Malware Analysis Report

2024-11-15 10:39

Sample ID 241110-bkwrpswerd
Target a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec
SHA256 a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec
Tags berbew backdoor discovery persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis Overview

Score 10/10

SHA256 a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec

Threat Level: Known bad

The file a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Berbew family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-10 01:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-10 01:12
Reported 2024-11-10 01:15
Platform win10v2004-20241007-en
Max time kernel 92s
Max time network 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE


Drops file in System32 directory


Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Cakiohmo.exe

System Location Discovery: System Language Discovery

discovery

Modifies registry class

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nehjagbo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfhdmdld.dll" C:\Windows\SysWOW64\Amhdab32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ambgha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhobfed.dll" C:\Windows\SysWOW64\Phcopoib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqfeclf.dll" C:\Windows\SysWOW64\Ccjlfi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkpelm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Infapela.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Emlllk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kfbkbpjl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fejlmniq.dll" C:\Windows\SysWOW64\Nhiccb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cpklee32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kpkple32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mopnaq32.dll" C:\Windows\SysWOW64\Kbpbhp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ocmjlpfa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pfgfdikg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkafloa.dll" C:\Windows\SysWOW64\Chhdlhfe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfociegn.dll" C:\Windows\SysWOW64\Eecdmi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Egdqdagb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ifdoaa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ocopgiac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lpfogcfo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Acdbifok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pgplnmib.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aceidl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmpjpg32.dll" C:\Windows\SysWOW64\Ajoaqfjc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehfbi32.dll" C:\Windows\SysWOW64\Fdmjidaf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jelihn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jlmgegjf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aakfcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcopp32.dll" C:\Windows\SysWOW64\Cfedbomi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Eaekgjjn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhfqh32.dll" C:\Windows\SysWOW64\Jpffqfdb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kbilhq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qhghkn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mpjlngje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelidm32.dll" C:\Windows\SysWOW64\Gamjngfc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1132 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe C:\Windows\SysWOW64\Lfckdcoe.exe
PID 1648 wrote to memory of 632 N/A C:\Windows\SysWOW64\Lfckdcoe.exe C:\Windows\SysWOW64\Libgpooi.exe
PID 632 wrote to memory of 2540 N/A C:\Windows\SysWOW64\Libgpooi.exe C:\Windows\SysWOW64\Lmppfm32.exe
PID 2540 wrote to memory of 4352 N/A C:\Windows\SysWOW64\Lmppfm32.exe C:\Windows\SysWOW64\Ldjhcgll.exe
PID 4352 wrote to memory of 4872 N/A C:\Windows\SysWOW64\Ldjhcgll.exe C:\Windows\SysWOW64\Lekekp32.exe
PID 4872 wrote to memory of 4164 N/A C:\Windows\SysWOW64\Lekekp32.exe C:\Windows\SysWOW64\Lpqihhbp.exe
PID 4164 wrote to memory of 1368 N/A C:\Windows\SysWOW64\Lpqihhbp.exe C:\Windows\SysWOW64\Memapppg.exe
PID 1368 wrote to memory of 940 N/A C:\Windows\SysWOW64\Memapppg.exe C:\Windows\SysWOW64\Mpcenhpn.exe
PID 940 wrote to memory of 3492 N/A C:\Windows\SysWOW64\Mpcenhpn.exe C:\Windows\SysWOW64\Mgmnjb32.exe
PID 3492 wrote to memory of 2760 N/A C:\Windows\SysWOW64\Mgmnjb32.exe C:\Windows\SysWOW64\Mmgfgl32.exe
PID 2760 wrote to memory of 224 N/A C:\Windows\SysWOW64\Mmgfgl32.exe C:\Windows\SysWOW64\Mccooc32.exe
PID 224 wrote to memory of 3152 N/A C:\Windows\SysWOW64\Mccooc32.exe C:\Windows\SysWOW64\Mebkko32.exe
PID 3152 wrote to memory of 5104 N/A C:\Windows\SysWOW64\Mebkko32.exe C:\Windows\SysWOW64\Mgageace.exe
PID 5104 wrote to memory of 1684 N/A C:\Windows\SysWOW64\Mgageace.exe C:\Windows\SysWOW64\Mpjlngje.exe
PID 1684 wrote to memory of 4240 N/A C:\Windows\SysWOW64\Mpjlngje.exe C:\Windows\SysWOW64\Mgddka32.exe
PID 4240 wrote to memory of 1504 N/A C:\Windows\SysWOW64\Mgddka32.exe C:\Windows\SysWOW64\Mplhdghc.exe
PID 1504 wrote to memory of 1620 N/A C:\Windows\SysWOW64\Mplhdghc.exe C:\Windows\SysWOW64\Ngfqqa32.exe
PID 1620 wrote to memory of 3104 N/A C:\Windows\SysWOW64\Ngfqqa32.exe C:\Windows\SysWOW64\Nnpimkfl.exe
PID 3104 wrote to memory of 1292 N/A C:\Windows\SysWOW64\Nnpimkfl.exe C:\Windows\SysWOW64\Ncmaeb32.exe
PID 1292 wrote to memory of 1964 N/A C:\Windows\SysWOW64\Ncmaeb32.exe C:\Windows\SysWOW64\Nnbebk32.exe
PID 1964 wrote to memory of 4904 N/A C:\Windows\SysWOW64\Nnbebk32.exe C:\Windows\SysWOW64\Ngkjlpkj.exe
PID 4904 wrote to memory of 456 N/A C:\Windows\SysWOW64\Ngkjlpkj.exe C:\Windows\SysWOW64\Njifhljn.exe

