Malware Analysis Report

2024-12-07 12:57

Sample ID 241113-vnwewswckd
Target da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe
SHA256 da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716
Tags
berbew backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716

Threat Level: Known bad

The file da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe was found to be: Known bad.

Malicious Activity Summary

berbew backdoor discovery persistence

Adds autorun key to be loaded by Explorer.exe on startup

Berbew

Berbew family

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 17:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 17:08

Reported

2024-11-13 17:10

Platform

win7-20240903-en

Max time kernel

116s

Max time network

22s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nlefhcnc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Olebgfao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdbdqh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ahebaiac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Loqmba32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lfmbek32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnoiio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nhjjgd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ckhdggom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bgoime32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lnhgim32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mqbbagjo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qpbglhjq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aoojnc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kffldlne.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgjnhaco.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mikjpiim.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Omioekbo.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Obokcqhk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cgaaah32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ljddjj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ljddjj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Loqmba32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mnmpdlac.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdiefffn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Padhdm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgoime32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdcifi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lnhgim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mnmpdlac.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Abmgjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Paknelgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cebeem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lklgbadb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Phlclgfc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pljlbf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Paiaplin.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qjklenpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Agolnbok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkhhhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mfmndn32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mfokinhf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mfokinhf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ofadnq32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkndhabp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qkfocaki.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Alnalh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Njfjnpgp.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ahgofi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkegah32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bdqlajbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgjnhaco.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nabopjmj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdeqfhjd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pcljmdmj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lfoojj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mklcadfn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhjlli32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Obmnna32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bdcifi32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cgfkmgnj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgehno32.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Kgclio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kffldlne.exe N/A
N/A N/A C:\Windows\SysWOW64\Lonpma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgehno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljddjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Loqmba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lboiol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkgngb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcofio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfmbek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Llgjaeoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnhgim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfoojj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lklgbadb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnjcomcf.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhpglecl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkndhabp.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnmpdlac.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdghaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgedmb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjcaimgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqnifg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdiefffn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfjann32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnaiol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgjnhaco.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfmndn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mikjpiim.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqbbagjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfokinhf.exe N/A
N/A N/A C:\Windows\SysWOW64\Mklcadfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcckcbgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbflno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nedhjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmkplgnq.exe N/A
N/A N/A C:\Windows\SysWOW64\Nfdddm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nefdpjkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnoiio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nameek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njfjnpgp.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbmaon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhjjgd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlefhcnc.exe N/A
N/A N/A C:\Windows\SysWOW64\Nabopjmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nenkqi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Omioekbo.exe N/A
N/A N/A C:\Windows\SysWOW64\Opglafab.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofadnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oippjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oaghki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odedge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojomdoof.exe N/A
N/A N/A C:\Windows\SysWOW64\Oibmpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olpilg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odgamdef.exe N/A
N/A N/A C:\Windows\SysWOW64\Objaha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oeindm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ompefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Opnbbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obmnna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofhjopbg.exe N/A
N/A N/A C:\Windows\SysWOW64\Ohiffh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Olebgfao.exe N/A
N/A N/A C:\Windows\SysWOW64\Obokcqhk.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgclio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgclio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kffldlne.exe N/A
N/A N/A C:\Windows\SysWOW64\Kffldlne.exe N/A
N/A N/A C:\Windows\SysWOW64\Lonpma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lonpma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgehno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgehno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljddjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljddjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Loqmba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Loqmba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lboiol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lboiol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkgngb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkgngb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcofio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcofio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfmbek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfmbek32.exe N/A
N/A N/A C:\Windows\SysWOW64\Llgjaeoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Llgjaeoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnhgim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnhgim32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfoojj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfoojj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lklgbadb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lklgbadb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnjcomcf.exe N/A
N/A N/A C:\Windows\SysWOW64\Lnjcomcf.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhpglecl.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhpglecl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkndhabp.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkndhabp.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnmpdlac.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnmpdlac.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdghaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdghaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgedmb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgedmb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjcaimgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjcaimgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqnifg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqnifg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdiefffn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdiefffn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfjann32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfjann32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnaiol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnaiol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgjnhaco.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgjnhaco.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfmndn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfmndn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mikjpiim.exe N/A
N/A N/A C:\Windows\SysWOW64\Mikjpiim.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqbbagjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqbbagjo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfokinhf.exe N/A
N/A N/A C:\Windows\SysWOW64\Mfokinhf.exe N/A
N/A N/A C:\Windows\SysWOW64\Mklcadfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mklcadfn.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Kffldlne.exe C:\Windows\SysWOW64\Kgclio32.exe N/A
File created C:\Windows\SysWOW64\Lcofio32.exe C:\Windows\SysWOW64\Lkgngb32.exe N/A
File created C:\Windows\SysWOW64\Hpqnnmcd.dll C:\Windows\SysWOW64\Adnpkjde.exe N/A
File created C:\Windows\SysWOW64\Ekohgi32.dll C:\Windows\SysWOW64\Kgclio32.exe N/A
File created C:\Windows\SysWOW64\Ojefmknj.dll C:\Windows\SysWOW64\Padhdm32.exe N/A
File created C:\Windows\SysWOW64\Gmoloenf.dll C:\Windows\SysWOW64\Pafdjmkq.exe N/A
File created C:\Windows\SysWOW64\Bgmdailj.dll C:\Windows\SysWOW64\Bgoime32.exe N/A
File created C:\Windows\SysWOW64\Nhjjgd32.exe C:\Windows\SysWOW64\Nbmaon32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ojomdoof.exe C:\Windows\SysWOW64\Odedge32.exe N/A
File opened for modification C:\Windows\SysWOW64\Adlcfjgh.exe C:\Windows\SysWOW64\Abmgjo32.exe N/A
File created C:\Windows\SysWOW64\Cgaaah32.exe C:\Windows\SysWOW64\Cebeem32.exe N/A
File created C:\Windows\SysWOW64\Hiablm32.dll C:\Windows\SysWOW64\Bqlfaj32.exe N/A
File created C:\Windows\SysWOW64\Cnfqccna.exe C:\Windows\SysWOW64\Ckhdggom.exe N/A
File created C:\Windows\SysWOW64\Cebeem32.exe C:\Windows\SysWOW64\Cbdiia32.exe N/A
File created C:\Windows\SysWOW64\Edeomgho.dll C:\Windows\SysWOW64\Nmkplgnq.exe N/A
File created C:\Windows\SysWOW64\Pafdjmkq.exe C:\Windows\SysWOW64\Pohhna32.exe N/A
File created C:\Windows\SysWOW64\Incjbkig.dll C:\Windows\SysWOW64\Allefimb.exe N/A
File opened for modification C:\Windows\SysWOW64\Njfjnpgp.exe C:\Windows\SysWOW64\Nameek32.exe N/A
File created C:\Windows\SysWOW64\Hnoefj32.dll C:\Windows\SysWOW64\Nbmaon32.exe N/A
File opened for modification C:\Windows\SysWOW64\Odgamdef.exe C:\Windows\SysWOW64\Olpilg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pkaehb32.exe C:\Windows\SysWOW64\Phcilf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Agolnbok.exe C:\Windows\SysWOW64\Aohdmdoh.exe N/A
File opened for modification C:\Windows\SysWOW64\Llgjaeoj.exe C:\Windows\SysWOW64\Lfmbek32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nhjjgd32.exe C:\Windows\SysWOW64\Nbmaon32.exe N/A
File created C:\Windows\SysWOW64\Acfmcc32.exe C:\Windows\SysWOW64\Apgagg32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkegah32.exe C:\Windows\SysWOW64\Bigkel32.exe N/A
File created C:\Windows\SysWOW64\Abmgjo32.exe C:\Windows\SysWOW64\Aoojnc32.exe N/A
File created C:\Windows\SysWOW64\Ihnijmcj.dll C:\Windows\SysWOW64\Lonpma32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mikjpiim.exe C:\Windows\SysWOW64\Mfmndn32.exe N/A
File created C:\Windows\SysWOW64\Qcachc32.exe C:\Windows\SysWOW64\Qdncmgbj.exe N/A
File created C:\Windows\SysWOW64\Hdaehcom.dll C:\Windows\SysWOW64\Afdiondb.exe N/A
File created C:\Windows\SysWOW64\Bjbndpmd.exe C:\Windows\SysWOW64\Bchfhfeh.exe N/A
File created C:\Windows\SysWOW64\Cacldi32.dll C:\Windows\SysWOW64\Mfmndn32.exe N/A
File created C:\Windows\SysWOW64\Kagflkia.dll C:\Windows\SysWOW64\Nfdddm32.exe N/A
File created C:\Windows\SysWOW64\Llgjaeoj.exe C:\Windows\SysWOW64\Lfmbek32.exe N/A
File opened for modification C:\Windows\SysWOW64\Phcilf32.exe C:\Windows\SysWOW64\Pdgmlhha.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjkhdacm.exe C:\Windows\SysWOW64\Bkhhhd32.exe N/A
File created C:\Windows\SysWOW64\Gfnafi32.dll C:\Windows\SysWOW64\Aoagccfn.exe N/A
File created C:\Windows\SysWOW64\Bdqlajbb.exe C:\Windows\SysWOW64\Bbbpenco.exe N/A
File opened for modification C:\Windows\SysWOW64\Bkhhhd32.exe C:\Windows\SysWOW64\Bhjlli32.exe N/A
File created C:\Windows\SysWOW64\Jfkgbapp.dll C:\Windows\SysWOW64\Nenkqi32.exe N/A
File created C:\Windows\SysWOW64\Qjklenpa.exe C:\Windows\SysWOW64\Qeppdo32.exe N/A
File opened for modification C:\Windows\SysWOW64\Abmgjo32.exe C:\Windows\SysWOW64\Aoojnc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Loqmba32.exe C:\Windows\SysWOW64\Ljddjj32.exe N/A
File created C:\Windows\SysWOW64\Ciffggmh.dll C:\Windows\SysWOW64\Mdiefffn.exe N/A
File created C:\Windows\SysWOW64\Mcckcbgp.exe C:\Windows\SysWOW64\Mklcadfn.exe N/A
File created C:\Windows\SysWOW64\Ihaiqn32.dll C:\Windows\SysWOW64\Obokcqhk.exe N/A
File created C:\Windows\SysWOW64\Ameaio32.dll C:\Windows\SysWOW64\Ppnnai32.exe N/A
File created C:\Windows\SysWOW64\Lgehno32.exe C:\Windows\SysWOW64\Lonpma32.exe N/A
File created C:\Windows\SysWOW64\Nenkqi32.exe C:\Windows\SysWOW64\Nabopjmj.exe N/A
File created C:\Windows\SysWOW64\Pgcmbcih.exe C:\Windows\SysWOW64\Pdeqfhjd.exe N/A
File opened for modification C:\Windows\SysWOW64\Bgaebe32.exe C:\Windows\SysWOW64\Bdcifi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkndhabp.exe C:\Windows\SysWOW64\Lhpglecl.exe N/A
File opened for modification C:\Windows\SysWOW64\Nenkqi32.exe C:\Windows\SysWOW64\Nabopjmj.exe N/A
File created C:\Windows\SysWOW64\Paknelgk.exe C:\Windows\SysWOW64\Pkaehb32.exe N/A
File created C:\Windows\SysWOW64\Bkhhhd32.exe C:\Windows\SysWOW64\Bhjlli32.exe N/A
File created C:\Windows\SysWOW64\Danpemej.exe C:\Windows\SysWOW64\Dnpciaef.exe N/A
File opened for modification C:\Windows\SysWOW64\Oippjl32.exe C:\Windows\SysWOW64\Ofadnq32.exe N/A
File created C:\Windows\SysWOW64\Hkgoklhk.dll C:\Windows\SysWOW64\Pkaehb32.exe N/A
File created C:\Windows\SysWOW64\Kbfcnc32.dll C:\Windows\SysWOW64\Pifbjn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Afdiondb.exe C:\Windows\SysWOW64\Acfmcc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmlael32.exe C:\Windows\SysWOW64\Bjmeiq32.exe N/A
File created C:\Windows\SysWOW64\Qpbglhjq.exe C:\Windows\SysWOW64\Qndkpmkm.exe N/A
File created C:\Windows\SysWOW64\Dnbamjbm.dll C:\Windows\SysWOW64\Bgaebe32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\system32†Dhhhbg32.¿xe C:\Windows\SysWOW64\Dpapaj32.exe N/A
File opened for modification C:\Windows\system32†Dhhhbg32.¿xe C:\Windows\SysWOW64\Dpapaj32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dpapaj32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phcilf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfkloq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mqnifg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nedhjj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pafdjmkq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alihaioe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajmijmnn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceebklai.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nenkqi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oippjl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oemgplgo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nmkplgnq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njfjnpgp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Paknelgk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lboiol32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lhpglecl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mikjpiim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfdenafn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kgclio32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aoojnc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Abpcooea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkegah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ciihklpj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mdiefffn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mfmndn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkjphcff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdncmgbj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcjcme32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cebeem32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lnhgim32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pljlbf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pcljmdmj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmlael32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nameek32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qcachc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adifpk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Allefimb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apgagg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aomnhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnbojmmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Acfmcc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mgjnhaco.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ppnnai32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjonncab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjmeiq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfioia32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mcckcbgp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nbflno32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhjlli32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Calcpm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpapaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mkndhabp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pojecajj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bdqlajbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nbmaon32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opglafab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofadnq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ojomdoof.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Olpilg32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nfdddm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfkdo32.dll" C:\Windows\SysWOW64\Ofadnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll" C:\Windows\SysWOW64\Cgfkmgnj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll" C:\Windows\SysWOW64\Bbbpenco.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ckjamgmk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mdiefffn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Odgamdef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Opnbbe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pghfnc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lklgbadb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ofadnq32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qdlggg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Alnalh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoapfe32.dll" C:\Windows\SysWOW64\Mcckcbgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbklamb.dll" C:\Windows\SysWOW64\Akcomepg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bdcifi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ajpepm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aoagccfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmlael32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bnknoogp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Allefimb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aomnhd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bkegah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kheoph32.dll" C:\Windows\SysWOW64\Nedhjj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnoefj32.dll" C:\Windows\SysWOW64\Nbmaon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pdeqfhjd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Olebgfao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll" C:\Windows\SysWOW64\Abmgjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll" C:\Windows\SysWOW64\Bchfhfeh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll" C:\Windows\SysWOW64\Calcpm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Njfjnpgp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qpbglhjq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cnfqccna.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lfmbek32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qkfocaki.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjbndpmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mkndhabp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll" C:\Windows\SysWOW64\Pgcmbcih.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Paiaplin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcgie32.dll" C:\Windows\SysWOW64\Bkhhhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" C:\Windows\SysWOW64\Danpemej.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nenkqi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eibkmp32.dll" C:\Windows\SysWOW64\Pghfnc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Qcachc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll" C:\Windows\SysWOW64\Ajmijmnn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pnbojmmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll" C:\Windows\SysWOW64\Apgagg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aoojnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll" C:\Windows\SysWOW64\Cnkjnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pdgmlhha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll" C:\Windows\SysWOW64\Ahbekjcf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll" C:\Windows\SysWOW64\Cfkloq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cebeem32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Phcilf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bgoime32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lfmbek32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcmkhf32.dll" C:\Windows\SysWOW64\Mqnifg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhcmgmam.dll" C:\Windows\SysWOW64\Nhjjgd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oeindm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll" C:\Windows\SysWOW64\Cgcnghpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ameaio32.dll" C:\Windows\SysWOW64\Ppnnai32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mcckcbgp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe C:\Windows\SysWOW64\Kgclio32.exe
PID 2236 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe C:\Windows\SysWOW64\Kgclio32.exe
PID 2236 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe C:\Windows\SysWOW64\Kgclio32.exe
PID 2236 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe C:\Windows\SysWOW64\Kgclio32.exe
PID 2084 wrote to memory of 288 N/A C:\Windows\SysWOW64\Kgclio32.exe C:\Windows\SysWOW64\Kffldlne.exe
PID 2084 wrote to memory of 288 N/A C:\Windows\SysWOW64\Kgclio32.exe C:\Windows\SysWOW64\Kffldlne.exe
PID 2084 wrote to memory of 288 N/A C:\Windows\SysWOW64\Kgclio32.exe C:\Windows\SysWOW64\Kffldlne.exe
PID 2084 wrote to memory of 288 N/A C:\Windows\SysWOW64\Kgclio32.exe C:\Windows\SysWOW64\Kffldlne.exe
PID 288 wrote to memory of 3004 N/A C:\Windows\SysWOW64\Kffldlne.exe C:\Windows\SysWOW64\Lonpma32.exe
PID 288 wrote to memory of 3004 N/A C:\Windows\SysWOW64\Kffldlne.exe C:\Windows\SysWOW64\Lonpma32.exe
PID 288 wrote to memory of 3004 N/A C:\Windows\SysWOW64\Kffldlne.exe C:\Windows\SysWOW64\Lonpma32.exe
PID 288 wrote to memory of 3004 N/A C:\Windows\SysWOW64\Kffldlne.exe C:\Windows\SysWOW64\Lonpma32.exe
PID 3004 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Lonpma32.exe C:\Windows\SysWOW64\Lgehno32.exe
PID 3004 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Lonpma32.exe C:\Windows\SysWOW64\Lgehno32.exe
PID 3004 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Lonpma32.exe C:\Windows\SysWOW64\Lgehno32.exe
PID 3004 wrote to memory of 2696 N/A C:\Windows\SysWOW64\Lonpma32.exe C:\Windows\SysWOW64\Lgehno32.exe
PID 2696 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Lgehno32.exe C:\Windows\SysWOW64\Ljddjj32.exe
PID 2696 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Lgehno32.exe C:\Windows\SysWOW64\Ljddjj32.exe
PID 2696 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Lgehno32.exe C:\Windows\SysWOW64\Ljddjj32.exe
PID 2696 wrote to memory of 2852 N/A C:\Windows\SysWOW64\Lgehno32.exe C:\Windows\SysWOW64\Ljddjj32.exe
PID 2852 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Ljddjj32.exe C:\Windows\SysWOW64\Loqmba32.exe
PID 2852 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Ljddjj32.exe C:\Windows\SysWOW64\Loqmba32.exe
PID 2852 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Ljddjj32.exe C:\Windows\SysWOW64\Loqmba32.exe
PID 2852 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Ljddjj32.exe C:\Windows\SysWOW64\Loqmba32.exe
PID 2508 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Loqmba32.exe C:\Windows\SysWOW64\Lboiol32.exe
PID 2508 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Loqmba32.exe C:\Windows\SysWOW64\Lboiol32.exe
PID 2508 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Loqmba32.exe C:\Windows\SysWOW64\Lboiol32.exe
PID 2508 wrote to memory of 2440 N/A C:\Windows\SysWOW64\Loqmba32.exe C:\Windows\SysWOW64\Lboiol32.exe
PID 2440 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Lboiol32.exe C:\Windows\SysWOW64\Lkgngb32.exe
PID 2440 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Lboiol32.exe C:\Windows\SysWOW64\Lkgngb32.exe
PID 2440 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Lboiol32.exe C:\Windows\SysWOW64\Lkgngb32.exe
PID 2440 wrote to memory of 2932 N/A C:\Windows\SysWOW64\Lboiol32.exe C:\Windows\SysWOW64\Lkgngb32.exe
PID 2932 wrote to memory of 1256 N/A C:\Windows\SysWOW64\Lkgngb32.exe C:\Windows\SysWOW64\Lcofio32.exe
PID 2932 wrote to memory of 1256 N/A C:\Windows\SysWOW64\Lkgngb32.exe C:\Windows\SysWOW64\Lcofio32.exe
PID 2932 wrote to memory of 1256 N/A C:\Windows\SysWOW64\Lkgngb32.exe C:\Windows\SysWOW64\Lcofio32.exe
PID 2932 wrote to memory of 1256 N/A C:\Windows\SysWOW64\Lkgngb32.exe C:\Windows\SysWOW64\Lcofio32.exe
PID 1256 wrote to memory of 1128 N/A C:\Windows\SysWOW64\Lcofio32.exe C:\Windows\SysWOW64\Lfmbek32.exe
PID 1256 wrote to memory of 1128 N/A C:\Windows\SysWOW64\Lcofio32.exe C:\Windows\SysWOW64\Lfmbek32.exe
PID 1256 wrote to memory of 1128 N/A C:\Windows\SysWOW64\Lcofio32.exe C:\Windows\SysWOW64\Lfmbek32.exe
PID 1256 wrote to memory of 1128 N/A C:\Windows\SysWOW64\Lcofio32.exe C:\Windows\SysWOW64\Lfmbek32.exe
PID 1128 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Lfmbek32.exe C:\Windows\SysWOW64\Llgjaeoj.exe
PID 1128 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Lfmbek32.exe C:\Windows\SysWOW64\Llgjaeoj.exe
PID 1128 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Lfmbek32.exe C:\Windows\SysWOW64\Llgjaeoj.exe
PID 1128 wrote to memory of 2004 N/A C:\Windows\SysWOW64\Lfmbek32.exe C:\Windows\SysWOW64\Llgjaeoj.exe
PID 2004 wrote to memory of 2408 N/A C:\Windows\SysWOW64\Llgjaeoj.exe C:\Windows\SysWOW64\Lnhgim32.exe
PID 2004 wrote to memory of 2408 N/A C:\Windows\SysWOW64\Llgjaeoj.exe C:\Windows\SysWOW64\Lnhgim32.exe
PID 2004 wrote to memory of 2408 N/A C:\Windows\SysWOW64\Llgjaeoj.exe C:\Windows\SysWOW64\Lnhgim32.exe
PID 2004 wrote to memory of 2408 N/A C:\Windows\SysWOW64\Llgjaeoj.exe C:\Windows\SysWOW64\Lnhgim32.exe
PID 2408 wrote to memory of 1720 N/A C:\Windows\SysWOW64\Lnhgim32.exe C:\Windows\SysWOW64\Lfoojj32.exe
PID 2408 wrote to memory of 1720 N/A C:\Windows\SysWOW64\Lnhgim32.exe C:\Windows\SysWOW64\Lfoojj32.exe
PID 2408 wrote to memory of 1720 N/A C:\Windows\SysWOW64\Lnhgim32.exe C:\Windows\SysWOW64\Lfoojj32.exe
PID 2408 wrote to memory of 1720 N/A C:\Windows\SysWOW64\Lnhgim32.exe C:\Windows\SysWOW64\Lfoojj32.exe
PID 1720 wrote to memory of 1884 N/A C:\Windows\SysWOW64\Lfoojj32.exe C:\Windows\SysWOW64\Lklgbadb.exe
PID 1720 wrote to memory of 1884 N/A C:\Windows\SysWOW64\Lfoojj32.exe C:\Windows\SysWOW64\Lklgbadb.exe
PID 1720 wrote to memory of 1884 N/A C:\Windows\SysWOW64\Lfoojj32.exe C:\Windows\SysWOW64\Lklgbadb.exe
PID 1720 wrote to memory of 1884 N/A C:\Windows\SysWOW64\Lfoojj32.exe C:\Windows\SysWOW64\Lklgbadb.exe
PID 1884 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Lklgbadb.exe C:\Windows\SysWOW64\Lnjcomcf.exe
PID 1884 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Lklgbadb.exe C:\Windows\SysWOW64\Lnjcomcf.exe
PID 1884 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Lklgbadb.exe C:\Windows\SysWOW64\Lnjcomcf.exe
PID 1884 wrote to memory of 2792 N/A C:\Windows\SysWOW64\Lklgbadb.exe C:\Windows\SysWOW64\Lnjcomcf.exe
PID 2792 wrote to memory of 956 N/A C:\Windows\SysWOW64\Lnjcomcf.exe C:\Windows\SysWOW64\Lhpglecl.exe
PID 2792 wrote to memory of 956 N/A C:\Windows\SysWOW64\Lnjcomcf.exe C:\Windows\SysWOW64\Lhpglecl.exe
PID 2792 wrote to memory of 956 N/A C:\Windows\SysWOW64\Lnjcomcf.exe C:\Windows\SysWOW64\Lhpglecl.exe
PID 2792 wrote to memory of 956 N/A C:\Windows\SysWOW64\Lnjcomcf.exe C:\Windows\SysWOW64\Lhpglecl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe

