Malware Analysis Report

2025-08-05 11:31

Sample ID 241111-pwwgzazcpb
Target 0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe
SHA256 bc3cb5985b7cd4486ad5446b7a61965c1677487d8608ca5d27df5530afb0c97d
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bc3cb5985b7cd4486ad5446b7a61965c1677487d8608ca5d27df5530afb0c97d

Threat Level: Known bad

The file 0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew family

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 12:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 12:41

Reported

2024-11-11 12:43

Platform

win7-20240903-en

Max time kernel

69s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Baefnmml.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dnqlmq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Plpopddd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjjaikoa.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djlfma32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Folhgbid.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hffibceh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hqnjek32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjfkmdlg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jfmkbebl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Baefnmml.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Djjjga32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jpjifjdg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Leikbd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ebckmaec.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Eojlbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Gehiioaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hqgddm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ijcngenj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jnagmc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Apppkekc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ccgklc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Lemdncoa.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kidjdpie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Leikbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Adfbpega.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cfanmogq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Japciodd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kidjdpie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Klecfkff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Kageia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Odkgec32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Plmbkd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kkojbf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dppigchi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Daaenlng.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fgjjad32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fkhbgbkc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Igqhpj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Jbhebfck.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Onlahm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bbjpil32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jmipdo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jedehaea.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcadghnk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adfbpega.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnapnm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Inmmbc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Akpkmo32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Djjjga32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Loclai32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Epbbkf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fdiqpigl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dcdkef32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efhqmadd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Edlafebn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hmpaom32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hjfnnajl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Hiioin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ajhddk32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Daaenlng.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Loaokjjg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Imggplgm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Iakino32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Nppofado.exe N/A
N/A N/A C:\Windows\SysWOW64\Nggggoda.exe N/A
N/A N/A C:\Windows\SysWOW64\Obbdml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oniebmda.exe N/A
N/A N/A C:\Windows\SysWOW64\Onlahm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onnnml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odkgec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojglhm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppddpd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Plmbkd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Piabdiep.exe N/A
N/A N/A C:\Windows\SysWOW64\Plpopddd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfebnmcj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qlfdac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adaiee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adfbpega.exe N/A
N/A N/A C:\Windows\SysWOW64\Akpkmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajehnk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apppkekc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajhddk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Blfapfpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfoeil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjjaikoa.exe N/A
N/A N/A C:\Windows\SysWOW64\Baefnmml.exe N/A
N/A N/A C:\Windows\SysWOW64\Bddbjhlp.exe N/A
N/A N/A C:\Windows\SysWOW64\Boifga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfcodkcb.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgdkkc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbjpil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjedmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnapnm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckeqga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cncmcm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cqaiph32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjjnhnbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfanmogq.exe N/A
N/A N/A C:\Windows\SysWOW64\Ciokijfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Cqfbjhgf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjogcm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccgklc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfehhn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ckbpqe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dnqlmq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgiaefgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dppigchi.exe N/A
N/A N/A C:\Windows\SysWOW64\Daaenlng.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgknkf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlgjldnm.exe N/A
N/A N/A C:\Windows\SysWOW64\Djjjga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlifadkk.exe N/A
N/A N/A C:\Windows\SysWOW64\Djlfma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcdkef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhpgfeao.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmmpolof.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpklkgoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhbdleol.exe N/A
N/A N/A C:\Windows\SysWOW64\Eicpcm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epnhpglg.exe N/A
N/A N/A C:\Windows\SysWOW64\Efhqmadd.exe N/A
N/A N/A C:\Windows\SysWOW64\Eldiehbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Edlafebn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebnabb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Emdeok32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epbbkf32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe N/A
N/A N/A C:\Windows\SysWOW64\Nppofado.exe N/A
N/A N/A C:\Windows\SysWOW64\Nppofado.exe N/A
N/A N/A C:\Windows\SysWOW64\Nggggoda.exe N/A
N/A N/A C:\Windows\SysWOW64\Nggggoda.exe N/A
N/A N/A C:\Windows\SysWOW64\Obbdml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obbdml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oniebmda.exe N/A
N/A N/A C:\Windows\SysWOW64\Oniebmda.exe N/A
N/A N/A C:\Windows\SysWOW64\Onlahm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onlahm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onnnml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Onnnml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odkgec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odkgec32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojglhm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojglhm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppddpd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppddpd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Plmbkd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Plmbkd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Piabdiep.exe N/A
N/A N/A C:\Windows\SysWOW64\Piabdiep.exe N/A
N/A N/A C:\Windows\SysWOW64\Plpopddd.exe N/A
N/A N/A C:\Windows\SysWOW64\Plpopddd.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfebnmcj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfebnmcj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qlfdac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qlfdac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adaiee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adaiee32.exe N/A
N/A N/A C:\Windows\SysWOW64\Adfbpega.exe N/A
N/A N/A C:\Windows\SysWOW64\Adfbpega.exe N/A
N/A N/A C:\Windows\SysWOW64\Akpkmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Akpkmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajehnk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajehnk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Apppkekc.exe N/A
N/A N/A C:\Windows\SysWOW64\Apppkekc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajhddk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajhddk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Blfapfpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Blfapfpg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfoeil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfoeil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjjaikoa.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjjaikoa.exe N/A
N/A N/A C:\Windows\SysWOW64\Baefnmml.exe N/A
N/A N/A C:\Windows\SysWOW64\Baefnmml.exe N/A
N/A N/A C:\Windows\SysWOW64\Bddbjhlp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bddbjhlp.exe N/A
N/A N/A C:\Windows\SysWOW64\Boifga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Boifga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfcodkcb.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfcodkcb.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgdkkc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgdkkc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbjpil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bbjpil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjedmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjedmo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnapnm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnapnm32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Cjjnhnbl.exe C:\Windows\SysWOW64\Cqaiph32.exe N/A
File created C:\Windows\SysWOW64\Lqahpi32.dll C:\Windows\SysWOW64\Dgknkf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Icncgf32.exe C:\Windows\SysWOW64\Hmdkjmip.exe N/A
File opened for modification C:\Windows\SysWOW64\Injqmdki.exe C:\Windows\SysWOW64\Igqhpj32.exe N/A
File created C:\Windows\SysWOW64\Iamfdo32.exe C:\Windows\SysWOW64\Ijcngenj.exe N/A
File created C:\Windows\SysWOW64\Pfebnmcj.exe C:\Windows\SysWOW64\Plpopddd.exe N/A
File opened for modification C:\Windows\SysWOW64\Fglfgd32.exe C:\Windows\SysWOW64\Fmdbnnlj.exe N/A
File created C:\Windows\SysWOW64\Gfbaonni.dll C:\Windows\SysWOW64\Hnhgha32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ldgnklmi.exe C:\Windows\SysWOW64\Llpfjomf.exe N/A
File created C:\Windows\SysWOW64\Ekhnnojb.dll C:\Windows\SysWOW64\Jjfkmdlg.exe N/A
File created C:\Windows\SysWOW64\Ppddpd32.exe C:\Windows\SysWOW64\Ojglhm32.exe N/A
File created C:\Windows\SysWOW64\Bjjaikoa.exe C:\Windows\SysWOW64\Bfoeil32.exe N/A
File created C:\Windows\SysWOW64\Dmmpolof.exe C:\Windows\SysWOW64\Dhpgfeao.exe N/A
File created C:\Windows\SysWOW64\Iecbnqcj.dll C:\Windows\SysWOW64\Eojlbb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hmpaom32.exe C:\Windows\SysWOW64\Hjaeba32.exe N/A
File created C:\Windows\SysWOW64\Kageia32.exe C:\Windows\SysWOW64\Kipmhc32.exe N/A
File created C:\Windows\SysWOW64\Cfehhn32.exe C:\Windows\SysWOW64\Ccgklc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Epbbkf32.exe C:\Windows\SysWOW64\Emdeok32.exe N/A
File opened for modification C:\Windows\SysWOW64\Eojlbb32.exe C:\Windows\SysWOW64\Eimcjl32.exe N/A
File created C:\Windows\SysWOW64\Gkebafoa.exe C:\Windows\SysWOW64\Gehiioaj.exe N/A
File created C:\Windows\SysWOW64\Igqhpj32.exe C:\Windows\SysWOW64\Ibcphc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Kbhbai32.exe C:\Windows\SysWOW64\Kageia32.exe N/A
File created C:\Windows\SysWOW64\Nppofado.exe C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe N/A
File opened for modification C:\Windows\SysWOW64\Ebnabb32.exe C:\Windows\SysWOW64\Edlafebn.exe N/A
File created C:\Windows\SysWOW64\Giaidnkf.exe C:\Windows\SysWOW64\Gcgqgd32.exe N/A
File created C:\Windows\SysWOW64\Hmdkjmip.exe C:\Windows\SysWOW64\Hiioin32.exe N/A
File created C:\Windows\SysWOW64\Imggplgm.exe C:\Windows\SysWOW64\Iikkon32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bfcodkcb.exe C:\Windows\SysWOW64\Boifga32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ehnfpifm.exe C:\Windows\SysWOW64\Eoebgcol.exe N/A
File created C:\Windows\SysWOW64\Qmeedp32.dll C:\Windows\SysWOW64\Jjhgbd32.exe N/A
File created C:\Windows\SysWOW64\Ahemgiea.dll C:\Windows\SysWOW64\Epeoaffo.exe N/A
File created C:\Windows\SysWOW64\Jnagmc32.exe C:\Windows\SysWOW64\Jjfkmdlg.exe N/A
File created C:\Windows\SysWOW64\Fofndb32.dll C:\Windows\SysWOW64\Bjedmo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dgknkf32.exe C:\Windows\SysWOW64\Daaenlng.exe N/A
File created C:\Windows\SysWOW64\Ijcngenj.exe C:\Windows\SysWOW64\Icifjk32.exe N/A
File created C:\Windows\SysWOW64\Kambcbhb.exe C:\Windows\SysWOW64\Jplfkjbd.exe N/A
File created C:\Windows\SysWOW64\Kidjdpie.exe C:\Windows\SysWOW64\Kambcbhb.exe N/A
File created C:\Windows\SysWOW64\Kfodfh32.exe C:\Windows\SysWOW64\Kdphjm32.exe N/A
File created C:\Windows\SysWOW64\Djlfma32.exe C:\Windows\SysWOW64\Dlifadkk.exe N/A
File created C:\Windows\SysWOW64\Eickphoo.dll C:\Windows\SysWOW64\Gcjmmdbf.exe N/A
File created C:\Windows\SysWOW64\Eioigi32.dll C:\Windows\SysWOW64\Hdpcokdo.exe N/A
File created C:\Windows\SysWOW64\Dhpgfeao.exe C:\Windows\SysWOW64\Dcdkef32.exe N/A
File created C:\Windows\SysWOW64\Pjddaagq.dll C:\Windows\SysWOW64\Gcgqgd32.exe N/A
File created C:\Windows\SysWOW64\Lkjmfjmi.exe C:\Windows\SysWOW64\Liipnb32.exe N/A
File created C:\Windows\SysWOW64\Iddpheep.dll C:\Windows\SysWOW64\Jbfilffm.exe N/A
File created C:\Windows\SysWOW64\Onlahm32.exe C:\Windows\SysWOW64\Oniebmda.exe N/A
File created C:\Windows\SysWOW64\Edlafebn.exe C:\Windows\SysWOW64\Eldiehbk.exe N/A
File created C:\Windows\SysWOW64\Fglfgd32.exe C:\Windows\SysWOW64\Fmdbnnlj.exe N/A
File opened for modification C:\Windows\SysWOW64\Inmmbc32.exe C:\Windows\SysWOW64\Iaimipjl.exe N/A
File created C:\Windows\SysWOW64\Kobgmfjh.dll C:\Windows\SysWOW64\Iamfdo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bddbjhlp.exe C:\Windows\SysWOW64\Baefnmml.exe N/A
File created C:\Windows\SysWOW64\Gpidki32.exe C:\Windows\SysWOW64\Ghbljk32.exe N/A
File created C:\Windows\SysWOW64\Jikhnaao.exe C:\Windows\SysWOW64\Jjhgbd32.exe N/A
File created C:\Windows\SysWOW64\Kcjeje32.dll C:\Windows\SysWOW64\Kdphjm32.exe N/A
File created C:\Windows\SysWOW64\Liefaj32.dll C:\Windows\SysWOW64\Nppofado.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajhddk32.exe C:\Windows\SysWOW64\Apppkekc.exe N/A
File created C:\Windows\SysWOW64\Fmdbnnlj.exe C:\Windows\SysWOW64\Fgjjad32.exe N/A
File created C:\Windows\SysWOW64\Gqdgom32.exe C:\Windows\SysWOW64\Gglbfg32.exe N/A
File created C:\Windows\SysWOW64\Gkddco32.dll C:\Windows\SysWOW64\Ijcngenj.exe N/A
File opened for modification C:\Windows\SysWOW64\Oniebmda.exe C:\Windows\SysWOW64\Obbdml32.exe N/A
File created C:\Windows\SysWOW64\Fpnehm32.dll C:\Windows\SysWOW64\Bfoeil32.exe N/A
File created C:\Windows\SysWOW64\Qdfmchqk.dll C:\Windows\SysWOW64\Bgdkkc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Fahhnn32.exe C:\Windows\SysWOW64\Eojlbb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Hnhgha32.exe C:\Windows\SysWOW64\Hhkopj32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Lepaccmo.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iamfdo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qlfdac32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cncmcm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iaimipjl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jedehaea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfanmogq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fkcilc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hffibceh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kambcbhb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kageia32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nggggoda.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ghbljk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gglbfg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gpidki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oniebmda.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Djlfma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eoebgcol.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jimdcqom.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pfebnmcj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckbpqe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hdpcokdo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Icncgf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Leikbd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Onnnml32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dlgjldnm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Edlafebn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Klcgpkhh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kocpbfei.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fgjjad32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hnhgha32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jplfkjbd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odkgec32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhbdleol.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eimcjl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Loaokjjg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lepaccmo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fgocmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Glpepj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Igqhpj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ioeclg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Icifjk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Iclbpj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jlnmel32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dnqlmq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hklhae32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hfhfhbce.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kkmmlgik.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Llpfjomf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cqfbjhgf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Epbbkf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eojlbb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Plpopddd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hcjilgdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jlqjkk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Fkhbgbkc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hhkopj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Liipnb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnapnm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjjnhnbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daaenlng.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jfohgepi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lcadghnk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjedmo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dcdkef32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ibcphc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jplfkjbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Epnhpglg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jedehaea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodnd32.dll" C:\Windows\SysWOW64\Jlqjkk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kidjdpie.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fliook32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Boifga32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ehnfpifm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ifmocb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll" C:\Windows\SysWOW64\Klecfkff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehiknbl.dll" C:\Windows\SysWOW64\Apppkekc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cncmcm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hcjilgdb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hfhfhbce.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddpheep.dll" C:\Windows\SysWOW64\Jbfilffm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Onnnml32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bjjaikoa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Gcgqgd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Iaimipjl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdjnn32.dll" C:\Windows\SysWOW64\Jnagmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Obbdml32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbiahjpi.dll" C:\Windows\SysWOW64\Ehnfpifm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opjqff32.dll" C:\Windows\SysWOW64\Gqdgom32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaimld32.dll" C:\Windows\SysWOW64\Lemdncoa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dcdkef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghdjfq32.dll" C:\Windows\SysWOW64\Cjogcm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onepbd32.dll" C:\Windows\SysWOW64\Dpklkgoj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkhdaei.dll" C:\Windows\SysWOW64\Ggapbcne.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hellqgnm.dll" C:\Windows\SysWOW64\Gkebafoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chpmbe32.dll" C:\Windows\SysWOW64\Hqnjek32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Jbfilffm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fkcilc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Lkjmfjmi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgknkf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbceme32.dll" C:\Windows\SysWOW64\Glklejoo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hffibceh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfgpaco.dll" C:\Windows\SysWOW64\Ifmocb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jjfkmdlg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqbpk32.dll" C:\Windows\SysWOW64\Jmipdo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Kkmmlgik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ehnfpifm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnehm32.dll" C:\Windows\SysWOW64\Bfoeil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgdkkc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Edlafebn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfaognh.dll" C:\Windows\SysWOW64\Fkcilc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gicaikhj.dll" C:\Windows\SysWOW64\Fliook32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gpidki32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hfhfhbce.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ajehnk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebckmaec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hnhgha32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cncmcm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Blfapfpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpqkajf.dll" C:\Windows\SysWOW64\Dppigchi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Hjaeba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jfmkbebl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jmipdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhngh32.dll" C:\Windows\SysWOW64\Ojglhm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Klecfkff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gcgqgd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqgpml32.dll" C:\Windows\SysWOW64\Hiioin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hiioin32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe C:\Windows\SysWOW64\Nppofado.exe
PID 2068 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe C:\Windows\SysWOW64\Nppofado.exe
PID 2068 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe C:\Windows\SysWOW64\Nppofado.exe
PID 2068 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe C:\Windows\SysWOW64\Nppofado.exe
PID 2880 wrote to memory of 2904 N/A C:\Windows\SysWOW64\Nppofado.exe C:\Windows\SysWOW64\Nggggoda.exe
PID 2880 wrote to memory of 2904 N/A C:\Windows\SysWOW64\Nppofado.exe C:\Windows\SysWOW64\Nggggoda.exe
PID 2880 wrote to memory of 2904 N/A C:\Windows\SysWOW64\Nppofado.exe C:\Windows\SysWOW64\Nggggoda.exe
PID 2880 wrote to memory of 2904 N/A C:\Windows\SysWOW64\Nppofado.exe C:\Windows\SysWOW64\Nggggoda.exe
PID 2904 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Nggggoda.exe C:\Windows\SysWOW64\Obbdml32.exe
PID 2904 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Nggggoda.exe C:\Windows\SysWOW64\Obbdml32.exe
PID 2904 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Nggggoda.exe C:\Windows\SysWOW64\Obbdml32.exe
PID 2904 wrote to memory of 2248 N/A C:\Windows\SysWOW64\Nggggoda.exe C:\Windows\SysWOW64\Obbdml32.exe
PID 2248 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Obbdml32.exe C:\Windows\SysWOW64\Oniebmda.exe
PID 2248 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Obbdml32.exe C:\Windows\SysWOW64\Oniebmda.exe
PID 2248 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Obbdml32.exe C:\Windows\SysWOW64\Oniebmda.exe
PID 2248 wrote to memory of 2588 N/A C:\Windows\SysWOW64\Obbdml32.exe C:\Windows\SysWOW64\Oniebmda.exe
PID 2588 wrote to memory of 2388 N/A C:\Windows\SysWOW64\Oniebmda.exe C:\Windows\SysWOW64\Onlahm32.exe
PID 2588 wrote to memory of 2388 N/A C:\Windows\SysWOW64\Oniebmda.exe C:\Windows\SysWOW64\Onlahm32.exe
PID 2588 wrote to memory of 2388 N/A C:\Windows\SysWOW64\Oniebmda.exe C:\Windows\SysWOW64\Onlahm32.exe
PID 2588 wrote to memory of 2388 N/A C:\Windows\SysWOW64\Oniebmda.exe C:\Windows\SysWOW64\Onlahm32.exe
PID 2388 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Onlahm32.exe C:\Windows\SysWOW64\Onnnml32.exe
PID 2388 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Onlahm32.exe C:\Windows\SysWOW64\Onnnml32.exe
PID 2388 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Onlahm32.exe C:\Windows\SysWOW64\Onnnml32.exe
PID 2388 wrote to memory of 2912 N/A C:\Windows\SysWOW64\Onlahm32.exe C:\Windows\SysWOW64\Onnnml32.exe
PID 2912 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Onnnml32.exe C:\Windows\SysWOW64\Odkgec32.exe
PID 2912 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Onnnml32.exe C:\Windows\SysWOW64\Odkgec32.exe
PID 2912 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Onnnml32.exe C:\Windows\SysWOW64\Odkgec32.exe
PID 2912 wrote to memory of 2304 N/A C:\Windows\SysWOW64\Onnnml32.exe C:\Windows\SysWOW64\Odkgec32.exe
PID 2304 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Odkgec32.exe C:\Windows\SysWOW64\Ojglhm32.exe
PID 2304 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Odkgec32.exe C:\Windows\SysWOW64\Ojglhm32.exe
PID 2304 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Odkgec32.exe C:\Windows\SysWOW64\Ojglhm32.exe
PID 2304 wrote to memory of 2780 N/A C:\Windows\SysWOW64\Odkgec32.exe C:\Windows\SysWOW64\Ojglhm32.exe
PID 2780 wrote to memory of 1420 N/A C:\Windows\SysWOW64\Ojglhm32.exe C:\Windows\SysWOW64\Ppddpd32.exe
PID 2780 wrote to memory of 1420 N/A C:\Windows\SysWOW64\Ojglhm32.exe C:\Windows\SysWOW64\Ppddpd32.exe
PID 2780 wrote to memory of 1420 N/A C:\Windows\SysWOW64\Ojglhm32.exe C:\Windows\SysWOW64\Ppddpd32.exe
PID 2780 wrote to memory of 1420 N/A C:\Windows\SysWOW64\Ojglhm32.exe C:\Windows\SysWOW64\Ppddpd32.exe
PID 1420 wrote to memory of 2448 N/A C:\Windows\SysWOW64\Ppddpd32.exe C:\Windows\SysWOW64\Plmbkd32.exe
PID 1420 wrote to memory of 2448 N/A C:\Windows\SysWOW64\Ppddpd32.exe C:\Windows\SysWOW64\Plmbkd32.exe
PID 1420 wrote to memory of 2448 N/A C:\Windows\SysWOW64\Ppddpd32.exe C:\Windows\SysWOW64\Plmbkd32.exe
PID 1420 wrote to memory of 2448 N/A C:\Windows\SysWOW64\Ppddpd32.exe C:\Windows\SysWOW64\Plmbkd32.exe
PID 2448 wrote to memory of 2916 N/A C:\Windows\SysWOW64\Plmbkd32.exe C:\Windows\SysWOW64\Piabdiep.exe
PID 2448 wrote to memory of 2916 N/A C:\Windows\SysWOW64\Plmbkd32.exe C:\Windows\SysWOW64\Piabdiep.exe
PID 2448 wrote to memory of 2916 N/A C:\Windows\SysWOW64\Plmbkd32.exe C:\Windows\SysWOW64\Piabdiep.exe
PID 2448 wrote to memory of 2916 N/A C:\Windows\SysWOW64\Plmbkd32.exe C:\Windows\SysWOW64\Piabdiep.exe
PID 2916 wrote to memory of 2308 N/A C:\Windows\SysWOW64\Piabdiep.exe C:\Windows\SysWOW64\Plpopddd.exe
PID 2916 wrote to memory of 2308 N/A C:\Windows\SysWOW64\Piabdiep.exe C:\Windows\SysWOW64\Plpopddd.exe
PID 2916 wrote to memory of 2308 N/A C:\Windows\SysWOW64\Piabdiep.exe C:\Windows\SysWOW64\Plpopddd.exe
PID 2916 wrote to memory of 2308 N/A C:\Windows\SysWOW64\Piabdiep.exe C:\Windows\SysWOW64\Plpopddd.exe
PID 2308 wrote to memory of 1084 N/A C:\Windows\SysWOW64\Plpopddd.exe C:\Windows\SysWOW64\Pfebnmcj.exe
PID 2308 wrote to memory of 1084 N/A C:\Windows\SysWOW64\Plpopddd.exe C:\Windows\SysWOW64\Pfebnmcj.exe
PID 2308 wrote to memory of 1084 N/A C:\Windows\SysWOW64\Plpopddd.exe C:\Windows\SysWOW64\Pfebnmcj.exe
PID 2308 wrote to memory of 1084 N/A C:\Windows\SysWOW64\Plpopddd.exe C:\Windows\SysWOW64\Pfebnmcj.exe
PID 1084 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Pfebnmcj.exe C:\Windows\SysWOW64\Qlfdac32.exe
PID 1084 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Pfebnmcj.exe C:\Windows\SysWOW64\Qlfdac32.exe
PID 1084 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Pfebnmcj.exe C:\Windows\SysWOW64\Qlfdac32.exe
PID 1084 wrote to memory of 2456 N/A C:\Windows\SysWOW64\Pfebnmcj.exe C:\Windows\SysWOW64\Qlfdac32.exe
PID 2456 wrote to memory of 2176 N/A C:\Windows\SysWOW64\Qlfdac32.exe C:\Windows\SysWOW64\Adaiee32.exe
PID 2456 wrote to memory of 2176 N/A C:\Windows\SysWOW64\Qlfdac32.exe C:\Windows\SysWOW64\Adaiee32.exe
PID 2456 wrote to memory of 2176 N/A C:\Windows\SysWOW64\Qlfdac32.exe C:\Windows\SysWOW64\Adaiee32.exe
PID 2456 wrote to memory of 2176 N/A C:\Windows\SysWOW64\Qlfdac32.exe C:\Windows\SysWOW64\Adaiee32.exe
PID 2176 wrote to memory of 1856 N/A C:\Windows\SysWOW64\Adaiee32.exe C:\Windows\SysWOW64\Adfbpega.exe
PID 2176 wrote to memory of 1856 N/A C:\Windows\SysWOW64\Adaiee32.exe C:\Windows\SysWOW64\Adfbpega.exe
PID 2176 wrote to memory of 1856 N/A C:\Windows\SysWOW64\Adaiee32.exe C:\Windows\SysWOW64\Adfbpega.exe
PID 2176 wrote to memory of 1856 N/A C:\Windows\SysWOW64\Adaiee32.exe C:\Windows\SysWOW64\Adfbpega.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe

