Malware Analysis Report

2025-06-16 07:10

Sample ID 240602-bhgvrsde5x
Target a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe
SHA256 a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe

Threat Level: Known bad

The file a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 01:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 01:08

Reported

2024-06-02 01:11

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dhnepfpj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Blmacb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lmiciaaj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gbcakg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pghieg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dohfbj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hkdbpe32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cabfga32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjeddggd.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nbhkac32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aaepqjpd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dllmfd32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fopldmcl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gogbdl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hmfbjnbp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Laalifad.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Hkfoeega.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Accfbokl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdpalp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ceoibflm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Miifeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cdfkolkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Laciofpa.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cacmah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dlncan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Hcbpab32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njciko32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ipnalhii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kbdmpqcb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oneklm32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cddecc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Faihkbci.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jcbihpel.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Beeflhdh.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Dpemacql.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ebbidj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ejjqeg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iiffen32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lmqgnhmp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kaemnhla.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpmfddnf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fdgdgnbm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nepgjaeg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ceehho32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eleplc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jfhbppbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jfcbjk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mlhbal32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kpccnefa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kemhff32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Efneehef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Gmaioo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Iakaql32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jaedgjjd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Doilmc32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ejgdpg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fbioei32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kmjqmi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pqnaim32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ebnoikqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncgkcl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Miifeq32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Clqnjf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccjfgphj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ceibclgn.exe N/A
N/A N/A C:\Windows\SysWOW64\Cidncj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Clckpf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Coagla32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ccmclp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Cekohk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhjkdg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlegeemh.exe N/A
N/A N/A C:\Windows\SysWOW64\Doccaall.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcopbp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhlhjf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlgdkeje.exe N/A
N/A N/A C:\Windows\SysWOW64\Dofpgqji.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcalgo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dephckaf.exe N/A
N/A N/A C:\Windows\SysWOW64\Dhnepfpj.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpemacql.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcdimopp.exe N/A
N/A N/A C:\Windows\SysWOW64\Dagiil32.exe N/A
N/A N/A C:\Windows\SysWOW64\Djnaji32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dllmfd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dokjbp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Dcfebonm.exe N/A
N/A N/A C:\Windows\SysWOW64\Dfdbojmq.exe N/A
N/A N/A C:\Windows\SysWOW64\Djpnohej.exe N/A
N/A N/A C:\Windows\SysWOW64\Dlojkddn.exe N/A
N/A N/A C:\Windows\SysWOW64\Dpjflb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Domfgpca.exe N/A
N/A N/A C:\Windows\SysWOW64\Dakbckbe.exe N/A
N/A N/A C:\Windows\SysWOW64\Efgodj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ehekqe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elagacbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Eoocmoao.exe N/A
N/A N/A C:\Windows\SysWOW64\Eckonn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebnoikqb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejegjh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Elccfc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Epopgbia.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecmlcmhe.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebploj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejgdpg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ehjdldfl.exe N/A
N/A N/A C:\Windows\SysWOW64\Eleplc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqalmafo.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecphimfb.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebbidj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Efneehef.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejjqeg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ehlaaddj.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqciba32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eofinnkf.exe N/A
N/A N/A C:\Windows\SysWOW64\Ebeejijj.exe N/A
N/A N/A C:\Windows\SysWOW64\Efpajh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ejlmkgkl.exe N/A
N/A N/A C:\Windows\SysWOW64\Emjjgbjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Eqfeha32.exe N/A
N/A N/A C:\Windows\SysWOW64\Eoifcnid.exe N/A
N/A N/A C:\Windows\SysWOW64\Ecdbdl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ffbnph32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fjnjqfij.exe N/A
N/A N/A C:\Windows\SysWOW64\Fhajlc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Fqhbmqqg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Anbkio32.exe C:\Windows\SysWOW64\Aldomc32.exe N/A
File created C:\Windows\SysWOW64\Aaepqjpd.exe C:\Windows\SysWOW64\Angddopp.exe N/A
File created C:\Windows\SysWOW64\Ladjgikj.dll C:\Windows\SysWOW64\Olfobjbg.exe N/A
File opened for modification C:\Windows\SysWOW64\Ebploj32.exe C:\Windows\SysWOW64\Ecmlcmhe.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjcgohig.exe C:\Windows\SysWOW64\Mgekbljc.exe N/A
File created C:\Windows\SysWOW64\Pqnaim32.exe C:\Windows\SysWOW64\Pjdilcla.exe N/A
File opened for modification C:\Windows\SysWOW64\Dcfebonm.exe C:\Windows\SysWOW64\Dokjbp32.exe N/A
File created C:\Windows\SysWOW64\Ifhmhq32.dll C:\Windows\SysWOW64\Hjmoibog.exe N/A
File opened for modification C:\Windows\SysWOW64\Fjnjqfij.exe C:\Windows\SysWOW64\Ffbnph32.exe N/A
File created C:\Windows\SysWOW64\Eplmgmol.dll C:\Windows\SysWOW64\Kpccnefa.exe N/A
File created C:\Windows\SysWOW64\Hnfmbf32.dll C:\Windows\SysWOW64\Mdpalp32.exe N/A
File opened for modification C:\Windows\SysWOW64\Echknh32.exe C:\Windows\SysWOW64\Dlncan32.exe N/A
File created C:\Windows\SysWOW64\Amjknl32.dll C:\Windows\SysWOW64\Daekdooc.exe N/A
File opened for modification C:\Windows\SysWOW64\Emjjgbjp.exe C:\Windows\SysWOW64\Ejlmkgkl.exe N/A
File created C:\Windows\SysWOW64\Ecdbdl32.exe C:\Windows\SysWOW64\Eoifcnid.exe N/A
File opened for modification C:\Windows\SysWOW64\Bbifelba.exe C:\Windows\SysWOW64\Bjbndobo.exe N/A
File opened for modification C:\Windows\SysWOW64\Cabfga32.exe C:\Windows\SysWOW64\Cndikf32.exe N/A
File created C:\Windows\SysWOW64\Gqffnmfa.dll C:\Windows\SysWOW64\Mdiklqhm.exe N/A
File opened for modification C:\Windows\SysWOW64\Alhhhcal.exe C:\Windows\SysWOW64\Aeopki32.exe N/A
File created C:\Windows\SysWOW64\Eagncfoj.dll C:\Windows\SysWOW64\Gppekj32.exe N/A
File created C:\Windows\SysWOW64\Coagla32.exe C:\Windows\SysWOW64\Clckpf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dpjflb32.exe C:\Windows\SysWOW64\Dlojkddn.exe N/A
File created C:\Windows\SysWOW64\Hdaeob32.dll C:\Windows\SysWOW64\Aeopki32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bjghpn32.exe C:\Windows\SysWOW64\Baocghgi.exe N/A
File opened for modification C:\Windows\SysWOW64\Pmoahijl.exe C:\Windows\SysWOW64\Ogbipa32.exe N/A
File created C:\Windows\SysWOW64\Fqohnp32.exe C:\Windows\SysWOW64\Fmclmabe.exe N/A
File opened for modification C:\Windows\SysWOW64\Ifmcdblq.exe C:\Windows\SysWOW64\Ibagcc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Olfobjbg.exe C:\Windows\SysWOW64\Ocnjidkf.exe N/A
File opened for modification C:\Windows\SysWOW64\Ijhodq32.exe C:\Windows\SysWOW64\Ifmcdblq.exe N/A
File created C:\Windows\SysWOW64\Jkdnpo32.exe C:\Windows\SysWOW64\Jfhbppbc.exe N/A
File created C:\Windows\SysWOW64\Doccaall.exe C:\Windows\SysWOW64\Dlegeemh.exe N/A
File created C:\Windows\SysWOW64\Mcgdgamg.dll C:\Windows\SysWOW64\Cajcbgml.exe N/A
File created C:\Windows\SysWOW64\Ecmlcmhe.exe C:\Windows\SysWOW64\Epopgbia.exe N/A
File created C:\Windows\SysWOW64\Helfik32.exe C:\Windows\SysWOW64\Hckjacjg.exe N/A
File created C:\Windows\SysWOW64\Ekiidlll.dll C:\Windows\SysWOW64\Lcbiao32.exe N/A
File created C:\Windows\SysWOW64\Ccgldidg.dll C:\Windows\SysWOW64\Oboaabga.exe N/A
File opened for modification C:\Windows\SysWOW64\Dkljak32.exe C:\Windows\SysWOW64\Dhnnep32.exe N/A
File created C:\Windows\SysWOW64\Accfbokl.exe C:\Windows\SysWOW64\Aadifclh.exe N/A
File opened for modification C:\Windows\SysWOW64\Dohfbj32.exe C:\Windows\SysWOW64\Dkljak32.exe N/A
File created C:\Windows\SysWOW64\Dmgbnq32.exe C:\Windows\SysWOW64\Dkifae32.exe N/A
File created C:\Windows\SysWOW64\Pnfmmb32.dll C:\Windows\SysWOW64\Giofnacd.exe N/A
File created C:\Windows\SysWOW64\Mnfipekh.exe C:\Windows\SysWOW64\Mjjmog32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ddakjkqi.exe C:\Windows\SysWOW64\Daconoae.exe N/A
File opened for modification C:\Windows\SysWOW64\Jmnaakne.exe C:\Windows\SysWOW64\Jibeql32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ojalgcnd.exe C:\Windows\SysWOW64\Ocgdji32.exe N/A
File created C:\Windows\SysWOW64\Pgemphmn.exe C:\Windows\SysWOW64\Oqkdcn32.exe N/A
File created C:\Windows\SysWOW64\Laalifad.exe C:\Windows\SysWOW64\Lkgdml32.exe N/A
File created C:\Windows\SysWOW64\Eocenh32.exe C:\Windows\SysWOW64\Ehimanbq.exe N/A
File created C:\Windows\SysWOW64\Hofddb32.dll C:\Windows\SysWOW64\Fbnhphbp.exe N/A
File created C:\Windows\SysWOW64\Giacca32.exe C:\Windows\SysWOW64\Gfcgge32.exe N/A
File created C:\Windows\SysWOW64\Qqfmde32.exe C:\Windows\SysWOW64\Pgnilpah.exe N/A
File created C:\Windows\SysWOW64\Fcgoilpj.exe C:\Windows\SysWOW64\Fqhbmqqg.exe N/A
File created C:\Windows\SysWOW64\Ddhbep32.dll C:\Windows\SysWOW64\Fjqgff32.exe N/A
File created C:\Windows\SysWOW64\Oggacefk.dll C:\Windows\SysWOW64\Ffgqqaip.exe N/A
File created C:\Windows\SysWOW64\Eqbmje32.dll C:\Windows\SysWOW64\Lpappc32.exe N/A
File created C:\Windows\SysWOW64\Beeflhdh.exe C:\Windows\SysWOW64\Bbgipldd.exe N/A
File opened for modification C:\Windows\SysWOW64\Kkbkamnl.exe C:\Windows\SysWOW64\Kgfoan32.exe N/A
File opened for modification C:\Windows\SysWOW64\Doeiljfn.exe C:\Windows\SysWOW64\Dlgmpogj.exe N/A
File opened for modification C:\Windows\SysWOW64\Cmqmma32.exe C:\Windows\SysWOW64\Cnnlaehj.exe N/A
File opened for modification C:\Windows\SysWOW64\Eofinnkf.exe C:\Windows\SysWOW64\Eqciba32.exe N/A
File created C:\Windows\SysWOW64\Gmhfhp32.exe C:\Windows\SysWOW64\Gfnnlffc.exe N/A
File created C:\Windows\SysWOW64\Mifnjj32.dll C:\Windows\SysWOW64\Eocenh32.exe N/A
File created C:\Windows\SysWOW64\Ljodkeij.dll C:\Windows\SysWOW64\Lpqiemge.exe N/A
File created C:\Windows\SysWOW64\Ndcdmikd.exe C:\Windows\SysWOW64\Njnpppkn.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dmllipeg.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Efgodj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndbnboqb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dhbgqohi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oneklm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bnhjohkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebnoikqb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhpcomb.dll" C:\Windows\SysWOW64\Lfkaag32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Miifeq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjdgcbkb.dll" C:\Windows\SysWOW64\Bbgipldd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoogcin.dll" C:\Windows\SysWOW64\Hcpclbfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oneklm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll" C:\Windows\SysWOW64\Gidphq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll" C:\Windows\SysWOW64\Iidipnal.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jmkdlkph.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Npjebj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dofpgqji.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jidbflcj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jiikak32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ippggbck.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddonekbl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll" C:\Windows\SysWOW64\Hikfip32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbmpm32.dll" C:\Windows\SysWOW64\Eapedd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fqhbmqqg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Liekmj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolmfp32.dll" C:\Windows\SysWOW64\Pghieg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Giofnacd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll" C:\Windows\SysWOW64\Kdaldd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlineehd.dll" C:\Windows\SysWOW64\Lmppcbjd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jkdnpo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaaagol.dll" C:\Windows\SysWOW64\Kphmie32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomaga32.dll" C:\Windows\SysWOW64\Lgmngglp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ficgacna.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Fakdpb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hkdbpe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Chdkoa32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll" C:\Windows\SysWOW64\Cndikf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogedoeae.dll" C:\Windows\SysWOW64\Eoifcnid.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jbfpobpb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Jbhmdbnp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmige32.dll" C:\Windows\SysWOW64\Dagiil32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qcepkg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Kefkme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll" C:\Windows\SysWOW64\Gqkhjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcqbd32.dll" C:\Windows\SysWOW64\Pndohaqe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Faihkbci.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ebbidj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll" C:\Windows\SysWOW64\Laalifad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ddmhja32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hmklen32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll" C:\Windows\SysWOW64\Jidbflcj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll" C:\Windows\SysWOW64\Andqdh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jkfkfohj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkffk32.dll" C:\Windows\SysWOW64\Fakdpb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Laciofpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Gdcdbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll" C:\Windows\SysWOW64\Bcebhoii.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Jjmhppqd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll" C:\Windows\SysWOW64\Kkkdan32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lmccchkn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmcibama.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjebnamp.dll" C:\Windows\SysWOW64\Ehjdldfl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Icljbg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll" C:\Windows\SysWOW64\Ocnjidkf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll" C:\Windows\SysWOW64\Mjjmog32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe C:\Windows\SysWOW64\Clqnjf32.exe
PID 3052 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe C:\Windows\SysWOW64\Clqnjf32.exe
PID 3052 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe C:\Windows\SysWOW64\Clqnjf32.exe
PID 2616 wrote to memory of 4552 N/A C:\Windows\SysWOW64\Clqnjf32.exe C:\Windows\SysWOW64\Ccjfgphj.exe
PID 2616 wrote to memory of 4552 N/A C:\Windows\SysWOW64\Clqnjf32.exe C:\Windows\SysWOW64\Ccjfgphj.exe
PID 2616 wrote to memory of 4552 N/A C:\Windows\SysWOW64\Clqnjf32.exe C:\Windows\SysWOW64\Ccjfgphj.exe
PID 4552 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Ccjfgphj.exe C:\Windows\SysWOW64\Ceibclgn.exe
PID 4552 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Ccjfgphj.exe C:\Windows\SysWOW64\Ceibclgn.exe
PID 4552 wrote to memory of 2672 N/A C:\Windows\SysWOW64\Ccjfgphj.exe C:\Windows\SysWOW64\Ceibclgn.exe
PID 2672 wrote to memory of 6064 N/A C:\Windows\SysWOW64\Ceibclgn.exe C:\Windows\SysWOW64\Cidncj32.exe
PID 2672 wrote to memory of 6064 N/A C:\Windows\SysWOW64\Ceibclgn.exe C:\Windows\SysWOW64\Cidncj32.exe
PID 2672 wrote to memory of 6064 N/A C:\Windows\SysWOW64\Ceibclgn.exe C:\Windows\SysWOW64\Cidncj32.exe
PID 6064 wrote to memory of 1664 N/A C:\Windows\SysWOW64\Cidncj32.exe C:\Windows\SysWOW64\Clckpf32.exe
PID 6064 wrote to memory of 1664 N/A C:\Windows\SysWOW64\Cidncj32.exe C:\Windows\SysWOW64\Clckpf32.exe
PID 6064 wrote to memory of 1664 N/A C:\Windows\SysWOW64\Cidncj32.exe C:\Windows\SysWOW64\Clckpf32.exe
PID 1664 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Clckpf32.exe C:\Windows\SysWOW64\Coagla32.exe
PID 1664 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Clckpf32.exe C:\Windows\SysWOW64\Coagla32.exe
PID 1664 wrote to memory of 2528 N/A C:\Windows\SysWOW64\Clckpf32.exe C:\Windows\SysWOW64\Coagla32.exe
PID 2528 wrote to memory of 5968 N/A C:\Windows\SysWOW64\Coagla32.exe C:\Windows\SysWOW64\Ccmclp32.exe
PID 2528 wrote to memory of 5968 N/A C:\Windows\SysWOW64\Coagla32.exe C:\Windows\SysWOW64\Ccmclp32.exe
PID 2528 wrote to memory of 5968 N/A C:\Windows\SysWOW64\Coagla32.exe C:\Windows\SysWOW64\Ccmclp32.exe
PID 5968 wrote to memory of 4296 N/A C:\Windows\SysWOW64\Ccmclp32.exe C:\Windows\SysWOW64\Cekohk32.exe
PID 5968 wrote to memory of 4296 N/A C:\Windows\SysWOW64\Ccmclp32.exe C:\Windows\SysWOW64\Cekohk32.exe
PID 5968 wrote to memory of 4296 N/A C:\Windows\SysWOW64\Ccmclp32.exe C:\Windows\SysWOW64\Cekohk32.exe
PID 4296 wrote to memory of 4452 N/A C:\Windows\SysWOW64\Cekohk32.exe C:\Windows\SysWOW64\Dhjkdg32.exe
PID 4296 wrote to memory of 4452 N/A C:\Windows\SysWOW64\Cekohk32.exe C:\Windows\SysWOW64\Dhjkdg32.exe
PID 4296 wrote to memory of 4452 N/A C:\Windows\SysWOW64\Cekohk32.exe C:\Windows\SysWOW64\Dhjkdg32.exe
PID 4452 wrote to memory of 4228 N/A C:\Windows\SysWOW64\Dhjkdg32.exe C:\Windows\SysWOW64\Dlegeemh.exe
PID 4452 wrote to memory of 4228 N/A C:\Windows\SysWOW64\Dhjkdg32.exe C:\Windows\SysWOW64\Dlegeemh.exe
PID 4452 wrote to memory of 4228 N/A C:\Windows\SysWOW64\Dhjkdg32.exe C:\Windows\SysWOW64\Dlegeemh.exe
PID 4228 wrote to memory of 4112 N/A C:\Windows\SysWOW64\Dlegeemh.exe C:\Windows\SysWOW64\Doccaall.exe
PID 4228 wrote to memory of 4112 N/A C:\Windows\SysWOW64\Dlegeemh.exe C:\Windows\SysWOW64\Doccaall.exe
PID 4228 wrote to memory of 4112 N/A C:\Windows\SysWOW64\Dlegeemh.exe C:\Windows\SysWOW64\Doccaall.exe
PID 4112 wrote to memory of 5364 N/A C:\Windows\SysWOW64\Doccaall.exe C:\Windows\SysWOW64\Dcopbp32.exe
PID 4112 wrote to memory of 5364 N/A C:\Windows\SysWOW64\Doccaall.exe C:\Windows\SysWOW64\Dcopbp32.exe
PID 4112 wrote to memory of 5364 N/A C:\Windows\SysWOW64\Doccaall.exe C:\Windows\SysWOW64\Dcopbp32.exe
PID 5364 wrote to memory of 5872 N/A C:\Windows\SysWOW64\Dcopbp32.exe C:\Windows\SysWOW64\Dhlhjf32.exe
PID 5364 wrote to memory of 5872 N/A C:\Windows\SysWOW64\Dcopbp32.exe C:\Windows\SysWOW64\Dhlhjf32.exe
PID 5364 wrote to memory of 5872 N/A C:\Windows\SysWOW64\Dcopbp32.exe C:\Windows\SysWOW64\Dhlhjf32.exe
PID 5872 wrote to memory of 3860 N/A C:\Windows\SysWOW64\Dhlhjf32.exe C:\Windows\SysWOW64\Dlgdkeje.exe
PID 5872 wrote to memory of 3860 N/A C:\Windows\SysWOW64\Dhlhjf32.exe C:\Windows\SysWOW64\Dlgdkeje.exe
PID 5872 wrote to memory of 3860 N/A C:\Windows\SysWOW64\Dhlhjf32.exe C:\Windows\SysWOW64\Dlgdkeje.exe
PID 3860 wrote to memory of 5332 N/A C:\Windows\SysWOW64\Dlgdkeje.exe C:\Windows\SysWOW64\Dofpgqji.exe
PID 3860 wrote to memory of 5332 N/A C:\Windows\SysWOW64\Dlgdkeje.exe C:\Windows\SysWOW64\Dofpgqji.exe
PID 3860 wrote to memory of 5332 N/A C:\Windows\SysWOW64\Dlgdkeje.exe C:\Windows\SysWOW64\Dofpgqji.exe
PID 5332 wrote to memory of 3256 N/A C:\Windows\SysWOW64\Dofpgqji.exe C:\Windows\SysWOW64\Dcalgo32.exe
PID 5332 wrote to memory of 3256 N/A C:\Windows\SysWOW64\Dofpgqji.exe C:\Windows\SysWOW64\Dcalgo32.exe
PID 5332 wrote to memory of 3256 N/A C:\Windows\SysWOW64\Dofpgqji.exe C:\Windows\SysWOW64\Dcalgo32.exe
PID 3256 wrote to memory of 2428 N/A C:\Windows\SysWOW64\Dcalgo32.exe C:\Windows\SysWOW64\Dephckaf.exe
PID 3256 wrote to memory of 2428 N/A C:\Windows\SysWOW64\Dcalgo32.exe C:\Windows\SysWOW64\Dephckaf.exe
PID 3256 wrote to memory of 2428 N/A C:\Windows\SysWOW64\Dcalgo32.exe C:\Windows\SysWOW64\Dephckaf.exe
PID 2428 wrote to memory of 2120 N/A C:\Windows\SysWOW64\Dephckaf.exe C:\Windows\SysWOW64\Dhnepfpj.exe
PID 2428 wrote to memory of 2120 N/A C:\Windows\SysWOW64\Dephckaf.exe C:\Windows\SysWOW64\Dhnepfpj.exe
PID 2428 wrote to memory of 2120 N/A C:\Windows\SysWOW64\Dephckaf.exe C:\Windows\SysWOW64\Dhnepfpj.exe
PID 2120 wrote to memory of 5288 N/A C:\Windows\SysWOW64\Dhnepfpj.exe C:\Windows\SysWOW64\Dpemacql.exe
PID 2120 wrote to memory of 5288 N/A C:\Windows\SysWOW64\Dhnepfpj.exe C:\Windows\SysWOW64\Dpemacql.exe
PID 2120 wrote to memory of 5288 N/A C:\Windows\SysWOW64\Dhnepfpj.exe C:\Windows\SysWOW64\Dpemacql.exe
PID 5288 wrote to memory of 5664 N/A C:\Windows\SysWOW64\Dpemacql.exe C:\Windows\SysWOW64\Dcdimopp.exe
PID 5288 wrote to memory of 5664 N/A C:\Windows\SysWOW64\Dpemacql.exe C:\Windows\SysWOW64\Dcdimopp.exe
PID 5288 wrote to memory of 5664 N/A C:\Windows\SysWOW64\Dpemacql.exe C:\Windows\SysWOW64\Dcdimopp.exe
PID 5664 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Dcdimopp.exe C:\Windows\SysWOW64\Dagiil32.exe
PID 5664 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Dcdimopp.exe C:\Windows\SysWOW64\Dagiil32.exe
PID 5664 wrote to memory of 2104 N/A C:\Windows\SysWOW64\Dcdimopp.exe C:\Windows\SysWOW64\Dagiil32.exe
PID 2104 wrote to memory of 4436 N/A C:\Windows\SysWOW64\Dagiil32.exe C:\Windows\SysWOW64\Djnaji32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe

