Malware Analysis Report

2025-08-06 02:17

Sample ID 241112-q44nzsxkbr
Target ca91d1b985500ad191658d40f1eb120b99a1edf5b573314cbc8727b2adb8bfd7N.exe
SHA256 ca91d1b985500ad191658d40f1eb120b99a1edf5b573314cbc8727b2adb8bfd7
Tags
berbew backdoor discovery persistence
score
10/10

Analysis Overview

score
10/10

SHA256

ca91d1b985500ad191658d40f1eb120b99a1edf5b573314cbc8727b2adb8bfd7

Threat Level: Known bad

The file ca91d1b985500ad191658d40f1eb120b99a1edf5b573314cbc8727b2adb8bfd7N.exe was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Berbew family

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 13:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 13:49

Reported

2024-11-12 13:51

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca91d1b985500ad191658d40f1eb120b99a1edf5b573314cbc8727b2adb8bfd7N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE


Loads dropped DLL


Drops file in System32 directory


Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\system32\Eanenbmi.dll C:\Windows\SysWOW64\Dpapaj32.exe N/A

System Location Discovery: System Language Discovery

discovery

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Paiaplin.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cnimiblo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfcobil.dll" C:\Windows\SysWOW64\Oekjjl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ohiffh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alnalh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgoime32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofhhgce.dll" C:\Windows\SysWOW64\Lnjcomcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Obhdcanc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apqcdckf.dll" C:\Windows\SysWOW64\Pmkhjncg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Apedah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll" C:\Windows\SysWOW64\Bjkhdacm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Agjobffl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kjmnjkjd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kjmnjkjd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Oabkom32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pdjjag32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll" C:\Windows\SysWOW64\Qnghel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbknik.dll" C:\Windows\SysWOW64\Ahebaiac.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cinafkkd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cgaaah32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lclicpkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pkmlmbcd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll" C:\Windows\SysWOW64\Phqmgg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljamki32.dll" C:\Windows\SysWOW64\Qcachc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qnghel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljlmgnqj.dll" C:\Windows\SysWOW64\Lhknaf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Nlqmmd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnoiio32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pkjphcff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll" C:\Windows\SysWOW64\Bceibfgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Danpemej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oabkom32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pafdjmkq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bmlael32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bcjcme32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Kdpfadlm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Oemgplgo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ckmnbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lfhhjklc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Obhdcanc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Opnbbe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Qppkfhlc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll" C:\Windows\SysWOW64\Cgaaah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll" C:\Windows\SysWOW64\Ckmnbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pleofj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Qeppdo32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è C:\Windows\SysWOW64\Dpapaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabalojc.dll" C:\Windows\SysWOW64\Kddomchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbcjo32.dll" C:\Windows\SysWOW64\Qppkfhlc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajmijmnn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Aojabdlf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ccmpce32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Lqipkhbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mjhjdm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Akabgebj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll" C:\Windows\SysWOW64\Bbmcibjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ceebklai.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jendoajo.dll" C:\Windows\SysWOW64\Adifpk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjbndpmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bieopm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Phlclgfc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Aaimopli.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Akfkbd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1764 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\ca91d1b985500ad191658d40f1eb120b99a1edf5b573314cbc8727b2adb8bfd7N.exe C:\Windows\SysWOW64\Kdpfadlm.exe
PID 1764 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\ca91d1b985500ad191658d40f1eb120b99a1edf5b573314cbc8727b2adb8bfd7N.exe C:\Windows\SysWOW64\Kdpfadlm.exe
PID 1764 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\ca91d1b985500ad191658d40f1eb120b99a1edf5b573314cbc8727b2adb8bfd7N.exe C:\Windows\SysWOW64\Kdpfadlm.exe
PID 1764 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\ca91d1b985500ad191658d40f1eb120b99a1edf5b573314cbc8727b2adb8bfd7N.exe C:\Windows\SysWOW64\Kdpfadlm.exe
PID 1840 wrote to memory of 1640 N/A C:\Windows\SysWOW64\Kdpfadlm.exe C:\Windows\SysWOW64\Kjmnjkjd.exe
PID 1840 wrote to memory of 1640 N/A C:\Windows\SysWOW64\Kdpfadlm.exe C:\Windows\SysWOW64\Kjmnjkjd.exe
PID 1840 wrote to memory of 1640 N/A C:\Windows\SysWOW64\Kdpfadlm.exe C:\Windows\SysWOW64\Kjmnjkjd.exe
PID 1840 wrote to memory of 1640 N/A C:\Windows\SysWOW64\Kdpfadlm.exe C:\Windows\SysWOW64\Kjmnjkjd.exe
PID 1640 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Kjmnjkjd.exe C:\Windows\SysWOW64\Knhjjj32.exe
PID 1640 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Kjmnjkjd.exe C:\Windows\SysWOW64\Knhjjj32.exe
PID 1640 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Kjmnjkjd.exe C:\Windows\SysWOW64\Knhjjj32.exe
PID 1640 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Kjmnjkjd.exe C:\Windows\SysWOW64\Knhjjj32.exe
PID 2704 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Knhjjj32.exe C:\Windows\SysWOW64\Kddomchg.exe
PID 2704 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Knhjjj32.exe C:\Windows\SysWOW64\Kddomchg.exe
PID 2704 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Knhjjj32.exe C:\Windows\SysWOW64\Kddomchg.exe
PID 2704 wrote to memory of 2816 N/A C:\Windows\SysWOW64\Knhjjj32.exe C:\Windows\SysWOW64\Kddomchg.exe
PID 2816 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Kddomchg.exe C:\Windows\SysWOW64\Kgclio32.exe
PID 2816 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Kddomchg.exe C:\Windows\SysWOW64\Kgclio32.exe
PID 2816 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Kddomchg.exe C:\Windows\SysWOW64\Kgclio32.exe
PID 2816 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Kddomchg.exe C:\Windows\SysWOW64\Kgclio32.exe
PID 2852 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Kgclio32.exe C:\Windows\SysWOW64\Lgehno32.exe
PID 2852 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Kgclio32.exe C:\Windows\SysWOW64\Lgehno32.exe
PID 2852 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Kgclio32.exe C:\Windows\SysWOW64\Lgehno32.exe
PID 2852 wrote to memory of 2636 N/A C:\Windows\SysWOW64\Kgclio32.exe C:\Windows\SysWOW64\Lgehno32.exe
PID 2636 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Lgehno32.exe C:\Windows\SysWOW64\Lfhhjklc.exe
PID 2636 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Lgehno32.exe C:\Windows\SysWOW64\Lfhhjklc.exe
PID 2636 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Lgehno32.exe C:\Windows\SysWOW64\Lfhhjklc.exe
PID 2636 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Lgehno32.exe C:\Windows\SysWOW64\Lfhhjklc.exe
PID 2612 wrote to memory of 2328 N/A C:\Windows\SysWOW64\Lfhhjklc.exe C:\Windows\SysWOW64\Llbqfe32.exe
PID 2612 wrote to memory of 2328 N/A C:\Windows\SysWOW64\Lfhhjklc.exe C:\Windows\SysWOW64\Llbqfe32.exe
PID 2612 wrote to memory of 2328 N/A C:\Windows\SysWOW64\Lfhhjklc.exe C:\Windows\SysWOW64\Llbqfe32.exe
PID 2612 wrote to memory of 2328 N/A C:\Windows\SysWOW64\Lfhhjklc.exe C:\Windows\SysWOW64\Llbqfe32.exe
PID 2328 wrote to memory of 1060 N/A C:\Windows\SysWOW64\Llbqfe32.exe C:\Windows\SysWOW64\Lclicpkm.exe
PID 2328 wrote to memory of 1060 N/A C:\Windows\SysWOW64\Llbqfe32.exe C:\Windows\SysWOW64\Lclicpkm.exe
PID 2328 wrote to memory of 1060 N/A C:\Windows\SysWOW64\Llbqfe32.exe C:\Windows\SysWOW64\Lclicpkm.exe
PID 2328 wrote to memory of 1060 N/A C:\Windows\SysWOW64\Llbqfe32.exe C:\Windows\SysWOW64\Lclicpkm.exe
PID 1060 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Lclicpkm.exe C:\Windows\SysWOW64\Lhknaf32.exe
PID 1060 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Lclicpkm.exe C:\Windows\SysWOW64\Lhknaf32.exe
PID 1060 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Lclicpkm.exe C:\Windows\SysWOW64\Lhknaf32.exe
PID 1060 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Lclicpkm.exe C:\Windows\SysWOW64\Lhknaf32.exe
PID 2952 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Lhknaf32.exe C:\Windows\SysWOW64\Lkjjma32.exe
PID 2952 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Lhknaf32.exe C:\Windows\SysWOW64\Lkjjma32.exe
PID 2952 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Lhknaf32.exe C:\Windows\SysWOW64\Lkjjma32.exe
PID 2952 wrote to memory of 2948 N/A C:\Windows\SysWOW64\Lhknaf32.exe C:\Windows\SysWOW64\Lkjjma32.exe
PID 2948 wrote to memory of 2924 N/A C:\Windows\SysWOW64\Lkjjma32.exe C:\Windows\SysWOW64\Lnjcomcf.exe
PID 2948 wrote to memory of 2924 N/A C:\Windows\SysWOW64\Lkjjma32.exe C:\Windows\SysWOW64\Lnjcomcf.exe
PID 2948 wrote to memory of 2924 N/A C:\Windows\SysWOW64\Lkjjma32.exe C:\Windows\SysWOW64\Lnjcomcf.exe
PID 2948 wrote to memory of 2924 N/A C:\Windows\SysWOW64\Lkjjma32.exe C:\Windows\SysWOW64\Lnjcomcf.exe
PID 2924 wrote to memory of 1932 N/A C:\Windows\SysWOW64\Lnjcomcf.exe C:\Windows\SysWOW64\Lqipkhbj.exe
PID 2924 wrote to memory of 1932 N/A C:\Windows\SysWOW64\Lnjcomcf.exe C:\Windows\SysWOW64\Lqipkhbj.exe
PID 2924 wrote to memory of 1932 N/A C:\Windows\SysWOW64\Lnjcomcf.exe C:\Windows\SysWOW64\Lqipkhbj.exe
PID 2924 wrote to memory of 1932 N/A C:\Windows\SysWOW64\Lnjcomcf.exe C:\Windows\SysWOW64\Lqipkhbj.exe
PID 1932 wrote to memory of 1844 N/A C:\Windows\SysWOW64\Lqipkhbj.exe C:\Windows\SysWOW64\Mnmpdlac.exe
PID 1932 wrote to memory of 1844 N/A C:\Windows\SysWOW64\Lqipkhbj.exe C:\Windows\SysWOW64\Mnmpdlac.exe
PID 1932 wrote to memory of 1844 N/A C:\Windows\SysWOW64\Lqipkhbj.exe C:\Windows\SysWOW64\Mnmpdlac.exe
PID 1932 wrote to memory of 1844 N/A C:\Windows\SysWOW64\Lqipkhbj.exe C:\Windows\SysWOW64\Mnmpdlac.exe
PID 1844 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Mnmpdlac.exe C:\Windows\SysWOW64\Mcjhmcok.exe
PID 1844 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Mnmpdlac.exe C:\Windows\SysWOW64\Mcjhmcok.exe
PID 1844 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Mnmpdlac.exe C:\Windows\SysWOW64\Mcjhmcok.exe
PID 1844 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Mnmpdlac.exe C:\Windows\SysWOW64\Mcjhmcok.exe
PID 2104 wrote to memory of 2108 N/A C:\Windows\SysWOW64\Mcjhmcok.exe C:\Windows\SysWOW64\Mdiefffn.exe
PID 2104 wrote to memory of 2108 N/A C:\Windows\SysWOW64\Mcjhmcok.exe C:\Windows\SysWOW64\Mdiefffn.exe
PID 2104 wrote to memory of 2108 N/A C:\Windows\SysWOW64\Mcjhmcok.exe C:\Windows\SysWOW64\Mdiefffn.exe
PID 2104 wrote to memory of 2108 N/A C:\Windows\SysWOW64\Mcjhmcok.exe C:\Windows\SysWOW64\Mdiefffn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ca91d1b985500ad191658d40f1eb120b99a1edf5b573314cbc8727b2adb8bfd7N.exe

"C:\Users\Admin\AppData\Local\Temp\ca91d1b985500ad191658d40f1eb120b99a1edf5b573314cbc8727b2adb8bfd7N.exe"