"C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe"

C:\Windows\SysWOW64\Nppofado.exe

C:\Windows\system32\Nppofado.exe

C:\Windows\SysWOW64\Nggggoda.exe

C:\Windows\system32\Nggggoda.exe

C:\Windows\SysWOW64\Obbdml32.exe

C:\Windows\system32\Obbdml32.exe

C:\Windows\SysWOW64\Oniebmda.exe

C:\Windows\system32\Oniebmda.exe

C:\Windows\SysWOW64\Onlahm32.exe

C:\Windows\system32\Onlahm32.exe

C:\Windows\SysWOW64\Onnnml32.exe

C:\Windows\system32\Onnnml32.exe

C:\Windows\SysWOW64\Odkgec32.exe

C:\Windows\system32\Odkgec32.exe

C:\Windows\SysWOW64\Ojglhm32.exe

C:\Windows\system32\Ojglhm32.exe

C:\Windows\SysWOW64\Ppddpd32.exe

C:\Windows\system32\Ppddpd32.exe

C:\Windows\SysWOW64\Plmbkd32.exe

C:\Windows\system32\Plmbkd32.exe

C:\Windows\SysWOW64\Piabdiep.exe

C:\Windows\system32\Piabdiep.exe

C:\Windows\SysWOW64\Plpopddd.exe

C:\Windows\system32\Plpopddd.exe

C:\Windows\SysWOW64\Pfebnmcj.exe

C:\Windows\system32\Pfebnmcj.exe

C:\Windows\SysWOW64\Qlfdac32.exe

C:\Windows\system32\Qlfdac32.exe

C:\Windows\SysWOW64\Adaiee32.exe

C:\Windows\system32\Adaiee32.exe

C:\Windows\SysWOW64\Adfbpega.exe

C:\Windows\system32\Adfbpega.exe

C:\Windows\SysWOW64\Akpkmo32.exe

C:\Windows\system32\Akpkmo32.exe

C:\Windows\SysWOW64\Ajehnk32.exe

C:\Windows\system32\Ajehnk32.exe

C:\Windows\SysWOW64\Apppkekc.exe

C:\Windows\system32\Apppkekc.exe

C:\Windows\SysWOW64\Ajhddk32.exe

C:\Windows\system32\Ajhddk32.exe

C:\Windows\SysWOW64\Blfapfpg.exe

C:\Windows\system32\Blfapfpg.exe

C:\Windows\SysWOW64\Bfoeil32.exe

C:\Windows\system32\Bfoeil32.exe

C:\Windows\SysWOW64\Bjjaikoa.exe

C:\Windows\system32\Bjjaikoa.exe

C:\Windows\SysWOW64\Baefnmml.exe

C:\Windows\system32\Baefnmml.exe

C:\Windows\SysWOW64\Bddbjhlp.exe

C:\Windows\system32\Bddbjhlp.exe

C:\Windows\SysWOW64\Boifga32.exe

C:\Windows\system32\Boifga32.exe

C:\Windows\SysWOW64\Bfcodkcb.exe

C:\Windows\system32\Bfcodkcb.exe

C:\Windows\SysWOW64\Bgdkkc32.exe

C:\Windows\system32\Bgdkkc32.exe

C:\Windows\SysWOW64\Bbjpil32.exe

C:\Windows\system32\Bbjpil32.exe

C:\Windows\SysWOW64\Bjedmo32.exe

C:\Windows\system32\Bjedmo32.exe

C:\Windows\SysWOW64\Bnapnm32.exe

C:\Windows\system32\Bnapnm32.exe

C:\Windows\SysWOW64\Ckeqga32.exe

C:\Windows\system32\Ckeqga32.exe

C:\Windows\SysWOW64\Cncmcm32.exe

C:\Windows\system32\Cncmcm32.exe

C:\Windows\SysWOW64\Cqaiph32.exe

C:\Windows\system32\Cqaiph32.exe

C:\Windows\SysWOW64\Cjjnhnbl.exe

C:\Windows\system32\Cjjnhnbl.exe

C:\Windows\SysWOW64\Cfanmogq.exe

C:\Windows\system32\Cfanmogq.exe

C:\Windows\SysWOW64\Ciokijfd.exe

C:\Windows\system32\Ciokijfd.exe

C:\Windows\SysWOW64\Cqfbjhgf.exe

C:\Windows\system32\Cqfbjhgf.exe

C:\Windows\SysWOW64\Cjogcm32.exe

C:\Windows\system32\Cjogcm32.exe

C:\Windows\SysWOW64\Ccgklc32.exe

C:\Windows\system32\Ccgklc32.exe

C:\Windows\SysWOW64\Cfehhn32.exe

C:\Windows\system32\Cfehhn32.exe

C:\Windows\SysWOW64\Ckbpqe32.exe

C:\Windows\system32\Ckbpqe32.exe

C:\Windows\SysWOW64\Dnqlmq32.exe

C:\Windows\system32\Dnqlmq32.exe

C:\Windows\SysWOW64\Dgiaefgg.exe

C:\Windows\system32\Dgiaefgg.exe

C:\Windows\SysWOW64\Dppigchi.exe

C:\Windows\system32\Dppigchi.exe

C:\Windows\SysWOW64\Daaenlng.exe

C:\Windows\system32\Daaenlng.exe

C:\Windows\SysWOW64\Dgknkf32.exe

C:\Windows\system32\Dgknkf32.exe

C:\Windows\SysWOW64\Dlgjldnm.exe

C:\Windows\system32\Dlgjldnm.exe

C:\Windows\SysWOW64\Djjjga32.exe

C:\Windows\system32\Djjjga32.exe

C:\Windows\SysWOW64\Dlifadkk.exe

C:\Windows\system32\Dlifadkk.exe

C:\Windows\SysWOW64\Djlfma32.exe

C:\Windows\system32\Djlfma32.exe

C:\Windows\SysWOW64\Dcdkef32.exe

C:\Windows\system32\Dcdkef32.exe

C:\Windows\SysWOW64\Dhpgfeao.exe

C:\Windows\system32\Dhpgfeao.exe

C:\Windows\SysWOW64\Dmmpolof.exe

C:\Windows\system32\Dmmpolof.exe

C:\Windows\SysWOW64\Dpklkgoj.exe

C:\Windows\system32\Dpklkgoj.exe

C:\Windows\SysWOW64\Dhbdleol.exe

C:\Windows\system32\Dhbdleol.exe

C:\Windows\SysWOW64\Eicpcm32.exe

C:\Windows\system32\Eicpcm32.exe

C:\Windows\SysWOW64\Epnhpglg.exe

C:\Windows\system32\Epnhpglg.exe

C:\Windows\SysWOW64\Efhqmadd.exe

C:\Windows\system32\Efhqmadd.exe

C:\Windows\SysWOW64\Eldiehbk.exe

C:\Windows\system32\Eldiehbk.exe

C:\Windows\SysWOW64\Edlafebn.exe

C:\Windows\system32\Edlafebn.exe

C:\Windows\SysWOW64\Ebnabb32.exe

C:\Windows\system32\Ebnabb32.exe

C:\Windows\SysWOW64\Emdeok32.exe

C:\Windows\system32\Emdeok32.exe

C:\Windows\SysWOW64\Epbbkf32.exe

C:\Windows\system32\Epbbkf32.exe

C:\Windows\SysWOW64\Eoebgcol.exe

C:\Windows\system32\Eoebgcol.exe

C:\Windows\SysWOW64\Ehnfpifm.exe

C:\Windows\system32\Ehnfpifm.exe

C:\Windows\SysWOW64\Epeoaffo.exe

C:\Windows\system32\Epeoaffo.exe

C:\Windows\SysWOW64\Ebckmaec.exe

C:\Windows\system32\Ebckmaec.exe

C:\Windows\SysWOW64\Eimcjl32.exe

C:\Windows\system32\Eimcjl32.exe

C:\Windows\SysWOW64\Eojlbb32.exe

C:\Windows\system32\Eojlbb32.exe

C:\Windows\SysWOW64\Fahhnn32.exe

C:\Windows\system32\Fahhnn32.exe

C:\Windows\SysWOW64\Flnlkgjq.exe

C:\Windows\system32\Flnlkgjq.exe

C:\Windows\SysWOW64\Folhgbid.exe

C:\Windows\system32\Folhgbid.exe

C:\Windows\SysWOW64\Fdiqpigl.exe

C:\Windows\system32\Fdiqpigl.exe

C:\Windows\SysWOW64\Fkcilc32.exe

C:\Windows\system32\Fkcilc32.exe

C:\Windows\SysWOW64\Famaimfe.exe

C:\Windows\system32\Famaimfe.exe

C:\Windows\SysWOW64\Fdkmeiei.exe

C:\Windows\system32\Fdkmeiei.exe

C:\Windows\SysWOW64\Fgjjad32.exe

C:\Windows\system32\Fgjjad32.exe

C:\Windows\SysWOW64\Fmdbnnlj.exe

C:\Windows\system32\Fmdbnnlj.exe

C:\Windows\SysWOW64\Fglfgd32.exe

C:\Windows\system32\Fglfgd32.exe

C:\Windows\SysWOW64\Fkhbgbkc.exe

C:\Windows\system32\Fkhbgbkc.exe

C:\Windows\SysWOW64\Fliook32.exe

C:\Windows\system32\Fliook32.exe

C:\Windows\SysWOW64\Fgocmc32.exe

C:\Windows\system32\Fgocmc32.exe

C:\Windows\SysWOW64\Glklejoo.exe

C:\Windows\system32\Glklejoo.exe

C:\Windows\SysWOW64\Gojhafnb.exe

C:\Windows\system32\Gojhafnb.exe

C:\Windows\SysWOW64\Ggapbcne.exe

C:\Windows\system32\Ggapbcne.exe

C:\Windows\SysWOW64\Ghbljk32.exe

C:\Windows\system32\Ghbljk32.exe

C:\Windows\SysWOW64\Gpidki32.exe

C:\Windows\system32\Gpidki32.exe

C:\Windows\SysWOW64\Gcgqgd32.exe

C:\Windows\system32\Gcgqgd32.exe

C:\Windows\SysWOW64\Giaidnkf.exe

C:\Windows\system32\Giaidnkf.exe

C:\Windows\SysWOW64\Glpepj32.exe

C:\Windows\system32\Glpepj32.exe

C:\Windows\SysWOW64\Gcjmmdbf.exe

C:\Windows\system32\Gcjmmdbf.exe

C:\Windows\SysWOW64\Gehiioaj.exe

C:\Windows\system32\Gehiioaj.exe

C:\Windows\SysWOW64\Gkebafoa.exe

C:\Windows\system32\Gkebafoa.exe

C:\Windows\SysWOW64\Gncnmane.exe

C:\Windows\system32\Gncnmane.exe

C:\Windows\SysWOW64\Gdnfjl32.exe

C:\Windows\system32\Gdnfjl32.exe

C:\Windows\SysWOW64\Gglbfg32.exe

C:\Windows\system32\Gglbfg32.exe

C:\Windows\SysWOW64\Gqdgom32.exe

C:\Windows\system32\Gqdgom32.exe

C:\Windows\SysWOW64\Hdpcokdo.exe

C:\Windows\system32\Hdpcokdo.exe

C:\Windows\SysWOW64\Hhkopj32.exe

C:\Windows\system32\Hhkopj32.exe

C:\Windows\SysWOW64\Hnhgha32.exe

C:\Windows\system32\Hnhgha32.exe

C:\Windows\SysWOW64\Hqgddm32.exe

C:\Windows\system32\Hqgddm32.exe

C:\Windows\SysWOW64\Hcepqh32.exe

C:\Windows\system32\Hcepqh32.exe

C:\Windows\SysWOW64\Hklhae32.exe

C:\Windows\system32\Hklhae32.exe

C:\Windows\SysWOW64\Hjohmbpd.exe

C:\Windows\system32\Hjohmbpd.exe

C:\Windows\SysWOW64\Hddmjk32.exe

C:\Windows\system32\Hddmjk32.exe

C:\Windows\SysWOW64\Hffibceh.exe

C:\Windows\system32\Hffibceh.exe

C:\Windows\SysWOW64\Hjaeba32.exe

C:\Windows\system32\Hjaeba32.exe

C:\Windows\SysWOW64\Hmpaom32.exe

C:\Windows\system32\Hmpaom32.exe

C:\Windows\SysWOW64\Hcjilgdb.exe

C:\Windows\system32\Hcjilgdb.exe

C:\Windows\SysWOW64\Hfhfhbce.exe

C:\Windows\system32\Hfhfhbce.exe

C:\Windows\SysWOW64\Hifbdnbi.exe

C:\Windows\system32\Hifbdnbi.exe

C:\Windows\SysWOW64\Hqnjek32.exe

C:\Windows\system32\Hqnjek32.exe

C:\Windows\SysWOW64\Hjfnnajl.exe

C:\Windows\system32\Hjfnnajl.exe

C:\Windows\SysWOW64\Hiioin32.exe

C:\Windows\system32\Hiioin32.exe

C:\Windows\SysWOW64\Hmdkjmip.exe

C:\Windows\system32\Hmdkjmip.exe

C:\Windows\SysWOW64\Icncgf32.exe

C:\Windows\system32\Icncgf32.exe

C:\Windows\SysWOW64\Ifmocb32.exe

C:\Windows\system32\Ifmocb32.exe

C:\Windows\SysWOW64\Iikkon32.exe

C:\Windows\system32\Iikkon32.exe

C:\Windows\SysWOW64\Imggplgm.exe

C:\Windows\system32\Imggplgm.exe

C:\Windows\SysWOW64\Ioeclg32.exe

C:\Windows\system32\Ioeclg32.exe

C:\Windows\SysWOW64\Ibcphc32.exe

C:\Windows\system32\Ibcphc32.exe

C:\Windows\SysWOW64\Igqhpj32.exe

C:\Windows\system32\Igqhpj32.exe

C:\Windows\SysWOW64\Injqmdki.exe

C:\Windows\system32\Injqmdki.exe

C:\Windows\SysWOW64\Iaimipjl.exe

C:\Windows\system32\Iaimipjl.exe

C:\Windows\SysWOW64\Inmmbc32.exe

C:\Windows\system32\Inmmbc32.exe

C:\Windows\SysWOW64\Iakino32.exe

C:\Windows\system32\Iakino32.exe

C:\Windows\SysWOW64\Icifjk32.exe

C:\Windows\system32\Icifjk32.exe

C:\Windows\SysWOW64\Ijcngenj.exe

C:\Windows\system32\Ijcngenj.exe

C:\Windows\SysWOW64\Iamfdo32.exe

C:\Windows\system32\Iamfdo32.exe

C:\Windows\SysWOW64\Iclbpj32.exe

C:\Windows\system32\Iclbpj32.exe

C:\Windows\SysWOW64\Jjfkmdlg.exe

C:\Windows\system32\Jjfkmdlg.exe

C:\Windows\SysWOW64\Jnagmc32.exe

C:\Windows\system32\Jnagmc32.exe

C:\Windows\SysWOW64\Japciodd.exe

C:\Windows\system32\Japciodd.exe

C:\Windows\SysWOW64\Jfmkbebl.exe

C:\Windows\system32\Jfmkbebl.exe

C:\Windows\SysWOW64\Jjhgbd32.exe

C:\Windows\system32\Jjhgbd32.exe

C:\Windows\SysWOW64\Jikhnaao.exe

C:\Windows\system32\Jikhnaao.exe

C:\Windows\SysWOW64\Jfohgepi.exe

C:\Windows\system32\Jfohgepi.exe

C:\Windows\SysWOW64\Jimdcqom.exe

C:\Windows\system32\Jimdcqom.exe

C:\Windows\SysWOW64\Jmipdo32.exe

C:\Windows\system32\Jmipdo32.exe

C:\Windows\SysWOW64\Jcciqi32.exe

C:\Windows\system32\Jcciqi32.exe

C:\Windows\SysWOW64\Jbfilffm.exe

C:\Windows\system32\Jbfilffm.exe

C:\Windows\SysWOW64\Jedehaea.exe

C:\Windows\system32\Jedehaea.exe

C:\Windows\SysWOW64\Jlnmel32.exe

C:\Windows\system32\Jlnmel32.exe

C:\Windows\SysWOW64\Jpjifjdg.exe

C:\Windows\system32\Jpjifjdg.exe

C:\Windows\SysWOW64\Jbhebfck.exe

C:\Windows\system32\Jbhebfck.exe

C:\Windows\SysWOW64\Jlqjkk32.exe

C:\Windows\system32\Jlqjkk32.exe

C:\Windows\SysWOW64\Jplfkjbd.exe

C:\Windows\system32\Jplfkjbd.exe

C:\Windows\SysWOW64\Kambcbhb.exe

C:\Windows\system32\Kambcbhb.exe

C:\Windows\SysWOW64\Kidjdpie.exe

C:\Windows\system32\Kidjdpie.exe

C:\Windows\SysWOW64\Klcgpkhh.exe

C:\Windows\system32\Klcgpkhh.exe

C:\Windows\SysWOW64\Kekkiq32.exe

C:\Windows\system32\Kekkiq32.exe

C:\Windows\SysWOW64\Klecfkff.exe

C:\Windows\system32\Klecfkff.exe

C:\Windows\SysWOW64\Kocpbfei.exe

C:\Windows\system32\Kocpbfei.exe

C:\Windows\SysWOW64\Kmfpmc32.exe

C:\Windows\system32\Kmfpmc32.exe

C:\Windows\SysWOW64\Kenhopmf.exe

C:\Windows\system32\Kenhopmf.exe

C:\Windows\SysWOW64\Kdphjm32.exe

C:\Windows\system32\Kdphjm32.exe

C:\Windows\SysWOW64\Kfodfh32.exe

C:\Windows\system32\Kfodfh32.exe

C:\Windows\SysWOW64\Khnapkjg.exe

C:\Windows\system32\Khnapkjg.exe

C:\Windows\SysWOW64\Kkmmlgik.exe

C:\Windows\system32\Kkmmlgik.exe

C:\Windows\SysWOW64\Kipmhc32.exe

C:\Windows\system32\Kipmhc32.exe

C:\Windows\SysWOW64\Kageia32.exe

C:\Windows\system32\Kageia32.exe

C:\Windows\SysWOW64\Kbhbai32.exe

C:\Windows\system32\Kbhbai32.exe

C:\Windows\SysWOW64\Kkojbf32.exe

C:\Windows\system32\Kkojbf32.exe

C:\Windows\SysWOW64\Llpfjomf.exe

C:\Windows\system32\Llpfjomf.exe

C:\Windows\SysWOW64\Ldgnklmi.exe

C:\Windows\system32\Ldgnklmi.exe

C:\Windows\SysWOW64\Leikbd32.exe

C:\Windows\system32\Leikbd32.exe

C:\Windows\SysWOW64\Loaokjjg.exe

C:\Windows\system32\Loaokjjg.exe

C:\Windows\SysWOW64\Lghgmg32.exe

C:\Windows\system32\Lghgmg32.exe

C:\Windows\SysWOW64\Llepen32.exe

C:\Windows\system32\Llepen32.exe

C:\Windows\SysWOW64\Loclai32.exe

C:\Windows\system32\Loclai32.exe

C:\Windows\SysWOW64\Lemdncoa.exe

C:\Windows\system32\Lemdncoa.exe

C:\Windows\SysWOW64\Liipnb32.exe

C:\Windows\system32\Liipnb32.exe

C:\Windows\SysWOW64\Lkjmfjmi.exe

C:\Windows\system32\Lkjmfjmi.exe

C:\Windows\SysWOW64\Lcadghnk.exe

C:\Windows\system32\Lcadghnk.exe

C:\Windows\SysWOW64\Lepaccmo.exe

C:\Windows\system32\Lepaccmo.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 140

Network

N/A

Files

memory/2068-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Nppofado.exe

MD5 4cfc37c2f63a982b7f9f334575c52603
SHA1 3132059803f27e4759efad321ffbe285447e8018
SHA256 6ba0c7dad3890d8e095b8d21ff9ab565ede080ae688dd3200c86efeb35a5485d
SHA512 2702032bf5187bad9aa141b92527f1c3868ae533470f4c3dd4d33a5c2a949357dc1ce149305b44af2e4fabe4655a2d18aab6e38eb84b0fd1b978383854bc9c5e

memory/2880-19-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2068-18-0x0000000000290000-0x00000000002C4000-memory.dmp

C:\Windows\SysWOW64\Nggggoda.exe

MD5 d033a33bf67535ce474eecfc43814a39
SHA1 9e39e4eabc60655e4e6251688f2d2ee42b94a65e
SHA256 6f8f400d8c587cf2f5f93c5e0230f80a9a92c5798939d598e9d9df42a31664e5
SHA512 6e897057d674122351279d216c82de28535f3f83d414ccc7a8564295d99a65b3f661dde4d4ab40da1324a12a347f12a273849e671c76e8c0e826a80b23c236df

memory/2068-12-0x0000000000290000-0x00000000002C4000-memory.dmp

memory/2904-27-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Obbdml32.exe

MD5 b63ed2204f8e89bfea6a77d78246a6d3
SHA1 a1625a3221d8ecf3acce9f6290e1e12522780a05
SHA256 09e8fcbcfc5a418fa7cc1f6d554a81328907abf08213592bcacf7c79fe6ba8cc
SHA512 3d1f6ebf0caebb9ba37cc339d3204fb31de429e7f589f71b4d41d17b6e26e999a5700e58c77a72640052471d7a275c9c0a0e0fe144597c6063e8d029595e0d5d

memory/2248-41-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2904-40-0x00000000002E0000-0x0000000000314000-memory.dmp

memory/2248-49-0x0000000000440000-0x0000000000474000-memory.dmp

\Windows\SysWOW64\Oniebmda.exe

MD5 de801bd2d83c72d8ad4ac733bad4e3a9
SHA1 89b1d968eb30a98ca06fdd4afed0c42844aceeb9
SHA256 e6765e28fef494bb015bfca62f5fde9d729175c974422c3ab15ee4db7112cc3a
SHA512 7e9c78492cd491e7f50a379247447e859b30edc4320902d15461eb11a017e1282400af103691017433a3af3e36c74ee9121193d63debc040f4751854b1e58859