"C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe"

C:\Windows\SysWOW64\Clqnjf32.exe

C:\Windows\system32\Clqnjf32.exe

C:\Windows\SysWOW64\Ccjfgphj.exe

C:\Windows\system32\Ccjfgphj.exe

C:\Windows\SysWOW64\Ceibclgn.exe

C:\Windows\system32\Ceibclgn.exe

C:\Windows\SysWOW64\Cidncj32.exe

C:\Windows\system32\Cidncj32.exe

C:\Windows\SysWOW64\Clckpf32.exe

C:\Windows\system32\Clckpf32.exe

C:\Windows\SysWOW64\Coagla32.exe

C:\Windows\system32\Coagla32.exe

C:\Windows\SysWOW64\Ccmclp32.exe

C:\Windows\system32\Ccmclp32.exe

C:\Windows\SysWOW64\Cekohk32.exe

C:\Windows\system32\Cekohk32.exe

C:\Windows\SysWOW64\Dhjkdg32.exe

C:\Windows\system32\Dhjkdg32.exe

C:\Windows\SysWOW64\Dlegeemh.exe

C:\Windows\system32\Dlegeemh.exe

C:\Windows\SysWOW64\Doccaall.exe

C:\Windows\system32\Doccaall.exe

C:\Windows\SysWOW64\Dcopbp32.exe

C:\Windows\system32\Dcopbp32.exe

C:\Windows\SysWOW64\Dhlhjf32.exe

C:\Windows\system32\Dhlhjf32.exe

C:\Windows\SysWOW64\Dlgdkeje.exe

C:\Windows\system32\Dlgdkeje.exe

C:\Windows\SysWOW64\Dofpgqji.exe

C:\Windows\system32\Dofpgqji.exe

C:\Windows\SysWOW64\Dcalgo32.exe

C:\Windows\system32\Dcalgo32.exe

C:\Windows\SysWOW64\Dephckaf.exe

C:\Windows\system32\Dephckaf.exe

C:\Windows\SysWOW64\Dhnepfpj.exe

C:\Windows\system32\Dhnepfpj.exe

C:\Windows\SysWOW64\Dpemacql.exe

C:\Windows\system32\Dpemacql.exe

C:\Windows\SysWOW64\Dcdimopp.exe

C:\Windows\system32\Dcdimopp.exe

C:\Windows\SysWOW64\Dagiil32.exe

C:\Windows\system32\Dagiil32.exe

C:\Windows\SysWOW64\Djnaji32.exe

C:\Windows\system32\Djnaji32.exe

C:\Windows\SysWOW64\Dllmfd32.exe

C:\Windows\system32\Dllmfd32.exe

C:\Windows\SysWOW64\Dokjbp32.exe

C:\Windows\system32\Dokjbp32.exe

C:\Windows\SysWOW64\Dcfebonm.exe

C:\Windows\system32\Dcfebonm.exe

C:\Windows\SysWOW64\Dfdbojmq.exe

C:\Windows\system32\Dfdbojmq.exe

C:\Windows\SysWOW64\Djpnohej.exe

C:\Windows\system32\Djpnohej.exe

C:\Windows\SysWOW64\Dlojkddn.exe

C:\Windows\system32\Dlojkddn.exe

C:\Windows\SysWOW64\Dpjflb32.exe

C:\Windows\system32\Dpjflb32.exe

C:\Windows\SysWOW64\Domfgpca.exe

C:\Windows\system32\Domfgpca.exe

C:\Windows\SysWOW64\Dakbckbe.exe

C:\Windows\system32\Dakbckbe.exe

C:\Windows\SysWOW64\Efgodj32.exe

C:\Windows\system32\Efgodj32.exe

C:\Windows\SysWOW64\Ehekqe32.exe

C:\Windows\system32\Ehekqe32.exe

C:\Windows\SysWOW64\Elagacbk.exe

C:\Windows\system32\Elagacbk.exe

C:\Windows\SysWOW64\Eoocmoao.exe

C:\Windows\system32\Eoocmoao.exe

C:\Windows\SysWOW64\Eckonn32.exe

C:\Windows\system32\Eckonn32.exe

C:\Windows\SysWOW64\Ebnoikqb.exe

C:\Windows\system32\Ebnoikqb.exe

C:\Windows\SysWOW64\Ejegjh32.exe

C:\Windows\system32\Ejegjh32.exe

C:\Windows\SysWOW64\Elccfc32.exe

C:\Windows\system32\Elccfc32.exe

C:\Windows\SysWOW64\Epopgbia.exe

C:\Windows\system32\Epopgbia.exe

C:\Windows\SysWOW64\Ecmlcmhe.exe

C:\Windows\system32\Ecmlcmhe.exe

C:\Windows\SysWOW64\Ebploj32.exe

C:\Windows\system32\Ebploj32.exe

C:\Windows\SysWOW64\Ejgdpg32.exe

C:\Windows\system32\Ejgdpg32.exe

C:\Windows\SysWOW64\Ehjdldfl.exe

C:\Windows\system32\Ehjdldfl.exe

C:\Windows\SysWOW64\Eleplc32.exe

C:\Windows\system32\Eleplc32.exe

C:\Windows\SysWOW64\Eqalmafo.exe

C:\Windows\system32\Eqalmafo.exe

C:\Windows\SysWOW64\Ecphimfb.exe

C:\Windows\system32\Ecphimfb.exe

C:\Windows\SysWOW64\Ebbidj32.exe

C:\Windows\system32\Ebbidj32.exe

C:\Windows\SysWOW64\Efneehef.exe

C:\Windows\system32\Efneehef.exe

C:\Windows\SysWOW64\Ejjqeg32.exe

C:\Windows\system32\Ejjqeg32.exe

C:\Windows\SysWOW64\Ehlaaddj.exe

C:\Windows\system32\Ehlaaddj.exe

C:\Windows\SysWOW64\Eqciba32.exe

C:\Windows\system32\Eqciba32.exe

C:\Windows\SysWOW64\Eofinnkf.exe

C:\Windows\system32\Eofinnkf.exe

C:\Windows\SysWOW64\Ebeejijj.exe

C:\Windows\system32\Ebeejijj.exe

C:\Windows\SysWOW64\Efpajh32.exe

C:\Windows\system32\Efpajh32.exe

C:\Windows\SysWOW64\Ejlmkgkl.exe

C:\Windows\system32\Ejlmkgkl.exe

C:\Windows\SysWOW64\Emjjgbjp.exe

C:\Windows\system32\Emjjgbjp.exe

C:\Windows\SysWOW64\Eqfeha32.exe

C:\Windows\system32\Eqfeha32.exe

C:\Windows\SysWOW64\Eoifcnid.exe

C:\Windows\system32\Eoifcnid.exe

C:\Windows\SysWOW64\Ecdbdl32.exe

C:\Windows\system32\Ecdbdl32.exe

C:\Windows\SysWOW64\Ffbnph32.exe

C:\Windows\system32\Ffbnph32.exe

C:\Windows\SysWOW64\Fjnjqfij.exe

C:\Windows\system32\Fjnjqfij.exe

C:\Windows\SysWOW64\Fhajlc32.exe

C:\Windows\system32\Fhajlc32.exe

C:\Windows\SysWOW64\Fqhbmqqg.exe

C:\Windows\system32\Fqhbmqqg.exe

C:\Windows\SysWOW64\Fcgoilpj.exe

C:\Windows\system32\Fcgoilpj.exe

C:\Windows\SysWOW64\Fcgoilpj.exe

C:\Windows\system32\Fcgoilpj.exe

C:\Windows\SysWOW64\Fbioei32.exe

C:\Windows\system32\Fbioei32.exe

C:\Windows\SysWOW64\Fjqgff32.exe

C:\Windows\system32\Fjqgff32.exe

C:\Windows\SysWOW64\Ficgacna.exe

C:\Windows\system32\Ficgacna.exe

C:\Windows\SysWOW64\Fqkocpod.exe

C:\Windows\system32\Fqkocpod.exe

C:\Windows\SysWOW64\Fomonm32.exe

C:\Windows\system32\Fomonm32.exe

C:\Windows\SysWOW64\Fbllkh32.exe

C:\Windows\system32\Fbllkh32.exe

C:\Windows\SysWOW64\Ffggkgmk.exe

C:\Windows\system32\Ffggkgmk.exe

C:\Windows\SysWOW64\Fifdgblo.exe

C:\Windows\system32\Fifdgblo.exe

C:\Windows\SysWOW64\Fmapha32.exe

C:\Windows\system32\Fmapha32.exe

C:\Windows\SysWOW64\Fopldmcl.exe

C:\Windows\system32\Fopldmcl.exe

C:\Windows\SysWOW64\Fbnhphbp.exe

C:\Windows\system32\Fbnhphbp.exe

C:\Windows\SysWOW64\Ffjdqg32.exe

C:\Windows\system32\Ffjdqg32.exe

C:\Windows\SysWOW64\Fihqmb32.exe

C:\Windows\system32\Fihqmb32.exe

C:\Windows\SysWOW64\Fmclmabe.exe

C:\Windows\system32\Fmclmabe.exe

C:\Windows\SysWOW64\Fqohnp32.exe

C:\Windows\system32\Fqohnp32.exe

C:\Windows\SysWOW64\Fcnejk32.exe

C:\Windows\system32\Fcnejk32.exe

C:\Windows\SysWOW64\Fflaff32.exe

C:\Windows\system32\Fflaff32.exe

C:\Windows\SysWOW64\Fijmbb32.exe

C:\Windows\system32\Fijmbb32.exe

C:\Windows\SysWOW64\Fqaeco32.exe

C:\Windows\system32\Fqaeco32.exe

C:\Windows\SysWOW64\Fodeolof.exe

C:\Windows\system32\Fodeolof.exe

C:\Windows\SysWOW64\Gbcakg32.exe

C:\Windows\system32\Gbcakg32.exe

C:\Windows\SysWOW64\Gfnnlffc.exe

C:\Windows\system32\Gfnnlffc.exe

C:\Windows\SysWOW64\Gmhfhp32.exe

C:\Windows\system32\Gmhfhp32.exe

C:\Windows\SysWOW64\Gqdbiofi.exe

C:\Windows\system32\Gqdbiofi.exe

C:\Windows\SysWOW64\Gogbdl32.exe

C:\Windows\system32\Gogbdl32.exe

C:\Windows\SysWOW64\Gbenqg32.exe

C:\Windows\system32\Gbenqg32.exe

C:\Windows\SysWOW64\Gfqjafdq.exe

C:\Windows\system32\Gfqjafdq.exe

C:\Windows\SysWOW64\Giofnacd.exe

C:\Windows\system32\Giofnacd.exe

C:\Windows\SysWOW64\Gmkbnp32.exe

C:\Windows\system32\Gmkbnp32.exe

C:\Windows\SysWOW64\Goiojk32.exe

C:\Windows\system32\Goiojk32.exe

C:\Windows\SysWOW64\Gcekkjcj.exe

C:\Windows\system32\Gcekkjcj.exe

C:\Windows\SysWOW64\Gfcgge32.exe

C:\Windows\system32\Gfcgge32.exe

C:\Windows\SysWOW64\Giacca32.exe

C:\Windows\system32\Giacca32.exe

C:\Windows\SysWOW64\Gmmocpjk.exe

C:\Windows\system32\Gmmocpjk.exe

C:\Windows\SysWOW64\Gpklpkio.exe

C:\Windows\system32\Gpklpkio.exe

C:\Windows\SysWOW64\Gidphq32.exe

C:\Windows\system32\Gidphq32.exe

C:\Windows\SysWOW64\Gqkhjn32.exe

C:\Windows\system32\Gqkhjn32.exe

C:\Windows\SysWOW64\Gpnhekgl.exe

C:\Windows\system32\Gpnhekgl.exe

C:\Windows\SysWOW64\Gbldaffp.exe

C:\Windows\system32\Gbldaffp.exe

C:\Windows\SysWOW64\Gfhqbe32.exe

C:\Windows\system32\Gfhqbe32.exe

C:\Windows\SysWOW64\Gjclbc32.exe

C:\Windows\system32\Gjclbc32.exe

C:\Windows\SysWOW64\Gmaioo32.exe

C:\Windows\system32\Gmaioo32.exe

C:\Windows\SysWOW64\Gppekj32.exe

C:\Windows\system32\Gppekj32.exe

C:\Windows\SysWOW64\Hboagf32.exe

C:\Windows\system32\Hboagf32.exe

C:\Windows\SysWOW64\Hjfihc32.exe

C:\Windows\system32\Hjfihc32.exe

C:\Windows\SysWOW64\Hihicplj.exe

C:\Windows\system32\Hihicplj.exe

C:\Windows\SysWOW64\Hapaemll.exe

C:\Windows\system32\Hapaemll.exe

C:\Windows\SysWOW64\Hpbaqj32.exe

C:\Windows\system32\Hpbaqj32.exe

C:\Windows\SysWOW64\Hbanme32.exe

C:\Windows\system32\Hbanme32.exe

C:\Windows\SysWOW64\Hfljmdjc.exe

C:\Windows\system32\Hfljmdjc.exe

C:\Windows\SysWOW64\Hikfip32.exe

C:\Windows\system32\Hikfip32.exe

C:\Windows\SysWOW64\Hmfbjnbp.exe

C:\Windows\system32\Hmfbjnbp.exe

C:\Windows\SysWOW64\Hpenfjad.exe

C:\Windows\system32\Hpenfjad.exe

C:\Windows\SysWOW64\Hbckbepg.exe

C:\Windows\system32\Hbckbepg.exe

C:\Windows\SysWOW64\Hfofbd32.exe

C:\Windows\system32\Hfofbd32.exe

C:\Windows\SysWOW64\Hjjbcbqj.exe

C:\Windows\system32\Hjjbcbqj.exe

C:\Windows\SysWOW64\Himcoo32.exe

C:\Windows\system32\Himcoo32.exe

C:\Windows\SysWOW64\Hadkpm32.exe

C:\Windows\system32\Hadkpm32.exe

C:\Windows\SysWOW64\Hpgkkioa.exe

C:\Windows\system32\Hpgkkioa.exe

C:\Windows\SysWOW64\Hccglh32.exe

C:\Windows\system32\Hccglh32.exe

C:\Windows\SysWOW64\Hfachc32.exe

C:\Windows\system32\Hfachc32.exe

C:\Windows\SysWOW64\Hjmoibog.exe

C:\Windows\system32\Hjmoibog.exe

C:\Windows\SysWOW64\Hippdo32.exe

C:\Windows\system32\Hippdo32.exe

C:\Windows\SysWOW64\Hmklen32.exe

C:\Windows\system32\Hmklen32.exe

C:\Windows\SysWOW64\Haggelfd.exe

C:\Windows\system32\Haggelfd.exe

C:\Windows\SysWOW64\Hcedaheh.exe

C:\Windows\system32\Hcedaheh.exe

C:\Windows\SysWOW64\Hbhdmd32.exe

C:\Windows\system32\Hbhdmd32.exe

C:\Windows\SysWOW64\Hfcpncdk.exe

C:\Windows\system32\Hfcpncdk.exe

C:\Windows\SysWOW64\Hibljoco.exe

C:\Windows\system32\Hibljoco.exe

C:\Windows\SysWOW64\Haidklda.exe

C:\Windows\system32\Haidklda.exe

C:\Windows\SysWOW64\Ipldfi32.exe

C:\Windows\system32\Ipldfi32.exe

C:\Windows\SysWOW64\Icgqggce.exe

C:\Windows\system32\Icgqggce.exe

C:\Windows\SysWOW64\Iffmccbi.exe

C:\Windows\system32\Iffmccbi.exe

C:\Windows\SysWOW64\Iidipnal.exe

C:\Windows\system32\Iidipnal.exe

C:\Windows\SysWOW64\Impepm32.exe

C:\Windows\system32\Impepm32.exe

C:\Windows\SysWOW64\Iakaql32.exe

C:\Windows\system32\Iakaql32.exe

C:\Windows\SysWOW64\Ipnalhii.exe

C:\Windows\system32\Ipnalhii.exe

C:\Windows\SysWOW64\Ibmmhdhm.exe

C:\Windows\system32\Ibmmhdhm.exe

C:\Windows\SysWOW64\Ijdeiaio.exe

C:\Windows\system32\Ijdeiaio.exe

C:\Windows\SysWOW64\Iiffen32.exe

C:\Windows\system32\Iiffen32.exe

C:\Windows\SysWOW64\Imbaemhc.exe

C:\Windows\system32\Imbaemhc.exe

C:\Windows\SysWOW64\Ipqnahgf.exe

C:\Windows\system32\Ipqnahgf.exe

C:\Windows\SysWOW64\Icljbg32.exe

C:\Windows\system32\Icljbg32.exe

C:\Windows\SysWOW64\Ibojncfj.exe

C:\Windows\system32\Ibojncfj.exe

C:\Windows\SysWOW64\Ijfboafl.exe

C:\Windows\system32\Ijfboafl.exe

C:\Windows\SysWOW64\Imdnklfp.exe

C:\Windows\system32\Imdnklfp.exe

C:\Windows\SysWOW64\Iapjlk32.exe

C:\Windows\system32\Iapjlk32.exe

C:\Windows\SysWOW64\Idofhfmm.exe

C:\Windows\system32\Idofhfmm.exe

C:\Windows\SysWOW64\Ibagcc32.exe

C:\Windows\system32\Ibagcc32.exe

C:\Windows\SysWOW64\Ifmcdblq.exe

C:\Windows\system32\Ifmcdblq.exe

C:\Windows\SysWOW64\Ijhodq32.exe

C:\Windows\system32\Ijhodq32.exe

C:\Windows\SysWOW64\Imgkql32.exe

C:\Windows\system32\Imgkql32.exe

C:\Windows\SysWOW64\Ipegmg32.exe

C:\Windows\system32\Ipegmg32.exe

C:\Windows\SysWOW64\Ibccic32.exe

C:\Windows\system32\Ibccic32.exe

C:\Windows\SysWOW64\Jaedgjjd.exe

C:\Windows\system32\Jaedgjjd.exe

C:\Windows\SysWOW64\Jpgdbg32.exe

C:\Windows\system32\Jpgdbg32.exe

C:\Windows\SysWOW64\Jbfpobpb.exe

C:\Windows\system32\Jbfpobpb.exe

C:\Windows\SysWOW64\Jfaloa32.exe

C:\Windows\system32\Jfaloa32.exe

C:\Windows\SysWOW64\Jjmhppqd.exe

C:\Windows\system32\Jjmhppqd.exe

C:\Windows\SysWOW64\Jmkdlkph.exe

C:\Windows\system32\Jmkdlkph.exe

C:\Windows\SysWOW64\Jagqlj32.exe

C:\Windows\system32\Jagqlj32.exe

C:\Windows\SysWOW64\Jbhmdbnp.exe

C:\Windows\system32\Jbhmdbnp.exe

C:\Windows\SysWOW64\Jfdida32.exe

C:\Windows\system32\Jfdida32.exe

C:\Windows\SysWOW64\Jibeql32.exe

C:\Windows\system32\Jibeql32.exe

C:\Windows\SysWOW64\Jmnaakne.exe

C:\Windows\system32\Jmnaakne.exe

C:\Windows\SysWOW64\Jaimbj32.exe

C:\Windows\system32\Jaimbj32.exe

C:\Windows\SysWOW64\Jdhine32.exe

C:\Windows\system32\Jdhine32.exe

C:\Windows\SysWOW64\Jbkjjblm.exe

C:\Windows\system32\Jbkjjblm.exe

C:\Windows\SysWOW64\Jfffjqdf.exe

C:\Windows\system32\Jfffjqdf.exe

C:\Windows\SysWOW64\Jidbflcj.exe

C:\Windows\system32\Jidbflcj.exe

C:\Windows\SysWOW64\Jmpngk32.exe

C:\Windows\system32\Jmpngk32.exe

C:\Windows\SysWOW64\Jaljgidl.exe

C:\Windows\system32\Jaljgidl.exe

C:\Windows\SysWOW64\Jpojcf32.exe

C:\Windows\system32\Jpojcf32.exe

C:\Windows\SysWOW64\Jbmfoa32.exe

C:\Windows\system32\Jbmfoa32.exe

C:\Windows\SysWOW64\Jfhbppbc.exe

C:\Windows\system32\Jfhbppbc.exe

C:\Windows\SysWOW64\Jkdnpo32.exe

C:\Windows\system32\Jkdnpo32.exe

C:\Windows\SysWOW64\Jmbklj32.exe

C:\Windows\system32\Jmbklj32.exe

C:\Windows\SysWOW64\Jangmibi.exe

C:\Windows\system32\Jangmibi.exe

C:\Windows\SysWOW64\Jpaghf32.exe

C:\Windows\system32\Jpaghf32.exe

C:\Windows\SysWOW64\Jbocea32.exe

C:\Windows\system32\Jbocea32.exe

C:\Windows\SysWOW64\Jfkoeppq.exe

C:\Windows\system32\Jfkoeppq.exe

C:\Windows\SysWOW64\Jkfkfohj.exe

C:\Windows\system32\Jkfkfohj.exe

C:\Windows\SysWOW64\Jiikak32.exe

C:\Windows\system32\Jiikak32.exe

C:\Windows\SysWOW64\Kaqcbi32.exe

C:\Windows\system32\Kaqcbi32.exe

C:\Windows\SysWOW64\Kpccnefa.exe

C:\Windows\system32\Kpccnefa.exe

C:\Windows\SysWOW64\Kdopod32.exe