Processes


C:\Windows\system32\Oibbcdnh.exe

C:\Windows\SysWOW64\Opljpn32.exe

C:\Windows\system32\Opljpn32.exe

C:\Windows\SysWOW64\Ogfcmhma.exe

C:\Windows\system32\Ogfcmhma.exe

C:\Windows\SysWOW64\Oidoidle.exe

C:\Windows\system32\Oidoidle.exe

C:\Windows\SysWOW64\Olbkeoki.exe

C:\Windows\system32\Olbkeoki.exe

C:\Windows\SysWOW64\Oghpbh32.exe

C:\Windows\system32\Oghpbh32.exe

C:\Windows\SysWOW64\Ojgloc32.exe

C:\Windows\system32\Ojgloc32.exe

C:\Windows\SysWOW64\Olehko32.exe

C:\Windows\system32\Olehko32.exe

C:\Windows\SysWOW64\Ocopgiac.exe

C:\Windows\system32\Ocopgiac.exe

C:\Windows\SysWOW64\Pemlcdpf.exe

C:\Windows\system32\Pemlcdpf.exe

C:\Windows\SysWOW64\Plgdpo32.exe

C:\Windows\system32\Plgdpo32.exe

C:\Windows\SysWOW64\Pofalj32.exe

C:\Windows\system32\Pofalj32.exe

C:\Windows\SysWOW64\Pgminggi.exe

C:\Windows\system32\Pgminggi.exe

C:\Windows\SysWOW64\Pljafneq.exe

C:\Windows\system32\Pljafneq.exe

C:\Windows\SysWOW64\Pohnbjdd.exe

C:\Windows\system32\Pohnbjdd.exe

C:\Windows\SysWOW64\Pgoecgef.exe

C:\Windows\system32\Pgoecgef.exe

C:\Windows\SysWOW64\Pfbfod32.exe

C:\Windows\system32\Pfbfod32.exe

C:\Windows\SysWOW64\Phqbko32.exe

C:\Windows\system32\Phqbko32.exe

C:\Windows\SysWOW64\Pgabig32.exe

C:\Windows\system32\Pgabig32.exe

C:\Windows\SysWOW64\Phcopoib.exe

C:\Windows\system32\Phcopoib.exe

C:\Windows\SysWOW64\Plnkan32.exe

C:\Windows\system32\Plnkan32.exe

C:\Windows\SysWOW64\Pgdonf32.exe

C:\Windows\system32\Pgdonf32.exe

C:\Windows\SysWOW64\Pjbkjb32.exe

C:\Windows\system32\Pjbkjb32.exe

C:\Windows\SysWOW64\Pplcglgb.exe

C:\Windows\system32\Pplcglgb.exe

C:\Windows\SysWOW64\Qgfldf32.exe

C:\Windows\system32\Qgfldf32.exe

C:\Windows\SysWOW64\Qhghkn32.exe

C:\Windows\system32\Qhghkn32.exe

C:\Windows\SysWOW64\Qqopml32.exe

C:\Windows\system32\Qqopml32.exe

C:\Windows\SysWOW64\Qcmlig32.exe

C:\Windows\system32\Qcmlig32.exe

C:\Windows\SysWOW64\Qjgdealp.exe

C:\Windows\system32\Qjgdealp.exe

C:\Windows\SysWOW64\Qleaamkc.exe

C:\Windows\system32\Qleaamkc.exe

C:\Windows\SysWOW64\Qodmnhjg.exe

C:\Windows\system32\Qodmnhjg.exe

C:\Windows\SysWOW64\Afnejb32.exe

C:\Windows\system32\Afnejb32.exe

C:\Windows\SysWOW64\Ahlafnag.exe

C:\Windows\system32\Ahlafnag.exe

C:\Windows\SysWOW64\Aofjch32.exe

C:\Windows\system32\Aofjch32.exe

C:\Windows\SysWOW64\Agmbde32.exe

C:\Windows\system32\Agmbde32.exe

C:\Windows\SysWOW64\Ahonlmoe.exe

C:\Windows\system32\Ahonlmoe.exe

C:\Windows\SysWOW64\Amjjml32.exe

C:\Windows\system32\Amjjml32.exe

