Malware Analysis Report

2025-04-03 16:37

Sample ID 241110-lv39msxnek
Target 381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N
SHA256 381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258
Tags
berbew backdoor discovery persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258

Threat Level: Known bad

The file 381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew family

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 09:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 09:52

Reported

2024-11-10 09:54

Platform

win7-20240903-en

Max time kernel

29s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbkameaf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lphhenhc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mieeibkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mapjmehi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mmihhelk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nigome32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Npagjpcd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Npagjpcd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kfmjgeaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mmldme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jfknbe32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgjfkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lgjfkk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mpmapm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgalqkbk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmldme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngdifkpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kbkameaf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lpjdjmfp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mencccop.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Naimccpo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmjojo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Knklagmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lgmcqkkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lphhenhc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kkolkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lndohedg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Migbnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mencccop.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfknbe32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Knklagmb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kegqdqbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mpmapm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mffimglk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Migbnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Modkfi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mbpgggol.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kfmjgeaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nenobfak.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kegqdqbl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mapjmehi.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngdifkpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kkolkk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mhhfdo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Modkfi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mkmhaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Naimccpo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjdmmdnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lghjel32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Liplnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mieeibkn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mbpgggol.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmihhelk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nenobfak.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kmjojo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lghjel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndhipoob.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nlcnda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nigome32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lpjdjmfp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndjfeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Liplnc32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Jjdmmdnh.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfknbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbbngf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfmjgeaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmjojo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knklagmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkolkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kegqdqbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbkameaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Lghjel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgjfkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lndohedg.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgmcqkkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Lphhenhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Liplnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpjdjmfp.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpmapm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mffimglk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mieeibkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhhfdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mapjmehi.exe N/A
N/A N/A C:\Windows\SysWOW64\Migbnb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Modkfi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbpgggol.exe N/A
N/A N/A C:\Windows\SysWOW64\Mencccop.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmihhelk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgalqkbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkmhaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmldme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngdifkpi.exe N/A
N/A N/A C:\Windows\SysWOW64\Naimccpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndhipoob.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlcnda32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndjfeo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nigome32.exe N/A
N/A N/A C:\Windows\SysWOW64\Npagjpcd.exe N/A
N/A N/A C:\Windows\SysWOW64\Nenobfak.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlhgoqhh.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjdmmdnh.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjdmmdnh.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfknbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jfknbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbbngf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbbngf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfmjgeaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kfmjgeaj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmjojo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmjojo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knklagmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Knklagmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkolkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkolkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kegqdqbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Kegqdqbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbkameaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Kbkameaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Lghjel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lghjel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgjfkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgjfkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lndohedg.exe N/A
N/A N/A C:\Windows\SysWOW64\Lndohedg.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgmcqkkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgmcqkkh.exe N/A
N/A N/A C:\Windows\SysWOW64\Lphhenhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Lphhenhc.exe N/A
N/A N/A C:\Windows\SysWOW64\Liplnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Liplnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpjdjmfp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lpjdjmfp.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpmapm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mpmapm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mffimglk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mffimglk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mieeibkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mieeibkn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhhfdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mhhfdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mapjmehi.exe N/A
N/A N/A C:\Windows\SysWOW64\Mapjmehi.exe N/A
N/A N/A C:\Windows\SysWOW64\Migbnb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Migbnb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Modkfi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Modkfi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbpgggol.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbpgggol.exe N/A
N/A N/A C:\Windows\SysWOW64\Mencccop.exe N/A
N/A N/A C:\Windows\SysWOW64\Mencccop.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmihhelk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmihhelk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgalqkbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgalqkbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkmhaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkmhaj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmldme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmldme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngdifkpi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ngdifkpi.exe N/A
N/A N/A C:\Windows\SysWOW64\Naimccpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Naimccpo.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Modkfi32.exe C:\Windows\SysWOW64\Migbnb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mmldme32.exe C:\Windows\SysWOW64\Mkmhaj32.exe N/A
File created C:\Windows\SysWOW64\Giegfm32.dll C:\Windows\SysWOW64\Kbbngf32.exe N/A
File created C:\Windows\SysWOW64\Kbkameaf.exe C:\Windows\SysWOW64\Kegqdqbl.exe N/A
File created C:\Windows\SysWOW64\Lghjel32.exe C:\Windows\SysWOW64\Kbkameaf.exe N/A
File created C:\Windows\SysWOW64\Lgmcqkkh.exe C:\Windows\SysWOW64\Lndohedg.exe N/A
File created C:\Windows\SysWOW64\Liplnc32.exe C:\Windows\SysWOW64\Lphhenhc.exe N/A
File created C:\Windows\SysWOW64\Mpmapm32.exe C:\Windows\SysWOW64\Lpjdjmfp.exe N/A
File created C:\Windows\SysWOW64\Mkmhaj32.exe C:\Windows\SysWOW64\Mgalqkbk.exe N/A
File created C:\Windows\SysWOW64\Egnhob32.dll C:\Windows\SysWOW64\Naimccpo.exe N/A
File created C:\Windows\SysWOW64\Ihlfca32.dll C:\Windows\SysWOW64\Kkolkk32.exe N/A
File created C:\Windows\SysWOW64\Mmihhelk.exe C:\Windows\SysWOW64\Mencccop.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndjfeo32.exe C:\Windows\SysWOW64\Nlcnda32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mpmapm32.exe C:\Windows\SysWOW64\Lpjdjmfp.exe N/A
File opened for modification C:\Windows\SysWOW64\Lndohedg.exe C:\Windows\SysWOW64\Lgjfkk32.exe N/A
File created C:\Windows\SysWOW64\Mieeibkn.exe C:\Windows\SysWOW64\Mffimglk.exe N/A
File created C:\Windows\SysWOW64\Modkfi32.exe C:\Windows\SysWOW64\Migbnb32.exe N/A
File created C:\Windows\SysWOW64\Mmldme32.exe C:\Windows\SysWOW64\Mkmhaj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nigome32.exe C:\Windows\SysWOW64\Ndjfeo32.exe N/A
File created C:\Windows\SysWOW64\Kegqdqbl.exe C:\Windows\SysWOW64\Kkolkk32.exe N/A
File created C:\Windows\SysWOW64\Nigome32.exe C:\Windows\SysWOW64\Ndjfeo32.exe N/A
File created C:\Windows\SysWOW64\Eeieql32.dll C:\Windows\SysWOW64\Knklagmb.exe N/A
File created C:\Windows\SysWOW64\Migbnb32.exe C:\Windows\SysWOW64\Mapjmehi.exe N/A
File opened for modification C:\Windows\SysWOW64\Migbnb32.exe C:\Windows\SysWOW64\Mapjmehi.exe N/A
File created C:\Windows\SysWOW64\Nlhgoqhh.exe C:\Windows\SysWOW64\Nenobfak.exe N/A
File created C:\Windows\SysWOW64\Lpjdjmfp.exe C:\Windows\SysWOW64\Liplnc32.exe N/A
File created C:\Windows\SysWOW64\Kbbngf32.exe C:\Windows\SysWOW64\Jfknbe32.exe N/A
File created C:\Windows\SysWOW64\Nafmbhpm.dll C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe N/A
File created C:\Windows\SysWOW64\Gnddig32.dll C:\Windows\SysWOW64\Lgmcqkkh.exe N/A
File created C:\Windows\SysWOW64\Naimccpo.exe C:\Windows\SysWOW64\Ngdifkpi.exe N/A
File created C:\Windows\SysWOW64\Mehjml32.dll C:\Windows\SysWOW64\Npagjpcd.exe N/A
File created C:\Windows\SysWOW64\Hoaebk32.dll C:\Windows\SysWOW64\Kegqdqbl.exe N/A
File created C:\Windows\SysWOW64\Mencccop.exe C:\Windows\SysWOW64\Mbpgggol.exe N/A
File created C:\Windows\SysWOW64\Nlcnda32.exe C:\Windows\SysWOW64\Ndhipoob.exe N/A
File created C:\Windows\SysWOW64\Mapjmehi.exe C:\Windows\SysWOW64\Mhhfdo32.exe N/A
File created C:\Windows\SysWOW64\Lamajm32.dll C:\Windows\SysWOW64\Nenobfak.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndhipoob.exe C:\Windows\SysWOW64\Naimccpo.exe N/A
File opened for modification C:\Windows\SysWOW64\Nenobfak.exe C:\Windows\SysWOW64\Npagjpcd.exe N/A
File created C:\Windows\SysWOW64\Qaqkcf32.dll C:\Windows\SysWOW64\Mgalqkbk.exe N/A
File created C:\Windows\SysWOW64\Ogjgkqaa.dll C:\Windows\SysWOW64\Ndhipoob.exe N/A
File created C:\Windows\SysWOW64\Mmdcie32.dll C:\Windows\SysWOW64\Lghjel32.exe N/A
File created C:\Windows\SysWOW64\Fdilgioe.dll C:\Windows\SysWOW64\Lndohedg.exe N/A
File opened for modification C:\Windows\SysWOW64\Mbpgggol.exe C:\Windows\SysWOW64\Modkfi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nlhgoqhh.exe C:\Windows\SysWOW64\Nenobfak.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbbngf32.exe C:\Windows\SysWOW64\Jfknbe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Knklagmb.exe C:\Windows\SysWOW64\Kmjojo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Liplnc32.exe C:\Windows\SysWOW64\Lphhenhc.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkmhaj32.exe C:\Windows\SysWOW64\Mgalqkbk.exe N/A
File created C:\Windows\SysWOW64\Cgmgbeon.dll C:\Windows\SysWOW64\Mkmhaj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lgjfkk32.exe C:\Windows\SysWOW64\Lghjel32.exe N/A
File created C:\Windows\SysWOW64\Fbpljhnf.dll C:\Windows\SysWOW64\Mmldme32.exe N/A
File created C:\Windows\SysWOW64\Npagjpcd.exe C:\Windows\SysWOW64\Nigome32.exe N/A
File created C:\Windows\SysWOW64\Lgjfkk32.exe C:\Windows\SysWOW64\Lghjel32.exe N/A
File created C:\Windows\SysWOW64\Hebpjd32.dll C:\Windows\SysWOW64\Jjdmmdnh.exe N/A
File opened for modification C:\Windows\SysWOW64\Lgmcqkkh.exe C:\Windows\SysWOW64\Lndohedg.exe N/A
File created C:\Windows\SysWOW64\Nenobfak.exe C:\Windows\SysWOW64\Npagjpcd.exe N/A
File created C:\Windows\SysWOW64\Jfknbe32.exe C:\Windows\SysWOW64\Jjdmmdnh.exe N/A
File opened for modification C:\Windows\SysWOW64\Npagjpcd.exe C:\Windows\SysWOW64\Nigome32.exe N/A
File created C:\Windows\SysWOW64\Oqaedifk.dll C:\Windows\SysWOW64\Ndjfeo32.exe N/A
File created C:\Windows\SysWOW64\Eppddhlj.dll C:\Windows\SysWOW64\Ngdifkpi.exe N/A
File created C:\Windows\SysWOW64\Mahqjm32.dll C:\Windows\SysWOW64\Nigome32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbkameaf.exe C:\Windows\SysWOW64\Kegqdqbl.exe N/A
File opened for modification C:\Windows\SysWOW64\Mmihhelk.exe C:\Windows\SysWOW64\Mencccop.exe N/A
File created C:\Windows\SysWOW64\Nkeghkck.dll C:\Windows\SysWOW64\Mencccop.exe N/A
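Read together, the rows above describe one repeating pattern: each stage creates the next-stage EXE plus one DLL in SysWOW64, then the next stage does the same, which is why the process list is a chain of eight-character names. The table is an excerpt, so some links are missing (for instance, no visible row shows which process created Jjdmmdnh.exe, Kfmjgeaj.exe or Kegqdqbl.exe). The script below is an added example, not part of the sandbox output: it reconstructs the drop lineage from rows in this table's format (the embedded rows are copied from the table above; their order is treated as event order, which is an assumption) and reports each maximal chain separately instead of assuming one unbroken line. Function names are my own.

```python
import re
import ntpath

# Row format of the "Drops file in System32 directory" table:
# "File <created|opened for modification> <path> <process> <target>".
FILE_RE = re.compile(r'^File (created|opened for modification) (\S+) (\S+) (\S+)$')

# Rows copied from the report table; order assumed to be event order (assumption).
SAMPLE_ROWS = [
    r'File created C:\Windows\SysWOW64\Nafmbhpm.dll C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe N/A',
    r'File created C:\Windows\SysWOW64\Hebpjd32.dll C:\Windows\SysWOW64\Jjdmmdnh.exe N/A',
    r'File created C:\Windows\SysWOW64\Jfknbe32.exe C:\Windows\SysWOW64\Jjdmmdnh.exe N/A',
    r'File created C:\Windows\SysWOW64\Kbbngf32.exe C:\Windows\SysWOW64\Jfknbe32.exe N/A',
    r'File opened for modification C:\Windows\SysWOW64\Kbbngf32.exe C:\Windows\SysWOW64\Jfknbe32.exe N/A',
    r'File created C:\Windows\SysWOW64\Giegfm32.dll C:\Windows\SysWOW64\Kbbngf32.exe N/A',
    r'File created C:\Windows\SysWOW64\Hoaebk32.dll C:\Windows\SysWOW64\Kegqdqbl.exe N/A',
    r'File created C:\Windows\SysWOW64\Kbkameaf.exe C:\Windows\SysWOW64\Kegqdqbl.exe N/A',
    r'File created C:\Windows\SysWOW64\Lghjel32.exe C:\Windows\SysWOW64\Kbkameaf.exe N/A',
    r'File created C:\Windows\SysWOW64\Mmdcie32.dll C:\Windows\SysWOW64\Lghjel32.exe N/A',
    r'File created C:\Windows\SysWOW64\Lgjfkk32.exe C:\Windows\SysWOW64\Lghjel32.exe N/A',
    r'File opened for modification C:\Windows\SysWOW64\Lgjfkk32.exe C:\Windows\SysWOW64\Lghjel32.exe N/A',
]


def parse_file_events(rows):
    """Return (operation, path, process) triples; rows that do not match are ignored."""
    events = []
    for row in rows:
        m = FILE_RE.match(row)
        if m:
            op, path, proc, _target = m.groups()
            events.append((op, path, proc))
    return events


def drop_chains(events):
    """Reconstruct dropper -> dropped-EXE lineage.

    Only 'created' rows establish lineage; 'opened for modification' rows merely
    corroborate it. Processes that were never created by another row start a new
    chain, so a truncated table yields several chains rather than one wrong one.
    """
    order = []        # dropper processes in order of first appearance
    created_by = {}   # dropped EXE basename -> basename of the process that created it
    for op, path, proc in events:
        p = ntpath.basename(proc)
        if p not in order:
            order.append(p)
        if op == 'created' and path.lower().endswith('.exe'):
            created_by.setdefault(ntpath.basename(path), p)
    children = {}
    for child, parent in created_by.items():
        children.setdefault(parent, []).append(child)
    roots = [p for p in order if p not in created_by]
    chains = []
    for root in roots:
        chain, cur, seen = [root], root, {root}
        while cur in children:
            cur = children[cur][0]   # Berbew drops one EXE per stage; follow the first
            if cur in seen:          # guard against a malformed cycle in the input
                break
            seen.add(cur)
            chain.append(cur)
        chains.append(chain)
    return chains


def dlls_by_stage(events):
    """DLLs each stage dropped alongside its next-stage EXE."""
    out = {}
    for op, path, proc in events:
        if op == 'created' and path.lower().endswith('.dll'):
            out.setdefault(ntpath.basename(proc), []).append(ntpath.basename(path))
    return out


def system_dir_artifacts(events):
    """Every path created or modified under the system directory: the collection list."""
    return sorted({path for _, path, _ in events
                   if '\\syswow64\\' in path.lower() or '\\system32\\' in path.lower()})


if __name__ == '__main__':
    events = parse_file_events(SAMPLE_ROWS)
    dlls = dlls_by_stage(events)
    for chain in drop_chains(events):
        print(' -> '.join(chain))
        for stage in chain:
            if stage in dlls:
                print(f'    {stage} also dropped: {", ".join(dlls[stage])}')
    print('collect:', *system_dir_artifacts(events), sep='\n  ')
```

On the full table this yields one chain per visible gap; joining the fragments into the single lineage the process tree implies needs the rows the excerpt omits, so treat each chain's root as "parent unknown", not as the initial sample.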

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nlhgoqhh.exe

System Location Discovery: System Language Discovery

discovery
Note: the NLS\Language key is opened by the ordinary Windows locale routines, so on its own this signature is low-fidelity. Here it mainly corroborates that every dropped stage actually executed.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lpjdjmfp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mhhfdo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmldme32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nlcnda32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ndjfeo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kmjojo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lghjel32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lndohedg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ndhipoob.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Knklagmb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kegqdqbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lphhenhc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nlhgoqhh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jfknbe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lgjfkk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmihhelk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kfmjgeaj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mpmapm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Modkfi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mieeibkn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgalqkbk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kbbngf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkolkk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Liplnc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ngdifkpi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Naimccpo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jjdmmdnh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mffimglk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mbpgggol.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mapjmehi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mencccop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nigome32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kbkameaf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lgmcqkkh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nenobfak.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Migbnb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mkmhaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Npagjpcd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kbbngf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Liplnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mhhfdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mapjmehi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Knklagmb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kfmjgeaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kkolkk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lndohedg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Liplnc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kmjojo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mhhfdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpahiebe.dll" C:\Windows\SysWOW64\Modkfi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Naimccpo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nigome32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mffimglk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfmdf32.dll" C:\Windows\SysWOW64\Mhhfdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jjdmmdnh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kkolkk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mencccop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Naimccpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Modkfi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Npagjpcd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kmjojo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnddig32.dll" C:\Windows\SysWOW64\Lgmcqkkh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mieeibkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndjfeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjfhfnim.dll" C:\Windows\SysWOW64\Kmjojo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpcnkg32.dll" C:\Windows\SysWOW64\Kbkameaf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mapjmehi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eppddhlj.dll" C:\Windows\SysWOW64\Ngdifkpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jfknbe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfca32.dll" C:\Windows\SysWOW64\Kkolkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll" C:\Windows\SysWOW64\Mmldme32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nlcnda32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jjdmmdnh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kbkameaf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lghjel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lpjdjmfp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeghkck.dll" C:\Windows\SysWOW64\Mencccop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmgbeon.dll" C:\Windows\SysWOW64\Mkmhaj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kbbngf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mgalqkbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll" C:\Windows\SysWOW64\Ndjfeo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kegqdqbl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lpjdjmfp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Migbnb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mkmhaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mmihhelk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilgioe.dll" C:\Windows\SysWOW64\Lndohedg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahaplc.dll" C:\Windows\SysWOW64\Lpjdjmfp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Migbnb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mmihhelk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebpjd32.dll" C:\Windows\SysWOW64\Jjdmmdnh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mbpgggol.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mmldme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll" C:\Windows\SysWOW64\Naimccpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lphhenhc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mffimglk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafmbhpm.dll" C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeieql32.dll" C:\Windows\SysWOW64\Knklagmb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe C:\Windows\SysWOW64\Jjdmmdnh.exe
PID 1884 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe C:\Windows\SysWOW64\Jjdmmdnh.exe
PID 1884 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe C:\Windows\SysWOW64\Jjdmmdnh.exe
PID 1884 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe C:\Windows\SysWOW64\Jjdmmdnh.exe
PID 2292 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Jjdmmdnh.exe C:\Windows\SysWOW64\Jfknbe32.exe
PID 2292 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Jjdmmdnh.exe C:\Windows\SysWOW64\Jfknbe32.exe
PID 2292 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Jjdmmdnh.exe C:\Windows\SysWOW64\Jfknbe32.exe
PID 2292 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Jjdmmdnh.exe C:\Windows\SysWOW64\Jfknbe32.exe
PID 3040 wrote to memory of 2748 N/A C:\Windows\SysWOW64\Jfknbe32.exe C:\Windows\SysWOW64\Kbbngf32.exe
PID 3040 wrote to memory of 2748 N/A C:\Windows\SysWOW64\Jfknbe32.exe C:\Windows\SysWOW64\Kbbngf32.exe
PID 3040 wrote to memory of 2748 N/A C:\Windows\SysWOW64\Jfknbe32.exe C:\Windows\SysWOW64\Kbbngf32.exe
PID 3040 wrote to memory of 2748 N/A C:\Windows\SysWOW64\Jfknbe32.exe C:\Windows\SysWOW64\Kbbngf32.exe
PID 2748 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Kbbngf32.exe C:\Windows\SysWOW64\Kfmjgeaj.exe
PID 2748 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Kbbngf32.exe C:\Windows\SysWOW64\Kfmjgeaj.exe
PID 2748 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Kbbngf32.exe C:\Windows\SysWOW64\Kfmjgeaj.exe
PID 2748 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Kbbngf32.exe C:\Windows\SysWOW64\Kfmjgeaj.exe
PID 2704 wrote to memory of 3000 N/A C:\Windows\SysWOW64\Kfmjgeaj.exe C:\Windows\SysWOW64\Kmjojo32.exe
PID 2704 wrote to memory of 3000 N/A C:\Windows\SysWOW64\Kfmjgeaj.exe C:\Windows\SysWOW64\Kmjojo32.exe
PID 2704 wrote to memory of 3000 N/A C:\Windows\SysWOW64\Kfmjgeaj.exe C:\Windows\SysWOW64\Kmjojo32.exe
PID 2704 wrote to memory of 3000 N/A C:\Windows\SysWOW64\Kfmjgeaj.exe C:\Windows\SysWOW64\Kmjojo32.exe
PID 3000 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Kmjojo32.exe C:\Windows\SysWOW64\Knklagmb.exe
PID 3000 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Kmjojo32.exe C:\Windows\SysWOW64\Knklagmb.exe
PID 3000 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Kmjojo32.exe C:\Windows\SysWOW64\Knklagmb.exe
PID 3000 wrote to memory of 2516 N/A C:\Windows\SysWOW64\Kmjojo32.exe C:\Windows\SysWOW64\Knklagmb.exe
PID 2516 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Knklagmb.exe C:\Windows\SysWOW64\Kkolkk32.exe
PID 2516 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Knklagmb.exe C:\Windows\SysWOW64\Kkolkk32.exe
PID 2516 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Knklagmb.exe C:\Windows\SysWOW64\Kkolkk32.exe
PID 2516 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Knklagmb.exe C:\Windows\SysWOW64\Kkolkk32.exe
PID 2456 wrote to memory of 332 N/A C:\Windows\SysWOW64\Kkolkk32.exe C:\Windows\SysWOW64\Kegqdqbl.exe
PID 2456 wrote to memory of 332 N/A C:\Windows\SysWOW64\Kkolkk32.exe C:\Windows\SysWOW64\Kegqdqbl.exe
PID 2456 wrote to memory of 332 N/A C:\Windows\SysWOW64\Kkolkk32.exe C:\Windows\SysWOW64\Kegqdqbl.exe
PID 2456 wrote to memory of 332 N/A C:\Windows\SysWOW64\Kkolkk32.exe C:\Windows\SysWOW64\Kegqdqbl.exe
PID 332 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Kegqdqbl.exe C:\Windows\SysWOW64\Kbkameaf.exe
PID 332 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Kegqdqbl.exe C:\Windows\SysWOW64\Kbkameaf.exe
PID 332 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Kegqdqbl.exe C:\Windows\SysWOW64\Kbkameaf.exe
PID 332 wrote to memory of 1488 N/A C:\Windows\SysWOW64\Kegqdqbl.exe C:\Windows\SysWOW64\Kbkameaf.exe
PID 1488 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Kbkameaf.exe C:\Windows\SysWOW64\Lghjel32.exe
PID 1488 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Kbkameaf.exe C:\Windows\SysWOW64\Lghjel32.exe
PID 1488 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Kbkameaf.exe C:\Windows\SysWOW64\Lghjel32.exe
PID 1488 wrote to memory of 2800 N/A C:\Windows\SysWOW64\Kbkameaf.exe C:\Windows\SysWOW64\Lghjel32.exe
PID 2800 wrote to memory of 2864 N/A C:\Windows\SysWOW64\Lghjel32.exe C:\Windows\SysWOW64\Lgjfkk32.exe
PID 2800 wrote to memory of 2864 N/A C:\Windows\SysWOW64\Lghjel32.exe C:\Windows\SysWOW64\Lgjfkk32.exe
PID 2800 wrote to memory of 2864 N/A C:\Windows\SysWOW64\Lghjel32.exe C:\Windows\SysWOW64\Lgjfkk32.exe
PID 2800 wrote to memory of 2864 N/A C:\Windows\SysWOW64\Lghjel32.exe C:\Windows\SysWOW64\Lgjfkk32.exe
PID 2864 wrote to memory of 1336 N/A C:\Windows\SysWOW64\Lgjfkk32.exe C:\Windows\SysWOW64\Lndohedg.exe
PID 2864 wrote to memory of 1336 N/A C:\Windows\SysWOW64\Lgjfkk32.exe C:\Windows\SysWOW64\Lndohedg.exe
PID 2864 wrote to memory of 1336 N/A C:\Windows\SysWOW64\Lgjfkk32.exe C:\Windows\SysWOW64\Lndohedg.exe
PID 2864 wrote to memory of 1336 N/A C:\Windows\SysWOW64\Lgjfkk32.exe C:\Windows\SysWOW64\Lndohedg.exe
PID 1336 wrote to memory of 1572 N/A C:\Windows\SysWOW64\Lndohedg.exe C:\Windows\SysWOW64\Lgmcqkkh.exe
PID 1336 wrote to memory of 1572 N/A C:\Windows\SysWOW64\Lndohedg.exe C:\Windows\SysWOW64\Lgmcqkkh.exe
PID 1336 wrote to memory of 1572 N/A C:\Windows\SysWOW64\Lndohedg.exe C:\Windows\SysWOW64\Lgmcqkkh.exe
PID 1336 wrote to memory of 1572 N/A C:\Windows\SysWOW64\Lndohedg.exe C:\Windows\SysWOW64\Lgmcqkkh.exe
PID 1572 wrote to memory of 1080 N/A C:\Windows\SysWOW64\Lgmcqkkh.exe C:\Windows\SysWOW64\Lphhenhc.exe
PID 1572 wrote to memory of 1080 N/A C:\Windows\SysWOW64\Lgmcqkkh.exe C:\Windows\SysWOW64\Lphhenhc.exe
PID 1572 wrote to memory of 1080 N/A C:\Windows\SysWOW64\Lgmcqkkh.exe C:\Windows\SysWOW64\Lphhenhc.exe
PID 1572 wrote to memory of 1080 N/A C:\Windows\SysWOW64\Lgmcqkkh.exe C:\Windows\SysWOW64\Lphhenhc.exe
PID 1080 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Lphhenhc.exe C:\Windows\SysWOW64\Liplnc32.exe
PID 1080 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Lphhenhc.exe C:\Windows\SysWOW64\Liplnc32.exe
PID 1080 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Lphhenhc.exe C:\Windows\SysWOW64\Liplnc32.exe
PID 1080 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Lphhenhc.exe C:\Windows\SysWOW64\Liplnc32.exe
PID 1988 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Liplnc32.exe C:\Windows\SysWOW64\Lpjdjmfp.exe
PID 1988 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Liplnc32.exe C:\Windows\SysWOW64\Lpjdjmfp.exe
PID 1988 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Liplnc32.exe C:\Windows\SysWOW64\Lpjdjmfp.exe
PID 1988 wrote to memory of 2468 N/A C:\Windows\SysWOW64\Liplnc32.exe C:\Windows\SysWOW64\Lpjdjmfp.exe
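The two signature tables above carry the whole Berbew story in raw form: every dropped stage re-points the same CLSID's InProcServer32 default value at its own DLL, and the ShellServiceObjectDelayLoad entry ("Web Event Logger") makes Explorer load whatever that CLSID resolves to at logon, while the WriteProcessMemory rows (reported once per write, hence the four identical lines per pair) give the parent-to-child drop chain. The script below is an added example, not part of the sandbox report or of any tooling the report was produced with: it parses constructed copies of rows in exactly the shapes used on this page (the row strings, regexes and function names are mine) to recover the SSODL entry, its CLSID, the DLL paths that CLSID was pointed at and which dropped executables wrote them, and to collapse the repeated write rows into the PID chain. It generalizes to the full row set, not only the rows embedded here.

```python
"""Added example (not part of the sandbox report): rebuild the SSODL persistence
chain and the process drop chain from the report's own row formats.

Row shapes handled, as they appear on the page:
  Set value (str) <key>\\<name> = "<data>" <writing process> N/A
  Key created <key> <writing process> N/A
  PID <parent> wrote to memory of <child> N/A <parent image> <child image>
"""
import re
from collections import OrderedDict

SET_RE = re.compile(r'^Set value \(str\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>\S+) N/A$')
KEY_RE = re.compile(r'^Key created (?P<key>.+?) (?P<proc>\S+) N/A$')
WPM_RE = re.compile(r'^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A (?P<pimg>\S+) (?P<cimg>\S+)$')
SSODL = r'\CurrentVersion\ShellServiceObjectDelayLoad'
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32$', re.I)

# Constructed sample rows: copies of rows from the report, trimmed to the ones
# needed to show the chain. They are parsed here, not newly observed.
REGISTRY_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbkameaf.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lndohedg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Liplnc32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpahiebe.dll" C:\Windows\SysWOW64\Modkfi32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafmbhpm.dll" C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe N/A',
]
WPM_ROWS = [
    r'PID 1884 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe C:\Windows\SysWOW64\Jjdmmdnh.exe',
] * 4 + [
    r'PID 2292 wrote to memory of 3040 N/A C:\Windows\SysWOW64\Jjdmmdnh.exe C:\Windows\SysWOW64\Jfknbe32.exe',
    r'PID 3040 wrote to memory of 2748 N/A C:\Windows\SysWOW64\Jfknbe32.exe C:\Windows\SysWOW64\Kbbngf32.exe',
]


def _server(servers, clsid):
    return servers.setdefault(clsid.upper(), {'dlls': [], 'threading': None, 'writers': set()})


def resolve_ssodl(rows):
    """Map each ShellServiceObjectDelayLoad entry to its CLSID, the DLL path(s)
    written to that CLSID's InProcServer32 default value (what Explorer loads),
    the ThreadingModel, and every process that touched the key."""
    entries, servers = {}, {}          # SSODL name -> CLSID ; CLSID -> server info
    for row in rows:
        k = KEY_RE.match(row)
        if k:
            c = CLSID_RE.search(k['key'])
            if c:
                _server(servers, c.group(1))['writers'].add(k['proc'])
            continue
        m = SET_RE.match(row)
        if not m:
            continue
        key, _, name = m['path'].rpartition('\\')   # trailing '\' => default value
        data = m['data'].replace('\\\\', '\\')       # undo the report's escaping
        if key.endswith(SSODL):
            entries[name] = data
            continue
        c = CLSID_RE.search(key)
        if not c:
            continue
        srv = _server(servers, c.group(1))
        srv['writers'].add(m['proc'])
        if name == '' and data not in srv['dlls']:
            srv['dlls'].append(data)                 # each stage re-points the CLSID
        elif name.lower() == 'threadingmodel':
            srv['threading'] = data
    return [{'entry': n, 'clsid': cid, **_server(servers, cid)} for n, cid in entries.items()]


def write_edges(rows):
    """Collapse repeated 'wrote to memory' rows into unique parent->child edges."""
    edges = OrderedDict()
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            edges.setdefault((int(m['parent']), int(m['child'])), (m['pimg'], m['cimg']))
    return edges


def spawn_chain(edges):
    """Walk from the root PID (one nobody wrote into) down the drop chain."""
    child_of, image = {}, {}
    for (p, c), (pi, ci) in edges.items():
        child_of[p] = c
        image[p], image[c] = pi, ci
    roots = [p for p in child_of if p not in child_of.values()]
    chain, seen, pid = [], set(), roots[0] if roots else None
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append((pid, image[pid]))
        pid = child_of.get(pid)
    return chain


if __name__ == '__main__':
    for e in resolve_ssodl(REGISTRY_ROWS):
        print(f"SSODL '{e['entry']}' -> {e['clsid']} -> {e['dlls']} ({e['threading']}), "
              f"{len(e['writers'])} writers")
    print(' -> '.join(f"{pid}:{img.rsplit(chr(92), 1)[-1]}"
                      for pid, img in spawn_chain(write_edges(WPM_ROWS))))
```

Feeding the script every registry row from this page yields the complete list of DLL names the CLSID was pointed at (one per dropped stage), which is the IOC set to hunt for under SysWOW64 and the value to inspect when triaging an SSODL entry on a live host; the chain from the write rows is the order in which the stages were dropped, which the Processes list below confirms.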

Processes

C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe

"C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe"

C:\Windows\SysWOW64\Jjdmmdnh.exe

C:\Windows\system32\Jjdmmdnh.exe

C:\Windows\SysWOW64\Jfknbe32.exe

C:\Windows\system32\Jfknbe32.exe

C:\Windows\SysWOW64\Kbbngf32.exe

C:\Windows\system32\Kbbngf32.exe

C:\Windows\SysWOW64\Kfmjgeaj.exe

C:\Windows\system32\Kfmjgeaj.exe

C:\Windows\SysWOW64\Kmjojo32.exe

C:\Windows\system32\Kmjojo32.exe

C:\Windows\SysWOW64\Knklagmb.exe

C:\Windows\system32\Knklagmb.exe

C:\Windows\SysWOW64\Kkolkk32.exe

C:\Windows\system32\Kkolkk32.exe

C:\Windows\SysWOW64\Kegqdqbl.exe

C:\Windows\system32\Kegqdqbl.exe

C:\Windows\SysWOW64\Kbkameaf.exe

C:\Windows\system32\Kbkameaf.exe

C:\Windows\SysWOW64\Lghjel32.exe

C:\Windows\system32\Lghjel32.exe

C:\Windows\SysWOW64\Lgjfkk32.exe

C:\Windows\system32\Lgjfkk32.exe

C:\Windows\SysWOW64\Lndohedg.exe

C:\Windows\system32\Lndohedg.exe

C:\Windows\SysWOW64\Lgmcqkkh.exe

C:\Windows\system32\Lgmcqkkh.exe

C:\Windows\SysWOW64\Lphhenhc.exe

C:\Windows\system32\Lphhenhc.exe

C:\Windows\SysWOW64\Liplnc32.exe

C:\Windows\system32\Liplnc32.exe

C:\Windows\SysWOW64\Lpjdjmfp.exe

C:\Windows\system32\Lpjdjmfp.exe

C:\Windows\SysWOW64\Mpmapm32.exe

C:\Windows\system32\Mpmapm32.exe

C:\Windows\SysWOW64\Mffimglk.exe

C:\Windows\system32\Mffimglk.exe

C:\Windows\SysWOW64\Mieeibkn.exe

C:\Windows\system32\Mieeibkn.exe

C:\Windows\SysWOW64\Mhhfdo32.exe

C:\Windows\system32\Mhhfdo32.exe

C:\Windows\SysWOW64\Mapjmehi.exe

C:\Windows\system32\Mapjmehi.exe

C:\Windows\SysWOW64\Migbnb32.exe

C:\Windows\system32\Migbnb32.exe

C:\Windows\SysWOW64\Modkfi32.exe

C:\Windows\system32\Modkfi32.exe

C:\Windows\SysWOW64\Mbpgggol.exe

C:\Windows\system32\Mbpgggol.exe

C:\Windows\SysWOW64\Mencccop.exe

C:\Windows\system32\Mencccop.exe

C:\Windows\SysWOW64\Mmihhelk.exe

C:\Windows\system32\Mmihhelk.exe

C:\Windows\SysWOW64\Mgalqkbk.exe

C:\Windows\system32\Mgalqkbk.exe

C:\Windows\SysWOW64\Mkmhaj32.exe

C:\Windows\system32\Mkmhaj32.exe

C:\Windows\SysWOW64\Mmldme32.exe

C:\Windows\system32\Mmldme32.exe

C:\Windows\SysWOW64\Ngdifkpi.exe

C:\Windows\system32\Ngdifkpi.exe

C:\Windows\SysWOW64\Naimccpo.exe

C:\Windows\system32\Naimccpo.exe

C:\Windows\SysWOW64\Ndhipoob.exe

C:\Windows\system32\Ndhipoob.exe

C:\Windows\SysWOW64\Nlcnda32.exe

C:\Windows\system32\Nlcnda32.exe

C:\Windows\SysWOW64\Ndjfeo32.exe

C:\Windows\system32\Ndjfeo32.exe

C:\Windows\SysWOW64\Nigome32.exe

C:\Windows\system32\Nigome32.exe

C:\Windows\SysWOW64\Npagjpcd.exe

C:\Windows\system32\Npagjpcd.exe

C:\Windows\SysWOW64\Nenobfak.exe

C:\Windows\system32\Nenobfak.exe

C:\Windows\SysWOW64\Nlhgoqhh.exe

C:\Windows\system32\Nlhgoqhh.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 140

Network

N/A

Files

memory/1884-0-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1884-13-0x0000000001F20000-0x0000000001F4F000-memory.dmp

memory/2292-14-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1884-12-0x0000000001F20000-0x0000000001F4F000-memory.dmp

C:\Windows\SysWOW64\Jjdmmdnh.exe

MD5 75a32e86bd4244ececfaaaef6e073495
SHA1 56e77366a9606d78b7c3aa63aa19892289cf7b8c
SHA256 2805121550ddf8a2e9c7484b3ffbc97c5d12a2e211c4b9a6fb7f8370f52eaf94
SHA512 7f2daff22317bed4417d1d26dcc8b0aa727408d702dcb43420bd6a955e4dea81b9e83bb793e64b9e7fd6d828c9d266cb13aae7aa9fc806fff45ca9c635044c56

memory/2292-21-0x0000000000430000-0x000000000045F000-memory.dmp

\Windows\SysWOW64\Jfknbe32.exe

MD5 df03e01de2fe8e7d3bf86ce45c356992
SHA1 f9eeb79748f1b92e2ee69e2c32e3ee8106c8f093
SHA256 10503398de48e4701c175143159a0c030e1ec97b9929c3f6e814ba2aa05aa3f3
SHA512 ddad4b8c37bbc86bcec850f2c587b6f5ee41095a31fae88eccaa59101dd50e89cf126234e5bcb8207975d29305e1669db969795a312720da345eff4db04cfcaf

C:\Windows\SysWOW64\Kbbngf32.exe

MD5 ebceff5313e98b09fad663ae7978d870
SHA1 d239e3c10fc7abd3b70a4a895206dbac9267e224
SHA256 5617aab2f022f8eb584c54f7c0860261e67bedad08f867d0a6916c972522b6ff
SHA512 061866b46d552d5d912ac1d3ce05a414fec852df4a9634876a308d0f746d3300ac87986e1b57c2a7bddc9a7ce001f14d8aecbd7890fe359c1b8790a745071488

memory/2748-46-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3040-34-0x0000000000250000-0x000000000027F000-memory.dmp

memory/2704-55-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Kfmjgeaj.exe

MD5 22ffec7dbe8771517a80309b3a6126e9
SHA1 d1285e68232770a31f26b7f14840842bd1aa7fa7
SHA256 a266c55c9294b8d65682426058d7c10ad303689bf76125865d7c9821be1383c6
SHA512 c17f358d3e66674d9040c4de6199b6c1e646ab645127855ce2c47f33daad36b078e6bea28dfce17ae70ae5318c98168cec4481955bf41ea51cedb91774f6c6c1

memory/2748-53-0x00000000003D0000-0x00000000003FF000-memory.dmp

\Windows\SysWOW64\Kmjojo32.exe

MD5 85ba2011e9760fc1d9b3e4fdfa6f48a3
SHA1 26476f71a1722e6870802033c7489f95acf566c2
SHA256 0ba1596e9440108bb87bb6f6a3e3540fd35f19e41b964ce368bdc4b0de962761
SHA512 1952c029a36101110c775c55c6861bc766eb1df37b76720a29a64300fbcc7fe94d4645f26a56c82811d4ff36a8695027340ddb125e1842fc5b1a2c6048a340b4

memory/2704-63-0x00000000002D0000-0x00000000002FF000-memory.dmp

memory/3000-70-0x0000000000400000-0x000000000042F000-memory.dmp

\Windows\SysWOW64\Knklagmb.exe

MD5 2e113ccfdac54b6eb757ecaf7699123c
SHA1 536a518fdf9d388c8239b7ccad0bbb605bc9b6c5
SHA256 9a4d5f2d5268badbcaad7d976139ef77f9eefb8e307bdbacd1765f4b0c109ca9
SHA512 2252c973924e18a7de74356024349aa78d2095b0a4aa02667d35a2ed9e463081529c71c09021d76719fdbcfe2cf34b225de4f606e0ae3bed1c85b4eb5b7b53ed

memory/2516-83-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3000-82-0x0000000000250000-0x000000000027F000-memory.dmp

\Windows\SysWOW64\Kkolkk32.exe

MD5 58b7a9df58620b086a52626c759fe979
SHA1 354c66e3442214c32b51d857bcc1f9fe71b7678c
SHA256 bfc5e16a1dc34a38ede0d1657e3a2bf5c3156ad6394253c5dabc8e64d1ea8690
SHA512 0c0f059f16c0bd20a908077fad97289372ea343672f12ef40c247b14452d0a166991ab2dc5a90ee981761adfdd1eff48110bfc02753e63f7d3cc4e9444c542af

memory/2516-90-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Kegqdqbl.exe

MD5 bf320c442e57a187344ac3acfaf7810b
SHA1 3c4f4af369e4c73ab8a79c989beeb809ba83d3da
SHA256 076d6b47c9133abed4f7a8a5ceda5e51e4cf332327cbad66c3a4e28d75e395d0
SHA512 44e76af20f7af72e22a0d2d839cf060b0c984878dc7213909e1bcee0e5df43ab0fdba25ae35809f932c2a2c93b2667db79571f1ee5564d5523670dcd89ebfce7

memory/332-110-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2456-108-0x0000000000250000-0x000000000027F000-memory.dmp

\Windows\SysWOW64\Kbkameaf.exe

MD5 d6cfb7d8c929cca119b6a935e2218af5
SHA1 757041679d8e2495b3bfae50cf62cb8f965065d5
SHA256 5bf27f67c2b86fb51356433dd1a028fd8af443cad34b86593f7679900a673323
SHA512 b1397cc25d1b6056661bb5a859d0630b37274fb2aad6f8749cea3b68ebefa59d146ff6426afef91ef1ceda064daa10c76f961b5bb60545aec31ae3ff4645a5af

memory/332-117-0x00000000005C0000-0x00000000005EF000-memory.dmp

memory/1488-124-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2800-138-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Lghjel32.exe

MD5 ca754e81c9037cb85ac57a248aac77ef
SHA1 459e5f491f9764817615b2aa7c9478400265b859
SHA256 e05971d06a6e08a5571238f36a3509d8b7881c7fc05fec718b3e899e0874f79f
SHA512 cfe62dea537315755dc724e5c4b4f5b612d8b371d93564e21132969207391dcf2db2eba0af8aa41a5f4ce4983c43da05122e35ea11cb253e1244524198993f46

memory/1488-136-0x0000000000280000-0x00000000002AF000-memory.dmp

\Windows\SysWOW64\Lgjfkk32.exe

MD5 1d40036f408c4c1ed17525d3c6d92a79
SHA1 de389235439f12f9149d9ba23d1f013bd90399e9
SHA256 fe8754ca39ae326352d568389e7794d418b3b64fd1da558ff3a5af0010a39831
SHA512 814817cb038ff6b7dad34148111c08bf6242babbd56601acc23478b58b4e1e2563911dbca62d967348f9d66017692def67075ab97a394fd5f59ab3433e587457

memory/2800-145-0x00000000002D0000-0x00000000002FF000-memory.dmp

\Windows\SysWOW64\Lndohedg.exe

MD5 996234cd5a096c83e3fa80c07a448570
SHA1 e3fbfae4514ea180da4c7bf50967b08d0464d8b0
SHA256 5d7027392d7b04bc7632f0c922771360953c32fbf60d3de7d403be37268f5565
SHA512 738a2db10b377230b2cec3799faa7485e95742609dc6967466c3224793ff5994ca279e3aa0971cfc5519b66cb1ef9ee8331c04ceca847f80bece3bddf8f98cc3

memory/1336-165-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2864-163-0x0000000000250000-0x000000000027F000-memory.dmp

\Windows\SysWOW64\Lgmcqkkh.exe

MD5 b2257c9279f6d297bda7a14952142ff1
SHA1 52740c2a71385dcf37010ad9c6b97b0ac27499e2
SHA256 a7c94db5f811b06bce58b45bbc44d60caa4dd69ccdd8ed3262a95a7f1b21e48e
SHA512 11ac30108cb1aee04f0404948178a07eb2939207cd0c47f4484c20103d415f9f2f00d5e69943d2749df1b2e063d6d5b9dbea3ce8816c74ca38a94c389e993ad3

memory/1336-172-0x0000000000250000-0x000000000027F000-memory.dmp

\Windows\SysWOW64\Lphhenhc.exe

MD5 8dc4b4344653aa76e95b4c8c54bd118d
SHA1 bc6a8585cc268cb3b39f40279e4bf948feffc9c4
SHA256 183998fa33b32706c707a3d85ac155caa5f8578c4f53c66cd430dc042fae2ed7
SHA512 4139b1e84f67d60850066c0e679f376c3d1297d0c19813c2b88df466cc8f0afc90ba953dbea73bdcd1cd5ada65ac224cee6ca2f7425ec64ee94075758b31bbd8

memory/1572-190-0x0000000000250000-0x000000000027F000-memory.dmp

memory/1080-192-0x0000000000400000-0x000000000042F000-memory.dmp

\Windows\SysWOW64\Liplnc32.exe

MD5 efce0c38eee01d6c74d0d4b6a5639119
SHA1 2ad8ec6e080b4c61dba4b09679991122092a4cbd
SHA256 96a72b8f5c7de0497d16e1bc1a722744bb4f15b8022e964efcf947f7a460a5e6
SHA512 cc322bec2f90457deaef305bf9df77df8a0d76d984ceedb26b835e5d65e32e5c76d745c24b86ffec95de03f8995a00c047e439b6bb6a6a04a60ccf43e49a3fa5

memory/1080-205-0x0000000000250000-0x000000000027F000-memory.dmp

memory/1988-208-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1080-204-0x0000000000250000-0x000000000027F000-memory.dmp

\Windows\SysWOW64\Lpjdjmfp.exe

MD5 06ee87e88e6daf226580a3f0ee0f39aa
SHA1 f6bbf68535843b9ce61a732371ee07d5ac97bc0b
SHA256 7b0bfde653ef6508eaab9d80ab33b9f0bef62d642fd7dcedf8ee89d93284077a
SHA512 002fea1f3152e43ce48e84c6a17f0281da7a405a654c4d18fd307b64cee2e44687c29a4dce2edd83648f746b624e0ef4a4d79deb71fe48972dd13ee9b90f5689

memory/2468-221-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1988-219-0x0000000000280000-0x00000000002AF000-memory.dmp

memory/2468-228-0x0000000000270000-0x000000000029F000-memory.dmp

C:\Windows\SysWOW64\Mpmapm32.exe

MD5 749dfce1b0404109bb8ccf2b88282c9a
SHA1 f4ef4e59ec36f8a2d6301c48ceb4624439035b28
SHA256 a6e69565b98338592d71866700115faa1d7dc6bc22ac27923133f59024abf5d1
SHA512 da98a62ad61bd3555a4e1460b025e8da92b89ba8357bef81c7cce4420a8720e0022f7b8c812d17c98450a53668aba80e07c05e7c40390df1e910796e2756be3a

memory/2468-232-0x0000000000270000-0x000000000029F000-memory.dmp

C:\Windows\SysWOW64\Mffimglk.exe

MD5 4fb87bf2f35d0b066ded9b6e618bc05b
SHA1 36873daae6016ea22b40bb34a9341c344f276eee
SHA256 3eaf30548a7c8267b24675fcd59405463dd0083e44665dac6343dfff69bb2469
SHA512 63515508b3094139b6e5f121ad2bd153aca957315233863c02e1168e56ff16efb0dec5bf1dd4a3d8e71b27feb2717689196d35969646958a4fc64c1d0c02a898

memory/2356-242-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2920-241-0x0000000000250000-0x000000000027F000-memory.dmp

memory/2356-248-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Mieeibkn.exe

MD5 ac6d1370f03ab0fb5a2195e6e3a146de
SHA1 0b2169b15db64b182e1aa6b95e98f0bb765b4780
SHA256 14f581db2a9139fb0bdbb1af47cc1303c9d521157094a8d3f672776314e83c4c
SHA512 ea5383fc010968d72e49ce2ac763f75f93398a61b1408e16b2f2b7c9e5f69a72a15c864d72b80851fad06c6bcfeff1c5a10d9d23fcec38bce793acf92909d819

memory/2352-254-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2352-258-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Mhhfdo32.exe

MD5 c03f97efea0127890c528932bf83ea9a
SHA1 efba75d19dd5ce636eadb00d20805841416cbf79
SHA256 e8160188f23a0a6ac3c5ccbc63a24114da78b14794b30fd984781ae4bcff1969
SHA512 d2e363252cb3e783f000bf2883639593356d90ac6d45fffcef649aacd2a1e85ce26f87cb8059b245a9af8d0f768dd42c1b40290c425152e5ad7b1ef0287affa3

C:\Windows\SysWOW64\Mapjmehi.exe

MD5 dc8f99ed55673a4a11b90fe3ec3c79ab
SHA1 d421379409d1505b72a938de31c01174f8497a9a
SHA256 b0c47b9f647b31feb983b093b55f66247788ff50fa9fc51ac404cbe30a16e6bd
SHA512 bdb2a3a061fd1169975829aabb16478c654a7789048e843a6fa4bfbe98863f900f6751b32b6cc9c6419951df852b947f2f47008d86d0e71546c53dff37039825

memory/1768-270-0x00000000002F0000-0x000000000031F000-memory.dmp

memory/700-271-0x0000000000400000-0x000000000042F000-memory.dmp

memory/700-277-0x0000000001F20000-0x0000000001F4F000-memory.dmp

C:\Windows\SysWOW64\Migbnb32.exe

MD5 f3e3819ed1cf1f6d9a8e7756d0e178f0
SHA1 de3f6d586131b0ea05060f9e7fcca60ebf1c841a
SHA256 d8b76b24fc2911eb98a870786476c26719f519aab223832e0ef4837a1be8f5b6
SHA512 215c35f740731654c57f606b18ed4cd8fa739094e3f5d98445015c5d6bc9dfff54204c5fcc18eda35b2adbaee5ad3777605aaf27cbb632f4abe7ad2b8e65b61d

memory/3064-289-0x0000000000260000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Modkfi32.exe

MD5 5c2c27f781361b24332a34057fca3a76
SHA1 10018985920006e713e8aec22d6f0a8e2f0acbd9
SHA256 233bf098f261b1ffd82858e96e0fc9a5663937b8142ab89e742f568d4f4ec820
SHA512 4576e152402f82f977c05ea114617f34d37c553ae39969089c568e1d48d9bfbae363afe5048aa78fbc06640b1e8f7ad9abb60c7ef1c92466dd6cc86fd3682255

memory/2044-294-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Mbpgggol.exe

MD5 a6ae179e4ad90527d490ed73475c9882
SHA1 778f84fd5098d6121d0997932c2742284fa82765
SHA256 a0000f3e2b6e67f98ca74cfcfa62d2fac768f6f3abdbf22dd6ddfd4086908a95
SHA512 8bb35e522677f9c3c8a77098dc061fb394a6a4ad36011a13cdc1ed046c270af4bc4342b31309771e31c89d1745a2b2a3a983a30849c3d27767023fa69c5fd299

memory/2044-299-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Mencccop.exe

MD5 491f09da524938434ac38509ad7f9548
SHA1 d2761392d046a9b1c4b9ed999317e5c7715ea4f9
SHA256 1c1c0e5b879eb12645be50232a379658332232f1a3026fe415d2a23c1d733ee3
SHA512 546e435874693cb190bd7dd2d178827fde513e79cc30fe3704218e8914794ccac0286210e554d89cc241d5ac9adc2667ac453c77aeba18fd89a410c52eee7cae

memory/916-308-0x0000000000250000-0x000000000027F000-memory.dmp

memory/2948-309-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Mmihhelk.exe

MD5 eb5691f8e5c0da13bf51ca3c714262e1
SHA1 050d89044e6bda0981705cde2e3f7d604c2b734a
SHA256 85bd5531dec956c36a707ef449b36f896ffdc3b9cfeb03b2bb090b40e6b85496
SHA512 8775cbf5ca8aaf8516528f0d4b7062f7c1a9e7f7fe245cf5b15524b93e78deb68d08dcc999f8e73f8b861e9a1f3fdfb3c821d523db6c8d0ec4a595d41228a2f7

memory/2060-320-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2948-319-0x00000000002D0000-0x00000000002FF000-memory.dmp

memory/2948-318-0x00000000002D0000-0x00000000002FF000-memory.dmp

C:\Windows\SysWOW64\Mgalqkbk.exe

MD5 ef3982ce30f8f83ba4cb8bef61d0988d
SHA1 31ce5c760aab364aa1b7374fe7497a2c12a75095

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 09:52

Reported

2024-11-10 09:54

Platform

win10v2004-20241007-en

Max time kernel

109s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fjohde32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdmqmc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcggio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aagkhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnaaib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fjjnifbl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Clchbqoo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnkkjh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jljbeali.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ikdcmpnl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lklbdm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lfbped32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mmmqhl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chfegk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lqpamb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Odoogi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ffqhcq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mcpcdg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dokgdkeh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qmgelf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hblkjo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jphkkpbp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dpdaepai.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfiildio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Phajna32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nmigoagp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adkgje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hibjli32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bacjdbch.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gdlfhj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nghekkmn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkahilkl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dbnmke32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcanll32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qoelkp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmlkhofd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Glipgf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lnoaaaad.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjlhgaqp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdmmeo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnaaib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ldgccb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Panhbfep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dcpmen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Emdajb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kqfngd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Onmfimga.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdfehh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ojomcopk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iloidijb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nghekkmn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aggpfkjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kjjiej32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aoalgn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ipjoja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eppqqn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gljgbllj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pkpmdbfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Palbgl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddgibkpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mcecjmkl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hibafp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgclpkac.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Coknoaic.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpnkdq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djcoai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmalne32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpphjp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbndfl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djelgied.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmdhcddh.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpbdopck.exe N/A
N/A N/A C:\Windows\SysWOW64\Dbqqkkbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dflmlj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dikihe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmfeidbe.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpdaepai.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcpmen32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dimenegi.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlkbjqgm.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpgnjo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebejfk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejlbhh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiobceef.exe N/A
N/A N/A C:\Windows\SysWOW64\Elnoopdj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecefqnel.exe N/A
N/A N/A C:\Windows\SysWOW64\Efccmidp.exe N/A
N/A N/A C:\Windows\SysWOW64\Eiaoid32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emmkiclm.exe N/A
N/A N/A C:\Windows\SysWOW64\Eplgeokq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebjcajjd.exe N/A
N/A N/A C:\Windows\SysWOW64\Efepbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eidlnd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emphocjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Epndknin.exe N/A
N/A N/A C:\Windows\SysWOW64\Eblpgjha.exe N/A
N/A N/A C:\Windows\SysWOW64\Efhlhh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eifhdd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eleepoob.exe N/A
N/A N/A C:\Windows\SysWOW64\Eppqqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebommi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejfeng32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emdajb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elgaeolp.exe N/A
N/A N/A C:\Windows\SysWOW64\Fcniglmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffmfchle.exe N/A
N/A N/A C:\Windows\SysWOW64\Fmfnpa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fpejlmcf.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjjnifbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Fllkqn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbfcmhpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Fipkjb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fdepgkgj.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjohde32.exe N/A
N/A N/A C:\Windows\SysWOW64\Flqdlnde.exe N/A
N/A N/A C:\Windows\SysWOW64\Fbjmhh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fideeaco.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpnmbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gbmingjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Gjdaodja.exe N/A
N/A N/A C:\Windows\SysWOW64\Gmbmkpie.exe N/A
N/A N/A C:\Windows\SysWOW64\Glengm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdlfhj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gfkbde32.exe N/A
N/A N/A C:\Windows\SysWOW64\Giinpa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Gpcfmkff.exe N/A
N/A N/A C:\Windows\SysWOW64\Gdobnj32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Nqbpojnp.exe C:\Windows\SysWOW64\Nmdgikhi.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmlfqh32.exe C:\Windows\SysWOW64\Pnfiplog.exe N/A
File created C:\Windows\SysWOW64\Qjiipk32.exe C:\Windows\SysWOW64\Qdoacabq.exe N/A
File created C:\Windows\SysWOW64\Efeifngp.dll C:\Windows\SysWOW64\Eifhdd32.exe N/A
File created C:\Windows\SysWOW64\Njmhhefi.exe C:\Windows\SysWOW64\Nlkgmh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Iomoenej.exe C:\Windows\SysWOW64\Ipjoja32.exe N/A
File created C:\Windows\SysWOW64\Kckqbj32.exe C:\Windows\SysWOW64\Klahfp32.exe N/A
File created C:\Windows\SysWOW64\Minqeaad.dll C:\Windows\SysWOW64\Lokdnjkg.exe N/A
File opened for modification C:\Windows\SysWOW64\Bahdob32.exe C:\Windows\SysWOW64\Bgbpaipl.exe N/A
File opened for modification C:\Windows\SysWOW64\Fcniglmb.exe C:\Windows\SysWOW64\Elgaeolp.exe N/A
File created C:\Windows\SysWOW64\Jlmcka32.dll C:\Windows\SysWOW64\Hlcjhkdp.exe N/A
File opened for modification C:\Windows\SysWOW64\Aoalgn32.exe C:\Windows\SysWOW64\Albpkc32.exe N/A
File created C:\Windows\SysWOW64\Qdbdcg32.exe C:\Windows\SysWOW64\Qachgk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Emmdom32.exe C:\Windows\SysWOW64\Efblbbqd.exe N/A
File opened for modification C:\Windows\SysWOW64\Gidnkkpc.exe C:\Windows\SysWOW64\Fmmmfj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mfchlbfd.exe C:\Windows\SysWOW64\Mcelpggq.exe N/A
File created C:\Windows\SysWOW64\Hkdjfb32.exe C:\Windows\SysWOW64\Hcmbee32.exe N/A
File created C:\Windows\SysWOW64\Jebiel32.dll C:\Windows\SysWOW64\Nmigoagp.exe N/A
File created C:\Windows\SysWOW64\Mhpbkngk.dll C:\Windows\SysWOW64\Nmnqjp32.exe N/A
File created C:\Windows\SysWOW64\Fqehjpfj.dll C:\Windows\SysWOW64\Eofgpikj.exe N/A
File opened for modification C:\Windows\SysWOW64\Llmhaold.exe C:\Windows\SysWOW64\Lfbped32.exe N/A
File opened for modification C:\Windows\SysWOW64\Emphocjj.exe C:\Windows\SysWOW64\Eidlnd32.exe N/A
File created C:\Windows\SysWOW64\Jhdnigno.dll C:\Windows\SysWOW64\Ilccoh32.exe N/A
File created C:\Windows\SysWOW64\Jkiocibf.dll C:\Windows\SysWOW64\Ldgccb32.exe N/A
File created C:\Windows\SysWOW64\Lnnlhc32.dll C:\Windows\SysWOW64\Giinpa32.exe N/A
File created C:\Windows\SysWOW64\Lfojmmbg.dll C:\Windows\SysWOW64\Peahgl32.exe N/A
File created C:\Windows\SysWOW64\Qklmpalf.exe C:\Windows\SysWOW64\Qdbdcg32.exe N/A
File created C:\Windows\SysWOW64\Dmfeidbe.exe C:\Windows\SysWOW64\Dikihe32.exe N/A
File created C:\Windows\SysWOW64\Enabbk32.dll C:\Windows\SysWOW64\Efccmidp.exe N/A
File created C:\Windows\SysWOW64\Fpejlmcf.exe C:\Windows\SysWOW64\Fmfnpa32.exe N/A
File created C:\Windows\SysWOW64\Gmbmkpie.exe C:\Windows\SysWOW64\Gjdaodja.exe N/A
File created C:\Windows\SysWOW64\Iogkekkb.dll C:\Windows\SysWOW64\Cfnjpfcl.exe N/A
File created C:\Windows\SysWOW64\Figmglee.dll C:\Windows\SysWOW64\Ocjoadei.exe N/A
File opened for modification C:\Windows\SysWOW64\Hibjli32.exe C:\Windows\SysWOW64\Hfcnpn32.exe N/A
File created C:\Windows\SysWOW64\Okehmlqi.dll C:\Windows\SysWOW64\Mnmmboed.exe N/A
File created C:\Windows\SysWOW64\Hlhccj32.exe C:\Windows\SysWOW64\Hkfglb32.exe N/A
File created C:\Windows\SysWOW64\Hdjgko32.dll C:\Windows\SysWOW64\Jgeghp32.exe N/A
File created C:\Windows\SysWOW64\Ojgjndno.exe C:\Windows\SysWOW64\Ohhnbhok.exe N/A
File created C:\Windows\SysWOW64\Iehjdl32.dll C:\Windows\SysWOW64\Lcggio32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hblkjo32.exe C:\Windows\SysWOW64\Hlbcnd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cncnob32.exe C:\Windows\SysWOW64\Ckebcg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cbpajgmf.exe C:\Windows\SysWOW64\Clchbqoo.exe N/A
File created C:\Windows\SysWOW64\Nmiadaea.dll C:\Windows\SysWOW64\Nmdgikhi.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnfpinmi.exe C:\Windows\SysWOW64\Nglhld32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dpnkdq32.exe C:\Windows\SysWOW64\Coknoaic.exe N/A
File created C:\Windows\SysWOW64\Gphphj32.exe C:\Windows\SysWOW64\Gmiclo32.exe N/A
File created C:\Windows\SysWOW64\Ngjbaj32.exe C:\Windows\SysWOW64\Nelfeo32.exe N/A
File created C:\Windows\SysWOW64\Aeaanjkl.exe C:\Windows\SysWOW64\Qklmpalf.exe N/A
File created C:\Windows\SysWOW64\Gjdaodja.exe C:\Windows\SysWOW64\Gbmingjo.exe N/A
File opened for modification C:\Windows\SysWOW64\Lgepom32.exe C:\Windows\SysWOW64\Ldgccb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ljclki32.exe C:\Windows\SysWOW64\Lgepom32.exe N/A
File opened for modification C:\Windows\SysWOW64\Omjpeo32.exe C:\Windows\SysWOW64\Olicnfco.exe N/A
File created C:\Windows\SysWOW64\Cdecba32.dll C:\Windows\SysWOW64\Dheibpje.exe N/A
File created C:\Windows\SysWOW64\Hlfpph32.dll C:\Windows\SysWOW64\Bdojjo32.exe N/A
File created C:\Windows\SysWOW64\Ikfhji32.dll C:\Windows\SysWOW64\Fllkqn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hcmbee32.exe C:\Windows\SysWOW64\Hlcjhkdp.exe N/A
File created C:\Windows\SysWOW64\Gedapeof.dll C:\Windows\SysWOW64\Kmaopfjm.exe N/A
File created C:\Windows\SysWOW64\Jleijb32.exe C:\Windows\SysWOW64\Jmbhoeid.exe N/A
File created C:\Windows\SysWOW64\Lgbloglj.exe C:\Windows\SysWOW64\Lokdnjkg.exe N/A
File created C:\Windows\SysWOW64\Bfjkjgbh.dll C:\Windows\SysWOW64\Eidlnd32.exe N/A
File created C:\Windows\SysWOW64\Lciibdmj.dll C:\Windows\SysWOW64\Hoclopne.exe N/A
File created C:\Windows\SysWOW64\Iedjmioj.exe C:\Windows\SysWOW64\Igajal32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djelgied.exe C:\Windows\SysWOW64\Dbndfl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eiobceef.exe C:\Windows\SysWOW64\Ejlbhh32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dkqaoe32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mglfplgk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kglmio32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cleegp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pjdpelnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ljfhqh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdlqqcnl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Clchbqoo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oalipoiq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qoelkp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klfaapbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdhkcb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qmgelf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bacjdbch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ebjcajjd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmnqjp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmlkhofd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nelfeo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lqbncb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmigoagp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkahilkl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fjohde32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hlhccj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chlflabp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jinboekc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lljklo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fipkjb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mfchlbfd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmdgikhi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdoacabq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fmmmfj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aajohjon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ljclki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fcniglmb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmoiqneg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mjjkaabc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdmmeo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpbdopck.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fdepgkgj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lknojl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lmpkadnm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Poimpapp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adkgje32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dflfac32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lcnfohmi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Emdajb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mmnhcb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ncabfkqo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkpmdbfd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnindhpg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hloqml32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkjiao32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gjdaodja.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gpcfmkff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gljgbllj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ikdcmpnl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kmaopfjm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hipmfjee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ipjoja32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djelgied.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Omjpeo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dcpmen32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpmapodj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmgjia32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hcpojd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhafkok.dll" C:\Windows\SysWOW64\Nqbpojnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehkljb32.dll" C:\Windows\SysWOW64\Lmpkadnm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Plbfdekd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dbkqfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gejopl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hblkjo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ingpmmgm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bnfihkqm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cfbcke32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Klahfp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cnaaib32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkgeainn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemlnm32.dll" C:\Windows\SysWOW64\Ggahedjn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgnagk32.dll" C:\Windows\SysWOW64\Kqfngd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lcnmin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdflmg32.dll" C:\Windows\SysWOW64\Phodcg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pdhbmh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jljbeali.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ljeafb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mmmqhl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eiaoid32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gljgbllj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Igdnabjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbibld32.dll" C:\Windows\SysWOW64\Chlflabp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Emjgim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgbpaipl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nmigoagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ohfami32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aahbbkaq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofdmmgd.dll" C:\Windows\SysWOW64\Bhpfqcln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dngjff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fllkqn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fbfcmhpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbpajgmf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfonlkp.dll" C:\Windows\SysWOW64\Jcoaglhk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mmnhcb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nlfnaicd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpbkngk.dll" C:\Windows\SysWOW64\Nmnqjp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhffdban.dll" C:\Windows\SysWOW64\Eplgeokq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gdobnj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Igbalblk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iigkob32.dll" C:\Windows\SysWOW64\Lggldm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ljfhqh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpoeg32.dll" C:\Windows\SysWOW64\Alkijdci.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhejb32.dll" C:\Windows\SysWOW64\Gbalopbn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lnldla32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdfpkm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll" C:\Windows\SysWOW64\Cpmapodj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okehmlqi.dll" C:\Windows\SysWOW64\Mnmmboed.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgmgn32.dll" C:\Windows\SysWOW64\Phajna32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajpfn32.dll" C:\Windows\SysWOW64\Hkfglb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabdjc32.dll" C:\Windows\SysWOW64\Jcgnbaeo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mchppmij.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfklem32.dll" C:\Windows\SysWOW64\Adkgje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddgibkpc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aagkhd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Giinpa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hdehni32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nmnqjp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Digehphc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qmgelf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqqpnlk.dll" C:\Windows\SysWOW64\Cdnmfclj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nklinjmj.dll" C:\Windows\SysWOW64\Dfiildio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jphkkpbp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4464 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe C:\Windows\SysWOW64\Coknoaic.exe
PID 4464 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe C:\Windows\SysWOW64\Coknoaic.exe
PID 4464 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe C:\Windows\SysWOW64\Coknoaic.exe
PID 4940 wrote to memory of 864 N/A C:\Windows\SysWOW64\Coknoaic.exe C:\Windows\SysWOW64\Dpnkdq32.exe
PID 4940 wrote to memory of 864 N/A C:\Windows\SysWOW64\Coknoaic.exe C:\Windows\SysWOW64\Dpnkdq32.exe
PID 4940 wrote to memory of 864 N/A C:\Windows\SysWOW64\Coknoaic.exe C:\Windows\SysWOW64\Dpnkdq32.exe
PID 864 wrote to memory of 4504 N/A C:\Windows\SysWOW64\Dpnkdq32.exe C:\Windows\SysWOW64\Djcoai32.exe
PID 864 wrote to memory of 4504 N/A C:\Windows\SysWOW64\Dpnkdq32.exe C:\Windows\SysWOW64\Djcoai32.exe
PID 864 wrote to memory of 4504 N/A C:\Windows\SysWOW64\Dpnkdq32.exe C:\Windows\SysWOW64\Djcoai32.exe
PID 4504 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Djcoai32.exe C:\Windows\SysWOW64\Dmalne32.exe
PID 4504 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Djcoai32.exe C:\Windows\SysWOW64\Dmalne32.exe
PID 4504 wrote to memory of 2556 N/A C:\Windows\SysWOW64\Djcoai32.exe C:\Windows\SysWOW64\Dmalne32.exe
PID 2556 wrote to memory of 4084 N/A C:\Windows\SysWOW64\Dmalne32.exe C:\Windows\SysWOW64\Dpphjp32.exe
PID 2556 wrote to memory of 4084 N/A C:\Windows\SysWOW64\Dmalne32.exe C:\Windows\SysWOW64\Dpphjp32.exe
PID 2556 wrote to memory of 4084 N/A C:\Windows\SysWOW64\Dmalne32.exe C:\Windows\SysWOW64\Dpphjp32.exe
PID 4084 wrote to memory of 4320 N/A C:\Windows\SysWOW64\Dpphjp32.exe C:\Windows\SysWOW64\Dbndfl32.exe
PID 4084 wrote to memory of 4320 N/A C:\Windows\SysWOW64\Dpphjp32.exe C:\Windows\SysWOW64\Dbndfl32.exe
PID 4084 wrote to memory of 4320 N/A C:\Windows\SysWOW64\Dpphjp32.exe C:\Windows\SysWOW64\Dbndfl32.exe
PID 4320 wrote to memory of 4532 N/A C:\Windows\SysWOW64\Dbndfl32.exe C:\Windows\SysWOW64\Djelgied.exe
PID 4320 wrote to memory of 4532 N/A C:\Windows\SysWOW64\Dbndfl32.exe C:\Windows\SysWOW64\Djelgied.exe
PID 4320 wrote to memory of 4532 N/A C:\Windows\SysWOW64\Dbndfl32.exe C:\Windows\SysWOW64\Djelgied.exe
PID 4532 wrote to memory of 3868 N/A C:\Windows\SysWOW64\Djelgied.exe C:\Windows\SysWOW64\Dmdhcddh.exe
PID 4532 wrote to memory of 3868 N/A C:\Windows\SysWOW64\Djelgied.exe C:\Windows\SysWOW64\Dmdhcddh.exe
PID 4532 wrote to memory of 3868 N/A C:\Windows\SysWOW64\Djelgied.exe C:\Windows\SysWOW64\Dmdhcddh.exe
PID 3868 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Dmdhcddh.exe C:\Windows\SysWOW64\Dpbdopck.exe
PID 3868 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Dmdhcddh.exe C:\Windows\SysWOW64\Dpbdopck.exe
PID 3868 wrote to memory of 2572 N/A C:\Windows\SysWOW64\Dmdhcddh.exe C:\Windows\SysWOW64\Dpbdopck.exe
PID 2572 wrote to memory of 2352 N/A C:\Windows\SysWOW64\Dpbdopck.exe C:\Windows\SysWOW64\Dbqqkkbo.exe
PID 2572 wrote to memory of 2352 N/A C:\Windows\SysWOW64\Dpbdopck.exe C:\Windows\SysWOW64\Dbqqkkbo.exe
PID 2572 wrote to memory of 2352 N/A C:\Windows\SysWOW64\Dpbdopck.exe C:\Windows\SysWOW64\Dbqqkkbo.exe
PID 2352 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Dbqqkkbo.exe C:\Windows\SysWOW64\Dflmlj32.exe
PID 2352 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Dbqqkkbo.exe C:\Windows\SysWOW64\Dflmlj32.exe
PID 2352 wrote to memory of 1324 N/A C:\Windows\SysWOW64\Dbqqkkbo.exe C:\Windows\SysWOW64\Dflmlj32.exe
PID 1324 wrote to memory of 4216 N/A C:\Windows\SysWOW64\Dflmlj32.exe C:\Windows\SysWOW64\Dikihe32.exe
PID 1324 wrote to memory of 4216 N/A C:\Windows\SysWOW64\Dflmlj32.exe C:\Windows\SysWOW64\Dikihe32.exe
PID 1324 wrote to memory of 4216 N/A C:\Windows\SysWOW64\Dflmlj32.exe C:\Windows\SysWOW64\Dikihe32.exe
PID 4216 wrote to memory of 4280 N/A C:\Windows\SysWOW64\Dikihe32.exe C:\Windows\SysWOW64\Dmfeidbe.exe
PID 4216 wrote to memory of 4280 N/A C:\Windows\SysWOW64\Dikihe32.exe C:\Windows\SysWOW64\Dmfeidbe.exe
PID 4216 wrote to memory of 4280 N/A C:\Windows\SysWOW64\Dikihe32.exe C:\Windows\SysWOW64\Dmfeidbe.exe
PID 4280 wrote to memory of 60 N/A C:\Windows\SysWOW64\Dmfeidbe.exe C:\Windows\SysWOW64\Dpdaepai.exe
PID 4280 wrote to memory of 60 N/A C:\Windows\SysWOW64\Dmfeidbe.exe C:\Windows\SysWOW64\Dpdaepai.exe
PID 4280 wrote to memory of 60 N/A C:\Windows\SysWOW64\Dmfeidbe.exe C:\Windows\SysWOW64\Dpdaepai.exe
PID 60 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Dpdaepai.exe C:\Windows\SysWOW64\Dcpmen32.exe
PID 60 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Dpdaepai.exe C:\Windows\SysWOW64\Dcpmen32.exe
PID 60 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Dpdaepai.exe C:\Windows\SysWOW64\Dcpmen32.exe
PID 2504 wrote to memory of 3588 N/A C:\Windows\SysWOW64\Dcpmen32.exe C:\Windows\SysWOW64\Dimenegi.exe
PID 2504 wrote to memory of 3588 N/A C:\Windows\SysWOW64\Dcpmen32.exe C:\Windows\SysWOW64\Dimenegi.exe
PID 2504 wrote to memory of 3588 N/A C:\Windows\SysWOW64\Dcpmen32.exe C:\Windows\SysWOW64\Dimenegi.exe
PID 3588 wrote to memory of 4664 N/A C:\Windows\SysWOW64\Dimenegi.exe C:\Windows\SysWOW64\Dlkbjqgm.exe
PID 3588 wrote to memory of 4664 N/A C:\Windows\SysWOW64\Dimenegi.exe C:\Windows\SysWOW64\Dlkbjqgm.exe
PID 3588 wrote to memory of 4664 N/A C:\Windows\SysWOW64\Dimenegi.exe C:\Windows\SysWOW64\Dlkbjqgm.exe
PID 4664 wrote to memory of 4108 N/A C:\Windows\SysWOW64\Dlkbjqgm.exe C:\Windows\SysWOW64\Dpgnjo32.exe
PID 4664 wrote to memory of 4108 N/A C:\Windows\SysWOW64\Dlkbjqgm.exe C:\Windows\SysWOW64\Dpgnjo32.exe
PID 4664 wrote to memory of 4108 N/A C:\Windows\SysWOW64\Dlkbjqgm.exe C:\Windows\SysWOW64\Dpgnjo32.exe
PID 4108 wrote to memory of 2628 N/A C:\Windows\SysWOW64\Dpgnjo32.exe C:\Windows\SysWOW64\Ebejfk32.exe
PID 4108 wrote to memory of 2628 N/A C:\Windows\SysWOW64\Dpgnjo32.exe C:\Windows\SysWOW64\Ebejfk32.exe
PID 4108 wrote to memory of 2628 N/A C:\Windows\SysWOW64\Dpgnjo32.exe C:\Windows\SysWOW64\Ebejfk32.exe
PID 2628 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Ebejfk32.exe C:\Windows\SysWOW64\Ejlbhh32.exe
PID 2628 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Ebejfk32.exe C:\Windows\SysWOW64\Ejlbhh32.exe
PID 2628 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Ebejfk32.exe C:\Windows\SysWOW64\Ejlbhh32.exe
PID 1064 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Ejlbhh32.exe C:\Windows\SysWOW64\Eiobceef.exe
PID 1064 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Ejlbhh32.exe C:\Windows\SysWOW64\Eiobceef.exe
PID 1064 wrote to memory of 3048 N/A C:\Windows\SysWOW64\Ejlbhh32.exe C:\Windows\SysWOW64\Eiobceef.exe
PID 3048 wrote to memory of 216 N/A C:\Windows\SysWOW64\Eiobceef.exe C:\Windows\SysWOW64\Elnoopdj.exe

Processes

Process Command Line
C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe "C:\Users\Admin\AppData\Local\Temp\381270b97a462e0707f20b5d8e124da6940b783bc3f1caa63356ec8ce2160258N.exe"
C:\Windows\SysWOW64\Coknoaic.exe C:\Windows\system32\Coknoaic.exe
C:\Windows\SysWOW64\Dpnkdq32.exe C:\Windows\system32\Dpnkdq32.exe
C:\Windows\SysWOW64\Djcoai32.exe C:\Windows\system32\Djcoai32.exe
C:\Windows\SysWOW64\Dmalne32.exe C:\Windows\system32\Dmalne32.exe
C:\Windows\SysWOW64\Dpphjp32.exe C:\Windows\system32\Dpphjp32.exe
C:\Windows\SysWOW64\Dbndfl32.exe C:\Windows\system32\Dbndfl32.exe
C:\Windows\SysWOW64\Djelgied.exe C:\Windows\system32\Djelgied.exe
C:\Windows\SysWOW64\Dmdhcddh.exe C:\Windows\system32\Dmdhcddh.exe
C:\Windows\SysWOW64\Dpbdopck.exe C:\Windows\system32\Dpbdopck.exe
C:\Windows\SysWOW64\Dbqqkkbo.exe C:\Windows\system32\Dbqqkkbo.exe
C:\Windows\SysWOW64\Dflmlj32.exe C:\Windows\system32\Dflmlj32.exe
C:\Windows\SysWOW64\Dikihe32.exe C:\Windows\system32\Dikihe32.exe
C:\Windows\SysWOW64\Dmfeidbe.exe C:\Windows\system32\Dmfeidbe.exe
C:\Windows\SysWOW64\Dpdaepai.exe C:\Windows\system32\Dpdaepai.exe
C:\Windows\SysWOW64\Dcpmen32.exe C:\Windows\system32\Dcpmen32.exe
C:\Windows\SysWOW64\Dimenegi.exe C:\Windows\system32\Dimenegi.exe
C:\Windows\SysWOW64\Dlkbjqgm.exe C:\Windows\system32\Dlkbjqgm.exe
C:\Windows\SysWOW64\Dpgnjo32.exe C:\Windows\system32\Dpgnjo32.exe
C:\Windows\SysWOW64\Ebejfk32.exe C:\Windows\system32\Ebejfk32.exe
C:\Windows\SysWOW64\Ejlbhh32.exe C:\Windows\system32\Ejlbhh32.exe
C:\Windows\SysWOW64\Eiobceef.exe C:\Windows\system32\Eiobceef.exe
C:\Windows\SysWOW64\Elnoopdj.exe C:\Windows\system32\Elnoopdj.exe
C:\Windows\SysWOW64\Ecefqnel.exe C:\Windows\system32\Ecefqnel.exe
C:\Windows\SysWOW64\Efccmidp.exe C:\Windows\system32\Efccmidp.exe
C:\Windows\SysWOW64\Eiaoid32.exe C:\Windows\system32\Eiaoid32.exe
C:\Windows\SysWOW64\Emmkiclm.exe C:\Windows\system32\Emmkiclm.exe
C:\Windows\SysWOW64\Eplgeokq.exe C:\Windows\system32\Eplgeokq.exe
C:\Windows\SysWOW64\Ebjcajjd.exe C:\Windows\system32\Ebjcajjd.exe
C:\Windows\SysWOW64\Efepbi32.exe C:\Windows\system32\Efepbi32.exe
C:\Windows\SysWOW64\Eidlnd32.exe C:\Windows\system32\Eidlnd32.exe
C:\Windows\SysWOW64\Emphocjj.exe C:\Windows\system32\Emphocjj.exe
C:\Windows\SysWOW64\Epndknin.exe C:\Windows\system32\Epndknin.exe
C:\Windows\SysWOW64\Eblpgjha.exe C:\Windows\system32\Eblpgjha.exe
C:\Windows\SysWOW64\Efhlhh32.exe C:\Windows\system32\Efhlhh32.exe
C:\Windows\SysWOW64\Eifhdd32.exe C:\Windows\system32\Eifhdd32.exe
C:\Windows\SysWOW64\Eleepoob.exe C:\Windows\system32\Eleepoob.exe
C:\Windows\SysWOW64\Eppqqn32.exe C:\Windows\system32\Eppqqn32.exe
C:\Windows\SysWOW64\Ebommi32.exe C:\Windows\system32\Ebommi32.exe
C:\Windows\SysWOW64\Ejfeng32.exe C:\Windows\system32\Ejfeng32.exe
C:\Windows\SysWOW64\Emdajb32.exe C:\Windows\system32\Emdajb32.exe
C:\Windows\SysWOW64\Elgaeolp.exe C:\Windows\system32\Elgaeolp.exe
C:\Windows\SysWOW64\Fcniglmb.exe C:\Windows\system32\Fcniglmb.exe
C:\Windows\SysWOW64\Ffmfchle.exe C:\Windows\system32\Ffmfchle.exe
C:\Windows\SysWOW64\Fmfnpa32.exe C:\Windows\system32\Fmfnpa32.exe
C:\Windows\SysWOW64\Fpejlmcf.exe C:\Windows\system32\Fpejlmcf.exe
C:\Windows\SysWOW64\Fjjnifbl.exe C:\Windows\system32\Fjjnifbl.exe
C:\Windows\SysWOW64\Fllkqn32.exe C:\Windows\system32\Fllkqn32.exe
C:\Windows\SysWOW64\Fbfcmhpg.exe C:\Windows\system32\Fbfcmhpg.exe
C:\Windows\SysWOW64\Fipkjb32.exe C:\Windows\system32\Fipkjb32.exe
C:\Windows\SysWOW64\Fdepgkgj.exe C:\Windows\system32\Fdepgkgj.exe
C:\Windows\SysWOW64\Fjohde32.exe C:\Windows\system32\Fjohde32.exe
C:\Windows\SysWOW64\Flqdlnde.exe C:\Windows\system32\Flqdlnde.exe
C:\Windows\SysWOW64\Fbjmhh32.exe C:\Windows\system32\Fbjmhh32.exe
C:\Windows\SysWOW64\Fideeaco.exe C:\Windows\system32\Fideeaco.exe
C:\Windows\SysWOW64\Gpnmbl32.exe C:\Windows\system32\Gpnmbl32.exe
C:\Windows\SysWOW64\Gbmingjo.exe C:\Windows\system32\Gbmingjo.exe
C:\Windows\SysWOW64\Gjdaodja.exe C:\Windows\system32\Gjdaodja.exe
C:\Windows\SysWOW64\Gmbmkpie.exe C:\Windows\system32\Gmbmkpie.exe
C:\Windows\SysWOW64\Glengm32.exe C:\Windows\system32\Glengm32.exe
C:\Windows\SysWOW64\Gdlfhj32.exe C:\Windows\system32\Gdlfhj32.exe
C:\Windows\SysWOW64\Gfkbde32.exe C:\Windows\system32\Gfkbde32.exe
C:\Windows\SysWOW64\Giinpa32.exe C:\Windows\system32\Giinpa32.exe
C:\Windows\SysWOW64\Gpcfmkff.exe C:\Windows\system32\Gpcfmkff.exe
C:\Windows\SysWOW64\Gdobnj32.exe C:\Windows\system32\Gdobnj32.exe
C:\Windows\SysWOW64\Gfmojenc.exe C:\Windows\system32\Gfmojenc.exe
C:\Windows\SysWOW64\Gikkfqmf.exe C:\Windows\system32\Gikkfqmf.exe
C:\Windows\SysWOW64\Gljgbllj.exe C:\Windows\system32\Gljgbllj.exe
C:\Windows\SysWOW64\Gpecbk32.exe C:\Windows\system32\Gpecbk32.exe
C:\Windows\SysWOW64\Gbdoof32.exe C:\Windows\system32\Gbdoof32.exe
C:\Windows\SysWOW64\Gkkgpc32.exe C:\Windows\system32\Gkkgpc32.exe
C:\Windows\SysWOW64\Gmiclo32.exe C:\Windows\system32\Gmiclo32.exe
C:\Windows\SysWOW64\Gphphj32.exe C:\Windows\system32\Gphphj32.exe
C:\Windows\SysWOW64\Gdcliikj.exe C:\Windows\system32\Gdcliikj.exe
C:\Windows\SysWOW64\Ggahedjn.exe C:\Windows\system32\Ggahedjn.exe
C:\Windows\SysWOW64\Gipdap32.exe C:\Windows\system32\Gipdap32.exe
C:\Windows\SysWOW64\Hloqml32.exe C:\Windows\system32\Hloqml32.exe
C:\Windows\SysWOW64\Hdehni32.exe C:\Windows\system32\Hdehni32.exe
C:\Windows\SysWOW64\Hgdejd32.exe C:\Windows\system32\Hgdejd32.exe
C:\Windows\SysWOW64\Hibafp32.exe C:\Windows\system32\Hibafp32.exe
C:\Windows\SysWOW64\Hlambk32.exe C:\Windows\system32\Hlambk32.exe
C:\Windows\SysWOW64\Hdhedh32.exe C:\Windows\system32\Hdhedh32.exe
C:\Windows\SysWOW64\Hgfapd32.exe C:\Windows\system32\Hgfapd32.exe
C:\Windows\SysWOW64\Hienlpel.exe C:\Windows\system32\Hienlpel.exe
C:\Windows\SysWOW64\Hlcjhkdp.exe C:\Windows\system32\Hlcjhkdp.exe
C:\Windows\SysWOW64\Hcmbee32.exe C:\Windows\system32\Hcmbee32.exe
C:\Windows\SysWOW64\Hkdjfb32.exe C:\Windows\system32\Hkdjfb32.exe
C:\Windows\SysWOW64\Hmbfbn32.exe C:\Windows\system32\Hmbfbn32.exe
C:\Windows\SysWOW64\Hpabni32.exe C:\Windows\system32\Hpabni32.exe
C:\Windows\SysWOW64\Hcpojd32.exe C:\Windows\system32\Hcpojd32.exe
C:\Windows\SysWOW64\Hkfglb32.exe C:\Windows\system32\Hkfglb32.exe
C:\Windows\SysWOW64\Hlhccj32.exe C:\Windows\system32\Hlhccj32.exe
C:\Windows\SysWOW64\Hdokdg32.exe C:\Windows\system32\Hdokdg32.exe
C:\Windows\SysWOW64\Hgmgqc32.exe C:\Windows\system32\Hgmgqc32.exe
C:\Windows\SysWOW64\Ingpmmgm.exe C:\Windows\system32\Ingpmmgm.exe
C:\Windows\SysWOW64\Ipflihfq.exe C:\Windows\system32\Ipflihfq.exe
C:\Windows\SysWOW64\Icdheded.exe C:\Windows\system32\Icdheded.exe
C:\Windows\SysWOW64\Ikkpgafg.exe C:\Windows\system32\Ikkpgafg.exe
C:\Windows\SysWOW64\Injmcmej.exe C:\Windows\system32\Injmcmej.exe
C:\Windows\SysWOW64\Idcepgmg.exe C:\Windows\system32\Idcepgmg.exe
C:\Windows\SysWOW64\Igbalblk.exe C:\Windows\system32\Igbalblk.exe
C:\Windows\SysWOW64\Ijqmhnko.exe C:\Windows\system32\Ijqmhnko.exe
C:\Windows\SysWOW64\Iloidijb.exe C:\Windows\system32\Iloidijb.exe
C:\Windows\SysWOW64\Idfaefkd.exe C:\Windows\system32\Idfaefkd.exe
C:\Windows\SysWOW64\Igdnabjh.exe C:\Windows\system32\Igdnabjh.exe
C:\Windows\SysWOW64\Ijcjmmil.exe C:\Windows\system32\Ijcjmmil.exe
C:\Windows\SysWOW64\Ilafiihp.exe C:\Windows\system32\Ilafiihp.exe
C:\Windows\SysWOW64\Idhnkf32.exe C:\Windows\system32\Idhnkf32.exe
C:\Windows\SysWOW64\Iggjga32.exe C:\Windows\system32\Iggjga32.exe
C:\Windows\SysWOW64\Ijegcm32.exe C:\Windows\system32\Ijegcm32.exe
C:\Windows\SysWOW64\Ilccoh32.exe C:\Windows\system32\Ilccoh32.exe
C:\Windows\SysWOW64\Icnklbmj.exe C:\Windows\system32\Icnklbmj.exe
C:\Windows\SysWOW64\Ikdcmpnl.exe C:\Windows\system32\Ikdcmpnl.exe
C:\Windows\SysWOW64\Jncoikmp.exe C:\Windows\system32\Jncoikmp.exe
C:\Windows\SysWOW64\Jpaleglc.exe C:\Windows\system32\Jpaleglc.exe
C:\Windows\SysWOW64\Jcgnbaeo.exe C:\Windows\system32\Jcgnbaeo.exe
C:\Windows\SysWOW64\Jjafok32.exe C:\Windows\system32\Jjafok32.exe
C:\Windows\SysWOW64\Jqknkedi.exe C:\Windows\system32\Jqknkedi.exe
C:\Windows\SysWOW64\Jgeghp32.exe C:\Windows\system32\Jgeghp32.exe
C:\Windows\SysWOW64\Kmaopfjm.exe C:\Windows\system32\Kmaopfjm.exe
C:\Windows\SysWOW64\Kdigadjo.exe C:\Windows\system32\Kdigadjo.exe
C:\Windows\SysWOW64\Kggcnoic.exe C:\Windows\system32\Kggcnoic.exe
C:\Windows\SysWOW64\Knalji32.exe C:\Windows\system32\Knalji32.exe
C:\Windows\SysWOW64\Kkeldnpi.exe C:\Windows\system32\Kkeldnpi.exe
C:\Windows\SysWOW64\Kjhloj32.exe C:\Windows\system32\Kjhloj32.exe
C:\Windows\SysWOW64\Kdmqmc32.exe C:\Windows\system32\Kdmqmc32.exe
C:\Windows\SysWOW64\Kglmio32.exe C:\Windows\system32\Kglmio32.exe
C:\Windows\SysWOW64\Kjjiej32.exe C:\Windows\system32\Kjjiej32.exe
C:\Windows\SysWOW64\Kmieae32.exe C:\Windows\system32\Kmieae32.exe
C:\Windows\SysWOW64\Kcbnnpka.exe C:\Windows\system32\Kcbnnpka.exe
C:\Windows\SysWOW64\Knhakh32.exe C:\Windows\system32\Knhakh32.exe
C:\Windows\SysWOW64\Kqfngd32.exe C:\Windows\system32\Kqfngd32.exe
C:\Windows\SysWOW64\Kcejco32.exe C:\Windows\system32\Kcejco32.exe
C:\Windows\SysWOW64\Lklbdm32.exe C:\Windows\system32\Lklbdm32.exe
C:\Windows\SysWOW64\Lnjnqh32.exe C:\Windows\system32\Lnjnqh32.exe
C:\Windows\SysWOW64\Lcggio32.exe C:\Windows\system32\Lcggio32.exe
C:\Windows\SysWOW64\Lknojl32.exe C:\Windows\system32\Lknojl32.exe
C:\Windows\SysWOW64\Ljaoeini.exe C:\Windows\system32\Ljaoeini.exe
C:\Windows\SysWOW64\Lmpkadnm.exe C:\Windows\system32\Lmpkadnm.exe
C:\Windows\SysWOW64\Ldgccb32.exe C:\Windows\system32\Ldgccb32.exe
C:\Windows\SysWOW64\Lgepom32.exe C:\Windows\system32\Lgepom32.exe
C:\Windows\SysWOW64\Ljclki32.exe C:\Windows\system32\Ljclki32.exe
C:\Windows\SysWOW64\Lmbhgd32.exe C:\Windows\system32\Lmbhgd32.exe
C:\Windows\SysWOW64\Ldipha32.exe C:\Windows\system32\Ldipha32.exe
C:\Windows\SysWOW64\Lggldm32.exe C:\Windows\system32\Lggldm32.exe
C:\Windows\SysWOW64\Ljfhqh32.exe C:\Windows\system32\Ljfhqh32.exe
C:\Windows\SysWOW64\Lmdemd32.exe C:\Windows\system32\Lmdemd32.exe
C:\Windows\SysWOW64\Lqpamb32.exe C:\Windows\system32\Lqpamb32.exe
C:\Windows\SysWOW64\Lcnmin32.exe C:\Windows\system32\Lcnmin32.exe
C:\Windows\SysWOW64\Lndagg32.exe C:\Windows\system32\Lndagg32.exe
C:\Windows\SysWOW64\Lqbncb32.exe C:\Windows\system32\Lqbncb32.exe
C:\Windows\SysWOW64\Mglfplgk.exe C:\Windows\system32\Mglfplgk.exe
C:\Windows\SysWOW64\Mjkblhfo.exe C:\Windows\system32\Mjkblhfo.exe
C:\Windows\SysWOW64\Mminhceb.exe C:\Windows\system32\Mminhceb.exe
C:\Windows\SysWOW64\Madjhb32.exe C:\Windows\system32\Madjhb32.exe
C:\Windows\SysWOW64\Mgobel32.exe C:\Windows\system32\Mgobel32.exe
C:\Windows\SysWOW64\Mjmoag32.exe C:\Windows\system32\Mjmoag32.exe
C:\Windows\SysWOW64\Mmkkmc32.exe C:\Windows\system32\Mmkkmc32.exe
C:\Windows\SysWOW64\Mcecjmkl.exe C:\Windows\system32\Mcecjmkl.exe
C:\Windows\SysWOW64\Mkmkkjko.exe C:\Windows\system32\Mkmkkjko.exe
C:\Windows\SysWOW64\Mmnhcb32.exe C:\Windows\system32\Mmnhcb32.exe
C:\Windows\SysWOW64\Mchppmij.exe C:\Windows\system32\Mchppmij.exe
C:\Windows\SysWOW64\Mgclpkac.exe C:\Windows\system32\Mgclpkac.exe
C:\Windows\SysWOW64\Mnmdme32.exe C:\Windows\system32\Mnmdme32.exe
C:\Windows\SysWOW64\Malpia32.exe C:\Windows\system32\Malpia32.exe
C:\Windows\SysWOW64\Mcjmel32.exe C:\Windows\system32\Mcjmel32.exe
C:\Windows\SysWOW64\Mkadfj32.exe C:\Windows\system32\Mkadfj32.exe
C:\Windows\SysWOW64\Mnpabe32.exe C:\Windows\system32\Mnpabe32.exe
C:\Windows\SysWOW64\Manmoq32.exe C:\Windows\system32\Manmoq32.exe
C:\Windows\SysWOW64\Meiioonj.exe C:\Windows\system32\Meiioonj.exe
C:\Windows\SysWOW64\Nghekkmn.exe C:\Windows\system32\Nghekkmn.exe
C:\Windows\SysWOW64\Nlcalieg.exe C:\Windows\system32\Nlcalieg.exe
C:\Windows\SysWOW64\Njfagf32.exe C:\Windows\system32\Njfagf32.exe
C:\Windows\SysWOW64\Nmenca32.exe C:\Windows\system32\Nmenca32.exe
C:\Windows\SysWOW64\Nelfeo32.exe C:\Windows\system32\Nelfeo32.exe
C:\Windows\SysWOW64\Ngjbaj32.exe C:\Windows\system32\Ngjbaj32.exe
C:\Windows\SysWOW64\Nlfnaicd.exe C:\Windows\system32\Nlfnaicd.exe
C:\Windows\SysWOW64\Nndjndbh.exe C:\Windows\system32\Nndjndbh.exe
C:\Windows\SysWOW64\Nmgjia32.exe C:\Windows\system32\Nmgjia32.exe
C:\Windows\SysWOW64\Ncabfkqo.exe C:\Windows\system32\Ncabfkqo.exe
C:\Windows\SysWOW64\Nhmofj32.exe C:\Windows\system32\Nhmofj32.exe
C:\Windows\SysWOW64\Njkkbehl.exe C:\Windows\system32\Njkkbehl.exe
C:\Windows\SysWOW64\Nmigoagp.exe C:\Windows\system32\Nmigoagp.exe
C:\Windows\SysWOW64\Neqopnhb.exe C:\Windows\system32\Neqopnhb.exe
C:\Windows\SysWOW64\Nccokk32.exe C:\Windows\system32\Nccokk32.exe
C:\Windows\SysWOW64\Nlkgmh32.exe C:\Windows\system32\Nlkgmh32.exe
C:\Windows\SysWOW64\Njmhhefi.exe C:\Windows\system32\Njmhhefi.exe
C:\Windows\SysWOW64\Nmlddqem.exe C:\Windows\system32\Nmlddqem.exe
C:\Windows\SysWOW64\Neclenfo.exe C:\Windows\system32\Neclenfo.exe
C:\Windows\SysWOW64\Nhahaiec.exe C:\Windows\system32\Nhahaiec.exe
C:\Windows\SysWOW64\Njpdnedf.exe C:\Windows\system32\Njpdnedf.exe
C:\Windows\SysWOW64\Nmnqjp32.exe C:\Windows\system32\Nmnqjp32.exe
C:\Windows\SysWOW64\Oeehkn32.exe C:\Windows\system32\Oeehkn32.exe
C:\Windows\SysWOW64\Oloahhki.exe C:\Windows\system32\Oloahhki.exe
C:\Windows\SysWOW64\Oalipoiq.exe C:\Windows\system32\Oalipoiq.exe
C:\Windows\SysWOW64\Ohfami32.exe C:\Windows\system32\Ohfami32.exe
C:\Windows\SysWOW64\Ojdnid32.exe C:\Windows\system32\Ojdnid32.exe
C:\Windows\SysWOW64\Omcjep32.exe C:\Windows\system32\Omcjep32.exe
C:\Windows\SysWOW64\Oejbfmpg.exe C:\Windows\system32\Oejbfmpg.exe
C:\Windows\SysWOW64\Ohhnbhok.exe C:\Windows\system32\Ohhnbhok.exe
C:\Windows\SysWOW64\Ojgjndno.exe C:\Windows\system32\Ojgjndno.exe
C:\Windows\SysWOW64\Omegjomb.exe C:\Windows\system32\Omegjomb.exe
C:\Windows\SysWOW64\Odoogi32.exe C:\Windows\system32\Odoogi32.exe
C:\Windows\SysWOW64\Olfghg32.exe C:\Windows\system32\Olfghg32.exe
C:\Windows\SysWOW64\Oodcdb32.exe C:\Windows\system32\Oodcdb32.exe
C:\Windows\SysWOW64\Oacoqnci.exe C:\Windows\system32\Oacoqnci.exe
C:\Windows\SysWOW64\Odalmibl.exe C:\Windows\system32\Odalmibl.exe
C:\Windows\SysWOW64\Olicnfco.exe C:\Windows\system32\Olicnfco.exe
C:\Windows\SysWOW64\Omjpeo32.exe C:\Windows\system32\Omjpeo32.exe
C:\Windows\SysWOW64\Peahgl32.exe C:\Windows\system32\Peahgl32.exe
C:\Windows\SysWOW64\Phodcg32.exe C:\Windows\system32\Phodcg32.exe
C:\Windows\SysWOW64\Poimpapp.exe C:\Windows\system32\Poimpapp.exe

C:\Windows\SysWOW64\Pahilmoc.exe

C:\Windows\system32\Pahilmoc.exe

C:\Windows\SysWOW64\Pdfehh32.exe

C:\Windows\system32\Pdfehh32.exe

C:\Windows\SysWOW64\Pkpmdbfd.exe

C:\Windows\system32\Pkpmdbfd.exe

C:\Windows\SysWOW64\Pmoiqneg.exe

C:\Windows\system32\Pmoiqneg.exe

C:\Windows\SysWOW64\Pdhbmh32.exe

C:\Windows\system32\Pdhbmh32.exe

C:\Windows\SysWOW64\Plpjoe32.exe

C:\Windows\system32\Plpjoe32.exe

C:\Windows\SysWOW64\Ponfka32.exe

C:\Windows\system32\Ponfka32.exe

C:\Windows\SysWOW64\Palbgl32.exe

C:\Windows\system32\Palbgl32.exe

C:\Windows\SysWOW64\Pdkoch32.exe

C:\Windows\system32\Pdkoch32.exe

C:\Windows\SysWOW64\Plbfdekd.exe

C:\Windows\system32\Plbfdekd.exe

C:\Windows\SysWOW64\Pmcclm32.exe

C:\Windows\system32\Pmcclm32.exe

C:\Windows\SysWOW64\Pejkmk32.exe

C:\Windows\system32\Pejkmk32.exe

C:\Windows\SysWOW64\Pldcjeia.exe

C:\Windows\system32\Pldcjeia.exe

C:\Windows\SysWOW64\Pocpfphe.exe

C:\Windows\system32\Pocpfphe.exe

C:\Windows\SysWOW64\Qaalblgi.exe

C:\Windows\system32\Qaalblgi.exe

C:\Windows\SysWOW64\Qdphngfl.exe

C:\Windows\system32\Qdphngfl.exe

C:\Windows\SysWOW64\Qlgpod32.exe

C:\Windows\system32\Qlgpod32.exe

C:\Windows\SysWOW64\Qoelkp32.exe

C:\Windows\system32\Qoelkp32.exe

C:\Windows\SysWOW64\Qachgk32.exe

C:\Windows\system32\Qachgk32.exe

C:\Windows\SysWOW64\Qdbdcg32.exe

C:\Windows\system32\Qdbdcg32.exe

C:\Windows\SysWOW64\Qklmpalf.exe

C:\Windows\system32\Qklmpalf.exe

C:\Windows\SysWOW64\Aeaanjkl.exe

C:\Windows\system32\Aeaanjkl.exe

C:\Windows\SysWOW64\Alkijdci.exe

C:\Windows\system32\Alkijdci.exe

C:\Windows\SysWOW64\Aahbbkaq.exe

C:\Windows\system32\Aahbbkaq.exe

C:\Windows\SysWOW64\Adfnofpd.exe

C:\Windows\system32\Adfnofpd.exe

C:\Windows\SysWOW64\Alnfpcag.exe

C:\Windows\system32\Alnfpcag.exe

C:\Windows\SysWOW64\Aajohjon.exe

C:\Windows\system32\Aajohjon.exe

C:\Windows\SysWOW64\Adikdfna.exe

C:\Windows\system32\Adikdfna.exe

C:\Windows\SysWOW64\Akccap32.exe

C:\Windows\system32\Akccap32.exe

C:\Windows\SysWOW64\Anaomkdb.exe

C:\Windows\system32\Anaomkdb.exe

C:\Windows\SysWOW64\Adkgje32.exe

C:\Windows\system32\Adkgje32.exe

C:\Windows\SysWOW64\Albpkc32.exe

C:\Windows\system32\Albpkc32.exe

C:\Windows\SysWOW64\Aoalgn32.exe

C:\Windows\system32\Aoalgn32.exe

C:\Windows\SysWOW64\Aaohcj32.exe

C:\Windows\system32\Aaohcj32.exe

C:\Windows\SysWOW64\Ahippdbe.exe

C:\Windows\system32\Ahippdbe.exe

C:\Windows\SysWOW64\Akglloai.exe

C:\Windows\system32\Akglloai.exe

C:\Windows\SysWOW64\Bnfihkqm.exe

C:\Windows\system32\Bnfihkqm.exe

C:\Windows\SysWOW64\Blgifbil.exe

C:\Windows\system32\Blgifbil.exe

C:\Windows\SysWOW64\Bkjiao32.exe

C:\Windows\system32\Bkjiao32.exe

C:\Windows\SysWOW64\Bdbnjdfg.exe

C:\Windows\system32\Bdbnjdfg.exe

C:\Windows\SysWOW64\Bohbhmfm.exe

C:\Windows\system32\Bohbhmfm.exe

C:\Windows\SysWOW64\Bhpfqcln.exe

C:\Windows\system32\Bhpfqcln.exe

C:\Windows\SysWOW64\Bedgjgkg.exe

C:\Windows\system32\Bedgjgkg.exe

C:\Windows\SysWOW64\Bakgoh32.exe

C:\Windows\system32\Bakgoh32.exe

C:\Windows\SysWOW64\Blqllqqa.exe

C:\Windows\system32\Blqllqqa.exe

C:\Windows\SysWOW64\Coohhlpe.exe

C:\Windows\system32\Coohhlpe.exe

C:\Windows\SysWOW64\Cdlqqcnl.exe

C:\Windows\system32\Cdlqqcnl.exe

C:\Windows\SysWOW64\Clchbqoo.exe

C:\Windows\system32\Clchbqoo.exe

C:\Windows\SysWOW64\Cbpajgmf.exe

C:\Windows\system32\Cbpajgmf.exe

C:\Windows\SysWOW64\Cdnmfclj.exe

C:\Windows\system32\Cdnmfclj.exe

C:\Windows\SysWOW64\Cleegp32.exe

C:\Windows\system32\Cleegp32.exe

C:\Windows\SysWOW64\Cfnjpfcl.exe

C:\Windows\system32\Cfnjpfcl.exe

C:\Windows\SysWOW64\Chlflabp.exe

C:\Windows\system32\Chlflabp.exe

C:\Windows\SysWOW64\Cnindhpg.exe

C:\Windows\system32\Cnindhpg.exe

C:\Windows\SysWOW64\Ckmonl32.exe

C:\Windows\system32\Ckmonl32.exe

C:\Windows\SysWOW64\Cnkkjh32.exe

C:\Windows\system32\Cnkkjh32.exe

C:\Windows\SysWOW64\Cfbcke32.exe

C:\Windows\system32\Cfbcke32.exe

C:\Windows\SysWOW64\Dmlkhofd.exe

C:\Windows\system32\Dmlkhofd.exe

C:\Windows\SysWOW64\Dokgdkeh.exe

C:\Windows\system32\Dokgdkeh.exe

C:\Windows\SysWOW64\Dfdpad32.exe

C:\Windows\system32\Dfdpad32.exe

C:\Windows\SysWOW64\Dhclmp32.exe

C:\Windows\system32\Dhclmp32.exe

C:\Windows\SysWOW64\Dkahilkl.exe

C:\Windows\system32\Dkahilkl.exe

C:\Windows\SysWOW64\Domdjj32.exe

C:\Windows\system32\Domdjj32.exe

C:\Windows\SysWOW64\Dbkqfe32.exe

C:\Windows\system32\Dbkqfe32.exe

C:\Windows\SysWOW64\Dheibpje.exe

C:\Windows\system32\Dheibpje.exe

C:\Windows\SysWOW64\Dkceokii.exe

C:\Windows\system32\Dkceokii.exe

C:\Windows\SysWOW64\Dooaoj32.exe

C:\Windows\system32\Dooaoj32.exe

C:\Windows\SysWOW64\Dbnmke32.exe

C:\Windows\system32\Dbnmke32.exe

C:\Windows\SysWOW64\Dfiildio.exe

C:\Windows\system32\Dfiildio.exe

C:\Windows\SysWOW64\Digehphc.exe

C:\Windows\system32\Digehphc.exe

C:\Windows\SysWOW64\Dkfadkgf.exe

C:\Windows\system32\Dkfadkgf.exe

C:\Windows\SysWOW64\Dndnpf32.exe

C:\Windows\system32\Dndnpf32.exe

C:\Windows\SysWOW64\Dflfac32.exe

C:\Windows\system32\Dflfac32.exe

C:\Windows\SysWOW64\Dijbno32.exe

C:\Windows\system32\Dijbno32.exe

C:\Windows\SysWOW64\Dngjff32.exe

C:\Windows\system32\Dngjff32.exe

C:\Windows\SysWOW64\Eiloco32.exe

C:\Windows\system32\Eiloco32.exe

C:\Windows\SysWOW64\Eofgpikj.exe

C:\Windows\system32\Eofgpikj.exe

C:\Windows\SysWOW64\Efpomccg.exe

C:\Windows\system32\Efpomccg.exe

C:\Windows\SysWOW64\Emjgim32.exe

C:\Windows\system32\Emjgim32.exe

C:\Windows\SysWOW64\Eoideh32.exe

C:\Windows\system32\Eoideh32.exe

C:\Windows\SysWOW64\Enkdaepb.exe

C:\Windows\system32\Enkdaepb.exe

C:\Windows\SysWOW64\Efblbbqd.exe

C:\Windows\system32\Efblbbqd.exe

C:\Windows\SysWOW64\Emmdom32.exe

C:\Windows\system32\Emmdom32.exe

C:\Windows\SysWOW64\Ebimgcfi.exe

C:\Windows\system32\Ebimgcfi.exe

C:\Windows\SysWOW64\Eehicoel.exe

C:\Windows\system32\Eehicoel.exe

C:\Windows\SysWOW64\Ekaapi32.exe

C:\Windows\system32\Ekaapi32.exe

C:\Windows\SysWOW64\Efgemb32.exe

C:\Windows\system32\Efgemb32.exe

C:\Windows\SysWOW64\Eifaim32.exe

C:\Windows\system32\Eifaim32.exe

C:\Windows\SysWOW64\Enbjad32.exe

C:\Windows\system32\Enbjad32.exe

C:\Windows\SysWOW64\Felbnn32.exe

C:\Windows\system32\Felbnn32.exe

C:\Windows\SysWOW64\Fbpchb32.exe

C:\Windows\system32\Fbpchb32.exe

C:\Windows\SysWOW64\Fligqhga.exe

C:\Windows\system32\Fligqhga.exe

C:\Windows\SysWOW64\Flkdfh32.exe

C:\Windows\system32\Flkdfh32.exe

C:\Windows\SysWOW64\Ffqhcq32.exe

C:\Windows\system32\Ffqhcq32.exe

C:\Windows\SysWOW64\Flmqlg32.exe

C:\Windows\system32\Flmqlg32.exe

C:\Windows\SysWOW64\Fnlmhc32.exe

C:\Windows\system32\Fnlmhc32.exe

C:\Windows\SysWOW64\Fefedmil.exe

C:\Windows\system32\Fefedmil.exe

C:\Windows\SysWOW64\Fmmmfj32.exe

C:\Windows\system32\Fmmmfj32.exe

C:\Windows\SysWOW64\Gidnkkpc.exe

C:\Windows\system32\Gidnkkpc.exe

C:\Windows\SysWOW64\Gejopl32.exe

C:\Windows\system32\Gejopl32.exe

C:\Windows\SysWOW64\Gbnoiqdq.exe

C:\Windows\system32\Gbnoiqdq.exe

C:\Windows\SysWOW64\Gmdcfidg.exe

C:\Windows\system32\Gmdcfidg.exe

C:\Windows\SysWOW64\Gbalopbn.exe

C:\Windows\system32\Gbalopbn.exe

C:\Windows\SysWOW64\Glipgf32.exe

C:\Windows\system32\Glipgf32.exe

C:\Windows\SysWOW64\Gfodeohd.exe

C:\Windows\system32\Gfodeohd.exe

C:\Windows\SysWOW64\Gpgind32.exe

C:\Windows\system32\Gpgind32.exe

C:\Windows\SysWOW64\Hipmfjee.exe

C:\Windows\system32\Hipmfjee.exe

C:\Windows\SysWOW64\Hfcnpn32.exe

C:\Windows\system32\Hfcnpn32.exe

C:\Windows\SysWOW64\Hibjli32.exe

C:\Windows\system32\Hibjli32.exe

C:\Windows\SysWOW64\Hlbcnd32.exe

C:\Windows\system32\Hlbcnd32.exe

C:\Windows\SysWOW64\Hblkjo32.exe

C:\Windows\system32\Hblkjo32.exe

C:\Windows\SysWOW64\Hpqldc32.exe

C:\Windows\system32\Hpqldc32.exe

C:\Windows\SysWOW64\Hoclopne.exe

C:\Windows\system32\Hoclopne.exe

C:\Windows\SysWOW64\Ibaeen32.exe

C:\Windows\system32\Ibaeen32.exe

C:\Windows\SysWOW64\Iikmbh32.exe

C:\Windows\system32\Iikmbh32.exe

C:\Windows\SysWOW64\Ibcaknbi.exe

C:\Windows\system32\Ibcaknbi.exe

C:\Windows\SysWOW64\Iinjhh32.exe

C:\Windows\system32\Iinjhh32.exe

C:\Windows\SysWOW64\Ipgbdbqb.exe

C:\Windows\system32\Ipgbdbqb.exe

C:\Windows\SysWOW64\Igajal32.exe

C:\Windows\system32\Igajal32.exe

C:\Windows\SysWOW64\Iedjmioj.exe

C:\Windows\system32\Iedjmioj.exe

C:\Windows\SysWOW64\Ipjoja32.exe

C:\Windows\system32\Ipjoja32.exe

C:\Windows\SysWOW64\Iomoenej.exe

C:\Windows\system32\Iomoenej.exe

C:\Windows\SysWOW64\Imnocf32.exe

C:\Windows\system32\Imnocf32.exe

C:\Windows\SysWOW64\Ipoheakj.exe

C:\Windows\system32\Ipoheakj.exe

C:\Windows\SysWOW64\Jmbhoeid.exe

C:\Windows\system32\Jmbhoeid.exe

C:\Windows\SysWOW64\Jleijb32.exe

C:\Windows\system32\Jleijb32.exe

C:\Windows\SysWOW64\Jocefm32.exe

C:\Windows\system32\Jocefm32.exe

C:\Windows\SysWOW64\Jcoaglhk.exe

C:\Windows\system32\Jcoaglhk.exe

C:\Windows\SysWOW64\Jcanll32.exe

C:\Windows\system32\Jcanll32.exe

C:\Windows\SysWOW64\Jljbeali.exe

C:\Windows\system32\Jljbeali.exe

C:\Windows\SysWOW64\Jcdjbk32.exe

C:\Windows\system32\Jcdjbk32.exe

C:\Windows\SysWOW64\Jgpfbjlo.exe

C:\Windows\system32\Jgpfbjlo.exe

C:\Windows\SysWOW64\Jinboekc.exe

C:\Windows\system32\Jinboekc.exe

C:\Windows\SysWOW64\Jphkkpbp.exe

C:\Windows\system32\Jphkkpbp.exe

C:\Windows\SysWOW64\Jgbchj32.exe

C:\Windows\system32\Jgbchj32.exe

C:\Windows\SysWOW64\Kgdpni32.exe

C:\Windows\system32\Kgdpni32.exe

C:\Windows\SysWOW64\Klahfp32.exe

C:\Windows\system32\Klahfp32.exe

C:\Windows\SysWOW64\Kckqbj32.exe

C:\Windows\system32\Kckqbj32.exe

C:\Windows\SysWOW64\Koaagkcb.exe

C:\Windows\system32\Koaagkcb.exe

C:\Windows\SysWOW64\Klfaapbl.exe

C:\Windows\system32\Klfaapbl.exe

C:\Windows\SysWOW64\Kofkbk32.exe

C:\Windows\system32\Kofkbk32.exe

C:\Windows\SysWOW64\Lljklo32.exe

C:\Windows\system32\Lljklo32.exe

C:\Windows\SysWOW64\Lfbped32.exe

C:\Windows\system32\Lfbped32.exe

C:\Windows\SysWOW64\Llmhaold.exe

C:\Windows\system32\Llmhaold.exe

C:\Windows\SysWOW64\Lokdnjkg.exe

C:\Windows\system32\Lokdnjkg.exe

C:\Windows\SysWOW64\Lgbloglj.exe

C:\Windows\system32\Lgbloglj.exe

C:\Windows\SysWOW64\Ljqhkckn.exe

C:\Windows\system32\Ljqhkckn.exe

C:\Windows\SysWOW64\Lnldla32.exe

C:\Windows\system32\Lnldla32.exe

C:\Windows\SysWOW64\Lomqcjie.exe

C:\Windows\system32\Lomqcjie.exe

C:\Windows\SysWOW64\Lfgipd32.exe

C:\Windows\system32\Lfgipd32.exe

C:\Windows\SysWOW64\Lnoaaaad.exe

C:\Windows\system32\Lnoaaaad.exe

C:\Windows\SysWOW64\Lqmmmmph.exe

C:\Windows\system32\Lqmmmmph.exe

C:\Windows\SysWOW64\Ljeafb32.exe

C:\Windows\system32\Ljeafb32.exe

C:\Windows\SysWOW64\Lcnfohmi.exe

C:\Windows\system32\Lcnfohmi.exe

C:\Windows\SysWOW64\Mcpcdg32.exe

C:\Windows\system32\Mcpcdg32.exe

C:\Windows\SysWOW64\Mjjkaabc.exe

C:\Windows\system32\Mjjkaabc.exe

C:\Windows\SysWOW64\Mnegbp32.exe

C:\Windows\system32\Mnegbp32.exe

C:\Windows\SysWOW64\Mjlhgaqp.exe

C:\Windows\system32\Mjlhgaqp.exe

C:\Windows\SysWOW64\Mcelpggq.exe

C:\Windows\system32\Mcelpggq.exe

C:\Windows\SysWOW64\Mfchlbfd.exe

C:\Windows\system32\Mfchlbfd.exe

C:\Windows\SysWOW64\Mmmqhl32.exe

C:\Windows\system32\Mmmqhl32.exe

C:\Windows\SysWOW64\Mokmdh32.exe

C:\Windows\system32\Mokmdh32.exe

C:\Windows\SysWOW64\Mgbefe32.exe

C:\Windows\system32\Mgbefe32.exe

C:\Windows\SysWOW64\Mnmmboed.exe

C:\Windows\system32\Mnmmboed.exe

C:\Windows\SysWOW64\Monjjgkb.exe

C:\Windows\system32\Monjjgkb.exe

C:\Windows\SysWOW64\Nmbjcljl.exe

C:\Windows\system32\Nmbjcljl.exe

C:\Windows\SysWOW64\Nopfpgip.exe

C:\Windows\system32\Nopfpgip.exe

C:\Windows\SysWOW64\Nmdgikhi.exe

C:\Windows\system32\Nmdgikhi.exe

C:\Windows\SysWOW64\Nqbpojnp.exe

C:\Windows\system32\Nqbpojnp.exe

C:\Windows\SysWOW64\Nglhld32.exe

C:\Windows\system32\Nglhld32.exe

C:\Windows\SysWOW64\Nnfpinmi.exe

C:\Windows\system32\Nnfpinmi.exe

C:\Windows\SysWOW64\Ngndaccj.exe

C:\Windows\system32\Ngndaccj.exe

C:\Windows\SysWOW64\Ojomcopk.exe

C:\Windows\system32\Ojomcopk.exe

C:\Windows\SysWOW64\Offnhpfo.exe

C:\Windows\system32\Offnhpfo.exe

C:\Windows\SysWOW64\Onmfimga.exe

C:\Windows\system32\Onmfimga.exe

C:\Windows\SysWOW64\Ocjoadei.exe

C:\Windows\system32\Ocjoadei.exe

C:\Windows\SysWOW64\Onocomdo.exe

C:\Windows\system32\Onocomdo.exe

C:\Windows\SysWOW64\Ofkgcobj.exe

C:\Windows\system32\Ofkgcobj.exe

C:\Windows\SysWOW64\Ogjdmbil.exe

C:\Windows\system32\Ogjdmbil.exe

C:\Windows\SysWOW64\Pnfiplog.exe

C:\Windows\system32\Pnfiplog.exe

C:\Windows\SysWOW64\Pmlfqh32.exe

C:\Windows\system32\Pmlfqh32.exe

C:\Windows\SysWOW64\Phajna32.exe

C:\Windows\system32\Phajna32.exe

C:\Windows\SysWOW64\Pdhkcb32.exe

C:\Windows\system32\Pdhkcb32.exe

C:\Windows\SysWOW64\Pjdpelnc.exe

C:\Windows\system32\Pjdpelnc.exe

C:\Windows\SysWOW64\Panhbfep.exe

C:\Windows\system32\Panhbfep.exe

C:\Windows\SysWOW64\Qdoacabq.exe

C:\Windows\system32\Qdoacabq.exe

C:\Windows\SysWOW64\Qjiipk32.exe

C:\Windows\system32\Qjiipk32.exe

C:\Windows\SysWOW64\Qmgelf32.exe

C:\Windows\system32\Qmgelf32.exe

C:\Windows\SysWOW64\Qpeahb32.exe

C:\Windows\system32\Qpeahb32.exe

C:\Windows\SysWOW64\Ahmjjoig.exe

C:\Windows\system32\Ahmjjoig.exe

C:\Windows\SysWOW64\Adcjop32.exe

C:\Windows\system32\Adcjop32.exe

C:\Windows\SysWOW64\Aagkhd32.exe

C:\Windows\system32\Aagkhd32.exe

C:\Windows\SysWOW64\Amnlme32.exe

C:\Windows\system32\Amnlme32.exe

C:\Windows\SysWOW64\Aggpfkjj.exe

C:\Windows\system32\Aggpfkjj.exe

C:\Windows\SysWOW64\Agimkk32.exe

C:\Windows\system32\Agimkk32.exe

C:\Windows\SysWOW64\Amcehdod.exe

C:\Windows\system32\Amcehdod.exe

C:\Windows\SysWOW64\Bdmmeo32.exe

C:\Windows\system32\Bdmmeo32.exe

C:\Windows\SysWOW64\Bkgeainn.exe

C:\Windows\system32\Bkgeainn.exe

C:\Windows\SysWOW64\Bdojjo32.exe

C:\Windows\system32\Bdojjo32.exe

C:\Windows\SysWOW64\Bgnffj32.exe

C:\Windows\system32\Bgnffj32.exe

C:\Windows\SysWOW64\Bacjdbch.exe

C:\Windows\system32\Bacjdbch.exe

C:\Windows\SysWOW64\Bgpcliao.exe

C:\Windows\system32\Bgpcliao.exe

C:\Windows\SysWOW64\Bogkmgba.exe

C:\Windows\system32\Bogkmgba.exe

C:\Windows\SysWOW64\Bgbpaipl.exe

C:\Windows\system32\Bgbpaipl.exe

C:\Windows\SysWOW64\Bahdob32.exe

C:\Windows\system32\Bahdob32.exe

C:\Windows\SysWOW64\Bdfpkm32.exe

C:\Windows\system32\Bdfpkm32.exe

C:\Windows\SysWOW64\Bgelgi32.exe

C:\Windows\system32\Bgelgi32.exe

C:\Windows\SysWOW64\Cpmapodj.exe

C:\Windows\system32\Cpmapodj.exe

C:\Windows\SysWOW64\Cnaaib32.exe

C:\Windows\system32\Cnaaib32.exe

C:\Windows\SysWOW64\Chfegk32.exe

C:\Windows\system32\Chfegk32.exe

C:\Windows\SysWOW64\Ckebcg32.exe

C:\Windows\system32\Ckebcg32.exe

C:\Windows\SysWOW64\Cncnob32.exe

C:\Windows\system32\Cncnob32.exe

C:\Windows\SysWOW64\Chiblk32.exe

C:\Windows\system32\Chiblk32.exe

C:\Windows\SysWOW64\Cdpcal32.exe

C:\Windows\system32\Cdpcal32.exe

C:\Windows\SysWOW64\Coegoe32.exe

C:\Windows\system32\Coegoe32.exe

C:\Windows\SysWOW64\Cacckp32.exe

C:\Windows\system32\Cacckp32.exe

C:\Windows\SysWOW64\Cgqlcg32.exe

C:\Windows\system32\Cgqlcg32.exe

C:\Windows\SysWOW64\Cklhcfle.exe

C:\Windows\system32\Cklhcfle.exe

C:\Windows\SysWOW64\Dddllkbf.exe

C:\Windows\system32\Dddllkbf.exe

C:\Windows\SysWOW64\Ddgibkpc.exe

C:\Windows\system32\Ddgibkpc.exe

C:\Windows\SysWOW64\Dkqaoe32.exe

C:\Windows\system32\Dkqaoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 11068 -ip 11068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 11068 -s 400

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

SHA1 be4b507278352289d5754dad097acb874bde4cb5
SHA256 16f70f4e56911f5c3c2fb8bef6121e45cd5f1ad12893364f2d98116703a2d873
SHA512 82c33e7b8ad7e91c209080a3d0a2a2e640dfe4feeae76a02165cd463f174295d2faa7bde77ba5115c848fcabaac631930e85a99f3a83ed673aa5c916b854a76f

memory/2556-37-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Jgeghp32.exe

MD5 66e279db673454853af13e406fcf06c5
SHA1 954445fc376dcb31deb2a45e4fbac03fd9b5ebe7
SHA256 e768666d50834e37d5f21873b74dc0ac1f21de73ff7ac3b2472b58a5febbce8c
SHA512 6f66afefb8bfe4e759abb29a5a30a3788ff319e35ff14d8096a000928f52a7cf93bd68fc5bf8fa9f679f64955e9577629cdb938e4769105992307b12529b52ef

C:\Windows\SysWOW64\Knalji32.exe

MD5 d11b5ecd9730f3196d4f50dad03b04b7
SHA1 d98bf84b601414e986e59f0ce1df965f6198be97
SHA256 c49bf679dfc393caffe3448be8dae4db5917b3188a65ea9b785c3d4055c63ec3
SHA512 03840c9228ffc8c921ea441c544b34a5bacfa5987cf46ee32961d220f36d864d88dd7dbb15c79c182c640da22469ea7d3f10e00419f4470c2b7fd86e975e9408

C:\Windows\SysWOW64\Kjhloj32.exe

MD5 0bfe6f74285781a8535ff3e470f3325b
SHA1 ba1335c98082e5d1b8d2245246fb7ad0e679573f
SHA256 8823bdc0394a3b53ec0e6197a6c89ed02fb2137551ab59c279ab680d73091e27
SHA512 0f7be19fefa02edbbc07236e0a91e06d90fd991e20359975b5fdc8166e5811fd5eb74ee2886957f5e7b17c547868bd0d7afca4f73f91aaf1fa4459dfcc575c4b

C:\Windows\SysWOW64\Kcejco32.exe

MD5 a8214ea3f201e22cca0ae7a257aae367
SHA1 d4a68604db70ea9c969daec15a074e319b9f9b3e
SHA256 ee51f1ab973a5b266247e72b1532a3d5715cefa2e87915f27c1c56e835def096
SHA512 dd4a8dc602b9650dd560a55f785c88e2e475078eb2e9bfc8de700141212eab79b9e62d66fc19dc196643048bc769bebe855bf2d84509bf0e8c99760f1eae37d1

C:\Windows\SysWOW64\Lnjnqh32.exe

MD5 a09a5bb7af10533af46a51ce7ad0921a
SHA1 f14b89a1464a65a9d4c37f1c9ef2c5d722aff042
SHA256 e4789f9d27d51bd7cbee41d5ddc53481738d9e4dc7b9e9c44f25e73125893cc4
SHA512 50de3f6f14f90138e54c4633184619c591086e22b60541237e3c89bd5bd96ce0468745240b57b3c5c34bfb3cbe85ea012edc5ae378b0413be0b0f5370844d695

C:\Windows\SysWOW64\Lmbhgd32.exe

MD5 55232a85588a92f1adf601d7c1dbe867
SHA1 0c43caa72d512a619149d3a9df03a7527bcec1e2
SHA256 51151eef7596ff5a3e693945986ac99071a68206e1b40055d75a6453cd0be7ae
SHA512 22278b650a11d7d40e6aa634e745b0bc60e45e78e750cd572332bfea25b154ca575cfe86e0e9d37b10847b877fbe3815695d4a1c7ea1ae6e647d562e8242c74b

C:\Windows\SysWOW64\Lqbncb32.exe

MD5 c4bbc193d6d50feab7f476604f4c35c1
SHA1 af6761086afdaf648cd2bf5a83344e1074f6bc44
SHA256 ba9e83a52c8a650ab835c9ca43e9057260b5898b9d01b3e335cadaaaa9278d10
SHA512 5af77c764952b8efab8dd78526619752ad9b28a69d0adefcac57b43d0dac01f93ef8df185fd090b41110f555495ed88aa833952ab68c9bf4bc1b8cbb8ad281f2

C:\Windows\SysWOW64\Mmkkmc32.exe

MD5 75638797bad284b7a5e7a39efdf23522
SHA1 dcb1c3fcfdb566de7310802b0dc1765d61fbb328
SHA256 22ab404f92db1e8f4549e174387be1334c8b47ae2dcbd656045609de008ac3f5
SHA512 7d767f804c46fa1a0fe4654acd653ac64f172dd706d7283bf79d24c9ad3d41e080e68bf6ed4997d25f261932e543c02df9ea9bd2b8b61b3f045a7ae76a18a7e3

C:\Windows\SysWOW64\Mmnhcb32.exe

MD5 bd950b3e1d5b0833b7715ea41f5813f0
SHA1 e3ca0eeaf049795f7ceebc1159a8b55c04940ed5
SHA256 fc19dd44df2adde2ed4e465dd2d5f4f23ee0401a2d95855f28747c733568602d
SHA512 10859894c95c68cbd726ee545939f638a03f8ff584c21f7a081537632577bf60c97728b6a889f0c7006da1f580895ea2198b60fac00f99e296f764f611fb54b9

C:\Windows\SysWOW64\Nmgjia32.exe

MD5 56e6202ad562077ed25d4c59465193be
SHA1 5ec721253d007382098a64d27f569b35189defaf
SHA256 3fefcd19c4ce7b6ff69732818d2e45952476ae8653ec2c8c8cb6a6fb96519882
SHA512 ed42089b934d01758b4d076ebc4d0a4c9c72cffec9fd2ddd6850b184edff02796c3342a2eedb77589e795fba584117d740ce9251c69ce981f9960a3b3b4a84c2

C:\Windows\SysWOW64\Oeehkn32.exe

MD5 6b5d2264763e5db434ab6682163825b0
SHA1 21296854c29816fe08d4bd028432db4e86930023
SHA256 5bcce2f7d0d20ca1bd9dbedcb3efb43ba06a5d4b28e2cd33546e0aeb291921ca
SHA512 91b7a26cb7623a627ce132ca2e681ba15e0e55ead3bcc5660cac34f1151eaa63eda308b984e3e084b31104a759efc5413e42917dc619ea4fcb851ac72f706555

C:\Windows\SysWOW64\Oalipoiq.exe

MD5 8a6e9cf2d222a6a99f2b2353f52e74b0
SHA1 a0bcf2e8ff565d154a057de488120d459fb18d9b
SHA256 931bd48d33db22160183a5513ed992822941f5ef2787709f6176f1e435d37695
SHA512 92bd262fd2373a747858f21d15b84a4fa226d41193dfac762096c4822795f0753f5921d1a1a5f656a4604977ef72326111331e88639dda2aae277e7cd930969d

C:\Windows\SysWOW64\Qoelkp32.exe

MD5 47f8c7bf3789316d454ad8166bf7201c
SHA1 057c6f1c8aebb008226ff6cf1463ffab600edcda
SHA256 302edf2eddc5d9f461c13492e5f0b9aee69f3e8205de43d683878097b471b246
SHA512 16eb59331a9abd4d5c6a4fc110cea0a210fc3f6ba07d8e0f4b2a6ea04a52a433199783175bc1dca39a77a31e40c9b3bc33595a0ffd9ec18b04eedf7f49ab5a30

C:\Windows\SysWOW64\Aeaanjkl.exe

MD5 04ca96989a4b33c8c0fa05933e7949e8
SHA1 44d7d7b53b76b5c2a9e9844c09c66ffebd86a4fb
SHA256 f4e2efe29936b1a7113544071d220f92867334b8d063e5f788fc321caea6d8f1
SHA512 5d414f76d422d7280bdb69d2861094cf6f48dcf74a76cb27b019573adcca8e72d345e9504915cea79b23b9b2c2c4941e557289b0407db0c823a9af6485265f2b

C:\Windows\SysWOW64\Alkijdci.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Adikdfna.exe

MD5 13201bea25dd88c712ec371cbf0a1abb
SHA1 b455dc1dddb38b0f6eac617dbc6b0d18e2fae8b1
SHA256 f9d8283a3da7cb578dc9823a753d5489f1e3148ca89c2d51393d921feea41f39
SHA512 ec7f64680082723ba9a92c6c81a7273677dac4e16fd11ba5011764d97102aa6e750dcec3c73465a9839132d129eef96c89445b32ef44aa9166c90f485b65c546

C:\Windows\SysWOW64\Aoalgn32.exe

MD5 61bbdfc56eeb60c63c7ec7825e0759ae
SHA1 0a500473c0dff3892f384bbf684f0778241af375
SHA256 de496e138963192f2fdd295c26a856f8fbc1e499e796c8b8427a6ea1000b6862
SHA512 3bb55dc6a65c6e08e9c05ffa43af9796cbc0bf0e5bf1d5a12c65f3a3ef708afc9b2084f6320311caf59c36500dab39579cb3fe4431fe97a4c54e6e6a2d145500

C:\Windows\SysWOW64\Bkjiao32.exe

MD5 612192fac817b65e29099b588ba95938
SHA1 1a9cccbcae5616997eed94829ecea4586283504b
SHA256 0c9ce8188ae66491e3a69da2ddbeadbd629f0c763033837ec5cab2d2ffc746a1
SHA512 813f206c4ffb11f78930d29b966acc026fb4d927d61d2ec39a6f85a74a7a592c612915e45b24cb7fbe7a9d6b1537aa584890a977518b6fd6136a7de43ca25253

C:\Windows\SysWOW64\Bhpfqcln.exe

MD5 9b14d9f472a43b9ce7b61dfa30703121
SHA1 0f2ebed16ae22e34b5b78facf13390b2432711a4
SHA256 c6477453008048b3d9c3878fced3a535550b7c2b3fe56a42ec8bc359f1c502dd
SHA512 6e453a60ef9f449fafe6256bbfe5271f6c8a91a12ded0be18f2d0be4f5365dc9c53a9dcc11a0f2e84177b15ffe39bc880bf1d8e06686217a3404b2097b067db0

C:\Windows\SysWOW64\Coohhlpe.exe

MD5 f6c93179a040a1fe9c8c1e628faf426b
SHA1 beb7a0a529a056bfe480acb892ec082a411bf4dd
SHA256 8358d2ea3823100f8724c78564df1c84949becae3a1c6cb4e851fa2438f26b7d
SHA512 eea430c831d6ed34f7a0b8b52fd836f2f5523b84a182aad1e837a356f4d1634a0387a56b7f2c75dfc6e4cb0ec590992957c4f5bfb26fea42657aa9f4e6237873

C:\Windows\SysWOW64\Cleegp32.exe

MD5 44ee041941969b9a4acc11929d49ef0d
SHA1 a29ec9df71cc3ec928daa8cc266ea1f390007298
SHA256 8762ab353eb3fcd63c13886ce15f51644e85001e38ef676341e3cbe9779220f1
SHA512 15e12020c870b48c76810453756ac0b7d5d1ec99ee8d4f8ab43b3034cbb0b08f6e4ea369664a1616fda5381b38f3b303931032e703e55bdc572e18627b6042e9

C:\Windows\SysWOW64\Dokgdkeh.exe

MD5 005db371b882c31e883dfeb088bbd23c
SHA1 fff94e171434e5a1a28d40cc9b7aff689decfd1c
SHA256 f47be2c8c2200a2b8724eb6c0c4a7b3f68d0eb6450bc6902feb2b5e28bf19092
SHA512 3b9035f9556e756e0435216473f94215d0b8ed8ddcd08da51d10436a338c46ab54a21cfe72f73171600071032d03436d1aeb8c2bc9de6963fea445d0468b3467

C:\Windows\SysWOW64\Efpomccg.exe

MD5 3c7783ccfcdb0807e024677fd72d734c
SHA1 4e812773ff60f1ec41a1a5f63c7102b24d8e7469
SHA256 cb81ad212dd1d0c221af02880bbb0505e93799b5dda5aed16bd366bdaee22cde
SHA512 893791381ed8b2b1deb35c75c97a6082600b656532efd99851b457216b951bbc370f96c52e33ae64c8252fa88660e2b5ad04f5b8b48af07e7f6a85ecdb3cfac3

C:\Windows\SysWOW64\Fnlmhc32.exe

MD5 3bd1f9134f0767e25319f23420f14324
SHA1 a4fc9d811e15d478ee28b8f561f431614d28f336
SHA256 120eeb9927981f2ce500c3ff9759f37f5f5e766156f475d7909d08c497f3666a
SHA512 eacc6fd5c84d3f7299dbcb18ca414508f4698743b720857443addcfc4fd60d2315cb5de3f759ed5d3b967bbb8ca9b718876429d5d01afb6d49f76737c5b9246b

C:\Windows\SysWOW64\Fmmmfj32.exe

MD5 abd3a8c4b4e77e414560c50fddc50485
SHA1 8c5dba4b5fc7d810e7a62f13e79f0f14d168838a
SHA256 a72c4574552552690cf2a4715c08998b72738731b6876aa1ad36855254747698
SHA512 9d9b713501859d3398774e63bb6995195cba581c4eff0fab6d06995a4deb113175ab97f7609d049ccbd2e19c8453f413090d8f7da606c1df97bca5c9abe05a57

C:\Windows\SysWOW64\Gbalopbn.exe

MD5 1ce9a8f3a7c1b17bebc27137421c22ca
SHA1 7e11e2bbc92066c15cc542dc80f93abe4bb86659
SHA256 cbfbb0c2ec8a0e09431559e6d6e767dc5aa47f3448a42bd1c08349d39952ac4a
SHA512 8a29873b72dbf5d42cc6123935251f019b0c173cd44a2b479ed004b6f8439bca30ce6672137d4a7f41385de5bfbbc6214b3369020057105c97113f965465d43f

C:\Windows\SysWOW64\Gfodeohd.exe

MD5 482c7647d81950f2764c8709953ac207
SHA1 74d6a894bef256894f37a9cd5b1a18b1c9be73c8
SHA256 643b582b0c2117e2ad70092995be55730f6778b880c4820b3e5d5b5db2839749
SHA512 67d9d5241404c98582e4dc7e5b97e6daac22d1a3139367af5344b329e3018ab81b313d2cc1d558916521253e85eda554e894c1c73064e5f5071ddfa73493e8df

C:\Windows\SysWOW64\Hibjli32.exe

MD5 0fea01252637a6305b731cfec084e2a3
SHA1 5436218fccd915b259481c2e119d1a9ecbe2a97d
SHA256 d25e30ea4f8a6724e27dcf104bb1097eeae2bc54093da654fc3412b24045cfa2
SHA512 ee652dc9e2d273fbe0dc8a730e2ff9673c0ff38897bd9f69c6e8335c839156394ac53ce53f90a7eb17f0e15dacebbe8fa6f857fbd439cae31a049458d2f1df7e

C:\Windows\SysWOW64\Ibcaknbi.exe

MD5 4e43c2a6bae03cdd6bff2c131e7ae424
SHA1 adef0b7a192e77ee6bd05b751aaca8ccc4b3f21a
SHA256 9c4c96ad9659ef814d27477bb08fc5a81e01268495773454e7264f1fcfd47b47
SHA512 166e9868e1f6b98f8cdbc95df97902691aadd5f9b595ebc1593b3b8dedc628fae321f064104b8e1b8ff9a8af7e22ac76f4c6ac0b91afcf57218334b31819d498

C:\Windows\SysWOW64\Iomoenej.exe

MD5 db24141353dbd93c12e1afd779138d3b
SHA1 1c806c09b30a1e86b2173d2ddf07efc27dcc371a
SHA256 2ea0ea38f733f1f622afc408205c8352835fc7eba5b29502602d9eef1ad26745
SHA512 82eac99134d4042dc35e933ef11c31926782ba5f1cf842ecd248b3baeef81dd697b96a2ba28837376a6da88804ac4d87697fa7238c4eb67f6db9b8837fe76bb9

C:\Windows\SysWOW64\Jgbchj32.exe

MD5 a13976e5022a614e4edff9bcf51c43ca
SHA1 088796f6e8c46384e93432576adc650fce882687
SHA256 458c91e5e5eb0f3aca4083a366f0ba22e3302c2b2f790a6486de2a104ed23b0c
SHA512 80471ab51dc9781b61b4beac62a04023125ff0e9204358dfac9a335140669fc77971a2aec3c414faef4cf11f7880123edac5ff0d8cbfc8dcc41242611f7a93a1

C:\Windows\SysWOW64\Lljklo32.exe

MD5 cbcbdb724bc23606face0221435b9ffd
SHA1 096517acc345401f887fcd046037c20da96c4fdf
SHA256 54ea1f92f58afe7c97f7865523e80735953862e8cbab58ffa576e69eca388ffa
SHA512 e6026f7458525b6b6010326ab5d4001c0956f1af65172307975c9313554b8af6db3c36209b23d177269ce100239b293b9be3e25fe9e5a3d4ca55b3965f4fc083

C:\Windows\SysWOW64\Lgbloglj.exe

MD5 9e0709a1af93f80033656f5e5b5a8104
SHA1 2bc5a87330d722c6f0fea5b4ae7d4953d312a237
SHA256 1fba67afe3f41fb46f3b7d9394b7b9b170c359f17aebc8c8f21725c63ab82cec
SHA512 5921f208f0500681106cbfbab4ae0860f6d0bdd62138e0ef94285e4053db1ae8beb05c4d343e4abb3ff384b5ef6a83f5b3ef45c23b72f525e288f3376a6ea97a

C:\Windows\SysWOW64\Lqmmmmph.exe

MD5 2c3f9e7b47da5e180299984227dd52f3
SHA1 34ad8bd6cd32418726eee8e91bc787b8245d3e3b
SHA256 82ac6f8a72d4e8a60cfd18ac8710011fb624b6796ecde5b046ab7fa58890f400
SHA512 3ec05c3ce081f5fc6196559f22265e42636b5ed38af5ab743e7bbe29094c74f47221e2484b14a212f2ae65e3381c561fbfc3f041c79ec06c88916cfcce1fbb3d

C:\Windows\SysWOW64\Mnegbp32.exe

MD5 2944b285a40cbbcb58b3567f8c76339e
SHA1 9d78047f70e2d7734edd99d83d8c360dc8f2dc63
SHA256 3fdd7a5a2f1b66f110c19f512be4b7498350b6021663feaf49498cf4318610d2
SHA512 ce4100dd213bdcaef3d3f2700b33b81f7dfd8a470e08b8da39fa12c64a5f1e942b26c3aad7c4fa7253a49a03614ef2112e3b9a9907d713dc7f479dd4b46a3573

C:\Windows\SysWOW64\Monjjgkb.exe

MD5 84021072b17ba54e9334ddcc9d9e6eba
SHA1 ef0aca34a715e032dd20b229cc3c97e3315e829c
SHA256 2854c99d5d5f172167b87cdb80925073dc85903924224cf6d2d32cf03f043d6f
SHA512 47d54fb18dbc0313928d136c5f0585e56e6f0953e76b89ed95dc6b8c37367a9ee3229b1ff47717b4031861582f95f57db5eb8bde788e82f1eb18f0d67b2d549c

C:\Windows\SysWOW64\Nnfpinmi.exe

MD5 6692093787cd5a1e633db553c92e9c05
SHA1 ee35f36e3d202606270a8944690a8d843cd90f34
SHA256 b41b79875136a0037c3548eb34993785a58973ae374f34b54729ede32adb4666
SHA512 8294dab7733ff054b126833a0ff5d1f202abc4c143c74e1d015c27e2a697a7a526131edd5c0e0b65e4df6db6d3732f763affefe01bb5c72ad35a41f81e4c4467

C:\Windows\SysWOW64\Ojomcopk.exe

MD5 396621498d546fa8051a19f3b383f9a5
SHA1 a9cbbe06602dbe0d4b3b9e3a5ab6db8dfcfbefae
SHA256 93515ec85276d8c71b0151037c67a164fe37b4133f20a01f7c10c18e7534734d
SHA512 df57f9ffea2523613d4687e3d99c97da052c2f6ad649ca91ac5d2efc9483f15bf76a88a4bd00aff091e6bf1b600b7a3d62e9d0f3f4cdf952e675cd6f20bc5517

C:\Windows\SysWOW64\Pnfiplog.exe

MD5 809a7783daa4b79778e9be2bd85fd843
SHA1 2a903f2335dc5cef1b8756079f3b5101fe40ae06
SHA256 9c68688afe081f45d9242301b782d7a11c0af813933c5762c5760a6f5c293164
SHA512 bedbd1424a5f1d0d8a2d1d19bb7433bff2cb4e33f639a89ba6cef156e1f48f5694d078b388f9f87882ac63d3717fe2d9710a7e5ba1fc3019b3372574093be886

C:\Windows\SysWOW64\Pdhkcb32.exe

MD5 f42d61948c4f9a51f0b8348901a036a4
SHA1 2cb3e606d7716925c2ea1313e5f7203a1d1616db
SHA256 19466df36c81b857bb55a0338d72e3dddadd51e61875d491ccaf0c47d8d4489a
SHA512 13c19c28904389cc929e6b51a87ca73ecd9a2000f8d63931aa2b6f10a5bc1fa925ddd470f00095b06070caf5ed028f690f849e6c1854d6a6ed0e5ada695095e7

C:\Windows\SysWOW64\Panhbfep.exe

MD5 d46c0ae72bf1b8623962b14694766a6f
SHA1 8569cc34a0e0001a19dfb6cf7ca1a49e2d90f368
SHA256 af762290fb02eab3839b2119d17c2c026313b55d559720c8b5d31ff2aceb2e9f
SHA512 68b2ceaa81be56df7391488e2a9c76b153d67e7de6189bf885cc501b9a0b651782db1419dc0b78687817f6495c3dac5d1040f69a50f6b051e3e2b6e5303d3cb5

C:\Windows\SysWOW64\Amnlme32.exe

MD5 5e8937ce187bdcf62d51c91d520724a8
SHA1 f465dfc1cc46ce1d5a8184fad197fe4adc07f382
SHA256 e9e97c2e56b32699f52ffb7f5a6c3c068e8c05f640a745c24555ae627e897e76
SHA512 525f41163efba9588177d4cd83e647d14ccce10befef8244a65dd597fd2825b5052fc88eced67c7bc085dceb95d5e18cd3a948f5880befaeed4a7b4d7fca688c

C:\Windows\SysWOW64\Agimkk32.exe

MD5 89a97929fa77805dd139caa4515a665a
SHA1 8cee9006b4b49fc14ef9a6a5d37ecf57ef704cef
SHA256 0c352428faa30924ee38ed40baba438d15f53e6840fb7055272af0dbe6881bb6
SHA512 24b2f8ab5e93d743ddb9a3a1a359a762a258fac56d2b53dff9fe346dd074be03068a430cd5b2ac4a9b3661f3bd28c46c15c2c9289d119beb5e655837f7fbda77

C:\Windows\SysWOW64\Bacjdbch.exe

MD5 1bbc57aca45a37b13a591eab255ffe54
SHA1 33e999cd92d1153b6bf200da94a96fb219c31565
SHA256 57de726fd9f1ddb7c45e7d007b69ea13d5d45fef3d1f8f97ca3d1de8d1fbdd4b
SHA512 07c26e3e6ae8607d00ccb0ca4511d9e8a6e436817ab4685c159b5e0f6e704c59a79760e1c42f53099396aa8fc11897fce0bd52bd6121946a5b8c628814b9e4dc

C:\Windows\SysWOW64\Chiblk32.exe

MD5 ac353ee95af59f83f6face03624eea8a
SHA1 348a6e3e63dee78a230d8db4b6c6ee2457e06089
SHA256 887667f3aca248dc07ab1de1d033205e57857e1b35a745a2d188db8860037eec
SHA512 6af7ef9a2316023ba71c78e16bd6bb7ab6c00f7c21997714d8afe5b56c40180cc0454662adbc5fd4d37363a848191b985235fe6e7e2c648f5c9b74cfead7ac78

C:\Windows\SysWOW64\Cgqlcg32.exe

MD5 8ec6b1fab449cfe07a2b39d537b2246f
SHA1 6ffeeedd4f6d1b8434bd99afb0bbc8eba51270fe
SHA256 1290f0f4afe64362e3738af19e99c5bd9440eed3032a4fa892dd8df765e2f0ca
SHA512 1942e0dad60f0e12cc80ac501d900710b2d0d8de14d16389a6ebe45f80cda71d7a2d928c227df5aea971ec8e65f5e996ef4abbe63eb7f3a0e1e7d89ccf3eaaec

C:\Windows\SysWOW64\Ddgibkpc.exe

MD5 4f20e0d0787bed92f226d08c044a7b50
SHA1 fbef23653eccac6aa32e2dc4a6dceb8be51bfc82
SHA256 4d05dcfd5748631f1fb0cec415843d16ac5f5024517303825eb6c8c95960ccdb
SHA512 b9c983b4a26ba68dabeee12d45a90de3ef063d740d12f8ef9d340139157431148142d31e6acee4ac2299a7796ef0bf07991862de6b1864996e94767737d05598