C:\Windows\SysWOW64\Meoaif32.dll

MD5 047fb28c7670804a02e8a29ba2fbcc29
SHA1 59a5aa379ec0adaa1ff21dec8c31365c8a88283c
SHA256 2ee48272b7676af57dd155469e3ac5d5ef1d358785ee2866fd2ae1d04eef31fa
SHA512 9b0c746c34c654c76c86b4075e3f33db258b33b0e5a900414c585bd8e01407d08edd4402e2ffca50aa0aa482d58e20f0a9bdc44e7ff2e5746acd15564e87fd20

C:\Windows\SysWOW64\Onlahm32.exe

MD5 abd218e36c098f49d66e99f7a6efae61
SHA1 02d1bf10b8d50a91dc8b954f7d63878ec40c744d
SHA256 bfcd3841920588ec243133f6c32e32c67e1a043cbdbeebf6d439ccc79f2fe16e
SHA512 609b31433e97e4ffe7cbab26fc162ef1f62403684f35b775ded76dd1d0d9f96d286905d1d7fd29d8655631890cb35833152d13d1626c5d71da5fc62967152db7

memory/2388-69-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2588-68-0x00000000002F0000-0x0000000000324000-memory.dmp

memory/2588-67-0x00000000002F0000-0x0000000000324000-memory.dmp

memory/2388-77-0x0000000000280000-0x00000000002B4000-memory.dmp

\Windows\SysWOW64\Onnnml32.exe

MD5 c85bd97a38438deb6e3f6d301074cfbd
SHA1 cf649a8a545878669e057f9116624f1a9754ba4c
SHA256 7a85f25e5a6445100e21b831f9e6e6762701f03faa6a075252367e5dc37d6040
SHA512 f732f796463d591b04e12d78a570e5c2cba4abed2742fd12b260f2b13b7ed3dae60caf574095c6adff85d80562e280401b7b02162eca479997215625fb6825a3

memory/2912-90-0x0000000000440000-0x0000000000474000-memory.dmp

\Windows\SysWOW64\Odkgec32.exe

MD5 454bbbb97b08c1daaed5955d087bc623
SHA1 b8094a7bacf457f37f981cce3ca475524a410047
SHA256 25a8d21d9c05485554541f78f153b9dbbdfd3bbf9bc3228cbb464de6056856cd
SHA512 8fbf77c9758f6458d8fe66ec2f2f22e3c8d7cdd9695d4c7e833d1a3f570d4c82be0f9418b6b6c3267266b1c32bbe4870800066b5a757ce199c77235d97737a47

memory/2304-96-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2304-104-0x0000000000250000-0x0000000000284000-memory.dmp

\Windows\SysWOW64\Ojglhm32.exe

MD5 3d140dffb8b7d6029faef7a3987d1ef9
SHA1 cf5703a6f51d5be3ff6d7fdfddf8829974e6912e
SHA256 2959594279e800c73243c8e222b4bf9cd34b0a10abb6afa422e6a58b30de23c1
SHA512 aaa6e4f80bed8c35b1e7326346e78fff81ee6b6d4158a01a5c309eeb1d8cad29c68e65b59a505a82d0391527d15f89647855293db658575d2a5af207c7362758

\Windows\SysWOW64\Ppddpd32.exe

MD5 ff10d8f17eac5bb13be5a7b558af4aa2
SHA1 40809aa8db97c3e40f9cde071fe85be5020755d7
SHA256 6a4337ddecc68e367dbf64c01ef04b0a38c2d09b7c671133025cee808d8834fe
SHA512 d49273b3f727760b9a5eb72530416ac6da84e41c2379fcdc7df0440c2f28f00e4a6448b5861797f05678955ecd500c14e56958ef36627b1e885e5cba3a235169

memory/1420-122-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Plmbkd32.exe

MD5 735433f48a0b9001853c7853dfcf6955
SHA1 141f4d4aaa1b9248b8e757e0f6f3b7c36957fe54
SHA256 409d3d2fd7944fee508d363dd6279979e9583b5e7f40db28cbbc24f28f44b5f1
SHA512 61c901d33d148354c0e0937adc2b7600928fe4ef613d56a47646d27e32bed4cf933697296ad6de6e51c3c59ef7fd938cda882c29691084b02fc831a73a6de47e

memory/1420-129-0x0000000000250000-0x0000000000284000-memory.dmp

\Windows\SysWOW64\Piabdiep.exe

MD5 053c723bc9ac834bb1ff7494911d0d52
SHA1 95e5e260d4978b4c5a747f3e17275199195ff757
SHA256 9128ebc64af904c1215a7c4c309628322b4925092e7abc0b42b031a3f4ac70d6
SHA512 fc97fcdd92e449cda30c75c1f936401ae273f5f548ad62b5fdfc41c268e34f2bc61693f2b9d2eb319e0f113914816463eb4f08c9781b1e5ab3c4779e8961c64a

memory/2916-151-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Plpopddd.exe

MD5 2200554dfbc8c013cf5fbda608b153f4
SHA1 3d8018b8ca8d6bc525da8fa861aae08c21516e59
SHA256 ca3429d3d475d658938993602ae693b70e20597eb4764718a165f552c27fdc19
SHA512 fb39aa9273ecab4e3260194b5ab3376b4d55c7c78d93884d286c5dd5b39645d36d9257706e4b2ee46d106609fbbecd3c4a920c3baf366177f0b7fbf9e46f916c

memory/2308-168-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Pfebnmcj.exe

MD5 608ffbb391a1b94ccba10efc4ad2ae8d
SHA1 0926456c24adbcaeb0fc723bacdabf0139b9aa88
SHA256 436bf7e3ee7902c45af442789325ec0fb35140ce82435f92f0bef0c82b69ef54
SHA512 6a030c16c19d47d8bbd51e9f369d99d2fdb940419312f55d750adcfe63e439fbcccc81e0ac2e4f662e7f228889aa67132981d2ebaff53ca3ad076f02cc434e35

memory/2448-150-0x00000000002D0000-0x0000000000304000-memory.dmp

memory/2448-136-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1084-177-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2308-175-0x00000000002D0000-0x0000000000304000-memory.dmp

\Windows\SysWOW64\Qlfdac32.exe

MD5 40a130bda0047dfa8c5e4d1161824863
SHA1 a8e3c41e8c398b0515f01af6d1823ec0b3421a4b
SHA256 b891cdf976fd747c369e7d75620fc3dc5025bb306c84c1511460bc38f61844f0
SHA512 238d38aacbacc7ba0a38f874d878bd075c82100f87bd7d352486d5c3f9b5ff4d2cea60cc2abb592abb8e5eff13afb264bb81cb030cd03edbaa357998961949fe

memory/1084-184-0x0000000000300000-0x0000000000334000-memory.dmp

memory/2456-194-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Adaiee32.exe

MD5 8e1362a22ddac1439dcd263e1032271c
SHA1 a6bc6478334a94535cf1aac57bdad45e6945d250
SHA256 934aeb3bc0d30caff1fc507e55086f8c9b3c7738346c49702c9b1f7f1361eaa0
SHA512 287c1f7511bfbea7409887380dc3f39f22a4319118ae7666db4e3277ea845347363814428628b8e01db9b3b09794b6bda390f78101c8defa95d2c18e2c7c7e2e

memory/2176-204-0x0000000000400000-0x0000000000434000-memory.dmp

\Windows\SysWOW64\Adfbpega.exe

MD5 f84e0ba50336ada4a2c2b969f9886e31
SHA1 618fbc1251d9f391a1cbdc07eba9e852ab67efef
SHA256 7c147d21a1a818425a97f8b8213f1bc55bfdc38211bc029e925eb081fb9a229a
SHA512 eff0d046bf11082661246762e07c294823e184f75819e8d3b7fb79c4ffeb1b1a2ffa97fd80a364a26ac8562a61de8bfd2610bf751ec8434763e00793eeeed7db

memory/2176-212-0x0000000000440000-0x0000000000474000-memory.dmp

C:\Windows\SysWOW64\Akpkmo32.exe

MD5 8a4e3c199295b7fd600b8e36c5935d7a
SHA1 3dc4f52fd082b3d21d122edd65cd5fa8f99f752c
SHA256 97b127a8aac70988c53274b284727604c586c01deabcd5dc91ee0e1373a1369d
SHA512 604218d3c0bd611f9840ef57d55d507c0bc0cf3269ca7b3b9786bd8aaebb8829fe9a25683e3c8659f98d96439dbc6fb90f2b4cc5358ee94c1b0b004d7d0699e1

memory/640-228-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1856-227-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1456-237-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1456-243-0x00000000002E0000-0x0000000000314000-memory.dmp

C:\Windows\SysWOW64\Ajehnk32.exe

MD5 5a4aca296218eb31d6d975416585c59b
SHA1 61373f6445219e0f9bfcc8a839610cb07126488d
SHA256 ffd9d0005ddd7f244d5fe6709f290a808245e645d3b447e90abed5ef58d3f4a2
SHA512 07514b9408f480456c4af3bf23108539f2a55321d6ba04b8f0b49f21ea77f46a6981bc650d05967ee8dd11a5c668a52208221450039d5df8d9da82ea8866df1b

C:\Windows\SysWOW64\Apppkekc.exe

MD5 c2bfca9de26db22314b8098104c68f38
SHA1 01796e0469230825f307a117ad435438673663e2
SHA256 d9a876ec9d78a66820d8fde099fabad9ea4d73ad22ee860d68f063750af4b297
SHA512 186f1491099210c84a9710d8bdfecbd2f4ad4225bcb03cf5e3e09835241da6231a88bea9027c3238b60520da6f35c72239c04984bb0a5292710380e88f215d3d

memory/1604-252-0x0000000000440000-0x0000000000474000-memory.dmp

memory/2088-256-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ajhddk32.exe

MD5 d085afb485109d97e5f5057499a56383
SHA1 79c75d14d59233abb5531d190d1a2f3ecbc49b44
SHA256 7f0810497d7725b14aa065f7347b8a8969412ee3d4e860f648d4fd2d912e9176
SHA512 1ba4d26e6fbb19eb67e53f4d7ca8d0a85fdaae5a54cbc18170df2552ffd735385a9ff8619cd46095d304bf115faa21758e04d102e12cd9c5fb93d43f6e03452a

memory/1360-265-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Blfapfpg.exe

MD5 61a8c854e6bef103946b15659c5f9c13
SHA1 ea8a24abd33ed4b8ec264f439d51824b28f5e1bb
SHA256 def024a1138ca109ba40382dbdbd35c68b573712a36cc3ac3634a991fe20df3b
SHA512 3a8fc9e5a8a82bb0319df8a90317a36630c74f752056995c2b0b8315810643a842e035b7361800ede0958e2f520b71a897fbdb4c3f9370ddb28a62acc283455a

C:\Windows\SysWOW64\Bfoeil32.exe

MD5 a48748110cc67bb40f9b56b7098605db
SHA1 4909a30ef48aa9b8741f58d8dcd5843b9cdb517c
SHA256 c7f8cc23c175c72886b61d3c0d473c33a5632cf57ade200e75ca53f3eabe89ed
SHA512 b8c0225971401090dd42fc95d4793ae2544784a9a5599000dd91d9714add2bf245f509dc64b8c0600f3315da6d9eb3f4e2dede8125c834cde2c83387abb4763c

memory/2532-277-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bjjaikoa.exe

MD5 fac9c72880cc6782ef45f100013090f9
SHA1 f273cb44b5a12599f478b853108fe61874eb7baa
SHA256 05287586d0fd416054f73e8c2b99ecdda390d3aa7c5924047d9276ed18e0395a
SHA512 13c2dc0a231d648e1a61285f0dd99df5a5a4beb4727f7fc1426995a58e19b4e8312af6013c83194c62d83540709eefe5f29c69e94e3bafe215ca053239cd5cae

memory/2052-285-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2532-284-0x0000000000440000-0x0000000000474000-memory.dmp

memory/2532-283-0x0000000000440000-0x0000000000474000-memory.dmp

memory/2052-291-0x0000000000490000-0x00000000004C4000-memory.dmp

C:\Windows\SysWOW64\Baefnmml.exe

MD5 5e8821731797773067c92a65b6d28428
SHA1 ac08a2f9472b931b4eb44616f6d600205a837c61
SHA256 03a40d9da172f9ddb2ba8ed3bde341a48ec9dd5d104a90a3af8bcc4bb8fb87c7
SHA512 a09e935f5c46be200e614cb6a8bc33b09215ccc90685abbe96b873400fdfa05a02ccf1cd5e71ee381ee759fb35f2cb8eebb7dfa48793c1518eb0793d09aa40ea

memory/2052-295-0x0000000000490000-0x00000000004C4000-memory.dmp

memory/2196-296-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2452-307-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2196-306-0x0000000000440000-0x0000000000474000-memory.dmp

memory/2196-305-0x0000000000440000-0x0000000000474000-memory.dmp

C:\Windows\SysWOW64\Bddbjhlp.exe

MD5 764ea79ffd6a103e678210f3d505c7ea
SHA1 81a5a477fa1cd066db1711a225433c5545c44234
SHA256 dcdac5935ef5610e6c4a289be5a298699b98222279fc7363951502409d65cd84
SHA512 ae91027f3917d857ed3b8373ddde754a8f2e2e67453abe5b8f1b968586c2cf0cd902e115b3ab9354223bc55965f34bfb825e00a87ebfb5cdda8b35da7913c7d9

memory/2452-313-0x0000000000250000-0x0000000000284000-memory.dmp

memory/1552-318-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2452-317-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Boifga32.exe

MD5 92921fb45dd23e0dc4dcd4cec5e9674a
SHA1 85c2a8d788ab153360b07e6cbd5f839f88afc99c
SHA256 8893b6159cc8e45173e5bd7be0bc17ac8a8818321a6b600bc2126f284d181a3c
SHA512 5e478db4ae54d5bd4c060062bd4bc173b6559eb50de5e85881f6d1aa785336f76225f4b25e9f5d06fbf6f1ac23aed8b15c193e7b6d18218a742517e8d05c3447

C:\Windows\SysWOW64\Bfcodkcb.exe

MD5 bd2a0ad5125d95eade2b9afb31d98764
SHA1 cba0df6feda230d57b54d190b12e74baaf3a3038
SHA256 b3ea8e822d2830252c0ec71c2cff81a798ec00cc947d7a95d865e1604199b463
SHA512 819094e6f52ce70fc7b26ef8c33952d78d50d5edbb32e5aaf8251e3da291b324f3029247f5cbd412a7507579eee2cdc5d7343b4e364992ec90e73b267513f2c4

memory/1552-328-0x0000000000340000-0x0000000000374000-memory.dmp

memory/2324-329-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1552-327-0x0000000000340000-0x0000000000374000-memory.dmp

memory/2324-335-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Bgdkkc32.exe

MD5 1bef84ba874bfd3215229ad2ffa38346
SHA1 08fee08022f8182dc3e573d77bd6e3d868bd307e
SHA256 56bbe016fe41d5e9a01c0e713181950ac35a3c248c6552170eaea9e65ee166af
SHA512 2d91e756407212801497f26b3b127eb0a340816cdbe0dfb3f2c20711dc1d7c3d07658e5f6bcb8a69346ba164967d8439de21883193f7e02f702e5c75f74cec99

memory/2324-343-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2604-344-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2732-351-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2604-350-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2604-349-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Bbjpil32.exe

MD5 c9a78cee68fb57f4888a9c4426031dc3
SHA1 1db562eabf2407e03213420820aa70e13543763b
SHA256 9e6f841e3c1e42f219a4920190ece44a4529047fd50589db2b828e9258b7eba2
SHA512 3b986e7dc7130343450f8d223e3badbf604139f4486d1eb4b050dcbeb2b998e0a565cbfccdc255d4cde0452171bb734bd7a5264852516617c0e7369306fc7415

C:\Windows\SysWOW64\Bjedmo32.exe

MD5 1e10ce16383911e2494946873deef95e
SHA1 f6e19fe34ff863e477cbe32ae35065d578deb632
SHA256 31a68d004c4460343d00977097fcce5b9e1511ebb0e50c126e0c15738cc64209
SHA512 9b04adac431548faee780d245edb90f0f58b04a6241e471791e003f11657b81d16572c1871f08ce4a35986bf350e9c1205f1830fcada96045947ff4f81501dfc

memory/2688-365-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2688-369-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Bnapnm32.exe

MD5 8839210c3dd503c089acfd4c59ab2bb5
SHA1 d3cb540d1da63497ac36718acf4a86397038299e
SHA256 d0f24fc3365af86031146e37f7a27e14399e10ab18e32367c36fa96cabbe2277
SHA512 5c3cbe1615b27b10ba2cc5ede9407a1e89b234e1fbc587a26784b03a94043847be408245976a98be39e239a2d88f6263c37d60f2a50f4634e857889d8ae6930d

memory/2732-364-0x0000000000360000-0x0000000000394000-memory.dmp

memory/2732-363-0x0000000000360000-0x0000000000394000-memory.dmp

memory/1952-373-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2688-372-0x0000000000250000-0x0000000000284000-memory.dmp

memory/1952-379-0x00000000002D0000-0x0000000000304000-memory.dmp

C:\Windows\SysWOW64\Ckeqga32.exe

MD5 e215981030f21ece74476da857ba1120
SHA1 1f9003838794d0d8850332626ef9fbfbc5ab194d
SHA256 593a1bd83e787d35d4d3c689deaa6cb4c854d97de9ec8f924dacc1023a75284a
SHA512 b7c1f8ab522f6e9b65224032aba50c9a3cc4bfe677deea5fe89061dc9a22853b4d6169869ff2da0433c8e0815bccb9cab0169ff87a6fcdf681f0020fbca1fb42

memory/1792-384-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1952-383-0x00000000002D0000-0x0000000000304000-memory.dmp

C:\Windows\SysWOW64\Cncmcm32.exe

MD5 0e034aa91cb32b2fffaa07102798faed
SHA1 07c228c5d694e974ec18eb2ff3cba7d7b8641788
SHA256 a1ad09e2b3a5cc292ddc2064d108f84b5e8c2f110c020112f6a6bceabb6578a9
SHA512 f8a6e27dc040480521abe7be6002246c3233a429d9396d99d2a91b7a5b91f004058fa47e1feef87d0787383ac7a1b6d67a7e227d7907a022f2cd070fce006fa3

memory/1792-395-0x0000000000250000-0x0000000000284000-memory.dmp

memory/1852-394-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1792-393-0x0000000000250000-0x0000000000284000-memory.dmp

memory/1852-401-0x0000000000250000-0x0000000000284000-memory.dmp

memory/2548-412-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2904-407-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2904-420-0x00000000002E0000-0x0000000000314000-memory.dmp

memory/2248-419-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2556-418-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2068-417-0x0000000000290000-0x00000000002C4000-memory.dmp

C:\Windows\SysWOW64\Cjjnhnbl.exe

MD5 191e78df95800488c6a0826660a12906
SHA1 63d88503bdb7c8be0dbabb58406f1e96de3103f0
SHA256 00e34116a6ea8c25e012593220e6b8634f60c5bd4885644012036c88fd1b8b8b
SHA512 d47e3f760cca62e826646463ea54439c20d07fde73dc3fb7a3f59571fef896da7ea169d42ec25a651f0df443e651a70cbb3adc6de5e61b161bb988b54b88784a

memory/2068-406-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Cqaiph32.exe

MD5 be8097cc6f936fd1e92f7e971a092d41
SHA1 8a82d88d19908b1d671b1cbf40b8fb61f23acc88
SHA256 54518289d6b0f98aa07a1f123a11aff0c3a671e39caaea3b3f436627f316fc30
SHA512 fe56ea913e12cef5ff6989c4d88d571d68860a84e5d86ad8df3a8bbd735319b78713dee90959cf2a98bdaec800ac98b8c8beb992739db3e4224d3b6195eed7fe

memory/1852-405-0x0000000000250000-0x0000000000284000-memory.dmp

C:\Windows\SysWOW64\Cfanmogq.exe

MD5 1f37b921d741dc9a5c61229e31f0f144
SHA1 2cb6c7a3aeda578f8f5c82a203de35471c5730e0
SHA256 fd546323f4e9554955cb1c0e9a7884e30432bb7c74e21620400224ca39ef2321
SHA512 d12bb6ef94eccecc525a1fcf654fe833a7c6f7c8c2ef4aaf4c26248ee786112fdce865747a7ff63eab55f7db248c361fb74f1be9f201c8289e4f2da4e77eb442

memory/2796-431-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2248-430-0x0000000000440000-0x0000000000474000-memory.dmp

memory/2556-429-0x0000000000250000-0x0000000000284000-memory.dmp

memory/1264-445-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2388-444-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2588-443-0x00000000002F0000-0x0000000000324000-memory.dmp

memory/2588-442-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2796-441-0x0000000000440000-0x0000000000474000-memory.dmp

memory/2796-440-0x0000000000440000-0x0000000000474000-memory.dmp

C:\Windows\SysWOW64\Ciokijfd.exe

MD5 c0ec950b2c99fb1021a6de81a7efde5f
SHA1 2d096655049a45b458a5058857770c5e396a5721
SHA256 cc9c13ab650a7b69bcbe8b5699283ec930f063c78b3681f259ddbeedae3194c0
SHA512 12455cc873ca9d3f82b0a3d03b7ba1a17186e3b876d5594a6b52fe8c208347de9bd24dd2fb604062f5c29953979c591e1c9927c7c328313d3cc591dec9ce306e

C:\Windows\SysWOW64\Cqfbjhgf.exe

MD5 2919cf7f63aa9da91adcc2839abc030a
SHA1 edf853c2a58761e0d4420c57cb1c59e899b72db5
SHA256 a6fae42e6d7b7bda92df75b1643a5b355a8bb9b2340cc4ca6ac68eb040d3956d
SHA512 ab4c0a9de8b158940b863890fd2816d5df4e2a8ba72cb8708f19bdc3d35cd80ce1450a466ef17068078c4204ee21336442ac97646321c99996816c857710db2e

memory/2080-459-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1264-458-0x0000000000260000-0x0000000000294000-memory.dmp

memory/1264-457-0x0000000000260000-0x0000000000294000-memory.dmp

memory/2912-468-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2500-467-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2080-466-0x0000000000280000-0x00000000002B4000-memory.dmp

memory/2388-465-0x0000000000280000-0x00000000002B4000-memory.dmp

C:\Windows\SysWOW64\Cjogcm32.exe

MD5 4312780794ee3c1e9e1f90e6d4231366
SHA1 437df0bea942a96286f89811d2f8abbc1054eacf
SHA256 2da07989b62120edd2cedd02dbf6d5f7547457421ee3c7a4e87133d29df46d4f
SHA512 ab7715da4b2033f27e3619840bcd11cb0b0adef0a9f73098e6105aa6352ed877027d03b12013fdb11c892a5c865391409ca7aa138d66e00859281d0d8fcc084d

memory/2912-474-0x0000000000440000-0x0000000000474000-memory.dmp

memory/2912-479-0x0000000000440000-0x0000000000474000-memory.dmp

C:\Windows\SysWOW64\Ccgklc32.exe

MD5 4dd1fdb9b2ca8a7f9a527bbdd2b50a10
SHA1 893188cf268919cd544cb65a827fdfcb6ca4de56
SHA256 52474a92c0d5b7ff072a483458c25bba5566d97413c725448732d48da68bdc07
SHA512 f7b6a9b169fe82a63b484559dfcc90c1b48456893d3707e68be3281c5774e89f83105e48f9202caaf2ca43a7799cd91809a17f9e19e8c0e3f3df726e695df972

memory/2500-475-0x0000000000290000-0x00000000002C4000-memory.dmp

C:\Windows\SysWOW64\Cfehhn32.exe

MD5 30e998ffc172a22308324e559b8f9ea1
SHA1 0ef2c9b5c8e68bf398b36dc9af65a2d555b6f408
SHA256 15fbb23432b8533d27984331848d131a7f97629520e0b1d3e2cf714e00f95f1b
SHA512 308358bcca9fc21ec6325cf976d5f2596a4d62fa940e33aaef280d1807110f915efff919a1ecd43386f49e674a28df886901e21ba16e57212358bda8307b5c15