C:\Windows\SysWOW64\Acdbifok.exe

C:\Windows\system32\Acdbifok.exe

C:\Windows\SysWOW64\Agpoje32.exe

C:\Windows\system32\Agpoje32.exe

C:\Windows\SysWOW64\Ajnkfp32.exe

C:\Windows\system32\Ajnkfp32.exe

C:\Windows\SysWOW64\Aiakammb.exe

C:\Windows\system32\Aiakammb.exe

C:\Windows\SysWOW64\Ammgblek.exe

C:\Windows\system32\Ammgblek.exe

C:\Windows\SysWOW64\Aokcngdo.exe

C:\Windows\system32\Aokcngdo.exe

C:\Windows\SysWOW64\Acfoof32.exe

C:\Windows\system32\Acfoof32.exe

C:\Windows\SysWOW64\Afekka32.exe

C:\Windows\system32\Afekka32.exe

C:\Windows\SysWOW64\Aichgm32.exe

C:\Windows\system32\Aichgm32.exe

C:\Windows\SysWOW64\Aqjphj32.exe

C:\Windows\system32\Aqjphj32.exe

C:\Windows\SysWOW64\Aompdgbl.exe

C:\Windows\system32\Aompdgbl.exe

C:\Windows\SysWOW64\Agdhedco.exe

C:\Windows\system32\Agdhedco.exe

C:\Windows\SysWOW64\Afghqa32.exe

C:\Windows\system32\Afghqa32.exe

C:\Windows\SysWOW64\Aqmlnjio.exe

C:\Windows\system32\Aqmlnjio.exe

C:\Windows\SysWOW64\Bckijehc.exe

C:\Windows\system32\Bckijehc.exe

C:\Windows\SysWOW64\Bggdkd32.exe

C:\Windows\system32\Bggdkd32.exe

C:\Windows\SysWOW64\Bjeago32.exe

C:\Windows\system32\Bjeago32.exe

C:\Windows\SysWOW64\Bmcmck32.exe

C:\Windows\system32\Bmcmck32.exe

C:\Windows\SysWOW64\Bobiof32.exe

C:\Windows\system32\Bobiof32.exe

C:\Windows\SysWOW64\Bmfjhj32.exe

C:\Windows\system32\Bmfjhj32.exe

C:\Windows\SysWOW64\Bjjjbolj.exe

C:\Windows\system32\Bjjjbolj.exe

C:\Windows\SysWOW64\Bjlggnjh.exe

C:\Windows\system32\Bjlggnjh.exe

C:\Windows\SysWOW64\Bcdkpdph.exe

C:\Windows\system32\Bcdkpdph.exe

C:\Windows\SysWOW64\Bfchlopl.exe

C:\Windows\system32\Bfchlopl.exe

C:\Windows\SysWOW64\Biadhkop.exe

C:\Windows\system32\Biadhkop.exe

C:\Windows\SysWOW64\Cqhljhob.exe

C:\Windows\system32\Cqhljhob.exe

C:\Windows\SysWOW64\Cpklee32.exe

C:\Windows\system32\Cpklee32.exe

C:\Windows\SysWOW64\Cfedbomi.exe

C:\Windows\system32\Cfedbomi.exe

C:\Windows\SysWOW64\Cjaqbn32.exe

C:\Windows\system32\Cjaqbn32.exe

C:\Windows\SysWOW64\Cakiohmo.exe

C:\Windows\system32\Cakiohmo.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7384 -ip 7384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7384 -s 236

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

SHA1 e74997978afe0b1a6b9857087a75e2abee21aa84
SHA256 d03e46aed412d5a4e1dae369af3b90491dd795dd6a07b21facbdefe9e9d4d8b2
SHA512 464f1dc9ee80103b7cc169430191806ed0738c394f7f9ebe2fdd5815dd20ebb686a2aa10321ac86fb6bae8eb4f0f159ac33dc1d01e5cbf5079fc3db2d5dfe572