C:\Windows\SysWOW64\Kdpfadlm.exe

C:\Windows\system32\Kdpfadlm.exe

C:\Windows\SysWOW64\Kjmnjkjd.exe

C:\Windows\system32\Kjmnjkjd.exe

C:\Windows\SysWOW64\Knhjjj32.exe

C:\Windows\system32\Knhjjj32.exe

C:\Windows\SysWOW64\Kddomchg.exe

C:\Windows\system32\Kddomchg.exe

C:\Windows\SysWOW64\Kgclio32.exe

C:\Windows\system32\Kgclio32.exe

C:\Windows\SysWOW64\Lgehno32.exe

C:\Windows\system32\Lgehno32.exe

C:\Windows\SysWOW64\Lfhhjklc.exe

C:\Windows\system32\Lfhhjklc.exe

C:\Windows\SysWOW64\Llbqfe32.exe

C:\Windows\system32\Llbqfe32.exe

C:\Windows\SysWOW64\Lclicpkm.exe

C:\Windows\system32\Lclicpkm.exe

C:\Windows\SysWOW64\Lhknaf32.exe

C:\Windows\system32\Lhknaf32.exe

C:\Windows\SysWOW64\Lkjjma32.exe

C:\Windows\system32\Lkjjma32.exe

C:\Windows\SysWOW64\Lnjcomcf.exe

C:\Windows\system32\Lnjcomcf.exe

C:\Windows\SysWOW64\Lqipkhbj.exe

C:\Windows\system32\Lqipkhbj.exe

C:\Windows\SysWOW64\Mnmpdlac.exe

C:\Windows\system32\Mnmpdlac.exe

C:\Windows\SysWOW64\Mcjhmcok.exe

C:\Windows\system32\Mcjhmcok.exe

C:\Windows\SysWOW64\Mdiefffn.exe

C:\Windows\system32\Mdiefffn.exe

C:\Windows\SysWOW64\Mfjann32.exe

C:\Windows\system32\Mfjann32.exe

C:\Windows\SysWOW64\Mmdjkhdh.exe

C:\Windows\system32\Mmdjkhdh.exe

C:\Windows\SysWOW64\Mgjnhaco.exe

C:\Windows\system32\Mgjnhaco.exe

C:\Windows\SysWOW64\Mjhjdm32.exe

C:\Windows\system32\Mjhjdm32.exe

C:\Windows\SysWOW64\Mpebmc32.exe

C:\Windows\system32\Mpebmc32.exe

C:\Windows\SysWOW64\Mfokinhf.exe

C:\Windows\system32\Mfokinhf.exe

C:\Windows\SysWOW64\Mimgeigj.exe

C:\Windows\system32\Mimgeigj.exe

C:\Windows\SysWOW64\Nbflno32.exe

C:\Windows\system32\Nbflno32.exe

C:\Windows\SysWOW64\Nedhjj32.exe

C:\Windows\system32\Nedhjj32.exe

C:\Windows\SysWOW64\Nnmlcp32.exe

C:\Windows\system32\Nnmlcp32.exe

C:\Windows\SysWOW64\Nefdpjkl.exe

C:\Windows\system32\Nefdpjkl.exe

C:\Windows\SysWOW64\Nlqmmd32.exe

C:\Windows\system32\Nlqmmd32.exe

C:\Windows\SysWOW64\Nnoiio32.exe

C:\Windows\system32\Nnoiio32.exe

C:\Windows\SysWOW64\Nlcibc32.exe

C:\Windows\system32\Nlcibc32.exe

C:\Windows\SysWOW64\Nnafnopi.exe

C:\Windows\system32\Nnafnopi.exe

C:\Windows\SysWOW64\Nlefhcnc.exe

C:\Windows\system32\Nlefhcnc.exe

C:\Windows\SysWOW64\Nncbdomg.exe

C:\Windows\system32\Nncbdomg.exe

C:\Windows\SysWOW64\Nncbdomg.exe

C:\Windows\system32\Nncbdomg.exe

C:\Windows\SysWOW64\Nhlgmd32.exe

C:\Windows\system32\Nhlgmd32.exe

C:\Windows\SysWOW64\Njjcip32.exe

C:\Windows\system32\Njjcip32.exe

C:\Windows\SysWOW64\Opglafab.exe

C:\Windows\system32\Opglafab.exe

C:\Windows\SysWOW64\Oippjl32.exe

C:\Windows\system32\Oippjl32.exe

C:\Windows\SysWOW64\Omklkkpl.exe

C:\Windows\system32\Omklkkpl.exe

C:\Windows\SysWOW64\Obhdcanc.exe

C:\Windows\system32\Obhdcanc.exe

C:\Windows\SysWOW64\Olpilg32.exe

C:\Windows\system32\Olpilg32.exe

C:\Windows\SysWOW64\Ompefj32.exe

C:\Windows\system32\Ompefj32.exe

C:\Windows\SysWOW64\Opnbbe32.exe

C:\Windows\system32\Opnbbe32.exe

C:\Windows\SysWOW64\Oekjjl32.exe

C:\Windows\system32\Oekjjl32.exe

C:\Windows\SysWOW64\Ohiffh32.exe

C:\Windows\system32\Ohiffh32.exe

C:\Windows\SysWOW64\Obokcqhk.exe

C:\Windows\system32\Obokcqhk.exe

C:\Windows\SysWOW64\Oabkom32.exe

C:\Windows\system32\Oabkom32.exe

C:\Windows\SysWOW64\Oemgplgo.exe

C:\Windows\system32\Oemgplgo.exe

C:\Windows\SysWOW64\Phlclgfc.exe

C:\Windows\system32\Phlclgfc.exe

C:\Windows\SysWOW64\Pkjphcff.exe

C:\Windows\system32\Pkjphcff.exe

C:\Windows\SysWOW64\Pofkha32.exe

C:\Windows\system32\Pofkha32.exe

C:\Windows\SysWOW64\Padhdm32.exe

C:\Windows\system32\Padhdm32.exe

C:\Windows\SysWOW64\Pdbdqh32.exe

C:\Windows\system32\Pdbdqh32.exe

C:\Windows\SysWOW64\Pkmlmbcd.exe

C:\Windows\system32\Pkmlmbcd.exe

C:\Windows\SysWOW64\Pmkhjncg.exe

C:\Windows\system32\Pmkhjncg.exe

C:\Windows\SysWOW64\Pafdjmkq.exe

C:\Windows\system32\Pafdjmkq.exe

C:\Windows\SysWOW64\Pdeqfhjd.exe

C:\Windows\system32\Pdeqfhjd.exe

C:\Windows\SysWOW64\Phqmgg32.exe

C:\Windows\system32\Phqmgg32.exe

C:\Windows\SysWOW64\Pojecajj.exe

C:\Windows\system32\Pojecajj.exe

C:\Windows\SysWOW64\Paiaplin.exe

C:\Windows\system32\Paiaplin.exe

C:\Windows\SysWOW64\Pplaki32.exe

C:\Windows\system32\Pplaki32.exe

C:\Windows\SysWOW64\Phcilf32.exe

C:\Windows\system32\Phcilf32.exe

C:\Windows\SysWOW64\Pidfdofi.exe

C:\Windows\system32\Pidfdofi.exe

C:\Windows\SysWOW64\Ppnnai32.exe

C:\Windows\system32\Ppnnai32.exe

C:\Windows\SysWOW64\Pdjjag32.exe

C:\Windows\system32\Pdjjag32.exe

C:\Windows\SysWOW64\Pghfnc32.exe

C:\Windows\system32\Pghfnc32.exe

C:\Windows\SysWOW64\Pkcbnanl.exe

C:\Windows\system32\Pkcbnanl.exe

C:\Windows\SysWOW64\Pleofj32.exe

C:\Windows\system32\Pleofj32.exe

C:\Windows\SysWOW64\Qppkfhlc.exe

C:\Windows\system32\Qppkfhlc.exe

C:\Windows\SysWOW64\Qdlggg32.exe

C:\Windows\system32\Qdlggg32.exe

C:\Windows\SysWOW64\Qndkpmkm.exe

C:\Windows\system32\Qndkpmkm.exe

C:\Windows\SysWOW64\Qpbglhjq.exe

C:\Windows\system32\Qpbglhjq.exe

C:\Windows\SysWOW64\Qcachc32.exe

C:\Windows\system32\Qcachc32.exe

C:\Windows\SysWOW64\Qeppdo32.exe

C:\Windows\system32\Qeppdo32.exe

C:\Windows\SysWOW64\Qnghel32.exe

C:\Windows\system32\Qnghel32.exe

C:\Windows\SysWOW64\Apedah32.exe

C:\Windows\system32\Apedah32.exe

C:\Windows\SysWOW64\Agolnbok.exe

C:\Windows\system32\Agolnbok.exe

C:\Windows\SysWOW64\Ajmijmnn.exe

C:\Windows\system32\Ajmijmnn.exe

C:\Windows\SysWOW64\Allefimb.exe

C:\Windows\system32\Allefimb.exe

C:\Windows\SysWOW64\Aojabdlf.exe

C:\Windows\system32\Aojabdlf.exe

C:\Windows\SysWOW64\Aaimopli.exe

C:\Windows\system32\Aaimopli.exe

C:\Windows\SysWOW64\Ajpepm32.exe

C:\Windows\system32\Ajpepm32.exe

C:\Windows\SysWOW64\Alnalh32.exe

C:\Windows\system32\Alnalh32.exe

C:\Windows\SysWOW64\Akabgebj.exe

C:\Windows\system32\Akabgebj.exe

C:\Windows\SysWOW64\Aakjdo32.exe

C:\Windows\system32\Aakjdo32.exe

C:\Windows\SysWOW64\Adifpk32.exe

C:\Windows\system32\Adifpk32.exe

C:\Windows\SysWOW64\Ahebaiac.exe

C:\Windows\system32\Ahebaiac.exe

C:\Windows\SysWOW64\Akcomepg.exe

C:\Windows\system32\Akcomepg.exe

C:\Windows\SysWOW64\Aoojnc32.exe

C:\Windows\system32\Aoojnc32.exe

C:\Windows\SysWOW64\Abmgjo32.exe

C:\Windows\system32\Abmgjo32.exe

C:\Windows\SysWOW64\Aficjnpm.exe

C:\Windows\system32\Aficjnpm.exe

C:\Windows\SysWOW64\Agjobffl.exe

C:\Windows\system32\Agjobffl.exe

C:\Windows\SysWOW64\Akfkbd32.exe

C:\Windows\system32\Akfkbd32.exe

C:\Windows\SysWOW64\Andgop32.exe

C:\Windows\system32\Andgop32.exe

C:\Windows\SysWOW64\Abpcooea.exe

C:\Windows\system32\Abpcooea.exe

C:\Windows\SysWOW64\Adnpkjde.exe

C:\Windows\system32\Adnpkjde.exe

C:\Windows\SysWOW64\Bhjlli32.exe

C:\Windows\system32\Bhjlli32.exe

C:\Windows\SysWOW64\Bjkhdacm.exe

C:\Windows\system32\Bjkhdacm.exe

C:\Windows\SysWOW64\Bnfddp32.exe

C:\Windows\system32\Bnfddp32.exe

C:\Windows\SysWOW64\Bqeqqk32.exe

C:\Windows\system32\Bqeqqk32.exe

C:\Windows\SysWOW64\Bgoime32.exe

C:\Windows\system32\Bgoime32.exe

C:\Windows\SysWOW64\Bjmeiq32.exe

C:\Windows\system32\Bjmeiq32.exe

C:\Windows\SysWOW64\Bmlael32.exe

C:\Windows\system32\Bmlael32.exe

C:\Windows\SysWOW64\Bceibfgj.exe

C:\Windows\system32\Bceibfgj.exe

C:\Windows\SysWOW64\Bfdenafn.exe

C:\Windows\system32\Bfdenafn.exe

C:\Windows\SysWOW64\Bmnnkl32.exe

C:\Windows\system32\Bmnnkl32.exe

C:\Windows\SysWOW64\Bgcbhd32.exe

C:\Windows\system32\Bgcbhd32.exe

C:\Windows\SysWOW64\Bffbdadk.exe

C:\Windows\system32\Bffbdadk.exe

C:\Windows\SysWOW64\Bjbndpmd.exe

C:\Windows\system32\Bjbndpmd.exe

C:\Windows\SysWOW64\Bieopm32.exe

C:\Windows\system32\Bieopm32.exe

C:\Windows\SysWOW64\Bqlfaj32.exe

C:\Windows\system32\Bqlfaj32.exe

C:\Windows\SysWOW64\Bcjcme32.exe

C:\Windows\system32\Bcjcme32.exe

C:\Windows\SysWOW64\Bbmcibjp.exe

C:\Windows\system32\Bbmcibjp.exe

C:\Windows\SysWOW64\Bjdkjpkb.exe

C:\Windows\system32\Bjdkjpkb.exe

C:\Windows\SysWOW64\Bmbgfkje.exe

C:\Windows\system32\Bmbgfkje.exe

C:\Windows\SysWOW64\Ccmpce32.exe

C:\Windows\system32\Ccmpce32.exe

C:\Windows\SysWOW64\Cenljmgq.exe

C:\Windows\system32\Cenljmgq.exe

C:\Windows\SysWOW64\Cmedlk32.exe

C:\Windows\system32\Cmedlk32.exe

C:\Windows\SysWOW64\Cocphf32.exe

C:\Windows\system32\Cocphf32.exe

C:\Windows\SysWOW64\Cbblda32.exe

C:\Windows\system32\Cbblda32.exe

C:\Windows\SysWOW64\Cileqlmg.exe

C:\Windows\system32\Cileqlmg.exe

C:\Windows\SysWOW64\Cnimiblo.exe

C:\Windows\system32\Cnimiblo.exe

C:\Windows\SysWOW64\Cbdiia32.exe

C:\Windows\system32\Cbdiia32.exe

C:\Windows\SysWOW64\Cinafkkd.exe

C:\Windows\system32\Cinafkkd.exe

C:\Windows\SysWOW64\Cgaaah32.exe

C:\Windows\system32\Cgaaah32.exe

C:\Windows\SysWOW64\Ckmnbg32.exe

C:\Windows\system32\Ckmnbg32.exe

C:\Windows\SysWOW64\Cnkjnb32.exe

C:\Windows\system32\Cnkjnb32.exe

C:\Windows\SysWOW64\Ceebklai.exe

C:\Windows\system32\Ceebklai.exe

C:\Windows\SysWOW64\Cchbgi32.exe

C:\Windows\system32\Cchbgi32.exe

C:\Windows\SysWOW64\Cgcnghpl.exe

C:\Windows\system32\Cgcnghpl.exe

C:\Windows\SysWOW64\Cjakccop.exe

C:\Windows\system32\Cjakccop.exe

C:\Windows\SysWOW64\Cnmfdb32.exe

C:\Windows\system32\Cnmfdb32.exe

C:\Windows\SysWOW64\Cmpgpond.exe

C:\Windows\system32\Cmpgpond.exe

C:\Windows\SysWOW64\Cegoqlof.exe

C:\Windows\system32\Cegoqlof.exe

C:\Windows\SysWOW64\Cfhkhd32.exe

C:\Windows\system32\Cfhkhd32.exe

C:\Windows\SysWOW64\Dnpciaef.exe

C:\Windows\system32\Dnpciaef.exe

C:\Windows\SysWOW64\Danpemej.exe

C:\Windows\system32\Danpemej.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

