Malware Analysis Report

2025-08-11 08:19

Sample ID: 241112-nzhvlsvnfm
Target: cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN
SHA256: cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16d
Tags: berbew, backdoor, discovery, persistence
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Berbew family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 11:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 11:49

Reported

2024-11-12 11:52

Platform

win7-20240708-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Lepaccmo.exe

System Location Discovery: System Language Discovery

discovery

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piaoqi32.dll" C:\Windows\SysWOW64\Gpggei32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ghbljk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Iamfdo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ieibdnnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaamhelq.dll" C:\Windows\SysWOW64\Loaokjjg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmblbf32.dll" C:\Windows\SysWOW64\Fkcilc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdgoqijf.dll" C:\Windows\SysWOW64\Gkcekfad.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbnjifp.dll" C:\Windows\SysWOW64\Gkgoff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npneccok.dll" C:\Windows\SysWOW64\Iknafhjb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ieibdnnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jmfcop32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Apppkekc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bhdhefpc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Eojlbb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fkhbgbkc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodnd32.dll" C:\Windows\SysWOW64\Jhenjmbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gkgoff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll" C:\Windows\SysWOW64\Kocpbfei.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Liipnb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lofifi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cmmcpi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkddco32.dll" C:\Windows\SysWOW64\Ikqnlh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbclgf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kkojbf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnjlmid.dll" C:\Windows\SysWOW64\Difqji32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fihfnp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ibhicbao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbngc32.dll" C:\Windows\SysWOW64\Iamfdo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fmdbnnlj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faibdo32.dll" C:\Windows\SysWOW64\Hjohmbpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqdekgib.dll" C:\Windows\SysWOW64\Djjjga32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qobmnf32.dll" C:\Windows\SysWOW64\Famaimfe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gecpnp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cfehhn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Hcgmfgfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllmckbg.dll" C:\Windows\SysWOW64\Hifbdnbi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leghmkmk.dll" C:\Windows\SysWOW64\Dblhmoio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bieepc32.dll" C:\Windows\SysWOW64\Eakhdj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffadkgnl.dll" C:\Windows\SysWOW64\Ghbljk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ghbljk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kocpbfei.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Llbconkd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dmkcil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmeekj.dll" C:\Windows\SysWOW64\Deakjjbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkpeem32.dll" C:\Windows\SysWOW64\Glbaei32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcepfhka.dll" C:\Windows\SysWOW64\Hcgmfgfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll" C:\Windows\SysWOW64\Kekkiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bkpglbaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fakdcnhh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknbhi32.dll" C:\Windows\SysWOW64\Jbclgf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jpgmpk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cqfbjhgf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kdphjm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hqkmplen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgngaoal.dll" C:\Windows\SysWOW64\Jjfkmdlg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Flnlkgjq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkhdaei.dll" C:\Windows\SysWOW64\Gecpnp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ikgkei32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lmmfnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Famaimfe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odiaql32.dll" C:\Windows\SysWOW64\Hqiqjlga.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hclfag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmiflpof.dll" C:\Windows\SysWOW64\Hjfnnajl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kmkihbho.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe C:\Windows\SysWOW64\Apppkekc.exe
PID 1768 wrote to memory of 2724 N/A C:\Windows\SysWOW64\Apppkekc.exe C:\Windows\SysWOW64\Afliclij.exe
PID 2724 wrote to memory of 2804 N/A C:\Windows\SysWOW64\Afliclij.exe C:\Windows\SysWOW64\Bcpimq32.exe
PID 2804 wrote to memory of 2940 N/A C:\Windows\SysWOW64\Bcpimq32.exe C:\Windows\SysWOW64\Bjjaikoa.exe
PID 2940 wrote to memory of 1064 N/A C:\Windows\SysWOW64\Bjjaikoa.exe C:\Windows\SysWOW64\Bhonjg32.exe
PID 1064 wrote to memory of 2640 N/A C:\Windows\SysWOW64\Bhonjg32.exe C:\Windows\SysWOW64\Boifga32.exe
PID 2640 wrote to memory of 264 N/A C:\Windows\SysWOW64\Boifga32.exe C:\Windows\SysWOW64\Bfcodkcb.exe
PID 264 wrote to memory of 2708 N/A C:\Windows\SysWOW64\Bfcodkcb.exe C:\Windows\SysWOW64\Bkpglbaj.exe
PID 2708 wrote to memory of 2788 N/A C:\Windows\SysWOW64\Bkpglbaj.exe C:\Windows\SysWOW64\Bqmpdioa.exe
PID 2788 wrote to memory of 1192 N/A C:\Windows\SysWOW64\Bqmpdioa.exe C:\Windows\SysWOW64\Bhdhefpc.exe
PID 1192 wrote to memory of 1948 N/A C:\Windows\SysWOW64\Bhdhefpc.exe C:\Windows\SysWOW64\Bnapnm32.exe
PID 1948 wrote to memory of 1672 N/A C:\Windows\SysWOW64\Bnapnm32.exe C:\Windows\SysWOW64\Bdkhjgeh.exe
PID 1672 wrote to memory of 1744 N/A C:\Windows\SysWOW64\Bdkhjgeh.exe C:\Windows\SysWOW64\Cjhabndo.exe
PID 1744 wrote to memory of 2176 N/A C:\Windows\SysWOW64\Cjhabndo.exe C:\Windows\SysWOW64\Cdmepgce.exe
PID 2176 wrote to memory of 2184 N/A C:\Windows\SysWOW64\Cdmepgce.exe C:\Windows\SysWOW64\Cnejim32.exe
PID 2184 wrote to memory of 1056 N/A C:\Windows\SysWOW64\Cnejim32.exe C:\Windows\SysWOW64\Cogfqe32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe

"C:\Users\Admin\AppData\Local\Temp\cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 140

