Malware Analysis Report

2025-05-06 02:03

Sample ID 241110-rm2czayekd
Target 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N
SHA256 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8

Threat Level: Known bad

The file 10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Berbew family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 14:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 14:19

Reported

2024-11-10 14:21

Platform

win7-20241010-en

Max time kernel

78s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

The key is ShellServiceObjectDelayLoad (SSODL). Explorer instantiates every CLSID listed under it when the shell starts, so the value Web Event Logger = {79FAA099-1BAE-816E-D711-115290CEE717} written below gets loaded at each logon through whatever DLL that CLSID's InProcServer32 entry names (the "Modifies registry class" table further down points the same CLSID at a dropped DLL in SysWow64). The Wow6432Node path shows a 32-bit sample registering itself on 64-bit Windows, and every stage of the dropper chain rewrites the same value, which is why the table repeats it for dozens of processes.

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qlgkki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Afdiondb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbdiia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Opihgfop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pebpkk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Njhfcp32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lkjjma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pgcmbcih.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qlgkki32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjonncab.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbjeinje.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njhfcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nmfbpk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pleofj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Alnalh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bkhhhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nhlgmd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pepcelel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ajmijmnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bfdenafn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mfjann32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Objaha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bbmcibjp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Aakjdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ceebklai.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cinafkkd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dnpciaef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mbhlek32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mclebc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pgfjhcge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qdncmgbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Apgagg32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aoojnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bffbdadk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgoelh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cbffoabe.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djdgic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mcnbhb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Mqbbagjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Pljlbf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfdenafn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bnknoogp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjcaimgg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnknoogp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ciihklpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Nibqqh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Oiffkkbk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Opqoge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ahebaiac.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ccmpce32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bjpaop32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgqkbb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mcnbhb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Paiaplin.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ncnngfna.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

The list is the dropper chain in spawn order: each stage runs the executable it has just written (compare the "Drops file in System32 directory" table, where Lgqkbb32.exe writes Lqipkhbj.exe and Lqipkhbj.exe writes Mkndhabp.exe). The file names are generated per stage and are not reliable indicators on their own; the stable indicators in this report are the SSODL value name and the CLSID.

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Lkjjma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgqkbb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lqipkhbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkndhabp.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbhlek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjcaimgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Mclebc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfjann32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcnbhb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mikjpiim.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqbbagjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbcoio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmicfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbflno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nedhjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Nibqqh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbjeinje.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhgnaehm.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlcibc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnafnopi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncnngfna.exe N/A
N/A N/A C:\Windows\SysWOW64\Njhfcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmfbpk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhlgmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njjcip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohncbdbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Opihgfop.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcqcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Objaha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oeindm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oiffkkbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Opqoge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pepcelel.exe N/A
N/A N/A C:\Windows\SysWOW64\Pljlbf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pebpkk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdeqfhjd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgcmbcih.exe N/A
N/A N/A C:\Windows\SysWOW64\Paiaplin.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgfjhcge.exe N/A
N/A N/A C:\Windows\SysWOW64\Pidfdofi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppnnai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdjjag32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pleofj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdlggg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcogbdkg.exe N/A
N/A N/A C:\Windows\SysWOW64\Qkfocaki.exe N/A
N/A N/A C:\Windows\SysWOW64\Qlgkki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdncmgbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcachc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qeppdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alihaioe.exe N/A
N/A N/A C:\Windows\SysWOW64\Aohdmdoh.exe N/A
N/A N/A C:\Windows\SysWOW64\Accqnc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajmijmnn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahpifj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apgagg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aojabdlf.exe N/A
N/A N/A C:\Windows\SysWOW64\Afdiondb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajpepm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alnalh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aomnhd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aakjdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ahebaiac.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkjjma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkjjma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgqkbb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgqkbb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lqipkhbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lqipkhbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkndhabp.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkndhabp.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbhlek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbhlek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjcaimgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjcaimgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Mclebc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mclebc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfjann32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfjann32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcnbhb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcnbhb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mikjpiim.exe N/A
N/A N/A C:\Windows\SysWOW64\Mikjpiim.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqbbagjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqbbagjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbcoio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mbcoio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmicfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmicfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbflno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbflno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nedhjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nedhjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Nibqqh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nibqqh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbjeinje.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbjeinje.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhgnaehm.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhgnaehm.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlcibc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlcibc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnafnopi.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnafnopi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncnngfna.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncnngfna.exe N/A
N/A N/A C:\Windows\SysWOW64\Njhfcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njhfcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmfbpk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmfbpk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhlgmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhlgmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njjcip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njjcip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohncbdbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohncbdbd.exe N/A
N/A N/A C:\Windows\SysWOW64\Opihgfop.exe N/A
N/A N/A C:\Windows\SysWOW64\Opihgfop.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcqcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofcqcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Objaha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Objaha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oeindm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oeindm32.exe N/A

Drops file in System32 directory

Indicator is the file written and Process is the writer. Each stage writes the next executable in the chain plus a companion DLL (for example Djdgic32.exe writes Pmiljc32.dll, the DLL its InProcServer32 entry below points at), all under C:\Windows\SysWOW64. Every table in this report is capped at 64 rows, so the file list is not exhaustive.

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Aohdmdoh.exe C:\Windows\SysWOW64\Alihaioe.exe N/A
File opened for modification C:\Windows\SysWOW64\Ciihklpj.exe C:\Windows\SysWOW64\Ccmpce32.exe N/A
File created C:\Windows\SysWOW64\Cgoelh32.exe C:\Windows\SysWOW64\Cbblda32.exe N/A
File created C:\Windows\SysWOW64\Mkndhabp.exe C:\Windows\SysWOW64\Lqipkhbj.exe N/A
File opened for modification C:\Windows\SysWOW64\Mclebc32.exe C:\Windows\SysWOW64\Mjcaimgg.exe N/A
File created C:\Windows\SysWOW64\Mcnbhb32.exe C:\Windows\SysWOW64\Mfjann32.exe N/A
File created C:\Windows\SysWOW64\Incjbkig.dll C:\Windows\SysWOW64\Ahpifj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aakjdo32.exe C:\Windows\SysWOW64\Aomnhd32.exe N/A
File created C:\Windows\SysWOW64\Lbmnig32.dll C:\Windows\SysWOW64\Bbmcibjp.exe N/A
File created C:\Windows\SysWOW64\Lqipkhbj.exe C:\Windows\SysWOW64\Lgqkbb32.exe N/A
File created C:\Windows\SysWOW64\Opqoge32.exe C:\Windows\SysWOW64\Oiffkkbk.exe N/A
File created C:\Windows\SysWOW64\Qkfocaki.exe C:\Windows\SysWOW64\Qcogbdkg.exe N/A
File created C:\Windows\SysWOW64\Ahebaiac.exe C:\Windows\SysWOW64\Aakjdo32.exe N/A
File created C:\Windows\SysWOW64\Adlcfjgh.exe C:\Windows\SysWOW64\Anbkipok.exe N/A
File opened for modification C:\Windows\SysWOW64\Cgfkmgnj.exe C:\Windows\SysWOW64\Ccjoli32.exe N/A
File created C:\Windows\SysWOW64\Ciffggmh.dll C:\Windows\SysWOW64\Mclebc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mqbbagjo.exe C:\Windows\SysWOW64\Mikjpiim.exe N/A
File created C:\Windows\SysWOW64\Qeppdo32.exe C:\Windows\SysWOW64\Qcachc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Alihaioe.exe C:\Windows\SysWOW64\Qeppdo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Anbkipok.exe C:\Windows\SysWOW64\Aoojnc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Adlcfjgh.exe C:\Windows\SysWOW64\Anbkipok.exe N/A
File opened for modification C:\Windows\SysWOW64\Afdiondb.exe C:\Windows\SysWOW64\Aojabdlf.exe N/A
File opened for modification C:\Windows\SysWOW64\Bqlfaj32.exe C:\Windows\SysWOW64\Bieopm32.exe N/A
File created C:\Windows\SysWOW64\Ollopmbl.dll C:\Windows\SysWOW64\Lkjjma32.exe N/A
File created C:\Windows\SysWOW64\Dofhhgce.dll C:\Windows\SysWOW64\Lgqkbb32.exe N/A
File created C:\Windows\SysWOW64\Nhgnaehm.exe C:\Windows\SysWOW64\Nbjeinje.exe N/A
File created C:\Windows\SysWOW64\Gaokcb32.dll C:\Windows\SysWOW64\Nhlgmd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ofcqcp32.exe C:\Windows\SysWOW64\Opihgfop.exe N/A
File created C:\Windows\SysWOW64\Pleofj32.exe C:\Windows\SysWOW64\Pdjjag32.exe N/A
File created C:\Windows\SysWOW64\Ccmpce32.exe C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
File created C:\Windows\SysWOW64\Cgcnghpl.exe C:\Windows\SysWOW64\Ceebklai.exe N/A
File created C:\Windows\SysWOW64\Pdkefp32.dll C:\Windows\SysWOW64\Dnpciaef.exe N/A
File created C:\Windows\SysWOW64\Akafaiao.dll C:\Windows\SysWOW64\Nmfbpk32.exe N/A
File created C:\Windows\SysWOW64\Qdlggg32.exe C:\Windows\SysWOW64\Pleofj32.exe N/A
File created C:\Windows\SysWOW64\Bbbpenco.exe C:\Windows\SysWOW64\Bnfddp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ccmpce32.exe C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
File created C:\Windows\SysWOW64\Ajmijmnn.exe C:\Windows\SysWOW64\Accqnc32.exe N/A
File created C:\Windows\SysWOW64\Pmmgmc32.dll C:\Windows\SysWOW64\Alnalh32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bdcifi32.exe C:\Windows\SysWOW64\Bmlael32.exe N/A
File created C:\Windows\SysWOW64\Ckndebll.dll C:\Windows\SysWOW64\Bjpaop32.exe N/A
File created C:\Windows\SysWOW64\Bffbdadk.exe C:\Windows\SysWOW64\Boljgg32.exe N/A
File created C:\Windows\SysWOW64\Bbmcibjp.exe C:\Windows\SysWOW64\Bqlfaj32.exe N/A
File created C:\Windows\SysWOW64\Mpioba32.dll C:\Windows\SysWOW64\Opqoge32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjonncab.exe C:\Windows\SysWOW64\Ckmnbg32.exe N/A
File created C:\Windows\SysWOW64\Ladpkl32.dll C:\Windows\SysWOW64\Mqbbagjo.exe N/A
File opened for modification C:\Windows\SysWOW64\Nedhjj32.exe C:\Windows\SysWOW64\Nbflno32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oeindm32.exe C:\Windows\SysWOW64\Objaha32.exe N/A
File created C:\Windows\SysWOW64\Qdncmgbj.exe C:\Windows\SysWOW64\Qlgkki32.exe N/A
File created C:\Windows\SysWOW64\Pcaibd32.dll C:\Windows\SysWOW64\Cgcnghpl.exe N/A
File created C:\Windows\SysWOW64\Pmiljc32.dll C:\Windows\SysWOW64\Djdgic32.exe N/A
File created C:\Windows\SysWOW64\Mfakaoam.dll C:\Windows\SysWOW64\Bqlfaj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceebklai.exe C:\Windows\SysWOW64\Cbffoabe.exe N/A
File created C:\Windows\SysWOW64\Mikjpiim.exe C:\Windows\SysWOW64\Mcnbhb32.exe N/A
File created C:\Windows\SysWOW64\Pjdjea32.dll C:\Windows\SysWOW64\Nibqqh32.exe N/A
File created C:\Windows\SysWOW64\Nmfbpk32.exe C:\Windows\SysWOW64\Njhfcp32.exe N/A
File created C:\Windows\SysWOW64\Hqjpab32.dll C:\Windows\SysWOW64\Accqnc32.exe N/A
File created C:\Windows\SysWOW64\Nmlfpfpl.dll C:\Windows\SysWOW64\Ajmijmnn.exe N/A
File created C:\Windows\SysWOW64\Gbnbjo32.dll C:\Windows\SysWOW64\Bieopm32.exe N/A
File created C:\Windows\SysWOW64\Dpapaj32.exe C:\Windows\SysWOW64\Dnpciaef.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbhhdnlh.exe C:\Windows\SysWOW64\Nedhjj32.exe N/A
File created C:\Windows\SysWOW64\Nhlgmd32.exe C:\Windows\SysWOW64\Nmfbpk32.exe N/A
File created C:\Windows\SysWOW64\Pljlbf32.exe C:\Windows\SysWOW64\Pepcelel.exe N/A
File created C:\Windows\SysWOW64\Dgnenf32.dll C:\Windows\SysWOW64\Bnknoogp.exe N/A
File opened for modification C:\Windows\SysWOW64\Dnpciaef.exe C:\Windows\SysWOW64\Djdgic32.exe N/A

Program crash

Process is the crash handler and Target the process that faulted.

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dpapaj32.exe

System Location Discovery: System Language Discovery

Each stage reads the system locale from the NLS\Language key. On its own this is a weak signal, since any process that queries the system locale touches the same key.

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nbflno32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nibqqh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdlggg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkhhhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmlael32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qlgkki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qcachc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apgagg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lkjjma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ppnnai32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgfkmgnj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pgfjhcge.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pleofj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qkfocaki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjonncab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmpgpond.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdeqfhjd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdncmgbj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qeppdo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgllgedi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqijljfd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bieopm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbblda32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dnpciaef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mjcaimgg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pepcelel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ccjoli32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bbmcibjp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckmnbg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njhfcp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofcqcp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oiffkkbk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahebaiac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lqipkhbj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qcogbdkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgoelh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbdiia32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cinafkkd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lgqkbb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oeindm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Andgop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnfddp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajpepm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afdiondb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adnpkjde.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdcifi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnknoogp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Boljgg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aomnhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mikjpiim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mqbbagjo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mbcoio32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ncnngfna.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mcnbhb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pljlbf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pebpkk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bccmmf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mfjann32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Paiaplin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nlcibc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njjcip32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mfjann32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lkjjma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qdlggg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ccjoli32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll" C:\Windows\SysWOW64\Djdgic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nmfbpk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidobe32.dll" C:\Windows\SysWOW64\Pepcelel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qcogbdkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqjpab32.dll" C:\Windows\SysWOW64\Accqnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollopmbl.dll" C:\Windows\SysWOW64\Lkjjma32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ofcqcp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Pdjjag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Apgagg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" C:\Windows\SysWOW64\Dnpciaef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocnkj32.dll" C:\Windows\SysWOW64\Mkndhabp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbbobb32.dll" C:\Windows\SysWOW64\Nbflno32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Opihgfop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaaded32.dll" C:\Windows\SysWOW64\Pgfjhcge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqcjjk32.dll" C:\Windows\SysWOW64\Ppnnai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Adlcfjgh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nedhjj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qlgkki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Adnpkjde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll" C:\Windows\SysWOW64\Bjpaop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofhhgce.dll" C:\Windows\SysWOW64\Lgqkbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhdnm32.dll" C:\Windows\SysWOW64\Opihgfop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aojabdlf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bnfddp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ohncbdbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bqijljfd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ciihklpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll" C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mbhlek32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmiacp32.dll" C:\Windows\SysWOW64\Mjcaimgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ofcqcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Objaha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pljlbf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ahebaiac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mclebc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbflno32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khoqme32.dll" C:\Windows\SysWOW64\Apgagg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmeignj.dll" C:\Windows\SysWOW64\Adnpkjde.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bbmcibjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cmpgpond.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ohncbdbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll" C:\Windows\SysWOW64\Cbblda32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ccjoli32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Nbflno32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhiejpim.dll" C:\Windows\SysWOW64\Pidfdofi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ahpifj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ahpifj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjpaop32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cgoelh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Mmicfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alnalh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbblda32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Djdgic32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qeppdo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ceebklai.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Adnpkjde.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1488 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe C:\Windows\SysWOW64\Lkjjma32.exe
PID 2396 wrote to memory of 2316 N/A C:\Windows\SysWOW64\Lkjjma32.exe C:\Windows\SysWOW64\Lgqkbb32.exe
PID 2316 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Lgqkbb32.exe C:\Windows\SysWOW64\Lqipkhbj.exe
PID 2784 wrote to memory of 2836 N/A C:\Windows\SysWOW64\Lqipkhbj.exe C:\Windows\SysWOW64\Mkndhabp.exe
PID 2836 wrote to memory of 2060 N/A C:\Windows\SysWOW64\Mkndhabp.exe C:\Windows\SysWOW64\Mbhlek32.exe
PID 2060 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Mbhlek32.exe C:\Windows\SysWOW64\Mjcaimgg.exe
PID 2684 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Mjcaimgg.exe C:\Windows\SysWOW64\Mclebc32.exe
PID 2704 wrote to memory of 2500 N/A C:\Windows\SysWOW64\Mclebc32.exe C:\Windows\SysWOW64\Mfjann32.exe
PID 2500 wrote to memory of 3036 N/A C:\Windows\SysWOW64\Mfjann32.exe C:\Windows\SysWOW64\Mcnbhb32.exe
PID 3036 wrote to memory of 2820 N/A C:\Windows\SysWOW64\Mcnbhb32.exe C:\Windows\SysWOW64\Mikjpiim.exe
PID 2820 wrote to memory of 1276 N/A C:\Windows\SysWOW64\Mikjpiim.exe C:\Windows\SysWOW64\Mqbbagjo.exe
PID 1276 wrote to memory of 2960 N/A C:\Windows\SysWOW64\Mqbbagjo.exe C:\Windows\SysWOW64\Mbcoio32.exe
PID 2960 wrote to memory of 1988 N/A C:\Windows\SysWOW64\Mbcoio32.exe C:\Windows\SysWOW64\Mmicfh32.exe
PID 1988 wrote to memory of 2148 N/A C:\Windows\SysWOW64\Mmicfh32.exe C:\Windows\SysWOW64\Nbflno32.exe
PID 2148 wrote to memory of 2072 N/A C:\Windows\SysWOW64\Nbflno32.exe C:\Windows\SysWOW64\Nedhjj32.exe
PID 2072 wrote to memory of 1080 N/A C:\Windows\SysWOW64\Nedhjj32.exe C:\Windows\SysWOW64\Nbhhdnlh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe

"C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe"

C:\Windows\SysWOW64\Lkjjma32.exe

C:\Windows\system32\Lkjjma32.exe

C:\Windows\SysWOW64\Lgqkbb32.exe

C:\Windows\system32\Lgqkbb32.exe

C:\Windows\SysWOW64\Lqipkhbj.exe

C:\Windows\system32\Lqipkhbj.exe

C:\Windows\SysWOW64\Mkndhabp.exe

C:\Windows\system32\Mkndhabp.exe

C:\Windows\SysWOW64\Mbhlek32.exe

C:\Windows\system32\Mbhlek32.exe

C:\Windows\SysWOW64\Mjcaimgg.exe

C:\Windows\system32\Mjcaimgg.exe

C:\Windows\SysWOW64\Mclebc32.exe

C:\Windows\system32\Mclebc32.exe

C:\Windows\SysWOW64\Mfjann32.exe

C:\Windows\system32\Mfjann32.exe

C:\Windows\SysWOW64\Mcnbhb32.exe

C:\Windows\system32\Mcnbhb32.exe

C:\Windows\SysWOW64\Mikjpiim.exe

C:\Windows\system32\Mikjpiim.exe

C:\Windows\SysWOW64\Mqbbagjo.exe

C:\Windows\system32\Mqbbagjo.exe

C:\Windows\SysWOW64\Mbcoio32.exe

C:\Windows\system32\Mbcoio32.exe

C:\Windows\SysWOW64\Mmicfh32.exe

C:\Windows\system32\Mmicfh32.exe

C:\Windows\SysWOW64\Nbflno32.exe

C:\Windows\system32\Nbflno32.exe

C:\Windows\SysWOW64\Nedhjj32.exe

C:\Windows\system32\Nedhjj32.exe

C:\Windows\SysWOW64\Nbhhdnlh.exe

C:\Windows\system32\Nbhhdnlh.exe

C:\Windows\SysWOW64\Nibqqh32.exe

C:\Windows\system32\Nibqqh32.exe

C:\Windows\SysWOW64\Nbjeinje.exe

C:\Windows\system32\Nbjeinje.exe

C:\Windows\SysWOW64\Nhgnaehm.exe

C:\Windows\system32\Nhgnaehm.exe

C:\Windows\SysWOW64\Nlcibc32.exe

C:\Windows\system32\Nlcibc32.exe

C:\Windows\SysWOW64\Nnafnopi.exe

C:\Windows\system32\Nnafnopi.exe

C:\Windows\SysWOW64\Ncnngfna.exe

C:\Windows\system32\Ncnngfna.exe

C:\Windows\SysWOW64\Njhfcp32.exe

C:\Windows\system32\Njhfcp32.exe

C:\Windows\SysWOW64\Nmfbpk32.exe

C:\Windows\system32\Nmfbpk32.exe

C:\Windows\SysWOW64\Nhlgmd32.exe

C:\Windows\system32\Nhlgmd32.exe

C:\Windows\SysWOW64\Njjcip32.exe

C:\Windows\system32\Njjcip32.exe

C:\Windows\SysWOW64\Ohncbdbd.exe

C:\Windows\system32\Ohncbdbd.exe

C:\Windows\SysWOW64\Opihgfop.exe

C:\Windows\system32\Opihgfop.exe

C:\Windows\SysWOW64\Ofcqcp32.exe

C:\Windows\system32\Ofcqcp32.exe

C:\Windows\SysWOW64\Objaha32.exe

C:\Windows\system32\Objaha32.exe

C:\Windows\SysWOW64\Oeindm32.exe

C:\Windows\system32\Oeindm32.exe

C:\Windows\SysWOW64\Oiffkkbk.exe

C:\Windows\system32\Oiffkkbk.exe

C:\Windows\SysWOW64\Opqoge32.exe

C:\Windows\system32\Opqoge32.exe

C:\Windows\SysWOW64\Pepcelel.exe

C:\Windows\system32\Pepcelel.exe

C:\Windows\SysWOW64\Pljlbf32.exe

C:\Windows\system32\Pljlbf32.exe

C:\Windows\SysWOW64\Pebpkk32.exe

C:\Windows\system32\Pebpkk32.exe

C:\Windows\SysWOW64\Pdeqfhjd.exe

C:\Windows\system32\Pdeqfhjd.exe

C:\Windows\SysWOW64\Pgcmbcih.exe

C:\Windows\system32\Pgcmbcih.exe

C:\Windows\SysWOW64\Paiaplin.exe

C:\Windows\system32\Paiaplin.exe

C:\Windows\SysWOW64\Pgfjhcge.exe

C:\Windows\system32\Pgfjhcge.exe

C:\Windows\SysWOW64\Pidfdofi.exe

C:\Windows\system32\Pidfdofi.exe

C:\Windows\SysWOW64\Ppnnai32.exe

C:\Windows\system32\Ppnnai32.exe

C:\Windows\SysWOW64\Pdjjag32.exe

C:\Windows\system32\Pdjjag32.exe

C:\Windows\SysWOW64\Pleofj32.exe

C:\Windows\system32\Pleofj32.exe

C:\Windows\SysWOW64\Qdlggg32.exe

C:\Windows\system32\Qdlggg32.exe

C:\Windows\SysWOW64\Qcogbdkg.exe

C:\Windows\system32\Qcogbdkg.exe

C:\Windows\SysWOW64\Qkfocaki.exe

C:\Windows\system32\Qkfocaki.exe

C:\Windows\SysWOW64\Qlgkki32.exe

C:\Windows\system32\Qlgkki32.exe

C:\Windows\SysWOW64\Qdncmgbj.exe

C:\Windows\system32\Qdncmgbj.exe

C:\Windows\SysWOW64\Qcachc32.exe

C:\Windows\system32\Qcachc32.exe

C:\Windows\SysWOW64\Qeppdo32.exe

C:\Windows\system32\Qeppdo32.exe

C:\Windows\SysWOW64\Alihaioe.exe

C:\Windows\system32\Alihaioe.exe

C:\Windows\SysWOW64\Aohdmdoh.exe

C:\Windows\system32\Aohdmdoh.exe

C:\Windows\SysWOW64\Accqnc32.exe

C:\Windows\system32\Accqnc32.exe

C:\Windows\SysWOW64\Ajmijmnn.exe

C:\Windows\system32\Ajmijmnn.exe

C:\Windows\SysWOW64\Ahpifj32.exe

C:\Windows\system32\Ahpifj32.exe

C:\Windows\SysWOW64\Apgagg32.exe

C:\Windows\system32\Apgagg32.exe

C:\Windows\SysWOW64\Aojabdlf.exe

C:\Windows\system32\Aojabdlf.exe

C:\Windows\SysWOW64\Afdiondb.exe

C:\Windows\system32\Afdiondb.exe

C:\Windows\SysWOW64\Ajpepm32.exe

C:\Windows\system32\Ajpepm32.exe

C:\Windows\SysWOW64\Alnalh32.exe

C:\Windows\system32\Alnalh32.exe

C:\Windows\SysWOW64\Aomnhd32.exe

C:\Windows\system32\Aomnhd32.exe

C:\Windows\SysWOW64\Aakjdo32.exe

C:\Windows\system32\Aakjdo32.exe

C:\Windows\SysWOW64\Ahebaiac.exe

C:\Windows\system32\Ahebaiac.exe

C:\Windows\SysWOW64\Aoojnc32.exe

C:\Windows\system32\Aoojnc32.exe

C:\Windows\SysWOW64\Anbkipok.exe

C:\Windows\system32\Anbkipok.exe

C:\Windows\SysWOW64\Adlcfjgh.exe

C:\Windows\system32\Adlcfjgh.exe

C:\Windows\SysWOW64\Agjobffl.exe

C:\Windows\system32\Agjobffl.exe

C:\Windows\SysWOW64\Andgop32.exe

C:\Windows\system32\Andgop32.exe

C:\Windows\SysWOW64\Adnpkjde.exe

C:\Windows\system32\Adnpkjde.exe

C:\Windows\SysWOW64\Bgllgedi.exe

C:\Windows\system32\Bgllgedi.exe

C:\Windows\SysWOW64\Bkhhhd32.exe

C:\Windows\system32\Bkhhhd32.exe

C:\Windows\SysWOW64\Bnfddp32.exe

C:\Windows\system32\Bnfddp32.exe

C:\Windows\SysWOW64\Bbbpenco.exe

C:\Windows\system32\Bbbpenco.exe

C:\Windows\SysWOW64\Bccmmf32.exe

C:\Windows\system32\Bccmmf32.exe

C:\Windows\SysWOW64\Bjmeiq32.exe

C:\Windows\system32\Bjmeiq32.exe

C:\Windows\SysWOW64\Bmlael32.exe

C:\Windows\system32\Bmlael32.exe

C:\Windows\SysWOW64\Bdcifi32.exe

C:\Windows\system32\Bdcifi32.exe

C:\Windows\SysWOW64\Bfdenafn.exe

C:\Windows\system32\Bfdenafn.exe

C:\Windows\SysWOW64\Bjpaop32.exe

C:\Windows\system32\Bjpaop32.exe

C:\Windows\SysWOW64\Bnknoogp.exe

C:\Windows\system32\Bnknoogp.exe

C:\Windows\SysWOW64\Bqijljfd.exe

C:\Windows\system32\Bqijljfd.exe

C:\Windows\SysWOW64\Boljgg32.exe

C:\Windows\system32\Boljgg32.exe

C:\Windows\SysWOW64\Bffbdadk.exe

C:\Windows\system32\Bffbdadk.exe

C:\Windows\SysWOW64\Bieopm32.exe

C:\Windows\system32\Bieopm32.exe

C:\Windows\SysWOW64\Bqlfaj32.exe

C:\Windows\system32\Bqlfaj32.exe

C:\Windows\SysWOW64\Bbmcibjp.exe

C:\Windows\system32\Bbmcibjp.exe

C:\Windows\SysWOW64\Bjdkjpkb.exe

C:\Windows\system32\Bjdkjpkb.exe

C:\Windows\SysWOW64\Ccmpce32.exe

C:\Windows\system32\Ccmpce32.exe

C:\Windows\SysWOW64\Ciihklpj.exe

C:\Windows\system32\Ciihklpj.exe

C:\Windows\SysWOW64\Cbblda32.exe

C:\Windows\system32\Cbblda32.exe

C:\Windows\SysWOW64\Cgoelh32.exe

C:\Windows\system32\Cgoelh32.exe

C:\Windows\SysWOW64\Cbdiia32.exe

C:\Windows\system32\Cbdiia32.exe

C:\Windows\SysWOW64\Cinafkkd.exe

C:\Windows\system32\Cinafkkd.exe

C:\Windows\SysWOW64\Ckmnbg32.exe

C:\Windows\system32\Ckmnbg32.exe

C:\Windows\SysWOW64\Cjonncab.exe

C:\Windows\system32\Cjonncab.exe

C:\Windows\SysWOW64\Cbffoabe.exe

C:\Windows\system32\Cbffoabe.exe

C:\Windows\SysWOW64\Ceebklai.exe

C:\Windows\system32\Ceebklai.exe

C:\Windows\SysWOW64\Cgcnghpl.exe

C:\Windows\system32\Cgcnghpl.exe

C:\Windows\SysWOW64\Cmpgpond.exe

C:\Windows\system32\Cmpgpond.exe

C:\Windows\SysWOW64\Ccjoli32.exe

C:\Windows\system32\Ccjoli32.exe

C:\Windows\SysWOW64\Cgfkmgnj.exe

C:\Windows\system32\Cgfkmgnj.exe

C:\Windows\SysWOW64\Djdgic32.exe

C:\Windows\system32\Djdgic32.exe

C:\Windows\SysWOW64\Dnpciaef.exe

C:\Windows\system32\Dnpciaef.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 144

Network

N/A

Files

SHA256 6c1071aa07d32aa4dc6490e2ffbe67563d4410708f17cbb439ccf1e2ef6b449b
SHA512 e6fd99f6fd33ccc601bd8219951839bc213c6d42ef24b29b4b48b159f614f24afe445ae8eeee1f7b6d5dcf92edc6acd8be4515b2d209c4b2e560cd8f371141fe

memory/1080-222-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2072-215-0x00000000002A0000-0x00000000002D7000-memory.dmp

memory/1628-237-0x0000000000280000-0x00000000002B7000-memory.dmp

memory/1628-236-0x0000000000280000-0x00000000002B7000-memory.dmp

C:\Windows\SysWOW64\Nbjeinje.exe

MD5 1cbeecd3969281652703748678e3f98a
SHA1 d7b882abc204174f104b4daad05835ad6dcb6a74
SHA256 57e7b9cf21d104a6733c6d370e260991169af8185202f16ac4a974dbe4e06d70
SHA512 ea499970fff4a2adcf787370e2690a0cd93319a3bea5f451ede0c3124b09305eda0092efd70ed7ce386ccd994242978b18624296b5fc3b9fa2b7396e9c9b9214

memory/1032-246-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Nhgnaehm.exe

MD5 f5c7c0249376923abb88c2f6ce8ca524
SHA1 d284e595b4c36ab7a7894deae9d78dc29f402588
SHA256 a046928f66b34b0c5a46a263e5913861f30696e3aeb0757927b95d80ad3fd24a
SHA512 79fa3bafc2e523ff02455f5ac6f88a541a57bc58ac78b47b2f023482bb4a205823599add60edccf43e530aa4cd172d5900d7378f3dd1c63742a8d7e0b178e1c4

memory/1160-256-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1032-253-0x0000000000250000-0x0000000000287000-memory.dmp

C:\Windows\SysWOW64\Nlcibc32.exe

MD5 798e7011b0188b759e4d139ba7a91f89
SHA1 c86672de915aef1c46c0f97e6b490457e3da0ff6
SHA256 a4b8e2c12be0d7d5bea99453d83d325b2ea25e99ce912a98f6324438e0482bd8
SHA512 aec192278c677ad5ec63bd9b66412e3719c95a24ab6af4f403143741dc52c23e43b0b2ee39c2f7c719ff3d4c97e6eb5d1705050922c19fcc9428b4882dfcc6a7

C:\Windows\SysWOW64\Nnafnopi.exe

MD5 57b2a2e25adc03f201dd2b90babca122
SHA1 cab8393e6f9bc32117b6f1f301a9f6b29c51bda1
SHA256 60b74192d1e57cd703484b3f9c0f06eaa53f26649251bdb84436713f058cfc97
SHA512 6c13af3bcd2fa4ff54663a883ae8a66eab9080c1c1365f485139a2eeced9d53a016485f0ff2b07975cf51dbe896bd064b7da321bd63f06ebbc0a73552734c032

memory/2436-265-0x0000000000400000-0x0000000000437000-memory.dmp

memory/868-278-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2436-274-0x0000000000260000-0x0000000000297000-memory.dmp

C:\Windows\SysWOW64\Ncnngfna.exe

MD5 2025378daaf50de2a2cf4dd0484f89bc
SHA1 8fed3eacfb6e59356e6cda4aa16270b7cee92ddf
SHA256 29651f85b6e003c6f53c4a205b81d0afdd217e7dbcf010ee01c243a9a3a2ea6e
SHA512 5f0db13973e4e7a9b0fb95707a6b9d14162bd98ef92f71b9e01fff4f6efffd8b82dab1ba422e83da5de62d6f294fe2e1ab6b11651fd333b05f3067b237bc3525

C:\Windows\SysWOW64\Njhfcp32.exe

MD5 c87a369dace9bf8ea3c460601094d5ca
SHA1 cea06a33ec49ae20e5c6bdbc028e3afa962e7f36
SHA256 2d6e75c99c3571dc015dc084231408409b49048d370f73a704b06a63fe9f3927
SHA512 ef09bf4f5bbe7cc74bc2801d637affd92a2cbd44ee3869b1ab33bd743fac13b89921ae3526c0865ac912c1a9d55030b7f86c5c6794df3b3b897d786c4da83c69

memory/2016-286-0x0000000000400000-0x0000000000437000-memory.dmp

memory/868-285-0x0000000000250000-0x0000000000287000-memory.dmp

memory/868-284-0x0000000000250000-0x0000000000287000-memory.dmp

memory/2016-296-0x0000000000250000-0x0000000000287000-memory.dmp

memory/2016-295-0x0000000000250000-0x0000000000287000-memory.dmp

C:\Windows\SysWOW64\Nmfbpk32.exe

MD5 2b528d8474cf993d7a89271e2a9e20e5
SHA1 2434b421643b3815823ee6cd0e0f68e9f1c0c7c6
SHA256 d2b54f9490725a396817ec068e6bfc7ea65aa9268c820e7a444935036e9e0ccd
SHA512 f573fa77983e6c6ba4c7eba463223dc1094b523985acd0e3b2f629b7395f9ebbf0f1cf68c4548f1e587d81331280e20466d4f6d7551cd4e40b92af00ec1034f5

C:\Windows\SysWOW64\Nhlgmd32.exe

MD5 3a99c2ebf7d9ed26082f383b44261a7a
SHA1 e6d0233abf73c4b6fd1c2bc8f52ca8538316c909
SHA256 64f9ad99b777baae670b3959bb6b1e606a98a130259e2576bf598fa80540195c
SHA512 b42d953d21c6611982d8b639d3cc5dd659eda5e169a627548cdb424d2c7343c6b6b770d6db07b8522a4d9505247568499b016632103f36ed3124e1204d9b8d9d

memory/2568-308-0x00000000002B0000-0x00000000002E7000-memory.dmp

memory/1876-307-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2568-306-0x00000000002B0000-0x00000000002E7000-memory.dmp

memory/2568-305-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2588-319-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1876-318-0x0000000000270000-0x00000000002A7000-memory.dmp

memory/1876-317-0x0000000000270000-0x00000000002A7000-memory.dmp

C:\Windows\SysWOW64\Njjcip32.exe

MD5 0303cb04cd5b41f7312954f8c298315a
SHA1 24072353255b7afd1c3db766c7e4076caf8b823d
SHA256 3e7ac77df22aefb89c8a4fbfbd75dbad6b5348b1eb39c1b32947c957cb3ae97e
SHA512 4655eb5947327f614a80c1f2125b05ced00e64fe0b8449c61b5999d3cc8471cfbff1ff9c39df38cc6067d3dc7da173bcc228b0c66402e05b526e59d3f47d7861

C:\Windows\SysWOW64\Ohncbdbd.exe

MD5 2ed3bb0c07933c562c706faace7cb207
SHA1 d66de599b860a3a8695616693498e77eef3dcbeb
SHA256 b30c979bb869ad3d5f47a49eef161f52da538838074ea1c73747d78c497bdc06
SHA512 cb1135f430302ea48161918a330f6173b35e14b151f130cd89ea1dc57ca8f08005d180db7d0743da6e0dac808e6d7dec5e03459e3fac41e4ef1ffbc3539e27de

memory/2588-329-0x0000000000250000-0x0000000000287000-memory.dmp

memory/2840-330-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2588-328-0x0000000000250000-0x0000000000287000-memory.dmp

C:\Windows\SysWOW64\Opihgfop.exe

MD5 0d9a6e686a6265658103b13671e41d7c
SHA1 44fd227a19c29ad6275203f4bbd7386cfd366bcc
SHA256 b706656a123a9651e1cd9d587153d1ca55454df692e74424bf5ff4428158a8b2
SHA512 fb1d08b32a5e0f3b05684c0e4c688b22494ba8304486864331242e77dffd685cb439b605c27a1e37a22c8bd7231b574685b7b0668de075db7d795b24813eb3a2

memory/2840-340-0x0000000000270000-0x00000000002A7000-memory.dmp

memory/2792-345-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2840-339-0x0000000000270000-0x00000000002A7000-memory.dmp

memory/2664-351-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2792-350-0x00000000002E0000-0x0000000000317000-memory.dmp

C:\Windows\SysWOW64\Ofcqcp32.exe

MD5 a325000c99b3719b3def6c6b9ae93e93
SHA1 b0f8a48f01be0cb9dba8242cba23dedf276dc492
SHA256 0fdfcc0b044b67c4f4aa2de69b11a2eec68882f8021b34f06b29e0e61ccd7140
SHA512 eada2541bb8d5947762b3d7f71d30b719e265eeb3327111ae46f84c8d0c852863ced8775b3c3914e7d9651c83c0622a65c099cf6f44b62660a99498863297c78

memory/2664-361-0x0000000000300000-0x0000000000337000-memory.dmp

memory/2664-360-0x0000000000300000-0x0000000000337000-memory.dmp

C:\Windows\SysWOW64\Objaha32.exe

MD5 6bd9ad5e079319ed10884e227eeec86a
SHA1 7a0368c325c19532d7fbfb5d8b4f793ebdcb047f
SHA256 b794ebf6b3ab5e27388ffcbef6251207ac14c54ea34634edf5d67e18793ceb3c
SHA512 73d46059f200dda42f039565ee64366b92ff0eaca941e8ec1a40cde3f6af9bea3a1aafb7525132fbeb07a8573b72a86b5be94767dc9abf0ca5c1e3762a4e3286

memory/2656-373-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2808-372-0x0000000000250000-0x0000000000287000-memory.dmp

memory/2808-371-0x0000000000250000-0x0000000000287000-memory.dmp

C:\Windows\SysWOW64\Oeindm32.exe

MD5 882a66efbdfe6693d2632d6579c0b674
SHA1 7e2a8643b52436a91a206155741baf530d4f29aa
SHA256 2e0b0d6b28d427d5893bfbf854caa00e6fd985b510b49103c9405540127c964c
SHA512 1bd05ec04e8205ee2858564c79dc2ccef95978da08a04ad14d136ec5ea19578dfa8fb7b4e5834cec613fbae4669606f65ce148ddd0ef94faaecfa530381b1f7e

memory/2808-366-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Oiffkkbk.exe

MD5 074ba593b037ef5aaac2b7821c6cbd1f
SHA1 17350b8e4308b11421a1e9240c203809669ca2be
SHA256 58c18297ac91e2ee3c7ce83f01a70c8c9fae1ccf4c6508e4dba4e90a2444e3c2
SHA512 a4f26a8a94e1323d74265a00f4f4c3d74dd5e6e148e6777d48c280638cc7c18904cead38ac6b0a4db3199ab1f52224209d32e8b0bff694ab223d503ba64144af

memory/1488-386-0x0000000001F70000-0x0000000001FA7000-memory.dmp

memory/2396-385-0x0000000000300000-0x0000000000337000-memory.dmp

memory/2396-384-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1488-383-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2656-382-0x0000000000440000-0x0000000000477000-memory.dmp

memory/2692-395-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Opqoge32.exe

MD5 a1f7a8c97da49addcb065fcb7afee6c2
SHA1 312b0055859690378a738479c9d5e68d098e92c0
SHA256 3b9964922641b8720acbab9a9d2e9e73eb488eacc8336120614eba2e9b41bb47
SHA512 ccce6ad97e4254fc6a16c03b119c56a4c318c885930ff4f5c16b2de7e20cd4ea6a0c55315db8835b49e9c9a86e4dcba923b4d7f093481387856a5149309bd4aa

memory/2692-398-0x00000000002D0000-0x0000000000307000-memory.dmp

memory/3012-400-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2316-399-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2692-397-0x00000000002D0000-0x0000000000307000-memory.dmp

memory/2396-396-0x0000000000300000-0x0000000000337000-memory.dmp

memory/3012-406-0x0000000000440000-0x0000000000477000-memory.dmp

C:\Windows\SysWOW64\Pepcelel.exe

MD5 de8ac9583feb940c43daf11dc7493922
SHA1 6d0999a3bc302c209d1588de96f943b16d515942
SHA256 590572efcbc85f6bf846213210e5d3d94bb0ddcf9158c36ecc4075e43e656736
SHA512 0d2f56aa14ef6848ddad7df38434fc376c3b5d0576769e4d615042a5983b86d11441ed2fcaf90fd029ab9968372cdec90906e102bcaf96ca4eab033528e3669f

memory/3060-411-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2316-410-0x0000000000250000-0x0000000000287000-memory.dmp

memory/2948-422-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3060-421-0x0000000000440000-0x0000000000477000-memory.dmp

memory/2784-420-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Pljlbf32.exe

MD5 99a67794d12b14d432ce0f6cf6822e1a
SHA1 d309a3f16cf98c8ab0c704c1071f221e9ec2a1f3
SHA256 11da16ae6dc82e6a900f94770443077dee2022b5633233871aac5d5c0eae99fa
SHA512 0973a61af6c9b69a206b98b340d5cc8abfe9471ce99ec21064f5c64062ce03232f61cd82d9365f9f4e091956244773cf2c526836b135988ee5cb4df485b6db50

memory/2836-431-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Pebpkk32.exe

MD5 6d1081ebc7286624fa89b3a5e124cd34
SHA1 07802f4bda9964425941c1ee10ab658e1125dcd0
SHA256 8e65d1f712101c977cb98cd65a450abcf77b321cdf8a6216e816691512ec4539
SHA512 37a9bd74bc5de29d277b30f60f971f13cc2beeae9f23a769020a9737f087639feadec830d230f0c5b2595033bc1c906802b101af9c82c1cb53703a90c1a9bcdd

C:\Windows\SysWOW64\Pdeqfhjd.exe

MD5 a8b69f38e153864894bfe1e217d78d28
SHA1 a652ac68ec6f3da1929ebe7fb1a91393e205b9a2
SHA256 464be1c7874b0c5026233007921b824a3b730e70cc88299adc66828183ef2d5a
SHA512 127c14c58a9ffa615c39a2e9e621ad94dfcd5f53eb467f5192206b24707a45619d6e1bb1f6f82da0955334494a6572741b9eea705b8a37585cfb875cce4b6a5e

memory/2512-441-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1324-440-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2736-451-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Pgcmbcih.exe

MD5 29aa6bc990aa40d59fec85ed1214523e
SHA1 e5ec4d4c630e5a34d01e994e6f9a4c5367954c47
SHA256 453ebe78b1ba7012e35d664914673b009b13ed1c04fcd206d03d7b75e4f3a775
SHA512 8d52f382ac64a17d2a4a431907403da5ed302d40eb25602a50bbbb40f1f0c1ee8918c1b7b3717c5c5cebc9f0514b7720a66c6084b3ee2cd5e6275001c024a3c7

memory/2060-447-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2736-461-0x0000000000250000-0x0000000000287000-memory.dmp

C:\Windows\SysWOW64\Paiaplin.exe

MD5 723e9dbd20d46e6f421344689c6a2464
SHA1 a658faa002161be3c7b405b91b33d1c36c0fe236
SHA256 00704bb5b5013cf1ae0096a092abbc1ed7b22d901a01ca2fce7ddcb2940257ff
SHA512 4b419acef6f8aa6767b9fcbd648e3325f787a2d92ba897ef1dac48a6ff1a937301e44fa5c9f563f3b2d29c037f71ac1d5ce2956a7c304f8a3714a0f10a004808

memory/896-462-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2684-457-0x0000000000400000-0x0000000000437000-memory.dmp

memory/896-472-0x0000000000250000-0x0000000000287000-memory.dmp

C:\Windows\SysWOW64\Pidfdofi.exe

MD5 0c6f1153f8f5dbe599fcca87f52411be
SHA1 05262b411e7232245fb5a31fcd022a52aa27c692
SHA256 4948c79df1315ff4434cd3b3a5af514fa1627bfe620fc4c0bd6253a95154e90e
SHA512 f46770d4dc0eb1591c14dfa202717ade5bb3b3f70851b13ff35d505fa2785b40fc50df562ea955e10544f2146204c0daf09c7c554f3d5ce4e86d65655e6e05c9

C:\Windows\SysWOW64\Pgfjhcge.exe

MD5 57f649a85acfb0488eabbeb79dbfdfa5
SHA1 0f06ee9cbb80a6c524bce3396b7ea67343266bdd
SHA256 9fb335332d9586b26a04c8fb9705e2f092d7e6bd50e637c1c0543443cb1c5007
SHA512 65ab65acac55a13f1052d89ba3d937ddb981804f11df56fffd5f3426bb565b002078eec16169cdeaa58d63aecf8f067e16bcf5a354c631efe7f480a694cf44d3

memory/2704-467-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1100-490-0x00000000002A0000-0x00000000002D7000-memory.dmp

memory/1760-494-0x00000000002D0000-0x0000000000307000-memory.dmp

memory/2500-487-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Ppnnai32.exe

MD5 83a62aee5be1ba124c903b322f8929b6
SHA1 7127ef7d897c683342f5cffc49f61f017cd9ff6c
SHA256 38dcd4788cd6d004b0c2121c26540f84438fd899e9707900046f692f0bc42768
SHA512 5db04485a4b4fff41c5e59c9bdb8072b15f350b7c27005644bf02a83772dc9a00e3625c6a18b078f9277ec77d62c42a946be3c2b075d2e14db30331e0aed9453

C:\Windows\SysWOW64\Pdjjag32.exe

MD5 2cfc38693cc30bd8fb791d3b3b53bad8
SHA1 9b30e0325901976305b52c9dd0bc056bc37858a6
SHA256 8092b1f2731af7f3198c6effa70df307720a2e6166d4f8092aec7310a8a38fc2
SHA512 e3564cc598b56bcd0f93245f36ec3134ce26c7a0ceef570b8061e2b0d80239d2f0b9a808f175f9da3865000d88ffc1af6a66d67350fb7b0fc3d8ba57960461c8

memory/1760-483-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1100-482-0x00000000002A0000-0x00000000002D7000-memory.dmp

memory/3036-499-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1100-481-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Pleofj32.exe

MD5 62f0c019a27c2fc3565f05e7f8fd69a4
SHA1 15bface7f30de58de798cef5a4aadb21a3ae680b
SHA256 2bf64b73cc8c793ed77cc4a04c9f963fda1250a38cb2f164da1e66cb136af2c0
SHA512 961615e70f11fd9ad3c28cbd90cec54b2197c87fef7da99414b230c655cabc758bbe1303b6d7ea81db8cfa9d069ba4542b81f51e0ca5f62af233070495658bfa

C:\Windows\SysWOW64\Qdlggg32.exe

MD5 ba476c9867ace79e378c3d07ad518dae
SHA1 223e0f90079200610b952a7bba04c27e07c2d2b7
SHA256 ec52f00b97d44c233c51b6ba8c9c46e45789d604bf05f8c194863435e7982daa
SHA512 10ba221897f514a9cd49d50945343d7eae61481e5d50727513dc0b7aed66e91957120abe6dcef734e732b0c767eaccd8eb1a6fe6318efe9958e7aef1130cc86c

C:\Windows\SysWOW64\Qcogbdkg.exe

MD5 bb5e63928062eba2f05d2cd5f1eb3f21
SHA1 48c02dd028df7a01547ad80e756979813b29c1b8
SHA256 6e5fe797e4d37a2dbd05b6114f0c8c3826587e9eec7bf9bf439e2c8cc2fb8210
SHA512 cf4c1d0824239777173c1746d2b3719f7ef01836d3043d5c83fd9051363fa95517f1e4cecb1aba01227e4b9ac6960c3523b27334395ed020313ea9815bb46b95

C:\Windows\SysWOW64\Qkfocaki.exe

MD5 5ca120e51782439b3b5ddfc03f7d0a10
SHA1 5988a90e142bdc5c4d57e842d45c43969e02bcab
SHA256 1c959a959d8dad0a669a8234babeb7ef0fecafdb6b9368a1e4bd2cf757f3af35
SHA512 677c2d8f4a94db12ca624d6fe7e348ccf2585e34ccd71cf3f6b7d92a15d15937a3ceb8925c817565d3f316d5ef83f6573dbf450db00d277a1f0f00e9a6eaca41

C:\Windows\SysWOW64\Qlgkki32.exe

MD5 ddace3375a97c4705e7036ce70bc880e
SHA1 65b39d1bffbea2f825648d686ec51abdf6d9f53f
SHA256 c09a411c077f88cff65b098da3749c42ebb1bca383e89c20d8734fd951c6d596
SHA512 d595676de3ae00783b9c312e2b5fdd7f3b934e38b371db789aac6a81349ee123ef33ae8c7aec90c96ba575133de8952760ef6d703eb65880c255b3d2fa8eb399

C:\Windows\SysWOW64\Qdncmgbj.exe

MD5 0d88789d78661515a7d911e40991bae8
SHA1 da233608a17904d7a3ed9bc12784a423c38b46b5
SHA256 6f84a3033a095e7a4c01849f727115be8569fc8acd5cf41267e6b94931c4c831
SHA512 431aa20af5187cea9fd4828bfd7863c8863a74c47af16e8bc7949e0e6056bc691a656d20cba95bb71ef23fd3c5a165853c192f9a08702d47e658efdc1c648349

C:\Windows\SysWOW64\Qcachc32.exe

MD5 0858e32b5bc80bfee5501e99c5de0738
SHA1 a84180c77f6de5853c26197a015f108c527df048
SHA256 4ae9acf5dc3152931c996ea1c745db6f36e8ebf2a03527f2ae46c3413ba6c1f7
SHA512 9edc206d9d1520b87621b0bde54000946c1349dfacd75906f5d766c9b45b6b1f809a0ee9e709f7478bc7040c342af1b9620a512f9320faa67d1f85f02dfb0d80

C:\Windows\SysWOW64\Qeppdo32.exe

MD5 10c384e4495e986e853bb131c66d0cf0
SHA1 0156e08ddd3741a77394f4bc6a1f33451cf1a61b
SHA256 ee02e39d12efe89c8a9340e7a3ae52b7901fcb35ca0e7adaef183dc4c92cdd07
SHA512 8847e00349c3a0284789e7ac02f9c05b8db970a7b350d30bfa7fdd15d8b0a0feb277dd56f86d5ccf6367059ea4a35a7f561a86ca6ca7d49630bdbf9cedabb022

C:\Windows\SysWOW64\Alihaioe.exe

MD5 8fa6d702a20f15a09d5af6fcfe7465bb
SHA1 21cd7232ac73b016e931989fb18278f4e3dfa234
SHA256 83bec0e2aac8ec8c2e505ad1648abf3bb4ad7a632620fe6b4ebb36512a09e33d
SHA512 75a091cf90673e061b11f6594b7434a5ce8c00954ecfd1d9d9b9208e8a2864be0c82506e62804ca6cd461364f86de60e3de3dd036f84212f41b7eb1763554630

C:\Windows\SysWOW64\Aohdmdoh.exe

MD5 036763cbbb8d6e4398892af957fd2523
SHA1 3bf2338f40aecff387ed3d84a8e0801f059b0656
SHA256 85243a1feb7286357a4613f53ae1102cb2ddab3f87e886580979efa76cfb5636
SHA512 299f4ad349b2c0c1a0e86ae4adb08ced2171dcd9ae4d60a63e4e823ecee94ce6553691794e3742c74959ff3d8246fadce745a12901574d3cfa01775b67e05ed3

C:\Windows\SysWOW64\Accqnc32.exe

MD5 eb1131b89ab829e2ae8c2a4b92c22a70
SHA1 666252e38fac957d7a6ebe745a8747e3e0fe4e1b
SHA256 728720ba4101eef658ae3e2335896cdbd8664a51a2036f874bd5a1fcf00d453c
SHA512 5e108529190f562f439c19fb920135e7b65ba7313a70a4f4282dcb64c3638e73a2f45baae77978e381b4b439eabed2813e58221b5249200061866bfb15e27811

C:\Windows\SysWOW64\Ajmijmnn.exe

MD5 14d7c110a5fb4767ff28c0c9194c7491
SHA1 b7a8f835dc53fbdf5bcc92edce10d3383984cf38
SHA256 a4ddbd81c7d95fae786c76f8318b834d0b95f964d237deab68136d0ab9587d0e
SHA512 f4058799caf02af6354529b67280dd61b59e3ab8354405b6abf169635d56fb442eacceca083ba38ab2b89cdc47fde8de4ff194173c02aa05277f545eadb66fda

C:\Windows\SysWOW64\Ahpifj32.exe

MD5 9003878b662c7bc5536c9c45113dcc80
SHA1 06d97be75f1b3d550f5a9c8b5bfd0095254f9297
SHA256 6e96f4ba094e132d557a5ab0b7875b7557d509d32577f28888256f3b033ef1a8
SHA512 bff443a05e5b4f57b24c4f4f12bfc64559fdb83257a96d1ce4bc6d7f5b573796990caaab437289cab9731d7f345d08f3ce556294b7ed32b01915384ebb77270b

C:\Windows\SysWOW64\Apgagg32.exe

MD5 f324c6df9e89597c8c265bb6e4e2b556
SHA1 2aedfa00a44984c5e4e0046814e32c0631060eee
SHA256 d60a174379d97cdf8366d90ef28a3cd73fc2e22d94cfb35b6ea2abee04b03f5a
SHA512 fb6b50738a18e031864efbd3fa8457b7173ae5f15558f7f546570062cc7d3e795053ba5cdd0682ffd51a69747f109bc0ac375b6a2e40b18df014e069bd660a29

C:\Windows\SysWOW64\Aojabdlf.exe

MD5 1b0a966e048b5ff94c8705b6fe2dba19
SHA1 24bb7b5cd8b527156864f4fe4eb76eb326ef199e
SHA256 800293de7683bbb1d73550f63117c6299377ddfd65bc039c05c4c9cf4e6dcf84
SHA512 94ef642359a7bcf75009efe5ba3d2fa3d09b49c03b92a332b4efe32b2b3dadf5b753cb9d0a79d46fbf7a26357a815aecc7fcce8afbd344edb59209fe597e5549

C:\Windows\SysWOW64\Afdiondb.exe

MD5 b9b705c0bf26d2dd673935c25f4a2bc5
SHA1 b5d8f57cbcc4335930a98866cd70969bddb51dd5
SHA256 e97d4e5dd14763726e2a60d784241eca4e3dd3f747d7e0308c74f21def1bc0ca
SHA512 ff899b151953c35cb90b2a043faf0909a913f813ea530e5c8c6f4c9c72d5388cd6313445282a189142acfa0bc5b008d581ee651ffc1c0ae2288fc79fa5ee4634

C:\Windows\SysWOW64\Ajpepm32.exe

MD5 e4d4d16e8ee08171f0591916c0e617fd
SHA1 5512b5a71bbb0d776704921b8618fd6d6acc9db4
SHA256 021ca130b84e4703df083f9f3ec3f1f8adbfc15e992f7474e7aa51f01ceaf41c
SHA512 a6cdf16a47f8ec0246a155ebfbaef42171180c2e82b7401af195426f776fcf944f523912ce2e66ee8711d5b3c5ddde77c655d89dbd2b358509be0de4201939f2

C:\Windows\SysWOW64\Alnalh32.exe

MD5 f9e235bdd375dabc4e34b7ae3972c17d
SHA1 d555ca2b9c6b8610c83ffe447a979bf00b0ef0a7
SHA256 960567a1cc404c47252bcf1966ad66fdb2ac9c6f37306eac80d14d206c71740e
SHA512 fea05e794282509d7a6862bd17d57941d1d98bc20c6d50c88cf426f64b05dfec26e94311c3870e789b76ce03ceabf0f126fa428623e2a6f339248a36ef910bdf

C:\Windows\SysWOW64\Aomnhd32.exe

MD5 1f58d47ce827678814d295dcc750dc91
SHA1 f4db8a3e00fd71301ef3f88bf07a9eb38b6b9d38
SHA256 9e2ce7ce1c1e06624620d813739b11046dd55a8dfa4dd7b6ed9c6a8c31f554a3
SHA512 012eb43c96b062f4bca97aa0900b5ad2bdff85d8265e8da563a68bf922a0268bb22408b677392ded674927bc7e6a62b907db12022753be11834d971b20366d16

C:\Windows\SysWOW64\Aakjdo32.exe

MD5 9795dda7c6b271fb23be04c11a6ecda2
SHA1 ed4bf9c55ea0288b025cff95baea45c390a0946b
SHA256 a7f989b71a9369bdab8875208398d99e7e6ef5b4334497dd05d447f3823eda57
SHA512 c46352d6fa019c7f2bd7cff10ba92541978590b1a74898441518959786cce562c8a49db15e8b6373acac16e92f3d95d70dcc72120cc309fa3129908c56c13b05

C:\Windows\SysWOW64\Ahebaiac.exe

MD5 b0b2130311cb184b0c41bfbc10f75add
SHA1 f3727e2e9295b051d29332b3a634bb5ffcd99951
SHA256 25933536b57c1b81411c376349d7e0781a587b70390b92140bc25196a1540e3c
SHA512 a702db325c0f4fcfb7ee79c0c81462c0e7d316f11f05de2ec8748f78e4c30321ab2ac10650427c72f0b670cd6140b30302ed251c4a3a30bba2579f899cb0b962

C:\Windows\SysWOW64\Aoojnc32.exe

MD5 2daa7ffd431ef159e8901d4ca392085f
SHA1 bbb775dfe31710eac35cd900f5565a2b43509fe4
SHA256 e90c647cb64c02153e4d10bd71cad85ce9de714676f67072982195044a30bf18
SHA512 8fe1392fa7916c4a3bb1ba7d8a6e333398e7458b2a206602e3950b19c12091ee5c8f2f649813d591fae679d70f9b08ce4d1415ffecfca8f67883723c8d314211

C:\Windows\SysWOW64\Anbkipok.exe

MD5 a2a091ade54bfcd0dd427ba1baf3ee23
SHA1 78b36d52ffc45bc908a3de9229fe40ea0b697ead
SHA256 d12e589f25e833f63e6b46b322d82d4b9fb3ecec547bb3eb399772bd87a1e8bf
SHA512 dbf302d441eb1d0b47bc771aa9c9ebba5ea147ed716bee07a2ba6e887cdd8fdb84676cb16f3aab39fecc5d3446b8dc06c498ffd87e02e1e1afe13055b48c9d4b

C:\Windows\SysWOW64\Adlcfjgh.exe

MD5 44d201bce2a8cbd5aef74880ac48b4b4
SHA1 39b9fabedc4b6ea1a7ae7e6514602784055bcbb5
SHA256 92916e40d617a1e96f30d5ccb02c9142972a3e7a75d0d1cf37f37b607b72e7c1
SHA512 9fe4da166c2dc62b80f4e3230914bc6483bcc3428a565027d65791ba6d9854926c5e88661b27a9b2fe6bb0f5373ed9040675d63c87c7c363911027eca17cb5de

C:\Windows\SysWOW64\Agjobffl.exe

MD5 b30106dd62a6daf81eb074e20cab976f
SHA1 613d02eb1f7db04fd7e6791eaea5627b59e172fd
SHA256 a0f58a2c5bb28404e08125ebcb64eb2a428388cc19402dcb57aaef8da7267aee
SHA512 3ff78be52206d00ead81d7a22483d93182e1c0817cd80a109d8aeb4f689189671b6abc11040e27edcf1626708ea52daae78684b8333f5b3a7d8124dc9c787d0d

C:\Windows\SysWOW64\Andgop32.exe

MD5 86770f9f1f0f7736b7e67452eedbd9ad
SHA1 5838d0c3f95b0f1e5358a1342361d381bc344e55
SHA256 86a62c1670002da33e250f3bed1bebabd66b7e67086a4d45d8f7f04ff762e2cb
SHA512 f0d5a7d4006d5b4e9631fd496f24e117c0b48bf5da7cc73bfe4d518a86e464b7cf28629016bfd828e4d12a55d7a0ca8928f614c6e739a5e508ec6f5ae04e8947

C:\Windows\SysWOW64\Adnpkjde.exe

MD5 b07520f6cac19a085ef8d6ed4f161986
SHA1 326fb91997d4db93e8ae59ed20d43bda14cf0e24
SHA256 d50e7715f76e82e8e66706f43b51977255683c54bbf8eab6805f42ea329b904d
SHA512 c6ee8505a3cfbf10170304aef6e4a15d00972302d40389dafff7c78fbaa2f370e7ff6d53febffe06c3b55f9ab41c52366f1b4c47bc93df96743c78aa4098b73f

C:\Windows\SysWOW64\Bgllgedi.exe

MD5 c31df46ab22b09feaf9326f8a797b05a
SHA1 e021022ab48a7d6ddd02f03d40e11dcbfa73e57c
SHA256 b5a01675435d86dea319a5ca1376dece0f71bdb6544e155c3067d45c4c43cc33
SHA512 c2834067ef77c72b5a1bd1a8811d2dd68d90ec77ca6f06fcca162f3a816362fc1f63b7ed4a82800ddcda614fa62c5930e57e6bbe136402081e500afba02488aa

C:\Windows\SysWOW64\Bkhhhd32.exe

MD5 c4f22e0958b7796be3206ad45c82f3b8
SHA1 6618328bf9c40c677a4d72d28b685ee356e40a3f
SHA256 a4d5fe71d04835d44254bd30c62adf0ee862941ace5989ce6f7edc657fb0f170
SHA512 17c7fd8cb79a0e39f94479bf2c4f3e2d4f3e50658c72ca4c461cf98f8579f911edf0382bfe4ead3be99797c1357efb755c9b52ad148adae9276fc6ebe5bbde2d

C:\Windows\SysWOW64\Bnfddp32.exe

MD5 a82c9f8ee89b0808eb9d023c026d9d0d
SHA1 0300fd2e5093fc0beb6bb4ee2c9851c0198b8fc8
SHA256 3427d79a9285023fd74d64d94a3b0000123cf1944ade065a888bfbf24726756f
SHA512 64b2f768c928828833524666a55a02d3d96a8e7510b1c93d58fac244657482d0b659268b4da75a760bbab6c8318268bd93a89ddf5bc708e299fde8ddc4d4ea8d

C:\Windows\SysWOW64\Bbbpenco.exe

MD5 74d3d44a5ee6ad485f8adddecc8a65ea
SHA1 12e88d6def3e79f0e475a2aa487742e8f6b6ab59
SHA256 685184e5f329a132ba4ffae195ab2005026b6845ac3fe583d4688692e4501a2a
SHA512 f2640717b190d119be5c73a63862174f60915312b5ff1e42bd201074266ef19bffc8d0141bca6ec553121fcb18cc7163ac14404568b57935cca73059c7701317

C:\Windows\SysWOW64\Bccmmf32.exe

MD5 bef5e9d4d02fd3b31b167c0541bef0e7
SHA1 b178c5e4fc4034745ca0a196775c2f239110c7d2
SHA256 13f7753a7751f5f2a93feec1835c3793798c3d2495b564bdbb4afedab3d0e182
SHA512 0feba0245fc21c6b3bf8b5e90fde803e68fb4d4be0e43ae67c176fa8d8cc347c9b6d73ba34bd1d7cc9d05f5d00a038bd3ddf62d2b32d78cd877a4ba3f49bbaa5

C:\Windows\SysWOW64\Bjmeiq32.exe

MD5 763b8cedc17c73d12db8dd0dc72dfd77
SHA1 0230d3daf5ff0f162e501c3cb047b9ae94131308
SHA256 2317849632e0f78388f1be2a1f47426b35cde741b62f69cef42001f0cb8d9bf2
SHA512 a15c5e1eb800274e9709cb212cb7c5bbd98046b4cb7da6ad4e165787695c24249fb92104d4c7c980f289185c9494b737ca21dd062b24442d126b8c00e30d871c

C:\Windows\SysWOW64\Bmlael32.exe

MD5 8c861e67b1f4001bb2b98c4b4f7e8416
SHA1 e2517859bbce3919ca2662eb74163c6a378b0fbd
SHA256 56a95e37754d3d024d0508575bb9b0ba11d409bc223d9c5e5b6d4ec055648287
SHA512 69a1d8b72cc9673c1d4895c08e192b55f95e9e67671823e4f78bdaad4b9496f0ae316946dcd3d9d34122b70b6b7759a46476779d77514933233cccd30333d532

C:\Windows\SysWOW64\Bdcifi32.exe

MD5 b34e4f439e152898919511330798af31
SHA1 68684382acdfcfe1295204155785692787c1527f
SHA256 474a642b30ea5f60ee98c1dd412687a32935b0be683098dcb02804b0ef2625c9
SHA512 7929c616ec014e00753b1b4bf783b53eee95f910712318d2d10c58f56201bbc3cb4295dc216b59f08ad24571e1e3955484f2d7a053feeb99582842c53a722cff

C:\Windows\SysWOW64\Bfdenafn.exe

MD5 84309ab4a7c806e14385cd78565266a3
SHA1 0942015deb61c3c592afa9f1902b35bd48307776
SHA256 fcd97225d848dfd3aa749ec8a4698d855d7cec42b83c38025e01703f8f73109d
SHA512 92bf972b770e273f3dd08e23bdf9bfbacdeedec886d3ea36ff702512d1667f76c2475b78e2db5d57973df284ca603c1a92160866baf188c271c97eb3e0571bfa

C:\Windows\SysWOW64\Bjpaop32.exe

MD5 ff9e276c4b42f02750bb8c68b43d6549
SHA1 349ea58562031120689d059eedefe66f691c6ade
SHA256 88101bdc03b75cc27ee0c7fbcdf71b61d6c4666ed18d9350d8bc8bfe28f2256c
SHA512 14c3478c6bf743b23cae6247e449bf60ffee56f7945578dd3514cd122b86f6ff0e11df416f0506444baf21a36cd70bebc8b7e5c5f424effb4127a72c07c38c68

C:\Windows\SysWOW64\Bnknoogp.exe

MD5 86abba24db62d398bc0b919c5b13d14e
SHA1 cdb95e7de3186a3891d73b79b45e438b1f1d6d22
SHA256 d6ba161b103de476e01416b79e633de5ade5d1729181f4b79454755a013a6544
SHA512 3ff9f42799f5468daf31edcd743baabff26eef02fe211e8acf89d7ce861eda95f06b9228f50c519ba475c9cf9592eb4629caba5826e20e35ed4312d7d8a10774

C:\Windows\SysWOW64\Bqijljfd.exe

MD5 1ac8ca174b2386a076cbf314e3463e06
SHA1 8d81748e9a7f3ce31211c20854e6f3da6cbc766c
SHA256 48da81b4a9d65fb80d784bbe4bdb67dcd8f2fde23403b29db76681a34b064125
SHA512 db8a80a48abf2c517f2ca03ac176bd14cd7ac36b26412983ffaf30bae77fbf8b245f3aa502192300e0328db429c3253782c07d74d0b3af91ba088b817bce21bc

C:\Windows\SysWOW64\Boljgg32.exe

MD5 4caea0932de037f5f43a2f569dd9e10b
SHA1 7bcc1a7c32ea47f91ddb0bbd1dcd68edcac37a5f
SHA256 15cb46569a6c7819d4d7844fa1b98f229a4464f69d3a3dab626998b545c7c5e5
SHA512 21e02834df62db8e2aeedc4fc438a02d70840bb1587f4afe97846d11dae6550032b155580a9b073590214c7cb6ae625d4a18ae2d1a5e7b3932fd1eee5b6480f8

C:\Windows\SysWOW64\Bffbdadk.exe

MD5 9880aec7006aa3a71c11a95565ba4cf2
SHA1 5b21db9d3af30f1eabd7116723933aef5693f577
SHA256 740b734bafe2782151ee5edb1fe49d47a5181cf0215c8b6c432f7f3f2481158a
SHA512 513fdcf863a512eefbbd80970b3226bede4f781cac4b023f88282f48d0fb971736e27684e4351005cadef78b211ca471f545294ca6690379c9a4af4b6e7e88ce

C:\Windows\SysWOW64\Bieopm32.exe

MD5 ff3d557c29be7815be8711f84db3d72e
SHA1 029e323a52b344b6784761a1f3e70b6f4e4e0120
SHA256 4210779d062af8795ccfde806142c119a5717400b79b5156cbc58968d31ba775
SHA512 41b90642242ce0cb4f823da0c43ffefed8187396d6ac1e8520456903f42f63949dc885fc3789ad4e4d3aa3293b7980d99d0aa29a5fa2cc33db45b015c83e89c4

C:\Windows\SysWOW64\Bqlfaj32.exe

MD5 0c37773f71cbeef3ef392529ed213206
SHA1 b4e925f7401eaf25a30b8a3c85bb73125049ce2c
SHA256 e269a2249f548abb23f5c0612914e017e0f6c900e5c4b4b930f3cdc74670b20c
SHA512 73788bddaab4be8eb5ac376a53ab2db4929d4d31e5f4e7aee69da58946af3153ce6ebd530e3ca104b9af97aa58d760046ff6007b877bb6f5103d3aa808438198

C:\Windows\SysWOW64\Bbmcibjp.exe

MD5 4a53bb6932168b72b5b263919f60bee8
SHA1 dd55b0da951d9b047827c7e15408b69a1be75bc3
SHA256 23cf9fd0003b37563316a27f3d1bb5f5c8dd8a02484428fb3bd3eb0a85a48a00
SHA512 5a8047b2bd8153ed0ea9f38e612141cbf5f4a651916bfa54c5cae3bcd309db672fa9d2d8b18c9a014719e35a2f73e9aa91a28bfe521331eb0a1b7d9abbc38959

C:\Windows\SysWOW64\Bjdkjpkb.exe

MD5 ca5535de12dabc8a3ca3c674a0bfe3b9
SHA1 f4dd6ae40f52efc8cfcf3fcbbea6261774cd36fb
SHA256 49df7e096f5b656fefc36494d3bef6204cf931138b2ea6f8c83f5c28f10ea91b
SHA512 6f7618a30831f05e28eaa034d527c5e0c9e2dec93f4659b23d6e6bc92c94e1322e518ce443504591afc71ab15c34e1d9271a513a38c8c18f9469a9d157913639

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 14:19

Reported

2024-11-10 14:21

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Djgjlelk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cdcoim32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjpckf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dkifae32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdabcm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmiflbel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Caebma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkifae32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ceckcp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Danecp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dddhpjof.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Caebma32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdcoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cnicfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Danecp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnicfe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chcddk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cegdnopg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djgjlelk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dmjocp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cjpckf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfiafg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dfiafg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmefhako.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cdabcm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceckcp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cmiflbel.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cegdnopg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dddhpjof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Chcddk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dmefhako.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Doilmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Doilmc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfpgffpm.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ceehho32.exe C:\Windows\SysWOW64\Cjpckf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Cjbpaf32.exe N/A
File created C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\SysWOW64\Dmefhako.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\SysWOW64\Dmefhako.exe N/A
File opened for modification C:\Windows\SysWOW64\Dddhpjof.exe C:\Windows\SysWOW64\Dmjocp32.exe N/A
File created C:\Windows\SysWOW64\Bbloam32.dll C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceckcp32.exe C:\Windows\SysWOW64\Cnicfe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cfdhkhjj.exe C:\Windows\SysWOW64\Ceckcp32.exe N/A
File created C:\Windows\SysWOW64\Mjelcfha.dll C:\Windows\SysWOW64\Dmefhako.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkifae32.exe C:\Windows\SysWOW64\Ddonekbl.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmjocp32.exe C:\Windows\SysWOW64\Dfpgffpm.exe N/A
File opened for modification C:\Windows\SysWOW64\Dgbdlf32.exe C:\Windows\SysWOW64\Dddhpjof.exe N/A
File created C:\Windows\SysWOW64\Diphbb32.dll C:\Windows\SysWOW64\Dgbdlf32.exe N/A
File created C:\Windows\SysWOW64\Cfdhkhjj.exe C:\Windows\SysWOW64\Ceckcp32.exe N/A
File created C:\Windows\SysWOW64\Ghilmi32.dll C:\Windows\SysWOW64\Ceckcp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Danecp32.exe C:\Windows\SysWOW64\Dfiafg32.exe N/A
File created C:\Windows\SysWOW64\Kngpec32.dll C:\Windows\SysWOW64\Doilmc32.exe N/A
File created C:\Windows\SysWOW64\Omocan32.dll C:\Windows\SysWOW64\Cdabcm32.exe N/A
File created C:\Windows\SysWOW64\Gifhkeje.dll C:\Windows\SysWOW64\Dkifae32.exe N/A
File opened for modification C:\Windows\SysWOW64\Doilmc32.exe C:\Windows\SysWOW64\Dgbdlf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdcoim32.exe C:\Windows\SysWOW64\Caebma32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjbpaf32.exe C:\Windows\SysWOW64\Chcddk32.exe N/A
File created C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Cjbpaf32.exe N/A
File created C:\Windows\SysWOW64\Cdabcm32.exe C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe N/A
File opened for modification C:\Windows\SysWOW64\Cdabcm32.exe C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmiflbel.exe C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
File created C:\Windows\SysWOW64\Jekpanpa.dll C:\Windows\SysWOW64\Cjpckf32.exe N/A
File created C:\Windows\SysWOW64\Bilonkon.dll C:\Windows\SysWOW64\Ceehho32.exe N/A
File created C:\Windows\SysWOW64\Mgcail32.dll C:\Windows\SysWOW64\Cjbpaf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfiafg32.exe C:\Windows\SysWOW64\Cegdnopg.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmefhako.exe C:\Windows\SysWOW64\Djgjlelk.exe N/A
File created C:\Windows\SysWOW64\Bhicommo.dll C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe N/A
File created C:\Windows\SysWOW64\Cjkjpgfi.exe C:\Windows\SysWOW64\Cdabcm32.exe N/A
File created C:\Windows\SysWOW64\Cacamdcd.dll C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
File created C:\Windows\SysWOW64\Bobiobnp.dll C:\Windows\SysWOW64\Dfpgffpm.exe N/A
File created C:\Windows\SysWOW64\Gfghpl32.dll C:\Windows\SysWOW64\Dddhpjof.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhhnpjmh.exe C:\Windows\SysWOW64\Danecp32.exe N/A
File created C:\Windows\SysWOW64\Dfpgffpm.exe C:\Windows\SysWOW64\Ddakjkqi.exe N/A
File opened for modification C:\Windows\SysWOW64\Caebma32.exe C:\Windows\SysWOW64\Cmiflbel.exe N/A
File created C:\Windows\SysWOW64\Dmefhako.exe C:\Windows\SysWOW64\Djgjlelk.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddakjkqi.exe C:\Windows\SysWOW64\Dkifae32.exe N/A
File created C:\Windows\SysWOW64\Cjpckf32.exe C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
File created C:\Windows\SysWOW64\Dhhnpjmh.exe C:\Windows\SysWOW64\Danecp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Chcddk32.exe C:\Windows\SysWOW64\Ceehho32.exe N/A
File created C:\Windows\SysWOW64\Dfiafg32.exe C:\Windows\SysWOW64\Cegdnopg.exe N/A
File created C:\Windows\SysWOW64\Danecp32.exe C:\Windows\SysWOW64\Dfiafg32.exe N/A
File created C:\Windows\SysWOW64\Dkifae32.exe C:\Windows\SysWOW64\Ddonekbl.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfpgffpm.exe C:\Windows\SysWOW64\Ddakjkqi.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjkjpgfi.exe C:\Windows\SysWOW64\Cdabcm32.exe N/A
File created C:\Windows\SysWOW64\Cdcoim32.exe C:\Windows\SysWOW64\Caebma32.exe N/A
File created C:\Windows\SysWOW64\Ckmllpik.dll C:\Windows\SysWOW64\Cdcoim32.exe N/A
File created C:\Windows\SysWOW64\Doilmc32.exe C:\Windows\SysWOW64\Dgbdlf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Doilmc32.exe N/A
File created C:\Windows\SysWOW64\Eifnachf.dll C:\Windows\SysWOW64\Cnicfe32.exe N/A
File created C:\Windows\SysWOW64\Pdheac32.dll C:\Windows\SysWOW64\Ddonekbl.exe N/A
File created C:\Windows\SysWOW64\Dmjocp32.exe C:\Windows\SysWOW64\Dfpgffpm.exe N/A
File created C:\Windows\SysWOW64\Kmdjdl32.dll C:\Windows\SysWOW64\Ddakjkqi.exe N/A
File opened for modification C:\Windows\SysWOW64\Ceehho32.exe C:\Windows\SysWOW64\Cjpckf32.exe N/A
File created C:\Windows\SysWOW64\Agjbpg32.dll C:\Windows\SysWOW64\Dfiafg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Djgjlelk.exe C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjpckf32.exe C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
File created C:\Windows\SysWOW64\Jgilhm32.dll C:\Windows\SysWOW64\Chcddk32.exe N/A
File created C:\Windows\SysWOW64\Kkmjgool.dll C:\Windows\SysWOW64\Cegdnopg.exe N/A
File created C:\Windows\SysWOW64\Beeppfin.dll C:\Windows\SysWOW64\Dhhnpjmh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmiflbel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Caebma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cegdnopg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Danecp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdabcm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dddhpjof.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnicfe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceckcp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Doilmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfiafg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceehho32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djgjlelk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkifae32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chcddk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmefhako.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdcoim32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjpckf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmllipeg.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cegdnopg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" C:\Windows\SysWOW64\Doilmc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cdcoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll" C:\Windows\SysWOW64\Cdcoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dddhpjof.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Doilmc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cnicfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dfiafg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll" C:\Windows\SysWOW64\Cdabcm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ceckcp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjpckf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll" C:\Windows\SysWOW64\Cegdnopg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dkifae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll" C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll" C:\Windows\SysWOW64\Caebma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll" C:\Windows\SysWOW64\Djgjlelk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnicfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll" C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cdabcm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Danecp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Djgjlelk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll" C:\Windows\SysWOW64\Dmefhako.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll" C:\Windows\SysWOW64\Dkifae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chcddk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll" C:\Windows\SysWOW64\Danecp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll" C:\Windows\SysWOW64\Cmiflbel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll" C:\Windows\SysWOW64\Ceckcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll" C:\Windows\SysWOW64\Ceehho32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Danecp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dddhpjof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" C:\Windows\SysWOW64\Dddhpjof.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cmiflbel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll" C:\Windows\SysWOW64\Cnicfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dmefhako.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkifae32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll" C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdabcm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Caebma32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ceckcp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cjkjpgfi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Chcddk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll" C:\Windows\SysWOW64\Dmjocp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll" C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Caebma32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cegdnopg.exe N/A
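The rows above show the persistence mechanism behind the "Adds autorun key to be loaded by Explorer.exe" signature: eight different stage executables each point the same CLSID's InProcServer32 default value at their own dropped DLL under SysWow64 (Ghilmi32.dll, Bilonkon.dll, Gfghpl32.dll, Eifnachf.dll, Mgcail32.dll, Bobiobnp.dll, Amjknl32.dll, Diphbb32.dll) and set ThreadingModel to Apartment, so whichever stage wrote last is the DLL Explorer will load. The Python below is an added example, not part of the sandbox report or of the sample: it parses rows in this report's layout, resolves each ShellServiceObjectDelayLoad entry to its CLSID, and lists every DLL registered as that CLSID's in-process server together with the process that registered it. The InProcServer32 rows are copied from the table above; the ShellServiceObjectDelayLoad row (entry name "Example Entry", writer Example32.exe) is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed input. InProcServer32 rows are copied from the report above; the
# ShellServiceObjectDelayLoad row ("Example Entry", Example32.exe) is made up
# to show how an SSODL entry name resolves to the CLSID and then to a DLL.
REGISTRY_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Example Entry = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Example32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ceckcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll" C:\Windows\SysWOW64\Ceckcp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll" C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll" C:\Windows\SysWOW64\Dddhpjof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll" C:\Windows\SysWOW64\Cnicfe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll" C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll" C:\Windows\SysWOW64\Dmjocp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll" C:\Windows\SysWOW64\Dgbdlf32.exe N/A
'''

# Row layouts used by the report: 'Set value (<type>) <path> = "<data>" <process> <target>'
# and 'Key created <path> <process> <target>'. Paths may contain spaces, hence the
# non-greedy path group anchored by the two trailing tokens.
SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.*?) = "([^"]*)" (\S+) (\S+)$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.*?) (\S+) (\S+)$')
CLSID_KEY_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32$')
SSODL_KEY_SUFFIX = '\\SHELLSERVICEOBJECTDELAYLOAD'


def parse_events(text):
    """Turn report rows into dicts with op, key, value name, data and writing process."""
    events = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            _vtype, path, data, proc, _target = m.groups()
            key, _, name = path.rpartition('\\')   # trailing '\' means the default value
            events.append({'op': 'set', 'key': key, 'name': name or '(Default)',
                           'data': data.replace('\\\\', '\\'), 'proc': proc})
            continue
        m = KEY_RE.match(line)
        if m:
            path, proc, _target = m.groups()
            events.append({'op': 'create', 'key': path, 'name': None, 'data': None, 'proc': proc})
    return events


def ssodl_findings(events):
    """Resolve each SSODL entry to its CLSID and to every DLL registered as that
    CLSID's in-process server, in the order the rows were listed."""
    entries = {}                   # SSODL value name -> CLSID
    servers = defaultdict(list)    # CLSID -> [(dll, writing process), ...]
    threading = defaultdict(set)   # CLSID -> ThreadingModel values seen
    for ev in events:
        if ev['op'] != 'set':
            continue
        if ev['key'].upper().endswith(SSODL_KEY_SUFFIX):
            entries[ev['name']] = ev['data'].upper()
            continue
        m = CLSID_KEY_RE.search(ev['key'])
        if not m:
            continue
        clsid = m.group(1).upper()
        if ev['name'] == '(Default)':
            servers[clsid].append((ev['data'], ev['proc']))
        elif ev['name'].lower() == 'threadingmodel':
            threading[clsid].add(ev['data'])
    findings = []
    for name, clsid in entries.items():
        hist = servers.get(clsid, [])
        writers = {p for _, p in hist}
        findings.append({
            'entry': name,
            'clsid': clsid,
            'effective_dll': hist[-1][0] if hist else None,   # last listed writer wins
            'dlls': [d for d, _ in hist],
            'writers': sorted(writers),
            'threading': sorted(threading.get(clsid, ())),
            # One CLSID's server rewritten by several processes is the stage-chain pattern above.
            'rewritten_by_multiple_processes': len(writers) > 1,
        })
    return findings


if __name__ == '__main__':
    for f in ssodl_findings(parse_events(REGISTRY_ROWS)):
        print(f"SSODL '{f['entry']}' -> {f['clsid']}")
        print(f"  effective InProcServer32: {f['effective_dll']}")
        print(f"  {len(f['dlls'])} server writes by {len(f['writers'])} processes, ThreadingModel={f['threading']}")
```

Row order in a sandbox table is not guaranteed to be chronological, so "effective" here means last listed. On a live host, read the InProcServer32 default value under HKLM\SOFTWARE\Classes\CLSID\{...} and its Wow6432Node mirror directly, and treat an SSODL entry whose server DLL is unsigned or has a name like the ones above as the artefact to remove before rebooting, since Explorer loads it at every logon.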

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1592 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe C:\Windows\SysWOW64\Cdabcm32.exe
PID 1592 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe C:\Windows\SysWOW64\Cdabcm32.exe
PID 1592 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe C:\Windows\SysWOW64\Cdabcm32.exe
PID 2360 wrote to memory of 2228 N/A C:\Windows\SysWOW64\Cdabcm32.exe C:\Windows\SysWOW64\Cjkjpgfi.exe
PID 2360 wrote to memory of 2228 N/A C:\Windows\SysWOW64\Cdabcm32.exe C:\Windows\SysWOW64\Cjkjpgfi.exe
PID 2360 wrote to memory of 2228 N/A C:\Windows\SysWOW64\Cdabcm32.exe C:\Windows\SysWOW64\Cjkjpgfi.exe
PID 2228 wrote to memory of 1264 N/A C:\Windows\SysWOW64\Cjkjpgfi.exe C:\Windows\SysWOW64\Cmiflbel.exe
PID 2228 wrote to memory of 1264 N/A C:\Windows\SysWOW64\Cjkjpgfi.exe C:\Windows\SysWOW64\Cmiflbel.exe
PID 2228 wrote to memory of 1264 N/A C:\Windows\SysWOW64\Cjkjpgfi.exe C:\Windows\SysWOW64\Cmiflbel.exe
PID 1264 wrote to memory of 2324 N/A C:\Windows\SysWOW64\Cmiflbel.exe C:\Windows\SysWOW64\Caebma32.exe
PID 1264 wrote to memory of 2324 N/A C:\Windows\SysWOW64\Cmiflbel.exe C:\Windows\SysWOW64\Caebma32.exe
PID 1264 wrote to memory of 2324 N/A C:\Windows\SysWOW64\Cmiflbel.exe C:\Windows\SysWOW64\Caebma32.exe
PID 2324 wrote to memory of 468 N/A C:\Windows\SysWOW64\Caebma32.exe C:\Windows\SysWOW64\Cdcoim32.exe
PID 2324 wrote to memory of 468 N/A C:\Windows\SysWOW64\Caebma32.exe C:\Windows\SysWOW64\Cdcoim32.exe
PID 2324 wrote to memory of 468 N/A C:\Windows\SysWOW64\Caebma32.exe C:\Windows\SysWOW64\Cdcoim32.exe
PID 468 wrote to memory of 3452 N/A C:\Windows\SysWOW64\Cdcoim32.exe C:\Windows\SysWOW64\Cnicfe32.exe
PID 468 wrote to memory of 3452 N/A C:\Windows\SysWOW64\Cdcoim32.exe C:\Windows\SysWOW64\Cnicfe32.exe
PID 468 wrote to memory of 3452 N/A C:\Windows\SysWOW64\Cdcoim32.exe C:\Windows\SysWOW64\Cnicfe32.exe
PID 3452 wrote to memory of 516 N/A C:\Windows\SysWOW64\Cnicfe32.exe C:\Windows\SysWOW64\Ceckcp32.exe
PID 3452 wrote to memory of 516 N/A C:\Windows\SysWOW64\Cnicfe32.exe C:\Windows\SysWOW64\Ceckcp32.exe
PID 3452 wrote to memory of 516 N/A C:\Windows\SysWOW64\Cnicfe32.exe C:\Windows\SysWOW64\Ceckcp32.exe
PID 516 wrote to memory of 112 N/A C:\Windows\SysWOW64\Ceckcp32.exe C:\Windows\SysWOW64\Cfdhkhjj.exe
PID 516 wrote to memory of 112 N/A C:\Windows\SysWOW64\Ceckcp32.exe C:\Windows\SysWOW64\Cfdhkhjj.exe
PID 516 wrote to memory of 112 N/A C:\Windows\SysWOW64\Ceckcp32.exe C:\Windows\SysWOW64\Cfdhkhjj.exe
PID 112 wrote to memory of 3304 N/A C:\Windows\SysWOW64\Cfdhkhjj.exe C:\Windows\SysWOW64\Cjpckf32.exe
PID 112 wrote to memory of 3304 N/A C:\Windows\SysWOW64\Cfdhkhjj.exe C:\Windows\SysWOW64\Cjpckf32.exe
PID 112 wrote to memory of 3304 N/A C:\Windows\SysWOW64\Cfdhkhjj.exe C:\Windows\SysWOW64\Cjpckf32.exe
PID 3304 wrote to memory of 2156 N/A C:\Windows\SysWOW64\Cjpckf32.exe C:\Windows\SysWOW64\Ceehho32.exe
PID 3304 wrote to memory of 2156 N/A C:\Windows\SysWOW64\Cjpckf32.exe C:\Windows\SysWOW64\Ceehho32.exe
PID 3304 wrote to memory of 2156 N/A C:\Windows\SysWOW64\Cjpckf32.exe C:\Windows\SysWOW64\Ceehho32.exe
PID 2156 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Ceehho32.exe C:\Windows\SysWOW64\Chcddk32.exe
PID 2156 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Ceehho32.exe C:\Windows\SysWOW64\Chcddk32.exe
PID 2156 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Ceehho32.exe C:\Windows\SysWOW64\Chcddk32.exe
PID 1624 wrote to memory of 4144 N/A C:\Windows\SysWOW64\Chcddk32.exe C:\Windows\SysWOW64\Cjbpaf32.exe
PID 1624 wrote to memory of 4144 N/A C:\Windows\SysWOW64\Chcddk32.exe C:\Windows\SysWOW64\Cjbpaf32.exe
PID 1624 wrote to memory of 4144 N/A C:\Windows\SysWOW64\Chcddk32.exe C:\Windows\SysWOW64\Cjbpaf32.exe
PID 4144 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Cjbpaf32.exe C:\Windows\SysWOW64\Cegdnopg.exe
PID 4144 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Cjbpaf32.exe C:\Windows\SysWOW64\Cegdnopg.exe
PID 4144 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Cjbpaf32.exe C:\Windows\SysWOW64\Cegdnopg.exe
PID 1936 wrote to memory of 4676 N/A C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Dfiafg32.exe
PID 1936 wrote to memory of 4676 N/A C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Dfiafg32.exe
PID 1936 wrote to memory of 4676 N/A C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Dfiafg32.exe
PID 4676 wrote to memory of 4048 N/A C:\Windows\SysWOW64\Dfiafg32.exe C:\Windows\SysWOW64\Danecp32.exe
PID 4676 wrote to memory of 4048 N/A C:\Windows\SysWOW64\Dfiafg32.exe C:\Windows\SysWOW64\Danecp32.exe
PID 4676 wrote to memory of 4048 N/A C:\Windows\SysWOW64\Dfiafg32.exe C:\Windows\SysWOW64\Danecp32.exe
PID 4048 wrote to memory of 3184 N/A C:\Windows\SysWOW64\Danecp32.exe C:\Windows\SysWOW64\Dhhnpjmh.exe
PID 4048 wrote to memory of 3184 N/A C:\Windows\SysWOW64\Danecp32.exe C:\Windows\SysWOW64\Dhhnpjmh.exe
PID 4048 wrote to memory of 3184 N/A C:\Windows\SysWOW64\Danecp32.exe C:\Windows\SysWOW64\Dhhnpjmh.exe
PID 3184 wrote to memory of 4972 N/A C:\Windows\SysWOW64\Dhhnpjmh.exe C:\Windows\SysWOW64\Djgjlelk.exe
PID 3184 wrote to memory of 4972 N/A C:\Windows\SysWOW64\Dhhnpjmh.exe C:\Windows\SysWOW64\Djgjlelk.exe
PID 3184 wrote to memory of 4972 N/A C:\Windows\SysWOW64\Dhhnpjmh.exe C:\Windows\SysWOW64\Djgjlelk.exe
PID 4972 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Djgjlelk.exe C:\Windows\SysWOW64\Dmefhako.exe
PID 4972 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Djgjlelk.exe C:\Windows\SysWOW64\Dmefhako.exe
PID 4972 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Djgjlelk.exe C:\Windows\SysWOW64\Dmefhako.exe
PID 2880 wrote to memory of 1328 N/A C:\Windows\SysWOW64\Dmefhako.exe C:\Windows\SysWOW64\Ddonekbl.exe
PID 2880 wrote to memory of 1328 N/A C:\Windows\SysWOW64\Dmefhako.exe C:\Windows\SysWOW64\Ddonekbl.exe
PID 2880 wrote to memory of 1328 N/A C:\Windows\SysWOW64\Dmefhako.exe C:\Windows\SysWOW64\Ddonekbl.exe
PID 1328 wrote to memory of 4072 N/A C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\SysWOW64\Dkifae32.exe
PID 1328 wrote to memory of 4072 N/A C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\SysWOW64\Dkifae32.exe
PID 1328 wrote to memory of 4072 N/A C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\SysWOW64\Dkifae32.exe
PID 4072 wrote to memory of 5000 N/A C:\Windows\SysWOW64\Dkifae32.exe C:\Windows\SysWOW64\Ddakjkqi.exe
PID 4072 wrote to memory of 5000 N/A C:\Windows\SysWOW64\Dkifae32.exe C:\Windows\SysWOW64\Ddakjkqi.exe
PID 4072 wrote to memory of 5000 N/A C:\Windows\SysWOW64\Dkifae32.exe C:\Windows\SysWOW64\Ddakjkqi.exe
PID 5000 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Ddakjkqi.exe C:\Windows\SysWOW64\Dfpgffpm.exe
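Each hop in the table above is listed three times, and the parent/target pairs line up with the Processes list that follows: the submitted executable launches Cdabcm32.exe, which launches Cjkjpgfi.exe, and so on, 22 hops deep, every child being a freshly dropped executable under C:\Windows\SysWOW64. The Python below is an added example, not part of the sandbox report or of the sample, that rebuilds that spawn chain from rows in this layout, collapses the triplicated entries, and flags the drop-and-launch pattern (a long linear chain of distinct executables under SysWOW64). The input rows are copied from the table above; the depth threshold of five hops is an assumption chosen for the example.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: the 22 parent->child hops from the table above. The report
# lists every hop three times; the first hop is kept in triplicate here.
WPM_ROWS = r'''
PID 1592 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe C:\Windows\SysWOW64\Cdabcm32.exe
PID 1592 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe C:\Windows\SysWOW64\Cdabcm32.exe
PID 1592 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe C:\Windows\SysWOW64\Cdabcm32.exe
PID 2360 wrote to memory of 2228 N/A C:\Windows\SysWOW64\Cdabcm32.exe C:\Windows\SysWOW64\Cjkjpgfi.exe
PID 2228 wrote to memory of 1264 N/A C:\Windows\SysWOW64\Cjkjpgfi.exe C:\Windows\SysWOW64\Cmiflbel.exe
PID 1264 wrote to memory of 2324 N/A C:\Windows\SysWOW64\Cmiflbel.exe C:\Windows\SysWOW64\Caebma32.exe
PID 2324 wrote to memory of 468 N/A C:\Windows\SysWOW64\Caebma32.exe C:\Windows\SysWOW64\Cdcoim32.exe
PID 468 wrote to memory of 3452 N/A C:\Windows\SysWOW64\Cdcoim32.exe C:\Windows\SysWOW64\Cnicfe32.exe
PID 3452 wrote to memory of 516 N/A C:\Windows\SysWOW64\Cnicfe32.exe C:\Windows\SysWOW64\Ceckcp32.exe
PID 516 wrote to memory of 112 N/A C:\Windows\SysWOW64\Ceckcp32.exe C:\Windows\SysWOW64\Cfdhkhjj.exe
PID 112 wrote to memory of 3304 N/A C:\Windows\SysWOW64\Cfdhkhjj.exe C:\Windows\SysWOW64\Cjpckf32.exe
PID 3304 wrote to memory of 2156 N/A C:\Windows\SysWOW64\Cjpckf32.exe C:\Windows\SysWOW64\Ceehho32.exe
PID 2156 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Ceehho32.exe C:\Windows\SysWOW64\Chcddk32.exe
PID 1624 wrote to memory of 4144 N/A C:\Windows\SysWOW64\Chcddk32.exe C:\Windows\SysWOW64\Cjbpaf32.exe
PID 4144 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Cjbpaf32.exe C:\Windows\SysWOW64\Cegdnopg.exe
PID 1936 wrote to memory of 4676 N/A C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Dfiafg32.exe
PID 4676 wrote to memory of 4048 N/A C:\Windows\SysWOW64\Dfiafg32.exe C:\Windows\SysWOW64\Danecp32.exe
PID 4048 wrote to memory of 3184 N/A C:\Windows\SysWOW64\Danecp32.exe C:\Windows\SysWOW64\Dhhnpjmh.exe
PID 3184 wrote to memory of 4972 N/A C:\Windows\SysWOW64\Dhhnpjmh.exe C:\Windows\SysWOW64\Djgjlelk.exe
PID 4972 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Djgjlelk.exe C:\Windows\SysWOW64\Dmefhako.exe
PID 2880 wrote to memory of 1328 N/A C:\Windows\SysWOW64\Dmefhako.exe C:\Windows\SysWOW64\Ddonekbl.exe
PID 1328 wrote to memory of 4072 N/A C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\SysWOW64\Dkifae32.exe
PID 4072 wrote to memory of 5000 N/A C:\Windows\SysWOW64\Dkifae32.exe C:\Windows\SysWOW64\Ddakjkqi.exe
PID 5000 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Ddakjkqi.exe C:\Windows\SysWOW64\Dfpgffpm.exe
'''

# Row layout: 'PID <ppid> wrote to memory of <cpid> <indicator> <parent exe> <child exe>'
WRITE_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$')
SYSWOW64 = PureWindowsPath(r'C:\Windows\SysWOW64')


def parse_writes(text):
    """Unique (parent_pid, child_pid, parent_exe, child_exe) tuples in first-seen order."""
    seen, edges = set(), []
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line)
        if not m:
            continue
        ppid, cpid, _indicator, pexe, cexe = m.groups()
        edge = (int(ppid), int(cpid), pexe, cexe)
        if edge not in seen:          # collapse the repeated rows per spawn
            seen.add(edge)
            edges.append(edge)
    return edges


def longest_chain(edges, root):
    """Longest parent->child PID path from root (iterative DFS; a PID already on
    the path is not revisited, so PID reuse cannot make it loop)."""
    children = defaultdict(list)
    for ppid, cpid, _, _ in edges:
        children[ppid].append(cpid)
    best, stack = [root], [[root]]
    while stack:
        path = stack.pop()
        if len(path) > len(best):
            best = path
        stack.extend(path + [c] for c in children[path[-1]] if c not in path)
    return best


def chain_report(text, min_depth=5):
    """Summarise the spawn chain and flag the drop-and-launch pattern: a chain at
    least min_depth hops deep whose children are all distinct executables in SysWOW64.
    min_depth=5 is an assumed threshold for this example, not a value from the report."""
    edges = parse_writes(text)
    exe_of = {}
    for ppid, cpid, pexe, cexe in edges:
        exe_of.setdefault(ppid, pexe)
        exe_of.setdefault(cpid, cexe)
    child_pids = {cpid for _, cpid, _, _ in edges}
    root = min(ppid for ppid, _, _, _ in edges if ppid not in child_pids)
    chain = longest_chain(edges, root)
    spawned = [exe_of[p] for p in chain[1:]]
    names = [PureWindowsPath(e).name.lower() for e in spawned]
    in_syswow64 = all(PureWindowsPath(e).parent == SYSWOW64 for e in spawned)
    distinct = len(set(names)) == len(names)
    depth = len(chain) - 1
    return {
        'root_pid': root,
        'root_exe': exe_of[root],
        'chain': chain,
        'depth': depth,
        'spawned': spawned,
        'all_in_syswow64': in_syswow64,
        'all_distinct': distinct,
        'flagged': depth >= min_depth and in_syswow64 and distinct,
    }


if __name__ == '__main__':
    r = chain_report(WPM_ROWS)
    print(f"root PID {r['root_pid']} ({PureWindowsPath(r['root_exe']).name})")
    print(f"chain depth {r['depth']}, flagged={r['flagged']}")
    print(' -> '.join(str(p) for p in r['chain']))
```

The same parent/child pairing is what an EDR process-creation log (Sysmon event ID 1, for instance) records directly; the point of the heuristic is that a benign installer rarely produces a chain this deep in which every generation is a new, differently named executable written into the system directory.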

Processes

Path Command line
C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe "C:\Users\Admin\AppData\Local\Temp\10e3948d8caf306281063beb38a0d9f734ed83552e980e03b42a8c4e62ef07c8N.exe"
C:\Windows\SysWOW64\Cdabcm32.exe C:\Windows\system32\Cdabcm32.exe
C:\Windows\SysWOW64\Cjkjpgfi.exe C:\Windows\system32\Cjkjpgfi.exe
C:\Windows\SysWOW64\Cmiflbel.exe C:\Windows\system32\Cmiflbel.exe
C:\Windows\SysWOW64\Caebma32.exe C:\Windows\system32\Caebma32.exe
C:\Windows\SysWOW64\Cdcoim32.exe C:\Windows\system32\Cdcoim32.exe
C:\Windows\SysWOW64\Cnicfe32.exe C:\Windows\system32\Cnicfe32.exe
C:\Windows\SysWOW64\Ceckcp32.exe C:\Windows\system32\Ceckcp32.exe
C:\Windows\SysWOW64\Cfdhkhjj.exe C:\Windows\system32\Cfdhkhjj.exe
C:\Windows\SysWOW64\Cjpckf32.exe C:\Windows\system32\Cjpckf32.exe
C:\Windows\SysWOW64\Ceehho32.exe C:\Windows\system32\Ceehho32.exe
C:\Windows\SysWOW64\Chcddk32.exe C:\Windows\system32\Chcddk32.exe
C:\Windows\SysWOW64\Cjbpaf32.exe C:\Windows\system32\Cjbpaf32.exe
C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\system32\Cegdnopg.exe
C:\Windows\SysWOW64\Dfiafg32.exe C:\Windows\system32\Dfiafg32.exe
C:\Windows\SysWOW64\Danecp32.exe C:\Windows\system32\Danecp32.exe
C:\Windows\SysWOW64\Dhhnpjmh.exe C:\Windows\system32\Dhhnpjmh.exe
C:\Windows\SysWOW64\Djgjlelk.exe C:\Windows\system32\Djgjlelk.exe
C:\Windows\SysWOW64\Dmefhako.exe C:\Windows\system32\Dmefhako.exe
C:\Windows\SysWOW64\Ddonekbl.exe C:\Windows\system32\Ddonekbl.exe
C:\Windows\SysWOW64\Dkifae32.exe C:\Windows\system32\Dkifae32.exe
C:\Windows\SysWOW64\Ddakjkqi.exe C:\Windows\system32\Ddakjkqi.exe
C:\Windows\SysWOW64\Dfpgffpm.exe C:\Windows\system32\Dfpgffpm.exe
C:\Windows\SysWOW64\Dmjocp32.exe C:\Windows\system32\Dmjocp32.exe
C:\Windows\SysWOW64\Dddhpjof.exe C:\Windows\system32\Dddhpjof.exe
C:\Windows\SysWOW64\Dgbdlf32.exe C:\Windows\system32\Dgbdlf32.exe
C:\Windows\SysWOW64\Doilmc32.exe C:\Windows\system32\Doilmc32.exe
C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\system32\Dmllipeg.exe
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4724 -ip 4724
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 416

Each stage is launched with a C:\Windows\system32\ command line but actually runs from C:\Windows\SysWOW64: the processes are 32-bit, so WOW64 file system redirection maps their writes to and launches from system32 onto SysWOW64. When hunting for these files on a 64-bit host, look under SysWOW64, not system32. The two WerFault.exe invocations for PID 4724 are the "Program crash" signature listed in the summary.

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

All seven entries are reverse (PTR) lookups sent to 8.8.8.8; the report attributes none of them to a sample process, and no outbound connection to a command-and-control host is recorded in this detonation, so the network table yields no usable network indicator for this sample.

Files

memory/1592-0-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Cdabcm32.exe

MD5 826fd67a279289d0da56ad765d96a716
SHA1 12e5b51de28f1509d88ad439c25e572770062f7e
SHA256 1a9b68b0ad9924f0e0f3beadb795148813af0cdbd150058ec84faf8bf13f2066
SHA512 f449bc349aaf846c5c88b2120b413eb1b743b036266e567f16b426666c772d5026b5877f3c4a2d75a6314a0dd8e26857a0099009c89b0ee123f10e1e6bd330db

memory/2360-7-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Cjkjpgfi.exe

MD5 84096d780dbd84cca88070982438d21a
SHA1 f2c8f1fa7de632ad341d812f254d7b30290377b1
SHA256 c28723efb0170e8d3cbc41350fe36cdcf2f9a875ebe6c542612ad85a0063fdc2
SHA512 0c4a1b9f867a155a46bf8d14f23630a35dbb49a20ba3ba2b824a8b0d1e8296cc4e6fc77a7a66a1b443174694d72009806267da2c4334797b96fe81f1f774c9a5

C:\Windows\SysWOW64\Cmiflbel.exe

MD5 01ece0d9d8ea3eb1fda53b3982b944cb
SHA1 add1d9fee308262b1320498bcd13c17945133ecd
SHA256 17f27fc473a69066e933054d08886c745d663d62887840a0b6648e22b5f68d1b
SHA512 bcd4fc4eb4274f7d901aab0804ab1e18f56f82a769c963626a3bcff288a9e59590aa5370dd5f8cf2c9bd7b9fd086254433bb5d3c71934810824bd2b86861fe61

memory/2228-15-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1264-27-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Caebma32.exe

MD5 54793eb9b3aecb0d9364daccd96180dd
SHA1 53de0f0e1b7a6dc550633ae34e185d667dbf1965
SHA256 019aaaf376cadb55afaf180db8a21e94e198be41878c3afab557f48a3d27362a
SHA512 e0da704f4f8f0e234f728fb5be4a5e6adbcdb10103047ac96c73257d098dc920a03343fc9a2a72cdd291c3eed92a2ff2a55613ddf05cc3ec86e82f6c7c2f6eab

memory/2324-31-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Nedmmlba.dll

MD5 af1da632033bd44b7626581019df4b25
SHA1 249c432b9f06b792a1f914f2bb6b39086ddec5c5
SHA256 95226d5e16e5b6fef77c3695b3847bd29dde17c10b1a0b6074be3d6a1bf86e76
SHA512 31ba7a47beea8f048c9920e2c9d7b065f2d1451043424fd621a3b7616c1c168be4bfa5cd0dffaa3e7411ce9245acc7b78de7e2f20b979de890dd3b71936bbe63

C:\Windows\SysWOW64\Cdcoim32.exe

MD5 6c20ffce8a97421b80761c983feca3c6
SHA1 f5b3c61f7feba9d9e9cf5a44a930606a444b2e82
SHA256 05fc99a560289d407b95375852225de0bdd4a00af04f62f57b80d88729233a95
SHA512 24042a0c8aac669c0821103efed40bdda12d5a838574fd41925069b9abc30b2210b636e31ee484da937da3b1a3eee4577bc13ab7401ea1a8cad5250440735c78

memory/468-39-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Cnicfe32.exe

MD5 eb2fdbea88cb0fd16c831fab467f5601
SHA1 fa91547114748712f96a5329982f906e50991518
SHA256 a683c21228b99a2d5d6a4047bc38a0d50dafc58cd0eb39ae9fd3bef757485f6d
SHA512 9da4577247488365f25a85ab2b25282248f8d051a6fc62783099da5084653ce8242b08c43b2ba97b28f79ad30b74bf03a0e15d25b617b263faf1289dcf769fe4

memory/3452-48-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Ceckcp32.exe

MD5 b137e5cfe18aaa66555f6f6886b8fe8b
SHA1 3642d9ab2705ce347f878774da2c405f8a5fad14
SHA256 9e73affcaa603ce37cd61b8cbbe2941490c0dbfff241566f3815937a13414823
SHA512 43de038606b691e89aa994ad1eece499318daea225a576a2ab96180a9ac06a8da8f55971bec5976345394890c47e0376f9dafce9a9f74d0dbab8a6c1f63a6e7d

memory/516-55-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Cfdhkhjj.exe

MD5 f0837c01809c6ea5d9d9e97b61fa3d1e
SHA1 efd32af9119bc83fa8f1607ead8ece82d17d8be1
SHA256 a9cfb8a7fcc5c6a52f8c861a41857fac24c46346c46787adc62ca1d1f0953a29
SHA512 0f0a12b43840fa9428fc7cbc0fbe6c69fad9e21e090e64c917795efcb3c78d0b7d468d77d93b2f38f85baf25ed7fe020cf2bfd6098eeb9113a0e3ba57279ce36

C:\Windows\SysWOW64\Cjpckf32.exe

MD5 be1bd9dce8124cc47923b53da5b7f644
SHA1 5a62c5e05870030b958c52c1a6e53c5b527acdfc
SHA256 31e6c438844468a1f2cb98063a03a909c9e15c30ba85f4bc2157322da35b4742
SHA512 6a4e8b293964ef4c39695255b4756db47e49cd70d8ea44ddf6b56f2fe7eab33c8cea965d73b7999b843fbef29722d9191e614cdbdc3240263dd73d9a7ba7e848

memory/112-64-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3304-71-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Ceehho32.exe

MD5 ced9fb3968fa365643f4e2c52c38f135
SHA1 ea07c2ece3e4234d771e4719c3a477b60bef67a2
SHA256 1229ec4bbd9eb57f0c1e5fb01f209fe2cef63853091e6ead3171c4fcc8255366
SHA512 8108d6322ff0ead2a3c5d24f8c3cb366db10369038fe84c59dbecae73a71961214e6cf288d1f0de05507ea50aa99535c9fb8fd0f8222190eed1a0b9fc801f1ba

memory/2156-79-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Chcddk32.exe

MD5 8aee369243639760a3a42138da5db937
SHA1 379b4e9bbde4c90e8b2f3116b5de739dcdc9a1d4
SHA256 efa2db6296ff1260ffe62633e9063c0b03022f553cbd29b94ee23dda2fba10fa
SHA512 2efee00fe6042f7aeef98d4e757f93d172ec6198aa76492727f8203e09e78d4644daec85f9730574a75a8ac0ba520f97e60674e68bfca1896e59d84ced7f245a

memory/1624-88-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Cjbpaf32.exe

MD5 3089d791cca18cd60afb73052c900a49
SHA1 8b763cf194ef8dbbd8edc9053226123847d251f2
SHA256 e87c7c3fba6cab76fb34cbad7814b522fc2b30bbb2f7d30a4ccb6633344c1afc
SHA512 d690a6ab1e6c3c1c4fefac967486402bfae9cd0272bf09a53125fd8bad648a8f7931c8ce230f632dba827ac27a44fc9cc0b39587ca8578ca8b12e30b82656ac0

memory/4144-95-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Cegdnopg.exe

MD5 16d029e1e8d37a7263a3314b5055ecb3
SHA1 3be0331aab664fdfd7769f84a2be2c3bc8d5ac3d
SHA256 ce5c2c4963aeab9056945327f9b9882fb03396a819c0ad9c4177ea2e4204c387
SHA512 7b30750b50abc83f9cb60851daaaa80a75b23abc314737d028a8a0ac9ca2f69a0db925289fd6edc80ccd13f8abf5e89ea08fcfd8b1c8f08a1bc7dd72c44ab60f

memory/1936-104-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Dfiafg32.exe

MD5 4da75e874a3cebdddfc11e7d9de02760
SHA1 a8bd0af35becff4f497c35db50bd74a27d3a30e2
SHA256 0e425d45118801755478fe29174d1ddf3806be48868042e687e0ce16bef697f4
SHA512 894780873099faf01d85c9a3ca7f8cad682a39f7c5d1ce0435c4fc4b69a1d5a6d4de216d6b47ee27c7c382c83095e2b6fd7d7c125dcf3ddd7d633d6519f85d8c

memory/4676-111-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Danecp32.exe

MD5 0b4d631734276d07b5e86f534b65a9a1
SHA1 e4405fc62432715ac2bfc95f4accd610caf958c3
SHA256 261ce64f7db1f33826eacd6f1eb043d01ab201db3a7792f6bfc7117bb0f6a94a
SHA512 0e4c86a99533983d2ee64f4f38a5e9da176db907d9176982de99f8de09e1b1f01ccce2f02f7ba5968e7eff1d0b77616e3c09c233c17c29a413fecfe9b76c269b

memory/4048-119-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Dhhnpjmh.exe

MD5 5ffc2ed3179994d7cd2a57eef26b80fe
SHA1 49bd3ed62039b39701ce2c398b73ddfde35836ae
SHA256 fbbc31d2f0fb663f8bbc702e99da4cfdb449797b25b384886803f45778d13a99
SHA512 e5ab1658d4d41da4f1d0e73b18615ba8a7e7efa12a23b0d54b7c9b27310691b4cd9e8d6785dd6db364f9a1eaf84fa859c0f3b63d50c02c107ec8906111ffe7eb

memory/3184-127-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Djgjlelk.exe

MD5 c455233fe0dab8a369b7a11d6ba72891
SHA1 42866a3cbac19a3c3cc40f2ecb7ece9a5dd6c813
SHA256 e636087321073b51192cceccd22176d3bfbc330c5ec1969ebe8892a469cab17b
SHA512 a1e56f9f8c96a37fd07ac4b3a1c87e3f754fecb5329e6189e8dd42cd598354c10efab26f4c3656f6c3fb09baf0477514a54735bfc44dc3148ed36d294434cc59

memory/4972-136-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Dmefhako.exe

MD5 5bf7834c98a611ef707fef9dc2871981
SHA1 0daa90abb98633c73c089b26e03e5e54f7af6cfc
SHA256 fbad722a75ac72f11d55fbd90a360d2c724b0d9d3e77529ff678751ee34a4307
SHA512 11af5be9efd7b906ea0d3c1aec6b7cc3cc3f364702b7eade337c1e1b3996a77771b0c5dbe9101efedace79398bbeda16482c078568834549e1cf4831e87e2416

memory/2880-143-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Ddonekbl.exe

MD5 69d5842c54c3fcfee59b424ac1da7a21
SHA1 482bd0918984b87e92b732dabd453714f1b49a20
SHA256 7399d348db2c86c573800148394149281067fc81edf2cd23a590f295a0d0b652
SHA512 fe1e714c829048a4f02124ae2aea1aebd59c697b5d8cd3c90fa1e009f6cbf47876d9c064f4d9aad46dc7aedf6d2d6213fdabbca83238fa2effe320809fc696a8

memory/1328-152-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4072-159-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Dkifae32.exe

MD5 ac46655bc91b41444757ec17b5b1938d
SHA1 7809819c1f01f85191286725665245aad0237c57
SHA256 f6b67917153b9c1781453f282e35dc1a1f24a8d8707fc16b1c56dbe14230b613
SHA512 f730b89263368220646b7c39ea306de42ca41fc81abbea6acd93ab86f96411b7f45fa3527a6f7f7477cd8d7a7c19d6d57c1bb6a2adfcadb340b9614161669ac9

C:\Windows\SysWOW64\Ddakjkqi.exe

MD5 a753b2e597323f95bfa083db96d7abbc
SHA1 13cf2599b88686a66d49471a1787e0a00b4c4c95
SHA256 bdc53f1d8101617f837967c5717853b95746cbbf338c9313e3f19b3b7c70fc63
SHA512 4ebc48dc91d9d3fb5a8fac4c5eba899da75bda977eb4036c3b75953f8175c54c1dc8d14a594a0231bd15571ffeee0ea25450ca3adf3aa3ecd3367e2c11542f4f

memory/5000-172-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Dfpgffpm.exe

MD5 856f009f9aaa04d87d3a48ff932c8a08
SHA1 48126e2e94205b7019c2f878cc1a5a07360be506
SHA256 560c9cd8e3324a2f51bc6c0b691f848ab393aa79bb9a3f63f28d41154f4967e7
SHA512 0f999b86951d2a9bd51d9538d600ee633597bce5ccfea9512d357f4b2560408c2bb7768b0397e7b1b0ad73b2813bf7bc17ff5794392cfa566788a612a66c3ea0

memory/2948-175-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Dmjocp32.exe

MD5 ed5d95ba35e9cfe447bdb7e5e84ff046
SHA1 b078e0845e20fa36f9cb5972cb70df260fba9cd4
SHA256 0990580b51e5d98f71d822c4ad238936618e5b2bdd02c063888191067d4dcc53
SHA512 6dee1fd930a797f8b76c44c2ca2371c143f918772669c53593b57f7ac05a9690f627024f3ccf88d6c341a7cd6bada12590f2af06a4edc389b8123faf083fbc76

memory/2688-183-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Dddhpjof.exe

MD5 52972750a6f7f8cadabd2a3604fded7d
SHA1 53691d6b0c4e85b66985789f4116d1417ffb50f6
SHA256 d448c78488dea27c85a99f5606ad5bf5027859e301cfa97a5e7f29b83ad2e0e9
SHA512 5ff06555d32e9ab77d5d9e32f78c5f7e520433ad4f25ba31f216a0107e596fa169e05f1a96237fd1cd813d2c704c4f80c09cdcf3e68112fc3b763f55a688d5dd

memory/3608-192-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Dgbdlf32.exe

MD5 3e958359f44fb481149a2e0e295c8597
SHA1 dde7ce80fe2005387a2e552b65ae3ebf256d7c6d
SHA256 ef59f212b13acc127bcc31912bf0649c4b18fa6593ff0f0c31b097bcf1c2eec6
SHA512 0fa8d85950ea29490c26197bbcbc9d8b6fff8baf1d6333a8c8f787f53c623402de59ff8afad8661388a56d756fc4359605f629fe11bf92d5f5e44c2a2671800d

memory/1896-199-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Doilmc32.exe

MD5 fa72dc5ef18e18164b6d0764512a9159
SHA1 284ac322971890beb46b108d0115ab90c36b225a
SHA256 c5de75e116aed6d870c3f1d5346905354ed92cf52a0a14bfd5d027074f139f91
SHA512 e0c88ddbc1b4f13696d925e95e28439b188b21cc778bbc6643c2123227c5d390bb7154afb917bcf34a9d7d4b6353e43ac83315458a52bab89844644ddf44bf99

memory/1516-212-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4724-216-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\Dmllipeg.exe

MD5 a237e6a51456f1f1fac35df6862317fc
SHA1 a204b92fdad4bd244d2960428544d045a6d1df8c
SHA256 6046608959fad343efda52c2ee532d4edab69b6591328ea23ee87ccdbaa072da
SHA512 3cea33131a160ac8b1ff6cf6c362b0ea57dda4b873a1ae87c286ad00a757dd0ce7b02b92cbd75696a116ad278391d0b23b526d97f33db606088fe64ed60e9ba6

memory/1896-218-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2948-221-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4072-222-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4972-225-0x0000000000400000-0x0000000000437000-memory.dmp

memory/516-235-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2360-241-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1592-242-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2228-240-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1264-239-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2324-238-0x0000000000400000-0x0000000000437000-memory.dmp

memory/468-237-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3452-236-0x0000000000400000-0x0000000000437000-memory.dmp

memory/112-234-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3304-233-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2156-232-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1624-231-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4144-230-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1936-229-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4676-228-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4048-227-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3184-226-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2880-224-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1328-223-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3608-219-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2688-220-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4724-217-0x0000000000400000-0x0000000000437000-memory.dmp