"C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe"

C:\Windows\SysWOW64\Kgclio32.exe

C:\Windows\system32\Kgclio32.exe

C:\Windows\SysWOW64\Kffldlne.exe

C:\Windows\system32\Kffldlne.exe

C:\Windows\SysWOW64\Lonpma32.exe

C:\Windows\system32\Lonpma32.exe

C:\Windows\SysWOW64\Lgehno32.exe

C:\Windows\system32\Lgehno32.exe

C:\Windows\SysWOW64\Ljddjj32.exe

C:\Windows\system32\Ljddjj32.exe

C:\Windows\SysWOW64\Loqmba32.exe

C:\Windows\system32\Loqmba32.exe

C:\Windows\SysWOW64\Lboiol32.exe

C:\Windows\system32\Lboiol32.exe

C:\Windows\SysWOW64\Lkgngb32.exe

C:\Windows\system32\Lkgngb32.exe

C:\Windows\SysWOW64\Lcofio32.exe

C:\Windows\system32\Lcofio32.exe

C:\Windows\SysWOW64\Lfmbek32.exe

C:\Windows\system32\Lfmbek32.exe

C:\Windows\SysWOW64\Llgjaeoj.exe

C:\Windows\system32\Llgjaeoj.exe

C:\Windows\SysWOW64\Lnhgim32.exe

C:\Windows\system32\Lnhgim32.exe

C:\Windows\SysWOW64\Lfoojj32.exe

C:\Windows\system32\Lfoojj32.exe

C:\Windows\SysWOW64\Lklgbadb.exe

C:\Windows\system32\Lklgbadb.exe

C:\Windows\SysWOW64\Lnjcomcf.exe

C:\Windows\system32\Lnjcomcf.exe

C:\Windows\SysWOW64\Lhpglecl.exe

C:\Windows\system32\Lhpglecl.exe

C:\Windows\SysWOW64\Mkndhabp.exe

C:\Windows\system32\Mkndhabp.exe

C:\Windows\SysWOW64\Mnmpdlac.exe

C:\Windows\system32\Mnmpdlac.exe

C:\Windows\SysWOW64\Mdghaf32.exe

C:\Windows\system32\Mdghaf32.exe

C:\Windows\SysWOW64\Mgedmb32.exe

C:\Windows\system32\Mgedmb32.exe

C:\Windows\SysWOW64\Mjcaimgg.exe

C:\Windows\system32\Mjcaimgg.exe

C:\Windows\SysWOW64\Mqnifg32.exe

C:\Windows\system32\Mqnifg32.exe

C:\Windows\SysWOW64\Mdiefffn.exe

C:\Windows\system32\Mdiefffn.exe

C:\Windows\SysWOW64\Mfjann32.exe

C:\Windows\system32\Mfjann32.exe

C:\Windows\SysWOW64\Mnaiol32.exe

C:\Windows\system32\Mnaiol32.exe

C:\Windows\SysWOW64\Mgjnhaco.exe

C:\Windows\system32\Mgjnhaco.exe

C:\Windows\SysWOW64\Mfmndn32.exe

C:\Windows\system32\Mfmndn32.exe

C:\Windows\SysWOW64\Mikjpiim.exe

C:\Windows\system32\Mikjpiim.exe

C:\Windows\SysWOW64\Mqbbagjo.exe

C:\Windows\system32\Mqbbagjo.exe

C:\Windows\SysWOW64\Mfokinhf.exe

C:\Windows\system32\Mfokinhf.exe

C:\Windows\SysWOW64\Mklcadfn.exe

C:\Windows\system32\Mklcadfn.exe

C:\Windows\SysWOW64\Mcckcbgp.exe

C:\Windows\system32\Mcckcbgp.exe

C:\Windows\SysWOW64\Nbflno32.exe

C:\Windows\system32\Nbflno32.exe

C:\Windows\SysWOW64\Nedhjj32.exe

C:\Windows\system32\Nedhjj32.exe

C:\Windows\SysWOW64\Nmkplgnq.exe

C:\Windows\system32\Nmkplgnq.exe

C:\Windows\SysWOW64\Nfdddm32.exe

C:\Windows\system32\Nfdddm32.exe

C:\Windows\SysWOW64\Nefdpjkl.exe

C:\Windows\system32\Nefdpjkl.exe

C:\Windows\SysWOW64\Nnoiio32.exe

C:\Windows\system32\Nnoiio32.exe

C:\Windows\SysWOW64\Nameek32.exe

C:\Windows\system32\Nameek32.exe

C:\Windows\SysWOW64\Njfjnpgp.exe

C:\Windows\system32\Njfjnpgp.exe

C:\Windows\SysWOW64\Nbmaon32.exe

C:\Windows\system32\Nbmaon32.exe

C:\Windows\SysWOW64\Nhjjgd32.exe

C:\Windows\system32\Nhjjgd32.exe

C:\Windows\SysWOW64\Nlefhcnc.exe

C:\Windows\system32\Nlefhcnc.exe

C:\Windows\SysWOW64\Nabopjmj.exe

C:\Windows\system32\Nabopjmj.exe

C:\Windows\SysWOW64\Nenkqi32.exe

C:\Windows\system32\Nenkqi32.exe

C:\Windows\SysWOW64\Omioekbo.exe

C:\Windows\system32\Omioekbo.exe

C:\Windows\SysWOW64\Opglafab.exe

C:\Windows\system32\Opglafab.exe

C:\Windows\SysWOW64\Ofadnq32.exe

C:\Windows\system32\Ofadnq32.exe

C:\Windows\SysWOW64\Oippjl32.exe

C:\Windows\system32\Oippjl32.exe

C:\Windows\SysWOW64\Oaghki32.exe

C:\Windows\system32\Oaghki32.exe

C:\Windows\SysWOW64\Odedge32.exe

C:\Windows\system32\Odedge32.exe

C:\Windows\SysWOW64\Ojomdoof.exe

C:\Windows\system32\Ojomdoof.exe

C:\Windows\SysWOW64\Oibmpl32.exe

C:\Windows\system32\Oibmpl32.exe

C:\Windows\SysWOW64\Olpilg32.exe

C:\Windows\system32\Olpilg32.exe

C:\Windows\SysWOW64\Odgamdef.exe

C:\Windows\system32\Odgamdef.exe

C:\Windows\SysWOW64\Objaha32.exe

C:\Windows\system32\Objaha32.exe

C:\Windows\SysWOW64\Oeindm32.exe

C:\Windows\system32\Oeindm32.exe

C:\Windows\SysWOW64\Ompefj32.exe

C:\Windows\system32\Ompefj32.exe

C:\Windows\SysWOW64\Opnbbe32.exe

C:\Windows\system32\Opnbbe32.exe

C:\Windows\SysWOW64\Obmnna32.exe

C:\Windows\system32\Obmnna32.exe

C:\Windows\SysWOW64\Ofhjopbg.exe

C:\Windows\system32\Ofhjopbg.exe

C:\Windows\SysWOW64\Ohiffh32.exe

C:\Windows\system32\Ohiffh32.exe

C:\Windows\SysWOW64\Olebgfao.exe

C:\Windows\system32\Olebgfao.exe

C:\Windows\SysWOW64\Obokcqhk.exe

C:\Windows\system32\Obokcqhk.exe

C:\Windows\SysWOW64\Oemgplgo.exe

C:\Windows\system32\Oemgplgo.exe

C:\Windows\SysWOW64\Phlclgfc.exe

C:\Windows\system32\Phlclgfc.exe

C:\Windows\SysWOW64\Pkjphcff.exe

C:\Windows\system32\Pkjphcff.exe

C:\Windows\SysWOW64\Pofkha32.exe

C:\Windows\system32\Pofkha32.exe

C:\Windows\SysWOW64\Padhdm32.exe

C:\Windows\system32\Padhdm32.exe

C:\Windows\SysWOW64\Pdbdqh32.exe

C:\Windows\system32\Pdbdqh32.exe

C:\Windows\SysWOW64\Pljlbf32.exe

C:\Windows\system32\Pljlbf32.exe

C:\Windows\SysWOW64\Pohhna32.exe

C:\Windows\system32\Pohhna32.exe

C:\Windows\SysWOW64\Pafdjmkq.exe

C:\Windows\system32\Pafdjmkq.exe

C:\Windows\SysWOW64\Pdeqfhjd.exe

C:\Windows\system32\Pdeqfhjd.exe

C:\Windows\SysWOW64\Pgcmbcih.exe

C:\Windows\system32\Pgcmbcih.exe

C:\Windows\SysWOW64\Pojecajj.exe

C:\Windows\system32\Pojecajj.exe

C:\Windows\SysWOW64\Paiaplin.exe

C:\Windows\system32\Paiaplin.exe

C:\Windows\SysWOW64\Pdgmlhha.exe

C:\Windows\system32\Pdgmlhha.exe

C:\Windows\SysWOW64\Phcilf32.exe

C:\Windows\system32\Phcilf32.exe

C:\Windows\SysWOW64\Pkaehb32.exe

C:\Windows\system32\Pkaehb32.exe

C:\Windows\SysWOW64\Paknelgk.exe

C:\Windows\system32\Paknelgk.exe

C:\Windows\SysWOW64\Ppnnai32.exe

C:\Windows\system32\Ppnnai32.exe

C:\Windows\SysWOW64\Pcljmdmj.exe

C:\Windows\system32\Pcljmdmj.exe

C:\Windows\SysWOW64\Pghfnc32.exe

C:\Windows\system32\Pghfnc32.exe

C:\Windows\SysWOW64\Pifbjn32.exe

C:\Windows\system32\Pifbjn32.exe

C:\Windows\SysWOW64\Pnbojmmp.exe

C:\Windows\system32\Pnbojmmp.exe

C:\Windows\SysWOW64\Qdlggg32.exe

C:\Windows\system32\Qdlggg32.exe

C:\Windows\SysWOW64\Qkfocaki.exe

C:\Windows\system32\Qkfocaki.exe

C:\Windows\SysWOW64\Qndkpmkm.exe

C:\Windows\system32\Qndkpmkm.exe

C:\Windows\SysWOW64\Qpbglhjq.exe

C:\Windows\system32\Qpbglhjq.exe

C:\Windows\SysWOW64\Qdncmgbj.exe

C:\Windows\system32\Qdncmgbj.exe

C:\Windows\SysWOW64\Qcachc32.exe

C:\Windows\system32\Qcachc32.exe

C:\Windows\SysWOW64\Qeppdo32.exe

C:\Windows\system32\Qeppdo32.exe

C:\Windows\SysWOW64\Qjklenpa.exe

C:\Windows\system32\Qjklenpa.exe

C:\Windows\SysWOW64\Alihaioe.exe

C:\Windows\system32\Alihaioe.exe

C:\Windows\SysWOW64\Aohdmdoh.exe

C:\Windows\system32\Aohdmdoh.exe

C:\Windows\SysWOW64\Agolnbok.exe

C:\Windows\system32\Agolnbok.exe

C:\Windows\SysWOW64\Ajmijmnn.exe

C:\Windows\system32\Ajmijmnn.exe

C:\Windows\SysWOW64\Allefimb.exe

C:\Windows\system32\Allefimb.exe

C:\Windows\SysWOW64\Apgagg32.exe

C:\Windows\system32\Apgagg32.exe

C:\Windows\SysWOW64\Acfmcc32.exe

C:\Windows\system32\Acfmcc32.exe

C:\Windows\SysWOW64\Afdiondb.exe

C:\Windows\system32\Afdiondb.exe

C:\Windows\SysWOW64\Ajpepm32.exe

C:\Windows\system32\Ajpepm32.exe

C:\Windows\SysWOW64\Ahbekjcf.exe

C:\Windows\system32\Ahbekjcf.exe

C:\Windows\SysWOW64\Alnalh32.exe

C:\Windows\system32\Alnalh32.exe

C:\Windows\SysWOW64\Aomnhd32.exe

C:\Windows\system32\Aomnhd32.exe

C:\Windows\SysWOW64\Aakjdo32.exe

C:\Windows\system32\Aakjdo32.exe

C:\Windows\SysWOW64\Adifpk32.exe

C:\Windows\system32\Adifpk32.exe

C:\Windows\SysWOW64\Ahebaiac.exe

C:\Windows\system32\Ahebaiac.exe

C:\Windows\SysWOW64\Akcomepg.exe

C:\Windows\system32\Akcomepg.exe

C:\Windows\SysWOW64\Aoojnc32.exe

C:\Windows\system32\Aoojnc32.exe

C:\Windows\SysWOW64\Abmgjo32.exe

C:\Windows\system32\Abmgjo32.exe

C:\Windows\SysWOW64\Adlcfjgh.exe

C:\Windows\system32\Adlcfjgh.exe

C:\Windows\SysWOW64\Ahgofi32.exe

C:\Windows\system32\Ahgofi32.exe

C:\Windows\SysWOW64\Aoagccfn.exe

C:\Windows\system32\Aoagccfn.exe

C:\Windows\SysWOW64\Abpcooea.exe

C:\Windows\system32\Abpcooea.exe

C:\Windows\SysWOW64\Adnpkjde.exe

C:\Windows\system32\Adnpkjde.exe

C:\Windows\SysWOW64\Bhjlli32.exe

C:\Windows\system32\Bhjlli32.exe

C:\Windows\SysWOW64\Bkhhhd32.exe

C:\Windows\system32\Bkhhhd32.exe

C:\Windows\SysWOW64\Bjkhdacm.exe

C:\Windows\system32\Bjkhdacm.exe

C:\Windows\SysWOW64\Bbbpenco.exe

C:\Windows\system32\Bbbpenco.exe

C:\Windows\SysWOW64\Bdqlajbb.exe

C:\Windows\system32\Bdqlajbb.exe

C:\Windows\SysWOW64\Bgoime32.exe

C:\Windows\system32\Bgoime32.exe

C:\Windows\SysWOW64\Bjmeiq32.exe

C:\Windows\system32\Bjmeiq32.exe

C:\Windows\SysWOW64\Bmlael32.exe

C:\Windows\system32\Bmlael32.exe

C:\Windows\SysWOW64\Bdcifi32.exe

C:\Windows\system32\Bdcifi32.exe

C:\Windows\SysWOW64\Bgaebe32.exe

C:\Windows\system32\Bgaebe32.exe

C:\Windows\SysWOW64\Bfdenafn.exe

C:\Windows\system32\Bfdenafn.exe

C:\Windows\SysWOW64\Bnknoogp.exe

C:\Windows\system32\Bnknoogp.exe

C:\Windows\SysWOW64\Bmnnkl32.exe

C:\Windows\system32\Bmnnkl32.exe

C:\Windows\SysWOW64\Bchfhfeh.exe

C:\Windows\system32\Bchfhfeh.exe

C:\Windows\SysWOW64\Bchfhfeh.exe

C:\Windows\system32\Bchfhfeh.exe

C:\Windows\SysWOW64\Bjbndpmd.exe

C:\Windows\system32\Bjbndpmd.exe

C:\Windows\SysWOW64\Bieopm32.exe

C:\Windows\system32\Bieopm32.exe

C:\Windows\SysWOW64\Bqlfaj32.exe

C:\Windows\system32\Bqlfaj32.exe

C:\Windows\SysWOW64\Bcjcme32.exe

C:\Windows\system32\Bcjcme32.exe

C:\Windows\SysWOW64\Bfioia32.exe

C:\Windows\system32\Bfioia32.exe

C:\Windows\SysWOW64\Bjdkjpkb.exe

C:\Windows\system32\Bjdkjpkb.exe

C:\Windows\SysWOW64\Bigkel32.exe

C:\Windows\system32\Bigkel32.exe

C:\Windows\SysWOW64\Bkegah32.exe

C:\Windows\system32\Bkegah32.exe

C:\Windows\SysWOW64\Ccmpce32.exe

C:\Windows\system32\Ccmpce32.exe

C:\Windows\SysWOW64\Cfkloq32.exe

C:\Windows\system32\Cfkloq32.exe

C:\Windows\SysWOW64\Ciihklpj.exe

C:\Windows\system32\Ciihklpj.exe

C:\Windows\SysWOW64\Ckhdggom.exe

C:\Windows\system32\Ckhdggom.exe

C:\Windows\SysWOW64\Cnfqccna.exe

C:\Windows\system32\Cnfqccna.exe

C:\Windows\SysWOW64\Cfmhdpnc.exe

C:\Windows\system32\Cfmhdpnc.exe

C:\Windows\SysWOW64\Cileqlmg.exe

C:\Windows\system32\Cileqlmg.exe

C:\Windows\SysWOW64\Ckjamgmk.exe

C:\Windows\system32\Ckjamgmk.exe

C:\Windows\SysWOW64\Cbdiia32.exe

C:\Windows\system32\Cbdiia32.exe

C:\Windows\SysWOW64\Cebeem32.exe

C:\Windows\system32\Cebeem32.exe

C:\Windows\SysWOW64\Cgaaah32.exe

C:\Windows\system32\Cgaaah32.exe

C:\Windows\SysWOW64\Cjonncab.exe

C:\Windows\system32\Cjonncab.exe

C:\Windows\SysWOW64\Cnkjnb32.exe

C:\Windows\system32\Cnkjnb32.exe

C:\Windows\SysWOW64\Ceebklai.exe

C:\Windows\system32\Ceebklai.exe

C:\Windows\SysWOW64\Cgcnghpl.exe

C:\Windows\system32\Cgcnghpl.exe

C:\Windows\SysWOW64\Calcpm32.exe

C:\Windows\system32\Calcpm32.exe

C:\Windows\SysWOW64\Cgfkmgnj.exe

C:\Windows\system32\Cgfkmgnj.exe

C:\Windows\SysWOW64\Dnpciaef.exe

C:\Windows\system32\Dnpciaef.exe

C:\Windows\SysWOW64\Danpemej.exe

C:\Windows\system32\Danpemej.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 144

Network

N/A

Files

memory/2236-0-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2236-12-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Kgclio32.exe

MD5 11f1f3252749e2f7401cab83ad0dfcbc
SHA1 0acbfd7a9dc48f230b7f495c4f5c5a98164d8f95
SHA256 2aa12eb264b703d1046112760caea24866c0b3ed4fc382dba527a2fb6c131b69
SHA512 36b5f2fb787e536eaa61ed69ecb88a7e3bd4d196a7e86df12b8b979582f2c7b952e88593875c465906850b82418e5022f64822998ddb29f999f08e37c110e90a

memory/2084-14-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2236-13-0x0000000000250000-0x000000000027F000-memory.dmp

\Windows\SysWOW64\Kffldlne.exe

MD5 2959974c63eac1a97b96d958f1a0e08f
SHA1 9f03fd17117f96872b993765b02969e585fed666
SHA256 a7922dd13ac7cb924c8d2e9b904893e90b1db18510a3f6ca97779a673f809b90
SHA512 fe86bdd0c04a900251f766b9b9f464a99eec38a79419d037fa37402019cfc5baabb994766cddf8f264ae4ba05b6b0347ae53ea53d4fc807ff8db0d9e9df09166

memory/288-32-0x0000000000400000-0x000000000042F000-memory.dmp

\Windows\SysWOW64\Lgehno32.exe

MD5 d00942e90f064ed5b99959334eec4a14
SHA1 6d8fd3b88bce008f8bb6d1f5c0641a76d20b0de9
SHA256 3757331e1a1257ee134993f947bd24a2956dfc9522c7853ebbbb3116b40d1490
SHA512 ceca8dd3f1e5fd846b1c6ccd0c9ad0e7d9039a74351e83d98baa14cc6b9b15357c15cf8ca9477fb2a0ddddffdbe99aeab99628cff2480b7f28123feefd1ef282

\Windows\SysWOW64\Lonpma32.exe

MD5 ab3a82becf437ecc07a6335eef815085
SHA1 da2f9d6527806c34d761ca26fb46aa527e68784b
SHA256 b4f0885f342a353033fb6a2d9dc5d328cc7d01798287e86789299ad958655853
SHA512 32b6d33e43928f6fdee9ad8b418efc2976634b4a6dec87bc4429f1367f23cb9d24003cab962dcaea6e6201acf7efdeb9d3d7b91f65e625ebe0ca1d22232fa05e

memory/3004-45-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Ljddjj32.exe

MD5 54c9011d179938c2014def73e26bc97f
SHA1 3d229c1cae0309fb95d3d269c9c45df96fc7c42f
SHA256 fdd999b84954dd390dbe8e8c8add1796d79f1dcb68b9ff5db194945977d38f08
SHA512 913539de45fc2f2007ef6419e6dfd11bef7cefa123d536dfc8461a4d1bbc2a470b7fe3c0778d15b28be513fdf7b19ff99bd81264cf30154677272f7413874758

memory/2696-61-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/2696-58-0x0000000000400000-0x000000000042F000-memory.dmp