C:\Windows\SysWOW64\Ckbpqe32.exe

MD5 801acaeab7d88063d3b7f67018cfe07b
SHA1 d0308207de7f8b259eee59867fad16b8cb9f4a52
SHA256 db36518130a43137b5dcdce39497add355f259365a9b463aba25f3b9a6d71094
SHA512 3cf524c2174c5f4e55f21c2ae5a9f16cc937087236510aed0878f46243e0dceda9d41863248699b6900f1794cd7880a4d22049b347e86bdf6b8727fdd2666f79

C:\Windows\SysWOW64\Dnqlmq32.exe

MD5 a73de318be3dcf1483451f8d45eaaaa9
SHA1 37cd30943d034e77475938b099a79ebd32742172
SHA256 3d7e20c7ec031f53febd2a6eaf3520b77f428f66f328bba11afcb8041dab94c0
SHA512 faf605b53280450b668fc8194a7b19402cecd0443d2cb37d49172df22df61a30595fd79f7d2e4fc65e3626702ad6f5cba54c948c73380a4fd240dd4f58089c37

C:\Windows\SysWOW64\Dgiaefgg.exe

MD5 fabcfe2d846a62e59ec45e5f5a43fa27
SHA1 350de2aeeed5b36f23d6867e14fb6b62e25e98e2
SHA256 5e0dc05cfdd277093a9eba021b8d456a8ffcc15b3e4cb65f7f11b41b6dca6f1d
SHA512 798e532aa3b2b8253df3589896a39ca5c1d44edd59ea5fb69256409b64ff6fcc66058d5ae537233347b0cb02a32d74055af309eb60fde43be69b5a124c596322

C:\Windows\SysWOW64\Dppigchi.exe

MD5 2f08c2745a549e87347f256b1a272cbf
SHA1 41046f48d079bd4523047d9475c6fbe5827386e1
SHA256 6db7c51f083af07ca12f44ef0d288e385b87b843ea412f6a5b37fe2af1c24ec6
SHA512 fc987b2fb287dfe8f921def8712797d580f48e1cde2e8a336ca35a3af783bc2d89c4d79acedc0afed4c7d46330b30ecd0fad766792ca310f4fff0af66a2db9e9

C:\Windows\SysWOW64\Daaenlng.exe

MD5 edcde58ab8b52a726ed98f4898ecc988
SHA1 36a1799960e48485f4fd3f7949c4ffdf0e8e0c93
SHA256 1c3ae0fc942137689745e291fc79721a09a54b1d39ca6f4c68e1680d6870a1c9
SHA512 dc9851570cf6ccadf1b486b496a748c440d4c6423316904c73417c33107e4c21296fbfe37a542ff38904495e8d9e90ed1ec466fae6237eb906d89164e7713fb8

C:\Windows\SysWOW64\Dgknkf32.exe

MD5 9fa8bd2dfe8718234280609e3d93c5b8
SHA1 e21e88d88828d09b08de989b0352d5ea90dae962
SHA256 bb2c31a7deee57c3cd4e3fdba6944910c07e5cddfe45bbfb1c0c10f43675d119
SHA512 f77abbc62bac7df247ca587564e8fb19f030dad740fb40e197d60a3576fb18d490d979c31c0dc09b6e1928c3e744bc446eea641763bfc628532e7a60190e7c1b

C:\Windows\SysWOW64\Djjjga32.exe

MD5 ad59c81d6b98fe8f7fe3383ff786e794
SHA1 67210475d531477a330c8a14b53d0e3b34976d8f
SHA256 d36140bc897fc993c5a982ecc16dd2f5b4c591c9de6cfb4cd4b27a4701e238f5
SHA512 d09769c0843691a86ac2d5f01ba45e74f887fed1a0a528dd56258bea2c74b84e3762959338e64e869b16f0055bd1649a79953c4fa96f45b78475fa65ace9e4d6

C:\Windows\SysWOW64\Dlgjldnm.exe

MD5 e0f1ac690f88f95a9177ef091cf48f3a
SHA1 5299c27ec16a69f37376829755054a71445303c1
SHA256 0423995d57ccc05f1c715b611a179b2aefcb75a3bc1a80aa79bbbef3bf09450e
SHA512 c9eb47b9d1b33d3e859380e9a6d1bdfc980d7676ea65f015d39a3b9a61cab01244d4091f165d12203513987e654e419949507f26c83a9ead4abfc624b4098a5e

C:\Windows\SysWOW64\Dlifadkk.exe

MD5 2bd7fa920fe4542d96370ad4e4c3e3b4
SHA1 04969605b9067207e1d9eb1246dcb227cf9b6355
SHA256 046a39e0ae9d55c7919d918b42488b2d9390801070ee782d87e144fe006d7726
SHA512 3fa8d6d8ec6a075e42170167ba962419d61bd601a7806707cd6f2771bb130ae19bd556dd79f8d20620034a411163e555d6b0be822ea03a3c77801180ad025c42

C:\Windows\SysWOW64\Djlfma32.exe

MD5 9a6a6b58dbe305c16dd181e4ad7f8ae7
SHA1 70adedfd739d33183d6a8e3923e3a0a88436c519
SHA256 ba99c73abd590b05d8f13b8a9b16760acdbc2efeef64b2e1a5015664e2ca26a9
SHA512 c71afc2271175b9c6a7d230b74c205f7c081bdaab37bb922fe33c4246f0891d9cbf829edbba418e153b3d68bca1bf7b28d00a7b08c0d1055344679f0c3b7bbc8

C:\Windows\SysWOW64\Dcdkef32.exe

MD5 680f7bf7b799b100224b72a134e6a31e
SHA1 18d161ceac5379332f09644ac4a23ba5f46c1102
SHA256 1a8f5893475b865cc85c2d9efaf90a262eeb0435132344845c233932cfeb7fdb
SHA512 da8667b67a8c59f3c96cee6f341ebacb1669d3a20a660ad652f2ec9868a38581e7845217b0d3735bfc51a876f94a7f1bdc005f7adf14ad74ff2bdcd9a9d94cea

C:\Windows\SysWOW64\Dhpgfeao.exe

MD5 91eb25a931ccb27cd670b0de00399e4e
SHA1 b5f29979ae479a6134be862a7054b90f72272be6
SHA256 19747efc3a64a92af3a802483ba0584f3e7c01a78e79326cf845f384bd6e7ee3
SHA512 22dcc1d44b57ffd60f69b02f9e48a47a0d410c9b36fc12bbba7629db014ad8201c4f2a6d776b03f8e7f7481320632283de6bf2cf6c69476531ea3a05544a6525

C:\Windows\SysWOW64\Dmmpolof.exe

MD5 261dd55909739b5efc778a6edf8b3013
SHA1 909ecc438fdb495370ca244ab40e8d57bec1864d
SHA256 f1dee4f7f3d9e31664ea27d75280196b2b7a8106e397311066bdb11a82023cb3
SHA512 cba1ed520b01156da89b4805324dec678265fe028d76d07e0c6b90ca186ff31cae9b6c37b9929a7fb6910fd48e69a255280d3289bf2bb059a509fc18bcad6a61

C:\Windows\SysWOW64\Dpklkgoj.exe

MD5 fae21ab0ff0b37128766fefda38ced5d
SHA1 8e59932714ecb3002c1c20e6a777210d3150fd1e
SHA256 9feb9d33a1f15bd440f4da95844fbb3c22549184dc250c5b63b02c2dfe22682c
SHA512 2a840809fce5d0e238caeca44d2a9621170d0fc43a124cd496915f732aa4fdd93a243d6c6f6c5388a3aaae1f1371a5cca3f797004dc920c2e36ddffcd9513ea2

C:\Windows\SysWOW64\Dhbdleol.exe

MD5 a03d389420e9dc0cdc4384353b8d3134
SHA1 d43d0090a9d230da3647b221927d8fc05d28bfe3
SHA256 358a0581b14dde569376c310059a71675e8f40b9a832a9bc08a77c4632efc851
SHA512 c45766627e83d6ef34e55fc361a2b6305370b99814025229a07e53163fc97a4c043c8a2012308fa2f25ddbb4a662e0a33201c2b38fa20a5d1035da77a432d766

C:\Windows\SysWOW64\Eicpcm32.exe

MD5 b3e5d2ac22ff51a009e009b61636ce3d
SHA1 1e32d373d4324eef189254799a628ef286261a98
SHA256 f5ed90ea7859914b17144e66c7131354de50f7f71222f0df9cacfec5c989c274
SHA512 e16ab221d530cd964526494c62db1754340f7567af46e9604e605925d086012ca06c8a9f174c7c310d2cd76de18dea37c00014697ded02ff2a059386dd5a9158

C:\Windows\SysWOW64\Epnhpglg.exe

MD5 85c6fa5e2edd719376bdcccb3e9e1cae
SHA1 6ce3ac63695685986f6d2c43ef93a3826ba0bacf
SHA256 2f35731e3e71fb3523f16554b12bace7cc3695cf34ea5967298c1001373af693
SHA512 1224ad1f3bb2f54ae81227a712143ab45fa1e3f47e46ec91c87fd4e93999c94f26ab587d27241479f44d652b49168cb345f7c4d06ec30aea15169fb00d8b0c6c

C:\Windows\SysWOW64\Efhqmadd.exe

MD5 168e357aed97f135f31ba99ae5c6cec0
SHA1 8387c32ec83235a0d1337a80afd42fcfb1ea5540
SHA256 f5053cb2aecf00c14618ca961295673b881367c798ff911ff8f50a9767ff3bac
SHA512 df511ffaea72bd5f2ed6905433247c1f5e45a570e54715d512e723fabf68fcbc96e7087e13fa8570a5586c1a601128efbce26ed444a9c043f4ea400302ab77c8

C:\Windows\SysWOW64\Eldiehbk.exe

MD5 6f61bc46adcad9cceeadf85e6e4f5112
SHA1 57aec4f60d9248b4c4a17151cb86d0d3042274df
SHA256 522d5cbe2b6c07dab3d15c9737d386dc71fdaf942dae502d33f0cd48abc8c0c8
SHA512 052820f27716aa01c8703c5f1d4f139f706aedd743e83ef282efb676a58eff7e2237cbd5fc2a6cbaef016dcf770a49830975bc9a7a486f36eb654ade66068f92

C:\Windows\SysWOW64\Edlafebn.exe

MD5 b43f818769c795cafa8dc4d08b92f430
SHA1 a6857d8d9cf7aae958fa5732c3c7c9468d0fc55f
SHA256 e1ae01b21659f6a21f2907207e761a34ef7c360f40c5a6bdb05d759f0ed80835
SHA512 58cc84c10ac74f47c535da3f4b855de3496d0a21c0db7d7633e330e96460598510a233b7bde538ec7aab8fe99a2c4370f18501ef8aa41b8eb9d23a501fbc4eb9

C:\Windows\SysWOW64\Ebnabb32.exe

MD5 eb4285cd021ef1fde02018bd62c65523
SHA1 d71824ba7c34c1fab7821a7cb5cf8a5297eb57d7
SHA256 4f4e12805b5ec16205cfd6c54bbf0de7135a6b6c4eb51aea6c52976b5a194ebb
SHA512 9a609d1876f7d1a99ce868dce9366acb7154c88d1f86d22fad1124b223c23cb887a3230a1a5f981ba5d66eda74fa6edb8063b7d231cb347304f58c5b51d67d55

C:\Windows\SysWOW64\Emdeok32.exe

MD5 8d16103f21baeb19473f48fef989a5e8
SHA1 53500b17069c7fe3dc74a62e6e203b2bad738969
SHA256 cb85c8c83fbdf375e49be344f6b742eee4b560a63512943ebf34066965e77aef
SHA512 bff280256918ef72d348967d1ed661b5f535691426d2501f40897a5d80dac7053b991f0f803fb6d3c9377d3d987408d76a995c515d57958908466a38e2523eda

C:\Windows\SysWOW64\Epbbkf32.exe

MD5 98547fbc970cd6de4cfa52693024f2c5
SHA1 3a0104b0298b1be7ad5e30763cc010f2b9cb83d8
SHA256 fc77f5cb3f6ff8ec3119019582a2bddd3191b3fbcc72a82dc7420b059281363a
SHA512 edbda0809290bef8d2b12d2c6cc09fce10d81548ccba3d9a3b41db7585bed9db871bf899cf9bb0a2c4e686658d1004034d0864be1e71b8fa828416e65dcf175c

C:\Windows\SysWOW64\Eoebgcol.exe

MD5 8f0a047ba442de9849e5347e055d1092
SHA1 9410f24df32dc5f1ea77b3ace74e9924bf5181ce
SHA256 56f2837d74087a9a8521aa5839df82623bc45ef6bd55a9535e59b65e460ea7ab
SHA512 89b47904e4522e3197c50ec5f6951960f9231e3976453d1a61d146ed7de78271e96dd3056c296801ccba10aded8204de6f499680944557f78b6d3f99dcd26199

C:\Windows\SysWOW64\Ehnfpifm.exe

MD5 f6102df7b396ee53548fe3bb69138901
SHA1 671d3257af4308d4fb1f79bf678ff0d25970ab73
SHA256 3f270088f73461a4d0a06757cb0d98f8b39cd753dc3400fddfdd77f76277d71a
SHA512 5369325564e6384380f64778101dcde74d1f262877ea6e8f5dd81824b498a110b79e781c8c05d6ef4c7607fb8014c2dadb657d7d9b21297cb1e4950b2993674b

C:\Windows\SysWOW64\Epeoaffo.exe

MD5 24b7f0e71161b7b5c0b7a0ddfac20fa4
SHA1 48f1120d358c77c882bdc532c3cb2552afe6be99
SHA256 de0524cd88b0c0ee3f95c803a4465ba237ce553ed045cdf22ec28664e399a4f2
SHA512 6a50d723243f37efc45df1e3c9979134a5875bac9c0dc12c32efd324f7855659695c2974392fb8acef37c2df80c3790ba714262fed5c7b6440543c846eea43c4

C:\Windows\SysWOW64\Ebckmaec.exe

MD5 fe567b34e4d72761ff9517d10bf9717e
SHA1 ff0ef056ef308710a654973bd8c661110dcfabb5
SHA256 df1d1ceff65f385c6ca78dd7db2e88408bf971349d7363e8fd9e8e3c90ac5616
SHA512 d459668fd84c7f7a0552eecd3e5561917fcaf1a4ea6ebca2f526239b48711bf791a12d61f0764c14a551e48d9621ee49c2d0231b15c1430a29c74fe014404857

C:\Windows\SysWOW64\Eimcjl32.exe

MD5 841bac8b48ae34334bd5e0b216eded77
SHA1 c1c055a4d20b57695ae13ff965647c95ae470abf
SHA256 f3a298a9c811893f1a1448ed96e6ef256cf6761448e56bb00551144ee871cb5f
SHA512 4d729ea9bf923e4e142a3aac870eb63818e3242ff496a6b6d8fbe8b4115fefb2277d641d2956323cac73b82487dfcb8838a94509f189b545e04871d8c9a60a84

C:\Windows\SysWOW64\Eojlbb32.exe

MD5 ff5180d501e21b3b3ccc805bd43627e6
SHA1 d2c275bda628ef36338d008daab84049f9ed3dda
SHA256 c8e68da0a6d22be660d4e669b362fb8c7130ded6eabcb1bdae6ef5ba78f145b9
SHA512 5b90d5e4dbfece6ac145fcdbc42a181f8bb3c9da977031c7f60d59de143800aa05ee04a52e63eee221e7c2b45a8626075b061554ef82b14c3389d8cc3b6ac94d

C:\Windows\SysWOW64\Fahhnn32.exe

MD5 e07785298cdfd3c498b0981e3be2d80c
SHA1 0b6021dfa43e6cd4a88321c0bd92cf33d1212b3c
SHA256 881f432dc79e1178ce79bd934b4c27404a3ea189d09829a47035d6d9071b236d
SHA512 a8f75f658e31d5a60ee0e839b6331e2f6c7ad0a8c0f8cd80da6f9f8d4fba009bfa050a0feeda5ce36751ab4d194974ff0ab7e310ebed578d3c4d0cc702f52e48

C:\Windows\SysWOW64\Flnlkgjq.exe

MD5 ddc4f444f1ee20333fc8975e48377043
SHA1 85dcce087d3f83d5df2a831e0dfc1127574d088d
SHA256 e9c8cc0f8ab7d6ff7ce1b3e9222a750c71540e1689005f05d7ee5bf6aa7dbfff
SHA512 f891dd3eab4502262b5a738566cd7f83400cc496a779eab1e38239438e7ccab67adc393274451f241fd617f79ef2c0e3a175a48059f96700ed9e27dcea134e41

C:\Windows\SysWOW64\Folhgbid.exe

MD5 8980032bf9478c29250758dff7299c25
SHA1 6058c99ede79b81832ea8b96547ed7770d7099c2
SHA256 6fd334845149cf0feb426479221e91cc69bd35de15a08f26e6370c3104c53d07
SHA512 c3488e4d5813a80ca88ffe64cd910e1afd3985e555d029fe84e0b2dddf806919d23d18846d4c1da8c31da63c2a81509bd9f979934e8de2c7f3c8a6e47e1632f9

C:\Windows\SysWOW64\Fdiqpigl.exe

MD5 3fa7e8549497aca394b71fec9d098d73
SHA1 592461aead3dca4bb998f09b7164be26d5d43a32
SHA256 50a354d7533efd703d8fbf165a9fffab210723ffd89bcd2c57c986e52ded0fe9
SHA512 963da39e431b27a80f58205f6e7451a513cca8d8c7bf8078a32f0b97b7a7d2372ad4ae4bcc5365e05d0ee81b3c9bfe551dab8967d6306a84d22f6f143da940ce

C:\Windows\SysWOW64\Fkcilc32.exe

MD5 5f1ad4311c97e3d2e58f19b37211c48e
SHA1 0373d52fc226b76358a3890241c44918eaa2130e
SHA256 6d0fae022ac993e20b549a6d22a537f944f6c319a7c20a28ee5516d0d9790ce4
SHA512 dacdd05bb5b22b0d8e96b5ef272db2e0e81f4c7b9affb612f55a498db60b3f4ff4931501a7ce1bc9d267f3d10eeec1844f6ca25c8978c91e714635419a91e8a5

C:\Windows\SysWOW64\Famaimfe.exe

MD5 d40de34523b1946ab8e248dae0e42059
SHA1 a52be625ab6782823431ef8f87f094146bb115a8
SHA256 182b5326fb506d75d4837853d3264330ea58932a51aef92c102ca97252334b27
SHA512 6ba6e715315537046a77e237549a1b6d753df2705a595211a10aceb69a0074b3bcc6de5415cb2f051ca3b7d97b542a35365aa0e62236ad08b62f8057f32acecc

C:\Windows\SysWOW64\Fdkmeiei.exe

MD5 fd966d89ea96334dda7a6d398faaffa8
SHA1 a9b7247084c6c9ca84bfe866d9c0cbf7a5b1d217
SHA256 d00ff7f8f80460e350162b06a60dd6b3a2bc3e5b89197d72d8dcb663d5575013
SHA512 3e48d8872104233ad6c100c29986e68afc2da67ee818297a589ea98600b8d02db92b76b53532ee4650b2f77d5d6e9915f0ec3f7e22bef8c57f1e0bcc3af4d8ca

C:\Windows\SysWOW64\Fgjjad32.exe

MD5 dab1fabdd22fc400ecd3715439bb08f0
SHA1 4e419f9362c790f1e957d791774e821ebf0f666c
SHA256 3b18af65cd69a6ef8ef7fa2edb3cac0d2da87ff5225aab1284fbdf195e87efa8
SHA512 76c1288b4fe6a757d9d0655e6df90c9df6ba9d3c9bfeccfb5348ce323eb654090e669356bda8a9b4e16de587a7510de769b0f81809d9976af9dde62b8de664e7

C:\Windows\SysWOW64\Fmdbnnlj.exe

MD5 cd9aecc38b87210bfaebb27a73a88b63
SHA1 d06011aa79329c4fd6a05556c975273a508865dc
SHA256 c4f419a41728608ca757162ae59c0c64917db4adf119a74621bbffe52dd6d7a4
SHA512 0ff3df4081a476e01e916e5984cfd0dd360c800f1a86e81ea159c31533ec7c30f358774653562d34a062e562f5ec4d9e91501b4db2a15d177774aa206e3170dd

C:\Windows\SysWOW64\Fglfgd32.exe

MD5 e4884b2822d9dea46bfbc585b93d22d9
SHA1 d5ddbbe21a6c888759bc9f78e7cb7b9ebf7543db
SHA256 c1eea1d13cfddc0d500521034fa7baa5b3a409406965c0247361a0c8628f71d2
SHA512 6fade09c9e6aac613aee8b9a0c3fc0ab49c52feb7bb6f7dc44b95f5c80e7f312b2eda4f1bcfba68e3126a601f3ef91ade2113bd897c2c0157e5920278b8f036b

C:\Windows\SysWOW64\Fkhbgbkc.exe

MD5 f33c478f1c4cb879eb79785a669540f4
SHA1 a7eee8ec82f7d43d0c86e79bd7caa09292b6092f
SHA256 9a7c3ce81d37417553e02cd32e7b3d4ffa50e6c1c718e8d24a740434e7d4503b
SHA512 0204724ca4e981f872f1241baf3b5d7794c5d4c8a01fe6086922e5429d5aef2d60bc485cd538e50bf800ee4b42151665441eb9418373cea9451d6b5455f0799b

C:\Windows\SysWOW64\Fliook32.exe

MD5 3bad61ddd0f8815a0209bcbfbc33c6e8
SHA1 6016dc0f40de7685bf39b333d4daffd080b1ecc9
SHA256 d7c6c92c07e077d4260909aa2d4df11a2d9eb0b29d5253583fab1c5c9670a568
SHA512 21e75e3800503db070536529b5d6ba5195c8dcb211b72a2f94630b6a87cefe533dca7a83d79edd18218a46d51a88f466c089c833adce23c9bee4745a89d7d963

C:\Windows\SysWOW64\Fgocmc32.exe

MD5 4ab69f9482cd6d590ba1664cf66ec267
SHA1 fc800f72fefaf0003758b510065a1016e23ead50
SHA256 ec3928fb8d353af8dbcf44cde38cf7e6dd915bbe1450e860bfafccf71384cb73
SHA512 6e3fac852b8d47d4a4df5651aec6c4ad04492cbff6f8a7ccdfabecccdb7e48a7177418eb6b6b2af6484374bc134623841f006a231c70c753d204d65bd98c1f9e