C:\Windows\SysWOW64\Hdkpapgd.exe

MD5 0a68811b0498fb122b65de14415a2add
SHA1 26f58d705a814ebac7c66b5c24b4bab27a569948
SHA256 794bcc53b6343ed6c91df5ae3f19df479eb87159c3f142b6529b5ff5f57d1e18
SHA512 dd8490cf3daefaa8949276f4b7f05c567d624972c59ccf982ec639449e144666126493f411c024d31e4a2e8355a6e14ecb29a82e459f3fd1321fb2801ca8cd0e

C:\Windows\SysWOW64\Ifklkc32.exe

MD5 17982c2a3ab4125a0402c940a1be62a2
SHA1 28335160dda350aa9dda740d289b2389a87ade06
SHA256 4e418d117bc2bddb7c62da62110973c0fd06ef3b77ea1e7d8314d42df2f2d7d1
SHA512 97ad4906e0893e7d52179f058ef043cca330f86bdb2165601c437d801343d4227b7420ac994dd350f6682c8684382142996219c028f3c5a49dd32639b170675f

C:\Windows\SysWOW64\Infapela.exe

MD5 bd5f86c431d36d72fdec046bc163182b
SHA1 d8670bc207bd0f6aeda301353e88bc90e16171ce
SHA256 d2c1ad6100729e86bc0d345e947ca0a1f1da4ff9a558ce87bea870ba45759c9a
SHA512 6aa3406c4ac3dbe80d3c9874239e469fa7230737d86d6fc54e2702db06e33aa122c82325ee6925f233004e1be2c19ee5ef72a07400ad545493005a62afa71498

C:\Windows\SysWOW64\Ikjaiijk.exe

MD5 a5ebb0e04a8035cb36a49b79b26a3a66
SHA1 0b139ac27b4ea5d27da4dae56f665582d64b6be3
SHA256 e1e67798a660ee7e6f342240a7a80cf4d6d148aee2403d437c4ec92e9428f0c2
SHA512 7931cc972abeae95dfb00ac57f435cf12c7f6a3cb9806e7ee5100b1210f5270353a75bd392f69581425a57cc469bd820fabe0c8248399099a7537e3d14634df0

C:\Windows\SysWOW64\Ikagjh32.exe

MD5 b336fe3c2201e2ac0d64c7699a718841
SHA1 c5848d2309302f094037dd6fe652dce7d9320f5a
SHA256 9db3f067bf3b93dd11c11550277f7692b0b531c0fd9bdd2002222bd900e5274a
SHA512 fbc71cd01f9ebb2c7e68c57b4ccd19b21b9d497f026ac9164354cc7f46100dc95b11643650233ba1e6fabf3244b161eafbf993203afede445d44192758c79982

C:\Windows\SysWOW64\Jooppg32.exe

MD5 d89e305db56d3bfb1c1d82e36836190e
SHA1 95c27dd07d1ae97e09815cfe0ce3c72be0124d4a
SHA256 efe43ad8751c5f516a4f4c1a3bb738f8be8a62f294d4ec391566b957fd8f11e2
SHA512 5c655143fcea4e2b6ca76c51a0bdf88cbf30e35c3d5e1e14acbdfca6212d89ed9fbe49aa4193e4eb70ddeccb069820fe98b88acb2112adc26cdfd53fd380c5cd

C:\Windows\SysWOW64\Jbpiab32.exe

MD5 fd051ffdbb8d613b241dd01205c8c1fd
SHA1 52772c9101c3a9c1e3807862821c4eecbd41f43e
SHA256 752592f21e55c5e0ff88688acc67843c77a86150e88e886f2664cabfded74dce
SHA512 cc1dabc45cd307a60796a96a2616c5d5f3b76a80d4b89a80685819bea3a92e4bee766daf4dea87f8b28bcc3f42444b1493055f3f21e5b477523428189aaee538

C:\Windows\SysWOW64\Kpkple32.exe

MD5 2d82a8618571d15a66c651a798143c31
SHA1 628df891edd59cf829ed1febb78cbaf6bcbd379a
SHA256 45214c90418476b100f0d1391871e397a8d262fac93998001cd9147b0c32700a
SHA512 012fa3bf0c390be6928fbd0c3591f9fdb763fa528aaf76e9bf77f27a6a3381c1382cedbf7826deb974d1015daa5e13ecc461bcf66e178dbea339474803fbe5c9