\Windows\SysWOW64\Loqmba32.exe

MD5 adb151829d119cadade584df6d2957a2
SHA1 1fc3d0ddb56ece4e3760989b9b785edbc8d942cd
SHA256 52f477120440a053e6c359966f8d8bedef1b2016c89d2ce5a1de398257ed535b
SHA512 c67fd1f6f5e36fd2ca56e9c28cc6c63d63f0ce568e715c903e6ac308f3efa99346c17e2c797ae7a3baa0b96a5e9c0a7ab707609e6359565883f0fca5960dcaa8

memory/2508-88-0x0000000000250000-0x000000000027F000-memory.dmp

\Windows\SysWOW64\Lboiol32.exe

MD5 3cd1bc41ab3792b69584153e82b6d468
SHA1 fbc688da14e9d3aa2d1c0522aabcefeb0337e5c0
SHA256 d35e907f50cd8f9328cc4fff4ca485d6a2645e07484a21f22da961746f94db94
SHA512 e974be08fcf596401b36c81aac143c2564bbf91c0cc44b2c2cc6554fc86bc498652fc9a05083ceb2dac656510bd1ebfe59a7d8dd413de13a8feddd52cdaee8af

memory/2508-80-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2852-74-0x0000000000250000-0x000000000027F000-memory.dmp

memory/2440-94-0x0000000000400000-0x000000000042F000-memory.dmp

\Windows\SysWOW64\Lkgngb32.exe

MD5 e90c9bb2c324c4249eaf17021164efdc
SHA1 9045e1e0a0e104301fafba3c405595a5481a92dd
SHA256 a8287d90ccf62f1d6e979749cd8ba0bbf59d980924ff638dc0d85bb1bd814b36
SHA512 ae5fa0dd007355f2ff2387e9d9b16db1d37c1d8acedd31664be0726ad2374794f2b8923602c7932aaf6719d9e2fb455bd10eecbce41d8f006cbb7a054a3befed

memory/2440-105-0x00000000002E0000-0x000000000030F000-memory.dmp

memory/2932-108-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Lcofio32.exe

MD5 3a02dda04b9117a6ef6a2b1d2120ce8c
SHA1 87990312de61c287ef00cd9c2468929721907464
SHA256 177339339df146105209e0ce14e79ad5dae9be44d2c98c8ccd3e211486e084bb
SHA512 c9f47c12b7b57d10fe4ade08dc11217e5224bf29dac4acda5cc787383ac048f4364eb83756de8802c262cccfc71a45f885ad317335c739d255f262bcd7eb3f6f

memory/1256-123-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1256-129-0x00000000001E0000-0x000000000020F000-memory.dmp

\Windows\SysWOW64\Lfmbek32.exe

MD5 96f7e2f188f347f7d2ee944e09e38c6b
SHA1 ccc11182daadd077dd3cc0619c328296f6d74484
SHA256 d70ef92916e37c56cb172fd5109b49701b0f5adc28e03fd3f1a037ee0bae6579
SHA512 87db13b6e4b90f6377e5a9d6bc5e04b4b402a281b23f4ba5b074258ac5b6affce49a626364ac7495c2f4337c9df3dd0e87b514a1ee91ba45de17765a537d1fa3

memory/1128-142-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Llgjaeoj.exe

MD5 bf51834ade7e72b6fa621f0703416161
SHA1 24c8df6ff9eeac124fcd1e2813c180acaca2d01b
SHA256 7d163e58ffe032b69986b1eb8cb53ecc92f84406fe5381176c8cb7eaeba7b047
SHA512 7f5ff958745f44c0893568da949ceae2539f89b969810a65726369a67d0d818acee245b609e5e2628f068551de3434a6c870ff0eb21dff504a0a9e3429f7246e

\Windows\SysWOW64\Lnhgim32.exe

MD5 bf0459298019b18bf1fd72b7bea560df
SHA1 98ed65e1217d62fd7c991e2a8d1bc3c54ac2e47a
SHA256 faef3d1b703b8dfb7ba790276bb2b5871f472035b986e6a73db8d09faf7e48c1
SHA512 12ef081ec0197527b8e37fad0ef147e4002128d8fe0e224df23e66c47a720a0fd3977f41b12ede4fc3f09f3d948c1df2de2706db74c4e8365e89bac689b2265b

memory/2004-154-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/2408-166-0x0000000000400000-0x000000000042F000-memory.dmp

\Windows\SysWOW64\Lfoojj32.exe

MD5 e9423bd2e62b5c56ab1abde652e1f629
SHA1 ab616c9db8f4c7b3f8c653f5d87346677d21d8fd
SHA256 c6866a21371902c0ced302e51d53100e443b529a81800092ceab24f6d12dd05a
SHA512 937efcf1f58f72dedf260c8ea1d20fe9e1cb18495b88e301fb3f7cf07eb82965a3756f5b99c1b4ad105b32831b59f027adba1554b3323471f2b6d796035fbdf2

memory/1720-174-0x0000000000400000-0x000000000042F000-memory.dmp

\Windows\SysWOW64\Lklgbadb.exe

MD5 013eb7aa83a768604adf8d31a70b77eb
SHA1 eae1e91402deb1575b1889e93373b547057ad803
SHA256 6f18c66af2c99197d5cfc566e95457a8ecaf36dae680b0a0bbfba7fb55d23d54
SHA512 642c4bc00efdd46e82f1a171f1d4df5472312637d92d99657f670def2aa5f436441ab9015d6ccbe7ee4af422898697e51a8f1293eb37873e9c2d611feb36d051

memory/1720-182-0x0000000000250000-0x000000000027F000-memory.dmp

memory/1884-188-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1884-196-0x00000000003D0000-0x00000000003FF000-memory.dmp

C:\Windows\SysWOW64\Lnjcomcf.exe

MD5 5f4554734279a4237a9db69d730af23f
SHA1 d49bcc826413540925d79b7d91da78966e6885c0
SHA256 26703f185d085bb857acf7ba70ebf33c56f899597124514b3e2bec7be7ae85c0
SHA512 4f699fdf69d625d605d4a9fb69f0fb9240540683df53d9678d3168cb6c788646b8104618ade8f1efb7ae2a06f9737ef5bd94aa5c54267e6ed317f6ecc78b9f91

\Windows\SysWOW64\Lhpglecl.exe

MD5 817807201e6ef292b0871b43e4936d7e
SHA1 d78768c63b6a4692a7753b9c35d14913818953d4
SHA256 570bd8b0fe49ce6a8e09654153338bfef188c0a3bcdaaefa0ad633e1941719a7
SHA512 fa8b6c0616e73590ef64b0787050aa093f7463db4d38510396476aaa5619c28732471e2f6d114ac34a853d8574ef792b173cfdeb810495c5889e02fc9f858ea7

memory/2792-209-0x0000000000270000-0x000000000029F000-memory.dmp

memory/956-215-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Mkndhabp.exe

MD5 68f3be8e4f8b057f13b325e5d2ce13c1
SHA1 57b42cb734c8a5e27207e4a083acd3443296dd63
SHA256 70019829ea5dcd0b3127d60922e2821e1a90cfa2dba0ca03013989a2a6032d59
SHA512 32469705a11d419e39fe2561770b347e6df069b37808c4f7947c621fad7b09c8c6ae8158096690afda6d59409ff85f099f101c9c6e8f7c6fc44c2ce7b2946cf7

memory/2920-225-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Mnmpdlac.exe

MD5 bafb622403e4a88539def1a23038c251
SHA1 180ec3f6fe6914c95b9d57c612c80f9a9486771f
SHA256 a1c22fad5c059f3717d92f953bd553196ca45de5fc476d10a310fc6bae65d16e
SHA512 aa2a14d10a243e079006b60ed7f13de687b81a71ee92314afb78f381cabb781f2442b0afda9e354d81fa47f6c33b91b429a9398d132bccc6ae6decaacb395966

memory/2920-231-0x0000000000280000-0x00000000002AF000-memory.dmp

memory/992-240-0x0000000000260000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Mdghaf32.exe

MD5 00841a1cf54d37e20148344043f4558a
SHA1 aba94f583a09e3f800eb161669f53eb3ab286f78
SHA256 fff212ea76bb663b4e1a8bfe86d3f4cba469be621bc6bc87e785e9fe0e0d960b
SHA512 b673994a515726bdab840dc7103443cd99c3dfb7cddf31e4c0fbd1f750dac67c13e035a7c74f43a06b0c8c068cb16d28094d231f7f4fc2c0ddb245347b8468a6

memory/1640-249-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Mgedmb32.exe

MD5 335e577538e81a7a7c38e842256ea02a
SHA1 d62b071020363290d2f05f6cf973945f27d91cb0
SHA256 6ceb29b7b0efdf77b1c6afd88020e8fca386534c1038164c41d4120452b24714
SHA512 2308050e5bec35e122e699dcc57519fb498e96cd73c14fa906ee50e6f3d52cba23e861201d3da21a2483b329ae5af4925e90a9c3e5768b6b207db34244290e20

C:\Windows\SysWOW64\Mjcaimgg.exe

MD5 489c560712aca3621e458b1ab1c8b0a1
SHA1 fdc69c225e6bd909888100377d85b2691a430d1d
SHA256 2ebf0d340eabb71c24961b1432ceace639a4ecff0b3ef589b21a80b834303259
SHA512 7f1d302227fb8570aae9880f48991707dae68b5f36f7d83aebb9ff46ff2ad9f1a40a4a90b8881675c3ac0d32534d13fbd6b3b63075ab7fc123580a085a47ca28

memory/1408-261-0x0000000000250000-0x000000000027F000-memory.dmp

memory/1144-267-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Mqnifg32.exe

MD5 e9f0facc4b809e616ea11317c46afc40
SHA1 055a161c9481ef058cf7db48767eadb61d46ea83
SHA256 f2bc9e85a8e308fbc4f65bbb15b8689c14da89ed3f42a6d1635557ed6daa4c59
SHA512 77a2d1e90571b40a7ffc2ec9b038e9ee88e8843ee095c5903ff9680e8c225ca4490b1e28599e31440bd1951503ecc7e39573059743478ac1b9288261cda9fa83

C:\Windows\SysWOW64\Mdiefffn.exe

MD5 3f4630a063c62601fede34f67f4abff8
SHA1 53ba7438eb2fa7b3fc3112f0287d6b90926b1801
SHA256 6cc84b8ef2f1c85dd0811b21749adcfed9d4737c49605988aa822dcf66450569
SHA512 91078844cee979f8c51d4ebd94eb3a6738748502eb64fa884316a35b083d526915b33b2d136bd20e8b4483ce6ed759d971c696795b3b5294391d49f8a98f6daf

memory/1704-276-0x00000000002D0000-0x00000000002FF000-memory.dmp

memory/852-285-0x0000000000250000-0x000000000027F000-memory.dmp

memory/852-289-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Mfjann32.exe

MD5 4acc75addf0929443ed2487d399abcb9
SHA1 f66c3bf67baef30117e137f188e4bcec54b2207d
SHA256 ea769d912b0ce0fbe4ae93352f270bca70238784a8b1b9ce222db5616663d6a8
SHA512 8a21cbec20b892fa5c7fad353fbffda0423bf4d3bb30b14a066d069b94f5df33f0ab6247d1cdb1e6a4af67129d33d9ae65fbeb369da9183337956a2d2847b515

memory/3064-294-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Mnaiol32.exe

MD5 85c12021987df14531dc993127f7572b
SHA1 840682aef5aa7fa91a71a03a5c037338b2d114b6
SHA256 68c33044ea0873158ad37ee885c37056db84ec892d25173cf08e056a4eebc107
SHA512 9eb0e043620579a472922880f6e9fecb8730e6e6c44707e52e7984cf35fcb28ad235dbfcbcc678a8e501f991e3be20e7a4c982407edb7117d0eb9424a37f30bc

memory/1992-300-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3064-299-0x0000000000250000-0x000000000027F000-memory.dmp

memory/1992-306-0x00000000002D0000-0x00000000002FF000-memory.dmp

memory/1992-310-0x00000000002D0000-0x00000000002FF000-memory.dmp

C:\Windows\SysWOW64\Mgjnhaco.exe

MD5 f12b42d0ab31a1e0cc1a616d21c1bdba
SHA1 3026690ea187b7ebc308d079441c563211a4a354
SHA256 2719d399a4140b67cb4c42f3d7783a39917cc8c14a75e0ab17544c023a0d4d53
SHA512 a2efa1c3f1b3ba20b130ef9da6e4bf995f2f556203f37ff564670655ad1ef08bb046f037be49ade3bf3e5466959ce0f4206e7b92a903c37c758e8622e923196e

memory/1508-316-0x00000000003D0000-0x00000000003FF000-memory.dmp

C:\Windows\SysWOW64\Mfmndn32.exe

MD5 3dddf8283fa3935155685291d1a4f23d
SHA1 bca95ede891d58976a7b43537e48f5c4e34c30ec
SHA256 be57010cc8ef0480d55d2a301724817658340447dd0af3c1a0495379e1a9275a
SHA512 82dc8f4c287e994d20d4b7b36c732e1e55c1dc67219a540edfa0e6af2709e94b3688f8a5a2d9eca3c7927ebf46e37cca5b187f9e90f04cf20ed24a2863676804

memory/2312-321-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1508-320-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/2312-327-0x0000000000270000-0x000000000029F000-memory.dmp

memory/2312-331-0x0000000000270000-0x000000000029F000-memory.dmp

C:\Windows\SysWOW64\Mikjpiim.exe

MD5 4336eec98653c7733d323526ea6138ab
SHA1 2b571667d640a50f0f67ef95ab4e82b442b0dcba
SHA256 a7cba7c6e58bc9480ddd93ada8efabe6ef76b42ee11a0a3e0eb8094c06f08ae3
SHA512 af8cb1c5f6edea5c9bdebb42127878d1facaf20fa397184097e5e564a59d749dbfc99392ba204f1268b07ec6dc782d31963c3eb57c053ac74fab3f2abfd3362b

memory/2372-342-0x00000000002D0000-0x00000000002FF000-memory.dmp

memory/1656-343-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2372-341-0x00000000002D0000-0x00000000002FF000-memory.dmp

memory/2372-340-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Mqbbagjo.exe

MD5 424b212ea529d18929a5f7c9631097df
SHA1 b009ac4f25daf1818a08c0c79b96743f2e702343
SHA256 8c89c100255a8498d1ac448bc4ded709b36a3e0c3378665ce0d314e04955c375
SHA512 ead7ef640893d889b83d45e123803c1a181803663fb124511ec91485a6e58c7032f8a53fa4dbb7235b245afd9d648065735c7627640901dd689a37c6d22ff5e1

C:\Windows\SysWOW64\Mfokinhf.exe

MD5 e7d6e68b89532ffe36a70057e71defa0
SHA1 37b07be40b4ab531cd0ea8a28c748ab3df0c6bee
SHA256 7d3d1aebcfaf08e32139eaa4e8ef1368f73004d891eee8334e454074f908f469
SHA512 4928ee6f899975ec2b9b4a9577a261b7c31ad6c08c09c2a7630b8922805cdbc1f234aa0c37873ffe6460835253414f54f85858ce834a8321fc46c77be7a857a3

memory/2236-350-0x0000000000250000-0x000000000027F000-memory.dmp

memory/2236-348-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2648-356-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2084-354-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1656-353-0x0000000001F20000-0x0000000001F4F000-memory.dmp

memory/288-362-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Mklcadfn.exe

MD5 8755dcd95353ad5d38279d6fc5ea9328
SHA1 e5655525c049d5cf8d68c7bd899b45775c4b4024
SHA256 8e2108beec9fb71e074015ac828e2adfdffaf697cb7c407637ad0ab11a38efe3
SHA512 6f27ed31826f288f5f28d7a1e8fd6601a84f302dc72674368d0c2e755d44fa02382f6dcb146bf9f01cf266c8d48fb13e7ce81738b3fabd26018156a031d0b89b

memory/2740-366-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Mcckcbgp.exe

MD5 79667112a4662a25a4e9fde99347563b
SHA1 d02d2e6789cbf478372cf6fbbe086b8e84c064f7
SHA256 704d8b6e29a63d4834bf0c4ebe88581fbfe151f21cc020fc5ce18603bbfd8c3f
SHA512 aa7a74d3dacd5b31a543c799264f44ade4f5789ac3ee24a7eca46ef304090e8e6c9598bc0a7e9f6d944ddfd4eaae06e5a865dd6a553d8dbd709c66cf9e682e1d

memory/2484-377-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2696-376-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2740-375-0x0000000000250000-0x000000000027F000-memory.dmp

C:\Windows\SysWOW64\Nbflno32.exe

MD5 1e4496652ed4257c1b36d6bf938b3c90
SHA1 c36630b6615f923e122fb956440ab4ae84ccf0da
SHA256 31198f909b56aacf87441220c14c6989ec057d625dde68c34ff930e40e86cdcc
SHA512 0d59f811705664bf03ff877de298dcfb8e5212ce7c2ffa57e92d458f152f04309e14ed71e848b8a6a3f4eae5d2ec7af2e702bda78932529b80147ac3d0bfddba

memory/2564-388-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2484-387-0x0000000000270000-0x000000000029F000-memory.dmp

memory/3004-386-0x0000000000280000-0x00000000002AF000-memory.dmp

C:\Windows\SysWOW64\Nedhjj32.exe

MD5 ac51a5d68d079dd15772548cb2b2d809
SHA1 7e1726324c8a46a029eff9b112555acbd1109107
SHA256 a353c4d873d739d9369aa2f8f5f90ae315d1fecdf9c8339b35b0e7d878f205a3
SHA512 6049ad887bce10d303617062c5b7e55f70178c569ed5cb63410af2bc5ffd61b8a7e87a9769c15634726e0e1f1d64c9cc83e6a9e37a5b66b244a39ca5261ba85e

C:\Windows\SysWOW64\Nmkplgnq.exe

MD5 8575ede4b7de5520383c19d489b3f3b1
SHA1 550df7090e846f06b61c81dddd4c00e4fb327719
SHA256 4d035d4ac7dbe06d2a1d171198f28e374134e31539e57c484f5716460aa7de4c
SHA512 a4cc9722c1b247180c555ef2f3dde4abd9c6a9b0b83efe38c93a427a53b5eb196fd196e4ba05067939daaeee049e7b00a3d08e0e16734121d64636ec4d1c2b79

memory/1868-410-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2852-409-0x0000000000400000-0x000000000042F000-memory.dmp

memory/352-408-0x00000000002D0000-0x00000000002FF000-memory.dmp

memory/352-407-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2564-406-0x0000000000250000-0x000000000027F000-memory.dmp

memory/2564-405-0x0000000000250000-0x000000000027F000-memory.dmp

memory/2508-416-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2852-415-0x0000000000250000-0x000000000027F000-memory.dmp

memory/1872-428-0x0000000000250000-0x000000000027F000-memory.dmp

memory/1872-422-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1868-421-0x0000000000270000-0x000000000029F000-memory.dmp

C:\Windows\SysWOW64\Nfdddm32.exe

MD5 ee30242fdd414dcfdd2771cf83fe5941
SHA1 113887dc58e89fe4e53eebaa112344744a2ee4f1
SHA256 ccc4024e29c2531c692832ab8bbd4221eccd27882e52359477f42d3d4fc8264b
SHA512 abfa74b853c475b518046dec098f462a793f78a86b3685c22cdb394ac4c70f2f159c5c9281bee4434b2db3aec60c8b33b25f6b719aa01de9d12a5c0e55f0c4ae

C:\Windows\SysWOW64\Nefdpjkl.exe

MD5 c8a843cc4760348f5a3de154545d7287
SHA1 f6f64f153affaac29360fbe9230ed098f349b01c
SHA256 cd2eb27653ebaf0a5abf89f05c164f1e88e6eabf5a4496df07be2d5b7a17f0d1
SHA512 3d9e5a5d7cc6d3e20d3f9b840687c766fee547b027d59e3c884977b2c71bf585ffd48e97da2b690db94fbebc9deace7f1c95adc1b747211f9186a4e7ee1b5f4d

memory/2440-432-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2380-433-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2440-438-0x00000000002E0000-0x000000000030F000-memory.dmp

memory/2380-440-0x00000000003D0000-0x00000000003FF000-memory.dmp

C:\Windows\SysWOW64\Nnoiio32.exe

MD5 b9971b44bbdac7b4f113619e63a28343
SHA1 58f47a5e1006d64709ce8b141639f0481b1e4145
SHA256 2a32e93dc5633044fc7f43213e7f5e06fe9be7d277deaea3362007aa9386c601
SHA512 330fca07b7c9be5ed4188a2b948a8e481baec920306b5ba7cde2fcb90ba50a60cba4f8e5247780006a3921e47b32ea7675525b2b759a80d552a89154edc38738

memory/2932-453-0x0000000000400000-0x000000000042F000-memory.dmp

memory/108-455-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1256-454-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1844-452-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Nameek32.exe

MD5 da540fa2b0d92f236ba17284378abc32
SHA1 93ed572cb1b713726720337158c3f145a5c9955d
SHA256 c48ffa52f56632031104f2394b7574da483ed6834de62696d83fb7b365bee4a2
SHA512 756e8f0681fa8de8426830e11fecf5a1597de5a28d84faa680af55b82d67d638695e850d6412973a087cab9c3bf760a6077f3d715a387c7e96f395d42a6097b3

memory/108-462-0x00000000002E0000-0x000000000030F000-memory.dmp

memory/1588-465-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Njfjnpgp.exe

MD5 11381a82f9902e9d0929ef466de16e95
SHA1 7c94e4663a13e50490d8245201d30d79764471d6
SHA256 493cabd6f912879f4dcfbf328a14714a342ec0ad77e9481b709ad1d01870f251
SHA512 74a1456a684bca6d0bf3aab825f899f35cc30536e997f9b905cbe7fa32faf8443e6f41e0bd701bc2e1ab0be9fb9db0d4b7708a794d43a5d1d41031b142072b01

C:\Windows\SysWOW64\Nbmaon32.exe

MD5 5f8ce14c8f076c955cba358da9ab6be4
SHA1 135436da61d3bd02e4f2620845d2b56c61f74594
SHA256 2e342ee5a5606559854239753864ea25b57cf5ae79505cc425b0d473cce86c9a
SHA512 88eb22fb8d915e7ace6b54156d8b1d33098228eb114a063889a358e26e65de3e309281df71cf22d81af3e3c121a6b89a05952be580532cba82f07b531658976b

memory/1588-472-0x0000000000250000-0x000000000027F000-memory.dmp

memory/1128-470-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2080-482-0x00000000002D0000-0x00000000002FF000-memory.dmp