C:\Windows\system32\Kdopod32.exe

C:\Windows\SysWOW64\Kgmlkp32.exe

C:\Windows\system32\Kgmlkp32.exe

C:\Windows\SysWOW64\Kkihknfg.exe

C:\Windows\system32\Kkihknfg.exe

C:\Windows\SysWOW64\Kilhgk32.exe

C:\Windows\system32\Kilhgk32.exe

C:\Windows\SysWOW64\Kmgdgjek.exe

C:\Windows\system32\Kmgdgjek.exe

C:\Windows\SysWOW64\Kacphh32.exe

C:\Windows\system32\Kacphh32.exe

C:\Windows\SysWOW64\Kdaldd32.exe

C:\Windows\system32\Kdaldd32.exe

C:\Windows\SysWOW64\Kbdmpqcb.exe

C:\Windows\system32\Kbdmpqcb.exe

C:\Windows\SysWOW64\Kkkdan32.exe

C:\Windows\system32\Kkkdan32.exe

C:\Windows\SysWOW64\Kinemkko.exe

C:\Windows\system32\Kinemkko.exe

C:\Windows\SysWOW64\Kmjqmi32.exe

C:\Windows\system32\Kmjqmi32.exe

C:\Windows\SysWOW64\Kaemnhla.exe

C:\Windows\system32\Kaemnhla.exe

C:\Windows\SysWOW64\Kphmie32.exe

C:\Windows\system32\Kphmie32.exe

C:\Windows\SysWOW64\Kbfiep32.exe

C:\Windows\system32\Kbfiep32.exe

C:\Windows\SysWOW64\Kgbefoji.exe

C:\Windows\system32\Kgbefoji.exe

C:\Windows\SysWOW64\Kknafn32.exe

C:\Windows\system32\Kknafn32.exe

C:\Windows\SysWOW64\Kipabjil.exe

C:\Windows\system32\Kipabjil.exe

C:\Windows\SysWOW64\Kagichjo.exe

C:\Windows\system32\Kagichjo.exe

C:\Windows\SysWOW64\Kpjjod32.exe

C:\Windows\system32\Kpjjod32.exe

C:\Windows\SysWOW64\Kdffocib.exe

C:\Windows\system32\Kdffocib.exe

C:\Windows\SysWOW64\Kcifkp32.exe

C:\Windows\system32\Kcifkp32.exe

C:\Windows\SysWOW64\Kgdbkohf.exe

C:\Windows\system32\Kgdbkohf.exe

C:\Windows\SysWOW64\Kpmfddnf.exe

C:\Windows\system32\Kpmfddnf.exe

C:\Windows\SysWOW64\Kdhbec32.exe

C:\Windows\system32\Kdhbec32.exe

C:\Windows\SysWOW64\Kckbqpnj.exe

C:\Windows\system32\Kckbqpnj.exe

C:\Windows\SysWOW64\Kgfoan32.exe

C:\Windows\system32\Kgfoan32.exe

C:\Windows\SysWOW64\Kkbkamnl.exe

C:\Windows\system32\Kkbkamnl.exe

C:\Windows\SysWOW64\Liekmj32.exe

C:\Windows\system32\Liekmj32.exe

C:\Windows\SysWOW64\Lmqgnhmp.exe

C:\Windows\system32\Lmqgnhmp.exe

C:\Windows\SysWOW64\Lalcng32.exe

C:\Windows\system32\Lalcng32.exe

C:\Windows\SysWOW64\Ldkojb32.exe

C:\Windows\system32\Ldkojb32.exe

C:\Windows\SysWOW64\Lcmofolg.exe

C:\Windows\system32\Lcmofolg.exe

C:\Windows\SysWOW64\Lkdggmlj.exe

C:\Windows\system32\Lkdggmlj.exe

C:\Windows\SysWOW64\Liggbi32.exe

C:\Windows\system32\Liggbi32.exe

C:\Windows\SysWOW64\Lmccchkn.exe

C:\Windows\system32\Lmccchkn.exe

C:\Windows\SysWOW64\Lpappc32.exe

C:\Windows\system32\Lpappc32.exe

C:\Windows\SysWOW64\Ldmlpbbj.exe

C:\Windows\system32\Ldmlpbbj.exe

C:\Windows\SysWOW64\Lkgdml32.exe

C:\Windows\system32\Lkgdml32.exe

C:\Windows\SysWOW64\Laalifad.exe

C:\Windows\system32\Laalifad.exe

C:\Windows\SysWOW64\Lpcmec32.exe

C:\Windows\system32\Lpcmec32.exe

C:\Windows\SysWOW64\Lcbiao32.exe

C:\Windows\system32\Lcbiao32.exe

C:\Windows\SysWOW64\Lkiqbl32.exe

C:\Windows\system32\Lkiqbl32.exe

C:\Windows\SysWOW64\Lnhmng32.exe

C:\Windows\system32\Lnhmng32.exe

C:\Windows\SysWOW64\Laciofpa.exe

C:\Windows\system32\Laciofpa.exe

C:\Windows\SysWOW64\Lcdegnep.exe

C:\Windows\system32\Lcdegnep.exe

C:\Windows\SysWOW64\Lklnhlfb.exe

C:\Windows\system32\Lklnhlfb.exe

C:\Windows\SysWOW64\Lnjjdgee.exe

C:\Windows\system32\Lnjjdgee.exe

C:\Windows\SysWOW64\Lgbnmm32.exe

C:\Windows\system32\Lgbnmm32.exe

C:\Windows\SysWOW64\Mahbje32.exe

C:\Windows\system32\Mahbje32.exe

C:\Windows\SysWOW64\Mgekbljc.exe

C:\Windows\system32\Mgekbljc.exe

C:\Windows\SysWOW64\Mjcgohig.exe

C:\Windows\system32\Mjcgohig.exe

C:\Windows\SysWOW64\Mdiklqhm.exe

C:\Windows\system32\Mdiklqhm.exe

C:\Windows\SysWOW64\Mkbchk32.exe

C:\Windows\system32\Mkbchk32.exe

C:\Windows\SysWOW64\Mjeddggd.exe

C:\Windows\system32\Mjeddggd.exe

C:\Windows\SysWOW64\Mnapdf32.exe

C:\Windows\system32\Mnapdf32.exe

C:\Windows\SysWOW64\Mdkhapfj.exe

C:\Windows\system32\Mdkhapfj.exe

C:\Windows\SysWOW64\Mncmjfmk.exe

C:\Windows\system32\Mncmjfmk.exe

C:\Windows\SysWOW64\Mpaifalo.exe

C:\Windows\system32\Mpaifalo.exe

C:\Windows\SysWOW64\Mglack32.exe

C:\Windows\system32\Mglack32.exe

C:\Windows\SysWOW64\Mjjmog32.exe

C:\Windows\system32\Mjjmog32.exe

C:\Windows\SysWOW64\Mnfipekh.exe

C:\Windows\system32\Mnfipekh.exe

C:\Windows\SysWOW64\Mdpalp32.exe

C:\Windows\system32\Mdpalp32.exe

C:\Windows\SysWOW64\Mgnnhk32.exe

C:\Windows\system32\Mgnnhk32.exe

C:\Windows\SysWOW64\Njljefql.exe

C:\Windows\system32\Njljefql.exe

C:\Windows\SysWOW64\Ndbnboqb.exe

C:\Windows\system32\Ndbnboqb.exe

C:\Windows\SysWOW64\Ngpjnkpf.exe

C:\Windows\system32\Ngpjnkpf.exe

C:\Windows\SysWOW64\Nafokcol.exe

C:\Windows\system32\Nafokcol.exe

C:\Windows\SysWOW64\Ncgkcl32.exe

C:\Windows\system32\Ncgkcl32.exe

C:\Windows\SysWOW64\Nkncdifl.exe

C:\Windows\system32\Nkncdifl.exe

C:\Windows\SysWOW64\Nbhkac32.exe

C:\Windows\system32\Nbhkac32.exe

C:\Windows\SysWOW64\Ngedij32.exe

C:\Windows\system32\Ngedij32.exe

C:\Windows\SysWOW64\Nbkhfc32.exe

C:\Windows\system32\Nbkhfc32.exe

C:\Windows\SysWOW64\Ncldnkae.exe

C:\Windows\system32\Ncldnkae.exe

C:\Windows\SysWOW64\Nbmelbid.exe

C:\Windows\system32\Nbmelbid.exe

C:\Windows\SysWOW64\Okeieh32.exe

C:\Windows\system32\Okeieh32.exe

C:\Windows\SysWOW64\Oboaabga.exe

C:\Windows\system32\Oboaabga.exe

C:\Windows\SysWOW64\Odnnnnfe.exe

C:\Windows\system32\Odnnnnfe.exe

C:\Windows\SysWOW64\Ogljjiei.exe

C:\Windows\system32\Ogljjiei.exe

C:\Windows\SysWOW64\Ojjffddl.exe

C:\Windows\system32\Ojjffddl.exe

C:\Windows\SysWOW64\Occkojkm.exe

C:\Windows\system32\Occkojkm.exe

C:\Windows\SysWOW64\Okjbpglo.exe

C:\Windows\system32\Okjbpglo.exe

C:\Windows\SysWOW64\Obdkma32.exe

C:\Windows\system32\Obdkma32.exe

C:\Windows\SysWOW64\Ocegdjij.exe

C:\Windows\system32\Ocegdjij.exe

C:\Windows\SysWOW64\Ojopad32.exe

C:\Windows\system32\Ojopad32.exe

C:\Windows\SysWOW64\Onklabip.exe

C:\Windows\system32\Onklabip.exe

C:\Windows\SysWOW64\Oqihnn32.exe

C:\Windows\system32\Oqihnn32.exe

C:\Windows\SysWOW64\Ocgdji32.exe

C:\Windows\system32\Ocgdji32.exe

C:\Windows\SysWOW64\Ojalgcnd.exe

C:\Windows\system32\Ojalgcnd.exe

C:\Windows\SysWOW64\Oqkdcn32.exe

C:\Windows\system32\Oqkdcn32.exe

C:\Windows\SysWOW64\Pgemphmn.exe

C:\Windows\system32\Pgemphmn.exe

C:\Windows\SysWOW64\Pjdilcla.exe

C:\Windows\system32\Pjdilcla.exe

C:\Windows\SysWOW64\Pqnaim32.exe

C:\Windows\system32\Pqnaim32.exe

C:\Windows\SysWOW64\Pghieg32.exe

C:\Windows\system32\Pghieg32.exe

C:\Windows\SysWOW64\Pnbbbabh.exe

C:\Windows\system32\Pnbbbabh.exe

C:\Windows\SysWOW64\Pcojkhap.exe

C:\Windows\system32\Pcojkhap.exe

C:\Windows\SysWOW64\Pndohaqe.exe

C:\Windows\system32\Pndohaqe.exe

C:\Windows\SysWOW64\Pabkdmpi.exe

C:\Windows\system32\Pabkdmpi.exe

C:\Windows\SysWOW64\Pgmcqggf.exe

C:\Windows\system32\Pgmcqggf.exe

C:\Windows\SysWOW64\Pbbgnpgl.exe

C:\Windows\system32\Pbbgnpgl.exe

C:\Windows\SysWOW64\Pcccfh32.exe

C:\Windows\system32\Pcccfh32.exe

C:\Windows\SysWOW64\Pnihcq32.exe

C:\Windows\system32\Pnihcq32.exe

C:\Windows\SysWOW64\Qcepkg32.exe

C:\Windows\system32\Qcepkg32.exe

C:\Windows\SysWOW64\Qbgqio32.exe

C:\Windows\system32\Qbgqio32.exe

C:\Windows\SysWOW64\Qgciaf32.exe

C:\Windows\system32\Qgciaf32.exe

C:\Windows\SysWOW64\Qbimoo32.exe

C:\Windows\system32\Qbimoo32.exe

C:\Windows\SysWOW64\Agffge32.exe

C:\Windows\system32\Agffge32.exe

C:\Windows\SysWOW64\Ajdbcano.exe

C:\Windows\system32\Ajdbcano.exe

C:\Windows\SysWOW64\Abkjdnoa.exe

C:\Windows\system32\Abkjdnoa.exe

C:\Windows\SysWOW64\Aejfpjne.exe

C:\Windows\system32\Aejfpjne.exe

C:\Windows\SysWOW64\Ahhblemi.exe

C:\Windows\system32\Ahhblemi.exe

C:\Windows\SysWOW64\Aldomc32.exe

C:\Windows\system32\Aldomc32.exe

C:\Windows\SysWOW64\Anbkio32.exe

C:\Windows\system32\Anbkio32.exe

C:\Windows\SysWOW64\Aelcfilb.exe

C:\Windows\system32\Aelcfilb.exe

C:\Windows\SysWOW64\Acocaf32.exe

C:\Windows\system32\Acocaf32.exe

C:\Windows\SysWOW64\Alfkbc32.exe

C:\Windows\system32\Alfkbc32.exe

C:\Windows\SysWOW64\Abpcon32.exe

C:\Windows\system32\Abpcon32.exe

C:\Windows\SysWOW64\Aeopki32.exe

C:\Windows\system32\Aeopki32.exe

C:\Windows\SysWOW64\Alhhhcal.exe

C:\Windows\system32\Alhhhcal.exe

C:\Windows\SysWOW64\Angddopp.exe

C:\Windows\system32\Angddopp.exe

C:\Windows\SysWOW64\Aaepqjpd.exe

C:\Windows\system32\Aaepqjpd.exe

C:\Windows\SysWOW64\Adcmmeog.exe

C:\Windows\system32\Adcmmeog.exe

C:\Windows\SysWOW64\Alkdnboj.exe

C:\Windows\system32\Alkdnboj.exe

C:\Windows\SysWOW64\Abemjmgg.exe

C:\Windows\system32\Abemjmgg.exe

C:\Windows\SysWOW64\Becifhfj.exe

C:\Windows\system32\Becifhfj.exe

C:\Windows\SysWOW64\Bhaebcen.exe

C:\Windows\system32\Bhaebcen.exe

C:\Windows\SysWOW64\Blmacb32.exe

C:\Windows\system32\Blmacb32.exe

C:\Windows\SysWOW64\Bbgipldd.exe

C:\Windows\system32\Bbgipldd.exe

C:\Windows\SysWOW64\Beeflhdh.exe

C:\Windows\system32\Beeflhdh.exe

C:\Windows\SysWOW64\Bhdbhcck.exe

C:\Windows\system32\Bhdbhcck.exe

C:\Windows\SysWOW64\Bjbndobo.exe

C:\Windows\system32\Bjbndobo.exe

C:\Windows\SysWOW64\Bbifelba.exe

C:\Windows\system32\Bbifelba.exe

C:\Windows\SysWOW64\Bdkcmdhp.exe

C:\Windows\system32\Bdkcmdhp.exe

C:\Windows\SysWOW64\Bopgjmhe.exe

C:\Windows\system32\Bopgjmhe.exe

C:\Windows\SysWOW64\Baocghgi.exe

C:\Windows\system32\Baocghgi.exe

C:\Windows\SysWOW64\Bjghpn32.exe

C:\Windows\system32\Bjghpn32.exe

C:\Windows\SysWOW64\Blfdia32.exe

C:\Windows\system32\Blfdia32.exe

C:\Windows\SysWOW64\Cacmah32.exe

C:\Windows\system32\Cacmah32.exe

C:\Windows\SysWOW64\Ceoibflm.exe

C:\Windows\system32\Ceoibflm.exe

C:\Windows\SysWOW64\Cliaoq32.exe

C:\Windows\system32\Cliaoq32.exe

C:\Windows\SysWOW64\Cogmkl32.exe

C:\Windows\system32\Cogmkl32.exe

C:\Windows\SysWOW64\Cddecc32.exe

C:\Windows\system32\Cddecc32.exe

C:\Windows\SysWOW64\Clkndpag.exe

C:\Windows\system32\Clkndpag.exe

C:\Windows\SysWOW64\Cojjqlpk.exe

C:\Windows\system32\Cojjqlpk.exe

C:\Windows\SysWOW64\Cecbmf32.exe

C:\Windows\system32\Cecbmf32.exe

C:\Windows\SysWOW64\Clnjjpod.exe

C:\Windows\system32\Clnjjpod.exe

C:\Windows\SysWOW64\Colffknh.exe

C:\Windows\system32\Colffknh.exe

C:\Windows\SysWOW64\Cajcbgml.exe

C:\Windows\system32\Cajcbgml.exe

C:\Windows\SysWOW64\Chdkoa32.exe

C:\Windows\system32\Chdkoa32.exe

C:\Windows\SysWOW64\Ckcgkldl.exe

C:\Windows\system32\Ckcgkldl.exe

C:\Windows\SysWOW64\Conclk32.exe

C:\Windows\system32\Conclk32.exe

C:\Windows\SysWOW64\Cehkhecb.exe

C:\Windows\system32\Cehkhecb.exe

C:\Windows\SysWOW64\Cdkldb32.exe

C:\Windows\system32\Cdkldb32.exe

C:\Windows\SysWOW64\Clbceo32.exe

C:\Windows\system32\Clbceo32.exe

C:\Windows\SysWOW64\Ckedalaj.exe

C:\Windows\system32\Ckedalaj.exe

C:\Windows\SysWOW64\Daolnf32.exe

C:\Windows\system32\Daolnf32.exe

C:\Windows\SysWOW64\Dekhneap.exe

C:\Windows\system32\Dekhneap.exe

C:\Windows\SysWOW64\Ddmhja32.exe

C:\Windows\system32\Ddmhja32.exe

C:\Windows\SysWOW64\Dkgqfl32.exe

C:\Windows\system32\Dkgqfl32.exe

C:\Windows\SysWOW64\Docmgjhp.exe

C:\Windows\system32\Docmgjhp.exe

C:\Windows\SysWOW64\Daaicfgd.exe

C:\Windows\system32\Daaicfgd.exe

C:\Windows\SysWOW64\Demecd32.exe

C:\Windows\system32\Demecd32.exe

C:\Windows\SysWOW64\Dhkapp32.exe

C:\Windows\system32\Dhkapp32.exe

C:\Windows\SysWOW64\Dlgmpogj.exe

C:\Windows\system32\Dlgmpogj.exe

C:\Windows\SysWOW64\Doeiljfn.exe

C:\Windows\system32\Doeiljfn.exe

C:\Windows\SysWOW64\Dadeieea.exe

C:\Windows\system32\Dadeieea.exe

C:\Windows\SysWOW64\Deoaid32.exe

C:\Windows\system32\Deoaid32.exe

C:\Windows\SysWOW64\Dhnnep32.exe

C:\Windows\system32\Dhnnep32.exe

C:\Windows\SysWOW64\Dkljak32.exe

C:\Windows\system32\Dkljak32.exe

C:\Windows\SysWOW64\Dohfbj32.exe

C:\Windows\system32\Dohfbj32.exe

C:\Windows\SysWOW64\Deanodkh.exe

C:\Windows\system32\Deanodkh.exe

C:\Windows\SysWOW64\Dhpjkojk.exe

C:\Windows\system32\Dhpjkojk.exe

C:\Windows\SysWOW64\Dllfkn32.exe

C:\Windows\system32\Dllfkn32.exe

C:\Windows\SysWOW64\Dojcgi32.exe

C:\Windows\system32\Dojcgi32.exe

C:\Windows\SysWOW64\Dahode32.exe

C:\Windows\system32\Dahode32.exe

C:\Windows\SysWOW64\Dhbgqohi.exe

C:\Windows\system32\Dhbgqohi.exe

C:\Windows\SysWOW64\Dlncan32.exe

C:\Windows\system32\Dlncan32.exe

C:\Windows\SysWOW64\Echknh32.exe

C:\Windows\system32\Echknh32.exe

C:\Windows\SysWOW64\Eefhjc32.exe

C:\Windows\system32\Eefhjc32.exe

C:\Windows\SysWOW64\Ekcpbj32.exe

C:\Windows\system32\Ekcpbj32.exe

C:\Windows\SysWOW64\Ecjhcg32.exe

C:\Windows\system32\Ecjhcg32.exe

C:\Windows\SysWOW64\Eamhodmf.exe

C:\Windows\system32\Eamhodmf.exe

C:\Windows\SysWOW64\Ehgqln32.exe

C:\Windows\system32\Ehgqln32.exe

C:\Windows\SysWOW64\Eoaihhlp.exe

C:\Windows\system32\Eoaihhlp.exe

C:\Windows\SysWOW64\Eapedd32.exe

C:\Windows\system32\Eapedd32.exe

C:\Windows\SysWOW64\Ehimanbq.exe

C:\Windows\system32\Ehimanbq.exe

C:\Windows\SysWOW64\Eocenh32.exe

C:\Windows\system32\Eocenh32.exe

C:\Windows\SysWOW64\Eabbjc32.exe

C:\Windows\system32\Eabbjc32.exe

C:\Windows\SysWOW64\Ekjfcipa.exe

C:\Windows\system32\Ekjfcipa.exe

C:\Windows\SysWOW64\Edbklofb.exe

C:\Windows\system32\Edbklofb.exe

C:\Windows\SysWOW64\Fljcmlfd.exe

C:\Windows\system32\Fljcmlfd.exe

C:\Windows\SysWOW64\Fohoigfh.exe

C:\Windows\system32\Fohoigfh.exe

C:\Windows\SysWOW64\Febgea32.exe

C:\Windows\system32\Febgea32.exe

C:\Windows\SysWOW64\Fhqcam32.exe

