Malware Analysis Report

2024-10-24 17:32

Sample ID 240806-fhlaeatgpe
Target 5f8259916253272ccce5b83769af9bf0N.exe
SHA256 10134077a29c34456ade93bda5e52276ef994f3ecf7082da489bc414eb725a57
Tags
gozi banker discovery isfb persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

10134077a29c34456ade93bda5e52276ef994f3ecf7082da489bc414eb725a57

Threat Level: Known bad

The file 5f8259916253272ccce5b83769af9bf0N.exe was found to be: Known bad.

Malicious Activity Summary

gozi banker discovery isfb persistence trojan

Adds autorun key to be loaded by Explorer.exe on startup

Gozi

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-06 04:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 04:52

Reported

2024-08-06 04:54

Platform

win7-20240705-en

Max time kernel

117s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kgqocoin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mdiefffn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pkjphcff.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Accqnc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Afffenbp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Alnalh32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Akfkbd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cjonncab.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nenkqi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Adifpk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnknoogp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Coacbfii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Caifjn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjcaimgg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pdgmlhha.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qppkfhlc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bgcbhd32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kdbbgdjj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ofadnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ojomdoof.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qnghel32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfmhdpnc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qcachc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqeqqk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ccjoli32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oococb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Boljgg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfkloq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nbflno32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pdeqfhjd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pcljmdmj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Clojhf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lklgbadb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ofadnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Oibmpl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Pohhna32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qeppdo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aojabdlf.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pkjphcff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aaimopli.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Alqnah32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbffoabe.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lkgngb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bkegah32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Cfmhdpnc.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mdiefffn.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Phqmgg32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qppkfhlc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qgjccb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aebmjo32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Coacbfii.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfkloq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Npjlhcmd.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bfioia32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lcjlnpmo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ppnnai32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qpbglhjq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ajpepm32.exe N/A