Network

N/A

Files

memory/1764-0-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1764-7-0x0000000000440000-0x0000000000476000-memory.dmp

\Windows\SysWOW64\Kdpfadlm.exe

MD5 cf66163ff9442602011658a30ea65355
SHA1 383be95b5a257c2a06ce9fa86d877d2d43c575a0
SHA256 82d0bbf1cb773f5696c0bb3470930a3952a8bb543987fa0b28c8f3d0d996f95b
SHA512 79f85eabd1d14cc07fb9ba48ead65cdeeb5f037a624ba61b88f8fecc0792c4f7e8a648c7f37e8d57511a017b035a4ef8806c0a99eb258d91ad79948ec6aec53c

C:\Windows\SysWOW64\Kjmnjkjd.exe

MD5 2faa36080023c56bc8ed8d03221b3530
SHA1 a78bcd9cee4b49b44aeb61de27a573962bd62f52
SHA256 6ac281bc8efc13c8d32b912a163ebaf70cd3b4d496d18293b6883868b17f3dbb
SHA512 fa66458a7ec3fe59da14b1101617f0eea29285c2bd17d75f6f4925f63a38ea7d0fdcc2e9c50167954b773ebc83c715fa44c69d8d83976be793166daf90e0fe2b

memory/1640-32-0x0000000000400000-0x0000000000436000-memory.dmp

\Windows\SysWOW64\Knhjjj32.exe

MD5 25421ab7a1d9a9a9d01d40dc12c4a402
SHA1 850eb6a98ccdfe6e0b40e802872f25aa57c58e90
SHA256 6d976b437f1e99bf59928d55d7766ec5aeceab4072dc07f7c41de4c9760369e6
SHA512 b1f11cc3f4c96b4c2e881b1d263a6ce989b917ed3f8d9fb3e4e92f77323ad623f587211a92c47e63e3f2a36be125bc7fc87516750e5e73e7dae89b673303d4ba

memory/1840-31-0x00000000002D0000-0x0000000000306000-memory.dmp

memory/1840-30-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2704-41-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1640-39-0x00000000002D0000-0x0000000000306000-memory.dmp

\Windows\SysWOW64\Kddomchg.exe

MD5 0842eff4744a717125d1e9572669c53d
SHA1 dea8ab953a60f017ccb8e0904edf3cfa762e364c
SHA256 fd46b4c887bff759bd1db6df1ad80f2ac3f56175dc4dcbeaa5ed4206e5103eca
SHA512 410e4038238d700c11864e7443314e7bf49d83a16d821e8547797c3373184b34fcb3cde5f8fb9cb195db69f63347198325539506e6e7754db0aa327e6f09d61e

memory/2852-68-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Kgclio32.exe

MD5 e55be53d2aadcc1bc5450709f5f926ed
SHA1 23be61373a17118b9fe0baa2ec4b72a4989296e7
SHA256 89f3ab19b1820cb95f3258b659d015124dee2f01189f285f95b57696fc6053c5
SHA512 530a4e2ee11e78454aadd3ada8c0f672f40de6c206fd3cb2c17fe4df3f1d72336a78a6dd4bd28806822a4ad59fe3c83c3c5148a8f930dc8a71daa175614b4ce8

memory/2816-66-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Cabalojc.dll

MD5 03351148024b3e2196190b10f646ba9b
SHA1 64a3489dc2a053bfd5dcfe751ef5d07d4d2f1939
SHA256 0c58ee3de018b2d5eaf22689d8aa6de26dc58c775efe44ef9910dd76dbfcada4
SHA512 22743a672f99f07f40b7edc08e249755905ab1efd665d62de13b12545edb2aac59709e0db2598e1831bb4400f41ca28cedd98eb812ca08b7685667a7bb6de9eb

memory/2704-53-0x0000000000330000-0x0000000000366000-memory.dmp

\Windows\SysWOW64\Lgehno32.exe

MD5 c2c6f9eec419d0109964e3b910794df2
SHA1 040b782d532019a04029c529d6a9dce6e6b1ac8f
SHA256 33ee1a524ec6aaaa429f573970f084417f0c50804553cf25f0f6c9817f2c851f
SHA512 d488d458d70ac4af4739d8070c52a97a3fc2b2bb7f70046f8748cc7b539e0b6735495881bb7899127add28b9de95d52533e6dbc573229dfdd8faab81a840b117

memory/2612-97-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2636-96-0x00000000006A0000-0x00000000006D6000-memory.dmp

C:\Windows\SysWOW64\Lfhhjklc.exe

MD5 bb85fcc134e2f8e1f4f453d178d0a3b4
SHA1 e42292f2e5d44c48e39180848e0453888530bd2d
SHA256 d6d655c6616a473faf205568ca240cd858bcdc96777e58b44132f3f187991376
SHA512 9ef5b44e0ca48c8de6b5d2c09f67273ed9c0ce3bb6ed8a7b6155f6a3ab71727e280243b213cc399673a8e37de064091bf49f7e6aaa342e52e055dd258888dbb2

memory/2636-83-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2852-82-0x0000000000250000-0x0000000000286000-memory.dmp

memory/2328-118-0x00000000002E0000-0x0000000000316000-memory.dmp

\Windows\SysWOW64\Lclicpkm.exe

MD5 77d731687bc3979d633b5fabcb56dd08
SHA1 31f51ce21f62a52eab6934876a8b39aedf5c1202
SHA256 6b56127492bc3de3e4eb32ab52ebd970808ec8a3d6350a14cf1858c00e5e469b
SHA512 b9df25ed0b197fed6971263b59eb8e2a93592e6227e6a48e08cf0b2cf2b42a78e90ab2dec66d8da9288618f7ba64a5a81827d84cec6ea9808791fd10c63e570d

memory/2328-114-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2612-113-0x0000000000250000-0x0000000000286000-memory.dmp

C:\Windows\SysWOW64\Llbqfe32.exe

MD5 24de762617ce8344eee4980b0077d9fc
SHA1 05c716a8613f0f13925fc3d328681afc9a541a34
SHA256 16c81c73fabb4551b725a775c06deec7199d40b3836b32f8fb7d05a68582bc60
SHA512 23eb1f7fa88c87597dee9b444bb3e292f20b278b29b37516d009ac6f5f4262229f5d934fe642d40cd41978c25c0635a1c9377137c77a673664bb0233c278915e

memory/1060-125-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2328-123-0x00000000002E0000-0x0000000000316000-memory.dmp

\Windows\SysWOW64\Lhknaf32.exe

MD5 1f076de17a33a7eb940248f74e9e3d71
SHA1 4128fe794d5b71f493bc92dd294f3ab2f07d8660
SHA256 7cd2b32c47d6f29f50d7ec99941d8efadce0364f3f2e129672bdf1f50810509d
SHA512 d7523aa86ff372a17b895a3cce4ee6d4bd5a9f30b0ea758235b49142fdb7e3453ff81f9c1a3ac08d2bc4ef0942977a32483b611a6905101accb3b28c5ed862cf

memory/2948-152-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2952-151-0x0000000000290000-0x00000000002C6000-memory.dmp

C:\Windows\SysWOW64\Lkjjma32.exe

MD5 a6045fd6b7a50534fdc0ae2e97c7178e
SHA1 8b89b5dd9c2860be4d19f913b7dc3504e9b59b24
SHA256 28bcd1596e7c170dae91f0c7b8f378ef4c0801b61d943375519d226981c4350c
SHA512 acb7e21d4952d73a5129ffb40d91a8de7a4acab3dffd838cc5693509f952759bb9f62497259321b43387de8c74b1d066148ab78f84ec13469e03cb1850869b9c

memory/2952-143-0x0000000000400000-0x0000000000436000-memory.dmp

\Windows\SysWOW64\Lnjcomcf.exe

MD5 e1b8fff8a98555415f816f8747e4e06d
SHA1 f870f01ffe38acdaeda75e11ddcc931e9b61c9a1
SHA256 87e3cddbaac4db677c292efd9d4e00b9daa84c7209eb8d5fa5cc7a844c520a2a
SHA512 5311cd355c88f6618a2dc267289a0e49b21d812315bc405a540f5dbdffb830470feeca52a67307b52d7c6ccdd4d2274b8778eb0b66bb4efcb75ad0f3f2decc0e

memory/2948-164-0x0000000000290000-0x00000000002C6000-memory.dmp

C:\Windows\SysWOW64\Lqipkhbj.exe

MD5 d067223feeff7442ebc21b699f37f868
SHA1 bc0cb2bad682df791e5470e3db4cefd50abc6169
SHA256 82e4f20f4c4ca87dcb58da497bc11e6352bee0d97eb3c57cedcfe21d79d92ed9
SHA512 c81eab7f97a892c79a1b00879abd38178549f88125d6893b0218ec54d92cec83ca0501c6424aa947e0e6b9e23e1ceaf954270abb47873b23d989a7f81e455160

memory/1932-180-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2924-179-0x0000000000440000-0x0000000000476000-memory.dmp

memory/2924-178-0x0000000000400000-0x0000000000436000-memory.dmp

\Windows\SysWOW64\Mnmpdlac.exe

MD5 0d72b334e8daca528a5fa3df39188746
SHA1 0f8cbafef79dd961268392d1187344f18b7d7379
SHA256 7826fa2893118fd2af8a145bc97e6896e6717086f0251e52e358cd4035aa0b13
SHA512 a381ced85320881eeb04fd4cea5186787ce9538e9d597d96979d118c5a2beb69d77a0eae88b6aab6b7e5aa6a90d4a95cfb00de2b3b29ffba8df1d190109e0543

memory/1844-197-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1844-201-0x0000000000320000-0x0000000000356000-memory.dmp

\Windows\SysWOW64\Mcjhmcok.exe

MD5 56437d4de17b11f398b5d7ec71ef3655
SHA1 15bda0b94e0363cc038d8c5e7c542f06c467edbd
SHA256 9b7a641fa5fbeb325fb9d4efb4fa750fec5dc7b3ed76702b787f872bcd1e6446
SHA512 cc865a396a1bf00c9b140c1ceeec93871d58356d68031b8c94ddec39409aef07fbd6f4919edc0fcf4b8f25ba15bf9d880041306b4b21e9f2f8233c46c6dc35b4

memory/2104-207-0x0000000000400000-0x0000000000436000-memory.dmp

\Windows\SysWOW64\Mdiefffn.exe

MD5 4e4af22744c422a0f08d50f454467c37
SHA1 d82af2d429ed8e34c69eee26988b8358080e7400
SHA256 4e7eb72af7c957166a708c82649d11d500ca0263bb122f02125d928200b22e73
SHA512 08f1e58a640011b5a6c06e24e639ed19ec699377e4a4f21ef2390dd11b0e0d7a4083d6a9559aad80da91a405c4375fa7bb6cf88c4fb9a5b0f574b6d293bb0714

memory/2108-221-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1128-230-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Mfjann32.exe

MD5 1f21e68485901317641528238fa02cc6
SHA1 1433d678724516201c70cc777a5503a2a93832c1
SHA256 2593da3e0fbfda14639b51d35c8aab56b7371a8901068879934d6c651e3d0ff9
SHA512 8e4f92b9844c6cc5817be243cc701588c404bb78a9fbc19a491e3e3683335e16fafe37050da520238aef348fa43b59a6f7ed32d2476d3dd4f43787f5208f36bc

memory/1128-235-0x00000000002D0000-0x0000000000306000-memory.dmp

C:\Windows\SysWOW64\Mmdjkhdh.exe

MD5 7d69fd5fd3c6c9da8d755b6455185f4f
SHA1 f96fbbc03dbe0acd653120625ffce5c81b7f83e6
SHA256 40ba25c77479fedc03645cbb6d0261b094b4d47cedd53e56732107272e67705a
SHA512 9bfb3284addeb4dc275859fa8b1c8223ab248707588cbcc86c7cffab307d44a8fcdbfb62e994a575c0203c10521956b9172205f706da15f822fdb1e3333c2d42

memory/1588-242-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1588-246-0x0000000000250000-0x0000000000286000-memory.dmp

C:\Windows\SysWOW64\Mgjnhaco.exe

MD5 a42cef41b253363f50d5caa3b82b1819
SHA1 f2e3ffcc3e94b738b52142660e0a556fdfb69338
SHA256 6a72b5aef1aaf14b8aa53d875b1d3d35b14b87019766c74ea1a44e28e4f418fa
SHA512 e49a8497052d3c6fd8304d011a9ffb2448edc9b1fc6b961436fb6a1f796efbd7112689db7ddd142b169f3eb3978098aa3c0754d968a9e0c6189f8408b46388bd

memory/1456-250-0x0000000000400000-0x0000000000436000-memory.dmp

memory/612-259-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Mjhjdm32.exe

MD5 aa854ba382bde509f128a880e88d3e26
SHA1 2d53ac9d93b42cfe8db52deeda6cf0b3c2566aab
SHA256 a30d9977d4a552dd56f28a3def7b4d78a60b29e57ae4cecd0ccc1d421148fa5c
SHA512 b656ddde3706a2de75977047d754878584c62a279690bd8b80381b077cf190966237dbb67dd0b7e61762d6946e9a910e0753014ee34581372d8f1d7011d852bd