C:\Windows\system32\Fhqcam32.exe

C:\Windows\SysWOW64\Fkopnh32.exe

C:\Windows\system32\Fkopnh32.exe

C:\Windows\SysWOW64\Faihkbci.exe

C:\Windows\system32\Faihkbci.exe

C:\Windows\SysWOW64\Fdgdgnbm.exe

C:\Windows\system32\Fdgdgnbm.exe

C:\Windows\SysWOW64\Flnlhk32.exe

C:\Windows\system32\Flnlhk32.exe

C:\Windows\SysWOW64\Fakdpb32.exe

C:\Windows\system32\Fakdpb32.exe

C:\Windows\SysWOW64\Ffgqqaip.exe

C:\Windows\system32\Ffgqqaip.exe

C:\Windows\SysWOW64\Flqimk32.exe

C:\Windows\system32\Flqimk32.exe

C:\Windows\SysWOW64\Fckajehi.exe

C:\Windows\system32\Fckajehi.exe

C:\Windows\SysWOW64\Fhgjblfq.exe

C:\Windows\system32\Fhgjblfq.exe

C:\Windows\SysWOW64\Gododflk.exe

C:\Windows\system32\Gododflk.exe

C:\Windows\SysWOW64\Ghlcnk32.exe

C:\Windows\system32\Ghlcnk32.exe

C:\Windows\SysWOW64\Gcagkdba.exe

C:\Windows\system32\Gcagkdba.exe

C:\Windows\SysWOW64\Gdcdbl32.exe

C:\Windows\system32\Gdcdbl32.exe

C:\Windows\SysWOW64\Gkmlofol.exe

C:\Windows\system32\Gkmlofol.exe

C:\Windows\SysWOW64\Gbgdlq32.exe

C:\Windows\system32\Gbgdlq32.exe

C:\Windows\SysWOW64\Gdeqhl32.exe

C:\Windows\system32\Gdeqhl32.exe

C:\Windows\SysWOW64\Gmlhii32.exe

C:\Windows\system32\Gmlhii32.exe

C:\Windows\SysWOW64\Gfembo32.exe

C:\Windows\system32\Gfembo32.exe

C:\Windows\SysWOW64\Gmoeoidl.exe

C:\Windows\system32\Gmoeoidl.exe

C:\Windows\SysWOW64\Gcimkc32.exe

C:\Windows\system32\Gcimkc32.exe

C:\Windows\SysWOW64\Hkdbpe32.exe

C:\Windows\system32\Hkdbpe32.exe

C:\Windows\SysWOW64\Hckjacjg.exe

C:\Windows\system32\Hckjacjg.exe

C:\Windows\SysWOW64\Helfik32.exe

C:\Windows\system32\Helfik32.exe

C:\Windows\SysWOW64\Hmcojh32.exe

C:\Windows\system32\Hmcojh32.exe

C:\Windows\SysWOW64\Hkfoeega.exe

C:\Windows\system32\Hkfoeega.exe

C:\Windows\SysWOW64\Hcmgfbhd.exe

C:\Windows\system32\Hcmgfbhd.exe

C:\Windows\SysWOW64\Hflcbngh.exe

C:\Windows\system32\Hflcbngh.exe

C:\Windows\SysWOW64\Hijooifk.exe

C:\Windows\system32\Hijooifk.exe

C:\Windows\SysWOW64\Hkikkeeo.exe

C:\Windows\system32\Hkikkeeo.exe

C:\Windows\SysWOW64\Hcpclbfa.exe

C:\Windows\system32\Hcpclbfa.exe

C:\Windows\SysWOW64\Hfnphn32.exe

C:\Windows\system32\Hfnphn32.exe

C:\Windows\SysWOW64\Hkkhqd32.exe

C:\Windows\system32\Hkkhqd32.exe

C:\Windows\SysWOW64\Hcbpab32.exe

C:\Windows\system32\Hcbpab32.exe

C:\Windows\SysWOW64\Hecmijim.exe

C:\Windows\system32\Hecmijim.exe

C:\Windows\SysWOW64\Hioiji32.exe

C:\Windows\system32\Hioiji32.exe

C:\Windows\SysWOW64\Hkmefd32.exe

C:\Windows\system32\Hkmefd32.exe

C:\Windows\SysWOW64\Hbgmcnhf.exe

C:\Windows\system32\Hbgmcnhf.exe

C:\Windows\SysWOW64\Ipknlb32.exe

C:\Windows\system32\Ipknlb32.exe

C:\Windows\SysWOW64\Icifbang.exe

C:\Windows\system32\Icifbang.exe

C:\Windows\SysWOW64\Ippggbck.exe

C:\Windows\system32\Ippggbck.exe

C:\Windows\SysWOW64\Ifjodl32.exe

C:\Windows\system32\Ifjodl32.exe

C:\Windows\SysWOW64\Icnpmp32.exe

C:\Windows\system32\Icnpmp32.exe

C:\Windows\SysWOW64\Iikhfg32.exe

C:\Windows\system32\Iikhfg32.exe

C:\Windows\SysWOW64\Ibcmom32.exe

C:\Windows\system32\Ibcmom32.exe

C:\Windows\SysWOW64\Jlkagbej.exe

C:\Windows\system32\Jlkagbej.exe

C:\Windows\SysWOW64\Jcbihpel.exe

C:\Windows\system32\Jcbihpel.exe

C:\Windows\SysWOW64\Jedeph32.exe

C:\Windows\system32\Jedeph32.exe

C:\Windows\SysWOW64\Jmknaell.exe

C:\Windows\system32\Jmknaell.exe

C:\Windows\SysWOW64\Jfcbjk32.exe

C:\Windows\system32\Jfcbjk32.exe

C:\Windows\SysWOW64\Jlpkba32.exe

C:\Windows\system32\Jlpkba32.exe

C:\Windows\SysWOW64\Jbjcolha.exe

C:\Windows\system32\Jbjcolha.exe

C:\Windows\SysWOW64\Jmpgldhg.exe

C:\Windows\system32\Jmpgldhg.exe

C:\Windows\SysWOW64\Jblpek32.exe

C:\Windows\system32\Jblpek32.exe

C:\Windows\SysWOW64\Kboljk32.exe

C:\Windows\system32\Kboljk32.exe

C:\Windows\SysWOW64\Kemhff32.exe

C:\Windows\system32\Kemhff32.exe

C:\Windows\SysWOW64\Kpbmco32.exe

C:\Windows\system32\Kpbmco32.exe

C:\Windows\SysWOW64\Kmfmmcbo.exe

C:\Windows\system32\Kmfmmcbo.exe

C:\Windows\SysWOW64\Kmijbcpl.exe

C:\Windows\system32\Kmijbcpl.exe

C:\Windows\SysWOW64\Kfankifm.exe

C:\Windows\system32\Kfankifm.exe

C:\Windows\SysWOW64\Kpjcdn32.exe

C:\Windows\system32\Kpjcdn32.exe

C:\Windows\SysWOW64\Kefkme32.exe

C:\Windows\system32\Kefkme32.exe

C:\Windows\SysWOW64\Lbjlfi32.exe

C:\Windows\system32\Lbjlfi32.exe

C:\Windows\SysWOW64\Lmppcbjd.exe

C:\Windows\system32\Lmppcbjd.exe

C:\Windows\SysWOW64\Ldjhpl32.exe

C:\Windows\system32\Ldjhpl32.exe

C:\Windows\SysWOW64\Ligqhc32.exe

C:\Windows\system32\Ligqhc32.exe

C:\Windows\SysWOW64\Lpqiemge.exe

C:\Windows\system32\Lpqiemge.exe

C:\Windows\SysWOW64\Lfkaag32.exe

C:\Windows\system32\Lfkaag32.exe

C:\Windows\SysWOW64\Lpcfkm32.exe

C:\Windows\system32\Lpcfkm32.exe

C:\Windows\SysWOW64\Lgmngglp.exe

C:\Windows\system32\Lgmngglp.exe

C:\Windows\SysWOW64\Lpebpm32.exe

C:\Windows\system32\Lpebpm32.exe

C:\Windows\SysWOW64\Lmiciaaj.exe

C:\Windows\system32\Lmiciaaj.exe

C:\Windows\SysWOW64\Mmlpoqpg.exe

C:\Windows\system32\Mmlpoqpg.exe

C:\Windows\SysWOW64\Mpjlklok.exe

C:\Windows\system32\Mpjlklok.exe

C:\Windows\SysWOW64\Mmnldp32.exe

C:\Windows\system32\Mmnldp32.exe

C:\Windows\SysWOW64\Mplhql32.exe

C:\Windows\system32\Mplhql32.exe

C:\Windows\SysWOW64\Miemjaci.exe

C:\Windows\system32\Miemjaci.exe

C:\Windows\SysWOW64\Mdjagjco.exe

C:\Windows\system32\Mdjagjco.exe

C:\Windows\SysWOW64\Mcmabg32.exe

C:\Windows\system32\Mcmabg32.exe

C:\Windows\SysWOW64\Mmbfpp32.exe

C:\Windows\system32\Mmbfpp32.exe

C:\Windows\SysWOW64\Mlefklpj.exe

C:\Windows\system32\Mlefklpj.exe

C:\Windows\SysWOW64\Mpablkhc.exe

C:\Windows\system32\Mpablkhc.exe

C:\Windows\SysWOW64\Mcpnhfhf.exe

C:\Windows\system32\Mcpnhfhf.exe

C:\Windows\SysWOW64\Mgkjhe32.exe

C:\Windows\system32\Mgkjhe32.exe

C:\Windows\SysWOW64\Menjdbgj.exe

C:\Windows\system32\Menjdbgj.exe

C:\Windows\SysWOW64\Miifeq32.exe

C:\Windows\system32\Miifeq32.exe

C:\Windows\SysWOW64\Mlhbal32.exe

C:\Windows\system32\Mlhbal32.exe

C:\Windows\SysWOW64\Ncbknfed.exe

C:\Windows\system32\Ncbknfed.exe

C:\Windows\SysWOW64\Nepgjaeg.exe

C:\Windows\system32\Nepgjaeg.exe

C:\Windows\SysWOW64\Njnpppkn.exe

C:\Windows\system32\Njnpppkn.exe

C:\Windows\SysWOW64\Ndcdmikd.exe

C:\Windows\system32\Ndcdmikd.exe

C:\Windows\SysWOW64\Npjebj32.exe

C:\Windows\system32\Npjebj32.exe

C:\Windows\SysWOW64\Njciko32.exe

C:\Windows\system32\Njciko32.exe

C:\Windows\SysWOW64\Npmagine.exe

C:\Windows\system32\Npmagine.exe

C:\Windows\SysWOW64\Nggjdc32.exe

C:\Windows\system32\Nggjdc32.exe

C:\Windows\SysWOW64\Ocnjidkf.exe

C:\Windows\system32\Ocnjidkf.exe

C:\Windows\SysWOW64\Olfobjbg.exe

C:\Windows\system32\Olfobjbg.exe

C:\Windows\SysWOW64\Oneklm32.exe

C:\Windows\system32\Oneklm32.exe

C:\Windows\SysWOW64\Ocbddc32.exe

C:\Windows\system32\Ocbddc32.exe

C:\Windows\SysWOW64\Odapnf32.exe

C:\Windows\system32\Odapnf32.exe

C:\Windows\SysWOW64\Onjegled.exe

C:\Windows\system32\Onjegled.exe

C:\Windows\SysWOW64\Ogbipa32.exe

C:\Windows\system32\Ogbipa32.exe

C:\Windows\SysWOW64\Pmoahijl.exe

C:\Windows\system32\Pmoahijl.exe

C:\Windows\SysWOW64\Pnonbk32.exe

C:\Windows\system32\Pnonbk32.exe

C:\Windows\SysWOW64\Pfjcgn32.exe

C:\Windows\system32\Pfjcgn32.exe

C:\Windows\SysWOW64\Pmdkch32.exe

C:\Windows\system32\Pmdkch32.exe

C:\Windows\SysWOW64\Pcncpbmd.exe

C:\Windows\system32\Pcncpbmd.exe

C:\Windows\SysWOW64\Pncgmkmj.exe

C:\Windows\system32\Pncgmkmj.exe

C:\Windows\SysWOW64\Pdmpje32.exe

C:\Windows\system32\Pdmpje32.exe

C:\Windows\SysWOW64\Pgllfp32.exe

C:\Windows\system32\Pgllfp32.exe

C:\Windows\SysWOW64\Pjjhbl32.exe

C:\Windows\system32\Pjjhbl32.exe

C:\Windows\SysWOW64\Pqdqof32.exe

C:\Windows\system32\Pqdqof32.exe

C:\Windows\SysWOW64\Pgnilpah.exe

C:\Windows\system32\Pgnilpah.exe

C:\Windows\SysWOW64\Qqfmde32.exe

C:\Windows\system32\Qqfmde32.exe

C:\Windows\SysWOW64\Qjoankoi.exe

C:\Windows\system32\Qjoankoi.exe

C:\Windows\SysWOW64\Qddfkd32.exe

C:\Windows\system32\Qddfkd32.exe

C:\Windows\SysWOW64\Qffbbldm.exe

C:\Windows\system32\Qffbbldm.exe

C:\Windows\SysWOW64\Ampkof32.exe

C:\Windows\system32\Ampkof32.exe

C:\Windows\SysWOW64\Ageolo32.exe

C:\Windows\system32\Ageolo32.exe

C:\Windows\SysWOW64\Anogiicl.exe

C:\Windows\system32\Anogiicl.exe

C:\Windows\SysWOW64\Aeiofcji.exe

C:\Windows\system32\Aeiofcji.exe

C:\Windows\SysWOW64\Afjlnk32.exe

C:\Windows\system32\Afjlnk32.exe

C:\Windows\SysWOW64\Amddjegd.exe

C:\Windows\system32\Amddjegd.exe

C:\Windows\SysWOW64\Agjhgngj.exe

C:\Windows\system32\Agjhgngj.exe

C:\Windows\SysWOW64\Andqdh32.exe

C:\Windows\system32\Andqdh32.exe

C:\Windows\SysWOW64\Aabmqd32.exe

C:\Windows\system32\Aabmqd32.exe

C:\Windows\SysWOW64\Acqimo32.exe

C:\Windows\system32\Acqimo32.exe

C:\Windows\SysWOW64\Afoeiklb.exe

C:\Windows\system32\Afoeiklb.exe

C:\Windows\SysWOW64\Anfmjhmd.exe

C:\Windows\system32\Anfmjhmd.exe

C:\Windows\SysWOW64\Aadifclh.exe

C:\Windows\system32\Aadifclh.exe

C:\Windows\SysWOW64\Accfbokl.exe

C:\Windows\system32\Accfbokl.exe

C:\Windows\SysWOW64\Bfabnjjp.exe

C:\Windows\system32\Bfabnjjp.exe

C:\Windows\SysWOW64\Bnhjohkb.exe

C:\Windows\system32\Bnhjohkb.exe

C:\Windows\SysWOW64\Bagflcje.exe

C:\Windows\system32\Bagflcje.exe

C:\Windows\SysWOW64\Bcebhoii.exe

C:\Windows\system32\Bcebhoii.exe

C:\Windows\SysWOW64\Bfdodjhm.exe

C:\Windows\system32\Bfdodjhm.exe

C:\Windows\SysWOW64\Bnkgeg32.exe

C:\Windows\system32\Bnkgeg32.exe

C:\Windows\SysWOW64\Baicac32.exe

C:\Windows\system32\Baicac32.exe

C:\Windows\SysWOW64\Bchomn32.exe

C:\Windows\system32\Bchomn32.exe

C:\Windows\SysWOW64\Bffkij32.exe

C:\Windows\system32\Bffkij32.exe

C:\Windows\SysWOW64\Bjagjhnc.exe

C:\Windows\system32\Bjagjhnc.exe

C:\Windows\SysWOW64\Balpgb32.exe

C:\Windows\system32\Balpgb32.exe

C:\Windows\SysWOW64\Bgehcmmm.exe

C:\Windows\system32\Bgehcmmm.exe

C:\Windows\SysWOW64\Bjddphlq.exe

C:\Windows\system32\Bjddphlq.exe

C:\Windows\SysWOW64\Bmbplc32.exe

C:\Windows\system32\Bmbplc32.exe

C:\Windows\SysWOW64\Beihma32.exe

C:\Windows\system32\Beihma32.exe

C:\Windows\SysWOW64\Bhhdil32.exe

C:\Windows\system32\Bhhdil32.exe

C:\Windows\SysWOW64\Bjfaeh32.exe

C:\Windows\system32\Bjfaeh32.exe

C:\Windows\SysWOW64\Bapiabak.exe

C:\Windows\system32\Bapiabak.exe

C:\Windows\SysWOW64\Bcoenmao.exe

C:\Windows\system32\Bcoenmao.exe

C:\Windows\SysWOW64\Cfmajipb.exe

C:\Windows\system32\Cfmajipb.exe

C:\Windows\SysWOW64\Cndikf32.exe

C:\Windows\system32\Cndikf32.exe

C:\Windows\SysWOW64\Cabfga32.exe

C:\Windows\system32\Cabfga32.exe

C:\Windows\SysWOW64\Cenahpha.exe

C:\Windows\system32\Cenahpha.exe

C:\Windows\SysWOW64\Chmndlge.exe

C:\Windows\system32\Chmndlge.exe

C:\Windows\SysWOW64\Cjkjpgfi.exe

C:\Windows\system32\Cjkjpgfi.exe

C:\Windows\SysWOW64\Caebma32.exe

C:\Windows\system32\Caebma32.exe

C:\Windows\SysWOW64\Chokikeb.exe

C:\Windows\system32\Chokikeb.exe

C:\Windows\SysWOW64\Cjmgfgdf.exe

C:\Windows\system32\Cjmgfgdf.exe

C:\Windows\SysWOW64\Cnicfe32.exe

C:\Windows\system32\Cnicfe32.exe

C:\Windows\SysWOW64\Cagobalc.exe

C:\Windows\system32\Cagobalc.exe

C:\Windows\SysWOW64\Cdfkolkf.exe

C:\Windows\system32\Cdfkolkf.exe

C:\Windows\SysWOW64\Cfdhkhjj.exe

C:\Windows\system32\Cfdhkhjj.exe

C:\Windows\SysWOW64\Cnkplejl.exe

C:\Windows\system32\Cnkplejl.exe

C:\Windows\SysWOW64\Cmnpgb32.exe

C:\Windows\system32\Cmnpgb32.exe

C:\Windows\SysWOW64\Ceehho32.exe

C:\Windows\system32\Ceehho32.exe

C:\Windows\SysWOW64\Chcddk32.exe

C:\Windows\system32\Chcddk32.exe

C:\Windows\SysWOW64\Cnnlaehj.exe

C:\Windows\system32\Cnnlaehj.exe

C:\Windows\SysWOW64\Cmqmma32.exe

C:\Windows\system32\Cmqmma32.exe

C:\Windows\SysWOW64\Cegdnopg.exe

C:\Windows\system32\Cegdnopg.exe

C:\Windows\SysWOW64\Ddjejl32.exe

C:\Windows\system32\Ddjejl32.exe

C:\Windows\SysWOW64\Djdmffnn.exe

C:\Windows\system32\Djdmffnn.exe

C:\Windows\SysWOW64\Dmcibama.exe

C:\Windows\system32\Dmcibama.exe

C:\Windows\SysWOW64\Danecp32.exe

C:\Windows\system32\Danecp32.exe

C:\Windows\SysWOW64\Ddmaok32.exe

C:\Windows\system32\Ddmaok32.exe

C:\Windows\SysWOW64\Dfknkg32.exe

C:\Windows\system32\Dfknkg32.exe

C:\Windows\SysWOW64\Dobfld32.exe

C:\Windows\system32\Dobfld32.exe

C:\Windows\SysWOW64\Dmefhako.exe

C:\Windows\system32\Dmefhako.exe

C:\Windows\SysWOW64\Ddonekbl.exe

C:\Windows\system32\Ddonekbl.exe

C:\Windows\SysWOW64\Dhkjej32.exe

C:\Windows\system32\Dhkjej32.exe

C:\Windows\SysWOW64\Dkifae32.exe

C:\Windows\system32\Dkifae32.exe

C:\Windows\SysWOW64\Dmgbnq32.exe

C:\Windows\system32\Dmgbnq32.exe

C:\Windows\SysWOW64\Daconoae.exe

C:\Windows\system32\Daconoae.exe

C:\Windows\SysWOW64\Ddakjkqi.exe

C:\Windows\system32\Ddakjkqi.exe

C:\Windows\SysWOW64\Dfpgffpm.exe

C:\Windows\system32\Dfpgffpm.exe

C:\Windows\SysWOW64\Dkkcge32.exe

C:\Windows\system32\Dkkcge32.exe

C:\Windows\SysWOW64\Daekdooc.exe

C:\Windows\system32\Daekdooc.exe

C:\Windows\SysWOW64\Dddhpjof.exe

C:\Windows\system32\Dddhpjof.exe

C:\Windows\SysWOW64\Dgbdlf32.exe

C:\Windows\system32\Dgbdlf32.exe

C:\Windows\SysWOW64\Doilmc32.exe

C:\Windows\system32\Doilmc32.exe

C:\Windows\SysWOW64\Dmllipeg.exe

C:\Windows\system32\Dmllipeg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 12304 -ip 12304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 12304 -s 212