C:\Windows\SysWOW64\Klapqf32.exe

MD5 d2173df03bbb1822c3de010644e961e5
SHA1 09e3fb4d40f630e3a15ea4c448f62b1dfeeab6f2
SHA256 ce4ec18300e774eaad5fc7bb226b8c8c23885e0535e4bb4053885917130123ab
SHA512 9e2e706ed8565fb61bcda8defa76bdfe356c1f21faff8d174edfcbe3bb2f9dcf0d0b86d845c5a1bfdd071e7039d51dd53b28fe115883760267a04796736c2a48

C:\Windows\SysWOW64\Kieajj32.exe

MD5 8a1c2821c33f907cc483ac121076928e
SHA1 be2160f8770cc46994bd83c8fc00008e098f6755
SHA256 d3c8dcc85187fab4be8835cda6a1c77e8434bcc65ada5659a146465be7a82f5a
SHA512 3edbc6ae81fc1dfd4c03e9bf9393627e62898618f802fb37851e58cffee2fdf1374af0665d2dc81b980f179c1fba570fa17bb6533089a979a38fed16fca4860e

C:\Windows\SysWOW64\Kbpbhp32.exe

MD5 02a17c971ddf47313ff2d75c14d7f594
SHA1 c66ed50c2f3499ce9072d0ebc26f4f5356d9c567
SHA256 0e4f016c6c38361cd206072bb553bf5826f6e9df7a581105808b3de537440854
SHA512 2fa4e55fddadc65367d84fac1a2983beff06e75c38b98e3b55ea74a09e065a2fb9001fc87544dfa8afe4615fa8a821573997201c0228ac660fb8b747e5f56f89

C:\Windows\SysWOW64\Llhfaepi.exe

MD5 44828501754de925d86b412907f64857
SHA1 66b4f2133a4dd8655cd572e008167c7d20f54252
SHA256 757195bc99be460d9484ede677dd88c67f047ecc204c878d6879253a70050155
SHA512 6d92baba2e63c761d2bc9b04565ed5ce25ffaffde26e6735171504b8444834b975db75172c3cc0183591273186dff16abee501b32641afea1895bda1af2d2e64

C:\Windows\SysWOW64\Lpfogcfo.exe

MD5 8a7b273bdc77b8c885d5a2f7bbd7b2f4
SHA1 8db03d3ddf429d7bea5e43ec5e6e01c111234394
SHA256 b29ddbf5cc4bda7945996eaee1c1083b3b192caa8407e089024c4476d782d924
SHA512 411abf5a0e541d524caa9726a986da2d461df76d1a82651bcd2ddfcf34afe19b568160f3710b1ae69f44dbb6be321356651b7646970ae4d27d64cb0720e9dfc3

C:\Windows\SysWOW64\Llbigdhn.exe

MD5 91a3530c9c84a2c7755d70911195dffc
SHA1 243e908c110708797eb573f78b19c01149916360
SHA256 82bb958e11c6c3f5bbaf88d11a05604009bc778dc88d10673e882c7dc9085cf3
SHA512 51134fe877f75b10ea8148591e32e9255586e196618b50351295e735a40bdf90a4caed726a19460a565bf8d6603bc46eed7e60a58e0fef55de8609dd507cd7a1

C:\Windows\SysWOW64\Mbnnjnmh.exe

MD5 510b26da96a8d25961ebbd8432976b86
SHA1 9a5e4a8cf9886de9e76a7b98ccd328794fd81b08
SHA256 a6f2f3d5de622ebc9d5ec7a5600ea786d3354293ef1c5af6aab7a11c4e5510b6
SHA512 fe2e944b10a8ef63a0508283a60492fec89b5208cc4e2fb69020f037f6c78b05b0ea1676f6af8b08ef32d8df2b8b184b5eb7497e3739ae0bac85929b4d734de6

C:\Windows\SysWOW64\Mimpagqp.exe

MD5 f1644762b4cfeafb03bfa03828cffdfd
SHA1 cd2ca68394c7e2f8938676a1eb66bf9f4e33204d
SHA256 0ef7004f41411ceb4d674770de11d14344250c66e7a72a4077bbec0e61518e9c
SHA512 b17916532e220aef6a2f42e1e99f306f42edc8a70f392286106fc2c8562f9802a5a30f61959cd70a01dc2febcf35e0a58571b41c95c07eecf310fac4a3becac8