Network

N/A

Files

\Windows\SysWOW64\Bqmpdioa.exe

MD5 7d3efcaaf4a4d6df39b2670028101ce0
SHA1 ad7cb2844950a033bc12ee7632a36470259c1d93
SHA256 d2772c9ae2e14f568b76cc5aac9da40f44abce59d0b397cf5e6008a5e18dc3aa
SHA512 f5e00532a6613774255f04a64662439c2632bb23416cda1339c3e0ef569182065765c32ff7612b0aa2e235a7c2ae7cf142162836cdcfe63369bd90c44d9e6dee

memory/2708-115-0x0000000000250000-0x000000000028F000-memory.dmp

\Windows\SysWOW64\Bhdhefpc.exe

MD5 248521d088221ccedc9edfbee2d15e7d
SHA1 8ba4b7057f5a94e246f8ca96caa129ad0889cfbf
SHA256 c0e6696f7814c13e7762d9018fa2f0fe264cd663e65a1369dbe8756f19056e0f
SHA512 f67b9261dffc8fae237edba9fd0b2dec16925894712f12b082a9a5a1c29cddca5ecc4b3b95ae92c00c3dbc9ee8abc8a6d952657bfd6790d766c1a93929467fe2

memory/1192-133-0x0000000000400000-0x000000000043F000-memory.dmp

\Windows\SysWOW64\Bnapnm32.exe

MD5 1cc819ec3e1cd4067728046d65d7ebfb
SHA1 22c1a5c05c33df3f8006f3ca02aa44302a31c818
SHA256 9a31f3c2ad969f978ee47239bb88f23289c252ed85773e5e156afd5355df81e6
SHA512 366b1ebac6063f88d0afd5e77a94d23135aa89bec1a839c49b3d891b4258e18781c94d720e577e061282085889fd9e5c23823618d97eed175e655b69dc00cd34

memory/1948-146-0x0000000000400000-0x000000000043F000-memory.dmp

\Windows\SysWOW64\Bdkhjgeh.exe

MD5 41e919c396fde296cc255e614d40fa69
SHA1 d1e040da17fe4112847453eb7251778f27d8ba8a
SHA256 27675237c94f8a7a0e86301bbd950db2fd8b67f295507d0963a46ad1c54b9886
SHA512 de40c2a2604bfc5f0d034b4530e22eb5c9f3fc8ad602aba84667d8f2175e49bb0d5cdc484be61655a093c6548f473df5d81f5ee6fbfd2cc2a201ae04fcbd3365

memory/1672-159-0x0000000000400000-0x000000000043F000-memory.dmp

\Windows\SysWOW64\Cjhabndo.exe

MD5 5c1e90614bba57a7817863264501d699
SHA1 56b57f7e233cebbc95a022fbed0faacb71d17253
SHA256 b817889343d6a6856ec609a2031cf14eee7602b3ea5a83b7e738b2f7ce9515ce
SHA512 290f0472923e9ec98c21b36b3713d0a0fbc97890322dc6400b236848c8cad571738e28f2fa7583ee69865a247f8ce1d0c235e47176a31fdf630b3bc31a9f0804

memory/1672-167-0x0000000000250000-0x000000000028F000-memory.dmp

memory/1744-173-0x0000000000400000-0x000000000043F000-memory.dmp

\Windows\SysWOW64\Cdmepgce.exe

MD5 9e9a8973eb8bb5dcee6d892fb2ccdf6b
SHA1 26ed31c5301705f3845e04f5bb9b5422971ec31c
SHA256 996ab65dd5a81f43edbf16d487e4ede86119afa81db310db383d0bf75078cbed
SHA512 fdcd81af817617c33c983ad708529ec128df01cb5c9a21294d7f3014c85e2c9e2019e6292f942f28a28b609f32d111d73c0beba222d68bbcc093093d641b6d44

memory/2176-187-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1744-185-0x0000000000250000-0x000000000028F000-memory.dmp

\Windows\SysWOW64\Cnejim32.exe

MD5 07a1e8c6cc9160a7ae1b8b14620140b9
SHA1 355321b3f94d26e130d9cb7e0aeca87041869361
SHA256 def8bad133197491cd44269c9dfe4963c30c724c68a296f5964aef6ac22cc45a
SHA512 ba7c48da4a8cca627c8b999d09d4ed1c1586fe24464b2c033b2a2ab5b5e322b3e65084d7d2b2319dbc9353f71ac392887673c19f309793254a61cf27ae438088

memory/2176-195-0x0000000000260000-0x000000000029F000-memory.dmp

memory/2184-201-0x0000000000400000-0x000000000043F000-memory.dmp

\Windows\SysWOW64\Cogfqe32.exe

MD5 2f9ced79d275e6060659b06b1fdf9e69
SHA1 18b523a37e09005e2fe4b0d2a745e65a2d99020a
SHA256 4b72ecde3423ac5654d82025e5fa31f1299e18e671983adfa6528ed79fcfdabc
SHA512 fe068f7f7a42de69460bd3ae2fd3acbf208e2e13bf4a71bf7a5e3739cca1390972a1571bbc93b1fdcbae5d02c8a4a0b5ef2e47bc27ad5944758f2fb88ba96525

memory/2184-209-0x0000000000250000-0x000000000028F000-memory.dmp

memory/1056-215-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Cjljnn32.exe

MD5 649cf93908eefdd26bb18a848088e588
SHA1 5b96e29e6a9c103033c126eec3d42302ec54d555
SHA256 af56745ee8c347dd42c6fa4c928ba518d872c165ac7f9edcc8d676c15b87a325
SHA512 05871585d4efd0245cfa1336071b008bff840c8707c6ebbb7a302fb7e3aaabb2649d1bfc735102581abf14e869ede540128631a6d3c39e55d24ab30754f6219e

memory/1056-225-0x0000000000300000-0x000000000033F000-memory.dmp

memory/884-226-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Cqfbjhgf.exe

MD5 e260d2c396291ec1fa26e205dbd47234
SHA1 b9f4e870ffef26d434a8cba9916d267d1e86af6c
SHA256 abf50af18d0620c7539d35b630e63c0220f9221697384ef154328fbed4637fe0
SHA512 aa7d579b551ce8bb60e85c34485dcb0119c89da57dcfd13163684c308d3d6b880b51037e1b6e360590706e2e3cf7b4625d7b232235bb55a60114dab3562ee60a

memory/1832-238-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Cfckcoen.exe