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/3052-0-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3052-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Clqnjf32.exe

MD5 cc13feeb6ead7d372a2a77c5c6f2f82d
SHA1 7abb60d59eb5387503b3e99b171297495fb80497
SHA256 7880e5c70392b9c7efed6cf742161123738b075fba3a20f730e7e20400370398
SHA512 51ecd4307a3be060831e1595a372d234bad0f53d38d55461424f70da4c69d519eab88a81d3d47b1e98ff00ded71e6ec6d49e3d3fae4071e71d2a8ced2a0dae2b

memory/2616-8-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Ccjfgphj.exe

MD5 3195d9a02b7cef1b20d0a0d08bd5f4c4
SHA1 7ab52e470393bbeab86418e077f294a7c48e2edf
SHA256 b2c837026fd98ed9ee67480219d866cab4529f757ff08ee954a50fb92e37745e
SHA512 49779596f36b077ae2a30252361a1f3dd6571dd1f80b1193f5975b1f0bd9977f9160b8e7ca789509a31747cb8c272e5015fb95002664eab6ba53d1802b51050c

memory/4552-17-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Ceibclgn.exe

MD5 46cca0f4e5ffb15ca3c947b18dc6b96c
SHA1 e20b30fb4bb05b34de2ce3c1a01d328cffd20ed2
SHA256 7b206b6d03ec2b177f9b05ff8a190f9da3eb88de38d22b17fedc25c74f9daca3
SHA512 fd1942705c81fe31836013d0ffa05432c5d9f3544ad911dda363738b82fbbe362999f1f0b398717594853f2f990d748f90e1f5b64f26874e06ad454b6716cd5a

C:\Windows\SysWOW64\Cidncj32.exe

MD5 b16d341cd773a151c2988760863132da
SHA1 c304b1bb0d865b34a2cf5ef55ad10592229d40db
SHA256 4ea1e8613564ebe2659ffcfd603be1b3b43bcc51e134ac6a610cceaa6882c6f1
SHA512 657133029d4ec24e185b61044964c65f3bed1f9a8d5639d7aab191bd43b80a2523c80300dab8fb736b33c5fec9241e6c696802bc852fd9be107e05072f46f31a

memory/2672-29-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6064-33-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Clckpf32.exe

MD5 dbb178b367a009e3207b5db96b7917cb
SHA1 70687d663c92833cc9589a5d9b7878d3ea230ecc
SHA256 babce991440633f960d18a8fae99fcc31eae3143e7a3b1a7ba7fa22655405133
SHA512 8f2ba561c9d9e9d2a2bb1170b61df5db0a9c4872bfd9a48c43e493206b0bc87f85c7c5ea979947611e8d3e2b6ebc86dec888bff49280883c2d7068da2ed084c4

memory/2528-49-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Coagla32.exe

MD5 8eb7778c7c0077622279666759660f0e
SHA1 9cee6d1e575333ffbcfb507d2de23306c8bc2ba4
SHA256 5c61770e763940f711fa0362398779f2433854afbf79c73c6d9004e0e7de12cc
SHA512 e3f231f747b874b82191d90917f4a2f2ac68f4386319d25bedf9c8d655f3554ededac61c7a7c4856fe8f1c184336b07f9301a5d396d1d1cd8425534fef56ac17

C:\Windows\SysWOW64\Ccmclp32.exe

MD5 fd4a145ca2b1ba44887aed1a7a95fc29
SHA1 82cdfb4a6bdaebc8ecf2490760d30a2d453d339b
SHA256 b1f852cd01896c2104861828911082272d0056060f0dfc9d00e677e1515f2034
SHA512 09a268cfabf2a53a64117fe4423c01b1efac4e81b717e56b1ccad24ba638983dbe19242b6394a84eccfdbdb689810627f9a5781a21f89b9372a8a428f2e6ce81

memory/1664-41-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Cekohk32.exe

MD5 1e4af5379378e4856b157737ae1b2bb8
SHA1 40c778d243349b9e04b816618faf938a21a3ce70
SHA256 d3d0aa064a8b069872ce86848f2b44f64cfab68deadf800a69304847a2d31efc
SHA512 83c53ef5f5f8072568f985a8d1e3f494767b89f7f8b1ac0f707a9904dc46f6fae955236f99337b82d2c0b5eaeaf45e65139467fe9c707cc77c1a21138be3ff55

memory/5968-57-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Dhjkdg32.exe

MD5 5f3bf21fc02b6d17b3b3dc64fe3a90e9
SHA1 69e3c924a0ce370810c550773afa075d0768eba6
SHA256 6f04236ebd059b74e698f5727b235e2cb9349abc27ac002e7482429d860a775f
SHA512 f808263086ea669bc2d0ca6dac4bcce0afc509db286c3a6221632b7f18b2c8f33067c080aa9e952d466014567e3c94aa33094329b1f38e4e58dbd63040979ff0

C:\Windows\SysWOW64\Dlegeemh.exe

MD5 89ab62a3c3283b2cd3e8cd0fbaa01e5b
SHA1 8ba8be53e3920b7ef660a8266df671db80e1ad38
SHA256 6a434ab1f9679e5341a35949d627a5e292a3093ca845c7f4cb3642f7961aa398
SHA512 305dcb662e1b3a42647b3a0a57a670ce1b33fd84f09c17fbb38a0ae3703c5c3b9462a4fcf14e774c223c231f2c8c64dd942296f281553cda13ec1f4dc32fae99

memory/4228-81-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4112-89-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Dcopbp32.exe

MD5 a070a977ea2fa28c3457476f4facb16c
SHA1 0641949a01b9bc5d43ad023a56697d1bb5714a20
SHA256 0f0fec40a837d26a80872e7f67569434fc6ee2a08d824593f7000b5f70b86755
SHA512 b88724917ea423752b6faae44e4b4dc0e666c2495c227053e7c45165c3f8a29ed599f0a8887b13d86f77f7315a32fa35bc8e524d567ef9404cc8a1190305ca60

C:\Windows\SysWOW64\Dhlhjf32.exe

MD5 a94308ef8ce56b493962bb42bab1fb51
SHA1 2dfdcffcf1a2408eaf33e6202ec052f5cd09607e
SHA256 a8d6852bd35ac175136ad0c5c3c13de4424fff3d26ddac28ac31d5a7ab750e99
SHA512 49ff2300dd89afecbab982b57ab920535f253c301a3bc48238323537c68ff9787f12be92be51c60abf02c9367e2a4b355d8df35c31542b6283f1c83daf64e220

C:\Windows\SysWOW64\Dlgdkeje.exe

MD5 99626d4174f1371ff39ef3c02036e512
SHA1 30ace0dc4ad46e5491f7b7ab4a0939155b3a237a
SHA256 a6aead898c2a4e54119562468efd6ef05e554c0cebb1027f646bc72ce49afea7
SHA512 5eff3d02dff718e247da0c0c9fe178587d4e4d59100ca176c83f0e71952e44cc2a066163f497635da6dc01cc5c34f4b0f41aea7458ffb798c5cc4f871a681f9f

C:\Windows\SysWOW64\Dofpgqji.exe

MD5 755b0e66211382c7ccb81a4fbb634ee7
SHA1 4a41ca7538ed1bcfe4e9b58cae02dcdb87760dd9
SHA256 368b7ff1dbe17de8211d3217f1bc99623345286fddd51508b569265045da8ae2
SHA512 23421aaf59697556c0be6b45b2de3ab0b64a7cd3a85d506e349d1295aae96aba20aad79d70f3eda79c9b30ca4a8884ead01f182ebf1a0003607fa6a35f546ba8

memory/3256-129-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Dcalgo32.exe

MD5 e76d992fa49f4a4f01d0bf0c49ea4494
SHA1 6b4a5b2bf4010d823782823d7a50961150309752
SHA256 82f8ff6815867ff44655f1f064f2c9f1b22563e9673f02f6a39bb6dbff43605d
SHA512 adf873071dd15e3fa9fafe6c9adc0aadc2f3c20d73970670ba2cf0b3259e8c5ef47de718a7886bbde17d7a363602f041f5af5f82d2ee468544230370d5967fd9

memory/2120-145-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5288-153-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Dagiil32.exe

MD5 c2b9b859ede7ea7090a0df9f1bf83715
SHA1 fa461d5e84df031e7c4f88441a4b91d852e6c8db
SHA256 daf5339068773f9194c88f01b57b4ed8b2bd04742efd4105cd01a2a7438bc24c
SHA512 dd49a817104451920940b0d871be3785ced7cd9d215910a7f7791907841b8c29e98ab37377277b8d6bbbc77ef07fc5b489a8f94d55946bb1efbc52d36d018b0c

memory/2104-169-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Djnaji32.exe

MD5 1136be582fe63ef913ec3b45ac1080df
SHA1 365346ea71e1728d7c7305f9c35c4ff2304ecb0c
SHA256 79bd0bd147f06c538d84009d92a766f5a0273d866d0c878ed0b9ece6518de197
SHA512 6bc18b11059e3e1a04044d4c601d9361968cbd522198acba92944fb3009dc91737e2d8351397972b025484f88bdc599e195414023ff414c08b877c0840cf15c3

C:\Windows\SysWOW64\Dllmfd32.exe

MD5 a2c3fab9e1c5234fed5524e06de98106
SHA1 d38b3438f24a7d236804f34df02a7d4629c8fc56
SHA256 ad3f86351709e7a2823abc5f8d42b7b58dde0c8600bbc5176c98b1c1b88d1f74
SHA512 3854a2bab6e54c6a42d4f837f6812fb1cadf32b17d7223c663854314148b9149d7cbe1ee0fbdccd9c97196996a4ae48bea7582314ae4fbefc2df5daacdc79afb

memory/1604-193-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Dfdbojmq.exe

MD5 7671a6be795ec6b0323d9cb67496604f
SHA1 90857aa5bd76f96508f498e7c5d5615e9a9c9ee1
SHA256 86b0af21e64e379a242ffa8b36384cf55b7e4844b626320ca6e3ed0732c8ed1e
SHA512 938f22e16ecd64d99fbfef3cee1450f463a437d3736b12b1263431c376b1b5f94a081824a9e4b96cd08d97df033b0d6fda659906b4882f3e16c777f7019cfaa4

C:\Windows\SysWOW64\Efgodj32.exe

MD5 36408cf4aa9f946bbdf7a377d2993834
SHA1 9758c64021f1a75d09d771979424530ffc326de9
SHA256 06c731e747e0de201e40a351ca41719eef9ca8f982b758da17862d3ec74e97dd
SHA512 409c2c8c74f38d93fa226b81aea045b9938b135721105cff6a1a1b63ebfca41b72dc953bb2fe3746f70168a52302e5b0b24b65f9d9caad74ec075488875a9ad9

memory/5152-281-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3236-293-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Ecmlcmhe.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3596-315-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2784-323-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5536-345-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5092-363-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2312-447-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1392-493-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4692-516-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2868-534-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4552-555-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6064-568-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1860-569-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5044-576-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Gcekkjcj.exe

MD5 deae33338e17a2a0a2ca199dfaa30eb9
SHA1 37bfbbc64746960557efd4fb231d5faee2059df3
SHA256 ec03233a9d277e24c9ede6077f645d2b62436ff11b7daa41c00f917be6f4fd9e
SHA512 110ecec34955a5a094c16922685d35d2dca91f9d4e28667b0eab5a41357af84d3e12f9bdf92a4b88ebb9343fe84f75d94984fe73142c81e28e1c26f820e20053

C:\Windows\SysWOW64\Haggelfd.exe

MD5 594144c10193c61d29aea0c3f8ec6b9f
SHA1 489f9d37d8261d93a4a4d53349f6085e519fa9a1
SHA256 55d62649b7b26206a53ce34171ecf1a301e2eac480fae89361151d828d6cef94
SHA512 d7915253b85eb30f1d6cae2dfb3c79696a237122dcc791928d88a2776484d6751cf5077e46bf3bad884ef031c0de6725a8d1efd126e96ee9955e233208ebe131

C:\Windows\SysWOW64\Hbhdmd32.exe

MD5 0f1cecb2f60a6b6c29a279784260f9a4
SHA1 f8c10b6ca06f59826743249610724932a5e7ed89
SHA256 ca09cd8cfc12eddbfb083a29c223d296778ca92cd046fc8918a9505309f4a3ac
SHA512 adce28a9e4011dce9f38f62b06e15da132ba3cbbf1d6e0a9e1e2e776f282d44ba93fec4f5021a664e7a25cea9d637f0ce03052d9ad8c741610f216a9ca9f9b2e

C:\Windows\SysWOW64\Imbaemhc.exe

MD5 6d3efc7789949cd3318bce200d3e48ce
SHA1 42fdd0b8f520e317b25da2428458bba1ded36271
SHA256 3565755914d76c093a788e92008b886412143e431c58eb464cbd5b6041b8a0b6
SHA512 2e0b96aacdeafc5edd535a0e426e99c60f1c3f663b364bba76b3d67c135d365a52feb6966a377ea7e01573af7b04fd6f8c1c480cc60a359cd1e8709cc756ada6

C:\Windows\SysWOW64\Jmpngk32.exe

MD5 69ade24955589eefdf45fc4ce78040ec
SHA1 41bfb416cf72664962f2b49dcc446849dd997c20
SHA256 32d25477db89d842862e365503f146dfb8cb72434625623fd46d84e15088bc48
SHA512 cf6e173b0aa5bf8cd0ecb14790a512cce00aa23413d7435c1a618545c6953882f890d8d5f1962f716688a567966e0faaceff520c3bb39c296f1023de58e6a72c

C:\Windows\SysWOW64\Jfkoeppq.exe

MD5 c4825c283c8abd664ed16980ad027bc7
SHA1 9a8e7c91eb40fcba3bf3fd69dd1929ba379f150b
SHA256 57c25d39d3ceee025c149ae433382ce8167ff19a20eac37e6744705837eb9c65
SHA512 062bba96a1aa13f241d6a3fc34b502cab3d1f9c9116e1f31bc8624638db010ea49d5180dd75ccd04d7ace51c7a0d841d0a2088dce39b37dae52f2c50b29f1d03

C:\Windows\SysWOW64\Kdffocib.exe

MD5 e50d66eb2523d565cac8838551adc33a
SHA1 b688f5f367c5f6e8101bd4395ca0e0353cb327d6
SHA256 9076d94537a65a6b0b6dd4422989ff5e460d9b33f6e2f0556a820a81bf8aba9f
SHA512 9d70144b293819fbdfbfd11da20bd9945568f50b5c316605bef324e186a87fe46345e9e24dcac61243ee554a26614cde647f0e2a26351a2794e437cee9ead031

C:\Windows\SysWOW64\Kphmie32.exe

MD5 afe859c2ca53db3628a2112e956bee32
SHA1 04ce5ce60a669b0c0e22c45cad924b0c3f746cc7
SHA256 b6da8833d8c5833ff59606be1331f2ddb4c62375b5db844f6bd0b50a2db7ff63
SHA512 3a5a5ebbeada42d2e393bcd7297bff940cd454d9c0cf0b2cf20ee6f8a67b63c7b9308348874d7783ebc09c176937a4b9ef5953087de0eac0141dcba162bb821a

C:\Windows\SysWOW64\Kkihknfg.exe

MD5 a2c02f7369780b86c8a68e09e4f5c364
SHA1 a4ac1e3ee191563822a3621136e17ba387d42e82
SHA256 fce551148a36d02b7524930926684f17cf3009e3c074d9bbc4d37d277074ccee
SHA512 cd27c2111743a252b7afe31b4d5cdd94e6eaec2b9bfc236bccc1e25186a8acc3469ad5317acdc05c98bd32f96ff3cc388746081f4dcbdaba403e8be9fd03ac1c

C:\Windows\SysWOW64\Kdopod32.exe

MD5 34e0a8314498ab6e52d37e7bcd8abf44
SHA1 f4b538da04b72721e307ca8fd710b0e7017f3715
SHA256 0cb3be258cdca52454897688e332d370dc0a0721eede3ce1a36549bdf94585e4
SHA512 b5fdb250aa37fc54a79ce41823d539b677d98e3b82f06d3dc365a09c90ecd2dc6115aa1efe5ed101bf8451a7d3a9dd9a143c4714e90e7645f70fd45d88645909

C:\Windows\SysWOW64\Jiikak32.exe

MD5 6c61b478e69e7bca188507b247a5d31b
SHA1 e1688e76ba385aff6da6f554d3f3ad73e0dc0ba0
SHA256 c77d343fefb4c83fed84e70153f7c713dd224bd155073874a2093c487afc9454
SHA512 570077718d3d4e0ad7eab1b4e67bc6d757ee6dbfdb5cc4e1377609c96ed9428b1d2a57997a886eff173adff3527f2cde881813f9e19c5b6ea0710ee23cfde7d9

C:\Windows\SysWOW64\Jpaghf32.exe

MD5 24ac50d54c2ba336058e0db850fdb7ad
SHA1 7ee77d5a3e5c7b7bc1d9aa4149e6aa30f83418ec
SHA256 89b84232f421f6ccc0639c3b355f77f7a5865fbd3d813997dd389d6b2c9a0b4b
SHA512 66a0808408f401cafd7c7ce78471f0bd66e04d7f7e7c22ec619f9fbf70d6563676e80bd18b31e74855d5e85a93aa5e33adbdb45cf7145d97675a0c9e3564fcf1

C:\Windows\SysWOW64\Jkdnpo32.exe

MD5 bbb051e3e22a129c32360f2bff7c0643
SHA1 8cb70d0e993faf1f54392729293fdd83769a1d44
SHA256 2e117031690e9f25fa3969989b529d5a4ed0597421c45932b299f991fbc708ad
SHA512 53c7288117ade326046eaeb83cff554673f225b6b31f007d602a68d9bb17d7b05c5810a08d39ef7f9fd97a5643e2ba093a026a3466c020c35ec55c92215294b6

C:\Windows\SysWOW64\Jbkjjblm.exe

MD5 89b10e555067d5e329adca9acb694481
SHA1 989a104e40e44c87918e0cb164e48b630f82c76f
SHA256 b24d5cbeaeefaf9aae135d791367ff4c7c0fd147145eb668b3127eca2a8217f7
SHA512 cf710bb2ef3c92a91096c9af77193054e73d863df4106ac9155d32dada1f0771d9b0690b62fdfb8008d94057a1d34cdf865d69c4a0e01e58e3a308b5268037ff

C:\Windows\SysWOW64\Jagqlj32.exe

MD5 15ee127faaa07defeecefb19a67de0fb
SHA1 b3df3fe320769e4194bd7d2c003a31144936e93d
SHA256 8c51a047c13bed75b7e9315bb94d6ce5f6a2acfec45ecd930c29242c69c7da40
SHA512 413262f15db1ae803fdfde8de58c8d05668f6adc2385ed6976b28c17a6a54ef8150e4907e649b2d4766af365d163e14ad870500bee649be0a6fb57c3115572d4

C:\Windows\SysWOW64\Jjmhppqd.exe

MD5 ae403d139b89407c79dc5e3fffb3aa88
SHA1 82541630d4a2bd3c72407be8242ea91e89297655
SHA256 e9abe062ca90aa291459fc8e216f26e48b89e63440c65cf7519fd942cb9b3c0f
SHA512 7529cf9c680e1d1dfddabee7f8e8be0dfd6da6be701f48a7f2a1e59001c47a129f6c32516745ebeefaf6ce0f54cb43f48c92c2043fe6f92cfe35c9e463cb06f9

C:\Windows\SysWOW64\Ijfboafl.exe

MD5 ce77e6856164d26b7be8b360b99748b2
SHA1 d2d62eef4f83c0c2bdeecb05695948b6c5f3e6ef
SHA256 0c26738fcc04fdae2451152060acbc624f0a19bb71a89845140ac68bf4de58d1
SHA512 368ab7bf9e70c27b934fcb84f8f90d9f6218f90a4620205b67eae5beebe1a17e7ff6031aad15fee4932291b9f184d427291e0b0db53114f0025a9cc3eaecceff

C:\Windows\SysWOW64\Impepm32.exe

MD5 e464d06a7850ab0629382be504efd8e5
SHA1 320902c9a00621a17428f181772f00edf13b1973
SHA256 2198b63c269252a5725b93e915710559af40f1b6260ca306e2df054451d16424
SHA512 8e83b00da1a5b0f1b1d37a5884ddb13949199b32ba48d08ee723a7f375d93f5f68262485331a3ecf36acf8420bb5eac728c736df65d9b84c8851eb0099b23eb3

C:\Windows\SysWOW64\Icgqggce.exe

MD5 a7cbddf103345a4b14283bcc11b2e616
SHA1 f6af6026c0a4bb1f4e479fdcfdb47265e0126972
SHA256 e9eb0b4293c9431fdca34da2dcff4c0ff86dc958cecc3bc7239ad39bd95cac38
SHA512 f01ca4f3b21e140a1a5e5e19db2b23b761c39a0fad521ca8a1ea7e5473cb0d0948d2ac5dc36ff40a27e4ac954dfd0bfbdeef39d1418eea77d3d10233c1b60cea