C:\Windows\SysWOW64\Nhjjgd32.exe

MD5 94a9111c2584f128117ddf6a09192a6b
SHA1 a4d4757e6ca93a13f858dd335aecd04e6df6a791
SHA256 01ed89bb33a3862290a4d2553db29fa80c403be5534751daab04aee2acce5401
SHA512 8f3784d89dd473f20659652e7b1fab509983c0f3c3e510e0c369057baa2b0044f3b1a4f5ad38bd25c860bbbd7165d43bef480697bdf13765b957ff938b90318c

memory/2004-480-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2928-495-0x00000000002D0000-0x00000000002FF000-memory.dmp

C:\Windows\SysWOW64\Nlefhcnc.exe

MD5 4336185989db296899a9b8af2c81e6a9
SHA1 84076ee52e9403bde5fd8b2e7698aa529c9bd30e
SHA256 f3e3ada19e4987efe62e8c83ff14b302592b524f00c6e41e6a00fdbb1bf10d58
SHA512 c4628047aba1b1725ebed24bd312a9f6a1c04fd77d2e986a967ab8b32b886df9dd2666a29fc40e80af915b0364799f01086324d73db4970a2cfb64d37cdd5dce

memory/2928-490-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1720-500-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Nabopjmj.exe

MD5 82bd63b321f5adbd1faa2be55a8458e9
SHA1 def41c3547b2e42f98fca5ba47ade1f3b77d3d6a
SHA256 1b49697c4457cea1287bd0bf4cff30197288db1bc2df2122a75f3ee115bd496f
SHA512 ffd023171e654c0764789eb6a8e76c4b8a17aeda778555f6c0d3232a68e053e45aaec679c47a7fbb89aa1cd8d2b6b3266f8eead5a8fc26c8619e23e1893e4631

memory/2376-502-0x0000000000260000-0x000000000028F000-memory.dmp

memory/3016-518-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1624-517-0x00000000002D0000-0x00000000002FF000-memory.dmp

memory/1624-516-0x00000000002D0000-0x00000000002FF000-memory.dmp

C:\Windows\SysWOW64\Nenkqi32.exe

MD5 f99331b265731a4e18c89da8057fb423
SHA1 62ce3e0d098ca105dc8d3ec1918df154725273cf
SHA256 a0bd0132bd05dbdc8326e699c0be1a367bf75b9e93f1ecd8f9d6143d358db192
SHA512 7bad17a7dead998072c8574dd6c549bda26a16b43a00ecf0183e56e635a1ae953c617d8a3527cbcb703969b97998c1f2c42e093765b0d4a18755285ddded2e6d

memory/1884-510-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2376-506-0x0000000000260000-0x000000000028F000-memory.dmp

C:\Windows\SysWOW64\Omioekbo.exe

MD5 4a5d6cae5139ff17aeda8223ff98c980
SHA1 d189e82aeb0afeb2e6df91ac41b4ce991a30f0a1
SHA256 9cfb9b2f316047b3b37605bafec5b69df3d7db5da2e64a83c16ff0dbd303d9ff
SHA512 f20102597757a0ae77400c2f53db580f7ffeecf5836f8f6bc2f8c9a474b0931c4f338533f8131136e578ccf05e13d7471d272248ca27cc13eb841dfe4f158286

memory/2792-524-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Opglafab.exe

MD5 b3f5f0d5a1767a8199b4300de42d73e6
SHA1 eaf5913111cfc64e0c6106892f700366a57eb15f
SHA256 eaf1fc6884da38b1a6bad9ff96efd36b04407abf1795999d96a4f25941cc537c
SHA512 f9c1f72e29e53d24c934fcad60242ded67a18316051d980e7eba1258f2ca89da3b481069fe8a8791876a4dd2bd333f0da9aed060b90623949cab60404cbc1a48

C:\Windows\SysWOW64\Ofadnq32.exe

MD5 b277babac8267d567c9dd7e17b96aab7
SHA1 6d1e184b6e9566cdbb1067f92163c9ef766fd503
SHA256 f376c2fbf8b8f1a277b434cfa8b08db6e8ff03e030adb866990b7942c0223561
SHA512 c90f37222b568013f0f6553bba42862109caeaa89cff67c70fea126707e79a06bf6edf6630409b4cfa362e9184a9f2b582efcb489dca38a93840ffd83b4d2498

C:\Windows\SysWOW64\Oippjl32.exe

MD5 f745113a10112d9ef8950dbf107910b0
SHA1 673149f2ae95c9dea5b6639a87e7fcc3457bb78d
SHA256 b1bce3be8610e14368d81b982981625e1328ec7a0bf891a5b6c08172f23fb8f3
SHA512 312463b8d3f6f31f07cd9a2ed4d8917fc071c6fd102b1c16aec7c90b1d2d637de70ded822af67142a247fb1ff6be745f890f31c77a1b2fab9307ec28e9c982f5

C:\Windows\SysWOW64\Oaghki32.exe

MD5 f375ca6e35af1fd615767b333926abc4
SHA1 1463334cc6752212e3d93acb3bce25afcbf85f32
SHA256 84bec85aa9863a1379c8092cecc769121fb2eec99668740d6761a556672b8fd3
SHA512 d9649dc0ca98f9eb0f1768531867a120aa695132a1b33c9f49ff80890f1ab94b376d39091c722400d21c89c82461e9c8ba9844f2d150605f8028019d906c6f3a

C:\Windows\SysWOW64\Odedge32.exe

MD5 76133420f448fd2b57ffd695dfba21c5
SHA1 97d5cee7fec29887394d4ba6f99ba0dec82986db
SHA256 524fb0aa18f034045fc96fa299bcce0aa8c9486b6499c621fdd25a5d258083fe
SHA512 05fc6e0a252cbcfbf08e94d48c4239373149cbc468b966c574934ea5dc68a79dc21d80805e05100f29b9e3a9832b302befcae9c928dc87f92de7ef438fb1c1ae

C:\Windows\SysWOW64\Ojomdoof.exe

MD5 1a15f501d7bc7b32c38bcd30818fdf8f
SHA1 7fce2b5e56391d3dd16068f2f497b84955cd3384
SHA256 b110666829025985680f3ee25937bb8fd837c8403c7f65ea5d2271150ec5c4bd
SHA512 72da55ac69b62b8579ac393b0a4e5663b966f9dda95123ba97e3eda943b2ecf3ebf7c3d3ae66e26f7b08042bffa3baca807832adfe7f26135a3bcc31c0d9f2c2

C:\Windows\SysWOW64\Oibmpl32.exe

MD5 47d7d5ed630074e8f1764eeed4929860
SHA1 e90886cf45f40b3eece3c528c17780ba4d6f068e
SHA256 f671f27e83deae9a9d343abb221cb270a4c209296e32f38670a13c08cbcee7d6
SHA512 cde23811487cf45f13402df37f5535f1784f0eb1bd1e584e3d58517d3765b00588e87846cb678b91bbad1b505a9d1c3e9cedda9458f1ca66bb4f6b8ccb05cf51

C:\Windows\SysWOW64\Olpilg32.exe

MD5 485f64ba8e74e011d467cd443e7d2d1e
SHA1 5956a6f8798a2bd0a9d44e65e975d5a9e48a4a4e
SHA256 d710d5a15cce4567a5d42a02caed0dd1f48707b8de2c274e06c69cefa670ae5c
SHA512 1d8ab1c3542d0ba6715d3c73ffd2639b89cd840fd785d868aa0b44b7c5ac37ca114404daa8f1698adfc899d0dbd3673d904beb79ca37aeffe98b4d452d7e1c38

C:\Windows\SysWOW64\Odgamdef.exe

MD5 21fcf187e9945559bd43f64e5a162d00
SHA1 661ced8d0e71f4f728ab954a0bff6a5f7b3752f1
SHA256 f71e86961521c20f04bcb9469fa0bb377a1b499643bc462e33d5c9536532bfe4
SHA512 52e107a0bbe52a5be7f6dd005b498028d563fd0cb19dfc5b934a450815de2cfe01febb4ee6963692d6c59ac42b0be5e28e46560937d3967166c1a514e56f4cc1

C:\Windows\SysWOW64\Objaha32.exe

MD5 acf396174bde31d27be312e89e7c5e96
SHA1 d09cf4443753eed7cd8eba64e4c7d382be70c847
SHA256 b9ead3c891c95e7a86ea4856d176471413564ca84bc9cf4d00a6a5f9773e2556
SHA512 ce7aef5665645940ea82e9ca02752ac680a93e7ede6bf92dfad6a0815c9dd0b2332e73954cdb2fdae28580a62b396ae232fe93b64b30e0f4becab29070544a2d

C:\Windows\SysWOW64\Oeindm32.exe

MD5 ab55c75e187fd677303af7322b6bd6bf
SHA1 fda71ac2d35565aec36bec1e7d08355e44d31e47
SHA256 914dd964e856bfd9778d8308796ce70c83d0b1d1778764fc5891f93115bf4134
SHA512 8034a7ec1057fb5f566eab44acc1a1a3df68e82505d8a5cc3c6daf106305dbcb470562e9b92fa0b8e21f8ed90350ba3aacd7f1df6eb51b156b60e6c2b6fb47bb

C:\Windows\SysWOW64\Ompefj32.exe

MD5 17bd5db34c9a10ce7fb6d0e25e35e8fc
SHA1 63f58fb58eec1dbc94a058411f0d434102d6389f
SHA256 5842738a3b0c0afa4337962ff95188f5b1f909e2e69138d68dee48e574598e0b
SHA512 8a346e29062b9a1797dae0a6d35aa47cc719d84d15bf2831a3be51d6b8394925efc8cdf6b3b858b45e02500435f5800e0a5d2d4f75eb83516f9212acad76c96c

C:\Windows\SysWOW64\Opnbbe32.exe

MD5 d224e864c90c3c3fec016659f7a687fa
SHA1 e7023d8f3e5a82d3a5edd00a8fcf86ee8c4d2f2c
SHA256 5559d365fa5c48a3adde04a88079306d3a6a3eb6045d55148c4dc55743444380
SHA512 172ec53cd7f3d092e44009b6f89e38b8f52358c8b59afa935404c586c6ce9f40e37c60a8f6e58027b6654907c15d3941cad2706d414edac6df395c69963ad2aa

C:\Windows\SysWOW64\Obmnna32.exe

MD5 49304bced528025cfda81fd7f4d32bd7
SHA1 57060333f7eaa5736ae7a1cf7c28eed03536f76b
SHA256 a946d81670936f420d4478385aedd43e1b10c0ba1970353d44f4aecdd1c543cc
SHA512 697db483d0279d8e5a5be5daeb3d8b658f5d789055432c340f6be229acf377309213e5dd66165196492ba63518f8a9518afd136209f81a1ebcbf91ffd4f4b4bf

C:\Windows\SysWOW64\Ofhjopbg.exe

MD5 48beee6366b8a08a0f9d1bc7bc95cd87
SHA1 153e6375eb1739184cbbfccc13169f505ed7c525
SHA256 70768b1146637c25dd28812a929982b250ccaebb4b34ad5e0ae28f67c1b83c08
SHA512 7159ebf9654bf8c985d6d4d59caf9203a02bb6ab0f3e3b6a1539c9345ff05d73bad7f2a82fbbdc0665ab6558637fb51baf77367f3e4299750bda6328e7745cc0

C:\Windows\SysWOW64\Ohiffh32.exe

MD5 d7cf04190ec2e757cb47ced63486c618
SHA1 1bf396237585d622e773e1dcc1a8c2a1ad068ffc
SHA256 ccceab42f68a4fb1907dcb478d16b5a9bdbf3db822b48b7aa81f97c9782b830b
SHA512 661bd6327ba4528b700b54611d9a0aef8047a9c423390c474029d83723fd4bac91c026fc9933aad3e2dfcbb01c2688fa6d004a19b708125238ef9bdad5c4bec2

C:\Windows\SysWOW64\Olebgfao.exe

MD5 e02bf5c65f62b8b090980abedfde8bf5
SHA1 df465da4dcadcdd8af9b10bf8443beb0b3391495
SHA256 2d64ee31efe5c55f7d300d6b111462dc4810859349ff6f9c2294ddddc944873a
SHA512 74f43ea150d9df30b025cceacc04fe617c0b2d13edd78104327e69ce6418edd46b7c99fec2070a10085f3dc179dc846071c9238c1a65c4c53270f69d6c74ef47

C:\Windows\SysWOW64\Obokcqhk.exe

MD5 55bbe372ae0a2aa3ed175042271480ba
SHA1 3ca4149bdb859cbfdfa27db810da7b4cb2aa5d93
SHA256 627a24a15a770d6e40579a5366d25b012e3620e5aa5d59473c1a50f1722d9d4a
SHA512 851654d698f4cc3341883a00f17f35fa250c5b91df677d311b7f709e3a471212844ffc6d220e289a8cd6db009b9964694f59563d8c6a1beec95c968fd5022ba3

C:\Windows\SysWOW64\Oemgplgo.exe

MD5 fca20007eb6f3007177e02ad5bfc41bf
SHA1 06ceac193d365d0a18078047d82f5f802ef6c5c6
SHA256 2921bf50aaa359ac8d942b0ee2e00aca09d48d46e35d503af3f51e0572149fa2
SHA512 f837b7e1d75a5dad07a3e9c13b270142589dcfbcf5082d3a1cf9a6660402b2b92dcf2a7f80e383a50139310e3afb6d45dd98781482a66eaf784f76185f4c3fb4

C:\Windows\SysWOW64\Phlclgfc.exe

MD5 f64a90d2842faa0db26171577845eebd
SHA1 851c31fc680cf5e94f75c61cd842f9388506e48b
SHA256 14eefaeb0bc6fc0a8ca02c90618fa12edce8525d658263a7c4f2f493c5a531f0
SHA512 bd35f9e8fb03071d5a6db4a05b3529a6223e4bfcf10979a6ebf3720c76e2f465786f10c30748cb4655b7ba0804b25b48f2186c74c28134079b488248d42e1735

C:\Windows\SysWOW64\Pkjphcff.exe

MD5 ff31460a42f5411ce9a794490d39cd62
SHA1 38544afa89fed8f6806a5b773f1f2985f8012322
SHA256 8839dc4e440b288094208fc01a874ad07b6eee4e7aa0a5fd82a305a17eb9cebb
SHA512 efb4cc58b79ca9b4a7ac8598efcf09169a1555ca2fd4258477c3c6e5cf4d61064779dadb9baecf2fea3634c9e7519b5353f7bf42eb570c210dd7a9659ef62ead

C:\Windows\SysWOW64\Pofkha32.exe

MD5 64693acdb68af6330bee8820eae8d462
SHA1 d820766fd9e764f530741aafb232d8b24745fb2e
SHA256 47d088591e32b2968feef5d177a22d3caf7baecc087599d1d72e3e1a866736d8
SHA512 d073cdd157f6ad169bde8081b083a2982ccf280dd2829d4b18d367e048dde3e1db4987fd5673e25d95e99a09f830376170751a66f3b3f4a3e51461c2b5cdd665

C:\Windows\SysWOW64\Padhdm32.exe

MD5 8bd8601e1f68c2108ac363b27baefebe
SHA1 11a3ce1b006f067fdc2782307fc1a1097e6cbfbe
SHA256 4ee6c4668e82a97f8ec22d0d86adf9c3e02ad125348a120569c0369bb2d13d45
SHA512 30593df833eee8fb2b2973723bd071d71ce98aa7ff8a3390201ee57be234a25e9467630540475d88e2653b94642e0d16d5c7d15c927b210cc97f7f25334ffd7a

C:\Windows\SysWOW64\Pdbdqh32.exe

MD5 258dd5010c4f3dcb89bd79bdd659bcf2
SHA1 d526482379487563f8cf2f064432cebb47ff1d85
SHA256 c5a2e2587c356751cad2b6ec5db5aa73b7c79fd79171fee2d0bf845452790869
SHA512 08f5b88872507a9ae014c4d66c6580e58ca4af47e81fbaa19dde8a93c0547577cd40bf803c47e66a48d18fa95446fc1c5abf792a204f8a3ea5563e6c9acde2c5

C:\Windows\SysWOW64\Pljlbf32.exe

MD5 976d0f834b4558f352d35a5e1c07a34e
SHA1 3c06e6aedfb7a58fed4e4ea871479b28839bb659
SHA256 1b51a6888343387b4bbd7b0862de24af4d830c38965190c8097fbb65b961c8b1
SHA512 b58ed9216fe9bf3d3b337bfc77fc765115496d48584e08dee812db68d025e313bd574d9cc89a5efd14e71309c037f3448622a3cd892b5fc603406b86c2bf0adb

C:\Windows\SysWOW64\Pohhna32.exe

MD5 49df378090453e798dca2c7c681aa152
SHA1 24eb28307c4a48c614d0e08191aa9c50dbbb3e89
SHA256 ae04696726ec246209a58ba6e6848a8b3412b6a9bbb65fe52702781a0a4af01c
SHA512 6593986a5a1a68f02b896434f308f1bd02bfb49fda87b32fb08dc87ffb28817fc938a1bdecd82d59ab8140e1aa8304f63051cfac2ad9e056ed51f77e84a18ee4

C:\Windows\SysWOW64\Pafdjmkq.exe

MD5 4c7caf2174f2ed3fbfc56258ad48b222
SHA1 78e181df7d8975c5487424123e4b74d2227aa24b
SHA256 b39c80edfe75eeaba1c8030a01952601dfc39d7c76eb11a583829ccce74b2335
SHA512 cdbed254ee4fd97e080d4c4bf01e47ddfdbcd98ef484a47ba0dec675b6a76ec600b16f3e1730158bce16f11ec86932d60a8c83215c8793df0d064ea3120d7ebe

C:\Windows\SysWOW64\Pdeqfhjd.exe

MD5 9c0157f23b12d715cfb69e2c04f8a79e
SHA1 dfc469d8e244ffd2033ec5fa1d67ed5119cad97e
SHA256 57258f48666a18d9b7d3e92be27595d8dadd8d6618e35027603a050fe56c607e
SHA512 5e74547a7ac0ced4c7c58711e939a9d541d330bd17d849f2837c5abe7d3b1838357d488a22542b7746411e3c50e68c493f53c81f09a02e788296376b038be103

C:\Windows\SysWOW64\Pgcmbcih.exe

MD5 90fc767f107732324681e0b316e327d9
SHA1 ebb544e9ee49a2b56a5ee73ec78867b6847a578d
SHA256 1595d5c268585af91712d4e36b7729ccc23e33939ea847a32a5e4acc13738a7c
SHA512 a05f1e8f9a3a99550283adba37f76322ac161bdb234d9b3420162490626d20b5949b562046cd51cab507133c640103425ab7479e9799f726be757feeba881f03

C:\Windows\SysWOW64\Pojecajj.exe

MD5 c56f14ec5cfe0de75926442c4cf38c42
SHA1 fb13b03dbc2c8f6b5f823eb80209e73acbc76607
SHA256 cc2a24e45967504d1c79a4a0631bc16f8d1aaf78c7cdfd7ee9aaeaa4d0bd0757
SHA512 a0a9a524f1e27f3d812bab8732e84a73af5343e04cea9922294148ca5cbe5d4a66a2f3d5362bb5ac0758db627bc8a6878a1b9618e6f938a4568cd91ed67502cf

C:\Windows\SysWOW64\Paiaplin.exe

MD5 d86bae3dde981f63c19d1e84317b32e0
SHA1 e02d0cace4807b4b7c8efe4b2263b7ddd4fc3352
SHA256 9823171a9a94b8b1fb2a311b5b0a15a7ff2b70df967bc4a6c6910c83abe75c3e
SHA512 558b63e13221d70cf495a7aeb3a97d47fd188c5b21df98a1a3ce27a09bb46ba7d6e6a32da1afa55559ac71ab3a40e92397fa5e268bba8a643fb032b27e3ed0bd

C:\Windows\SysWOW64\Pdgmlhha.exe

MD5 a1be2b9edff91f7f0b03ef7d7def4212
SHA1 25631d1fc0fe1d3f39f3d5d4b9b89deafeda438d
SHA256 d043603796f43cf89d342f9bb4d63b24c77d6b97b06396a51fd534cde5e44a21
SHA512 3cc114ff23ec038cf13d74f7a744f362b60cd2fed5f596487ff6353fbba57794b42df07274dfc4bd1a8c010b991bf1f72c5d56999ba1491467d0efcbc194c385

C:\Windows\SysWOW64\Phcilf32.exe

MD5 da345341ce7165b05ece452fce5b0885
SHA1 2471a894774bf3d7de84db2b83ca343572d192eb
SHA256 23e30c356b9b9979fb40e3d8bbb76c8c3d9ced7dd138def1a24315c82263dacc
SHA512 26f3485073d22bc227dcc2dba31f61bb96db2f55d0f4582aa3d45a1524b175aaa503296087dc6ab13b7d5663d0c3c8ea639d448a32b3e1211911ca8bfde52e54

C:\Windows\SysWOW64\Pkaehb32.exe

MD5 52168b627f648cb834a248bfed6e7d87
SHA1 d960436557e492fd4f285ba372b9ceadd3f8c2d4
SHA256 79de282fe42208a8d72117754f12cb27c33445114a8318505c4fa96ad83406eb
SHA512 dfb7a484ee23d6726e1df5c5182aa01044f52d6a0cf93d4068ca4e938884a1fcf47ee6b18e3c1e31eb1df8613d8c91ad9ce100fff2d6e4e7f118999b9d17608e

C:\Windows\SysWOW64\Paknelgk.exe

MD5 a87cfb610a8f91b1f2931e55cfc84aaa
SHA1 cc59af64b50f0637166cd9781dd9a000c031ca12
SHA256 54ccc2782740ac7916d8b12dfc83bfb00f0774439b79ddf6f6157bb2cf72f1e5
SHA512 3770e5393cd784384d9171c27a74948d3b9eed8ab1021d5038a6dca9df864aa0e343d8b27565ff1c69bb1ce6770546892f9f15bc21c68fba0dcf8648e8dace9d

C:\Windows\SysWOW64\Ppnnai32.exe

MD5 1eaf91b50fef2ae35ca8e917e1f06f41
SHA1 c201ec7481cdff4923ab452e74729c59e7c31c10
SHA256 0c403f77dcb5d7fa71f1e9a52f60f625311374fad2b3f99ae7f793700f1adcbb
SHA512 872a3e3d3374f6bf726342d6970be2b59a1d85d2338bbd08bb41db72700da2d73fc4a3428b85afa53d41b477982c930c2078fc7f468125228e5828923d46bd7d