MD5 672faff2e8f34d4f7ea30a773c37a9e4
SHA1 f776e19c9fadeec5e68ab3380e43cd89f494b9a0
SHA256 35f703492f9c05bd9b0faf0e3c4b723ec1b7d85b111f56ac5fbfea1a2e63a5fb
SHA512 4ad51f6c897283be36b252b57ec36001f25b9c203d357e9579fc43c4889c0d270993b888a6280eda7ade258f386010bce0f941a02dd89d1f82e55dfdb37fb237

memory/1832-244-0x00000000002E0000-0x000000000031F000-memory.dmp

memory/776-249-0x0000000000400000-0x000000000043F000-memory.dmp

memory/776-251-0x0000000000250000-0x000000000028F000-memory.dmp

memory/776-255-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Cmmcpi32.exe

MD5 61d05e6fb9763ec401723803c53160a8
SHA1 56ef90ee172328938e7008c6b371c28dc5015061
SHA256 d617653ecd2d225f01510b684c797d60cd058ef920c913a218122c8e345508f9
SHA512 1583dd6d90c6fd8ba1f494c114aba620f065809847ecfaf9335009329c8b27e7158de14bf6ea1563a3f6f329d4a295ad79ee40163633a077c20c429f43b6bb65

memory/1288-261-0x00000000002D0000-0x000000000030F000-memory.dmp

C:\Windows\SysWOW64\Cfehhn32.exe

MD5 1566565ae880beb0ccfbfa8bde084af2
SHA1 6ca4c81672a620900883f41327a9fa95c2bbf783
SHA256 36c27d1086d842e00368e6a5e1bd43e327fa98e3510fbef516032f400c9c4655
SHA512 c5b331cf76290eac5246633e6f292f25b1670f85cd0198574882e432f5caf25acb7b14f0b2b37270d5d08345ded02a40f923be035d28a5bc58faf3e99552e437

C:\Windows\SysWOW64\Cidddj32.exe

MD5 8ff0fe0e68482a1f5df219c300fe5a9b
SHA1 052d83b5339f34f9f9ff31b968652990cbc6d8a5
SHA256 04c534de669157b1d387bfcd3074e654d7bfe584f32483444c531bd520da5aa1
SHA512 964809d6a5bda6e79c812c2a95a0534151a1c2b4c85e1a65857472d70f5d2cae7ec6f30f745d6b70e7c256fe60ea81b3537044441e55f789a176240035b24480

memory/2336-271-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1288-269-0x00000000002D0000-0x000000000030F000-memory.dmp

memory/2336-276-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2032-277-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2336-275-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2032-287-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2032-286-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2620-288-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Dblhmoio.exe

MD5 5d3689a28c6f12e93e23d7550b75e42a
SHA1 faebb66eab21500a87ec4fa74cc1f6fc1f77640a
SHA256 9f80a1c0ab2892ca00ebde0a375311b6d756a0a0c69dd8551788cf9c35068135
SHA512 3ae1ac40163886b6ed94d02cab1c304778b2facd4bc47cadddd3a2eeba6a5eee3ecb1f1ab4b65d5ba01bc8450f14a6e60f9f48955bd9fda498a0d02eed5b0fee

memory/876-299-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2620-298-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2620-297-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Difqji32.exe

MD5 1ac31185158730bcf068cb8d44d93178
SHA1 89ee53126b240e5734b2cc9c786cea24c45954ee
SHA256 147d905f67cda16d1a237799e708ca6084cab18490a5f5854b9acd3e57bef512
SHA512 4e087c6abc5ca79af3f546b0c9bec4f8459257e8115f92da00fdc4cf83e8f4d48fb6c3892df093759877fe42f143a03f899c677ae32789a12e82f1ff9dec0350

memory/876-308-0x0000000000250000-0x000000000028F000-memory.dmp

memory/1636-310-0x0000000000400000-0x000000000043F000-memory.dmp

memory/876-309-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Dboeco32.exe

MD5 67f0c3636635d653b9d10613eb1d203a
SHA1 e7da1fc58a1ecb03ab0331f797772592757512ba
SHA256 fbcfd74f0eee9d367e4cfd5ac7d00b94e03d3c571a7932574a186e326200fc51
SHA512 0c6b154ea70fa8ca8c101c360ad95bc5c9dc2d99f4cde754ebeeba35943dcb49f08f1b85e721d7ea6ebb0508f8b7bf25cb53081f94dcf31d351b53e426b0f6b6

C:\Windows\SysWOW64\Dgknkf32.exe

MD5 04528fb7d64f3a63432d6ad0f6daca15
SHA1 d616580b313f9271b2eff8f59e81c38808b546e8
SHA256 0d8ea16c25f491f1d4a86a2e7ba590a1afaa419ea36a79ed3de6e038b876bcaf
SHA512 1755daa4580b3796900d75dd50288bc90378bceb280fa0aa8bfc7b64aacc39791523fa481c54f84efe63e45a66778b21e6e7160e406bbe9dfa4151babfe9ec5b

memory/1640-321-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1636-320-0x0000000000250000-0x000000000028F000-memory.dmp

memory/1636-319-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Djjjga32.exe

MD5 79eed1e33860ddee5161f94f03f9bf96
SHA1 9b436bfadac1bf04c91c1594ce49a094485584b1
SHA256 7f5017a3a02e36a8270eb169dbdc577dbdd7df2cbca9489f0499f39dc77ee380
SHA512 b5128071105cf70329d90549bbffd20b5f8cf0f7c155639cc36e0c5e3e11fd025b13a5b4ea666a272a4b8ca3a463551516fe7e3b81e226e2a3e25de5f45b3717

memory/1640-331-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2748-332-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1640-330-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2812-348-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2748-342-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2020-343-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2636-358-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2812-351-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Dlifadkk.exe

MD5 ce537f1a8dbccb4e4ae9f2d3b6dbfc4b
SHA1 4f1274044c2fa44bae8f3e8314ff408fd2132589
SHA256 8adac132cf5a05a6a786f4640b62d73d0934bd253222b4369324ded087cb3701
SHA512 35cea5a327ff26be1e8492a44bdfb230686e8838b3c2c4d4de5c026a9b3efb4134c540180cf42100604aa68222d08d4bade4d47b8f1ee5d747c03c0474fc06b4

C:\Windows\SysWOW64\Dgnjqe32.exe

MD5 f2e4bf12c6375b80ce29a1f621928e1f
SHA1 376f4fa98bfb2b0fbd9b038fd33aa0cd15a77d78
SHA256 17a503333146229135959dbeb08721dd0c292e412757ed74d7abbf481af3f8d7
SHA512 b115d54ec386f5469a762fa04ce8201b4615c56121465113640333bec121b1996f5dcfe2e51c89cbae962e93d90630bf2b5a6a0f08a6df820a8575d5aa4cbe1b

memory/2748-341-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Dmkcil32.exe