C:\Windows\SysWOW64\Mpebmc32.exe

MD5 d5af2ce2ac9ed2089fd32148bedcf41a
SHA1 837c1337c74753a08eab3b27b5dabdbafae1a5f8
SHA256 45592d7945103e43d223821eea9766c25d9ce902751507d1cdcd9c3dbee95f07
SHA512 abb857390d434349d1d86810f37e1e52b241d78ca41b96580eaa84d0ebe1930b8f24d688efbb3f2103039128ce3e8a766daa21e0b4d9a2fa3e963f7077de6fa5

memory/1688-268-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1688-277-0x0000000000280000-0x00000000002B6000-memory.dmp

C:\Windows\SysWOW64\Mfokinhf.exe

MD5 73cbac64f8f557aafb6de2b8287d6a15
SHA1 3db3df21c59731d7754bea7dbbc60bf6c8a9c8f3
SHA256 bf6f7c1aacd5fb7d5e0b97aee3ddf1886b9894f9fa142fee891f340885e0bad5
SHA512 5a8678a63ef6ebe70dc8c0e538a63142bd530d4f85f85ee62dd67c6ddb0fcc550c1f4c38d972570d18ef5dbbaa7f80756e76cdb4732d14f76749506081873e4e

memory/620-289-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1924-288-0x0000000000250000-0x0000000000286000-memory.dmp

memory/1924-287-0x0000000000250000-0x0000000000286000-memory.dmp

memory/1924-286-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Mimgeigj.exe

MD5 4ff415216959890a67cdcdefb540089d
SHA1 a41d48bd1c910ac960bd044e19e344176959bfde
SHA256 80c0869fa7703d695b34a705c6088760dd41334c331810927a7bfeae415772a5
SHA512 db79a6266b6f867cefe67f57e10be95c913754418bb88eee02cd681f1b76a07e0a1f84405dcf9ab94b58efa37a4254947e9972da2a5413217ee8bbd3ce02affb

memory/620-295-0x00000000002E0000-0x0000000000316000-memory.dmp

C:\Windows\SysWOW64\Nbflno32.exe

MD5 f5cc6ffc41999b378431c61cab539586
SHA1 dcfdbc09c4cb7883e78f73bde48ac79e910521e5
SHA256 68346ef44a2c9a6519b66793a831a1b640d30f4b8fba8dbbf788c0c89ac40b4e
SHA512 5dc94cddbdca72a4434c51e603c195551514074c5dc85c1b44947b1d33144fe5a80d58a3f44e040feecbeef009c67bc0763637a89f4d49de8125c246082f5052

memory/1264-304-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1264-310-0x0000000000250000-0x0000000000286000-memory.dmp

memory/2260-311-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1264-309-0x0000000000250000-0x0000000000286000-memory.dmp

C:\Windows\SysWOW64\Nedhjj32.exe

MD5 5142bebe5c673ef1f9802d2d4082c47a
SHA1 215da2d1fdd552a194f2f5f75158482a959c6313
SHA256 02dfcf5774294f50b16e7d73c1b23928fe325d63c4cfc4e9c03719985bf4843b
SHA512 5e57123bed3eb182a8dd46d9406fc2c3623b7ce2f5578a2dbf27b81b65a50a2ade837a28ab3b4b9c73f1295b4ca8d3a11375867f2f9b8eb57426fb41a8e1d869

memory/620-303-0x00000000002E0000-0x0000000000316000-memory.dmp

memory/2260-317-0x0000000000440000-0x0000000000476000-memory.dmp

C:\Windows\SysWOW64\Nnmlcp32.exe

MD5 0fedb52cb93cd6faeb96bee559ea5e51
SHA1 409efcd3c07f6554005064cc7650b75ba62e4e9b
SHA256 b45f5af00f9529d7dc88e20533668a5102166cc0db76397fc40bf30f076df76f
SHA512 d3f814e3b0d0305b6a1c971f7ba65746db39326e6f651e6fd6c371e3fb6106b0cdef063f6569bc3e45188538638f270419067fe4a34efb361f0eb845cea9b848

memory/2060-325-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2060-330-0x0000000000250000-0x0000000000286000-memory.dmp

C:\Windows\SysWOW64\Nefdpjkl.exe

MD5 407408c862303b824626da43c6be8af9
SHA1 b71185bb0d1db1f947811cc4c80796c3548bca46
SHA256 5f542f19e364d9a4d898ae10291cbb48def65b23e8f31858ba18661c7d13b5df
SHA512 114140b270645cef1d8fbd2e48b806362f4a2125e0b3192103c9b8719e4e5c1988a7627ce2dbd5c2db6c4ef9882b329b412acf31afafafc8f09dd35fc76b7053

memory/1508-331-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Nlqmmd32.exe

MD5 1a7afb0372f1492547711454c9b26a3a
SHA1 2016284b8701c8c20e5dff00693fe57f0b0efffe
SHA256 b0e53d2913302ec911f8dbc8bc5c654c4d08ac474a7659d12d6f6ba82ee2c53b
SHA512 ffd22a9e7c9c72b961af33310c8102c2a369c221db18e5e4b4422e04d727f9a76ac327168c0fa4eab29fd3a35ef37148e38f85da68a4b70040a399d72c520f73

memory/2752-353-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2552-352-0x00000000002D0000-0x0000000000306000-memory.dmp

memory/2552-351-0x00000000002D0000-0x0000000000306000-memory.dmp

C:\Windows\SysWOW64\Nnoiio32.exe

MD5 4aa665beeaf385fba985bd79fc4a0b57
SHA1 b36bf2b00aa5137c22d5fa350871c5d2aad71a0f
SHA256 2cd02d3c5c786df43bbde3f5d734c4d99419f7c4d80c6e8431f25e103f126a82
SHA512 c3170cbf54800f9c44099a7c4d05f0b60057cfa12df6f33319f2232c6b43dd7e14e90a58e92fd87efd5c09a7f1d03a21f6337f5bba30dde6fffcb6d10b0e28a8

memory/2552-346-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1508-341-0x0000000000250000-0x0000000000286000-memory.dmp

memory/1508-340-0x0000000000250000-0x0000000000286000-memory.dmp

memory/2752-363-0x00000000002D0000-0x0000000000306000-memory.dmp

memory/2752-360-0x00000000002D0000-0x0000000000306000-memory.dmp

C:\Windows\SysWOW64\Nlcibc32.exe

MD5 fbc7105c6b131cadaa032ea8b07e5d8b
SHA1 7a0454b85fa9a715f347b184f5d4a6fd9ac53aba
SHA256 631d934d36f7150f442da5f08e6b5e3f2d2f4854c4226da053164ddd5f7e3660
SHA512 d0aa15d00814cb875c4179495cf083062825fdfd552cf77c0757a6d304a04162349fc6ed8d87c9d6d120ec53c6273e4f3d9ffec8e84b81e3692f1881113c9999

C:\Windows\SysWOW64\Nnafnopi.exe

MD5 acd37e3436dc4fd5117b3dab814c778d
SHA1 8856312ef6f773c66bb0180dc3172f7795b4e453
SHA256 41b93118fe3da6d89723d8adc9e5b08a34a10d5a5e98f8a02e8e03970582e9cf
SHA512 4d93cc702f06137a776075fe132df975dd1b2901c927eebcdd486271d4e40c7308d1239938ed0e2d1787e5754b78aaa3c950cb40bc0fa2310042fd47569361cd

memory/2736-374-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3040-375-0x0000000000440000-0x0000000000476000-memory.dmp

memory/3040-373-0x0000000000440000-0x0000000000476000-memory.dmp

memory/3040-372-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1764-385-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2736-384-0x00000000002D0000-0x0000000000306000-memory.dmp

C:\Windows\SysWOW64\Nlefhcnc.exe

MD5 cdde663ce443187176b9de994649f222
SHA1 09702fd9ad0047c7922654ba2e716106ec443fc5
SHA256 2c56ffbb0400174a8fb447f421efe64ced7e9a4d8be1112748459d8bd13d4711
SHA512 54b1cdeed2b6ad4bdf4deb99a45fcb1a6826954dab9728f561a6cd429031db801d2277eecf0352c5c237c00a96e2e011954ba27c09d4333c002a5b32f1e8637d

memory/1764-390-0x0000000000440000-0x0000000000476000-memory.dmp

C:\Windows\SysWOW64\Nncbdomg.exe

MD5 7805404ca449db4e6f93b80ce2feb23e
SHA1 ac4c1afd66644b520f622e412de2e78d02ff5cbb
SHA256 b8443fc09043dcdaed0a5f12e9c8086c6518c0a0d05141851e6154ae619ec477
SHA512 fa32610ec34d2a54297a84e9cb66e86b443a964a328d3ce2f91c235e970f2b752b3cc16bd254e3ff668a99adfd4f1af84f4b5af9414272570555b1ed6c2a8bee

memory/2336-397-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2748-396-0x0000000000320000-0x0000000000356000-memory.dmp

memory/2748-395-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2704-410-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2620-411-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1640-409-0x00000000002D0000-0x0000000000306000-memory.dmp

memory/268-408-0x0000000001F80000-0x0000000001FB6000-memory.dmp

memory/268-407-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Nhlgmd32.exe

MD5 cb09970f9c75e1ce4be0b03b70f3c49d
SHA1 d4ff56ca5f5d53efd73e653886e47df9e722c0ed
SHA256 5664400941780e9f3a30d3b73a2813277ad3a66452f9173e63fd2741480af273
SHA512 1ada43893742f77de3b8757b3df5c31b7c9b986f9dd5a7fe130a432735426914291217de05c7f320f0626023a0f03f3544fd3618a698abf8fa6b4f9c8fe5df05

memory/2620-420-0x00000000002D0000-0x0000000000306000-memory.dmp

C:\Windows\SysWOW64\Njjcip32.exe

MD5 cfe022cffc8f9442a57f3da474c3f35f
SHA1 afa7acc04f75b58f97474653023c58afcf7bf5ed
SHA256 20f0a9f9c44d2a082c57d6179dc259d7544a58f4ffa8c841f67ba745971cf9af
SHA512 f32532438eedf5596c7b009bf05eb8e3aeac1624587ae22462c0ddb50b487999442b2a8c80a325def93d8c3a60572dc6e467d62e97c87faa0b783381baac5da0

memory/2816-421-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1008-430-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1904-432-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2852-431-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Opglafab.exe

MD5 8690896d456aafcc57be04e0e64d4e93
SHA1 6e97a5b06c6892e9d02b6910e86609958ea6ceeb
SHA256 23ea0e69d71176b252b4948e66f66b4ca255e3b2081bbfd44669142cd2b8ee5d
SHA512 9b415b556b391c6a117219a409481aae830fafe1ca496a258a4e57f2dd18efeb09dc0cb7eff72136ad4f3d6c1faf687c3fd0f8715c968a9533c2253a9199c834

memory/2636-442-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2852-441-0x0000000000250000-0x0000000000286000-memory.dmp

C:\Windows\SysWOW64\Oippjl32.exe

MD5 664c4e05a522486cc7b37153ca236653
SHA1 88732ccbd551be03a76d08550e102c177fb63f91
SHA256 98b70db3e1d69f740475ba235c0501af476f2af91a30dd671032e33c969f367d
SHA512 5a35c0450f5989f8f233e1c29f78be0f585a2a6f02aa74101699f743199e17394cf0758c32ac1d669cfd1e1decd856478585a3fdca52686374adc6e11227f927

memory/1748-450-0x0000000000250000-0x0000000000286000-memory.dmp

memory/1748-448-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2852-443-0x0000000000250000-0x0000000000286000-memory.dmp

memory/2328-461-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1712-456-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2612-455-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2636-454-0x00000000006A0000-0x00000000006D6000-memory.dmp

C:\Windows\SysWOW64\Omklkkpl.exe

MD5 ed689248ad6f5a149914b81cdd0a910e
SHA1 c678305003d31e340f236dbfd7d2ebd7103e29ef
SHA256 949c25f94ddcb07768894e25d6c4c54dc3c69775d94733fde703e542eafeaa98
SHA512 f8831cea90076a805d2c9d22135af2f837adb0c791cd367b2f64047a747353a4e443a68c5fc78c37627e6389f70f832189804ca6d285cc06f36f0e6b12b3ee3a

memory/1712-467-0x0000000000310000-0x0000000000346000-memory.dmp

memory/2612-466-0x0000000000250000-0x0000000000286000-memory.dmp

C:\Windows\SysWOW64\Obhdcanc.exe

MD5 75a8912a07dc992b022a32591f4463b3
SHA1 6442814f25a44af7ef39c6c9ab670050ed20c690
SHA256 9589ddb0225cd19597c8ed0cb60036f1fa80f048a5904dbf3ae9065c83e7a4f7
SHA512 e8f4d8aa377f1dcb47d874975aa36978b168982233a97268279a6b1c280b5309d449fbe45f59f26504cedcb05f3955e930dbd4e541c99495c4c83b76569ca6a8

memory/3020-480-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1060-479-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1848-478-0x0000000000260000-0x0000000000296000-memory.dmp

memory/1848-477-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\SysWOW64\Olpilg32.exe