C:\Windows\SysWOW64\Pcljmdmj.exe

MD5 dcf26a955d1819c60a72fbaeeb3dc1ea
SHA1 d7708788b0b3a6a9ab73bfa9aec20f6d803f049a
SHA256 04c079f2967371c0b874d50049f2debc1212aa7fe3559016376d578f2e5ce23f
SHA512 35fdaac96756886e4413baba3caccce33b96284c29fbe3c436e7fea72e53eb70011a53440d3c3afb0721a92dc7a7608139d07427935793833fa5f2ca301590e2

C:\Windows\SysWOW64\Pghfnc32.exe

MD5 41f02f2c827cf0bdaeb05d4e16033ee8
SHA1 5807b0fc38ee0545f0ed95de72b89e039e842277
SHA256 4734293412684f3767606da57efe9bf072b1eced605c5ab976fa91ae8fa98357
SHA512 775ca4c8ba52ecb37207639a45f7576452ef4f4878e72aa2e5fd8bd2aec0e7e443b7fcfdadd26846bfda5fd21add5272afd763b2ba8c45b31bb44cf84b45d382

C:\Windows\SysWOW64\Pifbjn32.exe

MD5 f273a0d0514424dc55bfda3bc943880c
SHA1 d95b24ee8fefc0ecdf5daa7fec9739e541c04acd
SHA256 a05195a348a1fb6bd439f5dcc6faa189a66b7db98b5db9c96d76be586a0e6f65
SHA512 5540848ec9f05f22cf8f79e334f5a73e57bc7dd31b44fdd9fa2b0e29b52ace86a918ec30c77c4fcfb0cccff84dbae8429a86341264a52db98b986b5f87cfa97a

C:\Windows\SysWOW64\Pnbojmmp.exe

MD5 d94da7732344729de6ebb1ab44dd3158
SHA1 586c99ee223ba97e225b3fd4fa76a30ca805164b
SHA256 8b633984e46e41ac803dd8716cf9a3465edb157977b9ea810fcd944b7e5659e9
SHA512 0e3a3811b7be20c428860d31cccb47584ec4e065b2ef28ba862277381f36d3784546d8688623980338e418cb7f5cafb29dbd99684541d89882b96b1a1e9df657

C:\Windows\SysWOW64\Qdlggg32.exe

MD5 7f361a57e0c433a01fac2a7db7de7b75
SHA1 160e9f419a9f8e6623acb849fd898265d3066bb1
SHA256 60387b954e0290e2ef912719c335d8ad20c15a630af08669bb8edec43891751e
SHA512 422e96e3728c62e18d93351610b4445b89b95e66878421510b0def45616b3a0585066e7d95c610007a5a9a081b50b9e3df6c863a5ac2ee005a92bfc74e6dd711

C:\Windows\SysWOW64\Qkfocaki.exe

MD5 522184f93945274ed62f20ba4ad99624
SHA1 58ee3b019d8779e0069553404b133ba93d32b710
SHA256 2844da6f152c830efe307eb85a28c256f06d62fcfa1207aaa917c2a4732686b4
SHA512 615f764624bde085abe6170e53b6bf528b27e61a05c0dd1f8b41261ed8ed739384667b24985d8aa3e76612814a469cb028a9db8d4d6f8290fffd13014c4b45dc

C:\Windows\SysWOW64\Qndkpmkm.exe

MD5 43f55e12a9fbec3988a1c07d2391970c
SHA1 f3f88cdaf03b70eb1c78b651b3af11850f95b78d
SHA256 8f8edd67754a173fe5db54cb75ece22a596dd982d973cf4aeb0407af7d76136d
SHA512 96b9e5a81dba02138373d28903ba2b71a89229a943793e6fed4fcf678b954757c0e504396c7201473b9bca8e35b6b0a114892723010aadb96bfbbff55fa66373

C:\Windows\SysWOW64\Qpbglhjq.exe

MD5 58d29cf3c6a8ba989d77961568215ab9
SHA1 3313f02b7c7722cbe01a65662e52220e1ace1bd9
SHA256 bd60e4e8781294e3f78c54f11215eaa84ed8fa2f0b4a521dd3bce12821fe32cf
SHA512 a2a78676e71fc1fc5cbc76f07cf3560e356612fdac495d5d65b6751ebb34339c1b595b07bd242c9e7ed54d664002fbac140d0e88093e11d4ecf970c981c487d2

C:\Windows\SysWOW64\Qdncmgbj.exe

MD5 3256af3056fbf1e842be5ddd19ea727b
SHA1 f007b2367915245bf0b9f55bbe062e07066300b2
SHA256 67eeb1fbe06e2c7eecde1c3ce9729ad609308fb7a890c32356812f260f36d3f0
SHA512 3b197f16425087f20fcd648a5950fbd210a3ac27e78383c379dec171bdd127575b08414063e06292d154deb75c5ec020d497888243c05df4ba6850f5f6d5a9d8

C:\Windows\SysWOW64\Qcachc32.exe

MD5 7faf05c80125624d95d22971efefd72d
SHA1 0e1247223e5118538dc891166179020c047e6347
SHA256 ec7ddaa40884b53c9d5514fc57c2e9f26b80e81886c03342b1fd887ed21c6746
SHA512 577f9a4654ed162014fcf460374b2e42ddceb1ab9b738d4103310f9062b8bb88c3c01f32a0a1d039824ff284946e22bf8b67c903e01e7983204f4cf98eaf7dca

C:\Windows\SysWOW64\Qeppdo32.exe

MD5 522b6e94b6f39e09d8262fe177fdc874
SHA1 1beafbac9b5d97ccb03b9851ec2ccfdb281d7af8
SHA256 6b6d9f540e6faa9aa49789478283f082de10ac03f282f67d03354f33519ff3d1
SHA512 c1b767bd783b4ab5462c406e5c334319beb8c2772c700052ad49fdf29283a71fc9ccc0bb61aa42e7835ae9af56f846492f94e73e6f95cb4470bac497ebee31d4

C:\Windows\SysWOW64\Qjklenpa.exe

MD5 f63f2f648b627f51b579e062d2b6bbf4
SHA1 5b4b1d0da6ad6aa5b3679ba92519bf5c9262c446
SHA256 b78ba50e88ea22a7848cfc74ee9bd69a2507cd315f8ce6beadac0bf37b2cfb90
SHA512 d5a48f602d87fa02b80eecfc6177c5ed021785b674d829e7d436ca5e22cf2e3dd93eaf453fb43e30ebbfd5f26414ab554636775dc109435823eeca9d9b3397d3

C:\Windows\SysWOW64\Alihaioe.exe

MD5 260aec022e77840d5c1184bc016229fc
SHA1 119203af9951e7786892c917b4972051d0d9bb66
SHA256 2bf3f12ddbb2eebf7204024f580608098244eecfc6f3eb59b66943b5ecd527da
SHA512 699bb39b9a3f66ee41ef83302164bb45f8a270b47201fc2e9fcb6d28795b577f49d96dd81b403a6e2f190d5a27cf9606ebd923c2bc0e4bae461e6a3fb1dd4bf3

C:\Windows\SysWOW64\Aohdmdoh.exe

MD5 4fe221073114a38bd58fc183cfdac772
SHA1 1a7b9ec2ee5c749e0dc6b6f8cfab8d67a4901ad6
SHA256 76c4044d32b6cc04235eaf78a9df070ce47a931f136c8b41be727bcd8f400237
SHA512 fea14690726d52bc52a0073fe8d4a7938aa373f986dfef7065daf93878444ad6ea554005d226828ef57c5e45bd524ed3043051e63963710e49265bf29fd4b552

C:\Windows\SysWOW64\Agolnbok.exe

MD5 2ae4854ee0d96dccd395192270193e4c
SHA1 0b2c1f6093927d77ab434516bbd6b467bf4d8a66
SHA256 cbda29b8975a0fc56dd71761547d91faab3f350242f0e9715d03978f055042e4
SHA512 538efc9e7d2c4fab91e9f6ba2196af86d8231f80978a6bcf4583cddcf8f7acf8d416e28a2aad6abd26a3276dd01010ba2c31d8028bb43a2b64d86da8ad96e831

C:\Windows\SysWOW64\Ajmijmnn.exe

MD5 7e584a062d9829a1cdb266add93c15ac
SHA1 9788779c18aa739818f549bc8ef6fc1a7524aced
SHA256 b42026f5a3435eb5cd8dfa1382a2bea6230913785bc23ffe69632067b39ad865
SHA512 d6a2f3e6811a9fe7dc914fcb55a160c934577d34f7aec6f0564f8980958d69bd6cbc8e42ea580bdc28c5844173e1dd4569f862a05c543d5f7d55017242a704bb

C:\Windows\SysWOW64\Allefimb.exe

MD5 0bb33761b420710ea0bec59c1f8daab8
SHA1 9775648306569f78142a03807289f60adc617463
SHA256 da607984e573c43e14008b0f6f5bfd42f7ac5bcb18822b96a21d4acf1a73116c
SHA512 68bd252bf7f9ae7289336dec286cc95bf1e70b880aa81ce9d274e2e056b3cde0472eaed592b70490d7d375339f6cc96b629a69d661e4ce5c4e0dc34bdf332069

C:\Windows\SysWOW64\Apgagg32.exe

MD5 ce90cc38fcd39041b0e3167d4cded35f
SHA1 cd7d260c63d70423e7c4a341a1b504339f70784c
SHA256 26251d974ae988594ba4c9ac023e8b8dfae203c52856161105e6331e4768bfd3
SHA512 c56615ff56c268e6378dbd9a268f1b0ad52d9e903acbdd53086e3396ec2d1bd9e712db6d6d3260f99d0e59281e06d1618d5ab5970ec3f8d02b68af15b39a3f51

C:\Windows\SysWOW64\Acfmcc32.exe

MD5 1f217bd34e883a22ad49760b0d11ff83
SHA1 5e13ac491b08950ec4cb19f8f2d5bda36ff19e33
SHA256 764e66d996fdd696a41154c25c6de6a9785bd299547652e966c94814414623bc
SHA512 707e114876d0ddcc31dfaa311c09c62a71d48abbbd2025cd8a9549d591216a1992b7dec7a50bba5eb20c21c64f27acb7ade0eeb68fe05b7326311ff8a197c9a7

C:\Windows\SysWOW64\Afdiondb.exe

MD5 42200a5782c36ba8716207dec22a764b
SHA1 6992126dcd199a6a225b821e0e78957fbf50399a
SHA256 9ffbd1517761f0d50ef68d75984f942e5d652e17026d45e8ecde21bddd18877f
SHA512 109781fc22e0ed7c4a9891880e6d39fb373e58c957e6422f8d80f7223ab6f1104b133f8650d17fac3c095e3c950462866d6485298ec5f32827fa7b4e0b49b3aa

C:\Windows\SysWOW64\Ajpepm32.exe

MD5 a30bb1bccaa9e96e574145dbf743e1dd
SHA1 58f6af768e3bddec66c14214f27c6de6d44a78b3
SHA256 90280090fbadb37e16bcb2ba95f8c9fb2258e11d6cda44db83d5efa41b3fa3ad
SHA512 f94ffb0e289b540e9ec482c7c83124e0fd7eec8ff2502a17262f872917d7fec3f552c20def5110fbffe7372ca0a6fa5ff6a6f8875c65b8b6c74debe317ac9b2e

C:\Windows\SysWOW64\Ahbekjcf.exe

MD5 f94992ce1abb3981fcb4fe6ec6bf2b92
SHA1 bf326abf1917a2b570e26d31d2c20307dbc4e1e5
SHA256 4d1680593f1d300ffda011c6038401180d928f670075a47695e6abbf1b05a150
SHA512 2afc651e82aadd9f37a817f0da15183ec26a993ad9896e0ff591e7a3329c4c4bfeb5b1f7f75d7d168fb07fccdeb06c386c8c853477c5e449aef266a0cdd66a2b

C:\Windows\SysWOW64\Alnalh32.exe

MD5 dd7d8a233e9cd663ad09c173b909d569
SHA1 3d2446bba7dd799eb7ea0bce05a13c1de382a930
SHA256 f7957d79df2f6993b01f9306e84085c252f6d320ed0364d35b29a0d90a63d10c
SHA512 900f2810c074b473cfb9fad83d3aa20f49d014491fdb7d494b57010d09cebd0860b392812590d2309497d0618cbe2d03fc86de8dfacaf54a93235d7a0fd3091c

C:\Windows\SysWOW64\Aomnhd32.exe

MD5 7e347f9d49a2f5ecca97b43e84f1444a
SHA1 fa4acf56f8af3a1313cb0f2104b019a4a9af2021
SHA256 59828f9090f2ef33d0a0f3496adcc21908679301949fee78b22a77a17fdb8ce2
SHA512 94274da0035c37ab498af37d0b208ecc808c0f0ad368658cda3b32002941beeaa21207bf1026a3726d219cfb09e42a153fd773a3b407f1ac60ebe2be14a4f63f

C:\Windows\SysWOW64\Aakjdo32.exe

MD5 8f46778052121fc8d94190dc353a9112
SHA1 2c44b426b2b55fff463bf441a05d382213827dd7
SHA256 1c16f612f5938d440596febc90ad5459c5665df7be7bab84a4bc04f02377c444
SHA512 21c42075430d17c87f83e3bfecda03e689f46804e78a0b50cb661b26063266c9c9bb10488240c0dccdbda1363b54073a5467ef6968c485877370e9c3b9c44599

C:\Windows\SysWOW64\Adifpk32.exe

MD5 71568d32391a632500dc076d1238020c
SHA1 c863f8fa2e85e0f953003eea3597397a133005e3
SHA256 1068e6a4a43f8beadff64c6d3927fe6b8b748388dd2d52f783f2a8ee0f139da7
SHA512 d2c0fcbda62b646cdb4f747c11b6f14c0665bb462d0566e0a3140936f5ab1759d0008b24f4b8d52b7297a64291dea59940d619be45fcbc0d6fe3bf3c31edd3a9

C:\Windows\SysWOW64\Ahebaiac.exe

MD5 0a6292db244dc9f08f1d8bcf8bc171a4
SHA1 3cd17865adf504fc7350b0f452b53b07199b9f3d
SHA256 b33ece486dd0a0f2833e7517430d7d9e8873539d8b0292418c70f7cd61d55b22
SHA512 1059f8082191cdf1bb2a46f4db0547698074947c62e996af1b50905860a4b1260270cc6e29e17398ed4cb745d68b59401bf5533e8ab34e0de76c4ca26e1231c8

C:\Windows\SysWOW64\Akcomepg.exe

MD5 4eb031e1e39c07bbc8579e8f46d1fa9d
SHA1 ba0c861cf6df8ccb7e021a9c56993109708af146
SHA256 9bf82d7a59ea8a682a4273eef2109787b719e4f657524196e299cbd891c7130b
SHA512 18b9a7fe741043be87362618e0a0d757791fcb6994d0682be988a447ca75ee3098033edc9a8301cbe47b39df00c844ccbcbcf816c1804aaf7523cfe70ce134a4

C:\Windows\SysWOW64\Aoojnc32.exe

MD5 77dc12d28b37b3680ee62a6af3669ddd
SHA1 1b59699e12d65a4ecc640639a057b726ae06ea48
SHA256 32660e6ef11b609aad9bf738029cfb840c0f91853d74cfbe7bbadd7c47fa0749
SHA512 80d88f32d6d3f53a23d2fa29a2ca084f5296f248bcfc7899fdfee331c47bffe9f2dfb930c20d85044a50c351d629aa8ab142cb6e8855bda944f253df4f224c8f

C:\Windows\SysWOW64\Abmgjo32.exe

MD5 d5668596cee4b5c937a0835ba8762cdd
SHA1 24f9a33b452a3d1a1ec4c01a09c9652816b7ab8a
SHA256 7b3e09859c1f883d198c3e3aefe456e83ac158efc4f6d90528052f77dbfc15a6
SHA512 5a9504f0d787bd4bb12b5be36e5a97df940d8121e5d0e83c7e359ada971a9962caa52dbaab86740b533f59a7dc4c9baca752c0f4857ddec5d080011dce3f6f1d

C:\Windows\SysWOW64\Adlcfjgh.exe

MD5 7ff4bdc52bace6593cac0dda0298894a
SHA1 793bd4fac97dcc8d4094ed205a4fccbb271ae268
SHA256 4d8ab4dcd741f59a3dcbb81ddacc30716137510c9136d8533c7271bcfa2619d9
SHA512 e3cfb9bfb9d0be29fca9a4b76a58b8e81316ec66b8f36f089f6c26c8f80d5521ae2473e41a09fadd6057c1be10c7fdfde883710a5d91ebc0de14dfc502d84a4d

C:\Windows\SysWOW64\Ahgofi32.exe

MD5 6e3be45035f9c8c2c64000c82e300383
SHA1 7a4e592fd8e956c5d93ea99428765bba53f0da6e
SHA256 23d6c3bdd2242ebd89a6da1c590da91ac0919d63a19f8ffb299d2ec6130b5d9a
SHA512 3f0bbb5e02316dbef2edbebbbdcabdd8c30dab50ca730f6bc5f78c6fe8d3c0f07bfb58f177897e3243cfae9f5901d9456e833108d8b3e439e8b537670b2b4a3c

C:\Windows\SysWOW64\Aoagccfn.exe

MD5 f810c6f1a38167fb1264e7e9c79e1747
SHA1 421249339d3d42c5e4ba594877035b4791ec359c
SHA256 c5dda7c5b5cce623761164e844ccecc59afae209b4a2b3809dcfa7474738bf53
SHA512 dc40f68e9f34192143909cbb395803f9c19f43134891f628b9f80ad7453b2e3148358ae3bf809f7891dbc4b36c8005d5bdad3a46201229b2a02c252f5a8c4691

C:\Windows\SysWOW64\Abpcooea.exe

MD5 f06f9465b26ac42d26ffa05f7e5ba944
SHA1 0cdb73c2d0556592180e89d01e058a230ab3b2ac
SHA256 15d0ece2abf8af91aa571c01e2dc518938b2d2edf415068be656a0fed459f78d
SHA512 4777a6f7ad4b525fa24f2ae0fa3ce29572d938911d809eed1f25f245641bd15a7d589875aa15f580d7dfc5a12a349b024c1679b7d8d284a9f996aae912de1015

C:\Windows\SysWOW64\Adnpkjde.exe

MD5 5efb04c10e40d44150be88037e0b5ac6
SHA1 18f7c02f3ccbb1b82deb11f39ff4b15d9b42bcd1
SHA256 a5ac8b7ba8751f331fd9f34c56bc87bc6fd5225b7cd0bf3f7ad28d2ef5472e3e
SHA512 2d88523fa8a7f63831a825991879a8d045a4ae92eadb403fdca52b249429d3242d5ba418f511d027a4d340e0d31ba544be51ea8be5d151c5018f69a2fbd1fcac

C:\Windows\SysWOW64\Bhjlli32.exe

MD5 9ae5600d2a520801ae85b94da778327e
SHA1 659c27377e4e63a0c4f17f0ece0ad60ac044f3c3
SHA256 4c7bed94341243848b70b8f33082ea2a559f38f02afd181ac4043ffe3dbc6b59
SHA512 94c7d8d2d201ec7ded62fc727ac749cf9d46618608c9db45272adaa5d9fd6691024002a946f23b1bea3b6e60693a56da2fd6b9b5d2e495c92fab40b34c414d85

C:\Windows\SysWOW64\Bkhhhd32.exe

MD5 eaea0c4d2df471e0ad6e72deab38cb60
SHA1 de37301b18bde82e139e4943fd933666d1491385
SHA256 4c36a2fbf0b36778d1dce60836ade012962523b7419ce9970bfccce0231c8621
SHA512 2eeda575f9e3bf684962063c3b0a757167b5bfa8ef79ea050367af42c38691050aeb2e819f6ace4bfef56fc67488098e9954d7e4f5537429c4177126d8946a68

C:\Windows\SysWOW64\Bjkhdacm.exe

MD5 f5df70b27d8fa9616bde2285f62cd2d4
SHA1 9a4e359673a475bd8feb00ff421cc3d39821c623
SHA256 eca880788b64f61b8be46963b582d02f049c39c0861cffaf59f8b82f0b6c4a3c
SHA512 8e08a28b02dec033e82aeba94570054d5346fa2dce732b0654ed80980b0fb04110bcffdbbda1b36036857336e5571fea6c35b6618f8cd66988dd9d6264b36b0e

C:\Windows\SysWOW64\Bbbpenco.exe

MD5 5c930024b6a8522b8fac522e33148efd
SHA1 430e77343d656892bad25252dc4888736cd41d09
SHA256 98270eac6518a02caafe5834c6016ed799b747db7ea7c1dac9b65ad70fbc7302
SHA512 93407761171151caa914f4ca569abf1913af7f23c25f3eba578dfb370bacf969056c13c2509ca41e84955ca5b0f767537822483b439b551ba55c14142fd4a8e3

C:\Windows\SysWOW64\Bdqlajbb.exe

MD5 06d668d77a235fd578149c68fe810567
SHA1 9574e1066bbeb002335bea93f6098ac5511924ee
SHA256 84888dbc0c68b2e117c444828ccd45ce7f8ac95e683c503c843df269516f1c0e
SHA512 e0460efab1c77cdfa74f20eb72def29e46a3d2cbea523c88108541da921b419b997972de75318595d5c0b33c93c711ae29eca0f1963bd265ee3e88a40e0bb9b6

C:\Windows\SysWOW64\Bgoime32.exe

MD5 c375b533275bc5c655cfbc014b5be00d
SHA1 b4bee334320d032daf938708b68bea75bd8bda9f
SHA256 82de91a327862a3386c4d8bb1d06a18da9cd818b40f80ce57041a8588665f6ed
SHA512 677f8078f878e39efa801ba796bd72fd2ebfe8391232b25ebe4f1ece1ddd54eb6636d682b425b187798171430153e6f2f6b13e2ce7e5cd0912cdefa60ef139c4

C:\Windows\SysWOW64\Bjmeiq32.exe

MD5 06de58a5a026ceddea9998c18fd88156
SHA1 ccca5321970a2d70fce830214429797b004a4fac
SHA256 7e16ada5e357f9ec93ef14f468bf0251f54e1bd77e6a58c69e97ff4a5bb6a01f
SHA512 b9126f59e8ee5679109e97bd131b59e678c8ade66b76649b734843d0e506ed6014f846814d3507987fb0a61c1e50e18620283ea1b57f9474698b96b805bc7c99