C:\Windows\SysWOW64\Hihicplj.exe

MD5 dfa038496477e6a81d02f36b350fc9de
SHA1 62c5ee8639f41c14b5b556b2df38736a603f7c72
SHA256 ba1973fcf0fa422dd242fcd14bc65ae23066d27092fc8c02380d867329e73bc5
SHA512 96534a69081752f26b331e31174e61ea4091143228413c5ad1b4f192ed4ea6b684630851c135a15727d9b7754180a2964132134cacb3fe5ccbe51400d0d7721c

C:\Windows\SysWOW64\Gjclbc32.exe

MD5 c37b632bb1de3bd0d73e5eaea782d158
SHA1 215f718d915446b535568552ea048b1a17da1613
SHA256 744fbc10f1bf4fe25ac52ddab54ccfcf34bdb3fac595eb879022d1961d97aa22
SHA512 30ce170f6500a3c2a8f09590bd1f571b0dbced46625a652c169e859fa0ca6f9d86e8d346d892dca671edfd16a61a263f18d0f729f543635ad9dc55e9c1ecce82

C:\Windows\SysWOW64\Gpnhekgl.exe

MD5 204fba5acad038607e262ba5bfe1e5df
SHA1 49570600ca3532cd3e7dc972a5791b06b47f489e
SHA256 699fad4c1c54021f4e9de0d663d2869347166d2a5cc641e5af85badedf357091
SHA512 e94d12f79ed95a0b5fbf360120351877efc546b19990086e22afaec998b651e4307069ad2e6bcd126bff8611c430925a593b7cfad0866265e0af8b717087b7f6

C:\Windows\SysWOW64\Gogbdl32.exe

MD5 e0b33ca74d4b50ebf1212acaea883796
SHA1 4ea76019db3a7afcace1d8ce6891459ab3dddabc
SHA256 5e680434e6597af5a3a65ce7a8285cbb4e05dfa26055444f3c759c428c983c7d
SHA512 9e5a812f64baefd8e47c6787cbdc7ed53132098343d2202ff480e167ee1afaea0835127fa242d668712a92baeaaee150860fefb4a096bac0d29a9f53fc2c2f61

memory/5404-595-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5968-593-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Gbcakg32.exe

MD5 b1ec265b9285ecb6cf440c6e3d7c51f8
SHA1 9a6fb86269a2439c87bb05d636fa32ee0ad84652
SHA256 5480ebaa6dc23e0d95309c7fb9468c8c6ddc305d3189e0a2af7d85a03e2fb5d2
SHA512 63dffb4ff5d8566a184c5d04bdc84462bfd02968fb402ed84ee928512e586d13be6a3997990d3ec931d531131b9ef4ba96b4f0f13156820424d0c03865ae240c

memory/2264-583-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2528-582-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1664-575-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4008-566-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3896-560-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Fcnejk32.exe

MD5 ad11b1cee2012afba59a77784e496c95
SHA1 54d4a4fd609d5769277e2b70749c1549180f0a9d
SHA256 9c9827bd701a0251b977cf1582f618bbb25fa4323977f77ae3d2a98a9a9081fb
SHA512 8855e3c35a00b0bd0358dad42d46dde8854b4a0340b25a8863f46943eb5788843396b347354b2152cac84184028827ca2b990b92808a739e05e1eeb8f9b9b091

memory/5904-549-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4624-547-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2616-546-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Fmclmabe.exe

MD5 ddc94fcd9babaa4ac2a256b17e759178
SHA1 b57320f4ac1f988bf766f443b43bfc1dff236c57
SHA256 b9d4275e6012e8fe831bc8681908a7775f87ecb1404e4aeaa80edc4080921c98
SHA512 c82d901e5167ae03b3db89f08b4fb939968dd3d6024301855a133a29617240adb269ccb07ca220d364c7937658d8a6924d35b43557613a90f76d1df16fdb27b6

memory/804-536-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3052-535-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5440-523-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Fbnhphbp.exe

MD5 d30c70ccc7a88ef213b4081a905673a5
SHA1 289a02cc1fb59cbcf5e2d47c14cf16612f64f7e4
SHA256 bf97349675ec37e446dc08076681589a4764e6f6b2a6ef892af38ae54b97cf67
SHA512 dd0cbc3fafbc61f9a0f8f55af5a740335d710f5e89109c955629eaee002d5b7f8a405c1dfa3e397c52150115544a340e4b50bde8f93923b00d9dbb741cfa1218

memory/2348-517-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1944-509-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Fmapha32.exe

MD5 691c91728c8d0f86ca3a1d0e9b74e546
SHA1 75ce1c5497c51c3150de57a9131da0a56376669a
SHA256 cf1de5bf73df9a94b0516f3ce554a0ec2b31c6fcf71f20dad45ae3cc33f75681
SHA512 0a2ea5d587d015e6324c8389a7576a773dfe630317ba2dc8c01f8be86a4b33f05919bb175d5c6b4bcda4d650ea8fec5a77e79c5aca81183ade561283f985765f

memory/3064-499-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Ffggkgmk.exe

MD5 718e73590c1094f67e672eab58addd6f
SHA1 6f7a7bcab031144710695088a51a9d8658dcbea3
SHA256 9d1c66cd8495dc090c7ff9a28fdbf8327099495d745622a924e4bf5b67995775
SHA512 a815b20b3dff671f5e57799bf686cb7f0c53ca49b754c6c46372368a795206aabf45320751caad67bc3251f0c931529b2fbcdec42cf55bdac77983df58bb5e40

memory/5708-487-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5860-481-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1972-475-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1628-469-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4668-467-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3100-457-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4660-456-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Fcgoilpj.exe

MD5 301918dbff37358a58bf805a09fff980
SHA1 82c122c4661ba2e59817c828b10d59dddc66fd95
SHA256 983e730d51965d381e492ab78c69e84adf5e59c78e8432f6932bbeb5a4d9d1af
SHA512 08c8891d3b2c8ca0eddce0387aec5d76843cd8c2942efa6bfa8ec1fb18cbf0fea744ad5f85dd6c5151fabdeb878acaa2ba0992668e9973548afd80ef822196d0

memory/2628-449-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Fhajlc32.exe

MD5 bc6676264f91ba684d66e9ca64d567ba
SHA1 bc681e1b9cdebe19de38d564f75b6c2cbde1158e
SHA256 b23f36cb62289749e6e3ce69384c3b517ca246056c32b140d11e9df283013b81
SHA512 6150a6402eecd226ccdc046a1653bdd3a23ef4fcaca47745b8c5c6120b598621e5a50587dff2aeb99c0d139f3ace108d6e439cedb4d88572dbc57953f021ff88

memory/4044-437-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1172-435-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4848-425-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4480-424-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2344-413-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4824-407-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2556-405-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Ejlmkgkl.exe

MD5 8824b6f4eed74589c327be696bcf938e
SHA1 39c6febae7c90389fd8f8dcbc9111aa24ce6ff3a
SHA256 c3eff9af80fb1e9fa8c63e9e70c71d6292f95257a0002c67dee89461de7488ee
SHA512 c4a7c55b2d1e4b942b4a5b7ba08730d93581783adf63c3976d0d55699ea7a4b77a5d1fd46d4ab1d7c950c5a2313dea2a8d76eca02540010919d215fb5df90633

memory/1764-395-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4672-390-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4988-387-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Eofinnkf.exe

MD5 78cac5acb19cffc8e153fa38aa745bc0
SHA1 28f32ec6c445559af8054481cb17107f372c2510
SHA256 b8ada66eef463790ecca7c00a4c95c3795f5eeeb0ac10a6202d728f394b32088
SHA512 209d465c78c5b31d32606f5f14f5f374dbf274cf6e61848cec1230bdec77d57027df62071bcee3555dbf086a5789f7aba607470f317b10fc0864609bc920dd8e

memory/5732-377-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5444-371-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Ehlaaddj.exe

MD5 36cbd35d72865af50c32f9a5c840eb9f
SHA1 6511e8973f3c488504fa1ed292ab58572fc187fc
SHA256 536494e19997f0e852569756c8c8c52afd22b5bf52eeb72c8d3576d76ba15c07
SHA512 0dbaf1b204438dbaf73c5b16b95c368df4dc31744083340aebd0811fd831adf4d63d313df9eeac56bd58cf5bf402227a2ce8fcb5d8fb98d5cc0c45fec5767c0c

memory/5472-365-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1420-353-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5396-351-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3252-335-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1584-334-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Eleplc32.exe

MD5 24f9ab3a8fbd5dc520520d48d1ab4dae
SHA1 657d6a57cb2d271dd72f8645f4dd8d8154ce39ae
SHA256 2d8263d46dc6413ddd623cf0b8a2b20565d00d0eb37881a2403a357fa0f3448c
SHA512 0b93dd39dbf590a0590da2c53563e4fb99445511fdad1d9211954f6ada35541536910a91a4ead108fcc52b329b34e8e8536b0814bd29749fc31a788895410ce1

memory/976-321-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3180-305-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4580-303-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Elccfc32.exe

MD5 88a3b8aa0baa1d1ac5e0bf71213b3f18
SHA1 8666eb12ac20dd009c4860ad614c352095ec0a30
SHA256 169bffdc4d6f86c193e55c227a197156d50707abb54e3622be8450ae1d7c0d13
SHA512 cdb2ce74e8b7d781e78ea320df78d808d515f351a7dc55ea8aaa4085abd9903ba54cc903857c6c84ff822713846e4b65264ea3d2245373e8f5ef101bb0a08476

memory/2892-288-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Eckonn32.exe

MD5 701bde471835ec6e95f8c6c6f8530612
SHA1 d1d997f4e334f10e81c139bcb11f0e1fd75c89ca
SHA256 ae9930b56ba57bded19c72d1bac939481b80f66c22d696b232e958b5f7c264e8
SHA512 5c1e69607ff258dea825ccf362eef067b3b017bcd5ec0b8a9588af37dcb7c7faf1af2e043fde9f6b48d3bb256c2de31defa2628da9e31301dbf5435bd8714e6c

memory/4028-275-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5144-273-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1840-263-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Ehekqe32.exe

MD5 7643523e9ece97f08646f6ef9803cc48
SHA1 380f913992d9c5d30566d93a7d5b83358da8fdfb
SHA256 438e7029cdeb64e8e579a88eed5f345d08a6916ae15c37bf1643b52516e0780f
SHA512 de6479bbf2923ce30354ebdc18f7dba7ec503a3ffc528e70e1fb2cc2ab59f5e71138af17c1687fd019e8c72b7bdc52dbe2606b87b13583ab364bd0f5a353a539

memory/4812-257-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Dakbckbe.exe

MD5 eb465e2209a9a2b0142a73da0a79bc13
SHA1 7836bb185ed89f7073e42c3ed5e249c5449371d1
SHA256 465758b5018268de028de05e6eadca0a945f2238ec177ec68fa524d12a4b04f3
SHA512 cb2d6de756a12738ebd182561b13dbf51300d7913da74233f54b30279ba7bc9a35ee33f7d1b6ffd432ca2309fc384857d0e83f64542e364bfee7af8530189cf2

memory/2624-248-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1372-245-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Domfgpca.exe

MD5 dd539363edecd0677cb47d4b48ed797d
SHA1 31fe35fcf1656f8235fbbd8d41ceacaa0a864c25
SHA256 e2ca46be0b5144ffef8deec3a0cc5fb51b21f22dd9be7b9eea5cc15a1048ec4d
SHA512 5571bb935f5f49465d74de8ca9bc0bff430ed899f79da4e659f1d14add75a0dd9a7ac24c92774dd6343aa14c3d4a78f58169e2e385d4d4c515bab95b27462126

memory/944-233-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Dpjflb32.exe

MD5 dbc6fb1849028eaab2f99ceb69021051
SHA1 08af4c2479a49451ef839f0da122354a4723047f
SHA256 894a22da21c1732583301c71a3a4a87cf59ab1a8db50b6e4cf3159c5c637bd52
SHA512 66ff5b1752b83fea6083e7f70d3ba2985aa99313665e6bc962516757902593e14fc9f2daeb8c41d146cdbcec7bf86d76827a56138426aad924a7a39632a99fdd

memory/364-226-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Dlojkddn.exe

MD5 635ab5ccd6150fb454ce94b1c891aa67
SHA1 f66298e278f7b41c4ae9fb58202bf3658b88fde4
SHA256 0779d31f7c4103609ec64ba3a5243960d91128ef63d0b7a531a5cc94c7acbfce
SHA512 65daa21be3c9ff45efbb0e7b067932ca2d43311bfff939f700c886188208bf406a35d0cd382b07882197903ab6324594c6ea9af96178b4752b6279af0cf321b4

memory/860-221-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Djpnohej.exe

MD5 2354cdad7ffe9a06d3e15f15864a40fb
SHA1 198d7f287ebb2b6e169df4b514c4271433019b73
SHA256 37addbf2347667875d143786cde0ec704bf4d23f98ae43886d1f5b1d3aa3ce61
SHA512 5c6c5ac01f479462ff931dcac3561fdc3f23ff0d2fbb5e1217778ea9473cc85f8f71fe2729c42672fa0fbe787745d3d4caf0c07e55e613d88b1f800262cf21e1

memory/2076-209-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5628-201-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Dcfebonm.exe

MD5 918f7f63579b2e3bd67f1743b15ca2f8
SHA1 d8d360399c1d51900cc3b49457b35d7624fad6a6
SHA256 0da05f81094edb25db3d01e32907361072d06024ab6f76fda5b88b61c074da0b
SHA512 e50bcb615536c10a02469a9ea6506a45c94737a6efc0fcba38a97d6c5362013b965ca7821ee5d754b303986a5d5196663ca41aad5b26f6d5b52dcd24e14f1d7b

C:\Windows\SysWOW64\Dokjbp32.exe

MD5 11d493b21f2143572a8bfd612861ed3b
SHA1 d9ccedd986a53b5c954ddc8d7248eb59e8d1f5c4
SHA256 4c6809a55eebef97f5a309bbfa897e405ac4e584727353380021eb9b9936745a
SHA512 551551bd27e97126553e478a74d3f3bec089a50dac7b049abb6053876d37a59e44e7ecebf04b5642b7389008d72cdf466d7ace0f70ca3117975a3a2354d86df2

memory/2436-189-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4436-177-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5664-161-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Dcdimopp.exe

MD5 84e801176b16872e0c3783b5f63b3465
SHA1 55f9d5c96f6b3624dd9df73aae44b001a6705a70
SHA256 8414a10c0396d89c9ae91cc7cf2a68921cafeb800411b297b8269b9f121dcf40
SHA512 d1cfbf00141adc92b4fc2d59d711dcdd2b20c5f2bc4a7e913ec2af11b5bc22c59520f4df6cbf826091eeee72c0711d40d9d8fe03f71c7c991538752c630c713d

C:\Windows\SysWOW64\Dpemacql.exe

MD5 abc1f27875f06a704cbb9b6c2b0241da
SHA1 17b28bc07f210ae7357c3fd8c7b872d8e179b2aa
SHA256 ea079d8e8cde58637f6bb26442301e100ea8891615be1f0c40c449b11f98e31c
SHA512 f76eb32753da32b01b4420a9b8c4588066459ee8dd9c31bd7cd19bf33a17f1bacfaa83f4885de5ce15c1af45c91cdb0f01044412d896aadf3212d2e6ad75d747

C:\Windows\SysWOW64\Dhnepfpj.exe

MD5 ddff7f1690387444003fb9fef272befb
SHA1 8b8e9c616e6f5956511feb91cda249a0e2fe5ece
SHA256 ab9190e1f9ebd66eefc55df94bd2bd2bc360dfa475569eae5d3a771c2a68e8e2
SHA512 edc5a0d1f37caa18c3381d0e04840160736ec9b73914d33c09799e29ef2c4915fbdb450bc442c5e4ab79d245e14f8f334eee269bc01df0dca756584d1aab1dc1

memory/2428-137-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Dephckaf.exe

MD5 cd1138fce857a44d536beb50a10fbba0
SHA1 fb610f180f1648091c5aead3edd5e2b3f3b1096e
SHA256 e52a05613f442460014a1b6d472d47952ec99049c756f77d95cc41726bff4296
SHA512 2d9125a3e72101fc9cc57e32f463a4d8996079107e44f7433961cb7fe7d07f69c6080b6d3d3b40d6d9209a70a724f3816ff4899aecdb73d1792666a284e29ef9

memory/5332-121-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3860-113-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5872-105-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5364-97-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Lkdggmlj.exe

MD5 a7f478e8d52cf57a2bc29dcc0ca777f7
SHA1 45e9471f0da1089827ffcae91db2def71c967909
SHA256 a1ef94b940629eb487566a8eb571c750da9af9618c0b30a50801fe0bd8e8499d
SHA512 28bbc1b7258b3d3ef545800587794fd601407228d90618f51759db323612b4e17182d9fc34cdfa3697acf111857e34d8e45deca2e353ce8cd42a831158e25329

C:\Windows\SysWOW64\Doccaall.exe

MD5 55aaae09dd14e7c37c8a7eb900f7eafa
SHA1 88cc7c1c072fbf808e49edb7c70ca481a0ef9ff5
SHA256 803e0db94858d71bae6ad35723afda450992c201a99535a556db29e109bfe75d
SHA512 565131616e46fff852afd3da53a8c414d0d6e98ca71fc8c362a06d07bcd9d2e059065b7ca16c2824fabf5fcd25a1eb8ddf16fb3990996d708a5c398a063139bb

memory/4452-73-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4296-65-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Lkgdml32.exe

MD5 da7ae26cfc0be24e157cd3b1abd9695b
SHA1 90dff86db8cd36e226334f92488298832f0bc553
SHA256 febf5cc779edf755a136342034d78a8c7b7bfbd54e4a5c53eebcae0ef808442e
SHA512 83da20cabfaa4708877fec5c0ed52c1e62217cf97a5899d09b666fcccf307361fb57093fcc8ff81abbfdeea74f63304929995b6cbffb612eedb8ff7ee483eab6

C:\Windows\SysWOW64\Lnjjdgee.exe

MD5 220d6463f7453923343a352dc12e8a24
SHA1 01bb956661c41688d8d273c06e23bd2bb8b34fc9
SHA256 defa6659d33e6c18ec1d4d9877ca094f92bbca01839a9da1785b197b4428d767
SHA512 c90f25b61c36115804936eb7912d132bb7c782b32b07c98c1b86c89adac4520c6b62389d4c91cf9cb97100113cd6126985ccd9a544bb4602ab9eb52375d005fb

C:\Windows\SysWOW64\Mahbje32.exe

MD5 7f9289e16821f603acd14901d28b2e36
SHA1 5367d540181d98713f2de54ec258ab63bb6ddbee
SHA256 479b19484143aca47eae83f5de2d4663f4e4ca6145b11db6e1ae46d3ba394ecc
SHA512 4c65db89bcaad087bbed78a8f35c366bd520583465a37eea7610adb5bffb7b65e460695b48f74e3966ebf80aeed7a1be396b923aa30d3b7b04551e901e60d3f4

C:\Windows\SysWOW64\Mdiklqhm.exe

MD5 86150f1c9125a5843d1d74bbd4ff42ac
SHA1 e71712274f46b25758cf4f078bb039704103c4b5
SHA256 19f8d574af74132791298ddbc247107e1d2ffe18aa14db9b6a546936c1e95f42
SHA512 8adc5fd53179b2fd2479b0bffdb655d99313e24c866ce76578ec7f28f969136f67728a296077e5ed0df135d5d9241ed2a0ddb576ba8be51adfc49e9e9aa2951a

C:\Windows\SysWOW64\Mdkhapfj.exe

MD5 430cc56ec3c0e3c1e2203062432dc6e1
SHA1 6e96beb2b24c012f18b4855fe6ee27179964dcb7
SHA256 2548673406539d49c3d02657dc3f55fc7b8c38c9f61894beca37d20ac73d1c76
SHA512 db22eb75e6c116e84d7877c54e6969e245c7bc00702f60e7927fa376c0a8f6e4b9d792d8b793303c2d359d88ec84e099ac1000d17ea428e2af6e1c0941d30d3b

C:\Windows\SysWOW64\Ndbnboqb.exe

MD5 e5457941cab77baf99e4210b80567f40
SHA1 b52c372fbc9d6f587bbc30f300053ac4a876a9cd
SHA256 ea305937ecdef5262ccf81f5535fae258a1b590fb80ddf4c3585cccf9d472cb4
SHA512 3aebc3a7596fb203b83abbca26445fee4cc2039004ce3eda3d7d2b71f381f7b5d865e7dfa88cf46f11f0272e7a1431e3e78e7109ef3272c848cf62e9f88da2b7

C:\Windows\SysWOW64\Nafokcol.exe

MD5 81d56f786fb310d30a17971938b6285f
SHA1 ac52342010fb282e7e7f3c9de1258e4b763ab454
SHA256 da1bd291d000639cc8df7710eae4955babc5e1bea1980ec26c2182d3ba17a90e
SHA512 d9e0d76195e0ace446c25747ac57d0987d34fa8d3ca4ad5bf16e5833a0c6b308c78465b21c6c223d8376dab38a61c96c9f0e2d125099a4fa5729fa925bf483c2

C:\Windows\SysWOW64\Ngedij32.exe

MD5 dee84f5f470eb34acb50a49485b2c877
SHA1 92dcf4197910fa4e20e98fb4ce4b610911c686d8
SHA256 2367d0d83147b505066242fc8098c21cf929d200da5de01663c43516aaaa0a84
SHA512 af1d2dcfcb3fa6ef503f4d7f7f41fb293bd11aead36f7c72c0c0a8e991df504dd2378e4965c7628e5eaec8644a822e62050d390bc766d09c8504d20db7dea17c

C:\Windows\SysWOW64\Ncldnkae.exe

MD5 92cc59a15eba2b693feeeccc2d755ea6
SHA1 5826605db00eb2393bea02d2086ee263665d282d
SHA256 e3df04f6e9adb835c3c5957471a39adc006d8e3b2e7d662535d836577f6eb9ef
SHA512 702f2b7aa670c9977bb4b5391416c7ae104a417839d11829e83b2fab7ca06e2ce158b1be51d486a3d2c2d877bc53930fc8796df7f651c47313abb27f6a717f5a