MD5 ad6a6829a285426f0f420a6881b3c146
SHA1 b9fbd773fffa0b4e1b87450970d1136389a4ca02
SHA256 27086a2a98b97e74d844958ceddc8c0a79e1d9e25a0563dcd2668e22ebda665a
SHA512 8f406452dae117e02aa45591e61ff94626fecf5137e483d40ac53838205a9f075a3371020209d8a1beaa8e1b29e7ca90ffed9dab48bef08f4f19b3e887819001

memory/2516-368-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2724-367-0x0000000000250000-0x000000000028F000-memory.dmp

memory/2724-366-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1768-365-0x0000000000260000-0x000000000029F000-memory.dmp

memory/2636-364-0x00000000002D0000-0x000000000030F000-memory.dmp

memory/2636-363-0x00000000002D0000-0x000000000030F000-memory.dmp

C:\Windows\SysWOW64\Deakjjbk.exe

MD5 4d942a43e4db344f22eeeb02942c1928
SHA1 6036023575a16cbce3c8abc2628a99042b83b996
SHA256 805d1135fb461c506a37dfde691a1a7858ccd3494828549713d223b7d00868f9
SHA512 3a05ce0ff5399f897ae0ae205b7264df3af4a84daf12770bbb83aa1b5a63c818b63438cb5ddbfcde73a58a87fae31aad059977a6ae22c63411ef3270420e0366

memory/2804-377-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2348-380-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Dahkok32.exe

MD5 da9168e4799f764671e5b10e22a99aad
SHA1 19e72fb75ff00bf5cc5916e8cd334c0b9c18c222
SHA256 66b3ead15ec2066656678cdfc24c259f3fff931cb29391141faafa6989d62e81
SHA512 49748df9337908a7e78d0247fa81ec96800e1c587e756810e7a8bf19fd58bf3443dbb0eef6bb32ca3d30e05e728ea57809202846f20246473bbbb56d0664eb02

memory/2348-387-0x0000000000260000-0x000000000029F000-memory.dmp

memory/2348-392-0x0000000000260000-0x000000000029F000-memory.dmp

memory/1960-393-0x0000000000400000-0x000000000043F000-memory.dmp

memory/340-399-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2940-398-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Dcghkf32.exe

MD5 60b392fb6a82e26c226dcdfc319d11ac
SHA1 33f6660c9b9968fb1d5b047639d0fd86c1286753
SHA256 a9d20d28b670ef3b5bf1dac98f3f54382940621e2703a72bc40bc3730f1d52e0
SHA512 ddec1cbe6f383890fcd197ecbb5043be63064809744c0e3cb1963138eca44856d9e60aa5e3908df7d38b1ba7f302da4d91f04a569aeb69cb03893cc653ad28b5

memory/2848-410-0x0000000000400000-0x000000000043F000-memory.dmp

memory/340-409-0x00000000002D0000-0x000000000030F000-memory.dmp

memory/1064-408-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Eicpcm32.exe

MD5 2ac5e826404fb41861c6f35da1a9a5e3
SHA1 b7a575aa553f006eb568bb69ea0935c603cb8015
SHA256 2c1012ae777363269ce31db44a98149825e414d0d18c3c8f9b8918dd94fdb509
SHA512 a69f2c51caf4d487cfea9bc2cf30cb8114dc6165386f174b8387f9fb2e956195a9a82cccd0688bc8eb45e765f14d447fca3bb1431b17a1e29de6a4db48e9caee

memory/264-425-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2796-426-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2640-420-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Eakhdj32.exe

MD5 d948a7fe8d664b6532be5cb089c67df1
SHA1 31679988a5442a9e9bc206719a95eef43f9037aa
SHA256 c946ce07e098beeedfcd6e1e2bbd01633d726103532b54cbf12a201f1d52fbcf
SHA512 e4518cf1198f4912c97d8ba24a7b007b3b8a60144129a876273cbee8e3307341794a6e4690597f12935663dd302ed60958863a8848533bab2152a1d2d688996d

memory/2848-419-0x00000000005D0000-0x000000000060F000-memory.dmp

memory/2388-432-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2796-431-0x00000000002D0000-0x000000000030F000-memory.dmp

C:\Windows\SysWOW64\Ejcmmp32.exe

MD5 55dfd21eacb9ca1b48d13223727e219e
SHA1 65d96a93503ba84d59d39af70036249b82875678
SHA256 5f503cc964189dfaaceaa7016531d17d7aa04f4c744de2d206e3d4776f4e2020
SHA512 3aaca4c9a736a13fa6254ae796474a757c86325837eb68b10cb2e079ee722c9c8b2d5ce885a90e8ebcbb87668be81e92a967094d1e55dc83dad02606e7425890

C:\Windows\SysWOW64\Ebnabb32.exe

MD5 25286b1de147d44f6b80eaef5985cc9c
SHA1 bce79c8e60e1d805d96b2756574c8bfab5305281
SHA256 1ded0ee9e87cd95c7155f3147d558a84b2ca67bce30284382c44b7a8713338ee
SHA512 5c41a8c31d22e0f813305b649c94bf1f4dc56f37c1a4ee0accb38a631f48d8a055071f64867cb2c604be83f0ccb4e8bc05bba9d0501d4ae52a81b917e5f97dcf

memory/2708-442-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2388-441-0x0000000000250000-0x000000000028F000-memory.dmp

memory/1892-451-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1892-458-0x0000000000300000-0x000000000033F000-memory.dmp

memory/352-466-0x0000000000250000-0x000000000028F000-memory.dmp

memory/1192-465-0x0000000000400000-0x000000000043F000-memory.dmp

memory/352-464-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Elgfkhpi.exe

MD5 98097f4ff48d6eb155253cdbdc11ce7e
SHA1 66f0a2f3b597785559085ce2defe4b5b9c6c06d8
SHA256 3cee85ad8b17ae20667cd2271d9fa0e3f4bcad04dbdc0d5d806d644f3ddfb63a
SHA512 63c86bfc0e5eda4fa9f662943b0c8837d850dcc67da000e812191234f43d61dc2f6ccb9046f41997589a2308b126ba20c70aa841570d083681eb81c49b7c62a2

memory/2248-477-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2988-476-0x0000000000250000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Eoebgcol.exe