Gozi

banker trojan gozi

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Kdbbgdjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgqocoin.exe N/A
N/A N/A C:\Windows\SysWOW64\Knmdeioh.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcjlnpmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfhhjklc.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfkeokjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkgngb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhknaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbcbjlmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lklgbadb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhpglecl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjaddn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjcaimgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdiefffn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqpflg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcnbhb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjkgjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbflno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nedhjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Npjlhcmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnoiio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nidmfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbmaon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nabopjmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nenkqi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhlgmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odchbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofadnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obhdcanc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojomdoof.exe N/A
N/A N/A C:\Windows\SysWOW64\Oibmpl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ompefj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Opnbbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofhjopbg.exe N/A
N/A N/A C:\Windows\SysWOW64\Oiffkkbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Oococb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Oemgplgo.exe N/A
N/A N/A C:\Windows\SysWOW64\Phlclgfc.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkjphcff.exe N/A
N/A N/A C:\Windows\SysWOW64\Pbagipfi.exe N/A
N/A N/A C:\Windows\SysWOW64\Pohhna32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pafdjmkq.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdeqfhjd.exe N/A
N/A N/A C:\Windows\SysWOW64\Phqmgg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pmmeon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pdgmlhha.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkaehb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pidfdofi.exe N/A
N/A N/A C:\Windows\SysWOW64\Ppnnai32.exe N/A
N/A N/A C:\Windows\SysWOW64\Pcljmdmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Pkcbnanl.exe N/A
N/A N/A C:\Windows\SysWOW64\Pifbjn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qppkfhlc.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdlggg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qgjccb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qiioon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qpbglhjq.exe N/A
N/A N/A C:\Windows\SysWOW64\Qdncmgbj.exe N/A
N/A N/A C:\Windows\SysWOW64\Qcachc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qeppdo32.exe N/A
N/A N/A C:\Windows\SysWOW64\Qnghel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Alihaioe.exe N/A
N/A N/A C:\Windows\SysWOW64\Aohdmdoh.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdbbgdjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdbbgdjj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgqocoin.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgqocoin.exe N/A
N/A N/A C:\Windows\SysWOW64\Knmdeioh.exe N/A
N/A N/A C:\Windows\SysWOW64\Knmdeioh.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcjlnpmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcjlnpmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfhhjklc.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfhhjklc.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfkeokjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lfkeokjp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkgngb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkgngb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhknaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhknaf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbcbjlmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbcbjlmb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lklgbadb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lklgbadb.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhpglecl.exe N/A
N/A N/A C:\Windows\SysWOW64\Lhpglecl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjaddn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjaddn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjcaimgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjcaimgg.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdiefffn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mdiefffn.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqpflg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mqpflg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcnbhb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mcnbhb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjkgjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjkgjl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbflno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbflno32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nedhjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nedhjj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Npjlhcmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Npjlhcmd.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnoiio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnoiio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nidmfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nidmfh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbmaon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nbmaon32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nabopjmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nabopjmj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nenkqi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nenkqi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhlgmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nhlgmd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odchbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Odchbe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofadnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ofadnq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Obhdcanc.exe N/A
N/A N/A C:\Windows\SysWOW64\Obhdcanc.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojomdoof.exe N/A
N/A N/A C:\Windows\SysWOW64\Ojomdoof.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Nhlgmd32.exe C:\Windows\SysWOW64\Nenkqi32.exe N/A
File opened for modification C:\Windows\SysWOW64\Coacbfii.exe C:\Windows\SysWOW64\Bkegah32.exe N/A
File created C:\Windows\SysWOW64\Cjonncab.exe C:\Windows\SysWOW64\Cgaaah32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmbcen32.exe C:\Windows\SysWOW64\Dnpciaef.exe N/A