MD5 f427c880f2bf51905ed16e96fb04d0af
SHA1 132ed123f3b3bd7b1be887e32236ec80d624cc0d
SHA256 ab22761ec711c1b0a60b05f473f105157f788b498730d28af5814137a9d05881
SHA512 789c90115a0626ce7e95d49d0c2c2eef021a8d25d689f0d3478c5b819db4836b9c81f5c52cf778766487367bd1fba6cb9fb1ce12a03ae81abbb82f641d05b72c

memory/2328-468-0x00000000002E0000-0x0000000000316000-memory.dmp

C:\Windows\SysWOW64\Ompefj32.exe

MD5 c2e3a2e7e7b40a3b8f3317ee58061e50
SHA1 8987855fa7da58a6d4cc221af2b256385c0793fa
SHA256 bddef9245bb5d54be1f1a4a2d0f76ae6fe84c201ebfb25ba68401a7b667d34fa
SHA512 cb757fc0127216f07b4e770c8316ad0fde71b18621316a9110f3b8f6da0a75306b73a0749e4eeddc42a1dbf261224443adcb754dbbbba31149dc008d2bf386c7

C:\Windows\SysWOW64\Opnbbe32.exe

MD5 2cf8bc83271a75df4143d12d04f0b98d
SHA1 1dc50c8f9607db801deb57ec24df97ec233b87ac
SHA256 6918fcb17b15d356a4ed19e7018262d0244dc7520697cd5edc2eff50438c001d
SHA512 da789f31a4c391365e292a7d3346cf37fb8c50943def55ce669f35c579cabc660999af13527246ae2e9741b3b72c38282f16e49c3d98e53a9422aff9e363df1b

C:\Windows\SysWOW64\Oekjjl32.exe

MD5 f39b5093c4a47f0825df5283a987f3cc
SHA1 7391f3ef84b793a88c5f1b05ba4f6f6c9f9b5238
SHA256 c65e47c93cc8924cc51c777dfe5be9492959b935513aeb37fa73667073deac01
SHA512 3c5d988dc74a632c7bf92dfe9b0009ba873eea31c1f5ca22bc629ac5abf3428e4788e13f4c1f31b2ed16936b87717708ab4f1992a919116e8e11aca8a7d3eaca

C:\Windows\SysWOW64\Ohiffh32.exe

MD5 aacbcb0f23c64945000d606149c14e42
SHA1 e83170fd4a3af7d2498b91223f6d12564f382bde
SHA256 0d0cd89ae7221569a3e6ac61847d851dc805bac458a25013d47465dd1e157045
SHA512 5dbbfd97513a26efdf43ad096af454cfdb9c73b662e1a081c21ad9cdb4c3e6cd44e378a83ea63b3e0f79ce2b7bd75e0c8f4b1232dc8c493e98d386f94d74e694

C:\Windows\SysWOW64\Obokcqhk.exe

MD5 d23834d221eec6265f269dcc5da119d0
SHA1 432f418a08b1cfa7fbd01f073b63d686a9b36001
SHA256 e020294f34c83a93fe8cc869cc3fef692000f0d99cb947d9772937ccd01d4df0
SHA512 75a98409b7bc80b8b4ad341bda7c188bbe2219c107ff5984cd8760c49c218b5ff1fe1f8139e810c532106e6bc4381aa14c467cdfb8cc5481b0774b397a89fe33

C:\Windows\SysWOW64\Oabkom32.exe

MD5 479f8c0f9173618a1827a63c13007edf
SHA1 1d032de5a426509204389c138d8c11e81837c1e0
SHA256 3836bab2319a54e110acee0c249ca997e96bc5416c94407a9b8e729a3f68e567
SHA512 b62d9105f8004bb663a856ae80a72a1c761647b552764f473e73ab935796fac0b82764b397ffb1db4f8e2bdd3df83dd3926eabe066d216f6a7d70ac30d6edc26

C:\Windows\SysWOW64\Oemgplgo.exe

MD5 7cf2f481e34c4f633514e7208a28ec6e
SHA1 72940662b479d2a56438a4803a95b70b4a294d87
SHA256 8e3866daf7db255f470b5bd8f95823794da53eda875486a33915721f12282779
SHA512 e2620043d99d0fbfd26401263d28149dbe30dcdce9d74efdc0ea82cc854105cf2d987a63cfc1785c66170672912027658d7cd4166a37ea6a8360406f82c24a26

C:\Windows\SysWOW64\Phlclgfc.exe

MD5 8e8252e25f4ebdf357cef48555319992
SHA1 48bb4ab61a807a06533cedbfbb0634bf49c744b1
SHA256 89ccb0f49308d795c599d293dfec3c1620d459a958b7afc571c1eeefbaac0e5a
SHA512 e1170a7efbe59e32b3a8cc11ff512c6b8415dee0d5ad3d741b9ee3110f00d1c0c70325ae48273ce9df63585dd9615297fb6351900953ade492020f2a51795bf1

C:\Windows\SysWOW64\Pkjphcff.exe

MD5 26230b1b0216c82a1a1174639fb317ea
SHA1 ced0fc73bd64b808f8c69931c287aea21cb46613
SHA256 bfc39fcfefd0d874b6dc4abe83b9f69cf199a6b783909df13d589ad716bfc876
SHA512 64a37fe99a8c926992a1dedc5d72f5c717c7d179306bfef1d0dc62b155e28dc4835a04b43f82941ac9990dcd7ae8c30ec6ad7d5f5bdec3810185782e9f604597

C:\Windows\SysWOW64\Pofkha32.exe

MD5 deeab814f7f849588d82bc60fbdecafe
SHA1 aaa8954a7a17a7409a61bbdb4d6c669fb6bbde42
SHA256 51531ba0a9bab73611cc1e74762ea35b7e2373258f5c30714dbf40769d527330
SHA512 a7d7e5a18efcbcb0ddb109b9fcbd1c9ba6f2a46009a0fa3e0206a1aeb09e0bbfc5110a2e2cf452ecdd259bb908e462b36eafcdc17a12d80e9d3d67632ed459c1

C:\Windows\SysWOW64\Padhdm32.exe

MD5 c0af9d4c4d0af5ffac5c7e8d0269b904
SHA1 91c837f174e55b5aef9460082aa35e665e73a060
SHA256 07d277560ac1dad742dfdff53af7d24e7ba9cc0968727f619ff6634311b41674
SHA512 35aaafdc08c5205b5e86b346c301fb30a81f570dd7b78c67a932c8bc7941097e102c356eeab46163ebc2204a6044a3beb6cdb953c19a63be8cfd52f7d0ee9be9

C:\Windows\SysWOW64\Pdbdqh32.exe

MD5 729d17c28f56a448c1ec8291c95b64ac
SHA1 1d419eaed0724240788707c03fc1779fa3fb6f1c
SHA256 70f3e8234bc3592120027418278549a3d0dfd596f7ac8720f3d614bf0be6a678
SHA512 384fc428e4a3aef142360f175ad4b53ce3b5e19b5f53c071e5a60e581ba78daa6a0555b02e4181507f80fdf77420801c6f0a04c72367725172dada4c17480ad0

C:\Windows\SysWOW64\Pkmlmbcd.exe

MD5 979b6a92fe993715215b0c29a523bfff
SHA1 79d6ad061558f2031e4bb418489004331d0825ce
SHA256 2cb4afd208933ecf06230a347a76c1fab2e7601ca06a8ebb41747471cc05052e
SHA512 a5a0f962e42aecd04f6f465da263f8ecac95f87f2b4e707c793f0e0dccb903164d53dc4741e270a2aa5dfdac9f3fe35564635004cc85bfc2ae46108cdb277fb6

C:\Windows\SysWOW64\Pmkhjncg.exe

MD5 dcb0db0820d242af13c266dd5371f3fc
SHA1 86dc111ec3fc9961d4f3ec96c24428587dc6c35d
SHA256 6470e87368b606f73ddb951c402aba10855c501ff5bc524dc89b7f4853da18f9
SHA512 13e414cbcc62c994068cc7c97579e552714f8b4a415517f4c187605e0c81c6939ba5a5c879f548b6896c10216d03ff6dc0ca5d8e7d7739a58e201b7c8cd593c1

C:\Windows\SysWOW64\Pafdjmkq.exe

MD5 8167895d507938a68342510e3757fa9d
SHA1 74c8ae5321ab8de92d31da793541ab85b8336f92
SHA256 bf8bf6bc550469eceefdd0612664890070b979f44a18a291c5487040df872f02
SHA512 9a6abf7eccd24e141e072451cc85927e9e48778ef05a58a885b614e26523b5fe4be6a0da301d19ea01934bb2aa791751c640a942d9004cceebd2b8357cab2ea4

C:\Windows\SysWOW64\Phqmgg32.exe

MD5 1b458ec961ba9d221fa08e6047d19962
SHA1 26e9cdd94487e438dbb77d0cf76e0c8ed7dbcd1d
SHA256 f2f8da2d9729b817a10b32296747cbc4daeae3d55651c22313e43106173d044a
SHA512 9a66f3c7276a6e4bd907f0349c315c60d3f5693c94cf035b594eb214bdd5d067d02647d17b9d8dce213997d2d972a6dea6cf78f6c0c55784ae2fef898281dfdc

C:\Windows\SysWOW64\Pdeqfhjd.exe

MD5 8fb2b1abb699ff9dff3f44cb8a42eb82
SHA1 d0fdb5d93779173a59d46274ee439f3b10d8665e
SHA256 708422ad58b9f2ac520cf9288dedd8e57060f577ccdf4eb4525241159235922f
SHA512 c6faec8e67bce35a4a20d2631e9f1c11ba5d14bad2ddc837a8a0c66589751c90550a7c23aaa9a39a8f384babb6197c1c40f7d880ef2d1926ff95585ff7f5aa52

C:\Windows\SysWOW64\Pojecajj.exe

MD5 50eda7a5869b99f264166204d8e68168
SHA1 4de1cf455c421f6e1bfcbe958bec6a94f2a9a764
SHA256 8cbc78c9272c4c61c7e95e12dbad3bc148982076c1f8d6fd5ec791d2c9099e5c
SHA512 3cc419b37c90e2d7959c137f31eb0b79e65c43c8f8426b617990aa884e6f239c982dd7fc33bdef190fcc9db0db89b030bb888c2bdbab07b7901e08d0802f9766

C:\Windows\SysWOW64\Paiaplin.exe

MD5 5e2ab832aeb5c66759c8f470f96e0886
SHA1 e4524cf718ce6f9ffdaad3d5e3a7855a6af5bbc7
SHA256 9cb595b975723b075662bb55de0aa03b920bd8c400f7871fc72120a0b373b6d6
SHA512 ccb1521e67e2e51ff7491ff413f0560b31bc0438b2a704785f62624cceee39aad9fe08b62867065eccce4acd992ba1e356972bd8b27e3ee9da84a7b5f52ef722

C:\Windows\SysWOW64\Pplaki32.exe

MD5 c930ff5b3f2136206fc1d1e051677294
SHA1 541df65f7c427f744c71331660f6d8649f925f95
SHA256 1513912f32c7646ef602aa1f7449fc9e069b5fbf62b3a282a73e372458a9f6a7
SHA512 34297b8d2d246693ab8a7eecb9c6fdfa9d4ca46179f7eb1c5a43fb369c24b5f3057be425c94b50e43e93b4c6a84c155d1ea4ad5445461c1886e393893b179f71

C:\Windows\SysWOW64\Phcilf32.exe

MD5 367b4daedaaf1e62730528a58a7cd705
SHA1 475736e8de8764591df5c9dc2b1944800c1ef031
SHA256 6a4472e6933ca9b5acb26f09996549b87b23fcb7ce7a756c227b5912fc77bc26
SHA512 3b89da85bd4cdc7d013efe259632fc79077467a885b8422bd118d8805860372007acdff7fd7ba27e9a734bb2f266927be42d2a7baedd4281bbd4462579287f28

C:\Windows\SysWOW64\Pidfdofi.exe

MD5 03ded1ccb5ea89bd3f93cc1bab5338e8
SHA1 6f67866d67a94743a459f00906fab8b593f364c1
SHA256 3f95fa6879c8f9594ec8d945f6bf3539dc573af3706175a5139c6e1a157b3a7a
SHA512 56dff0cfb19364fe9e460a22090d9b48bf46aad1723450b825fb5c95a22d73dc98aeed638f61be7154ccb5de2642c02bf212818fd959e58eaab1207ed9620e9c

C:\Windows\SysWOW64\Ppnnai32.exe

MD5 be063d8f8a6ea5a4918fc36e937bf346
SHA1 e665f1f292250904eb5599b7d385dbd89db19253
SHA256 294af33e46641056ed0c85df94ff92a5d46d73a7cc2555f44a6652cc3519854b
SHA512 697ef845168394a3d2ffdfd23e149c40c017bc15e15345abf36cbdd42b84f439756944c180aeae2d649e0a90888ae4a0c0f9b66597b4ed6b8dde23389709d243

C:\Windows\SysWOW64\Pdjjag32.exe

MD5 f3ec426cc1efd5cc2e4b9f68d3716739
SHA1 532bcc076fe4a80acd8f556837ff316d25bd38d9
SHA256 4b7fa3ac4155139421e82c954d0064022aed6749d42943c8f853a172ca579fe4
SHA512 f123fc2f95f4eb64bd61130422dad756d8b37b98a2ea66c9bdb6854befae5696ed49c68e178d4445a508bcb2523e585cd83cd8f02cba2d5682dca86926a35a84

C:\Windows\SysWOW64\Pghfnc32.exe

MD5 042963962114f29b289dc8f21ce107b8
SHA1 a279b7698bc4e93a054f30ea94dfcf40d0142036
SHA256 d17251e29b036f549986eac8bb78f4265c99f16fe30539798fc9ddb32289fe95
SHA512 3f70c7ef41ea9e0b7c5b1f541217795b66c3b49a2ca318e97ec08f3da97f0c1b6a6afeac83cd00b8131c124486440c38b7402e9a81fa87f36d9f079d4b3e2ce6