C:\Windows\SysWOW64\Mecqfh32.exe

MD5 dfb54b82b4506a48a6973d3bfd5791ce
SHA1 d41490faa68ed2716c34da47ce7c3891681e72e1
SHA256 e789981c337ca20d5f126e19c9c7c8645980c1b8e441ad2fc764ceeff96d6ce7
SHA512 3eeadcdb07de4b399dfae7c4b0d38c4918553c9dc5128e7accbb92516f8e96a4516546c5a126ca13b6382830152dc45fb2f3fe0078a21b153fb206f14225fdba

C:\Windows\SysWOW64\Nhdjhcce.exe

MD5 7cab8ba0e06b527b5f274851e72c6caf
SHA1 663fdc85bbf13eb8a01923cba9e5ee23a13ad4b5
SHA256 03b7ac6c0bfb007737cd403c3fb6fab21a44044009c0464282f2d472edb1dd50
SHA512 166bb71e5f9d83227b4781e0051dca6c09b5fca5f43e0dd6b15dbe45fe481b363bf62aa3ea41a663300b9c3796e43733ee6e6621e8caef97a35127ec857aa173

C:\Windows\SysWOW64\Nehjagbo.exe

MD5 b189f7555ac59b679350f2880cbebcec
SHA1 1cf001c379702f6e61bd783af73fabe367142aae
SHA256 ca1fe06db925af97d448c2e02f39063a5aa7fd6409ea05f3125f9bda24bcccca
SHA512 f5729104f7b54290da003dbd01292a5ee4864bfd52c0bf92eff2931dce9ac39c4c4026f04dce95822bf671bc43c4306ffef6c4b579cdf5b1e38d6c54eb2eaf0a

C:\Windows\SysWOW64\Nghflj32.exe

MD5 d3620609c6cf43b2dd670b05ce727c90
SHA1 42c5b9e4def67d1f197e2445ebe68f0f40fb3eb1
SHA256 6eea2454e824404b3ed745d51a941584643534477433f097346da3c1efe7ca48
SHA512 1bee62c881be0288007a29672dab0e2eb04a6000bfde0244233ce7ed4537656489d878736af0ff2212f50be2d5c311f743d317b19ecb68617072c4e639bab11f

C:\Windows\SysWOW64\Nppkdp32.exe

MD5 21439401286215fe90eea06cf93f9379
SHA1 14486ec6eb2f2ca25640abc5bc9ba343a99dd0d1
SHA256 45503c3440a1bd225804024367caaeb024b5e830c483f2a14f9ecc76bd686f68
SHA512 d1ac80492145ac82798baf3c78bdb45487e1c993677fbbe477e32de48535f164a2bd36daed8e6519d016052da8b29a691835d6ca861c92d0ffed234477e57051

C:\Windows\SysWOW64\Ncadfk32.exe

MD5 7b04bb32866145d294d549c9c0c48c4e
SHA1 09fcef815979d52f13bd9ec529b34df74180ee6f
SHA256 f5dd6609d966e6973617cec1de49745e503cf5206c962a7a6f1fb8fa8fae91fc
SHA512 4a6fd5693cdb9d59c845a9dfccfa91924954eee51dc3906e356dfe2216c1ff701ba370cb334052e344506f57e11ece9ecbfaa26d0eece889b4f046ff63d2051b

C:\Windows\SysWOW64\Nohdkl32.exe

MD5 173769d02ff35504289a65eccb654922
SHA1 61eec9b2d1b00562d5f038709ef49c66cbc5d1c7
SHA256 19ad71a75dfa947a30ab362c8606a517d39b5e4576108a8982a46fd0cf28600e
SHA512 09aec65fb67467ba5cc4395f0174b8c73288a50b81ed3e7f012359b9d3a4f48fddf3bd93ca6f91174833c27df5505b145155444e19938802b70d63d28a2e1bc4

C:\Windows\SysWOW64\Ohpidaig.exe

MD5 61ac941ab4235ba3a933161f89886922
SHA1 55fa842ec6166d0c1ac6d73d410b3ac4eadcc334
SHA256 bb7294756e7856780b7990af357a6680b29e310f8f444c2d6e04afb98af11a73
SHA512 4689bbc1ef587168e81ba30daebe8919a2adf6077cdc66724a113ce91480d9277e7422656842a3c6a29d9ba661e3d9110ebbdc14b09d7c6b626646eff8102999