File created C:\Windows\SysWOW64\Qdncmgbj.exe C:\Windows\SysWOW64\Qpbglhjq.exe N/A
File created C:\Windows\SysWOW64\Egfokakc.dll C:\Windows\SysWOW64\Afffenbp.exe N/A
File created C:\Windows\SysWOW64\Ciohdhad.dll C:\Windows\SysWOW64\Cmpgpond.exe N/A
File created C:\Windows\SysWOW64\Lkgngb32.exe C:\Windows\SysWOW64\Lfkeokjp.exe N/A
File created C:\Windows\SysWOW64\Mjaddn32.exe C:\Windows\SysWOW64\Lhpglecl.exe N/A
File opened for modification C:\Windows\SysWOW64\Qeppdo32.exe C:\Windows\SysWOW64\Qcachc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bqgmfkhg.exe C:\Windows\SysWOW64\Bniajoic.exe N/A
File created C:\Windows\SysWOW64\Bqlfaj32.exe C:\Windows\SysWOW64\Bjbndpmd.exe N/A
File created C:\Windows\SysWOW64\Abnhjmjc.dll C:\Windows\SysWOW64\Lklgbadb.exe N/A
File created C:\Windows\SysWOW64\Obecdjcn.dll C:\Windows\SysWOW64\Oemgplgo.exe N/A
File created C:\Windows\SysWOW64\Ljamki32.dll C:\Windows\SysWOW64\Qcachc32.exe N/A
File created C:\Windows\SysWOW64\Bfioia32.exe C:\Windows\SysWOW64\Bcjcme32.exe N/A
File created C:\Windows\SysWOW64\Legdph32.dll C:\Windows\SysWOW64\Lbcbjlmb.exe N/A
File created C:\Windows\SysWOW64\Dafqii32.dll C:\Windows\SysWOW64\Ompefj32.exe N/A
File created C:\Windows\SysWOW64\Alihaioe.exe C:\Windows\SysWOW64\Qnghel32.exe N/A
File created C:\Windows\SysWOW64\Fikbiheg.dll C:\Windows\SysWOW64\Dnpciaef.exe N/A
File opened for modification C:\Windows\SysWOW64\Ajpepm32.exe C:\Windows\SysWOW64\Aaimopli.exe N/A
File created C:\Windows\SysWOW64\Ckjamgmk.exe C:\Windows\SysWOW64\Cileqlmg.exe N/A
File created C:\Windows\SysWOW64\Qqfkbadh.dll C:\Windows\SysWOW64\Lhknaf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mdiefffn.exe C:\Windows\SysWOW64\Mjcaimgg.exe N/A
File created C:\Windows\SysWOW64\Nedhjj32.exe C:\Windows\SysWOW64\Nbflno32.exe N/A
File created C:\Windows\SysWOW64\Ojomdoof.exe C:\Windows\SysWOW64\Obhdcanc.exe N/A
File created C:\Windows\SysWOW64\Ihaiqn32.dll C:\Windows\SysWOW64\Oococb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qgjccb32.exe C:\Windows\SysWOW64\Qdlggg32.exe N/A
File created C:\Windows\SysWOW64\Dmbcen32.exe C:\Windows\SysWOW64\Dnpciaef.exe N/A
File created C:\Windows\SysWOW64\Oomgdcce.dll C:\Windows\SysWOW64\Nhlgmd32.exe N/A
File created C:\Windows\SysWOW64\Apqcdckf.dll C:\Windows\SysWOW64\Pohhna32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pifbjn32.exe C:\Windows\SysWOW64\Pkcbnanl.exe N/A
File created C:\Windows\SysWOW64\Qgjccb32.exe C:\Windows\SysWOW64\Qdlggg32.exe N/A
File created C:\Windows\SysWOW64\Cfhkhd32.exe C:\Windows\SysWOW64\Ccjoli32.exe N/A
File opened for modification C:\Windows\SysWOW64\Cebeem32.exe C:\Windows\SysWOW64\Ckjamgmk.exe N/A
File opened for modification C:\Windows\SysWOW64\Caifjn32.exe C:\Windows\SysWOW64\Cbffoabe.exe N/A
File created C:\Windows\SysWOW64\Plcaioco.dll C:\Windows\SysWOW64\Nedhjj32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ofhjopbg.exe C:\Windows\SysWOW64\Opnbbe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Oococb32.exe C:\Windows\SysWOW64\Oiffkkbk.exe N/A
File created C:\Windows\SysWOW64\Eibkmp32.dll C:\Windows\SysWOW64\Pkcbnanl.exe N/A
File opened for modification C:\Windows\SysWOW64\Aojabdlf.exe C:\Windows\SysWOW64\Apgagg32.exe N/A
File created C:\Windows\SysWOW64\Ahgofi32.exe C:\Windows\SysWOW64\Aficjnpm.exe N/A
File created C:\Windows\SysWOW64\Pmiljc32.dll C:\Windows\SysWOW64\Cfhkhd32.exe N/A
File created C:\Windows\SysWOW64\Oghnkh32.dll C:\Windows\SysWOW64\Coacbfii.exe N/A
File created C:\Windows\SysWOW64\Ckmcef32.dll C:\Windows\SysWOW64\Qiioon32.exe N/A
File created C:\Windows\SysWOW64\Qcachc32.exe C:\Windows\SysWOW64\Qdncmgbj.exe N/A
File created C:\Windows\SysWOW64\Hcopgk32.dll C:\Windows\SysWOW64\Aohdmdoh.exe N/A
File created C:\Windows\SysWOW64\Khpjqgjc.dll C:\Windows\SysWOW64\Accqnc32.exe N/A
File created C:\Windows\SysWOW64\Aomnhd32.exe C:\Windows\SysWOW64\Alnalh32.exe N/A
File created C:\Windows\SysWOW64\Bifbbocj.dll C:\Windows\SysWOW64\Bdqlajbb.exe N/A
File created C:\Windows\SysWOW64\Ompefj32.exe C:\Windows\SysWOW64\Oibmpl32.exe N/A
File created C:\Windows\SysWOW64\Opnbbe32.exe C:\Windows\SysWOW64\Ompefj32.exe N/A
File created C:\Windows\SysWOW64\Oococb32.exe C:\Windows\SysWOW64\Oiffkkbk.exe N/A
File created C:\Windows\SysWOW64\Pafdjmkq.exe C:\Windows\SysWOW64\Pohhna32.exe N/A
File opened for modification C:\Windows\SysWOW64\Pkcbnanl.exe C:\Windows\SysWOW64\Pcljmdmj.exe N/A
File created C:\Windows\SysWOW64\Cbffoabe.exe C:\Windows\SysWOW64\Cjonncab.exe N/A
File created C:\Windows\SysWOW64\Bniajoic.exe C:\Windows\SysWOW64\Bccmmf32.exe N/A
File created C:\Windows\SysWOW64\Bnjdhe32.dll C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
File opened for modification C:\Windows\SysWOW64\Nbhhdnlh.exe C:\Windows\SysWOW64\Npjlhcmd.exe N/A
File created C:\Windows\SysWOW64\Oiffkkbk.exe C:\Windows\SysWOW64\Ofhjopbg.exe N/A
File created C:\Windows\SysWOW64\Cfibop32.dll C:\Windows\SysWOW64\Pdeqfhjd.exe N/A
File opened for modification C:\Windows\SysWOW64\Ppnnai32.exe C:\Windows\SysWOW64\Pidfdofi.exe N/A
File created C:\Windows\SysWOW64\Pifbjn32.exe C:\Windows\SysWOW64\Pkcbnanl.exe N/A
File created C:\Windows\SysWOW64\Aldhcb32.dll C:\Windows\SysWOW64\Qpbglhjq.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dpapaj32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofhjopbg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Afffenbp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alqnah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfkloq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ppnnai32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qeppdo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aaimopli.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kgqocoin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lfkeokjp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqgmfkhg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkjphcff.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mcnbhb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aebmjo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aficjnpm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bjdkjpkb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Obhdcanc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cmpgpond.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ccjoli32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ompefj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qdlggg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Alihaioe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cchbgi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nbflno32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pdgmlhha.