C:\Windows\SysWOW64\Ojjffddl.exe

MD5 777727901d955dd43cbdabb54538562d
SHA1 9c828ef269b83c9b280c1526495450e46790523a
SHA256 7ac7d0754208123438db3a56c575d54c8c9513bb96edb3c7c844cb69c0e5aa49
SHA512 88fdd7add7cfbf36b88cf998475921e3e0c07c9a673d69e2a914c65a94904ed88bba09b394b41a1855114ca6c68246df87c7b85183f9e79565759df271c64051

C:\Windows\SysWOW64\Ocegdjij.exe

MD5 0c4b9a49caf1da4e47d49b95421bcf41
SHA1 277cc74714e197b6b4d20728653ce57dcea0aadc
SHA256 0c6b38815c96b5580650793ca140755189c16590ae490fc9413eb64b9de66a3f
SHA512 e8802d20b1b5da085f603ba752e9ecb0dd80e4d9bbaf6675caac111e4eabef4265feeaafefbed8a773fff2885e26a2d7ead47dcb6ec806ff2eb214f436100008

C:\Windows\SysWOW64\Pqnaim32.exe

MD5 6df2731c6f69b4d8948a10b34d8a452e
SHA1 184af7d48aefcc81125bf6d6ca2cdb16f4d0c03a
SHA256 588b34aa264cee0d929ef070770e99f4868810c7baf59374949594c7e476e6aa
SHA512 1d6d96909988ac46468a57906483cff644c5a9a520ee6a3c700c10bccacc3dd9eb11a7964112a5adff9d014de4da0e70630431e2acaa0da953f183a3bcdeb238

C:\Windows\SysWOW64\Pnbbbabh.exe

MD5 8ed775a748aea73b6d781f03c76903f0
SHA1 98e363d803d3d056d30b5f92b99641ed757ec6b9
SHA256 a5642a71e2dbdba3ea6a703cd308cf66ca5a368a8b15649708634c01ecdab2a4
SHA512 9e24cc9944a5887afa36543ea0f7869a3a276e136acf63aa1dcee89b1fbccbcd4dd7dd5776ce8098ae7f4462a4a48e011f4dac6c1bbc7f7bdbedc00202e25b15

C:\Windows\SysWOW64\Pndohaqe.exe

MD5 fe5cabc704c2098331a056cdfdac72f0
SHA1 c94f7a9e9b342d62f74671de6a015c79e8516712
SHA256 851ed7ac55366b7ad958b868bd5d0e97285637ab96b10e97f313471554c6cd21
SHA512 31ad50d624063853b7591f5f5e7a357014d312ff16fb1fbec40f525d04eda0a4f4487f6526b5dec75425797135fa0a0bb7d265b3c3007638cb87f477055dc3e3

C:\Windows\SysWOW64\Pbbgnpgl.exe

MD5 894c429b475afb966cabfca5ed1cbf64
SHA1 99a3e550de804c5edd6ba235860cab8a0dfc8c5d
SHA256 fd8d88d02cedcde0d94e994c70ddb35ceb820caa7d32206582120e92d25ec429
SHA512 dfc947d7a673320dc8b63a52e92edbe461871a5ab09a76fbf58c84a799856530b174d28da6520b70cc5936042a68533563442cbbba20bd37e9ebf83afcba7a34

C:\Windows\SysWOW64\Pnihcq32.exe

MD5 c8de61278444bfc903d34c311ed348f6
SHA1 f784f1709038534c894752c61b0b40caa4ef4750
SHA256 828e1ef556300e1d3bf3ce8ee6a53e3443c71c133d6e4fac9ce78d11fa88d11c
SHA512 a6e89c422311fda5029def17d6e94efb39181f65d12a6f6a64349bb72b060a385b7daa25d6a583dbd5fec5389543dd9b8f23a61b14619586a69e214ef42510a3

C:\Windows\SysWOW64\Qgciaf32.exe

MD5 a70ad7df42ff2deb819b95a9d27f630e
SHA1 9570d2f80e2000d0fee72e6cf7c5e8b4d63f4b87
SHA256 3c4f731d74b3bbf7773cd5725f92ce0ff852c5ebd1d7181135daf4f3da3209ce
SHA512 05f5d4b8fb0f0b3e8c22c9da0f5a36bb89f336cd68d1bfadd68f9af3b89a6d80899e6356feab342a122ef278f9ddf4be82afdcd841b2fd47ddb5c5f74707356b

C:\Windows\SysWOW64\Abemjmgg.exe

MD5 d00479dae2d03ba93349d0e8aec35bb3
SHA1 29686b1db527521d5721c012e8b41abc2e249d74
SHA256 5079ffd5d20e832a56faa6610e274d4ab0608cb65049e5c903f699543a7dfdb1
SHA512 23eca3c9a39b28cf4fba2d12510c3e8494dd23ad98e6262f6f26c5ac271dd4350db58027fc29769368340206e031a7aa8288b1d58062653079c575c9c94caef2

C:\Windows\SysWOW64\Bbgipldd.exe

MD5 0e194d91c6495713599fa51f6f61e472
SHA1 37dda2708a9eb5897535aaed782c3da2c5aafecd
SHA256 5ad7d04cab135e19733493af9e3f9de9680ffc04c2a5931db6f17ac0e0266736
SHA512 f70b34491a659fa2316829a5faa70d64b0dc9f30119ef50e7d099302e6aaff423c47590ce06855873729067ce648d78a092eb6a0ea4561201f3a5dbaa9c944f8

C:\Windows\SysWOW64\Blfdia32.exe

MD5 55e63d4a26267741bb93ae33fe8985de
SHA1 89de34dd0b96b62f4eb672e8449d0b0cdd54acca
SHA256 eb383b55b6f055e5bb84b3776d10f35aeb977651f92484e2e28653ae7719ccf1
SHA512 281452510ce7824ce5fe54a5afd41d58ded9d2929afa8fa192ee8810dc1bc273447c07124b5899bbbeaacdfa5e20b5595c77632ad0c4e83da10b1e6eb5307b7c

C:\Windows\SysWOW64\Cddecc32.exe

MD5 d2905069cf8e98f4427955f40aed4f6d
SHA1 d59c0c1375b84d394c9e4f957704f35a76324560
SHA256 c69d0085fa5651f1683912a0f282fad92c19097ec1ddfcb1832430804d2f5cf9
SHA512 a47cec3263b294deb70724f0c6d901d2d89a6a4341ac50b5240e3abc750d75f540efa38c16072c4e56bf38abc0f50fc2bd674f8f9fa4fb9841c2131531548676

C:\Windows\SysWOW64\Cecbmf32.exe

MD5 a551f1210a9339822f344e444d0478f2
SHA1 9e37fde7b6159ff2a4fc3ac63042421936233974
SHA256 27d03485c544789b2ed677f7f49744a23cad431439bb644441a418bfa461df6e
SHA512 dc42d1043d3d9d103aa7d817e57ba658eb5c0965496dd9fd08e1cc91869afdeeed0a9a81dd19466c5fc83e98ced97199cc264dd8b2dea9bb5e412523af7d1ab4

C:\Windows\SysWOW64\Cajcbgml.exe

MD5 cdc9f40fab5eaa6afaf3ab3c99624921
SHA1 bb2ed62297d1c6a1c5ec7da9856a209a5cb0c76f
SHA256 49ded5e413079d1ef904e8f7d28cee6bb47f468495b1983dd7bf853f52964a38
SHA512 cb602e9dfba438fa4e4812c0b1ba0c1f97fde97be27729c3e428003d02484af9776997bd820dabd9ab6ac47a13fcf4f2377124da892cc939c045a530f31325eb

C:\Windows\SysWOW64\Dlncan32.exe

MD5 53ab524d61c59896e15de0d233481b54
SHA1 4988d73670a85987f2aef77e33ad3e8a22bc0652
SHA256 23eb874147b202a244fe4a440f226c3803a2c92659a07e91d81b09e4799fa44c
SHA512 db868768a5bc33671e74c11963ef9e510fcbd9fba8fb215cdd4d392152326394995e225e963221d3312d8070766787972a7551883233b2be7db75ae11d5a9e49

C:\Windows\SysWOW64\Ekcpbj32.exe

MD5 41167456f13692adfa1264c436713b83
SHA1 0ad2a37d6b3d362564c52a5f9854625b453c06a5
SHA256 7ce9b8afdc7c910d83d3d9abf93a998a70cae5f2c97233257fc49342b8d382bc
SHA512 bd98d4e3d8da354d2619f1b638ea1844fbc0b8336f41f8f2a0e041bcfbd729bebc1ffdd5a38455e8eba409921f3b28a699c59ac0fda124f766e8f7bcba721063

C:\Windows\SysWOW64\Ehgqln32.exe

MD5 69311bceb0cfb6509c6af078c4b640c3
SHA1 195f5b4b5df450c73924cc1f40ea25c2365ea72c
SHA256 bf73420e52c0d922528e1487501125dc37f55da3cfade1bc84bba64ea56dcd2b
SHA512 67d9104b6c0512ec7365bd6c732dbfa764e0c73c8eed3b30d7a8c9ba2e3a113dfae407dae1f45f9e9eeb9b379170f8bd96ffac5c3bcaf907fc2061066ba34d7d

C:\Windows\SysWOW64\Eapedd32.exe

MD5 1b34f5362ce26008ae5ada71e19169bf
SHA1 9d55963518c461ecc1c49e5d457da9ee9899ef4e
SHA256 7383a4f2b8b3e96ae4201203aff1f9de5f7785a0747b49b64f475c60e6fb793d
SHA512 d23f6dcd45222af171c84035e5ec0cc5dcf18ef99585c97be6a1692fd76ee8c7d2f44ab637c3e80d62d45448e1602171ce63f529375391cc27c5cdbd5fd30a0f

C:\Windows\SysWOW64\Ekjfcipa.exe

MD5 a231243a59d729280d37dc7806579932
SHA1 93f4c6768eb2f4abfc8ea7e7a8c47b7c3dd11937
SHA256 fb5ee24ddfbad0f6413598c7c8a949f585fbcd194b24ffc31f95db6d468ea40f
SHA512 f5f22b74009b6f3be0a263954637a37994e801280ca1a9021e5db6d67991ab2dc530de245d62ad9f259a6484d68229adf90611f9769d00b62d716143140cd21c

C:\Windows\SysWOW64\Fkopnh32.exe

MD5 8c8b13d006306f311242e7c7bbc77f39
SHA1 8166974b4248846cb1172e0d0c33622e08e4aa03
SHA256 f5eb63866151c00de79f46f1c498a4c9e9c529b87e5d0f8a060b1897081d2c78
SHA512 1cc804e5c7df99c425872b36cb5a242c33899b733578b9d84ee1f3bec776848cff65abe1142ae99a39bb4dcfd261a65bf9b82a85bc9170e7f0c092f33d031252

C:\Windows\SysWOW64\Flnlhk32.exe

MD5 db342ca67b730d466ba05b1735a6e2f6
SHA1 9c5f4fd5c735a679530e02566b305a4eb777cf40
SHA256 6aa9e01b06ae85eff1956375e806589ec6124b26a1b42663eb1443cb49ab8a8b
SHA512 6619c57d4ce1c68a923514deb14dbb26d9d1d7053d15b9c83aef6d22e0f6b545a1483ff6020cc4addc8f1fa5c96498be2eab45ab56399a5f357216860c36b2e7

C:\Windows\SysWOW64\Fckajehi.exe

MD5 f65070392291ff635c851938604c4841
SHA1 2b1f98da7899d2378fae1422488cd92d07e8ce31
SHA256 7c47460d4def4339eb5d8313850a27503851200d94126a4f4c802e87455992d0
SHA512 297cbefef9fb15d7baf5f6a1735e3bcd8233d49a0544c86bd3e4dfa9ea2bc8b795a4f62aa85bbe1a4693d18d029f61c0a14b3035f2edaedd4944dcd2805384d3

C:\Windows\SysWOW64\Gkmlofol.exe

MD5 0c6c7228a5964c018eddd16d4532702b
SHA1 47526470a71a357bcb47aab476effde7aae71ca8
SHA256 6e089f5c5e60db20d083aabf840b64bd96ef1c77cf33d8cab044684fed84fa00
SHA512 e634836f2d35a352c0d7eacd26f02e5ff08f52f48a9fd7918bd3bdc511ec845e9598fb935e9d95fcdfe0a9747d176b88b4b3b4ba344b0bd1bbbe55f2abeaf95d

C:\Windows\SysWOW64\Gfembo32.exe

MD5 400e7e3a643acc1825dc9918e333fd95
SHA1 81f7b96d3d3ba5b92db2dec9de29221f630d4e2c
SHA256 62b48718cce77d3caf853d10a3701aac0b076efb5db9054ef5aaab08b78bde1b
SHA512 9badd5004d442938c05451250f3c458b8ded95dd28852c220b1ac8e45c4cb3bb3143dcf050f458435f069e0793e57dac40c6634fd12b2a2eeca8c6ae952fa179

C:\Windows\SysWOW64\Hkikkeeo.exe

MD5 50783822b1dc3f904ee721f172e2161c
SHA1 0943353ae42969259c018b5d9c910719323e489a
SHA256 554dcb530d55aded83dc25d0b569b07f9ec1311b476806a8407b65ee554f3544
SHA512 2e4d37a2b72ce0fd5ccd30c9fc37c7e9963142551aef3b5748a7589c13dadecb836c5892e68797bca7d1755475f701a21c3249316f59d278778f1bdd0be1ddf9

C:\Windows\SysWOW64\Hkkhqd32.exe

MD5 ae1c98923a20a0976e6042506888d310
SHA1 410cf2d12e00479ecaa952170e211f34a1918cfb
SHA256 baa71fd971251b93cb67259d927c41b2820b33a91b89600fb569bc7e940bb0e3
SHA512 34bd813b5bf02d78ba2debcbd97ea120e9381c1c21401fc6746cf3023eb9064d99a183efb35fad292947a03711f981753bdd424f2db4818ea628c6d839959d1d

C:\Windows\SysWOW64\Hkmefd32.exe

MD5 b2310e25af559d72d38ac584260e8af1
SHA1 e76a3500caedc8b0791afa07578b20148ebc4cf1
SHA256 948b296cd8931879577caced505e5f67d01451ac634d3b9f790055566a05a359
SHA512 7b43620404eeffd20d54b13df0d7025b1dd9c53a22195357242afd2c1501127900583e4f9df8adabfe4560ed12edf03d8656809f3b845ec9e2317d74df2c4fa6

C:\Windows\SysWOW64\Ipknlb32.exe

MD5 b8fd923fcbca2ca83964c6899cece637
SHA1 1cd4d338eafedb4d009776781a56db37bb07453c
SHA256 91af5b5feed84104565cb1fbb7db785a50780b8654a5aaf4b5844a0c72cf746b
SHA512 6768fa61c5e5bfad1e089c87bd7c99ac51b7ecc96fed19d5f996469a852b538e0665bf0561eed59f152481c8ff9ad0a3e2c9e1cdeb3534f61430db00acf47b3a

C:\Windows\SysWOW64\Ifjodl32.exe

MD5 9806a1058172b48fc5ab3120c3ece7fa
SHA1 48807782500691594d22babdcd218ae83abb0c78
SHA256 0db03b3c393f633347766aa4deb50d6e7b4ae8f9d7b2939704c348ba37807fbb
SHA512 d6b7580b22196a90fe35f758fec20db35838879f1c8c83fb27a8a9ca818605559f3cd421123c74cda2553e4a985733fd3d587582aaf6a54b473b344140840750

C:\Windows\SysWOW64\Ibcmom32.exe

MD5 6e8a31623465429d764f1a02330de46b
SHA1 8f72720ba3b024dc977654b74dd0654883a4dfc7
SHA256 9e722dcad4d27d703087685ec62c0a27b14c8af40bede280ab7829de6edabe9e
SHA512 0a07cceee28e7c8d26ece8d17b970f8e02f3db63f5432aa9780bfa9de90119bec1d0fb692f3e636a3081bb8f3cbd00f6f61e765e0489eaedb8ddc9f389538f91

C:\Windows\SysWOW64\Jfcbjk32.exe

MD5 5e39c08809e5751dc8a5f4eb4debe4fc
SHA1 801e670b2a729af69acfcfde909010fe545429ec
SHA256 c785f15f352ec051889032cdd7e773ed197baf2f15a84a2a626353795fa6f82e
SHA512 ac076bf993750482ea592abad1d3d5bc42f2d6a832602af627388bcc1087d07cc6a02b48f57a72adb3f0a262ff524e0f676261eb802cd2d2107df9b2eb487225

C:\Windows\SysWOW64\Jmpgldhg.exe

MD5 14bb55578c0572f166afeb15c5bab138
SHA1 d1078e2b58cc6699b1931483642165ce0133c7a1
SHA256 872c4663bd3f5d8d3ea3cae13fe96d88cc4bd91f2c2fe79a463de8fc0a8276eb
SHA512 e1fd01eb2645b5a362b2f43899d2b1531353e9d087892c91ca92282708da6d50bbc48d8df9ef6cd9c01751d04325d29d756f54c8f0e0b1851cc0e3909e208e3c

C:\Windows\SysWOW64\Kmfmmcbo.exe

MD5 a40ff987f5abd7cf54ea17ec0566cffc
SHA1 b184894b87f86d5c4e2eeb3e6731541d929c6aa1
SHA256 7ad89fad26daa71903ae49812b7f64f0d937061655118c432239d209175c9a1c
SHA512 acab650f634dcd55f26d9a936443c7f4a46e4f21c73888093fea99034c811db8b7cb03a390ef2aa4cc6088443cf3c08faddb5fa9eb9072d42bc8b8384154f163

C:\Windows\SysWOW64\Kpjcdn32.exe

MD5 ef7cabef0bbe82b072f75a3f46ebfd32
SHA1 f323fa397bf50de6e22783af54494e1a2011a6ad
SHA256 1575ddf725b72e904e86ef2cafa28ba29693f2550ac2feca486027c81ab99709
SHA512 375a1e5dd56459164e98506b1efec9995e45c000dec706349ebe6b22c396c3f28a1e79035c0344098c8fe6df165376269c855e661e8f580d318a209a348e36c0

C:\Windows\SysWOW64\Ligqhc32.exe

MD5 594a02a9f8d61b227c467622a88687c9
SHA1 c2605be4100d26c0293968970561dd68118fc19c
SHA256 e2ad342a66ff5548c29bffd0a2b5f115710fd418811e345741055728448a92ea
SHA512 8e4d696d59fe376ac7c9f677c4f026e10af6aec6c613d4033f5113e77082731015820f69d6b97441a64a3eda9f3bb344c74779bb1f1377c7aeaec27b69bed481

C:\Windows\SysWOW64\Lpcfkm32.exe

MD5 87744696e746cd8ff88a4900ff563ce2
SHA1 2b0616b566bb394762ca1f182ae6dab031515336
SHA256 a2894ebc3b294b229e31ba4d8a08c6a4ede9712e43b203d984b277ac2e073432
SHA512 7896a651e410bbb2e90956f4bee263a854aeb4cc4aefcd106b64faf0b25dc58bf5cac2ae5aa5e24406aec7922b3ca21c7e1c94a30067c8725bfda585f088fa4d

C:\Windows\SysWOW64\Lpebpm32.exe

MD5 1e2aa8406decfbe401ceac1755d07bf4
SHA1 86395d599f7e9b6545e52645ca726f2b98abab71
SHA256 e310606e0fedef1c441f23045342080a60d2346ea80a2d54e11c7b6bef618ab7
SHA512 85aaaec9e6c5b01e29b76a15ee766b218a9dbb167fde2494475a315f0ce514506c79ff9b7c2de8ca8c4ee63f0c4a5e30d3bf4e9cdab4094f3bd7df7414069a16

C:\Windows\SysWOW64\Mmnldp32.exe

MD5 d9fba85f319a562491c7f9f4cc86b952
SHA1 0ecc2fd9b9041389d9e43e51609fb62a653438cd
SHA256 3c360a77c8a83db347c9e0962a0a913c1a08c65afbdaecd50bf450f7f3df1616
SHA512 0dfeea61154679083e05aae26280b6ec5880d1b351ffe52fa88602cb3615dbbd45fa7513b9d120f84e623f7e489be77219e8c9103236c089b379a87bc5f13b06

C:\Windows\SysWOW64\Mdjagjco.exe

MD5 ae0870e9f4f2ae00f05ee1bd36cae6e1
SHA1 d4a40c9a209e90447b2b1f7515adc2d34b7eef63
SHA256 98352343b93d7bce8cdd065e0eba8ac13d57d65a3e2bc81352202d7fd13175eb
SHA512 db3afb2bfe92dde44cd5aecd003ed2e20d5aebc224cce84e3bda65449983dac1c1349331bee660410b0703588ad5a6cbd14b8e890f2cb2a8e8129940350f970e

C:\Windows\SysWOW64\Mpablkhc.exe

MD5 d11ff1e539377a032d20521e16068ea5
SHA1 17654efae5c1267c8964e47ddf1654af915a3053
SHA256 9c2181f28a47872e9abb73ff8e4c24829139259bf9cfd9ef3cd1d0936dc76664
SHA512 2d2c18444bcad16298396a8b5039848a647b3fe2e04c83dda04ff1cf77784ff1b9197092bc8da62225b51b3d0f075d3691d3ad6d017c4b76097e2d6db65ceaa4

C:\Windows\SysWOW64\Nepgjaeg.exe

MD5 8e69b33b4951b3f1fca2b1903e9b7410
SHA1 c1a069faf62c1b09ef23aa118de87e8b84236008
SHA256 d775fd0d6dc1f96b65a7b9cc7a9d5aa0b71a8275913f388e38991b1d08cb134d
SHA512 968c5a809b7d4b1320c99aa5e0afbbd4608ec6ce8a478e697d881f027042de5897e6b5717487a5254087e577d362e070232023d20fd880fd846ef5e48d6e3d4d