C:\Windows\SysWOW64\Glklejoo.exe

MD5 d95b94a11ab981cd0ca7fd50e9a74ed8
SHA1 d8a03e0b66412fbc15c31fbefb4b318cf8339a66
SHA256 3d2bdf5767ba3a318c61493203bcf2cc34db9e3c5387108a2f397f5ab33a4eac
SHA512 ffa2808fd83b9e304ed083d5abdb6303b945af561b17a34535562e956c004847d48416eda2b5f157207953e3a83e95b4c58e3011444f09dba6e41a43e0b7b9f6

C:\Windows\SysWOW64\Gojhafnb.exe

MD5 43585bc293ca4e66f5d3a3505a923cda
SHA1 de4526415d3d2718adbc596009b5af1968e926f6
SHA256 fe62e0749284113003b8422f7c424a38a313bbb137a1afc2701db7f57306312d
SHA512 4cd563d3d470b7c9e38117aaee78380a616a903ff3a82849a16cf6c44a6e132aab0218267567c368005253a5631df113d2bfdc537f04b404d0cf54dd5e422404

C:\Windows\SysWOW64\Ggapbcne.exe

MD5 228469a907055c9fc2f3e81cf9357f19
SHA1 659a6c81c6927507ae80f5a3f3efca9bfdf40827
SHA256 64988eefaac130dd57262085c3cb928623300673657fb9daff201bbed2dd38e5
SHA512 027d934cd829470da62a9a0e7bc41880781711d188a92e380e1877478a586bf1a95f1b26ff5f16d8ab9210c3c6c7c7ae3e89137416fcee7dd16d1dd5c21f4d68

C:\Windows\SysWOW64\Ghbljk32.exe

MD5 af4f2eaba553116ad9a8f72ce4612f59
SHA1 6f200492b5e77173483b5e6896e7a559e860ae98
SHA256 d2b9c6f0030b951339b1140fb02efa5ec452f03c3458a07f63d158ab343de017
SHA512 14b81154893260f34cd922ff3b1e66d80a383581d282a486b3d33edaabd1ed2f0c20db94399d2ec8a2c93505a7061caf1135c80404e84e47af85883bc6642043

C:\Windows\SysWOW64\Gpidki32.exe

MD5 1bdb545789a789d8a8b93141ea4f3d8f
SHA1 3c50f95556310b10bc110dc7406adb275bb0035b
SHA256 c2251e6780d624f19e4ddc0161626c06e01365bf4c2e7693ff4ed60b2f8db0b1
SHA512 c3f12fb0475664297fe062b6b671af97966f0ddf4b57c27cdbbdb06e44375ab4a4a188fc7a4bb1c3e9852f0cfce5dfb14782dc0538e208fe78a10b8974b829ad

C:\Windows\SysWOW64\Gcgqgd32.exe

MD5 d38b5cfae658b16f5919b4558248cc09
SHA1 a27e77acf42fc091e93614b86364403c308919aa
SHA256 ff7569441a0d20e2dfabc49aa5d1769260f92038cd8d66dcc0f8213803b1b6bf
SHA512 08597f4326e124551c8b844d2e4803296c4d531ae27c2b0c989d830202a579ac609a1ee56d2c0a699e62ccb52e478e19e5a7ee19c4b922fce8dab7a14c7c71e6

C:\Windows\SysWOW64\Giaidnkf.exe

MD5 ca8d3d9a02b219dff33936f9d8719d83
SHA1 2ab085b735a27254f81a8d29c19ce0ac116e32e9
SHA256 3cfec709d97032aeff054e5d4b8fffc8f2b2936d146ceb9bc66680e236ffb34e
SHA512 8d337dc7a0524057e86d958941a3121e0b13c71dde022299248ea8bfe1658f00f9e17c405d2384bd270c098b36d704af902f6fbbd887e343c912b805064f2500

C:\Windows\SysWOW64\Glpepj32.exe

MD5 d457026d4f02feabebca6143420b2a56
SHA1 e30e7906fb863d48af572c33a01189591f09ba55
SHA256 74fda3f3fd7646ad3b6aa86180b8b7378eff177d6c880dc56d44fb3ebd0b924d
SHA512 2f37ddc4967bcd05c7190b719e75e5a6a81cbdd2940e59bc0ca8e61063559ce3c6da0b13c2b904699c26ede2946acf55c72be5a2eb74867dac00fe20330cda82

C:\Windows\SysWOW64\Gcjmmdbf.exe

MD5 4a63b6456c86dd2bf5386a1dc7755e05
SHA1 b00bbac32f3b7fdee1f1b13952d8385480bc9a64
SHA256 ca126264eefef32dc9d455cb3857f3f70bcaa39f7bc53f8c878b625a6d11a043
SHA512 f76ba7b82473c911333020f98c0e570e60eb012bce9fd9ca3845f69f7ecfe80b26c619cdac74bd5bb61e302c6c3f44be8a5077555ab82ec8534b8b13e5e397cb

C:\Windows\SysWOW64\Gehiioaj.exe

MD5 6ea84374b6dee6ff6daa55f5d293e0ae
SHA1 782f0cf067aef68ce1aa935773d149527228788d
SHA256 c9db0912d8e6357e21a872f3b5c77cf5b7ed1b90bbd92a40b35d6836d68cb31d
SHA512 43bf51d597c98a8a82616c6483b47a004f791cfb951c17f4a54c8c1c30ab8b161396dd012d9aa46ab43c50351cc8fffeac67ef67a84a1060388d06d67b5a7cc1

C:\Windows\SysWOW64\Gkebafoa.exe

MD5 44be5923f2e0c50b3746767716c6177f
SHA1 8f0fa5242dba053b382b56533127cfb5a60aec38
SHA256 4338837752d22853d37c0d1ab1e97864cdf4baeeba80ede7fe1c6435bdfa6b76
SHA512 aa787e43b261c6e41d19b14a9fb46bc3e972dbdb9f7e190a506941cb54be6f15051dd8306b04698654e5bc920852d9f0484b6d73aa6bf41f7b0f7822d9613afb

C:\Windows\SysWOW64\Gncnmane.exe

MD5 893e00ec3e5e527f900d480fb8ae5c0a
SHA1 4d80769e7746a2f263d8a88fa4367022e817159c
SHA256 581dd34a38083e54a706d1da507ede908da35421358bc844501315e9fb7d1bc6
SHA512 4a87ecb69bd98e545d66f194271a47f596ccfaf60729930c6c3e3b8f4c1a3f16f005f4716005ecc86a8b36d28a17be8bec0b684801192fbc2abfc126c2f551af

C:\Windows\SysWOW64\Gdnfjl32.exe

MD5 778aaa595b3d93f794edbed3fb8e1d6f
SHA1 93422c39f3007f439ac6f55166fe637cfe92aa69
SHA256 bc389977b2b9921c2af792eccdcde61e3b41482d94e0758c2604ada8196aa4ea
SHA512 65750ac77d58b00e8ef5e96d4beb9c87ea7aabe876eb7aa14f4ae9ff830e8b740d32451200c9d7aac8e669ce147f6a63ecb64f1ff102c41956119c785aef648f

C:\Windows\SysWOW64\Gglbfg32.exe

MD5 f94bbce281b96984e02034833c627189
SHA1 bb6d82b6549f6b4e40a780ab55194b377dd35baf
SHA256 961aa990b544e3be565f5b6f1477b7aed4353a1fd87c437df6f8db849dee0fe0
SHA512 01e2d60a15b39c0f0d0b8e06e2db67333cb08eb45b2907b8217b30d530b9292a1717a0c173dfcdce65c8caa63ed5d0d8728f5156fc808bc5fe376362c5ca2fe7

C:\Windows\SysWOW64\Gqdgom32.exe

MD5 cf136c5bf0f093796d15714b19ff17d0
SHA1 184ffc95c106d6e491384a48d0c5d77894f77d01
SHA256 8c696414410d7a35acc7a75df3e517562085ffd15400ff16c9071dc2c760ad0a
SHA512 8654477e016443790c7b256d9f5a6c788a90a47607e828c18ffece643431e4b62fc9c66cdd45385de07743aa8352005ca8fffe033aa0bc2b0b88b55927d32e68

C:\Windows\SysWOW64\Hdpcokdo.exe

MD5 4e89ae518b81d8b4c62991670668c161
SHA1 264eb8b599de4c8e4787492db15c4ac01fd91eef
SHA256 ac391696ad8e04d9dd8c0ffbeed4afac7c12c78925075d15feda7b9484ea942b
SHA512 9ac84886404843d6d36b62064ba3d7d4397a84e56bb3e755116321598b54404d5969d08750e691ad2bd1ef37694b435a7fb1f08ad08ae7e02634ef6893166ec3

C:\Windows\SysWOW64\Hhkopj32.exe

MD5 147c7ef7a1973b3cc62cd654f21cbd20
SHA1 1c10582876f37255137b690b8dc431cf217c1908
SHA256 79d2af55b3db381619f43ebe0b53647a25f6e13e751f9541963db5e4ab4e4392
SHA512 fab4d3485803c6b64890bdade0c8ea8d0e60ce61b1d0ef8b14a648cc8c4eb8fdcb9eebd751aa720ae3df59e16804fff2a27c53486d36cb96f5e3ccad0d11a19b

C:\Windows\SysWOW64\Hnhgha32.exe

MD5 ec572871f26646e93f03d53118822acd
SHA1 c2bb632b8b0e024b8e2d8557ddb92959736f8bf5
SHA256 8a332fb22b69ca682cf2982673399182e1dd27ce552efbaadc45b96e198ca4d9
SHA512 e70e513e355f4ca718de94a5a8b618ac6faddeb9ba2e7ec64f28b28187d777d552c1586ec0e371f13d76b0d180c741bb00de3a99ad385829722fb7a1bf99ba15

C:\Windows\SysWOW64\Hqgddm32.exe

MD5 c0ef07f5474b37243403f79aa2e09cda
SHA1 7d068e24d538866fd646204fcd430be674b13a81
SHA256 eefa8d1f3fece6eaacf3d0cb23e794242624c19399d06b36e540067d9b54acb1
SHA512 d71220c9d38248431da70408b7f7f34760d573ddb6e74e7ae7f1c8d4cd07dc9ea6a075aaffdfd0fbe3fe7126568b485c46dfd838a75f7cb938add84d23140244

C:\Windows\SysWOW64\Hcepqh32.exe

MD5 6f7968debfe019c1cc807936d592c3b2
SHA1 fdcd8b9fdd9f335714b64a29aa55769062b97959
SHA256 81d34a1cccc94ec1a3fad8f40a964e73c699e469a1ae7ff08d166f0e4362bb79
SHA512 6c0ed561e3a1ee20e69df7bfafb56a26eba1c6e99f6930d7d155dd47d679f2f78d6399ccd0001ff91c28630a29b80d74a493860b20ca138bde2fd06b046fb77a

C:\Windows\SysWOW64\Hklhae32.exe

MD5 6723dd5928937479a3b6252f9e8d6b2a
SHA1 849726c02309597077b97fe9eaac202dd79743d7
SHA256 cb1b6091a53fe6d410b6a4ef734aa973d6d075e524b5a53e0c78726c50e90a1f
SHA512 ce13f86a99b473eaaf8ee9969208026909cfc9bd739e5aacfcef0648da826a695c5848a8da416e63967e33328b5009ceba06ef31ee5a084d11c4711da531183f

C:\Windows\SysWOW64\Hjohmbpd.exe

MD5 a4d961eb740500e6db01e4b6affe2b75
SHA1 f778777eb879fa07846425fd2ec6c17d34a8422d
SHA256 05a4f11ec88b6cb530fb43e529d308ff25078a3672b36e0543282292fb26b7a2
SHA512 70184c767a94ac4a8b08874985fddd623db99e448ea34594aef1fb5d7a11320a8e6eb2ae18fc6fb508a9723e020fd5e0923e095942eed9462b2292df4e75bb03

C:\Windows\SysWOW64\Hddmjk32.exe

MD5 1783c6c8c2d6101dfb6baaf0f018f32f
SHA1 92bd3b1f0651b7943595625829157bc890dc1e22
SHA256 e24f4969c59c0358b5629ce1eb41884a8d95ca2e3f71168e0d70305d020c98b1
SHA512 e6d182d1512c41310293b14893e56187b7a395f996f342905efc63f36e8377a2dc11158e8beeffe01543512df508f5a87d39b17f5395f82e1635b37a733c3fcd

C:\Windows\SysWOW64\Hffibceh.exe

MD5 ce83638a66ab8396a983db07c3d20ae0
SHA1 ce9613cc3545632014570df678f9de2a50e15bcc
SHA256 c16912df7968c8c92c43a32fea66db1bbd4562baf2d7d83d10b68bf235a78d01
SHA512 ee2450cdae8d6ff6587e4ab6f495c30b23757dc10d1fb7a8bd57ee7fdc1809692e1aa8313424daa41dbe1d6a02ff8b7cc963c9efc636a858914a7bfdf4b8f595

C:\Windows\SysWOW64\Hjaeba32.exe

MD5 5ccc7c13197d5fc61d4042cb360d787a
SHA1 1ca6f997dce09bc24b08d9fde0a99e74d2b57c94
SHA256 f6fbd6f9df7956fc7dfc76c34434db04f13693b77dfa071ccd971db4c9814762
SHA512 db2f2c082a1315c9427d4d7fc3708cf571f2a101d8ded9ac6fdad2cc07f135a49410dd28e69460cdb8e2fb9410e205e30f3289d58aec8def0638dd34993ee994

C:\Windows\SysWOW64\Hmpaom32.exe

MD5 0e894bfb38a40041b823f70c13801efc
SHA1 9f260f4e282d43063b2b319ed8277eecf8c43ce4
SHA256 be0aa9f696d1de94cbb8daad7bacc9901a6473392872af8a60fa88c7cdfbd618
SHA512 aba7b3d1ca10ce9b72e497104420eb063bd49a94a6c37f7d3e7694f64607b315a130f7b55e95f4d470e5e5c0361d9064bee6d2f77d7c3a31a19b790640cce300

C:\Windows\SysWOW64\Hcjilgdb.exe

MD5 dca4a726a0f270e51dcbb9771900b043
SHA1 99287e29649aa41e3c892d3294bc783c8d52de9e
SHA256 a2d940dbdb7cf66f32bc36825940d749c12f74d8ccec0e4e20b4db2bb365731d
SHA512 9d222cdd178aec70d08da84791b4c6474403e6ef4b4a8171b4f24a04da7ae0cfecf55a30948e8ecdd6b582ff2cd70ed11162c08db1ceaf1faa00b071d2b427e5

C:\Windows\SysWOW64\Hfhfhbce.exe

MD5 755aff9a7868c9530b52b76e1cc956fe
SHA1 77fef652be917ef6eb1c6fb66ec00f512cbd1cc0
SHA256 aacb976a09c9ce688e19b0c48acaa1f8e32bbab5d20c324baa0d2726e6056052
SHA512 5e0b548ceaf5c9e51eb92d6d9769e8545c0dbc9ef3d1de4d1e8be2a1a6b8129837ac67061fe219dbf55a0a4427cd9777238e0aa2bcad14b4c08e268277469874

C:\Windows\SysWOW64\Hifbdnbi.exe

MD5 00c8a19bd8fc04cda9071301953227d6
SHA1 d16a5e74bcb8dfbb072a49334c697483eda24bf9
SHA256 920386c6f3bb1b36f04b30e65adc32a4a8bb2a5d7e073e43665a8a52b57cc2b4
SHA512 6716a9bc1559a2d8578cd485dbf13f04521cf4e757c98fc16a780e695d804b93848e08dd5cfaf47b2a96851a59940305df29a29500dca6d1b5adbaf6fc6372ad

C:\Windows\SysWOW64\Hqnjek32.exe

MD5 850120938fa9375d252e74c8cdc9c9ca
SHA1 f3cb2eea4ef277764770e66e94dd51380fabef0e
SHA256 0e8db7b67a84ad9579fc7fb3646ed3ba15bf76aba14fd6d064971bfcba78be3b
SHA512 4f2b459dcfeccc42713ac5ff28a1027c814d2e9a4447030ebc8ae0386021ee3b39e7800e83da7d977f16d37c40856dfb41fb83f9d4ab4a49ec0f3a8d3b408f34

C:\Windows\SysWOW64\Hjfnnajl.exe

MD5 b9fb05e04e3ac8072e425846a7ff50f3
SHA1 e66aa8524a26d0af471bd158d06a52c69756efe3
SHA256 be78b151e58c31525c128eee14c8c6773560e29b0ddd5eb0a65da92c04cf30e3
SHA512 c1ea226cd3dd9a84a0133acdb35db17fb94a90453028887109f5626ce6fb8aeaf93871e4ec864bc782d88cbdc20db99254a34588d5c9ecb228262ea16733b8ce

C:\Windows\SysWOW64\Hiioin32.exe

MD5 8467aeb008806594ca40cb76dadc8f5a
SHA1 f0f0cd774f2632879d820a40121ce0f83b01b92a
SHA256 c03627541883f3fdc91903836360db7b6c6885eb85aff7d6228dd537c7ee3784
SHA512 c588fbd305805d23b53c56c7e43be4e0cc3aabd1ad5b02ab6accb30dbffc41fa027ef916aae5163ee12852a4084e9840088fe1907e84cb8ab52e895b0b5699dd

C:\Windows\SysWOW64\Hmdkjmip.exe

MD5 6712027f8fe0769294b1c3f0dc30262a
SHA1 45c75bea343bc85be3c5011c33b27ef875caf8f4
SHA256 1284a3c087f63af2dc115bf050ca19909a2a15add8a749959ddfe96ed5c97883
SHA512 8434df87a8bf3977adcf5da9db9cdb5d9bce9a82cc5c65787107171e8763207298c70fa0b67e1f78374029100bbf554e84f60ead9955de26cce5c0e47b8632f7

C:\Windows\SysWOW64\Icncgf32.exe

MD5 0fa4d7f2c78aa6113927fa00e6e898ce
SHA1 df5163def5f0f453dd95728df697a101b60bec58
SHA256 9bdd018768626bb7eafaa6576d65f666efe1c75d4265a89c89f735d8865bc5c4
SHA512 5f35bbe175d93a45e61f4999ac55358ce0ac35e41838e094158a209c0739aed0ea6c8f36d52926f6ab702f032e1210ea4f1f4b877602c73b4faaf2fb337fafb9

C:\Windows\SysWOW64\Ifmocb32.exe

MD5 cdd1d401c8af1ada47db7c0d5f00d956
SHA1 4d252088ca781b5164dba34f4ecdc9dc6b74cc03
SHA256 697301d7a27cc5b8be826ee79706af5de777213e57769882fc9e5ce705e719d5
SHA512 f171c849959a76f933a8c337962228dc7f59faec0acb5740d387f991dec4bd3aa1906f72205891b5236530edaa5dbf2314a7a2ce2266423be480e11828d1a0be

C:\Windows\SysWOW64\Imggplgm.exe

MD5 d3953979e07bf1d8856937c330984498
SHA1 f8e2de4b727b594c9f1f0c97073f00f43f23274e
SHA256 98122a320b018554e18f1ae084605b4abc4347fbcf2de8af4bc409ea73a94c90
SHA512 973062e145af5479eeda3234ecfcdb63e6cd931253ce8b7ac93da398d742b8465f80491408594412eca6983b0cd75c2ca8b33965b8ee879a87228b6baae8b310

C:\Windows\SysWOW64\Iikkon32.exe

MD5 3391d5c82fde820aa9e58261a95d9ef1
SHA1 1a56aaa4e7df3dd5556c2c8c15d8dcad4e8717f0
SHA256 dfa4fc70d87fb92a723cebba647bbb5b71cda9915d8f1d9a0659fcdfd08c0185
SHA512 0d7470a55a1423ffd0c133bbffb74cbd4ca159f9d5f6fc092a63b0a7fa255b373af62a083c268c29986772086c76b1ccab00dd8fb1ba3630d028ed047ca3d391

C:\Windows\SysWOW64\Ioeclg32.exe

MD5 2cec007cffe32fe7722f76d65ea2d370
SHA1 56ca5a48fbf0260f098fe51f7ffd5a45dcbb2c4d
SHA256 d753e5166eab635ded29fe672e3a4468b0c8e27ec34140828ae8ea05757ff65d
SHA512 c199d4609b1cdc529a078ae6f6307cf631f830f5f80fb56eff1835f36e0752652bd3d5da02afc39048283cdc46c64ba01641f7be3fdf71d13527e7dedc41ec2d

C:\Windows\SysWOW64\Ibcphc32.exe

MD5 8fae4e5d552f68c2d208bae40f506a4a
SHA1 6bbaf7503b577d74ff4ad35da256c82e825da3f5
SHA256 5f5ca42fbef4e0bc7f638bd5e0c8892e61fdefe2087d0a32aee8b91c9e6257c8
SHA512 7cc217d7c84dae28e893ec49c9eb4c334f914f76630e3f0411ec9d6586795fd8e4491c909f03caac2fec8daee46c2c0f5c25d2d7feba2a96bcda5914319ec941

C:\Windows\SysWOW64\Igqhpj32.exe

MD5 c74a36da743bc1351219daba51829b72
SHA1 07c588d592d369f26b948f076879fce2dd607003
SHA256 d035a99147cf98652b6b8dfe41ef00e6150220f0d09ca9fb0d589a1001ad1671
SHA512 65afb0a104fcfc48f245707315b2ed027a5f5c3d60d2f2f6c24b8302178c19b91f91a7c863a392fe421fb1ee1cfb0262a18c915494a496802901e6085ce96d62

C:\Windows\SysWOW64\Injqmdki.exe

MD5 3ca6a6afd122be29f21485eccbf81bd3
SHA1 bb41ee1fde39d5b35353dbcb9e945884cf248960
SHA256 277edd1fbf691448f8a2762614c1fedc7daf349b114f0863f8b4b8db48067916
SHA512 0f19ac9a368a7524a0f42cc746351ddaf14c0f7669d55408f8947d6a145e1afc0ebeb7370f576f8f51184abfac921229070e0159dcfeca637b896b3326027efb

C:\Windows\SysWOW64\Iaimipjl.exe

MD5 1ee2c52db1a3d1ab674e5dba3ba80d4e
SHA1 244b7fcd741eaa5685b53242d7db786ae9ce7552
SHA256 03436e00c2ad40237f0c1cda6bedcafeb875570598207f131e78cee36dfe56b4
SHA512 7d5c0bd9e024b75c33a2e8d3b67e014042c1522fff4726389db50666dbce1bfffad5ff632815b2ad0e89016547795180f913a6c9e8ffe3c373e1a48f802ff88d

C:\Windows\SysWOW64\Inmmbc32.exe

MD5 d0a94b2beb58a8e484d24964831d4846
SHA1 a0ce18e8c66e6cac107fcb640d68f3857c349854
SHA256 c5cf61890b2351c32d92df43ba4339a88d05059e95d0b42731165ddfb81b441f
SHA512 5cd60bc8b44394a4349d10d7f564f231be99449e74553cc4558b71457708a10b425a1da2b7fb60f60648b985f52e2160f3ab47e86362a9b0bf58213874327c23

C:\Windows\SysWOW64\Iakino32.exe

MD5 ced115f12a022241f86b00e4391c48ec
SHA1 95e06b485ba47ec9d90826d07b30041c0db5a8da
SHA256 5b473d9e8e3c6f0846240e03c7aae5b2b3a45d338749a7223f0322be898345a6
SHA512 2b74c2709cb236ee8b0aff628e0443b2cf882e305a9017db98ef6a36b554ca1a328cf1f7d1717ff617bc7b66e5fb48508c1de43f0df65ddbe0229e4bea13110d