C:\Windows\SysWOW64\Opjnko32.exe

MD5 2c7360a8598a6245ccab68f4f4b39596
SHA1 cd8ffce7517c8be5e41d4839e4fdfe889eff8bd3
SHA256 e73381dc50d9eef6dc87434a05cc68348e824de1d1cb9cb1a679d712c622a87e
SHA512 4c508f0be9d3621b37923043984eb4e1daf946142b907fe0e047cdd6c3e12ff0ad458f263546cf60357ce3d251850587103d4a7aceac419a1026fe07b2d8d69b

C:\Windows\SysWOW64\Opljpn32.exe

MD5 456db4345b04ab6ac6a08a7eb3b6b949
SHA1 b58c81d7c327d8c14a3c67fe8388ed52c68d2ece
SHA256 eb218cb56ede524740419334ff45beee9a4dfd5a670050765def9aefc4faf3a9
SHA512 bb61d6d025427992e38632fb41d51981598eb58191bad6048d08e43da4a04ee60c74dd22df850ae5172d89072862dfd5941a97f35b8dd35b4989e77760001c7e

C:\Windows\SysWOW64\Pgminggi.exe

MD5 01f1e40da2eef1255d9a2bd49e0abad4
SHA1 bc1f9de68840524fa19bcec7a233fd7d9d8fa1cb
SHA256 36978009c8719d124d7e70a80260f8919494f0a7322d7a5d0bcfa92ce1aa7c7d
SHA512 8528f308360551d45df66fc154bc79a9db9b91e43bf54f874c1fcb67edf4a89253ba5152f7ae5eab59322127810e78909923cd3ffc4bb5ccd2a764702c1be2c2

C:\Windows\SysWOW64\Pljafneq.exe

MD5 b29cf9f555df4f45aad1f6a216b9e0f2
SHA1 f529b8961142a5f44c29fc28b39ac57ed0b875e7
SHA256 875ccfde69aadf49afe6a36d8106a0ab219c6396692858557548d8f07d2bd20d
SHA512 aacd1bf6bf8a03b4bcf545de14701e8a7ef29ecf12c2e2c251bd5e48941ca479582c3d7f7c67264e67d14876ccdafa9747398d1ae5e1216479be4c7ef2319687

C:\Windows\SysWOW64\Pgabig32.exe

MD5 07f75a636588bccdf99cb620eeb40c90
SHA1 ed020ccbedd54d27f04cbfe059933a88bfa8763d
SHA256 824524382bfe47a6d9c378de11f658d3e57545e764b0edd0e82a8c31e27aec78
SHA512 4ece54b8530c271ca9a34701e8cc15081e4c0db377723e8bd8b780d301275805191ec2d32086da3099922d77aa4d06f8760789e6fdb925d718604054c2d79d99

C:\Windows\SysWOW64\Pgdonf32.exe

MD5 274093d411cffc5e43a0fbfce46ca4cd
SHA1 5c5849cb11b538a71ef5220264f117bee6e26f6e
SHA256 92f088c998059380ff0a01a3c189b6e6a449afc973c830dbb209df55ecbf1e24
SHA512 64e71e2bfac948b73242e15f6efbd4c0d86eaf450ead7f42a9d4ad5908f3b72790aa940eb01e43df1218571c56e8233dd611501ae14da0fcfc84cb49acc1a54e

C:\Windows\SysWOW64\Pplcglgb.exe

MD5 86df7e8ed38cc5ff0dcd969fe7d24b18
SHA1 9469ac7cd47f3e45114206e66809fdca626cca4c
SHA256 d31125a07fe9e8c7b03bcdd25871875d89ac1ca955a93ff9db7798b34bc65435
SHA512 4916e8974812e388811d9c53c11857d8d5c35ffffaa0410fef1ca6b58f8ef7bccfe1b8153c1646d85c3ec63bfcabe620189f010dab1a9852973bbb82fd67211b

C:\Windows\SysWOW64\Qjgdealp.exe

MD5 6814f0274f57488b767201b49761dfcd
SHA1 40d938e30f3b6e5adba6566bb7269887b24b9448
SHA256 96c16e485e90eb474d41bba4e84b0182b8e1d0f9088690518baa4fdd0f39d4bf
SHA512 6a3b05b9d247e934da5268d88c3fa197b0e29379b49f1270d51507d4c41e03f3fe448accc97ca76151d532dd0248627b014179983bd977bbef3a2d4de4a282bb