C:\Windows\SysWOW64\Pkcbnanl.exe

MD5 dd39fdac8bf46abf74e0920d37f75ed8
SHA1 5ae2a6ab756156d2b94792b590a2482541756708
SHA256 f0c8ae2ff4b61ddc8812091134c33bf178d06de6109c9ac5ff0ae20104bc65ed
SHA512 427303195e797ca05fe2a5976adb38b51a07ec0c5152444df0fb870b0c784bfa90f67ec80b773ff3e69ee0ce7e4eed153ee523a36b6c902f0a1ffe7117dbf5f1

C:\Windows\SysWOW64\Qdlggg32.exe

MD5 fc80bbaf266b64d667ec2241a5b4ee28
SHA1 5d4dd1d85e3be2898ac15d9a080796d2fbc3b97a
SHA256 894911eb77bdaeac3c8d3b791a8d6c23d90490f7a0e8666ee8dbd1fdd2fe7675
SHA512 b85606b394a380012d1ef7288ac0df71ab26eb21abbaec245ef7ed2875f73b07a6f48d485b25b1c47b8dc2b4b5e7f88f13ae9782f237ae34fe9d8515b6dcf58b

C:\Windows\SysWOW64\Qppkfhlc.exe

MD5 aa40a14aa2c913dc4fd5de55b07a024c
SHA1 0ae4bc36bed6995e0a9863dc8c2a507b1d71ae06
SHA256 ddf3323ead2664ffb9419f8c4180c483f757007cb545ed9f6b10883f9f3dab69
SHA512 c633fea97720e8b5b4417ed876f1bcbe5bee8eaabf44c8e0125c50537c69fe6b9cc7747f48a96031f2ef18fc6fa4dce0330be9815afe185fd842546606d32c5d

C:\Windows\SysWOW64\Pleofj32.exe

MD5 ed0eae2486ec4dc1fe0f1e1136500686
SHA1 415f58794427b0f3510bddf122d4e9fa1edb611f
SHA256 0ddf0fb299d7121829aaa1be402eeee9dbbe3b8edb099a684665c4dc338f4e9e
SHA512 a22810b021794e3223ff161dd0ac937f6d1c2868d2c632dab1c8373bb937e9cb1cddf3de799cee97674551fa4697866cdfed9db2498ed6cadb1bc163e65edf61

C:\Windows\SysWOW64\Qndkpmkm.exe

MD5 3f3f2528ddf26e18732a1ba0a4403aee
SHA1 6beeb36a2bd280df6765bbfe26c7a33cec1d9c8d
SHA256 60ba27527f034f57180e200f98ae25745262f9dc23d93b7f6e179f63a1a2b708
SHA512 df22e0fef39914bb36c0083b9d017d3c49c366562d3871ba4226ddcfe4561fee0fcd0d4fea1c1dd760b9f443416af1dffe6ff6d94faca64cccabc53aecb89c97

C:\Windows\SysWOW64\Qpbglhjq.exe

MD5 2ce502fff0c0b962da3cc1712b373ff3
SHA1 f218d1fe9a920ba155589d0597a634efa6b079aa
SHA256 0a7441dc690fde6a5af744eb1f028ecf4dcf706c8219f4943b8ab483228e5cf2
SHA512 70292d83d8b2df9c036891d9f4a56b731e0cbcb49eb6d3b74e3591f8e01705e01c6b33e94ef03cfe32291464ddc04446f1a8192c35d46db17333e21ac176c238

C:\Windows\SysWOW64\Qcachc32.exe

MD5 153d63bdb2c5a4fd16f634930e1af290
SHA1 2d64156104532f5fc1976945252c1bab783c24c4
SHA256 f8f11c2b5700020637654741c944f277914a611639ca5388730ebc9dd47de7a9
SHA512 b08ab7d880e0df56623fe2a308c965c597d121a59d50b4e32f265693fed2cae9b1d869e0af40f0149f97d04602899544748eb54f7e042716dc7679a7d4028641

C:\Windows\SysWOW64\Qeppdo32.exe

MD5 c22dd54fba41f6d6ca6f51ead3d96ff0
SHA1 5dbdf637917d3ac5a1bb0e54bbd9d34c13489a88
SHA256 be2f1e9071dd0db3e94ff91921d880159ab52097869059498e2f6d3fa7975334
SHA512 4dcf279bd8cdc348ad7728a7248dd6ed8c687b760785469a25393f1680d7cb8c22a1d7e00ec351022a95cb8daf53bc00ffcb6659114a4882432f0b802cf1a08e

C:\Windows\SysWOW64\Qnghel32.exe

MD5 61321b89d81b5683b4abedfaae320bd6
SHA1 bc9a578c03771234d959c245a6da492e7e57beb8
SHA256 30cb6cabf648112b9d202adc99b28b483fc369323e1a5b18d058084758733f20
SHA512 449b87974a50cc8cf6474e04b7b5cd36d7d2355fd06dff61b8f0df2ac29f6004534d70232e5682e6c92001489cb664fbaa2a95656efd2e5165a1de22633fadd5

C:\Windows\SysWOW64\Apedah32.exe

MD5 50f3aa6f8e901a9759dd27777d7c541c
SHA1 edc9a48507e56c233ccdd7cc28daa1db104386c1
SHA256 54fe3a93308cf8903b6bfda85a4034c5c887ac756ea3ff041fc8f6050c20e1ce
SHA512 759205379656a93bd1d91d3897ac01810b8ec1d6e6b23ceaab1d89f5cfd5b1c1d6a2aed74a04aa61196cc185c943a52f2701a053ef1c862e5e5555bed9daa765

C:\Windows\SysWOW64\Agolnbok.exe

MD5 b72836ce0935c19976ede25ce3f0e45d
SHA1 f993ead58ac1f2ba907df4e087ae18976fb9b5c6
SHA256 b14dbab2d47f437d25120cc05aaa8f7585de6152af6826f11a2a98d4750d4e18
SHA512 e5c9bef979bee1dc649cde49dc02604be1b54a2d3f64f7cb338ecec6262149c68c8b4729fc11097dabf313e9d58f3dc68636eebe677e11ce2ff865fae130eeaa

C:\Windows\SysWOW64\Ajmijmnn.exe

MD5 c336800c30e96717191958805441853a
SHA1 19a418e3550629e7f55ede7d38814a7e5c80d1b3
SHA256 1fa4d6caefb8d0a66f091c28bedb70754afdbf96462e80d970c23a4b2877b5ad
SHA512 a628b284ed995131c0c1a6ced99b6e83faefc868da7cb12ff335e4cc0fe92366ea4fa982ab6ded3c70eabc3cc516c4284fcbb4f1b99702d2811f75b270a179cb

C:\Windows\SysWOW64\Allefimb.exe

MD5 3c6b72b1e47efadd21d7adfde4316dce
SHA1 483d445442a3c1c885fb9bdac9786316274fd245
SHA256 ac0f126509a7513295df2ab4112545791c3d8d7a34a1fae1204fe05eb6fd2cc3
SHA512 d3e9bc9e32118d74f1c4790d5465bc51c743d60b058a96c6171e072ca3edb38f82d04bc3a528420024abc7873bdbb01193d50b63d9087e1c11d075be0b6bcdb0

C:\Windows\SysWOW64\Aojabdlf.exe

MD5 0e9460b56e634eca0ae7e480f2c2331f
SHA1 8be2e21ffeabc73f65b28595a63ace04dffb619f
SHA256 4d0dc1a8eceeea8886464ce4130479659c05fb784f5dc2c83b941044c1fe918f
SHA512 5c64ce8e04eb21a1a910b166c26ad23cd9c397ee537f495d4faf453ac12728ab073d3c8464f5b5343cc2f908c43ecfa4d7e35d1f9bf70b3209e2302c23c734cf

C:\Windows\SysWOW64\Aaimopli.exe

MD5 7396984537da0c603839b7393b7f3ac3
SHA1 daa9438aa4ff28b9d3d6aa118b5d02a7e651e163
SHA256 fbc078567c050c4ef7b43fe5233e365c629f80602d39a024e07831d22b244a71
SHA512 4adbe1e7d236f7ab1599294f78ad4391732ea395fb399f7354a46395d14ef29e36410cd6f3f9eebd87f0baa0b6f97afb5794ca2a95213b841a8a823844e2aaa6

C:\Windows\SysWOW64\Ajpepm32.exe

MD5 d5450261c14fca6b2005d9f64a3cfce4
SHA1 0bca32d6d278fd4730491365cf43fd64483a5951
SHA256 f6ebb307d28d2a95eae64a698ab873cd273519dc2a123fd28fa8dcdf9ecaf411
SHA512 c1b3344b2cd753b2b2b67cdf03bab3b086f54169b86e3db3af0bf15bea372710cde82e7a0df4c7bd2a7c1db526c7a284e11a384948fe3a158123399284d21c61

C:\Windows\SysWOW64\Alnalh32.exe

MD5 b12c0786b156706d112a03e94544b135
SHA1 c407acfbeb3c1bdacd78f34fbf1e99db5e3bca7d
SHA256 74fe39ac34847aecd2aaa6307d41114e84f560406536f15d33c6cb45aa971bbf
SHA512 37c27faa2bd886fc480ea1b287d831d8020eedf9815ce03b26b757db10cbbfc9409c51c8fa4270b2e5b032e2d3457f779a6b3b372911c80669dbdadde9f20908

C:\Windows\SysWOW64\Akabgebj.exe

MD5 93f11e0e50f094b02388c9359bbc3bb0
SHA1 2c3c84902d577d1920ea9821129b40a8e9f0096e
SHA256 da359b0844979326ae1423ed685d560b2ce394a87ba6d45bfbbce5e3366c8ac7
SHA512 c004253b6e84c4785669d9420b3c3f659eca7826ce38eb231c369dbb4c786dbaa06341aa02f7ac09e7b6adcf44243bc0785c5c9d0f9c94433cf9825dba826041

