf32.exe
PID 1828 wrote to memory of 2484 N/A C:\Windows\SysWOW64\Cjpckf32.exe C:\Windows\SysWOW64\Cmnpgb32.exe
PID 1828 wrote to memory of 2484 N/A C:\Windows\SysWOW64\Cjpckf32.exe C:\Windows\SysWOW64\Cmnpgb32.exe
PID 1828 wrote to memory of 2484 N/A C:\Windows\SysWOW64\Cjpckf32.exe C:\Windows\SysWOW64\Cmnpgb32.exe
PID 2484 wrote to memory of 4964 N/A C:\Windows\SysWOW64\Cmnpgb32.exe C:\Windows\SysWOW64\Cjbpaf32.exe
PID 2484 wrote to memory of 4964 N/A C:\Windows\SysWOW64\Cmnpgb32.exe C:\Windows\SysWOW64\Cjbpaf32.exe
PID 2484 wrote to memory of 4964 N/A C:\Windows\SysWOW64\Cmnpgb32.exe C:\Windows\SysWOW64\Cjbpaf32.exe
PID 4964 wrote to memory of 4928 N/A C:\Windows\SysWOW64\Cjbpaf32.exe C:\Windows\SysWOW64\Dhfajjoj.exe
PID 4964 wrote to memory of 4928 N/A C:\Windows\SysWOW64\Cjbpaf32.exe C:\Windows\SysWOW64\Dhfajjoj.exe
PID 4964 wrote to memory of 4928 N/A C:\Windows\SysWOW64\Cjbpaf32.exe C:\Windows\SysWOW64\Dhfajjoj.exe
PID 4928 wrote to memory of 4580 N/A C:\Windows\SysWOW64\Dhfajjoj.exe C:\Windows\SysWOW64\Dejacond.exe
PID 4928 wrote to memory of 4580 N/A C:\Windows\SysWOW64\Dhfajjoj.exe C:\Windows\SysWOW64\Dejacond.exe
PID 4928 wrote to memory of 4580 N/A C:\Windows\SysWOW64\Dhfajjoj.exe C:\Windows\SysWOW64\Dejacond.exe
PID 4580 wrote to memory of 2060 N/A C:\Windows\SysWOW64\Dejacond.exe C:\Windows\SysWOW64\Ddonekbl.exe
PID 4580 wrote to memory of 2060 N/A C:\Windows\SysWOW64\Dejacond.exe C:\Windows\SysWOW64\Ddonekbl.exe
PID 4580 wrote to memory of 2060 N/A C:\Windows\SysWOW64\Dejacond.exe C:\Windows\SysWOW64\Ddonekbl.exe
PID 2060 wrote to memory of 3836 N/A C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\SysWOW64\Dfnjafap.exe
PID 2060 wrote to memory of 3836 N/A C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\SysWOW64\Dfnjafap.exe
PID 2060 wrote to memory of 3836 N/A C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\SysWOW64\Dfnjafap.exe
PID 3836 wrote to memory of 804 N/A C:\Windows\SysWOW64\Dfnjafap.exe C:\Windows\SysWOW64\Dhmgki32.exe
PID 3836 wrote to memory of 804 N/A C:\Windows\SysWOW64\Dfnjafap.exe C:\Windows\SysWOW64\Dhmgki32.exe
PID 3836 wrote to memory of 804 N/A C:\Windows\SysWOW64\Dfnjafap.exe C:\Windows\SysWOW64\Dhmgki32.exe
PID 804 wrote to memory of 3676 N/A C:\Windows\SysWOW64\Dhmgki32.exe C:\Windows\SysWOW64\Dknpmdfc.exe
PID 804 wrote to memory of 3676 N/A C:\Windows\SysWOW64\Dhmgki32.exe C:\Windows\SysWOW64\Dknpmdfc.exe
PID 804 wrote to memory of 3676 N/A C:\Windows\SysWOW64\Dhmgki32.exe C:\Windows\SysWOW64\Dknpmdfc.exe
PID 3676 wrote to memory of 3116 N/A C:\Windows\SysWOW64\Dknpmdfc.exe C:\Windows\SysWOW64\Dmllipeg.exe
PID 3676 wrote to memory of 3116 N/A C:\Windows\SysWOW64\Dknpmdfc.exe C:\Windows\SysWOW64\Dmllipeg.exe
PID 3676 wrote to memory of 3116 N/A C:\Windows\SysWOW64\Dknpmdfc.exe C:\Windows\SysWOW64\Dmllipeg.exe
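
Read as a graph, the rows above are a strictly linear chain: every process writes into exactly one child, three times, and never into any other process, from the submitted sample (PID 1428) down to Dmllipeg.exe (PID 3116). The report gives no detail of what was written, so nothing beyond the write count should be inferred from these rows alone; the Files section below, however, lists the same 0x400000-0x433000 image range for every PID in the chain even though each dropped file has a different hash, and the Processes list shows WerFault being launched against PID 3116, which is the last link. Below is an added Python example, not part of the sandbox report, that parses rows of this shape, counts writes per parent/child edge, walks the chain while stopping at any fork or cycle so a branching tree is not misreported as a chain, and joins the terminal PID with WerFault's -p argument (the faulting process ID) to confirm that it was the final stage that crashed. The sample input is constructed from the table: the first edge keeps its three rows, the remaining edges are reduced to one row each to keep the block short; the two WerFault command lines are copied from the Processes list; the regexes and function names are my own.

```python
"""Rebuild the launch chain from the report's WriteProcessMemory rows."""
import re
from collections import Counter, defaultdict

# Constructed sample input. The first edge keeps the three rows the report shows
# for every parent/child pair; the other edges are reduced to one row each.
SAMPLE_WRITES = r'''
PID 1428 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe C:\Windows\SysWOW64\Cjpckf32.exe
PID 1428 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe C:\Windows\SysWOW64\Cjpckf32.exe
PID 1428 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe C:\Windows\SysWOW64\Cjpckf32.exe
PID 1828 wrote to memory of 2484 N/A C:\Windows\SysWOW64\Cjpckf32.exe C:\Windows\SysWOW64\Cmnpgb32.exe
PID 2484 wrote to memory of 4964 N/A C:\Windows\SysWOW64\Cmnpgb32.exe C:\Windows\SysWOW64\Cjbpaf32.exe
PID 4964 wrote to memory of 4928 N/A C:\Windows\SysWOW64\Cjbpaf32.exe C:\Windows\SysWOW64\Dhfajjoj.exe
PID 4928 wrote to memory of 4580 N/A C:\Windows\SysWOW64\Dhfajjoj.exe C:\Windows\SysWOW64\Dejacond.exe
PID 4580 wrote to memory of 2060 N/A C:\Windows\SysWOW64\Dejacond.exe C:\Windows\SysWOW64\Ddonekbl.exe
PID 2060 wrote to memory of 3836 N/A C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\SysWOW64\Dfnjafap.exe
PID 3836 wrote to memory of 804 N/A C:\Windows\SysWOW64\Dfnjafap.exe C:\Windows\SysWOW64\Dhmgki32.exe
PID 804 wrote to memory of 3676 N/A C:\Windows\SysWOW64\Dhmgki32.exe C:\Windows\SysWOW64\Dknpmdfc.exe
PID 3676 wrote to memory of 3116 N/A C:\Windows\SysWOW64\Dknpmdfc.exe C:\Windows\SysWOW64\Dmllipeg.exe
'''
# The two WerFault command lines from the Processes list; -p names the faulting PID.
SAMPLE_CMDLINES = [
    r'C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3116 -ip 3116',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 396',
]

WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A '
                    r'(?P<src_img>\S+) (?P<dst_img>\S+)$')
WERFAULT_RE = re.compile(r'WerFault\.exe .*?-p (?P<pid>\d+)')


def parse_writes(text):
    """One dict per row: source PID/image and destination PID/image."""
    writes = []
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            d = m.groupdict()
            writes.append({'src': int(d['src']), 'dst': int(d['dst']),
                           'src_img': d['src_img'], 'dst_img': d['dst_img']})
    return writes


def write_counts(writes):
    """How many times each parent wrote into each child."""
    return Counter((w['src'], w['dst']) for w in writes)


def build_chain(writes, root):
    """Walk src->dst edges from root while each process has exactly one child.
    Stops at a fork or a cycle so a branching tree is not misreported as a chain."""
    children, images = defaultdict(set), {}
    for w in writes:
        children[w['src']].add(w['dst'])
        images[w['src']], images[w['dst']] = w['src_img'], w['dst_img']
    chain, seen, cur = [root], {root}, root
    while len(children[cur]) == 1:
        nxt = next(iter(children[cur]))
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt
    return [(pid, images.get(pid, '?')) for pid in chain]


def crashed_pids(cmdlines):
    """PIDs that Windows Error Reporting was invoked for (the -p argument)."""
    return sorted({int(m.group('pid')) for m in map(WERFAULT_RE.search, cmdlines) if m})


def summarize(writes, cmdlines, root):
    chain = build_chain(writes, root)
    return {
        'stages': len(chain),
        'terminal': chain[-1],
        'terminal_crashed': chain[-1][0] in crashed_pids(cmdlines),
        'max_writes_per_edge': max(write_counts(writes).values()),
    }


if __name__ == '__main__':
    report = summarize(parse_writes(SAMPLE_WRITES), SAMPLE_CMDLINES, 1428)
    for key, value in report.items():
        print(f'{key}: {value}')
```

`build_chain` deliberately refuses to guess past a fork; a sample that spawns two children at one stage would show up as a short chain plus unvisited edges, which is the cue to render the tree instead.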

Processes

C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe

"C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe"

C:\Windows\SysWOW64\Cjpckf32.exe

C:\Windows\system32\Cjpckf32.exe

C:\Windows\SysWOW64\Cmnpgb32.exe

C:\Windows\system32\Cmnpgb32.exe

C:\Windows\SysWOW64\Cjbpaf32.exe

C:\Windows\system32\Cjbpaf32.exe

C:\Windows\SysWOW64\Dhfajjoj.exe

C:\Windows\system32\Dhfajjoj.exe

C:\Windows\SysWOW64\Dejacond.exe

C:\Windows\system32\Dejacond.exe

C:\Windows\SysWOW64\Ddonekbl.exe

C:\Windows\system32\Ddonekbl.exe

C:\Windows\SysWOW64\Dfnjafap.exe

C:\Windows\system32\Dfnjafap.exe

C:\Windows\SysWOW64\Dhmgki32.exe

C:\Windows\system32\Dhmgki32.exe

C:\Windows\SysWOW64\Dknpmdfc.exe

C:\Windows\system32\Dknpmdfc.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3116 -ip 3116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 396

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/1428-0-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1428-1-0x0000000000431000-0x0000000000432000-memory.dmp

memory/1828-9-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cjpckf32.exe

MD5 dd05e32fc15d7f926df8e652f8f603fe
SHA1 a0f834b14cebde502f49e809df756ae699bd40fd
SHA256 db628b54a00fe778912e20b782533d36b7b5bcb36c9356f4ce0296990c8cfd1f
SHA512 0026809a06c5ff8c02473b30eb7313f60bcddd5b44c51d82b514cca436753c9d11212a22ca1492c20f492f480562c019129c83d12890c8e69b9343ffa3f4d994

memory/2484-16-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Cmnpgb32.exe

MD5 14739f26ce659f15b463a303e7802490
SHA1 8be1e29adc041d36126c716801fe36359328694b
SHA256 5be20caa50de0b82aeebd25c5482b0192bcdc6db55ea0b0c4a23c5ef054cb5c9
SHA512 12b9a39bb189e060f4ab8cc8c87be8702d43aa5fa44a6371c2dd7081e42907fb273ce5290dd2f9e804d76c38ebec0dbb67f93a2d677ee1789738c8c01a6fb663

C:\Windows\SysWOW64\Cjbpaf32.exe

MD5 0fd65424693ee89a0575074802983033
SHA1 e23c50c4fb41f08f94450c79663e4a3d645b346d
SHA256 86f4648e3ad7367875b070618f99c5796f4c7aed3187b5ae479aced1eaa8e1a8
SHA512 bf967b9b12d2445ee65d7e435ae278f1ccb59cfa486fb47f51ce4d5974262653e552db3ee0c5e90a16d437bd8864501c77fa187926e816fcce498eb0a2d7989c

memory/4964-24-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dhfajjoj.exe

MD5 b55cfc59ea752dca727da5e972afaea3
SHA1 b32f6c3817ef07e87fb6779aa8900a1a78b4f533
SHA256 1ba49d67128b0877c60ce3ab4948f578ea35f9727208dcc2c80b3f0e97ed9ae3
SHA512 dc31ec8d4296e767a8322a66de3b7fbe6d75118fc6893928befcd29d9c8cfd4f2d9efc68758fc59900715fcd101a91797c36bc7c8257b27f945dc8648287322d

memory/4928-32-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dejacond.exe

MD5 eb12302d512caab91f8e68f4a5b1e729
SHA1 0f8660ba2ba288f5049b882b0250853022e2bb45
SHA256 645f10af7a6412f9c2b7db8cedcaf102e61e903bf8837347c067b124e7d7cb10
SHA512 35d9660303d123a99db1dc10efd9ab4778cfe96430cecaba32e67a5ad16e0883905fda4f7369570391669d5f9a5296cf9b634965105f2a493ec1a82398681a7e

memory/4580-41-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Ddonekbl.exe

MD5 adbd4eecab755b30eadeae58958c9c53
SHA1 9d7e035d2443b2a714d4dbcb2d8096982433c69a
SHA256 5f0845d62c47e447837ccdcfb971e4ea3664f0fd56ae5db31de86815e64cc597
SHA512 f4cb2e194659a852507648687b4ef2fa3aeb1344e153d5d73eb639fcecf3a48f3410219c17fe13921ad2c70f7508776c509926fc0587fc3177191ec17f9e0c8b

memory/2060-49-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dfnjafap.exe

MD5 c0f38a7a05bb99495647d46a13406869
SHA1 01169263fd43a81fd85ea345470f88ebc8468349
SHA256 96ea1ad0a345ea40f686e9c73e45e7f5d01d6a511f2f65a868b0e319b8be2c4d
SHA512 80214ed320875987eccd6c12cd562883697252d5891570634b2f8cafc25820496d6fc4f9b2ac531128384b8a26ec6314ed4ad46bf66c6a7f648618253e568aa0

memory/3836-56-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dhmgki32.exe

MD5 6ff6fde0109989034a552cf271846bb0
SHA1 45360b4e7651c52b77bb706ad71da0d68133972e
SHA256 fd77e6f0c4dda1102e8d2530e709dd4f480695df07f5e7288a7b99ccd42ba190
SHA512 656de7896cb3c26c9dfb1d26b480d7f4ac7b96ebc2c8e4815d9bae46de0e8a36137ed352a8a7f2d40780deed3176e609f87f8de50f5303a07c5c3f79099c5982

memory/804-64-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dknpmdfc.exe

MD5 5a4cd14951e30219eaa39a9ba4659e40
SHA1 2a3393c355f3dce72ea2de8b656759178d9926ea
SHA256 19f9cbd5ca440147aa464debfba7c97b55eca24b6d7887165d0866309b6b8f77
SHA512 c1fdb70bba0b0f52dbaa8a09cf7a4f0af1074c5f5d1cd9715b3dc412fd6782d6ffcaf0ce92621fa4f7464ae0bb241e7702374b9c51bb255143931bc3c3a0d2b3

memory/3676-72-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\Dmllipeg.exe

MD5 b1fdf715cf14af037acac051e4f89c17
SHA1 031c9f2478713078c709b864fae23d5a1868a06f
SHA256 d86625df6c92abd1def9fef79f2fca39c8d6d5a11ce1c40cb24c3a84773b263e
SHA512 f90a40d8ea383c4cf148df121a21ffcd53d3a79c4cab9ac5e253f46e5959a8e14fce20c758483e81befe5eae4877883331afac0868f8fc8856dc0e6fb2312284

memory/3116-81-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3676-84-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3836-88-0x0000000000400000-0x0000000000433000-memory.dmp

memory/804-86-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4580-92-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1828-100-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1428-101-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2484-98-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4964-96-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4928-94-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2060-90-0x0000000000400000-0x0000000000433000-memory.dmp