C:\Windows\SysWOW64\Ndcdmikd.exe

MD5 c50b19b52f2c544c8228844b36b54a91
SHA1 6a6e4a6a264464c8ee01051cf72893b0b1c605c8
SHA256 82ad21d3d0c0cc99857b7af2a2315ace86e84c9a59c923e2b7777fb310c42a89
SHA512 ab46fd76fbf4b269276d8d8847e2c15ee4981b0628fd579bab5618a1a7f8733fd522ca4479e40d826abaf6e40a53629d599c74160df4ca240bef0892433f3c7a

C:\Windows\SysWOW64\Ogbipa32.exe

MD5 8eb0befa1b51e572541f259806be7f0f
SHA1 9f574b8bf1ef304c2fba057d06f7caad040bdb72
SHA256 216c7ec1dc390a48c1fc02f96830382033389510e0ad0ff84f5ebde196885a5a
SHA512 99618ff052ad89892e1159c1879744e54a76b072203270cd9af6524dc819c2b00f869187ed1fde4ef5db525136e6689688b64380fe4163f722a7165215a6f2c7

C:\Windows\SysWOW64\Pncgmkmj.exe

MD5 e2c0dc5fd4f3d792a3b49de189478bff
SHA1 43c5e4d6a5948a2a10736c344cb3f704b0241b26
SHA256 c19ae95238f1d33b9cb20a7edbf34f457ef2fa0017726cda52f1596d70242538
SHA512 cead8ad97cc834d585a5979fe71d025a0842bd6a904bffc18166cb705412fbc2d6a88cd411daad96639097c93adf921f6ade906433c7bf9e83c24880910909ed

C:\Windows\SysWOW64\Pgllfp32.exe

MD5 bf3d44df3885c3e76284d1f379032bfd
SHA1 6102f440f725dea8ee9c8e61de357c9e89e7178d
SHA256 717c79c6dd36a4a4cf6cf1271dad6934093ed863cc12b21899fe0dea2924a305
SHA512 91d802a5b5531b8144b324b0956e4660aa2a33199c39a81c3829f397e607416ccd6851244a765ea136b3acb723aebb335a29f8b5453964fcf40dc98b275b619f

C:\Windows\SysWOW64\Pgnilpah.exe

MD5 a925b2b3d0e5c6af6215e96e59c2f20c
SHA1 fbfce97c3f95a2683b82fa23453dff7f01a8f1b9
SHA256 60773e96f9ffcc87c8d4d18b83a04c9aaf2370424b398ee0a19aa7c02ff91bdb
SHA512 064d16af56cd893a17db922d631e5f9344d7c21984b406bef049684f73a89e2dad114ebb6c40804e0ac50d44f6bf2aa3a05745447d0a04fb06bfdc7f25568da9

C:\Windows\SysWOW64\Qjoankoi.exe

MD5 6f1387d799524636455e0fc0b1760613
SHA1 a0476d53e432411dc4866472ee81b7b5179316ba
SHA256 38b27594c17f7ea730e6e7cdc8ce0fec5bb25963de88548d55836460ff670512
SHA512 d276ca4cdbaef06d0cd8165959f1cc37bb9eccfb18bd36a56f455795746f207c3412e32d5f8b7d358ee18ed6b9b86f4e10a61dc54fe04578832924b7087d3be6

C:\Windows\SysWOW64\Ageolo32.exe

MD5 00d64b2f1c87037d3f6e8c07e2c46b4b
SHA1 79e9fd70c77877b7f1dd8a3080f92892b6fe678c
SHA256 5f0d9874fc43495261ee910bf6f1cf3b089d0aab053e0e99e96988cdb633a061
SHA512 1fd2aab2edf0407f712a26fc27b9acd2b94b1c744fe5feb1015ed0b0b57a876f8a76cc2e8a321a8431ffc64e100e5f8b5e32da2b7b16b23225c405026828bcca

C:\Windows\SysWOW64\Amddjegd.exe

MD5 e6f518cc8a84bc4e68cbf00013550255
SHA1 12d9e0eb2d9a272bf71bb001733a815fd9e3387f
SHA256 7ccb6255de4a1bfc120e52e344979eabb2a84d388117ccfd0f6230adeeba1eb1
SHA512 8b1b3f41265fb9a382a1237195d211809c25f066a21c9b86bf5fc289eb02decb8487bb5a4a2c3f4329a143e7ed2fdf34d7910dce31b6ed02089663ae184e0253

C:\Windows\SysWOW64\Afoeiklb.exe

MD5 f41d1e1b33f661d67605232dc858ed8e
SHA1 ae431d31642eb13311271e52eaf10fb2a797ae28
SHA256 5b9f2d30e58f5555b81a41de7497b541461c6c35fed4dc59834552c61117e54e
SHA512 bc80d897db4dff22722520fa72dbfebb6aeadf1b08662ef6d3abf8867caab227c41f894b4509180c2ef965db68c41cef287468ce89d5e70dec14b4d5f9072bb6

C:\Windows\SysWOW64\Accfbokl.exe

MD5 65c87b8e7abe064beb34c9dd91984e57
SHA1 80079ab7224344b33410a8f627220378ebd5a1e0
SHA256 783ece297ad8f8b11d433d28887729f31a9587efd1e6b0dbe05e5fb4f4e9a334
SHA512 e2244552639471ebf05bb8abd7ba9a973d918620c3eac307cf3f14987c644b5bc36247597ff69807b25a95dc32bd11b5e0c832dda24dbae3fca4a2fea5623b47

C:\Windows\SysWOW64\Bjddphlq.exe

MD5 9c40f5d76ff97b70e567f7bd7a9f8dba
SHA1 8754535c1c65b006ad38cdcf5b466e51671a00fe
SHA256 f4ecd37b8c4814c35978b1befd81a82a25510eb22c466cf5ebb76b87768b16f6
SHA512 8e777c3ad3b8407383018381b70ba4a62d552001f73c330ca83928c1d0bad137f399b0489d98bec91cb327cd0d3bfe2b5067765c28103694fcd3ccb037d7e8b9

C:\Windows\SysWOW64\Bjfaeh32.exe

MD5 b7357637c5612e2f4432c05b1271c3b0
SHA1 d877f5d4524eabdcce7bfc9a5b4210ca2261431f
SHA256 157bc652ea99556e784228e19f9ef7db636fa8460ef8d2cda032f45383dac3e2
SHA512 75c1439ef7ae3a57c7ec6acc56ee243b9a21c7947129c817e02802c32343bcc0443131ce5970ae998fb32d1ca781c0ddf73ae074a507fc8638c38e46e4a238b8

C:\Windows\SysWOW64\Cenahpha.exe

MD5 7fffe038ba54425246523a77e923001f
SHA1 34b658fcf6611aae0219972db2c7a130140dd65c
SHA256 7928b5d215b83c2a75abe03bb35aa48ccfe6c1071fe2350e4646fc181de8d02c
SHA512 9ed1093611d63042a0ef0f3685fc1e7b9f974a819d073533c4b0d0e95e7f5f25f0cfebfe506ca17191ba701b290bbe37967fa11a041e660d77817b4cd737045b

C:\Windows\SysWOW64\Caebma32.exe

MD5 bf6ce802efb8a1d329a360ebc5cf1507
SHA1 7380273dc38bd34006e668c7982e121fe33a39cc
SHA256 58bf0908d7d386e32737610b8dc8ae78ec23ce60781374c49f88e53e828965ce
SHA512 d11b2c74cec45e3a6ccc998a563ad0e1db54548560e32637589535d4635a61e64b69e0310c9a0d2331f4a9f0e9016a60420319aab6be975082eab119f875858a

C:\Windows\SysWOW64\Cnicfe32.exe

MD5 27580204e117cf08ead08357b0ffc393
SHA1 78318f5a87e380aad8b09e27c1930bf54033ee7d
SHA256 66556294ab3a94a8bf28b8db9ede858a772dd32a58cda8bc6bb2c1ffdf2b1b10
SHA512 7f4010e3c82e109964861bce4cade580538f4325fb2bd0e33d5a46d5cc2c8eb3990dbbaf90244ec23d60dc0100e2d5ceffddc3092bbbbac7a6ec6b89b47c51ab

C:\Windows\SysWOW64\Chcddk32.exe

MD5 0d4b0acac2b8e21343e584a704659acb
SHA1 100c3b67f558c38bcabc58913810543d75ebb9f9
SHA256 f7461b9d74578d29e08acc92c5d929850ef108718ba6067f26e776f6f23af518
SHA512 a68203cee6f5970c27bcebe9e934266db8664eaed3575060f5c5cf6c8f30367c8592c2acd7d179bd7bf80419740d355930d6c69be08349d4d9ffae3cf5658c66

C:\Windows\SysWOW64\Ddmaok32.exe

MD5 1dd92271c4965eadd072aab39d9514f5
SHA1 5d4aa8c247b6be650bb9c486642b980eabd161e7
SHA256 4809d8a41d121a719b499913a683879344b6df2261eb6bb5c1c8058d29fa64ba
SHA512 0f6873ddfb387a36c27f5e80a1ec6900d0e9ed9a950587636db259ba14578bd399398f9af0554123c9635878ef0a98a96da24109c62f695ef0fbe80c7fd85078

C:\Windows\SysWOW64\Daekdooc.exe

MD5 ed4db92f0ba4e15760213d62b88fa9ed
SHA1 3e79e502b0d050169d49749e54c66462037d2182
SHA256 66dd6fb48efb3bdc270704f7466e8ffa43dabb722287b5968180787f28e121ad
SHA512 09d5b37aaca81931043f7917e5e9cea027a0d4d1ad406bffcd9640e17233236c0389ca5545bf97f5393d54db19c0f356255493088a2b17e057f04372efb34837

C:\Windows\SysWOW64\Dgbdlf32.exe

MD5 0961c0f5c644f3785cff5191c2542fea
SHA1 a394046379f54b574676a6a244c21a4e9d8aa9bc
SHA256 0ef20e3834e9e51567ec23fec8a8956fd45351614b6de197180ec61f48783844
SHA512 4074cbbb4b2e61d2c30b11eab0ce6492f880e9c76a909f03a09faca3f9ead80eb3da4a0d7acf9c94a5397dd137af9966f2bccdc1fc58448feb516b88a15ee7dd

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 01:08

Reported

2024-06-02 01:11

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nodgel32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ngkogj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nlekia32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nodgel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ngkogj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncpcfkbg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Niikceid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Niikceid.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nhllob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nhllob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nlekia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncpcfkbg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Nodgel32.exe C:\Windows\SysWOW64\Nlekia32.exe N/A
File created C:\Windows\SysWOW64\Ncpcfkbg.exe C:\Windows\SysWOW64\Nodgel32.exe N/A
File created C:\Windows\SysWOW64\Ngkogj32.exe C:\Windows\SysWOW64\Ncpcfkbg.exe N/A
File created C:\Windows\SysWOW64\Nlhgoqhh.exe C:\Windows\SysWOW64\Nhllob32.exe N/A
File created C:\Windows\SysWOW64\Phmkjbfe.dll C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe N/A
File created C:\Windows\SysWOW64\Niikceid.exe C:\Windows\SysWOW64\Ngkogj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Niikceid.exe C:\Windows\SysWOW64\Ngkogj32.exe N/A
File created C:\Windows\SysWOW64\Fhhiii32.dll C:\Windows\SysWOW64\Niikceid.exe N/A
File created C:\Windows\SysWOW64\Lamajm32.dll C:\Windows\SysWOW64\Nhllob32.exe N/A
File created C:\Windows\SysWOW64\Pfdmil32.dll C:\Windows\SysWOW64\Nodgel32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ngkogj32.exe C:\Windows\SysWOW64\Ncpcfkbg.exe N/A
File created C:\Windows\SysWOW64\Kklcab32.dll C:\Windows\SysWOW64\Ncpcfkbg.exe N/A
File created C:\Windows\SysWOW64\Nlekia32.exe C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe N/A
File opened for modification C:\Windows\SysWOW64\Nlekia32.exe C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe N/A
File created C:\Windows\SysWOW64\Nodgel32.exe C:\Windows\SysWOW64\Nlekia32.exe N/A
File created C:\Windows\SysWOW64\Cnjgia32.dll C:\Windows\SysWOW64\Nlekia32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncpcfkbg.exe C:\Windows\SysWOW64\Nodgel32.exe N/A
File created C:\Windows\SysWOW64\Nhllob32.exe C:\Windows\SysWOW64\Niikceid.exe N/A
File created C:\Windows\SysWOW64\Dnlbnp32.dll C:\Windows\SysWOW64\Ngkogj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nhllob32.exe C:\Windows\SysWOW64\Niikceid.exe N/A
File opened for modification C:\Windows\SysWOW64\Nlhgoqhh.exe C:\Windows\SysWOW64\Nhllob32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhiii32.dll" C:\Windows\SysWOW64\Niikceid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll" C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nlekia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nlekia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll" C:\Windows\SysWOW64\Ngkogj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nhllob32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nhllob32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll" C:\Windows\SysWOW64\Nodgel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nodgel32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ngkogj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Niikceid.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncpcfkbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll" C:\Windows\SysWOW64\Nhllob32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll" C:\Windows\SysWOW64\Nlekia32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nodgel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll" C:\Windows\SysWOW64\Ncpcfkbg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ncpcfkbg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ngkogj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Niikceid.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe C:\Windows\SysWOW64\Nlekia32.exe
PID 2992 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe C:\Windows\SysWOW64\Nlekia32.exe
PID 2992 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe C:\Windows\SysWOW64\Nlekia32.exe
PID 2992 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe C:\Windows\SysWOW64\Nlekia32.exe
PID 2876 wrote to memory of 848 N/A C:\Windows\SysWOW64\Nlekia32.exe C:\Windows\SysWOW64\Nodgel32.exe
PID 2876 wrote to memory of 848 N/A C:\Windows\SysWOW64\Nlekia32.exe C:\Windows\SysWOW64\Nodgel32.exe
PID 2876 wrote to memory of 848 N/A C:\Windows\SysWOW64\Nlekia32.exe C:\Windows\SysWOW64\Nodgel32.exe
PID 2876 wrote to memory of 848 N/A C:\Windows\SysWOW64\Nlekia32.exe C:\Windows\SysWOW64\Nodgel32.exe
PID 848 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Nodgel32.exe C:\Windows\SysWOW64\Ncpcfkbg.exe
PID 848 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Nodgel32.exe C:\Windows\SysWOW64\Ncpcfkbg.exe
PID 848 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Nodgel32.exe C:\Windows\SysWOW64\Ncpcfkbg.exe
PID 848 wrote to memory of 2692 N/A C:\Windows\SysWOW64\Nodgel32.exe C:\Windows\SysWOW64\Ncpcfkbg.exe
PID 2692 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Ncpcfkbg.exe C:\Windows\SysWOW64\Ngkogj32.exe
PID 2692 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Ncpcfkbg.exe C:\Windows\SysWOW64\Ngkogj32.exe
PID 2692 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Ncpcfkbg.exe C:\Windows\SysWOW64\Ngkogj32.exe
PID 2692 wrote to memory of 2584 N/A C:\Windows\SysWOW64\Ncpcfkbg.exe C:\Windows\SysWOW64\Ngkogj32.exe
PID 2584 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Ngkogj32.exe C:\Windows\SysWOW64\Niikceid.exe
PID 2584 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Ngkogj32.exe C:\Windows\SysWOW64\Niikceid.exe
PID 2584 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Ngkogj32.exe C:\Windows\SysWOW64\Niikceid.exe
PID 2584 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Ngkogj32.exe C:\Windows\SysWOW64\Niikceid.exe
PID 2508 wrote to memory of 2480 N/A C:\Windows\SysWOW64\Niikceid.exe C:\Windows\SysWOW64\Nhllob32.exe
PID 2508 wrote to memory of 2480 N/A C:\Windows\SysWOW64\Niikceid.exe C:\Windows\SysWOW64\Nhllob32.exe
PID 2508 wrote to memory of 2480 N/A C:\Windows\SysWOW64\Niikceid.exe C:\Windows\SysWOW64\Nhllob32.exe
PID 2508 wrote to memory of 2480 N/A C:\Windows\SysWOW64\Niikceid.exe C:\Windows\SysWOW64\Nhllob32.exe
PID 2480 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Nhllob32.exe C:\Windows\SysWOW64\Nlhgoqhh.exe
PID 2480 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Nhllob32.exe C:\Windows\SysWOW64\Nlhgoqhh.exe
PID 2480 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Nhllob32.exe C:\Windows\SysWOW64\Nlhgoqhh.exe
PID 2480 wrote to memory of 2964 N/A C:\Windows\SysWOW64\Nhllob32.exe C:\Windows\SysWOW64\Nlhgoqhh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe

"C:\Users\Admin\AppData\Local\Temp\a954fa18abd78171b62683f3925dca64742f112981d62bf12b012b4e148df9fe.exe"

C:\Windows\SysWOW64\Nlekia32.exe

C:\Windows\system32\Nlekia32.exe

C:\Windows\SysWOW64\Nodgel32.exe

C:\Windows\system32\Nodgel32.exe

C:\Windows\SysWOW64\Ncpcfkbg.exe

C:\Windows\system32\Ncpcfkbg.exe

C:\Windows\SysWOW64\Ngkogj32.exe

C:\Windows\system32\Ngkogj32.exe

C:\Windows\SysWOW64\Niikceid.exe

C:\Windows\system32\Niikceid.exe

C:\Windows\SysWOW64\Nhllob32.exe

C:\Windows\system32\Nhllob32.exe

C:\Windows\SysWOW64\Nlhgoqhh.exe

C:\Windows\system32\Nlhgoqhh.exe

Network

N/A

Files

C:\Windows\SysWOW64\Nlekia32.exe

MD5 fb958fd5e0d70591ab337766b1ccbf27
SHA1 c1fc4a53a4bbed71d831d855c6c4ba3583ea42b4
SHA256 adad858729ec4ba02934b41331f58cba9d1dde47eba74f8f4bb4fe7cb16913c2
SHA512 c74497cfe63b4012a8e3e0790a8331effd2bff4130b1ec6a2b6a10e92934a8766cc32b968e3070c32d7a0e4060aa9d1ba49dc2dc9ff9a78ff06222c390601e3d

\Windows\SysWOW64\Nodgel32.exe

MD5 60823e63a894a08b43b742f56367d95a
SHA1 19f766f5c0b15a107799a5ccaa6f8bc02425edcd
SHA256 c8ff502b6d39ce674d6ff3d623b1ecc0ccac40627a5999cbe5b68e71e6f8c488
SHA512 ef180c19edb42bd519f64afac9eb04a476b3b5a0f9597cf37349b58c695b493813e4a16889bbca56b8fa8fc1dde7ca4934cb37185749fd8abe32924e3676cace

\Windows\SysWOW64\Ngkogj32.exe

MD5 627ae0e635f5efcf0105d65730eb16ff
SHA1 433d9757ebbdbc4dd961599a706519baabb40289
SHA256 a2977ea75041b120160591452308545311d78d0accb2216f64f2203dd69399a1
SHA512 5a2b5f18c8b598e87c2f08d57bb57c285a50718925acd30779f15a1afbb47bc4d0e337cd2b447d4583079e47449f9ae64cbbd546597d6c01b7508f85bb7c9899

\Windows\SysWOW64\Nhllob32.exe

MD5 5f2d37b0a442f6ce8384b9f6b03c4eb4
SHA1 6fa3386579678b078d44a5d675f6ba41f6e98cbf
SHA256 fe823c5b88dace51c40237d0e7755b87593bcf1dc2bed01f575788271526b3ee
SHA512 a0525bb127c8f06972530d4299d29e552c59424073b94af2dff8772c4f3f325ba67aa6859585897650de586bb2123baef27280d5d694ff034f37bef95f45c8b8

C:\Windows\SysWOW64\Nlhgoqhh.exe

MD5 a6fd53db9dad319e7a0029d9a68c12c5
SHA1 4dc19c9626ddf7ea507c88114b800edd84139b22
SHA256 61b1eeb77be5dc023c547fd74d71f6cd4143b20fb5812640194dd49a2be43b4b
SHA512 fc2a0430308d23069b1ff462d8500b66124e381825bb42e74af4408b4ba3010db1c7c192246a5167104d0335d7e3baa828178ad70ef65076c2ece3fdc16dbfaa

memory/2876-99-0x0000000000400000-0x000000000043E000-memory.dmp

memory/848-98-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2992-97-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2508-96-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2964-95-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2584-94-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2964-93-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2480-87-0x00000000002E0000-0x000000000031E000-memory.dmp

memory/2480-84-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Niikceid.exe

MD5 313ecfbc8891794c01ac09564474cb3e
SHA1 db4daab38fcd4156e83aa284d7e040ca62229fe4
SHA256 b38a8a1f1b1ccabbb8aab90132d0d3fe46eb47e6fd5f0643bacaf4487966bb57
SHA512 9e16e8d43c89bb0a8e94675e17952e2d590395bffb0b75350f890be7eb552733717b8a12e626324858d1c85560bf95d094cf95daa9f4f5b2d523adab93704658

memory/2508-66-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2584-58-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2692-45-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\SysWOW64\Ncpcfkbg.exe

MD5 2fac0044410f73850df5a80abeb51bef
SHA1 0d0d0c2d22a32786417fd90772d7ff25b14479b7
SHA256 dd8eddd7250129215c130ea75d72c0d46d52f71c0a4207a21c3231ba4f8226fe
SHA512 9be9cd02b8564f26a8866a0b25f72c900d675166b376e817a578469ac7efabdc7662cdec6a56c0b9768ea2d09bd6bc47444fe5d102f3fec3911f39fa6da8a38e

memory/848-27-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2876-14-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2992-13-0x0000000000250000-0x000000000028E000-memory.dmp

memory/2992-6-0x0000000000250000-0x000000000028E000-memory.dmp

memory/2992-0-0x0000000000400000-0x000000000043E000-memory.dmp