C:\Windows\SysWOW64\Bmlael32.exe

MD5 f13ebd9559b56c9deeb7833b72211d41
SHA1 3f9d711dfa4ce56fd812395c2d5be23d9bcc7c00
SHA256 a9e703fb829e0b99e16368e07aa008b3f13b0121985c9a78f95684c16e222b35
SHA512 36aaef27113e8260e2b43d0147d02a3a76c82383e022ab3cc4f17555dd8b9343c4ff0bf1194a05c6b9a18a00afe6ce14ea54e446771051009e8dc1ab6621f4bb

C:\Windows\SysWOW64\Bdcifi32.exe

MD5 b093f87559d24515cf7e113c8fb3e85e
SHA1 bc42e1a06d0d0e4fcd119748fd021ded0bf72e0a
SHA256 970469e8430fad3304b60b41f7a1e65dd11a21a2677e3525c433bd094b73d38c
SHA512 6e97ea39f6188d3822087173285b2e5ad721ef063f9becccecfe9f3bbe6a50986e8e61f6e9fb2095e80529c88304348d8d55bf8a91504b62b71dac50409ae35d

C:\Windows\SysWOW64\Bgaebe32.exe

MD5 0f3af2bdc79add28ca2fc02da67c6edd
SHA1 d01a401861e802e828c306959c5baaaca105c7ce
SHA256 58644f24b2536d7f6b654c357120b2f5e737a2d1055f3a7a12aa65cadf470f38
SHA512 24cb3f0e18e0507b44b28428230be50cc8cea96d228e2d30dd88d4b23f2485eded54992c4f63460b6154b963fb141a536d51f70677b1fbc3b091c35dc66d7a84

C:\Windows\SysWOW64\Bfdenafn.exe

MD5 cca81b77528531d856e95e691bd66e05
SHA1 73262cd03aa034d8f7a66c2265e7e923aff0aae2
SHA256 300b6218000da11867baab193f3bb6c5a8b4dfd6b3ec97f77641053b807eecf6
SHA512 ff5d03e7cb9092edb2607e9584a0005cafa06ffbaec97fb2ef558b9acf57a9d177f88b88404c66b53b7d50bd8d9686554e4d2598e43671ec07b5c25b2f7325fa

C:\Windows\SysWOW64\Bnknoogp.exe

MD5 9958d391ef20a6f177d8d94a4c599fcf
SHA1 f9bb449250db6598c0c65e327ef7b475873f0a46
SHA256 e8616813b90c4a4dd75266d63f1098020bed07a1d557729acbfe6b14b426aecd
SHA512 93d8485c40f7a4935e554e0132b0fb4f2e802737f00c6b35daaebf1414ebe6f133b565bfddd551988b109097aea0ba1f2f958e3534f2e78e77087bd284ff4db2

C:\Windows\SysWOW64\Bmnnkl32.exe

MD5 7709efd47199cd9ddde372c7d72ea9f9
SHA1 feb6d5e2b306192467e967ff51f07179daf3b007
SHA256 8b4394a8de0586d730a10fcba4acc333812fc70e3da6584d08e8cb70a33d2a1b
SHA512 c18ad66a9a45008ff3ddebdc99c039da50dca6e10220c03b483de4f36d620aab2cbd55ba95fe21698b0c1e71515a73fb1515b7166dd86e6350bb5a9432ad03c7

C:\Windows\SysWOW64\Bchfhfeh.exe

MD5 1989ae18df289131e82abbc252ca45a7
SHA1 f247cc7200e104721543f63172f00c000173435e
SHA256 3f33c9269f3597ce22f0003fcf05ca2dd56cb79523c33bcb664bf58ae78dc5bb
SHA512 0482d5ab1a41aaa7a4d1543d415dbabbc30ed030c818d9870ff452d3698f8e16b5156d17885bbe7f79844203ddcbb2bc6c2f606c9bd0ff946997d39d796fe95e

C:\Windows\SysWOW64\Bjbndpmd.exe

MD5 ee4311c73f0d4316a852d3c1651a58cb
SHA1 39f6376cbcd29d38e1b6a19aeadf70fa9ea9d2c4
SHA256 52b3bbab2b8b7a785bca308c924cb53e3b73dbeb3b4c10cff3a5e86defd2cbcf
SHA512 b4dded200b8ea17be0288133bd665de093acb4f7a02e5a38eab9844561989b1120157048b3bbaa98fae4b15e036eef0239556fce006a630601b263d2552a5711

C:\Windows\SysWOW64\Bieopm32.exe

MD5 996364750acfab9ef449f637562e6517
SHA1 ec23644662498b586c28ecf9b9258ac5a18db82a
SHA256 f1551de1b25b8824e5b38fa9780b9145ce5387cae339f747001f26bd84f3a005
SHA512 2e2e24e478e40c890342d1db192e2a4351ed9511eb871027afbaae4d1557858fe6a879aafef654b6372c1e04a81a5361de55850f70cbaab61da478b7ca855797

C:\Windows\SysWOW64\Bqlfaj32.exe

MD5 b52377054296d21abbc7211401836faa
SHA1 cd122a9965a680fc894b8b6a0bba39ea8309b51a
SHA256 ec535b3a98b52905629ae88b5378ed5253462cb5816c8bc76a9595735f5701ec
SHA512 727134f0343baecbf681f2d20f6800807054156f3074e0a28ffdbffaadba4d9250d0ed03e94f05c2a1bae96e151afc1ad530c38591882d8d82053c6a45be2083

C:\Windows\SysWOW64\Bcjcme32.exe

MD5 3420fa5060584d2e74994babcd00ec24
SHA1 f453e9b2f295c8a9311a72d8900765ca36ead6c3
SHA256 6301dd2105a6fa5c24d11345167069606690c9a1e76838d319b84970df56ac70
SHA512 ffffcded447ef109b752e652d41f9b2e1964c8599aa23b6d829a88c20313854cb25a0409b3613553cd25ab33adb28720f5278efc05dbde01e4c0a7e4fbe9130d

C:\Windows\SysWOW64\Bfioia32.exe

MD5 a414a3d7d4f2e4eb74379397466bbbb7
SHA1 52a4bcfbe1572ca5be998adc163ffc09b1e202c2
SHA256 4dba8dbe45327699d3d8872a72299014b2dff9f9c911685980057a4a377fb96c
SHA512 04b7766dc4ee13afb2a0d09a7eb65740c3af31be4037dda077fff664c7fa5205fbc9059a9a35cd42109c4f7baff64ccc8b69a7e0b7be6719c71f197466e21f8d

C:\Windows\SysWOW64\Bjdkjpkb.exe

MD5 2b0d6354051d7433fe43b31843389f0a
SHA1 ed4792781bfb93e7053fb171eec86bb6292e4b3c
SHA256 2bf26b59866b531ecdda24062efcc12e3596fc28cccb4b23ef804e44b6841feb
SHA512 2b463f9bfc9e27bd6653fb558d9d427ffd70c0eeb11733170c36f82b5ab6ed23b8a25ad0f56c9434ad1b21062ecabf27c67ebf5d40f0e32ad3c18134019bb287

C:\Windows\SysWOW64\Bigkel32.exe

MD5 72924c0cfb40647805d72710e1cd8716
SHA1 bb7f5d7afedd08bc4975c48ae661b42683a209c2
SHA256 a9fdfc5c69a934f4be0a1746c0c3e42c3536bc64cded4cad11cbcdaf752a824c
SHA512 bf5433bc301f38cd58a11441aec5569f519c0ca3d807fd8499d99267961e94e51529c88f7fb93fc0293d21c7a290caf3f2816b2a540bb44a730003893ef68bb7

C:\Windows\SysWOW64\Bkegah32.exe

MD5 aa5aa290a60825cfd7b425997b96598d
SHA1 06178cea2f37eb70fb8d394c83a2fb35e3c5cbf6
SHA256 151e7d07f1e85945c056aa846c6369f35c5a7ae2c557cc7ced72ca4d6555a8e1
SHA512 653b3ba09300db83066dd2428bfdc1d4f6b60beaddc721744ba1874abbc8c723f96e25b5b609a5aa5245bafdb821f8c4e660c947dbea130bc6a4df9eb2f82f5b

C:\Windows\SysWOW64\Ccmpce32.exe

MD5 d4a5d8069706537a60a002ea9dbc8bc4
SHA1 5584359659366376e65192f2cf3af068b1c23cd0
SHA256 14f570d80b8004aad9f0e003127b8acd3be62188d3222b7625e8e8af4a6a1107
SHA512 0c9c78a67074e9849f3c0bbc48ba6644a3b09376e4ff1cd41a3e8ae3b073a616172fbf5bd23917cb9d6c9cc3080261a70b1e653c43fcf76d6fc64a581312163d

C:\Windows\SysWOW64\Cfkloq32.exe

MD5 17f9d288859830ef9afab4765247e5fe
SHA1 19b01b45816a7c49f1925840a283f6182e9e674f
SHA256 760cac34c59ced09a73c83624d71c008b7fc07a1e4a48fe6da8f9eb7dc5e9492
SHA512 d23238d99ebfff4181e3965754902b3cb3cd9e2441f4df9d03fcabad7f4fbd779f8965ca9b29c950b95cf2c6cc0868b8ec3a4b590be0559f2925ba79b887ceb8

C:\Windows\SysWOW64\Ciihklpj.exe

MD5 b10d9fc46df611be92e86ed506b0513c
SHA1 54198d1445fd8e6902ea351119d9db503e1fe6f5
SHA256 d669b7957089ffb9d5c3bff901d8220b06d6935c14b01b5f855679de262a0e83
SHA512 ec6f13e492843b59bfa8568c916bbfb48ad88583ece2cf5bdc01428dc092901ddaddfeaa30640c9d334a5d79315337038835c24ddb94bfffa00c60f975bf7ffd

C:\Windows\SysWOW64\Ckhdggom.exe

MD5 1d3c59a658c76cf374e21eb825879f07
SHA1 fe56332ecf168239ac33080f1abeb358e7ab3693
SHA256 d4354a7416a3fcb9279575410ff9e3948207acd5cf09472423460aab43ef9726
SHA512 72c28ba1f2c7dc6ced268778c0e8db0770b137033190254824e2c8ffa54131722f0cbb8d90c22b1eae0f1dfa6f5b23427f3ed5e3612ad50688748a6cead7c823

C:\Windows\SysWOW64\Cnfqccna.exe

MD5 a79fa8c35ca8ba7c60010b61fd5b21bc
SHA1 28bff0e0851addf58a86a673a84b6565e1cd0272
SHA256 ce72bb9898137896a22e6415f1e3454a4ba8088ac97fd9c0171e05ece7f4c340
SHA512 7547d107bd479052560334e9980b37f0e17800821b87a06dfad000f5ab2b487b043471f211d6a62c0bafc8b3e74f28b85191cb6739bae7464bc0874a83a35010

C:\Windows\SysWOW64\Cfmhdpnc.exe

MD5 14ed8aa26c8361dee8adbd990660d1d3
SHA1 b4fd3970b0465d500e66a6ecf22a4edb404132af
SHA256 cbf03315f45c36ad9c3e0ade1f4b262322e5c7e7d18d70496498cf5a03110c16
SHA512 be2e6e50470749f79010e14482719f370080679e469cc16242042cdcb2b67a02a21b78f315bf46eb098183e76f81c5fdc8bff1fdbe2838f900ece57c280c2e13

C:\Windows\SysWOW64\Cileqlmg.exe

MD5 d8a514b2e375b6a6b0d39910d84914a3
SHA1 54f7007d333eef83ceeded4c81eb0728ba3e54d0
SHA256 baa4ff329d464e874bb21686cfa372f74b4c94521f4c9daf609f4763949dd4d6
SHA512 21497c4e5963aa42635dc83718e3d59ef1e6eb5341aba514de4a2f6f4f4341bc427144435a572515a83861b045a2809b678e7f4ba81d42328430b921a9ca8d70

C:\Windows\SysWOW64\Ckjamgmk.exe

MD5 caa01d880130e296fb28bcffc85fcec9
SHA1 98b033d069ba3a670845312f9fb57b09e2079d4b
SHA256 321267376c827c1bba32c0b768475b5532d2275e045b001ced447c97cc4d6bfd
SHA512 4ae66cde2c0341385628f00a01e83bc39f55da3c299d57844d3d55790441c78138919e048b3dfdf27e4c7c7899f2fc8a0ca0b6463e59ee9e9d731b410f80074f

C:\Windows\SysWOW64\Cbdiia32.exe

MD5 c43e767cd51317b5f3dc154c294826a5
SHA1 8651451452d0ba08de8672b5111ba1c4b53d5522
SHA256 ce4345003ad2687eefc1f9d7f1a8a5621f551561e99003575ccbb5cc3ca8ca60
SHA512 9bc2438e7b8c858161416e7f10a90d6004e71463dd28dc45efdfb5461d631cbff503da0ce6fa2dc7d90efe5702ac413b86721f1c7919b9f8bc6b2e81b03667ca

C:\Windows\SysWOW64\Cebeem32.exe

MD5 e2227296640a427a3aebe979d0b604f2
SHA1 d1833444a1d48ad82dd602074d35f994f4d72a7f
SHA256 92c5cef5e6a181e0c7b778029533961bc518b38440a4234ef2a20cb5ba4cb266
SHA512 3a981324ec5053480b568b4cf073dd1a2fa531afddd7ee87a8f1d87011dc53e5eeccbf3af9b3abad299933f3f3367746864e2402852c929fd43c2f006d15dd88

C:\Windows\SysWOW64\Cgaaah32.exe

MD5 56ce97bca62f14b6c4c121ceb34dce7a
SHA1 5b8af182eef1cf5f6582953fd2a6a535ed50047d
SHA256 cf48b8467baa2a5b02af6b81575450dfe2124c2c5d5b7a6e29918f83aeba0689
SHA512 96a3fcce3ce3a25ec6185fd71859d1fa66b7d0fdb3a49967f9e50d6d87e0528e3a35f52743ab8d18268d96212082b103b58066bab11c09e22fecccb9f4d2ff72

C:\Windows\SysWOW64\Cjonncab.exe

MD5 44e9579ee005d2403030907a37e09901
SHA1 0efc30ec680f709106b68e2fcb49389b9bf79a55
SHA256 44fd796d1bb6d5ea06aea587c73a76cc9d0ebab7908e05d481a4afd87b75120d
SHA512 dddf749149fc1eb1d249be6dafb66936671ba2789690ec621c0122ecb5211e6cd2ec06745fac53e2e987dcfd61e124b0a39362b25dcf904ed72705c4190987d7

C:\Windows\SysWOW64\Cnkjnb32.exe

MD5 0ee45fd69d1c9208dd713880b126cf86
SHA1 2934624f2039c2219df03f4a3d1138ad35a1ac0b
SHA256 e3a9f0e91eda88b960e06215accca63bd8295649466b444e62b772d992756661
SHA512 665529f21887a0a7c7678fe97b19d36c3e75ebdf752356475d16870d4ae8f6ec425d9f38546ab3581974090b4210a1a5740196f8d0d624ac7e9de377e6342721

C:\Windows\SysWOW64\Ceebklai.exe

MD5 0e256536a683bcbd7d56c4281395ed08
SHA1 a88bf68c713f5bddaf1e3c1f7af92d78bec88194
SHA256 42011176f07cfdda3160abd69cf3ac291d1821580bf0f787e7947adb3aec762f
SHA512 dbfc74a2fb342c79aa0df54aed4df8907b45510ce5c4f80d0e8267f8939809537228442a7811fafde781b31d24957b894d4b3ed86ec15bfb7e3e7deaf5fdb0b0

C:\Windows\SysWOW64\Cgcnghpl.exe

MD5 0a63e4ed6175ad8e39a978065c6015b9
SHA1 1df11e7d14c9c5050ee5e4eb61e9918dbc5f1b27
SHA256 11089f4f09e9e4aac2958e3a3dd20f1e655efabaf8568deab876b34c0ccfb40e
SHA512 209ac1a29163b4e2ec546be47256891ed82e0f85f3e5189fc3d91cad0b94339ca85792a926f9ea4042452318b36e925554d8fbc533adeb1739a11255e4c04e72

C:\Windows\SysWOW64\Calcpm32.exe

MD5 f52afd0f71d09fa79964d23ae56dc6bc
SHA1 329cf6c60b600bfb900792421bb8868b892951b1
SHA256 dfaa600014d06c8e7edb1f144e584221825829d1289fa8496e377def80ebb7a3
SHA512 502e38488ccf91d2b64073374aac3680f43a8088a20ef2574cd082508aa9508496a771d82d9f885efae7cc9a31f92ec638ec82d2e9a6971db1bf2133776a16fd

C:\Windows\SysWOW64\Cgfkmgnj.exe

MD5 29b36cf0286e5b337a9de9e02fd3bd66
SHA1 4fea2a071b4255a1418e4bac4410ec21cd461423
SHA256 2e5370be9c4f8e9111da5ddcbf2da3d2fb3e0f4981706ec769167cb38669a025
SHA512 2e3be36822ea0a695ede23b34b55a0ff1adf0f37858e609e5d1df4e7e8c80d64c06c7a5c6678eae8bc8dc3234802e203748c6cef4c192b30c7d610edb261a69f

C:\Windows\SysWOW64\Dnpciaef.exe

MD5 b9f5f2db6c96658f3489ce88863082da
SHA1 cb30ccaefb98b832d7207592f6b721d2bf1f0d21
SHA256 ad1d78cc16a9a8be2c71749808c666cc3327e2b0ec53e3f5aaccd543239fa167
SHA512 9202594447c75121ab8c0125e6ad0d8cc2f235562c089a2ea956509868fd5332071cbed9856c8234525ba59b24d62d8be45182a11aa5f699e6237d821f7c5f79

C:\Windows\SysWOW64\Danpemej.exe

MD5 3726adfedb30053bad8b07b354589022
SHA1 345b0d79383b5c09a4e018bfd7c78a38c3791c07
SHA256 9d1b28b6b7946835e8d86eed2bbd197c2bcc3a1b3c8c7563cd0ccac3538a5c4d
SHA512 0983d9df2353708e69e5ba5aafeffa4e5dda6e1c93e38800b53af67de097ecfe65a40dd30097f24d6f8918cb06dcf932220a8012b4cdd2281037c162e42937b9

C:\Windows\SysWOW64\Dpapaj32.exe

MD5 9ad9e65a619e83d129f6523a67824c47
SHA1 fff40cf73504a498aeb84bb5412679b1625f2f81
SHA256 cca29ed7365c0c3538bf18bd52a7b10134413475c282734c82d3cfbbce6e1179
SHA512 97b56feea475ee376a68719613e20c85b1c1d91fa9e6f747599c88ae9cd9d0d480ca6dad270f344ec117861af7e52fc520c0e5553ff1c110b1d8d4fe0be24ccb

memory/2068-1839-0x0000000000400000-0x000000000042F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 17:08

Reported

2024-11-13 17:10

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddmaok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dkkcge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Amgapeea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bmbplc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chjaol32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Deokon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmbplc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Danecp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Doilmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aeklkchg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Deagdn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afjlnk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aeklkchg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bhhdil32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceckcp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aadifclh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Daqbip32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afhohlbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Anogiicl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ambgef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aqncedbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Chcddk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dopigd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dmjocp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Afoeiklb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bffkij32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bcjlcn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aeniabfd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Anfmjhmd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dobfld32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Agjhgngj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dobfld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bcebhoii.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cjpckf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Agjhgngj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bnpppgdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Doilmc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aqncedbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Chagok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cegdnopg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Daqbip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe N/A