MD5 4c091550d979faa5076d31c3df949b36
SHA1 338ef7c6d9df06fda5d245317652d4b55b8f54ab
SHA256 8e880d07756afd8246119ebf47d48e9c8ce51f7e82eff184309981ca980a460b
SHA512 e4165a02e5c4feddfd521b6160aeb50ce772a193007f2b8f35e5ed0a907a7670ccd21830870de49b74fe189038ea6597f05036ab5df429fcd27d8d2ada502328

memory/2988-472-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2788-460-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1892-457-0x0000000000300000-0x000000000033F000-memory.dmp

memory/352-452-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Eihjolae.exe

MD5 8b6c9e95ca61e97a4a98a3230ae2de40
SHA1 9760732405e8e27a708c21829747615455849f42
SHA256 361a23830bcfe384c293ab755a1968aea42e4f402c7f429590a656a504237b14
SHA512 c8207e1d060b0ddaef516de41a307e7dfeb9b559b8e334a3e1e7156534e05eaedbf9058793a8a2bc6fe52557e90a4ea668385ce3d0c3e9e269503ecc2f384ca5

C:\Windows\SysWOW64\Efljhq32.exe

MD5 219567e3329cb3ee48e73c92e5f0b1b1
SHA1 e5874a844a9a75eacb106c05917dd2cb2019af3a
SHA256 b7bcc56521ccedb3a489a3988e2919ab14d957bc45b210c884fc63c98fbbdffc
SHA512 2d8a8cf2c2b6174ec35c5046e39f40bf0c13656b59709c0c3328830472a364a90331b88e8f4ee4f8f7fa692f180ce2143bb79d840de5b12a83e19fe9b79c71be

memory/1948-487-0x0000000000290000-0x00000000002CF000-memory.dmp

memory/1948-483-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\SysWOW64\Ebckmaec.exe

MD5 35cd5899f1125c35d54888481865f6de
SHA1 fa4cfd4650b4d13d908baf079245d827aa3c369d
SHA256 7f2fefd17fdebd8f6ad3ca5089e1629685d9387402e0bed3ba73bf2ec1ea727a
SHA512 6f9053421763584df412f8f24bf08a254186a3b4f716c956698f10ef72268f55dd3bfa7278416d7969bb3df84859c36b826001265004f180ec257496f46c5b5c

C:\Windows\SysWOW64\Eimcjl32.exe

MD5 687e3b52fd983d02cb123efcc1ffc766
SHA1 34b60f4227b96134eb86d97ec262635cadd09ef5
SHA256 1e233993a3b1bd306019493444e06bd1b0e28a6e99d315353130d304f52743de
SHA512 0c52a8031dfd7cd56f43f526024522ed93ea52903c12fdb2896e6daa7ae53bf2902459be893cef3a5d3803428849677354992adcbe1112bb8202d999bf940c28

C:\Windows\SysWOW64\Elkofg32.exe

MD5 f6a1470d430d717601551a8cbd3be0cd
SHA1 622334c5b61d196864783828745f64e2386e45cd
SHA256 eaa3086759d90859343bde708fb3652434a52748a943d7c136270cc97b34e123
SHA512 95acfc8119a0f3b1139af8f2d74af2a3350a9264a9a179375a36291906081dfe773ac16419252289599b07bd8e3cae886c5f50ad8124f6ddbca956054a81cdfa

C:\Windows\SysWOW64\Eojlbb32.exe

MD5 131f407c09c944e171ece3514eab835f
SHA1 cd3292acf2d304f15ca2ff648bb75b87f3700721
SHA256 6bc362a904fdd6a4c291e47caacde19d749142ee9beb24e4b3c12bf870e8f20d
SHA512 6711335d42a5638b92219f97698ff42789e076ceccbac256e5b287a772db2a773112a99d7fa1c9f837bed6d11d6834cf2f5bde830210637c00ceb39de2c060a9

C:\Windows\SysWOW64\Fbegbacp.exe

MD5 13b059b04e83157d3b52528bcf2e25c1
SHA1 5cde303962abc636c3be1d0fb7166d70e1166af8
SHA256 aac04b2d20888478364808ab54d92245b673cbe067953cd97889c6e991b08ac7
SHA512 34bd4e620c63ea851354b647044972c18ae6db6da806323e6fce4edb0008e4d6aeff336bde158cc0f0c686277df1d60432ed4c08255189b2ab551ddc445de725

C:\Windows\SysWOW64\Feddombd.exe

MD5 427c11b1f59e6501f36b2b1e6e6c0a07
SHA1 44e99559065a4004dfc0cf439874a19442409939
SHA256 b9f156a36d2577cbed6fc7549c0982d09e58760779db4c89c0684208d52e776a
SHA512 8718db0c6d357158b6128219a5d211a302554c3b4592fc6ec76e311d20cd5f3ffaffd5f0d86501bb0343e78d74893bf42197f08c234f1699c157844dcac68cb5

C:\Windows\SysWOW64\Fdgdji32.exe

MD5 d9be657f9ee281f239e2a2e1f034f0e8
SHA1 17eb6265c2d271192c9e8ff0f7c23c805f7eeef4
SHA256 009fa77d34cdd74c8ed324d9817a9f4969924c32e8bfe02e87ddb478b87de20c
SHA512 0cfe961e781a0c816b44804ecc5ea8c65872ba1d0e4acddb5e6e38ab3988904df44b37f985a68337401ff40da2cf620818ee1f134022deb82f8175ff5fecff60

C:\Windows\SysWOW64\Flnlkgjq.exe

MD5 21c673b9735fe9cc57248b749b595776
SHA1 c40508c1508f1b2eea62f667c1628b818b6a554e
SHA256 ddd94cd8a3be6853b4085179502b8530b5bbf340a48808ee0b024fb9b7f4cffd
SHA512 0be3aaacb2e5d466bc87eae721155e10b6cf96c350183685858b033758d58de3a5d8ef2da46cdc5435a100b30d53c95369f278c5d01d6217f8060e8de6630686

C:\Windows\SysWOW64\Folhgbid.exe

MD5 e558e761e419fd1c59faf217376155d6
SHA1 0cc7aab41bfc01f275c498443f71dd1fcfccc5d8
SHA256 81f902fcd61fc4a5f73bcd11102b56fc748605f74af04d56dc12b5da9175570b
SHA512 3876ae7526ef87da25338f84af6a54c252acc5b93f92913af0e58c08ec97ae2e9d79e1b8030517ac8a3c8cfa31cbb561a5c3da9915efdedc687763e177f73482