C:\Windows\SysWOW64\Icifjk32.exe

MD5 10ecd30998d07867245a015a441677c0
SHA1 fd1dd87e2577e9c5cd9e40c59cb01565fc33ad72
SHA256 198b27e044b3c01a1c13c53978c6a166748dbed53d6ffdc13d2e9c1cb98605ad
SHA512 06f00c7b662559d33e121da7fa88e13a21f2f98cc65cf99f2e3f6989e5c9806ec48b60a620b9c308390e79e1c5006800daf62c459dadc62007b4f9f402b3f755

C:\Windows\SysWOW64\Ijcngenj.exe

MD5 75c1710f6cfd812fcbb30a587861fe77
SHA1 003d990be60f8e62d2999dacbd7d610f2c3d7018
SHA256 0ff4991401cd5b38870f05233b3aae16728759a82c88b086e39661c1f183a9b5
SHA512 fac21ffcc86c7e89952237dfd0174dc8b5551852d6366cc15bdf084b13da73cdf738cbc96d11f4771381a10da5cd67915454e48558359e864a763516060dd7ab

C:\Windows\SysWOW64\Iamfdo32.exe

MD5 4a6bff9fb9bc96158e09991005bf0b84
SHA1 ea828f67d6389831096b3ce394f13384c0ee2c8a
SHA256 6af2cb9f39bd14e0d1619b3aad0019c480f1fa3f7e8788b7f66e786e9555c34f
SHA512 c97bba3d8a00dec853a4f3dfb652b11f7a8688a7c8b7294d98256831b92a0cfb8c13851307d359a997c8e86dda19c19812f4fa5662d84c8968d03b4f038703eb

C:\Windows\SysWOW64\Iclbpj32.exe

MD5 f7c67987cf1173b38d85e6b37eb3e2b7
SHA1 ee79f42358002ad687086bb004e5cc3512617bcb
SHA256 b79f88face9b710c2e50359334f06fb2dd34f6c077c9aac4258c60fd355a6190
SHA512 3cf4ab6b4d6bd75d7ec6d9a102e7b949b6f74b102fac07debd7928602f22e03116349322b58820c636e672dc7c2033d59cc04b0425b9529751b8294536929678

C:\Windows\SysWOW64\Jjfkmdlg.exe

MD5 0a4430134eed967bafc1ad4e11bb43df
SHA1 f8dd7a3af739e911c9af5faec3f514c8d70813c9
SHA256 19e9113e20eb4f0c3709f3d07adaaf9e1c6f5307d77b52cf99eeceababdf76af
SHA512 4ae935af663d78b85dff13e337a682c311ae55da9eba469fea67e466c437a93a75cacf3333085e0851b3108a0f723aab9b0df245c5160fbd7a6397425f0bde28

C:\Windows\SysWOW64\Jnagmc32.exe

MD5 6c72f0d8690a73e527e3f8f093e3fac0
SHA1 8c4d88632e607892d4923f87fc0a73429c74a910
SHA256 bac4c88990357431bb0b5babab441191d502fc830dc3533e53fc1495917017ab
SHA512 d74d66931cb4e23b5bf9ffc21b8e1ef42f1b3eced47f8685bf6d28ea554d6f2922909fef2b06e8f907838bad3269b5481e35e9faf8700be067268059d61c5b96

C:\Windows\SysWOW64\Japciodd.exe

MD5 970a7f8d6c59ad57316f0e5fc70455c9
SHA1 9ec0b66c40f8d4627a889c5e11cb335cb7b8d5c0
SHA256 e45d9fcb47c81dc3b61f67f128c7bffef88417d5dea4892405e0b9ddf993f855
SHA512 81d6a5fa7b79e4ba9211234634fcff79cc120e37e326f717b0289b571c57fa3b6d34fecb3bd5d5f0874f0e4de8f2320887178ecccce09a8fe9b57ce0b6c646e8

C:\Windows\SysWOW64\Jfmkbebl.exe

MD5 598988b198437b86ab5dbae99766d210
SHA1 cc5a5fdcc15a6651a50b4ec23e0da90f778a506b
SHA256 0bed95a504362d75033662978e41f35c08076d4bc390dae20478191248c1fa5a
SHA512 7b3749653e00d51195bccbe6d421d067e97bb4ce5ac549f8233a857c12e1ffbdeefa846cfc706363d91f1fa84e80dacfcbf767bd1476b67971babe1362773185

C:\Windows\SysWOW64\Jjhgbd32.exe

MD5 d6022d7d3803658abec643b239b09eb0
SHA1 2b04648fca58c60ead75a8c1d8eab4c05d5b8592
SHA256 8956219ca5ff03b3d0629f71e281e6819c91f23fceb24afc0f80b198870a9f51
SHA512 71677e9b056f24a1d13a2bf758bd702bcb424a8d4eda51f58dfdacffd50010239a530d416ff290f4de13a25428471c3cafed900a9d6d48dd3604c7f925577d20

C:\Windows\SysWOW64\Jikhnaao.exe

MD5 6a3a7aa17bbd30df5feee2193cb36a5e
SHA1 0a9d488f8a6ecb57243afcf33609cf9134a97bc3
SHA256 ed6dd08eb41e097c88759f3e0ba7ff7a4a464020130425478dcb15c2d46404cf
SHA512 1ead1710da5e594b41b2db44735029b45c142ea051c60058fdb39e41acc59c2471a1027194c7d570997fa70c180dc31e3302e52d5aa82f2491cd4886b353feba

C:\Windows\SysWOW64\Jfohgepi.exe

MD5 648e7b3d80329a7f247c5bce774f2aa3
SHA1 5f4ec2c3d15185d60032eb3dfd66a9d15d3cca19
SHA256 319a478452c81d217246440db37a2b506e4b6d94c5dbb276a591a46b473154f5
SHA512 fd96cb2c80e90a25320678c24a455cbb516831b30f01575664615036f59b55af08b3cefdaaddf0bea4b66c959131b3927e91546d8d74276ea0f7ea58bc9acf9f

C:\Windows\SysWOW64\Jimdcqom.exe

MD5 fe6beb7be36516c7763112477dd95c0b
SHA1 ee5f9b3378146207c36b02213c5a02a0869f7fa7
SHA256 699fc042b0911f971fd9172f1c1cc103c1202238504343e18874dd28652fa629
SHA512 93863cce2bdf8ffb3211a62fd7b4ec87148dfd65972ea79d46b4e0d97d80d9d600fbdb602a16b470c18050291af6d8caa3963587b2f29e9bf9fb7a7ad04a57b5

C:\Windows\SysWOW64\Jmipdo32.exe

MD5 f64fae640094da26b176d8096eb051ac
SHA1 e63ce17f09d7e3fe3cd7bdb8fc870b441b24331b
SHA256 8051c7ec3ef8d7754c886eaba81edafb3e036ca059a3d4d6b8b24e5a274502be
SHA512 f29119f1debae11667b8a03a07c26c8e7d9cbe65f98f6f57666ac64f819ff4e1d623d07cfb39ae6250de234f2509756041b07406fe9ef1cbb1225c54e3df6a2c

C:\Windows\SysWOW64\Jcciqi32.exe

MD5 fae439b6b42f81db332f913f341daae1
SHA1 799ccd170ee38d628afabadcaa755ac9e8e0d7f6
SHA256 98ed436713350db8219fd341bb84e9b6000c18319814d324f30076d18888838f
SHA512 b5527c81bf7a84fc8c5654abacd4b3d651995ab006ff44965cfe5789d85b322b8abe07c8b55c986311e195dd6c54a37c91736d052b31a825da3c6645c17c66fd

C:\Windows\SysWOW64\Jbfilffm.exe

MD5 fa911dc263f331af42baaf53e4703c23
SHA1 3a8fb68f7852d9946c76cab5c957ddfa6e64bcb5
SHA256 68313ea736b456d7663bcb14c15f4b0b9e67a85399aded416bfc55df10151f9b
SHA512 9f906c958ba002951fbdefcf7a71e60e0222b8074ada528cf29ae5c9bca35835efaeb4913cbd341ebfd26a4dbef68d266e1abfacb4f91baa159952649f0549d4

C:\Windows\SysWOW64\Jedehaea.exe

MD5 340dd128d79a68cc15492a53b606f3a5
SHA1 b6ba4b96b41c5ecb76245f38483aafabc9079fc8
SHA256 ef8cb2cf3e58d43363f87866432ae6fd786f810b4ff88f92f550d4751ffb6531
SHA512 431ef9ffe3ca419edad3bde8f512254a5d837a23c4630aa1dc7fee9d95e0ffef768c5aee9f0dead081766a35c69a54e3bb5438e81a483a1d7be9e68346468d1f

C:\Windows\SysWOW64\Jlnmel32.exe

MD5 5342a90693877f3b58d3b520603e14e6
SHA1 0302f75c959059db5caed66c64eeda682715dfdb
SHA256 bcce36b00d1d9cb59d9fcfec38206bc336e8cb1bdfe646bff229ae16bda7b8bb
SHA512 557f3603febddfaa592c550f068740920f8c06a5d71c053e8368798c0f6e918288907e7d36aa17510443a8814721d3ba9d0c4d306aaf89e861ea47e578a1682f

C:\Windows\SysWOW64\Jpjifjdg.exe

MD5 37ec7ef325b4106b14584941c35ee38e
SHA1 9f569254bc0f82286c972aa2f537a036e5d4579c
SHA256 01bef06f1647170cfb373d285e7de40299243df85b9f024fe5b6f5bcf906c4e1
SHA512 f809d1ec4f164968af58aa1827749bfa667df293794d8b85b56bb8a1b2b7c5a7ea8079cf1c804e3175a67203fd6767cd6c78e8a2abc08a187f3090822cbe1568

C:\Windows\SysWOW64\Jbhebfck.exe

MD5 731d41a210a1907f4a6a02e3da3bd593
SHA1 f491483a949b904001d30c9ed045be8287e90a3c
SHA256 b15471ee52808f691e32d2a7eec337317ff2debdde4c3d45c0dba6b771c4ab36
SHA512 128ac3e3ee124ddf6d35e3ddbe23731f49857a0308341d7ca84acc35ae4d9b13493772fd005c233457a8d6e2fcee2688802aadc1943cb3330c5a968fb440ea65

C:\Windows\SysWOW64\Jlqjkk32.exe

MD5 b69249c704f012d940382040b690207f
SHA1 b21e9f6ecc42a4f65c6d22f1666f8e68d4b0bdf0
SHA256 3de08f3c4ecd66dca3a2cd6f25a75c75d9146f6eefbc7f9ba371c4fdb8338080
SHA512 8e7d77594c0500b138e9b716654680d51bb3de1a5d1da9defd337a0a7e55d97f9d8a44f4f93013c164e1f38abf537d9d6a096ddecb1c4d907a012762ccb74096

C:\Windows\SysWOW64\Jplfkjbd.exe

MD5 cf0d74e446aad20613479b48f701254b
SHA1 385b4b905ca0b66033995f1f0cd1915bdebfd9b5
SHA256 d610c9712a4db35aff92afe49fc17f76775e42abe9154af8304b938c06c451cd
SHA512 f30d436c981aaa72cb014b5e2c68cbb4f2537c6611706705a5efebf6357e0a94b56d948e3ab14f5dd34529227a19c9b9e60552b5bfd6445dcdbd6a35fa192b43

C:\Windows\SysWOW64\Kambcbhb.exe

MD5 c3551ad61d0158b6c8aa106dc0513dc1
SHA1 10bd1ebed0a6d6dcc095aaf5d90c12d319ca695e
SHA256 a1c32d716ce47238584efd4b16072601f179a2b0530da2b4a0b69b52ed09f309
SHA512 520d98afde5a742b653741918c014040330acf59144ed5fd09f5dbf9d13488a467b4200170313a1fe0e743e9e5f03156f0739ad1866a6c3b96613e1f03bbb828

C:\Windows\SysWOW64\Kidjdpie.exe

MD5 bb8889ecbac20895c7aaf1f06b89f5f0
SHA1 b591d5e837d9541c34d3a53ad05da7d25e66941e
SHA256 ff4b09ea99b5793e6ec2a6c2356965d5bb03cd46ae9343d3ede33b10ee31f3dd
SHA512 75ce89c4c48af608af785ea9527a23775a19514902edeb314cfde037eda0d20ea59b2b81a9b9203549cfd7679e681ceaf7d103fe2e56badbcda4e50e9f52b820

C:\Windows\SysWOW64\Klcgpkhh.exe

MD5 d08ef187917f5f0baf4eaf148998d7d8
SHA1 457679f4b99ab078fca5b3bf31a2ce09826d4b1b
SHA256 445fd0e32be4748e8240ef9c726746dbf92c313c381615633fc1fca98b0643f9
SHA512 c9cc60162d7011cbb73ea7841036dc4aa23639f6ac54e756da7617a4d11d6b03c4db3dbe5d00578a40259155cef4e7eb290f5de71320981eb0595c55f2f47d97

C:\Windows\SysWOW64\Kekkiq32.exe

MD5 70ea7a476f544090f56c569d84974b90
SHA1 783c4a51f653e56a2bc45fddab20045b5be69df8
SHA256 e6b4cab7b73eb8fe7ccda10d957fe79c88c1c9eea752cf80f89ce8ecb4941684
SHA512 1aad358bd3093c1e069e3c1f51d0c201eb39116f0772310f5359607ac2a0f5db6e18b3f1eccbeb5ec5fdda20bfb866aafe66c0b98c6e01715e31e49c2d0a96e3

C:\Windows\SysWOW64\Klecfkff.exe

MD5 aee9aa9eacf26c120456a22cf55480e4
SHA1 4a0ea4f9a0fa70e7c0580f29f00197285e8b43d9
SHA256 f1c4a1a608e969f84f96f7985450a66ed504ebf1f9a7e9263ccb8ecdf4da788d
SHA512 e6a4d62e4dc674cff1c2a6b51cf1ed79c13e42cc9a5e1734b3d87f202421fabe6bf2238019499bb18d92defeac45ca17c489da8ee93300512235ada237289da7

C:\Windows\SysWOW64\Kocpbfei.exe

MD5 f2e71056db0a24fea57aaa1d50a4f279
SHA1 7c393d056b075c1de0225aef7b54944cc06afc00
SHA256 ca03291ca550fb1eef621f4b86c27b1a194e275f3e65a4804eca26cc648653f9
SHA512 9411eb34b107d419c7de8bac27c58ce5e1b584b83738bea60e02c4dc9efc39271d265fdf31525f4cc2bbb806a9476040f77a80f6ee8f4c7d8a66066afa0272bf

C:\Windows\SysWOW64\Kmfpmc32.exe

MD5 7a35684555efd172f90357b884e00e83
SHA1 c5fc4bdfd974ee3f7dd383b4eec04657ff4e2ddd
SHA256 5fc96a07024b6d119149fc552519cd849ad5d824a2bbce9f27a247649c9b0b52
SHA512 181c19b28ec0f781ff57c89e5fa10c7e5d0eafdf75e793e823a46ddec4f103a41670504e22022b1634a456828005f7e9b564c518ba68315deaa30e63d04c6d00

C:\Windows\SysWOW64\Kenhopmf.exe

MD5 6beb89fa79a8f031f17c61a998352c62
SHA1 9d83e6350e9439aef949342f66f6d400be6d4b5b
SHA256 4437f09f26ee3971eca2a2aec72c926b787df92d0a39106379d81d0cc1164b3a
SHA512 f2e900212f67ebbc0b69db2b35128055bc1b465f0e97a66775f5770ca08bd6db1b3c011339f43fac942b3cad576578057b0816f00d52acda89015e95405c0209

C:\Windows\SysWOW64\Kdphjm32.exe

MD5 93ff544e1d9357bd9ac46a3fcae2944f
SHA1 4baf41746f498bdaa98032f65cfaa70e03ddc798
SHA256 50600dc8b3b884bd81617eee82f984e4922675f4a02696fbc86879eb1964b33c
SHA512 37d3c32aa46b9e12af6ba598d8fef928b4f73f01f207db96e09a52f60b9b9c28320df96ae31ea9140e4829b6eb923679a41d9b1d4ba7f615139d9f755ed5dc58

C:\Windows\SysWOW64\Kfodfh32.exe

MD5 c5ba1dcf241ef589892b63c2bd2295fb
SHA1 9be18a6cf75a7d24f46f2cd28e4e3b5629fe220b
SHA256 1f6341b3fcc6e6492c8b6053011e6f42bf5856a62339356eaab5e0ea9621b6bf
SHA512 b5f484c9461c3e113b13b677193c2c55feeefc274a4478c5b4c53b59a2fa5446575c0709e382f7d138f9a2cdf3a66337588ab86d7c9fdab257f805e5aee5b5ba

C:\Windows\SysWOW64\Khnapkjg.exe

MD5 76b7f52d73025f645e1da0a7cb1a2332
SHA1 7bc435c7702a8467d029a1ffe34f022a26b8567f
SHA256 b68ec825a04aedc5aae8cefb156de317d4e1ba11a2ef18f1ba884a889e8f0bc7
SHA512 0a2b0a5095a2ee0354805a74b3bfd77a1c07023b07dcdfc20dc1b4711b11ce4f48dd5b9eb7ba37a839b6e040a79b8364a901ed64bd13e6c6b34cfb1ece452b09

C:\Windows\SysWOW64\Kkmmlgik.exe

MD5 2e51cebd39d3a274d0003faaa8d26970
SHA1 e178f4e6622e170f7e38c9c5e5993d27bc84ef77
SHA256 91143a0f1df145a50364e3b3a32700865147209bb5df7cc6c0a83fd26f5e2b2f
SHA512 edf1dd7cc48270e3b5dee523d242bf6fa621067531af348183bbbf80a0321dcbb8d58049a45c6d58ec03b9ad3e9b20d150e416cc0022d901582a6f5ce653a941

C:\Windows\SysWOW64\Kipmhc32.exe

MD5 991360dfe27ddfaa6f0524890cf008ba
SHA1 5597fb393d75322f4aae3f3948dd6cf6da1d0c00
SHA256 1404c88ff75f8865137ea96361630bb81727af0f5fc79c97a51db9554adb858d
SHA512 a737fed13ddc184de9af66c0e2605fa979ecb994a759ccfdb5fa46ee323bfb32ac9923667b7db1b0f3d4baa08f5197a5e9580aafb256262447d21220126c2688

C:\Windows\SysWOW64\Kageia32.exe

MD5 d0a176cd44250705e6e4f9c23dec4cb6
SHA1 47172e3510ba5460d6d40d67ed5cf9debf634f3f
SHA256 d16015043f76d8a7ac482f95559530e58cf73b3b11873885a62b8335b8f0a176
SHA512 7a34a2be971815daea833e188c22ae4fb7456f623af23f3dc9c547618f7ff1a6b6f2e75f73f53139d5a9c1d8cbafb33bae2eab44f43e25fcc4c2a925f206232e

C:\Windows\SysWOW64\Kkojbf32.exe

MD5 0d4f9da9d8fef21eb7e8eeaa2fb9b57d
SHA1 f0428f62cc872fc1a709eb0800b7568cb1abb228
SHA256 4294df040eb9430bb9bb9e6048700b13eeb19c24f768e1e1050c6f63ca78bb8f
SHA512 e7dde762229b31003b470f1cf59f63376793b2a5e1dd599903de1d5fe48cc0699963ccedc68117802af1f7881d54d14f9287fcd51490cff5cff62494750655cb

C:\Windows\SysWOW64\Kbhbai32.exe

MD5 204e690cbacd6402f1d7f8de7c0d936d
SHA1 10fcc9ca03e57aa07eec603348de13dbe8bfe3fe
SHA256 6a93c4ca4b10675a19eab210f27be1fd42b1f6ea26164bf26d8835a5c6d481ff
SHA512 3e77c0c9f045960a8349dda2843421baf9c1bf08c67423adb43585dadb1ec074052d33adbc1f305b16099ca90fd69f20412a41c8dcbdd640b63c27cab9dc5a2a

C:\Windows\SysWOW64\Llpfjomf.exe

MD5 fa80894617d3b13d4295078f4c839b86
SHA1 3ea13a7cc370a96806ff83f0fc2161d39e9db884
SHA256 d165d385cddc89ca84343e6f5d4105977dd15ba9855bf6c00cfc67d8fcd93c87
SHA512 d6da77b33042bf358cfc1d39cf34e3803cbf4568cfd8d86a4807bff6884b9b639f30d9e8a5fb94835b5e05bcb1a77735fdd4f7e29e382b43284c1fb47dbd24f8

C:\Windows\SysWOW64\Ldgnklmi.exe

MD5 31314d2904bbbcc8c85b9b0514ec59ad
SHA1 cef7b54e5ebdddb1d87a377b080cf1e2e54de575
SHA256 00b011e35149384fffd22a1d0dd149e2be96e0a1e7c678ca571e6804add92b41
SHA512 cde133543170268eb05d14c74dcc12755dbded99de08b19a648d5f11683514b1fb273f3195db3bc7d5f2d46860eccac9e71307e8c05c0434020bdb7fe50aa5f3

C:\Windows\SysWOW64\Leikbd32.exe

MD5 e67bea745a7bbe201683e24b67f4f8a5
SHA1 7811fa9ec932de6139ab894bf0711ccbbbfdef15
SHA256 912cfa8507125dd9c33bab09e4b075dea785cd871f8c8db9b1d949d807f7639a
SHA512 7070b21fa8f77ac16497efc4e757ca875cfcdb7381371066a3d53300013b9f6d4dd6049480caf48c0e788e981f4d7729eee97e22d7e38d5c2c5dc129939caaed

C:\Windows\SysWOW64\Loaokjjg.exe

MD5 785dffe2799286f36fd94a01e7ebb67e
SHA1 737ed3a5e3c6b521bcd774a6821b46d2cd47f3d7
SHA256 7d2ed7d7b23a8d82a7a49c5ac31f17499051f7cc994b0bbc625ffb81950c7b00
SHA512 a3ebf18c425f73ae692b3740cda6c7848e591135ac53bf04214aa12a4ba2b3b3ef0a28547038d85b8755fc0335837b47cc205318e969c473db57f5334fe83eb3

C:\Windows\SysWOW64\Lghgmg32.exe

MD5 69a568beae992b1fc32acbffec2a5e15
SHA1 d4c4868fa823a8f64f7de9eff9f668772de622bf
SHA256 9db465bcf753653de7717284f0e4f835afefa6067045c874ae59792d99c13e98
SHA512 c42d692a5df9c333751eda86e276fc3468d611cdda99a25292c2c78740b864d7a476c46979ab76e245cfd8dceae734890f66b52c80a8bb97799d6cf076fbd890

C:\Windows\SysWOW64\Llepen32.exe

MD5 c3cac2c7df9d35385591e0827b675cc1
SHA1 f2cea8f1dc6816ce7d2afe9f52ef151de6139c30
SHA256 5cf0a6d97b0426e7dfbdad0537c915b8ff0769a7d6be1f4ad3bcebbdf76048a9
SHA512 7f5f009a7f7cce9124430a03bec1f998919b097018b065420844c61472996f64c5fc050b21612d006735684b8db9959fff54355a42220e3dabb2e1e59c518c06

C:\Windows\SysWOW64\Loclai32.exe

MD5 a42d2573c7ec3640d28a6019cc02d55d
SHA1 e0483b93d6909364fc15add6bebe12144498f501
SHA256 35c05ceddaf88463dcb194d69ac25ee0cf0fcf655a57941c43a8877c2e615a75
SHA512 a57bf705c8f93830f2fcd6030aa341651ba69510935ad737ec36f584047ed0baf14d4211a52cf5f04e99ad957b8cd100da4a9216ef70e62136c4253f592a1587