Berbew

backdoor berbew

Berbew family

berbew

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Afhohlbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Anogiicl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ambgef32.exe N/A
N/A N/A C:\Windows\SysWOW64\Aqncedbp.exe N/A
N/A N/A C:\Windows\SysWOW64\Aclpap32.exe N/A
N/A N/A C:\Windows\SysWOW64\Afjlnk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Amddjegd.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeklkchg.exe N/A
N/A N/A C:\Windows\SysWOW64\Agjhgngj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ajhddjfn.exe N/A
N/A N/A C:\Windows\SysWOW64\Amgapeea.exe N/A
N/A N/A C:\Windows\SysWOW64\Aeniabfd.exe N/A
N/A N/A C:\Windows\SysWOW64\Afoeiklb.exe N/A
N/A N/A C:\Windows\SysWOW64\Anfmjhmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Aadifclh.exe N/A
N/A N/A C:\Windows\SysWOW64\Accfbokl.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfabnjjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnhjohkb.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcebhoii.exe N/A
N/A N/A C:\Windows\SysWOW64\Bjokdipf.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmngqdpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Bchomn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bffkij32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnmcjg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Balpgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bcjlcn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bfhhoi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnpppgdj.exe N/A
N/A N/A C:\Windows\SysWOW64\Beihma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bhhdil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Bnbmefbg.exe N/A
N/A N/A C:\Windows\SysWOW64\Bmemac32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chjaol32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmlcbbcj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceckcp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Chagok32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjpckf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cajlhqjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Cdhhdlid.exe N/A
N/A N/A C:\Windows\SysWOW64\Chcddk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cjbpaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cmqmma32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cegdnopg.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhfajjoj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dopigd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Danecp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddmaok32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfknkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dobfld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Daqbip32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ddonekbl.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfnjafap.exe N/A
N/A N/A C:\Windows\SysWOW64\Dodbbdbb.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmgbnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Deokon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhmgki32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dkkcge32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmjocp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Deagdn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dgbdlf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Doilmc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dmllipeg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Agjbpg32.dll C:\Windows\SysWOW64\Dopigd32.exe N/A
File created C:\Windows\SysWOW64\Anogiicl.exe C:\Windows\SysWOW64\Afhohlbj.exe N/A
File created C:\Windows\SysWOW64\Cmqmma32.exe C:\Windows\SysWOW64\Cjbpaf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmqmma32.exe C:\Windows\SysWOW64\Cjbpaf32.exe N/A
File created C:\Windows\SysWOW64\Bcjlcn32.exe C:\Windows\SysWOW64\Balpgb32.exe N/A
File created C:\Windows\SysWOW64\Iqjikg32.dll C:\Windows\SysWOW64\Beihma32.exe N/A
File created C:\Windows\SysWOW64\Dfnjafap.exe C:\Windows\SysWOW64\Ddonekbl.exe N/A
File opened for modification C:\Windows\SysWOW64\Ambgef32.exe C:\Windows\SysWOW64\Anogiicl.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajhddjfn.exe C:\Windows\SysWOW64\Agjhgngj.exe N/A
File created C:\Windows\SysWOW64\Accfbokl.exe C:\Windows\SysWOW64\Aadifclh.exe N/A
File opened for modification C:\Windows\SysWOW64\Bnmcjg32.exe C:\Windows\SysWOW64\Bffkij32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddmaok32.exe C:\Windows\SysWOW64\Danecp32.exe N/A
File created C:\Windows\SysWOW64\Fnmnbf32.dll C:\Windows\SysWOW64\Dfnjafap.exe N/A
File opened for modification C:\Windows\SysWOW64\Afhohlbj.exe C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe N/A
File created C:\Windows\SysWOW64\Afjlnk32.exe C:\Windows\SysWOW64\Aclpap32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bffkij32.exe C:\Windows\SysWOW64\Bchomn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cegdnopg.exe C:\Windows\SysWOW64\Cmqmma32.exe N/A
File created C:\Windows\SysWOW64\Bobiobnp.dll C:\Windows\SysWOW64\Dkkcge32.exe N/A
File opened for modification C:\Windows\SysWOW64\Aqncedbp.exe C:\Windows\SysWOW64\Ambgef32.exe N/A
File created C:\Windows\SysWOW64\Cdlgno32.dll C:\Windows\SysWOW64\Bcebhoii.exe N/A
File created C:\Windows\SysWOW64\Cjmgfgdf.exe C:\Windows\SysWOW64\Chjaol32.exe N/A
File created C:\Windows\SysWOW64\Ooojbbid.dll C:\Windows\SysWOW64\Anfmjhmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Bmngqdpj.exe C:\Windows\SysWOW64\Bjokdipf.exe N/A
File created C:\Windows\SysWOW64\Hjjdjk32.dll C:\Windows\SysWOW64\Balpgb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmlcbbcj.exe C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmgbnq32.exe C:\Windows\SysWOW64\Dodbbdbb.exe N/A
File created C:\Windows\SysWOW64\Amddjegd.exe C:\Windows\SysWOW64\Afjlnk32.exe N/A
File created C:\Windows\SysWOW64\Amgapeea.exe C:\Windows\SysWOW64\Ajhddjfn.exe N/A
File created C:\Windows\SysWOW64\Aadifclh.exe C:\Windows\SysWOW64\Anfmjhmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkkcge32.exe C:\Windows\SysWOW64\Dhmgki32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Doilmc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjokdipf.exe C:\Windows\SysWOW64\Bcebhoii.exe N/A
File created C:\Windows\SysWOW64\Dhfajjoj.exe C:\Windows\SysWOW64\Cegdnopg.exe N/A
File opened for modification C:\Windows\SysWOW64\Danecp32.exe C:\Windows\SysWOW64\Dopigd32.exe N/A
File created C:\Windows\SysWOW64\Cogflbdn.dll C:\Windows\SysWOW64\Ddmaok32.exe N/A
File created C:\Windows\SysWOW64\Dmllipeg.exe C:\Windows\SysWOW64\Doilmc32.exe N/A
File created C:\Windows\SysWOW64\Jmmmebhb.dll C:\Windows\SysWOW64\Aclpap32.exe N/A
File opened for modification C:\Windows\SysWOW64\Accfbokl.exe C:\Windows\SysWOW64\Aadifclh.exe N/A
File created C:\Windows\SysWOW64\Bjokdipf.exe C:\Windows\SysWOW64\Bcebhoii.exe N/A
File created C:\Windows\SysWOW64\Fmjkjk32.dll C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
File created C:\Windows\SysWOW64\Bilonkon.dll C:\Windows\SysWOW64\Cdhhdlid.exe N/A
File created C:\Windows\SysWOW64\Dhmgki32.exe C:\Windows\SysWOW64\Deokon32.exe N/A
File created C:\Windows\SysWOW64\Gfghpl32.dll C:\Windows\SysWOW64\Deagdn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Amddjegd.exe C:\Windows\SysWOW64\Afjlnk32.exe N/A
File created C:\Windows\SysWOW64\Agjhgngj.exe C:\Windows\SysWOW64\Aeklkchg.exe N/A
File created C:\Windows\SysWOW64\Bnbmefbg.exe C:\Windows\SysWOW64\Bhhdil32.exe N/A
File created C:\Windows\SysWOW64\Jgilhm32.dll C:\Windows\SysWOW64\Chcddk32.exe N/A
File created C:\Windows\SysWOW64\Dmjapi32.dll C:\Windows\SysWOW64\Bffkij32.exe N/A
File created C:\Windows\SysWOW64\Chjaol32.exe C:\Windows\SysWOW64\Bmemac32.exe N/A
File created C:\Windows\SysWOW64\Maickled.dll C:\Windows\SysWOW64\Chjaol32.exe N/A
File created C:\Windows\SysWOW64\Dfknkg32.exe C:\Windows\SysWOW64\Ddmaok32.exe N/A
File created C:\Windows\SysWOW64\Dodbbdbb.exe C:\Windows\SysWOW64\Dfnjafap.exe N/A
File created C:\Windows\SysWOW64\Doilmc32.exe C:\Windows\SysWOW64\Dgbdlf32.exe N/A
File created C:\Windows\SysWOW64\Hjlena32.dll C:\Windows\SysWOW64\Amgapeea.exe N/A
File created C:\Windows\SysWOW64\Bchomn32.exe C:\Windows\SysWOW64\Bmngqdpj.exe N/A
File created C:\Windows\SysWOW64\Bnmcjg32.exe C:\Windows\SysWOW64\Bffkij32.exe N/A
File opened for modification C:\Windows\SysWOW64\Amgapeea.exe C:\Windows\SysWOW64\Ajhddjfn.exe N/A
File created C:\Windows\SysWOW64\Bnhjohkb.exe C:\Windows\SysWOW64\Bfabnjjp.exe N/A
File opened for modification C:\Windows\SysWOW64\Chjaol32.exe C:\Windows\SysWOW64\Bmemac32.exe N/A
File created C:\Windows\SysWOW64\Jfihel32.dll C:\Windows\SysWOW64\Bmemac32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cjmgfgdf.exe C:\Windows\SysWOW64\Chjaol32.exe N/A
File created C:\Windows\SysWOW64\Cmlcbbcj.exe C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
File opened for modification C:\Windows\SysWOW64\Dopigd32.exe C:\Windows\SysWOW64\Dhfajjoj.exe N/A
File opened for modification C:\Windows\SysWOW64\Dobfld32.exe C:\Windows\SysWOW64\Dfknkg32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dopigd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Doilmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aqncedbp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcjlcn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmbplc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dkkcge32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afoeiklb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfabnjjp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bchomn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmemac32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ceckcp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anogiicl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aclpap32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aeklkchg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dobfld32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Deagdn32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfnjafap.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afjlnk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjokdipf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhhdil32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chjaol32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chagok32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddmaok32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dodbbdbb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amddjegd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anfmjhmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnpppgdj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cegdnopg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Daqbip32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afhohlbj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ambgef32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Balpgb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Danecp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aadifclh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bffkij32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ddonekbl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agjhgngj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aeniabfd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnbmefbg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmllipeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Amgapeea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Accfbokl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dfknkg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Deokon32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnmcjg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Beihma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bcebhoii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjpckf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhmgki32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmqmma32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmlcbbcj.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll" C:\Windows\SysWOW64\Dkkcge32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll" C:\Windows\SysWOW64\Dmjocp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll" C:\Windows\SysWOW64\Bcjlcn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Chjaol32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll" C:\Windows\SysWOW64\Cjpckf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dmjocp32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll" C:\Windows\SysWOW64\Amgapeea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll" C:\Windows\SysWOW64\Bcebhoii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll" C:\Windows\SysWOW64\Bjokdipf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll" C:\Windows\SysWOW64\Bchomn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bmemac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll" C:\Windows\SysWOW64\Chjaol32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cdhhdlid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ambgef32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll" C:\Windows\SysWOW64\Aqncedbp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Amddjegd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Anfmjhmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bnpppgdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dgbdlf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll" C:\Windows\SysWOW64\Aeklkchg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Anfmjhmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cjmgfgdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll" C:\Windows\SysWOW64\Bmemac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll" C:\Windows\SysWOW64\Chagok32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll" C:\Windows\SysWOW64\Cjbpaf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Afhohlbj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afjlnk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aadifclh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmngqdpj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll" C:\Windows\SysWOW64\Beihma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll" C:\Windows\SysWOW64\Ddonekbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dkkcge32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll" C:\Windows\SysWOW64\Cmqmma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dhfajjoj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Danecp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll" C:\Windows\SysWOW64\Aclpap32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bmemac32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Deokon32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dfnjafap.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll" C:\Windows\SysWOW64\Dmgbnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll" C:\Windows\SysWOW64\Amddjegd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll" C:\Windows\SysWOW64\Agjhgngj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bcebhoii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Beihma32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll" C:\Windows\SysWOW64\Dfknkg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ajhddjfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Accfbokl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bfhhoi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Afhohlbj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Anogiicl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll" C:\Windows\SysWOW64\Anogiicl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll" C:\Windows\SysWOW64\Bnpppgdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll" C:\Windows\SysWOW64\Cajlhqjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Deagdn32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1124 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe C:\Windows\SysWOW64\Afhohlbj.exe
PID 1124 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe C:\Windows\SysWOW64\Afhohlbj.exe
PID 1124 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe C:\Windows\SysWOW64\Afhohlbj.exe
PID 3888 wrote to memory of 3300 N/A C:\Windows\SysWOW64\Afhohlbj.exe C:\Windows\SysWOW64\Anogiicl.exe
PID 3888 wrote to memory of 3300 N/A C:\Windows\SysWOW64\Afhohlbj.exe C:\Windows\SysWOW64\Anogiicl.exe
PID 3888 wrote to memory of 3300 N/A C:\Windows\SysWOW64\Afhohlbj.exe C:\Windows\SysWOW64\Anogiicl.exe
PID 3300 wrote to memory of 1312 N/A C:\Windows\SysWOW64\Anogiicl.exe C:\Windows\SysWOW64\Ambgef32.exe
PID 3300 wrote to memory of 1312 N/A C:\Windows\SysWOW64\Anogiicl.exe C:\Windows\SysWOW64\Ambgef32.exe
PID 3300 wrote to memory of 1312 N/A C:\Windows\SysWOW64\Anogiicl.exe C:\Windows\SysWOW64\Ambgef32.exe
PID 1312 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Ambgef32.exe C:\Windows\SysWOW64\Aqncedbp.exe
PID 1312 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Ambgef32.exe C:\Windows\SysWOW64\Aqncedbp.exe
PID 1312 wrote to memory of 3068 N/A C:\Windows\SysWOW64\Ambgef32.exe C:\Windows\SysWOW64\Aqncedbp.exe
PID 3068 wrote to memory of 3932 N/A C:\Windows\SysWOW64\Aqncedbp.exe C:\Windows\SysWOW64\Aclpap32.exe
PID 3068 wrote to memory of 3932 N/A C:\Windows\SysWOW64\Aqncedbp.exe C:\Windows\SysWOW64\Aclpap32.exe
PID 3068 wrote to memory of 3932 N/A C:\Windows\SysWOW64\Aqncedbp.exe C:\Windows\SysWOW64\Aclpap32.exe
PID 3932 wrote to memory of 4820 N/A C:\Windows\SysWOW64\Aclpap32.exe C:\Windows\SysWOW64\Afjlnk32.exe
PID 3932 wrote to memory of 4820 N/A C:\Windows\SysWOW64\Aclpap32.exe C:\Windows\SysWOW64\Afjlnk32.exe
PID 3932 wrote to memory of 4820 N/A C:\Windows\SysWOW64\Aclpap32.exe C:\Windows\SysWOW64\Afjlnk32.exe
PID 4820 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Afjlnk32.exe C:\Windows\SysWOW64\Amddjegd.exe
PID 4820 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Afjlnk32.exe C:\Windows\SysWOW64\Amddjegd.exe
PID 4820 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Afjlnk32.exe C:\Windows\SysWOW64\Amddjegd.exe
PID 2508 wrote to memory of 3212 N/A C:\Windows\SysWOW64\Amddjegd.exe C:\Windows\SysWOW64\Aeklkchg.exe
PID 2508 wrote to memory of 3212 N/A C:\Windows\SysWOW64\Amddjegd.exe C:\Windows\SysWOW64\Aeklkchg.exe
PID 2508 wrote to memory of 3212 N/A C:\Windows\SysWOW64\Amddjegd.exe C:\Windows\SysWOW64\Aeklkchg.exe
PID 3212 wrote to memory of 3712 N/A C:\Windows\SysWOW64\Aeklkchg.exe C:\Windows\SysWOW64\Agjhgngj.exe
PID 3212 wrote to memory of 3712 N/A C:\Windows\SysWOW64\Aeklkchg.exe C:\Windows\SysWOW64\Agjhgngj.exe
PID 3212 wrote to memory of 3712 N/A C:\Windows\SysWOW64\Aeklkchg.exe C:\Windows\SysWOW64\Agjhgngj.exe
PID 3712 wrote to memory of 4864 N/A C:\Windows\SysWOW64\Agjhgngj.exe C:\Windows\SysWOW64\Ajhddjfn.exe
PID 3712 wrote to memory of 4864 N/A C:\Windows\SysWOW64\Agjhgngj.exe C:\Windows\SysWOW64\Ajhddjfn.exe
PID 3712 wrote to memory of 4864 N/A C:\Windows\SysWOW64\Agjhgngj.exe C:\Windows\SysWOW64\Ajhddjfn.exe
PID 4864 wrote to memory of 4388 N/A C:\Windows\SysWOW64\Ajhddjfn.exe C:\Windows\SysWOW64\Amgapeea.exe
PID 4864 wrote to memory of 4388 N/A C:\Windows\SysWOW64\Ajhddjfn.exe C:\Windows\SysWOW64\Amgapeea.exe
PID 4864 wrote to memory of 4388 N/A C:\Windows\SysWOW64\Ajhddjfn.exe C:\Windows\SysWOW64\Amgapeea.exe
PID 4388 wrote to memory of 4308 N/A C:\Windows\SysWOW64\Amgapeea.exe C:\Windows\SysWOW64\Aeniabfd.exe
PID 4388 wrote to memory of 4308 N/A C:\Windows\SysWOW64\Amgapeea.exe C:\Windows\SysWOW64\Aeniabfd.exe
PID 4388 wrote to memory of 4308 N/A C:\Windows\SysWOW64\Amgapeea.exe C:\Windows\SysWOW64\Aeniabfd.exe
PID 4308 wrote to memory of 4868 N/A C:\Windows\SysWOW64\Aeniabfd.exe C:\Windows\SysWOW64\Afoeiklb.exe
PID 4308 wrote to memory of 4868 N/A C:\Windows\SysWOW64\Aeniabfd.exe C:\Windows\SysWOW64\Afoeiklb.exe
PID 4308 wrote to memory of 4868 N/A C:\Windows\SysWOW64\Aeniabfd.exe C:\Windows\SysWOW64\Afoeiklb.exe
PID 4868 wrote to memory of 4016 N/A C:\Windows\SysWOW64\Afoeiklb.exe C:\Windows\SysWOW64\Anfmjhmd.exe
PID 4868 wrote to memory of 4016 N/A C:\Windows\SysWOW64\Afoeiklb.exe C:\Windows\SysWOW64\Anfmjhmd.exe
PID 4868 wrote to memory of 4016 N/A C:\Windows\SysWOW64\Afoeiklb.exe C:\Windows\SysWOW64\Anfmjhmd.exe
PID 4016 wrote to memory of 3224 N/A C:\Windows\SysWOW64\Anfmjhmd.exe C:\Windows\SysWOW64\Aadifclh.exe
PID 4016 wrote to memory of 3224 N/A C:\Windows\SysWOW64\Anfmjhmd.exe C:\Windows\SysWOW64\Aadifclh.exe
PID 4016 wrote to memory of 3224 N/A C:\Windows\SysWOW64\Anfmjhmd.exe C:\Windows\SysWOW64\Aadifclh.exe
PID 3224 wrote to memory of 4248 N/A C:\Windows\SysWOW64\Aadifclh.exe C:\Windows\SysWOW64\Accfbokl.exe
PID 3224 wrote to memory of 4248 N/A C:\Windows\SysWOW64\Aadifclh.exe C:\Windows\SysWOW64\Accfbokl.exe
PID 3224 wrote to memory of 4248 N/A C:\Windows\SysWOW64\Aadifclh.exe C:\Windows\SysWOW64\Accfbokl.exe
PID 4248 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Accfbokl.exe C:\Windows\SysWOW64\Bfabnjjp.exe
PID 4248 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Accfbokl.exe C:\Windows\SysWOW64\Bfabnjjp.exe
PID 4248 wrote to memory of 2172 N/A C:\Windows\SysWOW64\Accfbokl.exe C:\Windows\SysWOW64\Bfabnjjp.exe
PID 2172 wrote to memory of 1780 N/A C:\Windows\SysWOW64\Bfabnjjp.exe C:\Windows\SysWOW64\Bnhjohkb.exe
PID 2172 wrote to memory of 1780 N/A C:\Windows\SysWOW64\Bfabnjjp.exe C:\Windows\SysWOW64\Bnhjohkb.exe
PID 2172 wrote to memory of 1780 N/A C:\Windows\SysWOW64\Bfabnjjp.exe C:\Windows\SysWOW64\Bnhjohkb.exe
PID 1780 wrote to memory of 3208 N/A C:\Windows\SysWOW64\Bnhjohkb.exe C:\Windows\SysWOW64\Bcebhoii.exe
PID 1780 wrote to memory of 3208 N/A C:\Windows\SysWOW64\Bnhjohkb.exe C:\Windows\SysWOW64\Bcebhoii.exe
PID 1780 wrote to memory of 3208 N/A C:\Windows\SysWOW64\Bnhjohkb.exe C:\Windows\SysWOW64\Bcebhoii.exe
PID 3208 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Bcebhoii.exe C:\Windows\SysWOW64\Bjokdipf.exe
PID 3208 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Bcebhoii.exe C:\Windows\SysWOW64\Bjokdipf.exe
PID 3208 wrote to memory of 4744 N/A C:\Windows\SysWOW64\Bcebhoii.exe C:\Windows\SysWOW64\Bjokdipf.exe
PID 4744 wrote to memory of 4232 N/A C:\Windows\SysWOW64\Bjokdipf.exe C:\Windows\SysWOW64\Bmngqdpj.exe
PID 4744 wrote to memory of 4232 N/A C:\Windows\SysWOW64\Bjokdipf.exe C:\Windows\SysWOW64\Bmngqdpj.exe
PID 4744 wrote to memory of 4232 N/A C:\Windows\SysWOW64\Bjokdipf.exe C:\Windows\SysWOW64\Bmngqdpj.exe
PID 4232 wrote to memory of 4748 N/A C:\Windows\SysWOW64\Bmngqdpj.exe C:\Windows\SysWOW64\Bchomn32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe

"C:\Users\Admin\AppData\Local\Temp\da5485cb2f532d87e55d9f8189f877bb6cbea5d66b893fa53a8dbdca4d22d716.exe"