C:\Windows\SysWOW64\Fakdcnhh.exe

MD5 96242d5d049cdc4676ea5ac54fc109f5
SHA1 2f96e5e1b3cce98b4cf5d6aec5123611d4fc6df5
SHA256 4321d46118371eb052ccafb27d4f183a7a0a625177835936f0e46b4c1c2ecff6
SHA512 6f7637f53a20d51aedd8df984fe25d3dcfa234b39f5639393fdb93911623d209207b41c95c612ccb1d0c22ec9a356bc663bc7e3578c298b1efcddca6bc79e29c

C:\Windows\SysWOW64\Fdiqpigl.exe

MD5 eb7d8937d74324539b72d3c0d5a5eb37
SHA1 c7ebe5550044968ceed357a1b142435739b56aee
SHA256 53b2259eccbcc7816fe2d86b70c55d1ae361b10d754efc3f9fbbd9ad3f78badc
SHA512 c70a429055195aaff6b9101576b0f1936267c05d6ccd95fc4eed5d3b0870714703b33ebcbf060cef5fc48454dfb392a69a7ecbd7c26e029739a6dc8e2530fe30

C:\Windows\SysWOW64\Fkcilc32.exe

MD5 7077358c71831c67de20a50fad7d5398
SHA1 ce0a60f420e3549365cd451cb49dbf797ac040f1
SHA256 e486dbe655ed0ac708e295b5bd528fec5e9a0e0d4d43852c9a0ee2b5a4080418
SHA512 05b3226fe87fd95fc45d2f6b0df46842bef362488486998a885a1d45b2229ddfdf6ce1ea4a43c9fc822e9a3c88cfac2436aff1876cc30509eb3b7191a63dd82f

C:\Windows\SysWOW64\Famaimfe.exe

MD5 53112c4829de861a4822f9f413a598f1
SHA1 12cec35e89a3c1739ced1c32d9a2a27a90b1680e
SHA256 bab560778fc52b3fb62e4fc35b70126ca2634caa001b00d3090a0d44c541420b
SHA512 60adb7d1183da362274bcf4e8d85c57d7cb34db0abe77b59cd8b3909b86a85d60ef6c41547e8e9976750f33cd2063572f7feae159e0de7efa24f4e672d6922c2

C:\Windows\SysWOW64\Fmaeho32.exe

MD5 180e4d76b2f344a1837ce2fbdb887ff0
SHA1 1b41e23979048d7c1a660e167146f642f53e1114
SHA256 54f3f4679c5510c1f0806ba8490796f72f2d4845599620c75ee605c25ce92379
SHA512 d81b1a8d0320cfb77a809b1b524ce7ac4ce7435871749a2509b4040da229aed7f352878657c648e3df3ecb46ab6cf4cc1ecb354a74fc926f2d6d32590bb89058

C:\Windows\SysWOW64\Fdkmeiei.exe

MD5 c75db592dd3b8ee082f7e835ee7d8378
SHA1 ceeccf45fb407102461e80044643289cff942d3c
SHA256 fc7c8cbad579b07d7e004de13f35bd3cec8d6e7cb1e77f13f3b49658dba00a5c
SHA512 2fd9c30f7ad3eb996df2bd9c165995a61da36354f81a458fe21ce53daa84ead9de0b33ce10c7d774580a2315dee559945defaaf2756c4a4873bc20c101fbf30d

C:\Windows\SysWOW64\Fgjjad32.exe

MD5 283e95820c02a5ee009ee6a3a17526bc
SHA1 e65c942eccb6b138186d357ef150c588c65f5002
SHA256 f5b991ac4d3c141569f22e9bd424331776cca8f3675daa799858387f817d06ea
SHA512 211b77cf03bd3e9cc7159e6486e573f36a24600fbd2f3ba31de5f7880b70b80288920bfef32a99ed2856dd73c3d704d8616ffa1115ae84f92152aa79b53b27b2

C:\Windows\SysWOW64\Fihfnp32.exe

MD5 edef32dfbc95f65ead323df81fe0d679
SHA1 09a06a007e123bcc6d9f11c6c68b84b3692ceed0
SHA256 a7b5c419b7d35186dbd888eed8d40fa3bfe723bcd06d5b15fa4d82517008b4ea
SHA512 c80601cc159c4f3d80126a0b8fd7eaad015e01321afc4f7909c606196b06f5a0d779100d7a39cc57e21ca125b643db1415bc464a28a59feb1b3889e63b16491b

C:\Windows\SysWOW64\Fmdbnnlj.exe

MD5 7419a7cf6c2f7ff03564193783940de9
SHA1 38a6b49a6d839670fbdffd4d48e81e3f0c743bcc
SHA256 a3f4e905d2024117ece405e3262299000d338d3020afd912e38a5810877af711
SHA512 26f4cafaaa695fca47e95a46585a25d1580c15c5a17cb6a3e8494108840a559c87053c1e5f596d59d375e48560df43de2a26001997db5dccb031cbb67918c729

C:\Windows\SysWOW64\Fpbnjjkm.exe

MD5 1f7d4ddb47c1dd2bf3543cc2bfb33674
SHA1 61c06adcb64808f2495a269ee9153abb8794e123
SHA256 0cfda7e7a4a60e7fdf339f887972590941ab5422db10083162c684396ed55d5c
SHA512 3c5ad912f3c681bd6e80a9df64665961b92f47b1206d0763508c6a30bb37659f96a8050ccd5c2592779a81b94ca2672adb18305aa6924c6f004497dda47db7e0

C:\Windows\SysWOW64\Fcqjfeja.exe

MD5 53489a60ac66166fa955791583925826
SHA1 b215bbb86447df4801ba0a2d82f5e9794e39ded3
SHA256 05edb3c2f461dd9d2b603243531669e63becae080d3a8f097af42edd36d9bee0
SHA512 0bc667c3f82ab2898f6cf27585574c26609517f1a9d7a7868fe79fd0ae883e71529be23dafc557f39fd9af9f373c0559983e0df5ba8de0cc7b238a92a63dd992

C:\Windows\SysWOW64\Fkhbgbkc.exe

MD5 084f987ffbf8c98c31cb70d5df14f079
SHA1 70c99526fd97d6aac43c9af85e073fefe2d59a90
SHA256 42697c1180f336776be26a889e0641b179ef79e8336f2f7473f99a02a4ee4d63
SHA512 0c49c299fa8aef827e27d7683af71df6f6a1f49124f68b8b4688536963bac10ff927692877545ad354c7d8aa9b5310109bcf641d33de949ab81f307cbcbbde0d