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 13:49

Reported

2024-11-12 13:51

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca91d1b985500ad191658d40f1eb120b99a1edf5b573314cbc8727b2adb8bfd7N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Acnlgp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bgehcmmm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ogifjcdp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogbipa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pcppfaka.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pqdqof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dhmgki32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oponmilc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pgioqq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cdcoim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bapiabak.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Delnin32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Daekdooc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Aepefb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Balpgb32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bcoenmao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bcoenmao.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ogifjcdp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agglboim.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bganhm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Beeoaapl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Beeoaapl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cabfga32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cfpnph32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pggbkagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pqdqof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Amgapeea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Afoeiklb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cegdnopg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qddfkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qgcbgo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dkkcge32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\ca91d1b985500ad191658d40f1eb120b99a1edf5b573314cbc8727b2adb8bfd7N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Pgnilpah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dkkcge32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aabmqd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cegdnopg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Oqfdnhfk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Oddmdf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aeiofcji.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Beihma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dhocqigp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Ojoign32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Qceiaa32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Accfbokl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Bagflcje.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgehcmmm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" C:\Windows\SysWOW64\Cmiflbel.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Oponmilc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogifjcdp.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojgbfocc.exe N/A
N/A N/A C:\Windows\SysWOW64\Opakbi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogkcpbam.exe N/A
N/A N/A C:\Windows\SysWOW64\Oneklm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odocigqg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ognpebpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Onhhamgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Oqfdnhfk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ocdqjceo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojoign32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oddmdf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ogbipa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmoahijl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcijeb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pfhfan32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqmjog32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pggbkagp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjeoglgc.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgioqq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjhlml32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqbdjfln.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcppfaka.exe N/A
N/A N/A C:\Windows\SysWOW64\Pjjhbl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pqdqof32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcbmka32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pgnilpah.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnhahj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qqfmde32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qceiaa32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qddfkd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgcbgo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qffbbldm.exe N/A
N/A N/A C:\Windows\SysWOW64\Ampkof32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqkgpedc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ageolo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajckij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ambgef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeiofcji.exe N/A
N/A N/A C:\Windows\SysWOW64\Agglboim.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajfhnjhq.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqppkd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Acnlgp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afmhck32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajhddjfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Amgapeea.exe N/A
N/A N/A C:\Windows\SysWOW64\Aabmqd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afoeiklb.exe N/A
N/A N/A C:\Windows\SysWOW64\Anfmjhmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Aepefb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Accfbokl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfabnjjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjmnoi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bagflcje.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcebhoii.exe N/A
N/A N/A C:\Windows\SysWOW64\Bganhm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjokdipf.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmngqdpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Beeoaapl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bgcknmop.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnmcjg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Balpgb32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ladjgikj.dll C:\Windows\SysWOW64\Ogkcpbam.exe N/A
File created C:\Windows\SysWOW64\Maghgl32.dll C:\Windows\SysWOW64\Aqppkd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmiflbel.exe C:\Windows\SysWOW64\Cfpnph32.exe N/A
File created C:\Windows\SysWOW64\Bganhm32.exe C:\Windows\SysWOW64\Bcebhoii.exe N/A
File created C:\Windows\SysWOW64\Jbaqqh32.dll C:\Windows\SysWOW64\Oneklm32.exe N/A
File created C:\Windows\SysWOW64\Oddmdf32.exe C:\Windows\SysWOW64\Ojoign32.exe N/A
File created C:\Windows\SysWOW64\Ehaaclak.dll C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
File created C:\Windows\SysWOW64\Ldfgeigq.dll C:\Windows\SysWOW64\Bfabnjjp.exe N/A
File opened for modification C:\Windows\SysWOW64\Aqkgpedc.exe C:\Windows\SysWOW64\Ampkof32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cnnlaehj.exe C:\Windows\SysWOW64\Cffdpghg.exe N/A
File created C:\Windows\SysWOW64\Lpggmhkg.dll C:\Windows\SysWOW64\Cajlhqjp.exe N/A
File created C:\Windows\SysWOW64\Poahbe32.dll C:\Windows\SysWOW64\Delnin32.exe N/A
File created C:\Windows\SysWOW64\Oqfdnhfk.exe C:\Windows\SysWOW64\Onhhamgg.exe N/A
File opened for modification C:\Windows\SysWOW64\Bcebhoii.exe C:\Windows\SysWOW64\Bagflcje.exe N/A
File created C:\Windows\SysWOW64\Nedmmlba.dll C:\Windows\SysWOW64\Cmiflbel.exe N/A
File created C:\Windows\SysWOW64\Cnnlaehj.exe C:\Windows\SysWOW64\Cffdpghg.exe N/A
File created C:\Windows\SysWOW64\Pmoahijl.exe C:\Windows\SysWOW64\Ogbipa32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pjjhbl32.exe C:\Windows\SysWOW64\Pcppfaka.exe N/A
File created C:\Windows\SysWOW64\Djnkap32.dll C:\Windows\SysWOW64\Qqfmde32.exe N/A
File created C:\Windows\SysWOW64\Accfbokl.exe C:\Windows\SysWOW64\Aepefb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Beeoaapl.exe C:\Windows\SysWOW64\Bmngqdpj.exe N/A
File created C:\Windows\SysWOW64\Dmjapi32.dll C:\Windows\SysWOW64\Bgcknmop.exe N/A
File created C:\Windows\SysWOW64\Bapiabak.exe C:\Windows\SysWOW64\Bnbmefbg.exe N/A
File created C:\Windows\SysWOW64\Clghpklj.dll C:\Windows\SysWOW64\Cfdhkhjj.exe N/A
File created C:\Windows\SysWOW64\Pcijeb32.exe C:\Windows\SysWOW64\Pmoahijl.exe N/A
File created C:\Windows\SysWOW64\Pjeoglgc.exe C:\Windows\SysWOW64\Pggbkagp.exe N/A
File created C:\Windows\SysWOW64\Acnlgp32.exe C:\Windows\SysWOW64\Aqppkd32.exe N/A
File created C:\Windows\SysWOW64\Mmnbeadp.dll C:\Windows\SysWOW64\Bapiabak.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmgjgcgo.exe C:\Windows\SysWOW64\Cjinkg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dhhnpjmh.exe C:\Windows\SysWOW64\Danecp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bganhm32.exe C:\Windows\SysWOW64\Bcebhoii.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddjejl32.exe C:\Windows\SysWOW64\Cegdnopg.exe N/A
File created C:\Windows\SysWOW64\Pfhfan32.exe C:\Windows\SysWOW64\Pcijeb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qnhahj32.exe C:\Windows\SysWOW64\Pgnilpah.exe N/A
File created C:\Windows\SysWOW64\Ajckij32.exe C:\Windows\SysWOW64\Ageolo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aabmqd32.exe C:\Windows\SysWOW64\Amgapeea.exe N/A
File opened for modification C:\Windows\SysWOW64\Aepefb32.exe C:\Windows\SysWOW64\Anfmjhmd.exe N/A
File created C:\Windows\SysWOW64\Cfpnph32.exe C:\Windows\SysWOW64\Cdabcm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmqmma32.exe C:\Windows\SysWOW64\Cnnlaehj.exe N/A
File opened for modification C:\Windows\SysWOW64\Ogkcpbam.exe C:\Windows\SysWOW64\Opakbi32.exe N/A
File created C:\Windows\SysWOW64\Pgioqq32.exe C:\Windows\SysWOW64\Pqpgdfnp.exe N/A
File opened for modification C:\Windows\SysWOW64\Qqfmde32.exe C:\Windows\SysWOW64\Qnhahj32.exe N/A
File created C:\Windows\SysWOW64\Nbgngp32.dll C:\Windows\SysWOW64\Danecp32.exe N/A
File created C:\Windows\SysWOW64\Dmgabj32.dll C:\Windows\SysWOW64\Oqfdnhfk.exe N/A
File opened for modification C:\Windows\SysWOW64\Pgnilpah.exe C:\Windows\SysWOW64\Pcbmka32.exe N/A
File created C:\Windows\SysWOW64\Jhbffb32.dll C:\Windows\SysWOW64\Bnbmefbg.exe N/A
File opened for modification C:\Windows\SysWOW64\Agglboim.exe C:\Windows\SysWOW64\Aeiofcji.exe N/A
File created C:\Windows\SysWOW64\Ickfifmb.dll C:\Windows\SysWOW64\Agglboim.exe N/A
File opened for modification C:\Windows\SysWOW64\Afmhck32.exe C:\Windows\SysWOW64\Acnlgp32.exe N/A
File created C:\Windows\SysWOW64\Fjbodfcj.dll C:\Windows\SysWOW64\Accfbokl.exe N/A
File created C:\Windows\SysWOW64\Cdlgno32.dll C:\Windows\SysWOW64\Bganhm32.exe N/A
File created C:\Windows\SysWOW64\Ogkcpbam.exe C:\Windows\SysWOW64\Opakbi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pqbdjfln.exe C:\Windows\SysWOW64\Pjhlml32.exe N/A
File created C:\Windows\SysWOW64\Qgcbgo32.exe C:\Windows\SysWOW64\Qddfkd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Cmqmma32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Dgbdlf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bnpppgdj.exe C:\Windows\SysWOW64\Bgehcmmm.exe N/A
File created C:\Windows\SysWOW64\Cmlcbbcj.exe C:\Windows\SysWOW64\Cfbkeh32.exe N/A
File created C:\Windows\SysWOW64\Ojoign32.exe C:\Windows\SysWOW64\Ocdqjceo.exe N/A
File opened for modification C:\Windows\SysWOW64\Afoeiklb.exe C:\Windows\SysWOW64\Aabmqd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmngqdpj.exe C:\Windows\SysWOW64\Bjokdipf.exe N/A
File created C:\Windows\SysWOW64\Bnbmefbg.exe C:\Windows\SysWOW64\Bhhdil32.exe N/A
File created C:\Windows\SysWOW64\Ndkqipob.dll C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
File created C:\Windows\SysWOW64\Flgehc32.dll C:\Windows\SysWOW64\Cdabcm32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgcknmop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhocqigp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ocdqjceo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pqmjog32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Accfbokl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjinkg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cabfga32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcoenmao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgehcmmm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnbmefbg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Odocigqg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmllipeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pjeoglgc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qddfkd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aabmqd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcebhoii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Balpgb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cegdnopg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogifjcdp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcijeb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beihma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfbkeh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pqbdjfln.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjmnoi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdfkolkf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojgbfocc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcbmka32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Danecp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qqfmde32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmgjgcgo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dopigd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Acnlgp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhhdil32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhhnpjmh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdabcm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddjejl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkkcge32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beeoaapl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pqdqof32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ogbipa32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afmhck32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oponmilc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcppfaka.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oneklm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ognpebpj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdcoim32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhmgki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anfmjhmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ca91d1b985500ad191658d40f1eb120b99a1edf5b573314cbc8727b2adb8bfd7N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qgcbgo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfpnph32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmoahijl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pgioqq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aqppkd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmefhako.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qceiaa32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qffbbldm.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll" C:\Windows\SysWOW64\Oponmilc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll" C:\Windows\SysWOW64\Ogkcpbam.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bagflcje.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Balpgb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dopigd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oneklm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll" C:\Windows\SysWOW64\Pfhfan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pgnilpah.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Aqppkd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ddjejl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll" C:\Windows\SysWOW64\Pqbdjfln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll" C:\Windows\SysWOW64\Agglboim.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll" C:\Windows\SysWOW64\Ojgbfocc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll" C:\Windows\SysWOW64\Aqkgpedc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bnbmefbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll" C:\Windows\SysWOW64\Dfnjafap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll" C:\Windows\SysWOW64\Daekdooc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojgbfocc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Ogbipa32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pmoahijl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pcijeb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjokdipf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cmiflbel.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Dhmgki32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pggbkagp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Afoeiklb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll" C:\Windows\SysWOW64\Anfmjhmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Bgcknmop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnbmefbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll" C:\Windows\SysWOW64\Cmiflbel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Danecp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll" C:\Windows\SysWOW64\Pggbkagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pjeoglgc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pqbdjfln.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aqkgpedc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll" C:\Windows\SysWOW64\Balpgb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bcoenmao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cdabcm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Pfhfan32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Qqfmde32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aqppkd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll" C:\Windows\SysWOW64\Afmhck32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pqmjog32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll" C:\Windows\SysWOW64\Bgcknmop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aeiofcji.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Amgapeea.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cnnlaehj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bgehcmmm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll" C:\Windows\SysWOW64\Ogifjcdp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll" C:\Windows\SysWOW64\Ocdqjceo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pcijeb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll" C:\Windows\SysWOW64\Qqfmde32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Qffbbldm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ambgef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddjejl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 C:\Windows\SysWOW64\Cmqmma32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\ca91d1b985500ad191658d40f1eb120b99a1edf5b573314cbc8727b2adb8bfd7N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 544 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\ca91d1b985500ad191658d40f1eb120b99a1edf5b573314cbc8727b2adb8bfd7N.exe C:\Windows\SysWOW64\Oponmilc.exe
PID 4188 wrote to memory of 1392 N/A C:\Windows\SysWOW64\Oponmilc.exe C:\Windows\SysWOW64\Ogifjcdp.exe
PID 1392 wrote to memory of 1932 N/A C:\Windows\SysWOW64\Ogifjcdp.exe C:\Windows\SysWOW64\Ojgbfocc.exe
PID 1932 wrote to memory of 4244 N/A C:\Windows\SysWOW64\Ojgbfocc.exe C:\Windows\SysWOW64\Opakbi32.exe
PID 4244 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Opakbi32.exe C:\Windows\SysWOW64\Ogkcpbam.exe
PID 2696 wrote to memory of 4592 N/A C:\Windows\SysWOW64\Ogkcpbam.exe C:\Windows\SysWOW64\Oneklm32.exe
PID 4592 wrote to memory of 4284 N/A C:\Windows\SysWOW64\Oneklm32.exe C:\Windows\SysWOW64\Odocigqg.exe
PID 4284 wrote to memory of 2860 N/A C:\Windows\SysWOW64\Odocigqg.exe C:\Windows\SysWOW64\Ognpebpj.exe
PID 2860 wrote to memory of 3372 N/A C:\Windows\SysWOW64\Ognpebpj.exe C:\Windows\SysWOW64\Onhhamgg.exe
PID 3372 wrote to memory of 372 N/A C:\Windows\SysWOW64\Onhhamgg.exe C:\Windows\SysWOW64\Oqfdnhfk.exe
PID 372 wrote to memory of 4936 N/A C:\Windows\SysWOW64\Oqfdnhfk.exe C:\Windows\SysWOW64\Ocdqjceo.exe
PID 4936 wrote to memory of 892 N/A C:\Windows\SysWOW64\Ocdqjceo.exe C:\Windows\SysWOW64\Ojoign32.exe
PID 892 wrote to memory of 3532 N/A C:\Windows\SysWOW64\Ojoign32.exe C:\Windows\SysWOW64\Oddmdf32.exe
PID 3532 wrote to memory of 2612 N/A C:\Windows\SysWOW64\Oddmdf32.exe C:\Windows\SysWOW64\Ogbipa32.exe
PID 2612 wrote to memory of 4948 N/A C:\Windows\SysWOW64\Ogbipa32.exe C:\Windows\SysWOW64\Pmoahijl.exe
PID 4948 wrote to memory of 3472 N/A C:\Windows\SysWOW64\Pmoahijl.exe C:\Windows\SysWOW64\Pcijeb32.exe
PID 3472 wrote to memory of 4408 N/A C:\Windows\SysWOW64\Pcijeb32.exe C:\Windows\SysWOW64\Pfhfan32.exe
PID 4408 wrote to memory of 3720 N/A C:\Windows\SysWOW64\Pfhfan32.exe C:\Windows\SysWOW64\Pqmjog32.exe
PID 3720 wrote to memory of 1412 N/A C:\Windows\SysWOW64\Pqmjog32.exe C:\Windows\SysWOW64\Pggbkagp.exe
PID 1412 wrote to memory of 3512 N/A C:\Windows\SysWOW64\Pggbkagp.exe C:\Windows\SysWOW64\Pjeoglgc.exe
PID 3512 wrote to memory of 2344 N/A C:\Windows\SysWOW64\Pjeoglgc.exe C:\Windows\SysWOW64\Pqpgdfnp.exe
PID 2344 wrote to memory of 2340 N/A C:\Windows\SysWOW64\Pqpgdfnp.exe C:\Windows\SysWOW64\Pgioqq32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ca91d1b985500ad191658d40f1eb120b99a1edf5b573314cbc8727b2adb8bfd7N.exe

"C:\Users\Admin\AppData\Local\Temp\ca91d1b985500ad191658d40f1eb120b99a1edf5b573314cbc8727b2adb8bfd7N.exe"