C:\Windows\SysWOW64\Afhohlbj.exe

C:\Windows\system32\Afhohlbj.exe

C:\Windows\SysWOW64\Anogiicl.exe

C:\Windows\system32\Anogiicl.exe

C:\Windows\SysWOW64\Ambgef32.exe

C:\Windows\system32\Ambgef32.exe

C:\Windows\SysWOW64\Aqncedbp.exe

C:\Windows\system32\Aqncedbp.exe

C:\Windows\SysWOW64\Aclpap32.exe

C:\Windows\system32\Aclpap32.exe

C:\Windows\SysWOW64\Afjlnk32.exe

C:\Windows\system32\Afjlnk32.exe

C:\Windows\SysWOW64\Amddjegd.exe

C:\Windows\system32\Amddjegd.exe

C:\Windows\SysWOW64\Aeklkchg.exe

C:\Windows\system32\Aeklkchg.exe

C:\Windows\SysWOW64\Agjhgngj.exe

C:\Windows\system32\Agjhgngj.exe

C:\Windows\SysWOW64\Ajhddjfn.exe

C:\Windows\system32\Ajhddjfn.exe

C:\Windows\SysWOW64\Amgapeea.exe

C:\Windows\system32\Amgapeea.exe

C:\Windows\SysWOW64\Aeniabfd.exe

C:\Windows\system32\Aeniabfd.exe

C:\Windows\SysWOW64\Afoeiklb.exe

C:\Windows\system32\Afoeiklb.exe

C:\Windows\SysWOW64\Anfmjhmd.exe

C:\Windows\system32\Anfmjhmd.exe

C:\Windows\SysWOW64\Aadifclh.exe

C:\Windows\system32\Aadifclh.exe

C:\Windows\SysWOW64\Accfbokl.exe

C:\Windows\system32\Accfbokl.exe

C:\Windows\SysWOW64\Bfabnjjp.exe

C:\Windows\system32\Bfabnjjp.exe

C:\Windows\SysWOW64\Bnhjohkb.exe

C:\Windows\system32\Bnhjohkb.exe

C:\Windows\SysWOW64\Bcebhoii.exe

C:\Windows\system32\Bcebhoii.exe

C:\Windows\SysWOW64\Bjokdipf.exe

C:\Windows\system32\Bjokdipf.exe

C:\Windows\SysWOW64\Bmngqdpj.exe

C:\Windows\system32\Bmngqdpj.exe

C:\Windows\SysWOW64\Bchomn32.exe

C:\Windows\system32\Bchomn32.exe

C:\Windows\SysWOW64\Bffkij32.exe

C:\Windows\system32\Bffkij32.exe

C:\Windows\SysWOW64\Bnmcjg32.exe

C:\Windows\system32\Bnmcjg32.exe

C:\Windows\SysWOW64\Balpgb32.exe

C:\Windows\system32\Balpgb32.exe

C:\Windows\SysWOW64\Bcjlcn32.exe

C:\Windows\system32\Bcjlcn32.exe

C:\Windows\SysWOW64\Bfhhoi32.exe

C:\Windows\system32\Bfhhoi32.exe

C:\Windows\SysWOW64\Bnpppgdj.exe

C:\Windows\system32\Bnpppgdj.exe

C:\Windows\SysWOW64\Bmbplc32.exe

C:\Windows\system32\Bmbplc32.exe

C:\Windows\SysWOW64\Beihma32.exe

C:\Windows\system32\Beihma32.exe

C:\Windows\SysWOW64\Bhhdil32.exe

C:\Windows\system32\Bhhdil32.exe

C:\Windows\SysWOW64\Bnbmefbg.exe

C:\Windows\system32\Bnbmefbg.exe

C:\Windows\SysWOW64\Bmemac32.exe

C:\Windows\system32\Bmemac32.exe

C:\Windows\SysWOW64\Chjaol32.exe

C:\Windows\system32\Chjaol32.exe

C:\Windows\SysWOW64\Cjmgfgdf.exe

C:\Windows\system32\Cjmgfgdf.exe

C:\Windows\SysWOW64\Cmlcbbcj.exe

C:\Windows\system32\Cmlcbbcj.exe

C:\Windows\SysWOW64\Ceckcp32.exe

C:\Windows\system32\Ceckcp32.exe

C:\Windows\SysWOW64\Chagok32.exe

C:\Windows\system32\Chagok32.exe

C:\Windows\SysWOW64\Cjpckf32.exe

C:\Windows\system32\Cjpckf32.exe

C:\Windows\SysWOW64\Cajlhqjp.exe

C:\Windows\system32\Cajlhqjp.exe

C:\Windows\SysWOW64\Cdhhdlid.exe

C:\Windows\system32\Cdhhdlid.exe

C:\Windows\SysWOW64\Chcddk32.exe

C:\Windows\system32\Chcddk32.exe

C:\Windows\SysWOW64\Cjbpaf32.exe

C:\Windows\system32\Cjbpaf32.exe

C:\Windows\SysWOW64\Cmqmma32.exe

C:\Windows\system32\Cmqmma32.exe

C:\Windows\SysWOW64\Cegdnopg.exe

C:\Windows\system32\Cegdnopg.exe

C:\Windows\SysWOW64\Dhfajjoj.exe

C:\Windows\system32\Dhfajjoj.exe

C:\Windows\SysWOW64\Dopigd32.exe

C:\Windows\system32\Dopigd32.exe

C:\Windows\SysWOW64\Danecp32.exe

C:\Windows\system32\Danecp32.exe

C:\Windows\SysWOW64\Ddmaok32.exe

C:\Windows\system32\Ddmaok32.exe

C:\Windows\SysWOW64\Dfknkg32.exe

C:\Windows\system32\Dfknkg32.exe

C:\Windows\SysWOW64\Dobfld32.exe

C:\Windows\system32\Dobfld32.exe

C:\Windows\SysWOW64\Daqbip32.exe

C:\Windows\system32\Daqbip32.exe

C:\Windows\SysWOW64\Ddonekbl.exe

C:\Windows\system32\Ddonekbl.exe

C:\Windows\SysWOW64\Dfnjafap.exe

C:\Windows\system32\Dfnjafap.exe

C:\Windows\SysWOW64\Dodbbdbb.exe

C:\Windows\system32\Dodbbdbb.exe

C:\Windows\SysWOW64\Dmgbnq32.exe

C:\Windows\system32\Dmgbnq32.exe

C:\Windows\SysWOW64\Deokon32.exe

C:\Windows\system32\Deokon32.exe

C:\Windows\SysWOW64\Dhmgki32.exe

C:\Windows\system32\Dhmgki32.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Dmjocp32.exe

C:\Windows\system32\Dmjocp32.exe

C:\Windows\SysWOW64\Deagdn32.exe

C:\Windows\system32\Deagdn32.exe

C:\Windows\SysWOW64\Dgbdlf32.exe

C:\Windows\system32\Dgbdlf32.exe

C:\Windows\SysWOW64\Doilmc32.exe

C:\Windows\system32\Doilmc32.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 208 -ip 208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 396

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/1124-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Afhohlbj.exe

MD5 449dc24a5b37663c86265c6866191f31
SHA1 dfd54e09144b390562be70f3a24bb56c8a48384c
SHA256 fa851bd1537fd04e1e4819ae50bd2287b14e0c58bf1a953284c3385893ae8877
SHA512 622798585ce2669efceadba7f5648c4ec3d8dea919540c6ff4c751d8031322735f0846ef9a1cde7f29a569984a2c489478b45885a8385cfe5c93867f7d9aa7b0

memory/3888-8-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Anogiicl.exe

MD5 8e07b22422e1141a054544ab29b939ae
SHA1 c59a61e1ded88970deafb817d15c46a820bb4ef1
SHA256 c5e32cbb473b18bb6b15172e39ff9e209f1cc68aefe941abcf12e7e6048bdbd0
SHA512 954460734b5c6e3126b5e73dee4a2de6817a015e3cec9f4dee05148e4e0c7e7e4ce1e002e1b58dbd391754942cbc75d614d7dcdf317c719c6ede8e16c01b12e9

memory/3300-20-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1312-24-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Ambgef32.exe

MD5 00cc46a45260273f5d720429496db84a
SHA1 414ec877f25dab9421ad528f192170ed9254aff9
SHA256 70be01a48438776c4b47e049724fcd7a2883bf6c60dee499e75a3cdd91fe38a9
SHA512 bf3e8123c643297b2eddd5331099b409314593dd7c6f02c347425d4ec7c9322ce659633f4e9adda4cb58a9fe2779485c0cf1c60253cc875124f8629b3b8a3b85

C:\Windows\SysWOW64\Aqncedbp.exe

MD5 b7aef5fc5fd93e9975d4e9c7f42fd020
SHA1 c0dcd25d5fcf19adc3fc072e27430a6ff4569e85
SHA256 be480c219d1c5eecb8fd2e6f282b53cbc175b73d5573af7f7851f6393fc6e16d
SHA512 77336cbed35dc22870553e92d8559055ee252970ecb40e101e5b72eaebd6bc42de8ed20a0ce677ec1491540bcd7c5c9b27b6b1181d4a26d04895f111cd4a7441

memory/3068-32-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3932-39-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Aclpap32.exe

MD5 5d20ad367eaf1a961cd9921bee8766e3
SHA1 07624a57c09123fb9ca615053505e374b6e4ceda
SHA256 5e09a7ffcc97ab9f6603de6dc6139e51839404c37ae12148860d113dca7e6a1a
SHA512 5bd0d5e38caf97d292d72a6a92b6c9792f390026bc993d9145604912bd67e9d383a0e9db517dbec8088532b5f859db7849dbd58b3040c43b503115be0e9ba84b

C:\Windows\SysWOW64\Afjlnk32.exe

MD5 5af502d5d151ac040fd0841535db11f5
SHA1 a31e88fe9ced4bb20aa660cfe4d5813b06a17468
SHA256 f0c29d22b4e412316a76f6f41baf036dde094328cf9ca61da86adc670e9fec03
SHA512 fe8694e1b98d13096dccf2da7612465684efa44e225950ce15a436484894a078b4ab1bd4e69e4fdfa2943e44c39fad769dd65517521a915edfce4af3ad9af448

memory/4820-47-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Amddjegd.exe

MD5 a086d050390a4643b018b0bf6d9fd69a
SHA1 66917202f1efa67e66f97ae818d25cdceaf92e94
SHA256 55b0842dc41be38e2c73eeedc272a2917d2327b6c31c3fff0ac1a90d83c3e84b
SHA512 a2703fba6c1b69e55f73a561a4291782f393f93a2e6db8ef4cc84be076db7384476d75426a6d6ac129f03a4526c0068049d53b521fec36636d5495246d91f76d

memory/2508-55-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Aeklkchg.exe

MD5 6c303c0e2553fb10029daf840dcdbaea
SHA1 6fb7ae6df0fb971d12e6bfd27bb58a1d3ac122a3
SHA256 2bd0003a2192505fe7d2b5e40c0a068c72ff51dbc166b343fa00ac2185d55bea
SHA512 f28b191ffeb1b2b776c76c953b7877ab35e82f0ecab6c4e5bc2122c739f7dd1f6b112c1fe0db7654350cf30fa0c5f7353c9d7d9b8155993394fc02bc09810ced

memory/3212-63-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Agjhgngj.exe

MD5 4164d58af6a382a4ddc9c626b53f09f3
SHA1 c9f9184a5e60a08472614ba2d38798a557dffce1
SHA256 78db79e7c2ec934a7e5231d2d7bdbd5f36231c13c1dca4de617dcb22ebcf8ac8
SHA512 35c608620849317c5195d868367dd8cba18115baad0c95507656ef04c1beb1203c4b2ed984de28c9f0bf467f4890f8652824aff7cf0445e95450c63b3d535c5f

memory/3712-71-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Ajhddjfn.exe

MD5 91ec7bfaba58306f9dd2c86dae527085
SHA1 86a88773f5df3ab4ac84ef5f785addb6f231e052
SHA256 822ffcdd6231efd11fe5313d78077a1e8b3f6a2ebd5f24dee446c45007b03d94
SHA512 cbc7bf6f0aa6fa754b0b796d8338f97145e9fb4c1baf6f43aff26fd13c9bee98ffaea2e0acef517e9d53600252935d8293ffe565f3b66bac7a9e849cf7d0ae88

memory/4864-79-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Amgapeea.exe

MD5 e3f127aacf6955cb0a4b849cb60160af
SHA1 b25396b078dc15d3b91087e0c1876112714e3d16
SHA256 e738dc4cfcadf377a82d72d4fa70ebccf5256e1baddd5c7fd1eebe19f943a5e6
SHA512 34f99ebc8f32e15b6aa76922e90ad12bc0684e0b4088ecabc518696cfeca1cf520f507e574705775b3055eedef466b07d0e97488dde143816b12f1bf491995c5

memory/4388-88-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Aeniabfd.exe

MD5 644a917bc1ce8085de0847c798e80bcb
SHA1 14989a88c588f53831f7129cb41f02e682c41745
SHA256 55e4c9e451c2099555c8f751b071fc26cc96532e57ee674820bdb5e91f50798f
SHA512 99d5f150ec90ee26334b6961b892be47168a4da188958f213c2536e0aaf4763c4a44ee77ae01757c7959a3680678bc14f6909e9bf98be26c51d3b6a6ef5dd002

memory/4308-95-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Afoeiklb.exe

MD5 4850824d64ff7167b5eef191d4972ebd
SHA1 3b33eab289d0f2b52d10d66596553ef7b4c2567b
SHA256 6120ef875fa437cc4ee70bc5f6de9988e961fa76c7635bb93240dea8e2940ad9
SHA512 12c23d2b64420b3c100f4cd8daf2603f17c863cef7e671a15795505a72d10ac7f013e7ead14d9f49d72b0be1a9ffebec6919af0d15f3b7eabab0f70ca14cccae

memory/4868-104-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Anfmjhmd.exe

MD5 ec854ba29421f1fe4776f526fd5824bb
SHA1 de6d9d872ebacc6a7d94564b73a994a4828b3394
SHA256 7fbc58f58e230bfa7cf12d8742c56c2c9cc26dfcf5bc6ca43b42e4051d6a27ee
SHA512 c5aeb0c6adde60c95f6201a2ecc939702250046aee0c0548dbfa008dabae0bcedaa0d4624f4de3ecc3f62425b044e6dd55914ac491f40319b2e8eb4c2a694244

memory/4016-111-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Aadifclh.exe

MD5 61b849ac5eff84e4531b0720723e3834
SHA1 86aacf713d0bdf5ee60f16e555111110d902e561
SHA256 8e8d4afbfd2b56e23c85981264d800afec740670b7edcd762e6e39d168a2bd51
SHA512 e51c5eda91a4ff20822794f3b98612ff21af6db0e110dcc9b5c1bb84656953b4443415596620267e0a5c77c4a7187c6cb4582a3b670025d730db73cd4290643f

memory/3224-120-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Accfbokl.exe

MD5 febcb736ec988a8d82fd2a8fccb60377
SHA1 04fa47a068f6c60cb56620fee3aad7e14e4b1033
SHA256 67158e527964f4e40f976825b1cc3555bfc090f3ea21796c61b86b7dea7ed618
SHA512 7a95708cffe32f4ef4c853e1e1efb672448212efd56746bc94ce4f1193819163a64b30eb0a18cbad14e968fc9e5d6782b8bcfd831d85f4830e44f8a87e47ca12

memory/4248-127-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Bfabnjjp.exe

MD5 66448c7387eab0a57beb41c997fa969c
SHA1 4e8254b5ac371b1f6f0874da3895c8df243e7011
SHA256 834df5529b198af5497cc463c80efd8fadb97c3f8f1bc062efb87f55c9985d83
SHA512 0fd4f809c60d6af1b784407dd6eb6837066c86147e5b3890c524efc243ea30f99ae75321ce6081af2d12c391080e8628153a25060c772cf4798d94350df7e638

memory/2172-135-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Bnhjohkb.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\Bnhjohkb.exe

MD5 caa607c88915dca3b02c71f0c3fff531
SHA1 6c86f4309ecd2bb91daf3ccf2d598204c26187f3
SHA256 f270ade1921d7c7b12631a05ff6edb08350501d6e78a9737bb1e742e9717ecf2
SHA512 797cd70027f8c8805015e0d69c1aa95d3f84b52120699aad1f33852230c622bf70aa0d127a3e5991cbc85990788f1ce0ac0d4067c47ce4bc6363453ab7d280f1

memory/1780-143-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3208-151-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Bcebhoii.exe

MD5 e1964255aef443d00307c192579c081b
SHA1 1be53b541acaab47ba10163a5fbdf92274fe1bd7
SHA256 bbce5602124372e37a9044c9f9d31221611343b4d4f096067a2390ff7ef7405f
SHA512 867e85e84c89a34db1b75464a3906c846640b76868a766153d221c9bd89e9a44cb2c26f0816af28681662ae2951d784d3d028d155ea1f1ddb373c471d1cdcd39

memory/4744-159-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Bjokdipf.exe

MD5 e931729e1540a04d9e7faab99978ff21
SHA1 9ce32cf90a663f4cb43d5c7cea3d29cb91502ab5
SHA256 a58e880c3835b9b49530860de470f30ca7bfd4484309c3404595946aaa9b9538
SHA512 65c13da4a5a656afce74dcfaba74cde8b0b8c4f00839c25188cd7c0888816308104bdc6ad511d6ab19fdac917f72afd6c83c036ef48131d53891b513d0d21384

C:\Windows\SysWOW64\Bmngqdpj.exe

MD5 a42cfee061626f6c4b03fe8c629f1cd2
SHA1 3eb2e5e34a4c169f15bea3ecc0ebac3aeec927eb
SHA256 467e951a7ac9ca495226a75a9fefa001e3de50f5960132faa7cb31a760bad179
SHA512 262dadd4a6e54b126008fe3694c7586378d374a86ccda4f27ce71b21284a48da189f9295372eec82abb0a16fa800bb2e3e9074a9e0922ec4304442910385a5a5

memory/4232-167-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Bchomn32.exe

MD5 27d6b4061dd02c8cabfdeaf6a04985cf
SHA1 d7ac99d86296af3e5038836b1c2b15d5c5888aec
SHA256 0d0c54a048d96e10db276876cf410359ddd36f8a35ac9d1ac84603fb87e2c5c6
SHA512 d5cbdec1f9481895c5e5c11260735094c35552d51094c1df2f82041125395db071c9dee72fc7c675bf3a5cd93685d40631f3d4fa1218805065793697b8f1f9f1

memory/4748-175-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Bffkij32.exe

MD5 32ac0b8ee203d3404a80ed65a292769b
SHA1 5ef43771931c26a095993b75a711df2ed666b3ae
SHA256 659390c697cace066d43a3d62d757e662d8c97cdc7fe2ad579143938e4df40c9
SHA512 788fe16cacf649930b901067b17dcefa493f853aac57ba7aa38e05bbd2ecbdaace16c8f0c8e58b77f2ca5c757c33815a72e793a57ddd296bc25b7cb7d98200c5

memory/3728-183-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Bnmcjg32.exe

MD5 71288221df0faf83141f191fb78415be
SHA1 c49325aebcad190fe9e6ddf466bfddf659f18fb3
SHA256 af9d7cc2e74f3f109383a5c7e03be55c3a70a1fa657a512bc63310257201a51c
SHA512 e25586c2c53a5a1270ade2eb84aa642c2b1e840a8178eba32172586848144e14f8d64c897af4370d1b42185878a9ebb383dc0bcda82cdac0b34ce34ff31cc88e

memory/4344-191-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Balpgb32.exe

MD5 0e0ac72fa44268719b1453ba158d82d8
SHA1 1b1a6eccc1c2999e5d2ec7531ac45f84a71867c1
SHA256 8c6de298ca786d18b5d573f8aa15e9708bc01d3b978eb835aedac5cb61d2c81d
SHA512 281e486e610d9f00539026ab23110d92db1795f24d14bb263e87c04487ea2cc08791378d14647e296a0d563bbc5a6f0a8448dc9215a18e7247de81e5464cfdae

memory/4760-199-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Bcjlcn32.exe

MD5 ddd98ad4160f70dd075afe38c23c3162
SHA1 f08028c7ec2a82655d36f619a62c17b7869636ca
SHA256 fd6088e9caf91a2cabd70623b8e20a037819bdd43a106c64eb72f3b024bd86f6
SHA512 6a08ad2a74e722ee66bcb829afa8ec20e6c9cf52169671aa706555e5607c58b98574a3dade31d4f02062ccf6713399e499a559848a4ed45cb00701ba02814c29

memory/3504-207-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Bfhhoi32.exe

MD5 5ed541f4cd049ce2f15308b76c965a7f
SHA1 bcde421f87cd9520e80b90a1657faa7d4a0a88e4
SHA256 87b7656acf94d47c86cef64fbc357777f26d83020bd4355ac6b0981b29a4fbda
SHA512 6bb02133b6d1870cbb536bc2f0bed248299a00590cf069d55baf4de5dc65b5ebf5a0ed13a55b1b0dc32cc0f8be6ed42c755aae10dd25f05dcc65be3034883ff7

memory/768-220-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Bnpppgdj.exe

MD5 746ac6afbbd2b564b5c7a4c5bcac0e48
SHA1 0840935da32cebcc8cc4c508c942a0680a081662
SHA256 ce63e770545b82cb54793f6b70de4cdee14f0792b6a24865831a14f46941e900
SHA512 ed34113d81c77f51f1a79408fbf28a2d5c524b70d0ac93156ec4e38e6c2de0e3d16c1a2b3a0cfa8ed3318844db7534230af5fb6b2e5ba7c2bd27af917a61a7fd

memory/3464-223-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4352-224-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Beihma32.exe

MD5 e689f4a980194d9e66b08db2ba34678a
SHA1 f15b471d3c255a0099f4d9855a8bfbe57544cd7b
SHA256 181e716750f5fc5499e2422a7cc6e19d302e2d130a9e1732b17d5d7bedb78c58
SHA512 17402c565fd4c504a427e53040956b555e68c7809878cc2ebc66cc2e79b536bb090293240a54d0b3ae4ef7c340bee5ebd3654016bfe8335d9115099cb41c5585

memory/1988-231-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Bhhdil32.exe

MD5 91a51e543e345873ad61b9ff4ca1b123
SHA1 c633ca17448a814b77496728bf993a9d356ed34b
SHA256 7dea3798b6e778f2a307466ca9cae510b9b51f62490f1161d02d2ced9368112e
SHA512 0a1fbdaf3ed99e847b6c541e375c751ef96efd93957f438c1842a266faf7df02fe0c66ad0586e6904ea96d81362f7db9c0c67c46dd6543fb39878dfec66658fa

memory/5016-239-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Bnbmefbg.exe

MD5 6467cbe283e5d958c84f257b35167bb2
SHA1 80abd0ff71ed99488b234664ad1920afdab65b29
SHA256 4fb862e509a43d0403935d7892705a6333da5e5aa69c1fec02ae5fb7ef7ec507
SHA512 331066aa0ac4ee5c94b34babf547f693a14a82a88350da3ea7e34f0f0fea3469fdc289ab4b7a4d4caa463768c493282afb87a330ba385508a755625cd1b747ce

memory/4012-247-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Bmemac32.exe

MD5 0e8d8ad2c3919cbcafc59129afb8e188
SHA1 84cb9a845e4f4b83e8b23edf601ab4a2d32d654c
SHA256 964dbb1bc03bc21c06c8c791090fe972fe01a96a81c9014b2ae3d479d0d25938
SHA512 a4f287814389a4fda15eadaa3de25ed395d66daadd03ab98fe3c196254bf7c2b8b712505c6b01e849c5ab1c0d77e4af34613f20bc0ea5861827e4f98ca19d0f4

memory/3032-255-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\Chjaol32.exe

MD5 d5c267761015132d76d8855e064b6d9b
SHA1 a39355e843b4153facdf8cae227780fe32589ab4
SHA256 b9732da5104526f374dcdcafd81f5ba394a9f0153990867db5550b734a2a4006
SHA512 d51b48a74a02180508e4c31abd91891cb8a890a53f5897267d4a4f33f00eae5e5f5832d566bd2e08bda51f1cb5ca51e94a736c327905721718a70803121581b0

memory/1904-263-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1936-269-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3772-279-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2480-281-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4460-287-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1500-293-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1552-299-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2560-305-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3176-311-0x0000000000400000-0x000000000042F000-memory.dmp

memory/436-321-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2440-323-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4920-329-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1732-335-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1684-341-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3748-347-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3908-353-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4552-359-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4960-365-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1252-371-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3960-377-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3972-383-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3012-389-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2184-399-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2688-401-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2080-407-0x0000000000400000-0x000000000042F000-memory.dmp

memory/868-413-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4272-419-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2096-425-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2092-431-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2620-437-0x0000000000400000-0x000000000042F000-memory.dmp

memory/208-443-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2092-450-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2620-447-0x0000000000400000-0x000000000042F000-memory.dmp

memory/208-446-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4272-453-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3972-463-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1552-490-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3772-498-0x0000000000400000-0x000000000042F000-memory.dmp

memory/5016-508-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4012-506-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3032-504-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1904-502-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1936-500-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2480-496-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4460-494-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1500-492-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2560-488-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3176-486-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2440-483-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4920-481-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1732-479-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1684-477-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3748-475-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3908-473-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4552-471-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4960-469-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1252-467-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3960-465-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3012-461-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2688-458-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2080-456-0x0000000000400000-0x000000000042F000-memory.dmp

memory/868-455-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2096-451-0x0000000000400000-0x000000000042F000-memory.dmp