C:\Windows\SysWOW64\Fliook32.exe

MD5 acf8ec328c8fe8322afeba70e92087ee
SHA1 1c26d6ba361a827925dee3eb434fe0b362a2cf97
SHA256 f1dd61950558576fa21f143da748f473a5e9b26bda2c6f770f30154689c05a41
SHA512 bff922985c26be321ab744874932307df3c20504e54d210194d2b9c3748364490d99b85fc0d72b21cf5d24c37d354755d87b66833997c629a601054315d4b757

C:\Windows\SysWOW64\Feachqgb.exe

MD5 774302d686681b658783efb9174c799d
SHA1 0c0460f4b0f86b14e529138ceb0624f09383e829
SHA256 32f8b2b644d2c8e7acbaeae4b5772522c3dbf30ea7ea54faba49de3c23fd6868
SHA512 6c78601ee89f4389e50ac50370d3877741d1dd6c6d8e57ef17ba011624b133b9d30fb4263c7a1d3f8b2879f258956bc7213dca63d538fd1300b611b130e7e204

C:\Windows\SysWOW64\Gmhkin32.exe

MD5 60efc0310f2b08c7088036ae84a388c7
SHA1 3b8e1cdd1644b1da9d0d7f6e738c1ac3500b3a1c
SHA256 0ff115c45167938fbe13a79de8618184b6f124a43e2de21a2b5a401da1a4d242
SHA512 6f321c596ca9a68381f8003c72b8fe683159e4ff04c57cf6f5fd7a0856fc791a1cad9ef00ca3c6b17902ef7016e99482144d6ce9ce2dfc4becbdb722e83cc7c4

C:\Windows\SysWOW64\Gpggei32.exe

MD5 f0b93d133daacd9dbc6e4c70dc05320b
SHA1 2186b5b6eca16d01877dbc39e3a424604aea5474
SHA256 440a83c4eae4c7491e15c7bf0bef95c1d6572bc4334c82c5f89a75e58f042f89
SHA512 b1a1fd8154849b6a8b33fba95459b34b9629b752c30262e656fc50dd1e79403858a48f1334b28a7fe65ec195b5222a7cbadd990193abb5fda69034b42133c137

C:\Windows\SysWOW64\Gcedad32.exe

MD5 f847ddaceeccadf5247bfd36eaf9babc
SHA1 4185c0a7de6dc9fe4db730e6d69dcf7162fb22e1
SHA256 cac1f6cd819248095240f945aadbc1746788531c21007471d4cfb2a4f0cea92c
SHA512 ca28a80199820754dbd8fe967282206c5b5553591ad6b6c5f9efe7d3f0e22f9f69057d816e64705e7e19064b96822c5eb78ca0cae9a78f23c3b96af4439476ea

C:\Windows\SysWOW64\Gecpnp32.exe

MD5 b23a0df5ab012cc969d3565f575e5de3
SHA1 6e296e2693640d61f9a88dbc1e9acd6acef1d42f
SHA256 61a2dcc937ab6eb620eaf294873d411f613cd869810778db6010346fe6ccf024
SHA512 1955a7c65dd19fd5d29dccdd9307dbe52b7e6aa6a33f6bbfc24f2dc8761b5439187c5002e4cfa3083b8d26f952389435fe02990befa917e8301d6b6c89b4f388

C:\Windows\SysWOW64\Ghbljk32.exe

MD5 48f4f45ad32e17a0b12028b61fe8f52b
SHA1 3a60537dbe3aa98c88bb4389d333f5dc65af9083
SHA256 ea00533a6544a0f372bd6d05beb9893fa0be6ed328ea9f1aea96c1669d0f5f6c
SHA512 ec0fb6524c4da4494c8e11a68827ab6ef4843cd3d235a6a3eeab13fd128455c390fb6c3c3ff89703cf5c75283b9b2583c34194f58e2e937b48f5d45e6e263725

C:\Windows\SysWOW64\Gpidki32.exe

MD5 1a56eef88b577ab5349fd18bf9869a58
SHA1 8980ecea772ebc11b9befb6c5170e031000cb2d3
SHA256 ec842ef64b6a5bde0b103dd7f9472c7c7df646abb33661eb3acd00c5601d2f03
SHA512 10ee2a5542098366fc775e0893bb6b05e74844eb6dc31fb2b7ed6df598353a4989352e40c8efd0bdf8bc4b687aba9c4f76b94a34979cafe46fb87917ad2a8c07

C:\Windows\SysWOW64\Gcgqgd32.exe

MD5 c9401a88d1220c00e58c756dec6bece6
SHA1 bbfcce729f78c2869ef6e8d6755d9e102ff78ce5
SHA256 202258d46da798e4cc7bb56d31baced19099eb0c80c2d0be2a680b8c0826c0b2
SHA512 7ffe6dfb33c787949e5747edffaa311cd9ce311c146de9d6a3d3d974f2f110589131c97ff920538d678423a957da2bf24529a4376d91ecb6be3b25a3e3367704

C:\Windows\SysWOW64\Gefmcp32.exe

MD5 bceac7c13fced8688f250143fcfaf34d
SHA1 15f3248a0c3c5e8aa9b785a114403f5d1b7888d4
SHA256 66e270f85ffe052a930e673e70d93992ec9ede75a8c363d59d64e21a9581579e
SHA512 512b3dc464a6bfe48fdc6ce00731f32bd1ff9e6218aebb95063934a8d73512c8d447adbfca2e31b2e753bbd28dbdf4415f525e9a12d76c5358f5b2e83788fde9

C:\Windows\SysWOW64\Giaidnkf.exe

MD5 49d72e4d8a8843822e4fd3091cbc8123
SHA1 aaf453a9cb826cfc884210bfc63b4251d55c69d1
SHA256 ed223caa37d9cbf80e20b3d439b9f3f455a6fff07182adb57f0e8b68be5da519
SHA512 5203da1ccf9abbc77de630dcdce06b0c9f5b9f9bc7f935ce9e65b0ba24cfa080ed1679cf49022be9da98bb8eaa16a43496f59eed11d6192cfba9f7bcfaf66cab

C:\Windows\SysWOW64\Gkcekfad.exe

MD5 44c8f7312b39387b962fd937584963b7
SHA1 999db0b230b1ca3ce2359071df74c8268ff9e48d
SHA256 25aca0597c766b4cbb9ab923dd2e61924dc64605c28e5b27452cacf6b4a3ea5f
SHA512 9f7e7d42f14c0883edca20446b9b45137524d66b92bd237feef59498a7d12b8599d773c9159c8ff1a0772c3c0806aa0cdb94af70824ac52558e9766a515c2e2f