C:\Windows\SysWOW64\Oponmilc.exe

C:\Windows\system32\Oponmilc.exe

C:\Windows\SysWOW64\Ogifjcdp.exe

C:\Windows\system32\Ogifjcdp.exe

C:\Windows\SysWOW64\Ojgbfocc.exe

C:\Windows\system32\Ojgbfocc.exe

C:\Windows\SysWOW64\Opakbi32.exe

C:\Windows\system32\Opakbi32.exe

C:\Windows\SysWOW64\Ogkcpbam.exe

C:\Windows\system32\Ogkcpbam.exe

C:\Windows\SysWOW64\Oneklm32.exe

C:\Windows\system32\Oneklm32.exe

C:\Windows\SysWOW64\Odocigqg.exe

C:\Windows\system32\Odocigqg.exe

C:\Windows\SysWOW64\Ognpebpj.exe

C:\Windows\system32\Ognpebpj.exe

C:\Windows\SysWOW64\Onhhamgg.exe

C:\Windows\system32\Onhhamgg.exe

C:\Windows\SysWOW64\Oqfdnhfk.exe

C:\Windows\system32\Oqfdnhfk.exe

C:\Windows\SysWOW64\Ocdqjceo.exe

C:\Windows\system32\Ocdqjceo.exe

C:\Windows\SysWOW64\Ojoign32.exe

C:\Windows\system32\Ojoign32.exe

C:\Windows\SysWOW64\Oddmdf32.exe

C:\Windows\system32\Oddmdf32.exe

C:\Windows\SysWOW64\Ogbipa32.exe

C:\Windows\system32\Ogbipa32.exe

C:\Windows\SysWOW64\Pmoahijl.exe

C:\Windows\system32\Pmoahijl.exe

C:\Windows\SysWOW64\Pcijeb32.exe

C:\Windows\system32\Pcijeb32.exe

C:\Windows\SysWOW64\Pfhfan32.exe

C:\Windows\system32\Pfhfan32.exe

C:\Windows\SysWOW64\Pqmjog32.exe

C:\Windows\system32\Pqmjog32.exe

C:\Windows\SysWOW64\Pggbkagp.exe

C:\Windows\system32\Pggbkagp.exe

C:\Windows\SysWOW64\Pjeoglgc.exe

C:\Windows\system32\Pjeoglgc.exe

C:\Windows\SysWOW64\Pqpgdfnp.exe

C:\Windows\system32\Pqpgdfnp.exe

C:\Windows\SysWOW64\Pgioqq32.exe

C:\Windows\system32\Pgioqq32.exe

C:\Windows\SysWOW64\Pjhlml32.exe

C:\Windows\system32\Pjhlml32.exe

C:\Windows\SysWOW64\Pqbdjfln.exe

C:\Windows\system32\Pqbdjfln.exe

C:\Windows\SysWOW64\Pcppfaka.exe

C:\Windows\system32\Pcppfaka.exe

C:\Windows\SysWOW64\Pjjhbl32.exe

C:\Windows\system32\Pjjhbl32.exe

C:\Windows\SysWOW64\Pqdqof32.exe

C:\Windows\system32\Pqdqof32.exe

C:\Windows\SysWOW64\Pcbmka32.exe

C:\Windows\system32\Pcbmka32.exe

C:\Windows\SysWOW64\Pgnilpah.exe

C:\Windows\system32\Pgnilpah.exe

C:\Windows\SysWOW64\Qnhahj32.exe

C:\Windows\system32\Qnhahj32.exe

C:\Windows\SysWOW64\Qqfmde32.exe

C:\Windows\system32\Qqfmde32.exe

C:\Windows\SysWOW64\Qceiaa32.exe

C:\Windows\system32\Qceiaa32.exe

C:\Windows\SysWOW64\Qddfkd32.exe

C:\Windows\system32\Qddfkd32.exe

C:\Windows\SysWOW64\Qgcbgo32.exe

C:\Windows\system32\Qgcbgo32.exe

C:\Windows\SysWOW64\Qffbbldm.exe

C:\Windows\system32\Qffbbldm.exe

C:\Windows\SysWOW64\Ampkof32.exe

C:\Windows\system32\Ampkof32.exe

C:\Windows\SysWOW64\Aqkgpedc.exe

C:\Windows\system32\Aqkgpedc.exe

C:\Windows\SysWOW64\Ageolo32.exe

C:\Windows\system32\Ageolo32.exe

C:\Windows\SysWOW64\Ajckij32.exe

C:\Windows\system32\Ajckij32.exe

C:\Windows\SysWOW64\Ambgef32.exe

C:\Windows\system32\Ambgef32.exe

C:\Windows\SysWOW64\Aeiofcji.exe

C:\Windows\system32\Aeiofcji.exe

C:\Windows\SysWOW64\Agglboim.exe

C:\Windows\system32\Agglboim.exe

C:\Windows\SysWOW64\Ajfhnjhq.exe

C:\Windows\system32\Ajfhnjhq.exe

C:\Windows\SysWOW64\Aqppkd32.exe

C:\Windows\system32\Aqppkd32.exe

C:\Windows\SysWOW64\Acnlgp32.exe

C:\Windows\system32\Acnlgp32.exe

C:\Windows\SysWOW64\Afmhck32.exe

C:\Windows\system32\Afmhck32.exe

C:\Windows\SysWOW64\Ajhddjfn.exe

C:\Windows\system32\Ajhddjfn.exe

C:\Windows\SysWOW64\Amgapeea.exe

C:\Windows\system32\Amgapeea.exe

C:\Windows\SysWOW64\Aabmqd32.exe

C:\Windows\system32\Aabmqd32.exe

C:\Windows\SysWOW64\Afoeiklb.exe

C:\Windows\system32\Afoeiklb.exe

C:\Windows\SysWOW64\Anfmjhmd.exe

C:\Windows\system32\Anfmjhmd.exe

C:\Windows\SysWOW64\Aepefb32.exe

C:\Windows\system32\Aepefb32.exe

C:\Windows\SysWOW64\Accfbokl.exe

C:\Windows\system32\Accfbokl.exe

C:\Windows\SysWOW64\Bfabnjjp.exe

C:\Windows\system32\Bfabnjjp.exe

C:\Windows\SysWOW64\Bjmnoi32.exe

C:\Windows\system32\Bjmnoi32.exe

C:\Windows\SysWOW64\Bagflcje.exe

C:\Windows\system32\Bagflcje.exe

C:\Windows\SysWOW64\Bcebhoii.exe

C:\Windows\system32\Bcebhoii.exe

C:\Windows\SysWOW64\Bganhm32.exe

C:\Windows\system32\Bganhm32.exe

C:\Windows\SysWOW64\Bjokdipf.exe

C:\Windows\system32\Bjokdipf.exe

C:\Windows\SysWOW64\Bmngqdpj.exe

C:\Windows\system32\Bmngqdpj.exe

C:\Windows\SysWOW64\Beeoaapl.exe

C:\Windows\system32\Beeoaapl.exe

C:\Windows\SysWOW64\Bgcknmop.exe

C:\Windows\system32\Bgcknmop.exe

C:\Windows\SysWOW64\Bnmcjg32.exe

C:\Windows\system32\Bnmcjg32.exe

C:\Windows\SysWOW64\Balpgb32.exe

C:\Windows\system32\Balpgb32.exe

C:\Windows\SysWOW64\Bgehcmmm.exe

C:\Windows\system32\Bgehcmmm.exe

C:\Windows\SysWOW64\Bnpppgdj.exe

C:\Windows\system32\Bnpppgdj.exe

C:\Windows\SysWOW64\Beihma32.exe

C:\Windows\system32\Beihma32.exe

C:\Windows\SysWOW64\Bhhdil32.exe

C:\Windows\system32\Bhhdil32.exe

C:\Windows\SysWOW64\Bnbmefbg.exe

C:\Windows\system32\Bnbmefbg.exe

C:\Windows\SysWOW64\Bapiabak.exe

C:\Windows\system32\Bapiabak.exe

C:\Windows\SysWOW64\Bcoenmao.exe

C:\Windows\system32\Bcoenmao.exe

C:\Windows\SysWOW64\Cjinkg32.exe

C:\Windows\system32\Cjinkg32.exe

C:\Windows\SysWOW64\Cmgjgcgo.exe

C:\Windows\system32\Cmgjgcgo.exe

C:\Windows\SysWOW64\Cabfga32.exe

C:\Windows\system32\Cabfga32.exe

C:\Windows\SysWOW64\Cdabcm32.exe

C:\Windows\system32\Cdabcm32.exe

C:\Windows\SysWOW64\Cfpnph32.exe

C:\Windows\system32\Cfpnph32.exe

C:\Windows\SysWOW64\Cmiflbel.exe

C:\Windows\system32\Cmiflbel.exe

C:\Windows\SysWOW64\Cdcoim32.exe

C:\Windows\system32\Cdcoim32.exe

C:\Windows\SysWOW64\Cfbkeh32.exe

C:\Windows\system32\Cfbkeh32.exe

C:\Windows\SysWOW64\Cmlcbbcj.exe

C:\Windows\system32\Cmlcbbcj.exe

C:\Windows\SysWOW64\Cdfkolkf.exe

C:\Windows\system32\Cdfkolkf.exe

C:\Windows\SysWOW64\Cfdhkhjj.exe

C:\Windows\system32\Cfdhkhjj.exe

C:\Windows\SysWOW64\Cajlhqjp.exe

C:\Windows\system32\Cajlhqjp.exe

C:\Windows\SysWOW64\Cdhhdlid.exe

C:\Windows\system32\Cdhhdlid.exe

C:\Windows\SysWOW64\Cffdpghg.exe

C:\Windows\system32\Cffdpghg.exe

C:\Windows\SysWOW64\Cnnlaehj.exe

C:\Windows\system32\Cnnlaehj.exe

C:\Windows\SysWOW64\Cmqmma32.exe

C:\Windows\system32\Cmqmma32.exe

C:\Windows\SysWOW64\Cegdnopg.exe

C:\Windows\system32\Cegdnopg.exe

C:\Windows\SysWOW64\Ddjejl32.exe

C:\Windows\system32\Ddjejl32.exe

C:\Windows\SysWOW64\Djdmffnn.exe

C:\Windows\system32\Djdmffnn.exe

C:\Windows\SysWOW64\Dopigd32.exe

C:\Windows\system32\Dopigd32.exe

C:\Windows\SysWOW64\Danecp32.exe

C:\Windows\system32\Danecp32.exe

C:\Windows\SysWOW64\Dhhnpjmh.exe

C:\Windows\system32\Dhhnpjmh.exe

C:\Windows\SysWOW64\Dmefhako.exe

C:\Windows\system32\Dmefhako.exe

C:\Windows\SysWOW64\Delnin32.exe

C:\Windows\system32\Delnin32.exe

C:\Windows\SysWOW64\Dfnjafap.exe

C:\Windows\system32\Dfnjafap.exe

C:\Windows\SysWOW64\Dmgbnq32.exe

C:\Windows\system32\Dmgbnq32.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Dhmgki32.exe

C:\Windows\system32\Dhmgki32.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Daekdooc.exe

C:\Windows\system32\Daekdooc.exe

C:\Windows\SysWOW64\Dhocqigp.exe

C:\Windows\system32\Dhocqigp.exe

C:\Windows\SysWOW64\Dgbdlf32.exe

C:\Windows\system32\Dgbdlf32.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5884 -ip 5884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 408

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp

Files

C:\Windows\SysWOW64\Oponmilc.exe
C:\Windows\SysWOW64\Ogifjcdp.exe
C:\Windows\SysWOW64\Ojgbfocc.exe
C:\Windows\SysWOW64\Opakbi32.exe
C:\Windows\SysWOW64\Lcnhho32.dll
C:\Windows\SysWOW64\Ogkcpbam.exe
C:\Windows\SysWOW64\Oneklm32.exe
C:\Windows\SysWOW64\Odocigqg.exe
C:\Windows\SysWOW64\Ognpebpj.exe
C:\Windows\SysWOW64\Onhhamgg.exe
C:\Windows\SysWOW64\Oqfdnhfk.exe
C:\Windows\SysWOW64\Ocdqjceo.exe
C:\Windows\SysWOW64\Ojoign32.exe
C:\Windows\SysWOW64\Oddmdf32.exe
C:\Windows\SysWOW64\Ogbipa32.exe
C:\Windows\SysWOW64\Pmoahijl.exe
C:\Windows\SysWOW64\Pcijeb32.exe
C:\Windows\SysWOW64\Pfhfan32.exe
C:\Windows\SysWOW64\Pqmjog32.exe
C:\Windows\SysWOW64\Pggbkagp.exe
C:\Windows\SysWOW64\Pjeoglgc.exe
C:\Windows\SysWOW64\Pqpgdfnp.exe
C:\Windows\SysWOW64\Pgioqq32.exe
C:\Windows\SysWOW64\Pjhlml32.exe
C:\Windows\SysWOW64\Pqbdjfln.exe
C:\Windows\SysWOW64\Pcppfaka.exe
C:\Windows\SysWOW64\Pjjhbl32.exe
C:\Windows\SysWOW64\Pqdqof32.exe
C:\Windows\SysWOW64\Pcbmka32.exe
C:\Windows\SysWOW64\Pgnilpah.exe
C:\Windows\SysWOW64\Qnhahj32.exe
C:\Windows\SysWOW64\Qqfmde32.exe
C:\Windows\SysWOW64\Qceiaa32.exe
C:\Windows\SysWOW64\Anfmjhmd.exe
C:\Windows\SysWOW64\Beihma32.exe
C:\Windows\SysWOW64\Cjinkg32.exe
C:\Windows\SysWOW64\Cfdhkhjj.exe
C:\Windows\SysWOW64\Ddjejl32.exe
C:\Windows\SysWOW64\Dopigd32.exe
C:\Windows\SysWOW64\Dhhnpjmh.exe
C:\Windows\SysWOW64\Daekdooc.exe
C:\Windows\SysWOW64\Dgbdlf32.exe