C:\Windows\SysWOW64\Ammgblek.exe

MD5 be07b2ea4564fc5316e0f289b157519c
SHA1 739500f3746db0b6b6d6edcce31d31572225c0c0
SHA256 607c01316c4633434e8d6017cf062025098a3b4c6c46739b93bc0c8cc635bd3c
SHA512 5846e08bc59155ff04878aed71c021779cadc8ba1b533b70a0606c74ae83f1b9bd34e3915691690d7243b96c1bd7f9e0a1e46e503f04c86dc29e3a8521a6215f

C:\Windows\SysWOW64\Afghqa32.exe

MD5 f5e3debd2ed534c6be804807654c7204
SHA1 10aaa3b2453fcd74a72b5e14e23be5c01b816d63
SHA256 cced90193bfaf57434cde6bea204116f1997cbd59d2f6d00122b3f7acdb52594
SHA512 882af663ae611a839be3fa206174d1b1bd9117bf390843c0700cf87306dd99a64cc3342cd7d1e8cf46cfd66efaf6307b55d7dc82ad1f3c3716530625b0c3b448

C:\Windows\SysWOW64\Bobiof32.exe

MD5 f865ce58d03a994e4db2be47a2743ac4
SHA1 0b632a1ad5ebb35107e535209294b95f152da180
SHA256 c8878c3f7af266bdd8e90cf3cc7dd52a4d4db4c8e6f977b0ed817a75ad9f586e
SHA512 2adb0e80a5d26009adea57e635e1b71d88e7070146853e99b0347e9b5b29abfed72cc72162ef9566cf4e9a11788812807c86c1ba724035b45c4276f1398ac005

C:\Windows\SysWOW64\Bjlggnjh.exe

MD5 72e2b4d0e8ff19139e29796d32942066
SHA1 18e5345513f42b45163d6e72e6ba1157a156ba1d
SHA256 7c28506f4c239adf2d6f4665c7bc5f0d2473a789839a1617b212b27efd150192
SHA512 53c1594d423e602b32ac9723edac6ab72a91b78953537ba2a61dc23ee7e190b9abc3eb27ac1ecc83e21d200f721cce650277341556c1df02621c2d0454649239

C:\Windows\SysWOW64\Cakiohmo.exe

MD5 71c7c6ec305298cbeebb258c07fd84d2
SHA1 0aabb39dec567d8ed912c0360133d56919af8ad6
SHA256 1d9769b88dd7676189665e4322f247e68868528cf68a97ff129d7c6c7be20e7c
SHA512 b6a8e9c4f3702863d941f37319e5094edbfe9b7d0c4db7f1a1df22cfd2b3708f07562a37f09f3860b9c63ba83bb7c5d6f16ec3fdc2ada9a6ca5addb8bf876432

memory/1448-2331-0x0000000000400000-0x0000000000434000-memory.dmp

memory/8976-2354-0x0000000000400000-0x0000000000434000-memory.dmp

memory/8948-2343-0x0000000000400000-0x0000000000434000-memory.dmp

memory/8728-2336-0x0000000000400000-0x0000000000434000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:12

Reported

2024-11-10 01:15

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Npagjpcd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Npagjpcd.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Npagjpcd.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlhgoqhh.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Nlhgoqhh.exe C:\Windows\SysWOW64\Npagjpcd.exe N/A
File opened for modification C:\Windows\SysWOW64\Nlhgoqhh.exe C:\Windows\SysWOW64\Npagjpcd.exe N/A
File created C:\Windows\SysWOW64\Lamajm32.dll C:\Windows\SysWOW64\Npagjpcd.exe N/A
File created C:\Windows\SysWOW64\Npagjpcd.exe C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe N/A
File opened for modification C:\Windows\SysWOW64\Npagjpcd.exe C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe N/A
File created C:\Windows\SysWOW64\Mahqjm32.dll C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nlhgoqhh.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Npagjpcd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nlhgoqhh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll" C:\Windows\SysWOW64\Npagjpcd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Npagjpcd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Npagjpcd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll" C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe C:\Windows\SysWOW64\Npagjpcd.exe
PID 2792 wrote to memory of 2168 N/A C:\Windows\SysWOW64\Npagjpcd.exe C:\Windows\SysWOW64\Nlhgoqhh.exe
PID 2168 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Nlhgoqhh.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe

"C:\Users\Admin\AppData\Local\Temp\a318bb4de7f7ad2901270ac5437f316e987b10b33484d4b449eff0a40485eaec.exe"

C:\Windows\SysWOW64\Npagjpcd.exe

C:\Windows\system32\Npagjpcd.exe

C:\Windows\SysWOW64\Nlhgoqhh.exe

C:\Windows\system32\Nlhgoqhh.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 140

Network

N/A

Files