C:\Windows\SysWOW64\Gcjmmdbf.exe

MD5 0f88def498ba2448d1b87bcce371d1d4
SHA1 b4d06ef324b7cd2bc48e93f50f4c11b4fe190cc6
SHA256 d732805d7aee8c0ef053b9ae0bc57b878fd31c1681b654e466e8541b1dcc852e
SHA512 b40828020d4872def0569631b45d4381364400d97422f43522d570075375a900dc3c67e44d9ec35cf1a95e4e18257e9f6336b51c1ff86f8608cca1b5156f8cdc

C:\Windows\SysWOW64\Gdkjdl32.exe

MD5 04136eb516aa1e5e26bde5b8558891d5
SHA1 0b0d8312ae9d057172382e191bab33914243acc1
SHA256 4edfe76dbc08229ad03688b275a1335324c30fab3496ec3df60a55b3ca59a7b6
SHA512 74272fd2e4d0722878047b77198232e338cbd535f3814e2e32dda0535df0d7cc704be7987084858df600749c7084993806236ffa39ab4d9415e6899a49e004e2

C:\Windows\SysWOW64\Glbaei32.exe

MD5 3a640fdf2744751081371b5490c8e819
SHA1 ce359c87d3ece931374d254cd23de2dbc82503c9
SHA256 2d6f7ab2a98527c555f74e77332ce0164f6b47976d40c9196c2ad20f7c4a2446
SHA512 6da28c2fbcbc447fcdc5a9e63ed9eea44a7a34d559b524ad958f160fedbee4596986f5209936e346161df9e731e52e3a3f09ddecc67ed72665c1b63b744e174f

C:\Windows\SysWOW64\Goqnae32.exe

MD5 b050466db87cf3ff7eb23b7bb7c3e7d3
SHA1 8418e0157fad8492a0a410086bdb127b2a8ff9c9

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 11:49

Reported

2024-11-12 11:52

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Caebma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cnicfe32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qddfkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aminee32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjmnoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Balpgb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aglemn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjmnoi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bjfaeh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdfkolkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cmnpgb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Deokon32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qfcfml32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aglemn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmpcfdmg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pgioqq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Adgbpc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Beeoaapl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceqnmpfo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjinkg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chagok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dejacond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pqdqof32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qqfmde32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qmmnjfnl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajfhnjhq.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE


Drops file in System32 directory


Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery

Modifies registry class


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3464 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe C:\Windows\SysWOW64\Pgioqq32.exe
PID 3464 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe C:\Windows\SysWOW64\Pgioqq32.exe
PID 3464 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\cd3cf93982cf62043c3943db9561ba738652b7be7fadf3afc36573029bd0c16dN.exe C:\Windows\SysWOW64\Pgioqq32.exe
PID 4212 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Pgioqq32.exe C:\Windows\SysWOW64\Pjhlml32.exe
PID 4744 wrote to memory of 4372 N/A C:\Windows\SysWOW64\Pjhlml32.exe C:\Windows\SysWOW64\Pdmpje32.exe
PID 4372 wrote to memory of 1368 N/A C:\Windows\SysWOW64\Pdmpje32.exe C:\Windows\SysWOW64\Pfolbmje.exe
PID 1368 wrote to memory of 4300 N/A C:\Windows\SysWOW64\Pfolbmje.exe C:\Windows\SysWOW64\Pqdqof32.exe
PID 4300 wrote to memory of 3760 N/A C:\Windows\SysWOW64\Pqdqof32.exe C:\Windows\SysWOW64\Pgnilpah.exe
PID 3760 wrote to memory of 2688 N/A C:\Windows\SysWOW64\Pgnilpah.exe C:\Windows\SysWOW64\Qnhahj32.exe
PID 2688 wrote to memory of 4980 N/A C:\Windows\SysWOW64\Qnhahj32.exe C:\Windows\SysWOW64\Qqfmde32.exe
PID 4980 wrote to memory of 4156 N/A C:\Windows\SysWOW64\Qqfmde32.exe C:\Windows\SysWOW64\Qceiaa32.exe
PID 4156 wrote to memory of 1824 N/A C:\Windows\SysWOW64\Qceiaa32.exe C:\Windows\SysWOW64\Qfcfml32.exe
PID 1824 wrote to memory of 1548 N/A C:\Windows\SysWOW64\Qfcfml32.exe C:\Windows\SysWOW64\Qmmnjfnl.exe
PID 1548 wrote to memory of 2880 N/A C:\Windows\SysWOW64\Qmmnjfnl.exe C:\Windows\SysWOW64\Qddfkd32.exe
PID 2880 wrote to memory of 1844 N/A C:\Windows\SysWOW64\Qddfkd32.exe C:\Windows\SysWOW64\Qgcbgo32.exe
PID 1844 wrote to memory of 2628 N/A C:\Windows\SysWOW64\Qgcbgo32.exe C:\Windows\SysWOW64\Qffbbldm.exe
PID 2628 wrote to memory of 3332 N/A C:\Windows\SysWOW64\Qffbbldm.exe C:\Windows\SysWOW64\Anmjcieo.exe
PID 3332 wrote to memory of 3148 N/A C:\Windows\SysWOW64\Anmjcieo.exe C:\Windows\SysWOW64\Adgbpc32.exe
PID 3148 wrote to memory of 1640 N/A C:\Windows\SysWOW64\Adgbpc32.exe C:\Windows\SysWOW64\Ajckij32.exe
PID 1640 wrote to memory of 3228 N/A C:\Windows\SysWOW64\Ajckij32.exe C:\Windows\SysWOW64\Anogiicl.exe
PID 3228 wrote to memory of 4636 N/A C:\Windows\SysWOW64\Anogiicl.exe C:\Windows\SysWOW64\Aeiofcji.exe
PID 4636 wrote to memory of 2216 N/A C:\Windows\SysWOW64\Aeiofcji.exe C:\Windows\SysWOW64\Ajfhnjhq.exe
PID 2216 wrote to memory of 4948 N/A C:\Windows\SysWOW64\Ajfhnjhq.exe C:\Windows\SysWOW64\Amddjegd.exe
PID 4948 wrote to memory of 3480 N/A C:\Windows\SysWOW64\Amddjegd.exe C:\Windows\SysWOW64\Acnlgp32.exe

Processes

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files