C:\Windows\SysWOW64\Lemdncoa.exe

MD5 977db335f9cd5ae794fee70d6e46d871
SHA1 0918f259b58b8e1631a4bb4611dec8de806ecd13
SHA256 2fd1ee503a76f414ae32628c769f6e739e2ef0a747fd93eb01aae7f3c9d4fb98
SHA512 612566e67c3f7339d5cef3c6a8680d3efb08da8316806a9b151e4333b3989698b938badcd1aeffae5bc0827f13312d4df85181bd38ea5581d440ad0471622fb4

C:\Windows\SysWOW64\Lkjmfjmi.exe

MD5 acf3baf714126adbd37e77240b71d077
SHA1 e061a0fbb0ee215bad8d244647ef0bf0c883bfc8
SHA256 1ad99bb61d47ec7d9c1da956af7e21bf1261e73902d18f69572b73b481a7d113
SHA512 518992eecf160860b913b9d07d66986694c98e9dd98388c5375f6ae8ce90c328517dd5fdf6cf0802b77c0c15cc0ed8e056e8a7a3e1251e6e84549482d7fe6a0b

C:\Windows\SysWOW64\Lcadghnk.exe

MD5 64b799d9778e2ed495ae702ac25d481f
SHA1 e52bbdbb308e776ec4e9dc3fe73d05e1c29ff87b
SHA256 3767d7ea28498d5a5235663989ba9bcce87d011e7f76d1a1b86ec6cd79b544c5
SHA512 9c83e6d6f30a921ee90a856056c3a4008c03ce1702d7065fe277e49bc018da79ab8cb1ed9abaca8eebee7fd9cbdd1d9af9e39df22cdb513d137147336065dfdc

C:\Windows\SysWOW64\Lepaccmo.exe

MD5 f75800a78b995de52e218b5704be315c
SHA1 899ddae9240454984536fed30d46673b9f18262b
SHA256 7329fb8789ee3bf6b774e3f4d21c3557d970edb625295c7b3474cc6cda5c0200
SHA512 91700da85ae6235f9935ad2c6340874102b5e6b94167876597646ddac4f7f8ef7aa5869b098cde8f63e6ecfb0a3f665d80f979a09cfe25664750860adea55f17

memory/1928-2075-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1212-2076-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2700-2074-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1324-2077-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1256-2086-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2896-2085-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2208-2084-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2592-2083-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2972-2082-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1656-2081-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2648-2079-0x00000000778B0000-0x00000000779CF000-memory.dmp

memory/2648-2080-0x00000000777B0000-0x00000000778AA000-memory.dmp

memory/2648-2078-0x0000000000400000-0x0000000000434000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 12:41

Reported

2024-11-11 12:43

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Anogiicl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cabfga32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qdbiedpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bchomn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddmaok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Beihma32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdcoim32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chagok32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmefhako.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bganhm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dopigd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dddhpjof.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qmkadgpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ddmaok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dogogcpo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dmjocp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Qdbiedpa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Amgapeea.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfknkg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Chagok32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfiafg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dejacond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bagflcje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cfmajipb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cabfga32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cdcoim32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dddhpjof.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qmkadgpo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cnkplejl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Calhnpgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dfiafg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cagobalc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dejacond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Delnin32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Anfmjhmd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dogogcpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Dmefhako.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Amgapeea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Bagflcje.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfmajipb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Cnkplejl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" C:\Windows\SysWOW64\Beihma32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cagobalc.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Qmkadgpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdbiedpa.exe N/A
N/A N/A C:\Windows\SysWOW64\Qddfkd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Anogiicl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
N/A N/A C:\Windows\SysWOW64\Amgapeea.exe N/A
N/A N/A C:\Windows\SysWOW64\Anfmjhmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Bagflcje.exe N/A
N/A N/A C:\Windows\SysWOW64\Bganhm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmngqdpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Bchomn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Beihma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cfmajipb.exe N/A
N/A N/A C:\Windows\SysWOW64\Cabfga32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdcoim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cagobalc.exe N/A
N/A N/A C:\Windows\SysWOW64\Chagok32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnkplejl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceehho32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cnnlaehj.exe N/A
N/A N/A C:\Windows\SysWOW64\Calhnpgn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddjejl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfiafg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dopigd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dejacond.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddmaok32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfknkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmefhako.exe N/A
N/A N/A C:\Windows\SysWOW64\Delnin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddonekbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfnjafap.exe N/A
N/A N/A C:\Windows\SysWOW64\Dodbbdbb.exe N/A
N/A N/A C:\Windows\SysWOW64\Daconoae.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddakjkqi.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfpgffpm.exe N/A
N/A N/A C:\Windows\SysWOW64\Dogogcpo.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmjocp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dddhpjof.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgbdlf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dknpmdfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmllipeg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Oammoc32.dll C:\Windows\SysWOW64\Dodbbdbb.exe N/A
File created C:\Windows\SysWOW64\Ddakjkqi.exe C:\Windows\SysWOW64\Daconoae.exe N/A
File created C:\Windows\SysWOW64\Kmdjdl32.dll C:\Windows\SysWOW64\Ddakjkqi.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmefhako.exe C:\Windows\SysWOW64\Dfknkg32.exe N/A
File created C:\Windows\SysWOW64\Bchomn32.exe C:\Windows\SysWOW64\Bmngqdpj.exe N/A
File opened for modification C:\Windows\SysWOW64\Chagok32.exe C:\Windows\SysWOW64\Cagobalc.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddakjkqi.exe C:\Windows\SysWOW64\Daconoae.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Dknpmdfc.exe N/A
File created C:\Windows\SysWOW64\Amgapeea.exe C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
File opened for modification C:\Windows\SysWOW64\Bchomn32.exe C:\Windows\SysWOW64\Bmngqdpj.exe N/A
File created C:\Windows\SysWOW64\Ceehho32.exe C:\Windows\SysWOW64\Cnkplejl.exe N/A
File created C:\Windows\SysWOW64\Kkmjgool.dll C:\Windows\SysWOW64\Ddjejl32.exe N/A
File opened for modification C:\Windows\SysWOW64\Delnin32.exe C:\Windows\SysWOW64\Dmefhako.exe N/A
File created C:\Windows\SysWOW64\Dddhpjof.exe C:\Windows\SysWOW64\Dmjocp32.exe N/A
File created C:\Windows\SysWOW64\Kgldjcmk.dll C:\Windows\SysWOW64\Qmkadgpo.exe N/A
File created C:\Windows\SysWOW64\Cabfga32.exe C:\Windows\SysWOW64\Cfmajipb.exe N/A
File created C:\Windows\SysWOW64\Ddmaok32.exe C:\Windows\SysWOW64\Dejacond.exe N/A
File created C:\Windows\SysWOW64\Dgbdlf32.exe C:\Windows\SysWOW64\Dddhpjof.exe N/A
File opened for modification C:\Windows\SysWOW64\Qdbiedpa.exe C:\Windows\SysWOW64\Qmkadgpo.exe N/A
File opened for modification C:\Windows\SysWOW64\Beihma32.exe C:\Windows\SysWOW64\Bchomn32.exe N/A
File created C:\Windows\SysWOW64\Cagobalc.exe C:\Windows\SysWOW64\Cdcoim32.exe N/A
File created C:\Windows\SysWOW64\Ljbncc32.dll C:\Windows\SysWOW64\Amgapeea.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnnlaehj.exe C:\Windows\SysWOW64\Ceehho32.exe N/A
File created C:\Windows\SysWOW64\Poahbe32.dll C:\Windows\SysWOW64\Ddonekbl.exe N/A
File created C:\Windows\SysWOW64\Dmjocp32.exe C:\Windows\SysWOW64\Dogogcpo.exe N/A
File created C:\Windows\SysWOW64\Gfghpl32.dll C:\Windows\SysWOW64\Dddhpjof.exe N/A
File created C:\Windows\SysWOW64\Mjpabk32.dll C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnkplejl.exe C:\Windows\SysWOW64\Chagok32.exe N/A
File created C:\Windows\SysWOW64\Kngpec32.dll C:\Windows\SysWOW64\Dknpmdfc.exe N/A
File opened for modification C:\Windows\SysWOW64\Amgapeea.exe C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
File opened for modification C:\Windows\SysWOW64\Bganhm32.exe C:\Windows\SysWOW64\Bagflcje.exe N/A
File created C:\Windows\SysWOW64\Ajfhnjhq.exe C:\Windows\SysWOW64\Anogiicl.exe N/A
File created C:\Windows\SysWOW64\Fnmnbf32.dll C:\Windows\SysWOW64\Dfnjafap.exe N/A
File created C:\Windows\SysWOW64\Delnin32.exe C:\Windows\SysWOW64\Dmefhako.exe N/A
File created C:\Windows\SysWOW64\Gmcfdb32.dll C:\Windows\SysWOW64\Dmefhako.exe N/A
File opened for modification C:\Windows\SysWOW64\Dknpmdfc.exe C:\Windows\SysWOW64\Dgbdlf32.exe N/A
File created C:\Windows\SysWOW64\Hjfgfh32.dll C:\Windows\SysWOW64\Qdbiedpa.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmngqdpj.exe C:\Windows\SysWOW64\Bganhm32.exe N/A
File created C:\Windows\SysWOW64\Nedmmlba.dll C:\Windows\SysWOW64\Cabfga32.exe N/A
File created C:\Windows\SysWOW64\Gifhkeje.dll C:\Windows\SysWOW64\Daconoae.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfpgffpm.exe C:\Windows\SysWOW64\Ddakjkqi.exe N/A
File created C:\Windows\SysWOW64\Qddfkd32.exe C:\Windows\SysWOW64\Qdbiedpa.exe N/A
File opened for modification C:\Windows\SysWOW64\Bagflcje.exe C:\Windows\SysWOW64\Anfmjhmd.exe N/A
File created C:\Windows\SysWOW64\Ndkqipob.dll C:\Windows\SysWOW64\Cfmajipb.exe N/A
File opened for modification C:\Windows\SysWOW64\Dejacond.exe C:\Windows\SysWOW64\Dopigd32.exe N/A
File created C:\Windows\SysWOW64\Dodbbdbb.exe C:\Windows\SysWOW64\Dfnjafap.exe N/A
File created C:\Windows\SysWOW64\Ickfifmb.dll C:\Windows\SysWOW64\Anogiicl.exe N/A
File created C:\Windows\SysWOW64\Cdcoim32.exe C:\Windows\SysWOW64\Cabfga32.exe N/A
File opened for modification C:\Windows\SysWOW64\Calhnpgn.exe C:\Windows\SysWOW64\Cnnlaehj.exe N/A
File created C:\Windows\SysWOW64\Qopkop32.dll C:\Windows\SysWOW64\Bagflcje.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddjejl32.exe C:\Windows\SysWOW64\Calhnpgn.exe N/A
File created C:\Windows\SysWOW64\Dfknkg32.exe C:\Windows\SysWOW64\Ddmaok32.exe N/A
File created C:\Windows\SysWOW64\Dogogcpo.exe C:\Windows\SysWOW64\Dfpgffpm.exe N/A
File opened for modification C:\Windows\SysWOW64\Dogogcpo.exe C:\Windows\SysWOW64\Dfpgffpm.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmjocp32.exe C:\Windows\SysWOW64\Dogogcpo.exe N/A
File created C:\Windows\SysWOW64\Ddjejl32.exe C:\Windows\SysWOW64\Calhnpgn.exe N/A
File opened for modification C:\Windows\SysWOW64\Dfiafg32.exe C:\Windows\SysWOW64\Ddjejl32.exe N/A
File created C:\Windows\SysWOW64\Dknpmdfc.exe C:\Windows\SysWOW64\Dgbdlf32.exe N/A
File created C:\Windows\SysWOW64\Naeheh32.dll C:\Windows\SysWOW64\Cnnlaehj.exe N/A
File created C:\Windows\SysWOW64\Dopigd32.exe C:\Windows\SysWOW64\Dfiafg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajfhnjhq.exe C:\Windows\SysWOW64\Anogiicl.exe N/A
File created C:\Windows\SysWOW64\Gblnkg32.dll C:\Windows\SysWOW64\Bchomn32.exe N/A
File created C:\Windows\SysWOW64\Echdno32.dll C:\Windows\SysWOW64\Cdcoim32.exe N/A
File created C:\Windows\SysWOW64\Hfanhp32.dll C:\Windows\SysWOW64\Calhnpgn.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bagflcje.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdbiedpa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cagobalc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bganhm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdcoim32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chagok32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dejacond.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Delnin32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anfmjhmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dopigd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddmaok32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfiafg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfmajipb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmefhako.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmllipeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qddfkd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amgapeea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beihma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cabfga32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfknkg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dogogcpo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anogiicl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bchomn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnkplejl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceehho32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Calhnpgn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddjejl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daconoae.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qmkadgpo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dddhpjof.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cagobalc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll" C:\Windows\SysWOW64\Qddfkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll" C:\Windows\SysWOW64\Bagflcje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bganhm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll" C:\Windows\SysWOW64\Cabfga32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll" C:\Windows\SysWOW64\Amgapeea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bagflcje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bchomn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll" C:\Windows\SysWOW64\Chagok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dopigd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Anogiicl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dfiafg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ddmaok32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dejacond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll" C:\Windows\SysWOW64\Ddmaok32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Anogiicl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Amgapeea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Anfmjhmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll" C:\Windows\SysWOW64\Anfmjhmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bagflcje.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dknpmdfc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dmefhako.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll" C:\Windows\SysWOW64\Dogogcpo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bganhm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll" C:\Windows\SysWOW64\Cfmajipb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll" C:\Windows\SysWOW64\Delnin32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dfnjafap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll" C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Amgapeea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Bchomn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dogogcpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll" C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll" C:\Windows\SysWOW64\Cdcoim32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Dfpgffpm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll" C:\Windows\SysWOW64\Qmkadgpo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chagok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll" C:\Windows\SysWOW64\Dfiafg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmefhako.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Cagobalc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll" C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll" C:\Windows\SysWOW64\Ddakjkqi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll" C:\Windows\SysWOW64\Cnkplejl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Calhnpgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dogogcpo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 C:\Windows\SysWOW64\Qddfkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll" C:\Windows\SysWOW64\Bchomn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Beihma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfmajipb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dddhpjof.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll" C:\Windows\SysWOW64\Dmefhako.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe C:\Windows\SysWOW64\Qmkadgpo.exe
PID 2156 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe C:\Windows\SysWOW64\Qmkadgpo.exe
PID 2156 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe C:\Windows\SysWOW64\Qmkadgpo.exe
PID 2184 wrote to memory of 4964 N/A C:\Windows\SysWOW64\Qmkadgpo.exe C:\Windows\SysWOW64\Qdbiedpa.exe
PID 2184 wrote to memory of 4964 N/A C:\Windows\SysWOW64\Qmkadgpo.exe C:\Windows\SysWOW64\Qdbiedpa.exe
PID 2184 wrote to memory of 4964 N/A C:\Windows\SysWOW64\Qmkadgpo.exe C:\Windows\SysWOW64\Qdbiedpa.exe
PID 4964 wrote to memory of 1088 N/A C:\Windows\SysWOW64\Qdbiedpa.exe C:\Windows\SysWOW64\Qddfkd32.exe
PID 4964 wrote to memory of 1088 N/A C:\Windows\SysWOW64\Qdbiedpa.exe C:\Windows\SysWOW64\Qddfkd32.exe
PID 4964 wrote to memory of 1088 N/A C:\Windows\SysWOW64\Qdbiedpa.exe C:\Windows\SysWOW64\Qddfkd32.exe
PID 1088 wrote to memory of 4556 N/A C:\Windows\SysWOW64\Qddfkd32.exe C:\Windows\SysWOW64\Anogiicl.exe
PID 1088 wrote to memory of 4556 N/A C:\Windows\SysWOW64\Qddfkd32.exe C:\Windows\SysWOW64\Anogiicl.exe
PID 1088 wrote to memory of 4556 N/A C:\Windows\SysWOW64\Qddfkd32.exe C:\Windows\SysWOW64\Anogiicl.exe
PID 4556 wrote to memory of 2028 N/A C:\Windows\SysWOW64\Anogiicl.exe C:\Windows\SysWOW64\Ajfhnjhq.exe
PID 4556 wrote to memory of 2028 N/A C:\Windows\SysWOW64\Anogiicl.exe C:\Windows\SysWOW64\Ajfhnjhq.exe
PID 4556 wrote to memory of 2028 N/A C:\Windows\SysWOW64\Anogiicl.exe C:\Windows\SysWOW64\Ajfhnjhq.exe
PID 2028 wrote to memory of 3036 N/A C:\Windows\SysWOW64\Ajfhnjhq.exe C:\Windows\SysWOW64\Amgapeea.exe
PID 2028 wrote to memory of 3036 N/A C:\Windows\SysWOW64\Ajfhnjhq.exe C:\Windows\SysWOW64\Amgapeea.exe
PID 2028 wrote to memory of 3036 N/A C:\Windows\SysWOW64\Ajfhnjhq.exe C:\Windows\SysWOW64\Amgapeea.exe
PID 3036 wrote to memory of 1952 N/A C:\Windows\SysWOW64\Amgapeea.exe C:\Windows\SysWOW64\Anfmjhmd.exe
PID 3036 wrote to memory of 1952 N/A C:\Windows\SysWOW64\Amgapeea.exe C:\Windows\SysWOW64\Anfmjhmd.exe
PID 3036 wrote to memory of 1952 N/A C:\Windows\SysWOW64\Amgapeea.exe C:\Windows\SysWOW64\Anfmjhmd.exe
PID 1952 wrote to memory of 4320 N/A C:\Windows\SysWOW64\Anfmjhmd.exe C:\Windows\SysWOW64\Bagflcje.exe
PID 1952 wrote to memory of 4320 N/A C:\Windows\SysWOW64\Anfmjhmd.exe C:\Windows\SysWOW64\Bagflcje.exe
PID 1952 wrote to memory of 4320 N/A C:\Windows\SysWOW64\Anfmjhmd.exe C:\Windows\SysWOW64\Bagflcje.exe
PID 4320 wrote to memory of 2208 N/A C:\Windows\SysWOW64\Bagflcje.exe C:\Windows\SysWOW64\Bganhm32.exe
PID 4320 wrote to memory of 2208 N/A C:\Windows\SysWOW64\Bagflcje.exe C:\Windows\SysWOW64\Bganhm32.exe
PID 4320 wrote to memory of 2208 N/A C:\Windows\SysWOW64\Bagflcje.exe C:\Windows\SysWOW64\Bganhm32.exe
PID 2208 wrote to memory of 3756 N/A C:\Windows\SysWOW64\Bganhm32.exe C:\Windows\SysWOW64\Bmngqdpj.exe
PID 2208 wrote to memory of 3756 N/A C:\Windows\SysWOW64\Bganhm32.exe C:\Windows\SysWOW64\Bmngqdpj.exe
PID 2208 wrote to memory of 3756 N/A C:\Windows\SysWOW64\Bganhm32.exe C:\Windows\SysWOW64\Bmngqdpj.exe
PID 3756 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Bmngqdpj.exe C:\Windows\SysWOW64\Bchomn32.exe
PID 3756 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Bmngqdpj.exe C:\Windows\SysWOW64\Bchomn32.exe
PID 3756 wrote to memory of 2008 N/A C:\Windows\SysWOW64\Bmngqdpj.exe C:\Windows\SysWOW64\Bchomn32.exe
PID 2008 wrote to memory of 3220 N/A C:\Windows\SysWOW64\Bchomn32.exe C:\Windows\SysWOW64\Beihma32.exe
PID 2008 wrote to memory of 3220 N/A C:\Windows\SysWOW64\Bchomn32.exe C:\Windows\SysWOW64\Beihma32.exe
PID 2008 wrote to memory of 3220 N/A C:\Windows\SysWOW64\Bchomn32.exe C:\Windows\SysWOW64\Beihma32.exe
PID 3220 wrote to memory of 3148 N/A C:\Windows\SysWOW64\Beihma32.exe C:\Windows\SysWOW64\Cfmajipb.exe
PID 3220 wrote to memory of 3148 N/A C:\Windows\SysWOW64\Beihma32.exe C:\Windows\SysWOW64\Cfmajipb.exe
PID 3220 wrote to memory of 3148 N/A C:\Windows\SysWOW64\Beihma32.exe C:\Windows\SysWOW64\Cfmajipb.exe
PID 3148 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Cfmajipb.exe C:\Windows\SysWOW64\Cabfga32.exe
PID 3148 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Cfmajipb.exe C:\Windows\SysWOW64\Cabfga32.exe
PID 3148 wrote to memory of 1960 N/A C:\Windows\SysWOW64\Cfmajipb.exe C:\Windows\SysWOW64\Cabfga32.exe
PID 1960 wrote to memory of 4444 N/A C:\Windows\SysWOW64\Cabfga32.exe C:\Windows\SysWOW64\Cdcoim32.exe
PID 1960 wrote to memory of 4444 N/A C:\Windows\SysWOW64\Cabfga32.exe C:\Windows\SysWOW64\Cdcoim32.exe
PID 1960 wrote to memory of 4444 N/A C:\Windows\SysWOW64\Cabfga32.exe C:\Windows\SysWOW64\Cdcoim32.exe
PID 4444 wrote to memory of 5032 N/A C:\Windows\SysWOW64\Cdcoim32.exe C:\Windows\SysWOW64\Cagobalc.exe
PID 4444 wrote to memory of 5032 N/A C:\Windows\SysWOW64\Cdcoim32.exe C:\Windows\SysWOW64\Cagobalc.exe
PID 4444 wrote to memory of 5032 N/A C:\Windows\SysWOW64\Cdcoim32.exe C:\Windows\SysWOW64\Cagobalc.exe
PID 5032 wrote to memory of 668 N/A C:\Windows\SysWOW64\Cagobalc.exe C:\Windows\SysWOW64\Chagok32.exe
PID 5032 wrote to memory of 668 N/A C:\Windows\SysWOW64\Cagobalc.exe C:\Windows\SysWOW64\Chagok32.exe
PID 5032 wrote to memory of 668 N/A C:\Windows\SysWOW64\Cagobalc.exe C:\Windows\SysWOW64\Chagok32.exe
PID 668 wrote to memory of 2376 N/A C:\Windows\SysWOW64\Chagok32.exe C:\Windows\SysWOW64\Cnkplejl.exe
PID 668 wrote to memory of 2376 N/A C:\Windows\SysWOW64\Chagok32.exe C:\Windows\SysWOW64\Cnkplejl.exe
PID 668 wrote to memory of 2376 N/A C:\Windows\SysWOW64\Chagok32.exe C:\Windows\SysWOW64\Cnkplejl.exe
PID 2376 wrote to memory of 5064 N/A C:\Windows\SysWOW64\Cnkplejl.exe C:\Windows\SysWOW64\Ceehho32.exe
PID 2376 wrote to memory of 5064 N/A C:\Windows\SysWOW64\Cnkplejl.exe C:\Windows\SysWOW64\Ceehho32.exe
PID 2376 wrote to memory of 5064 N/A C:\Windows\SysWOW64\Cnkplejl.exe C:\Windows\SysWOW64\Ceehho32.exe
PID 5064 wrote to memory of 1484 N/A C:\Windows\SysWOW64\Ceehho32.exe C:\Windows\SysWOW64\Cnnlaehj.exe
PID 5064 wrote to memory of 1484 N/A C:\Windows\SysWOW64\Ceehho32.exe C:\Windows\SysWOW64\Cnnlaehj.exe
PID 5064 wrote to memory of 1484 N/A C:\Windows\SysWOW64\Ceehho32.exe C:\Windows\SysWOW64\Cnnlaehj.exe
PID 1484 wrote to memory of 3172 N/A C:\Windows\SysWOW64\Cnnlaehj.exe C:\Windows\SysWOW64\Calhnpgn.exe
PID 1484 wrote to memory of 3172 N/A C:\Windows\SysWOW64\Cnnlaehj.exe C:\Windows\SysWOW64\Calhnpgn.exe
PID 1484 wrote to memory of 3172 N/A C:\Windows\SysWOW64\Cnnlaehj.exe C:\Windows\SysWOW64\Calhnpgn.exe
PID 3172 wrote to memory of 3228 N/A C:\Windows\SysWOW64\Calhnpgn.exe C:\Windows\SysWOW64\Ddjejl32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe

"C:\Users\Admin\AppData\Local\Temp\0b8a7b71512d4671d5c0390a5b13c8bc93dbde9ad3651845885d9dac5c7b278aN.exe"

C:\Windows\SysWOW64\Qmkadgpo.exe

C:\Windows\system32\Qmkadgpo.exe

C:\Windows\SysWOW64\Qdbiedpa.exe

C:\Windows\system32\Qdbiedpa.exe

C:\Windows\SysWOW64\Qddfkd32.exe

C:\Windows\system32\Qddfkd32.exe

C:\Windows\SysWOW64\Anogiicl.exe

C:\Windows\system32\Anogiicl.exe

C:\Windows\SysWOW64\Ajfhnjhq.exe

C:\Windows\system32\Ajfhnjhq.exe

C:\Windows\SysWOW64\Amgapeea.exe

C:\Windows\system32\Amgapeea.exe

C:\Windows\SysWOW64\Anfmjhmd.exe

C:\Windows\system32\Anfmjhmd.exe

C:\Windows\SysWOW64\Bagflcje.exe

C:\Windows\system32\Bagflcje.exe

C:\Windows\SysWOW64\Bganhm32.exe

C:\Windows\system32\Bganhm32.exe

C:\Windows\SysWOW64\Bmngqdpj.exe

C:\Windows\system32\Bmngqdpj.exe

C:\Windows\SysWOW64\Bchomn32.exe

C:\Windows\system32\Bchomn32.exe

C:\Windows\SysWOW64\Beihma32.exe

C:\Windows\system32\Beihma32.exe

C:\Windows\SysWOW64\Cfmajipb.exe

C:\Windows\system32\Cfmajipb.exe

C:\Windows\SysWOW64\Cabfga32.exe

C:\Windows\system32\Cabfga32.exe

C:\Windows\SysWOW64\Cdcoim32.exe

C:\Windows\system32\Cdcoim32.exe

C:\Windows\SysWOW64\Cagobalc.exe

C:\Windows\system32\Cagobalc.exe

C:\Windows\SysWOW64\Chagok32.exe

C:\Windows\system32\Chagok32.exe

C:\Windows\SysWOW64\Cnkplejl.exe

C:\Windows\system32\Cnkplejl.exe

C:\Windows\SysWOW64\Ceehho32.exe

C:\Windows\system32\Ceehho32.exe

C:\Windows\SysWOW64\Cnnlaehj.exe

C:\Windows\system32\Cnnlaehj.exe

C:\Windows\SysWOW64\Calhnpgn.exe

C:\Windows\system32\Calhnpgn.exe

C:\Windows\SysWOW64\Ddjejl32.exe

C:\Windows\system32\Ddjejl32.exe

C:\Windows\SysWOW64\Dfiafg32.exe

C:\Windows\system32\Dfiafg32.exe

C:\Windows\SysWOW64\Dopigd32.exe

C:\Windows\system32\Dopigd32.exe

C:\Windows\SysWOW64\Dejacond.exe

C:\Windows\system32\Dejacond.exe

C:\Windows\SysWOW64\Ddmaok32.exe

C:\Windows\system32\Ddmaok32.exe

C:\Windows\SysWOW64\Dfknkg32.exe

C:\Windows\system32\Dfknkg32.exe

C:\Windows\SysWOW64\Dmefhako.exe

C:\Windows\system32\Dmefhako.exe

C:\Windows\SysWOW64\Delnin32.exe

C:\Windows\system32\Delnin32.exe

C:\Windows\SysWOW64\Ddonekbl.exe

C:\Windows\system32\Ddonekbl.exe

C:\Windows\SysWOW64\Dfnjafap.exe

C:\Windows\system32\Dfnjafap.exe

C:\Windows\SysWOW64\Dodbbdbb.exe

C:\Windows\system32\Dodbbdbb.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Ddakjkqi.exe

C:\Windows\system32\Ddakjkqi.exe

C:\Windows\SysWOW64\Dfpgffpm.exe

C:\Windows\system32\Dfpgffpm.exe

C:\Windows\SysWOW64\Dogogcpo.exe

C:\Windows\system32\Dogogcpo.exe

C:\Windows\SysWOW64\Dmjocp32.exe

C:\Windows\system32\Dmjocp32.exe

C:\Windows\SysWOW64\Dddhpjof.exe

C:\Windows\system32\Dddhpjof.exe

C:\Windows\SysWOW64\Dgbdlf32.exe

C:\Windows\system32\Dgbdlf32.exe

C:\Windows\SysWOW64\Dknpmdfc.exe

C:\Windows\system32\Dknpmdfc.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3688 -ip 3688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 408

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/2156-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Qmkadgpo.exe

MD5 3746a78a02d0d3b5bfdf7039e77416c1
SHA1 2e762deedd01fc0338d402c8cd065a2ab5912cc2
SHA256 de1aa30585b20fcbcfca4e14f4df16fb173253dccf31ada086a77d8bdc43d90d
SHA512 161dda84f55116de79786e3218aace8158d919baae6cc75a95d9c8fa364fd52749a685faeaa8a75d666fdac5ce1c006dcd0021897d66ff7bae67b0cd5f5d1176

memory/2184-8-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Qdbiedpa.exe

MD5 30c087c5bd1dac59f7e5fe557779fd8f
SHA1 e97ca3578652a7e63203bdfe4c290c6c3ba7ce26
SHA256 50ed6f521396c255fae00d18b6ae99e67946388d5f5ee05a583d15b29b6829df
SHA512 f0a2a69ee73038181fee983033d32d4067aef3b77e13c5f3f1cb5d812c360d7a1def808079d3a373697300a37c92d4744f0623a52f1030e48cfd1235ba558433

memory/4964-20-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Qddfkd32.exe

MD5 80e0b2d02c6ed3c7a607600502d47e2b
SHA1 95f21ea3ba3322ba4a093131836f3626f56f4bc5
SHA256 b43cc94b7f560c2876ae9bcbd8064a80598261ac0ba33f787d9613691d2cf2b3
SHA512 014ec56effd1d2819b6266dbdf656bee6777dc70051147dfcc75fe6904d06818978e39a234488cb431b540d347f32f6671166b06e131daba1999a4cce33923d2

memory/1088-24-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Anogiicl.exe

MD5 95a1c50ee12bdcdc257ca46d5a01470f
SHA1 86bc5c8259d7edf781a0cd137a0199b2856ec42f
SHA256 38ffdf2af9849fdf7e57318af7e5a11c0008824d97579864ef2729e63f5c3082
SHA512 8f9b6487fb8ed28f48929ef0f4fcd581f6ce1729bb3232cd0638802eb96d91ba33d692187748f88c4386bf6eb423a28274e1ee044cbaabe79c34c31f2e7bb6ee

memory/4556-32-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ajfhnjhq.exe

MD5 e2161968a805d5c680eef8503828a0f0
SHA1 a76c49e27297dc544e1dc469bd0b8a89537c4c1c
SHA256 bc54da9ce0117229fef76525f00ad5a453af39c51cf10106bccd5ffb5cb3ea1a
SHA512 89ea901dba6a8b034373c94917012760a4af924b7f8956f2aefa80e578fc8e24d1dcbbc515174f13dcd5946139f451a3e2afe0bc36123e56cfc9214af144c5e5

C:\Windows\SysWOW64\Ickfifmb.dll

MD5 59112989b79917bca07cf351c29925e7
SHA1 939249591a6aeb786454604327d63e4e287c86b8
SHA256 75b717be6b9a9e9afef9393d03c6597ac14f52ce60b3c213d750e4f452edb81d
SHA512 499a4955f758d96ed6f7e691589056ba3be8f0308d277264e96c154d376b99eaede3d4f55f671ec70827854e5ce2e768c293b5d46895f412f245ddbfc1d8ee71

memory/2028-39-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Amgapeea.exe

MD5 0ad6beea2c5e4dca6b7a249bc5ae7deb
SHA1 7a109683a8fb948bb9e6cfed30e7555e4dfac67f
SHA256 f4886cb1c078f45c421d7976271d21d79fdca49242d9d9eecdf7f34b8051721b
SHA512 2f5b1d8f4bdd16562d57dfda60e8716105d66374d40009d6dbee626d9bb52aa9122ec5f45d9776d1136d5847dd91265fbeedd409b2ac3ca75d2162165db77a3f

memory/3036-47-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Anfmjhmd.exe

MD5 1c2ec32766b21d6ed40376734af0367e
SHA1 51e1cbe387d6d52cdebed9ad822848ab90de8e3e
SHA256 6f2441e4c90b1577b199da94ffceb8bee536529268a59df2d519625251a2d9f3
SHA512 9ac6e650b6880ff1d057d3e87019811b67d3d9d5cf6be09623dd6d252ac28f66ab6c819ba4118c06c94c9575af0129661fed68202f018d630657c1cc46b37583

memory/1952-55-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bagflcje.exe

MD5 d405ee796bd09be6687a6ab8135c025f
SHA1 e69805e4069ce35145669ddf183a793f0bb1048e
SHA256 61bec1dff509a92869127206a2489272ee7bff06b804c22f8bfc27e8fe1dcc9d
SHA512 81cd6db66d462d8ccfe4c71aca2d978340f4d5c77959c2ccfd650b3d2dd0cb05790224d9c7e1d2a503ba3e47551b2d89b99a60603e8c539ca9b8b13ba9e8c47d

memory/4320-63-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bganhm32.exe

MD5 6d9f98f753dbd2007be3d0a0e41c63ac
SHA1 7442d8d6a7cd2c61c5bbd1a4cb2fe8ddd8ee70d9
SHA256 18fd56c428ba152d1dcb9a9c5d192a2c41ec169b5f070eb38065863bedbae247
SHA512 434340d7a387a524be85bdffa2eeceed2ac33b6ef113f3141b13f4c2cf986964ce6c70bd661b2fb0aca65cd7da8d954069d8b24b343cf7e73fe5d862b633b3d9

memory/2208-72-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bmngqdpj.exe

MD5 8b6c0d11c951ab77d4efb1d62a14829c
SHA1 c767429b6a0dc2d1a3f2775e6e1df45aab83e8a0
SHA256 d8bad3d3f6be876f1cdc09624223ec267baea9e43d1f3e1eb7137cec92d042cc
SHA512 5b663387466bfed9ed7beecb9440b55e7e1b7738ba6d94d7bec035a9e401f782d6da8ffae883bda64683708528ebe5d429ab141354b353b1f045dec04b63c0a9

memory/3756-80-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2008-88-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Bchomn32.exe

MD5 0e2b747da7e35e4eb8d03c6400c2dba5
SHA1 22dedcb1605646b95905b9ab5ae26a07bdf12c5d
SHA256 366f249848742c56e7472bcad94d7a51a3966b5ffba1cea4fe55f453b80b4ff7
SHA512 be3249427333e72522ded159905bfee522855c1e8f2900915fbff1a0889eddc21ec966e6b58abd8d4cba52570365c3d890e5545abc10a6ef03d16b112fe98d60

C:\Windows\SysWOW64\Beihma32.exe

MD5 37b6d687e7e12bfed059d04de5918eb9
SHA1 c770b303cbc689c9d4f3f65a0e436517b273d53a
SHA256 3c6db13e338fe4feac05a8fbe35e61bd91745f8662d6d2257ec6f7830bc90c6b
SHA512 4706a34976fbd3b79df60936d0de414a80f6c5a63af3ef6ab94e45d8c5f8c263c9d8afa20b59aae5f1e451597a8daeed9e8eac3571ed0b33e49edd11f748c1c0

memory/3220-96-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Cfmajipb.exe

MD5 7da4491c1125d428471b4be0a416e2fc
SHA1 cfbaa19065c6bfff109dbde408deb1e28320c1e7
SHA256 9519e2508059d04843dcadd81e30528ca4c8e7dd8dddeb80bd2c8b27ba08c29a
SHA512 690ea207aa13d10eb78e52162cea0434499fa0e2de326a2894854c435cf454199b965a94fbdd331f71b5e37721c01631d551a330f0215eaa1abd70f88227c31e

memory/3148-103-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Cabfga32.exe

MD5 041a5b2d537089a3cd948c2a959a36b3
SHA1 51a4db5808ebcdb47a9f5891f50e125793347ce7
SHA256 fd0f23fbff1bcc1c98d4257c9248487fbc84009bb01d86a112bdf3041d8def50
SHA512 11fd69ca5be2f30c17a0b1e4526f02603459456f1909beb3455f02dfe48d03f34252f5603493715bfb7b537daa89cb3c03177ffe48ed566354e12ab5e011f1c5

memory/1960-112-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Cdcoim32.exe

MD5 f19ab431eadde60004e6c27bed47209c
SHA1 ef1ebfb12da03bef4ce8b0610b1b15acf6eabb06
SHA256 2e7946cb18fe56582d3d1e845c95abea27d2385a7e2885fa25d8434e5d38425e
SHA512 4fc0cbb70aaddb350d19d116b1f82dbc108b8b418492a52329951cbe9cac4ca7452dcd82069248972d46c71f0e9ee65fd1973c1098f91456ed0bc202fe8888e6

memory/4444-119-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Cagobalc.exe

MD5 3bb98c579f48e97de27bcfb703bbdaa8
SHA1 8947f2588283c73ec97a9ab8152914cfe065ac75
SHA256 6d4ce83c581e0118b9d2e2087ceecc98fa2ce86d3203acd797329194a93f5b59
SHA512 3df9db06f735b63ad6c5dcf00080d6a0dec05a8676b4d1dd3ada585992a6d8b3fb63bea4b904e8cf85059f128032e6d8a0fe7ea490ead515ffbd4a6643961693

memory/5032-128-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Chagok32.exe

MD5 7f712f840043892b6922ca844d5e2268
SHA1 7aaa7210901f5434ac595ea2ffddde3df9f9f202
SHA256 648f99e51b76d66ef797acff6456d14ef2cb3b2f10acf2d4259a46d1975a9f37
SHA512 4a9cab461f26cc47b0cb653bcd0c19183d7bd79fff6ba5697b48d24725c7d16af3beeb523b0bd43cdce1815c1b090fe0b99303e457c61a45cb0fc7ce75dc9f82

C:\Windows\SysWOW64\Cnkplejl.exe

MD5 f6b7dde3ec5822e0cfdb87d94142bb64
SHA1 98559d7c0afd6c15d4d773bd964024ffeded840a
SHA256 8b2b0b368a411e38b55f85c82a1084ce4be40d72a874ff002afbbd16588689fa
SHA512 4e62564abbf9951115e0bd4eec3c15d2555b8dac0c071e34d04330376c1f849c068ec9243a91e5b9909b48188f492bc79d76583ab0b96ffd6f65cfa809018070

memory/2376-148-0x0000000000400000-0x0000000000434000-memory.dmp

memory/668-144-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5064-152-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Cnnlaehj.exe

MD5 fbf3e1790c51b518c6ddb15ff7cb1689
SHA1 f6dbfc581ea678026951b094ddf7f60d8735d529
SHA256 0d7907c0b1745d8953213ed40aae6b4682fecf29b93429be8b31c330babcae09
SHA512 2072adc8c87334124e9cb2552dd67f62b344dd6760b659735d793710e98dcfcb945b0c16584fa16128ad5b4f468f98504e412dc7fe2dd2850a5b8efd06dc74e5

memory/3172-172-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Dfiafg32.exe

MD5 ad026feb0c6524dc0888d335b40ca2e9
SHA1 c52dbc06531e7f0d3e0669757036dc59940f4e8f
SHA256 5cdbe87f4041522faed5300c1d1df7b7c773f9ee8622de07a1994215d1bd9915
SHA512 ef667a384fd431853c023e5fe2439b835894d9595bf7b14c931501998d961eee18f8bdba63c273b61eba3ee865aa11695e12435d8cfb7b7c7144ff3482f6cd4e

C:\Windows\SysWOW64\Dopigd32.exe

MD5 4f2edd0365f3fe58e635c2ec02759963
SHA1 780cb8237d1c41b71dbbf3e4b1c2ba8909d3c075
SHA256 859ff66ed17b79d2efa2082d2cdc517cc0f9ea87ff1430089f43cfe662191a23
SHA512 25ba1a2d82a9c0045bb1dfbb0e6575ed8178ed1865247edcedb23a745477865d0742f817a702dad7af7b79db5dda005bc50739dcdfda0265c90fd207933cb42c

C:\Windows\SysWOW64\Ddmaok32.exe

MD5 f4ced4842d103f099f45f8d23d743374
SHA1 46678a9388cf8961a72571d8a5b5a43ec4ff6a04
SHA256 a87a4b41c4144c4340dfafe5801cb618d9d4747b1d31334771cb9c77716e1559
SHA512 8649c12dc90e7f26234a7c867d402de8f8d07fabbf52d9f670285022839065e3f939acc82f38ec765e4b5cfafeae70bbe547e4ceb8e164b3e7169da937ebb81a

C:\Windows\SysWOW64\Dfnjafap.exe

MD5 c52c3b6958c699c4de31203ea5ec33f5
SHA1 3514b8a6bf71e044db0df3faf9c011bedeef509f
SHA256 78ee2bf729724b601f8f74a98e28a4a867483e60039924e9f1e5d885ca3e7138
SHA512 df0b6d559d6b5a496bf1d5bf28ffc9bd5ea1ea7c878500821ba7300915ba6ab86b6b9c8d90c18aef98dd3951bb1526cd64940c95828f6554d48c46a5255555e3

memory/1072-303-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3688-310-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4804-309-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2952-297-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2884-291-0x0000000000400000-0x0000000000434000-memory.dmp

memory/68-285-0x0000000000400000-0x0000000000434000-memory.dmp

memory/100-279-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2620-273-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2284-267-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2960-261-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Dodbbdbb.exe

MD5 121b02f3baf5bb13e760a6790df208ae
SHA1 ae5b19b1c0e35ad0f5823f1a1c77098a7385a708
SHA256 de43e68db234566d6efe71318cc376c91c455f8783d7abc1824fd924160968b8
SHA512 5cdaa836506cd60ce6990dee96435414b51ce3bdb97c5caf34ab38599a58375150f763930ebdfb6d6b39aacb2ffeaeda6bf1f035441b0a49b790cf6d069e9c52

memory/4980-252-0x0000000000400000-0x0000000000434000-memory.dmp

memory/216-245-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ddonekbl.exe

MD5 c75b9f83287b973ce3271e4689e3bf1a
SHA1 5653bf4eeaba7ca004da1da32f25602c955379c6
SHA256 04ef7e06865cb96c728502c6255770fabe91c9f77deca02331dbc503b3b69640
SHA512 8bfb46bb7f66412140c927178853b1e15af9d78ad3e59ad3b8841658112a53119bec753de9a5381b5682438e57b5b3d077090cc6223a11ea9fdecb9b65d06529

memory/4448-237-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Delnin32.exe

MD5 389cbebfb4d413c2be3b89f0cd4cf270
SHA1 018d232353a6c3ab91373a2d35147750b714106e
SHA256 f83ab0ebdb544e7113d4c94ceb9fe168468706e0ef7a8056f612a36a07253ae2
SHA512 19bcc54b2b37cc8dac9639da71d6805ba80c3485cf473b66572fc40327ede0324343e5929c4c6c44728e80a3729cbe9542ac7eab03a4cf0ab7db76c7a296c76b

memory/5008-229-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Dmefhako.exe

MD5 9b84931c31089430a488c574697068f0
SHA1 ae352f1fb63e8e0547c6504074d2a9ddf677f6db
SHA256 a5384f4b4445cabf8f691d06816d03ba02342c9d4870942c43b7c3612bed2ac0
SHA512 113ff629baf642964c08ef9f852fb59fb88b7a30fe3ca77bac4c07c2eed7c8b4fda6e2f63c2b8074369df36fcee7ed80f5957734be2f3763e936a7e7225306f2

memory/4460-221-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Dfknkg32.exe

MD5 42a180cff27f1abb6df717e94ef9390a
SHA1 2a44c75a7b071d1c019955361072370172731584
SHA256 71c5084392fedfd25b41eb75a02b980322834f9113de97a4e29194ed6d8dd893
SHA512 22d54404e8315ca6b3923dacd1a79de8ab3c059683009699daf119b6ef884008c2886f0bf9142c9a4f7ce36a5b770f8d08e1fdbf290691f6b9cc4d790234311a

memory/2476-213-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4576-204-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Dejacond.exe

MD5 4d3c1cbcc39bf4800e671ff7fdde839f
SHA1 09631db994d41e930e20871cd245c8def78d2ebf
SHA256 5f97d5b674a419b4b36042ad82bd17a36fca3270117023ec96671a975f32126a
SHA512 95e74e69e4705df92ab8b746da94128e4486da6321bfdf1cce9405487cfe4a8a88fba825e980c7127d7231de263bbe2c6f0579b372b6dfa3995434c429823e0f

memory/1692-197-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2760-188-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3228-180-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ddjejl32.exe

MD5 7c56299054d45f842850d7d911cc4735
SHA1 f5b9663a541732de4dd672fea854eeb784be0fe0
SHA256 3982f4e938efa90fcd3462d26e4604d4a9669bdddb9aa276692db415d33d728f
SHA512 e95a5792b520e3fc5d377753f8f4c8ca7697a5b52d7a3ebec52f5e9b3fe8c665aef964a36b1b90468101bc21f93b384b86fbfa67fa83aa1100ffff159df18f8f

C:\Windows\SysWOW64\Calhnpgn.exe

MD5 7aa0e547fdbb02ea191f41fde0130e69
SHA1 17e9635725db793e35adfcfa569c5727c900fbea
SHA256 feae5aa44c25d03c04db2a8055eb3f757c9e135aee94b1fa3bc09573b782f029
SHA512 72a363eaadb0ce6ef8d959583801f813f5a57f127d388bc9af039fa29d0d89eba6827e26aa1aeb12315f73abad89c776c1292da8dcc6597bf6d0d3e57b8f9eda

memory/1484-164-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\Ceehho32.exe

MD5 cec1b665994e7569f1a9a05e546c057e
SHA1 c5ffc51fb2ed9b115ab9a07e7e9b1c23c3e339ae
SHA256 98669be679caffc3e7ea02c9b30972599301e6db4967c6bac2b4bf551c43912f
SHA512 9ec4f551a8792769a2e16f756ca24c2f1475a18e9f67935e3feb95399b4ca23e07faffa628574f4bdd2b659f45bcfbb5b577118d04a8f20199c37b2c43d87115

memory/5064-335-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2376-336-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3148-345-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3220-347-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2208-353-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4320-355-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3036-359-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2184-368-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2156-370-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1088-365-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4556-363-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2028-361-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1952-357-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3756-351-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2008-349-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4444-343-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1960-342-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5032-339-0x0000000000400000-0x0000000000434000-memory.dmp