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apgagg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aomnhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqeqqk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Npjlhcmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aohdmdoh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Accqnc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lkgngb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkaehb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kdbbgdjj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkcbnanl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ckjamgmk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lfhhjklc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mqpflg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nabopjmj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Opnbbe32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phqmgg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Boljgg32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lklgbadb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnknoogp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bqijljfd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgcbhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bfioia32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dnpciaef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cjonncab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cnmfdb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ofadnq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmmeon32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qppkfhlc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bceibfgj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cfmhdpnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cgaaah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Mjkgjl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bniajoic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkegah32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cbffoabe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmbcen32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lhknaf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nedhjj32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oococb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pkjphcff.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Henjfpgi.dll" C:\Windows\SysWOW64\Mdiefffn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdph32.dll" C:\Windows\SysWOW64\Lbcbjlmb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbnnnbbh.dll" C:\Windows\SysWOW64\Ofadnq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alihaioe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bniajoic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll" C:\Windows\SysWOW64\Bnknoogp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Boljgg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepoia32.dll" C:\Windows\SysWOW64\Lcjlnpmo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bqlfaj32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cmpgpond.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qnghel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll" C:\Windows\SysWOW64\Bceibfgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Coacbfii.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dnpciaef.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Npjlhcmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nidmfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll" C:\Windows\SysWOW64\Akfkbd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll" C:\Windows\SysWOW64\Cfmhdpnc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll" C:\Windows\SysWOW64\Cebeem32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cbffoabe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbhhdnlh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pdgmlhha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaaded32.dll" C:\Windows\SysWOW64\Pkaehb32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aaimopli.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Alnalh32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bgcbhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Bcjcme32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbakl32.dll" C:\Windows\SysWOW64\Pbagipfi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pafdjmkq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogqhpm32.dll" C:\Windows\SysWOW64\Oibmpl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pcljmdmj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nhlgmd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oibmpl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Oemgplgo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aoojnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpgo32.dll" C:\Windows\SysWOW64\Ahgofi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll" C:\Windows\SysWOW64\Cnmfdb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll" C:\Windows\SysWOW64\Cfhkhd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbflno32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nenkqi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ccjoli32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nbmaon32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Cchbgi32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nenkqi32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imafcg32.dll" C:\Windows\SysWOW64\Alihaioe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Accqnc32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bjbndpmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dmbcen32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lfhhjklc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nidmfh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpceaipi.dll" C:\Windows\SysWOW64\Lfkeokjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knqcbd32.dll" C:\Windows\SysWOW64\Mcnbhb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomgdcce.dll" C:\Windows\SysWOW64\Nhlgmd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakoaln.dll" C:\Windows\SysWOW64\Pdgmlhha.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Aoojnc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll" C:\Windows\SysWOW64\Bniajoic.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icehdl32.dll" C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lfhhjklc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pmmeon32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cgaaah32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe C:\Windows\SysWOW64\Kdbbgdjj.exe
PID 2052 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe C:\Windows\SysWOW64\Kdbbgdjj.exe
PID 2052 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe C:\Windows\SysWOW64\Kdbbgdjj.exe
PID 2052 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe C:\Windows\SysWOW64\Kdbbgdjj.exe
PID 2012 wrote to memory of 2488 N/A C:\Windows\SysWOW64\Kdbbgdjj.exe C:\Windows\SysWOW64\Kgqocoin.exe
PID 2012 wrote to memory of 2488 N/A C:\Windows\SysWOW64\Kdbbgdjj.exe C:\Windows\SysWOW64\Kgqocoin.exe
PID 2012 wrote to memory of 2488 N/A C:\Windows\SysWOW64\Kdbbgdjj.exe C:\Windows\SysWOW64\Kgqocoin.exe
PID 2012 wrote to memory of 2488 N/A C:\Windows\SysWOW64\Kdbbgdjj.exe C:\Windows\SysWOW64\Kgqocoin.exe
PID 2488 wrote to memory of 2748 N/A C:\Windows\SysWOW64\Kgqocoin.exe C:\Windows\SysWOW64\Knmdeioh.exe
PID 2488 wrote to memory of 2748 N/A C:\Windows\SysWOW64\Kgqocoin.exe C:\Windows\SysWOW64\Knmdeioh.exe
PID 2488 wrote to memory of 2748 N/A C:\Windows\SysWOW64\Kgqocoin.exe C:\Windows\SysWOW64\Knmdeioh.exe
PID 2488 wrote to memory of 2748 N/A C:\Windows\SysWOW64\Kgqocoin.exe C:\Windows\SysWOW64\Knmdeioh.exe
PID 2748 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Knmdeioh.exe C:\Windows\SysWOW64\Lcjlnpmo.exe
PID 2748 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Knmdeioh.exe C:\Windows\SysWOW64\Lcjlnpmo.exe
PID 2748 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Knmdeioh.exe C:\Windows\SysWOW64\Lcjlnpmo.exe
PID 2748 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Knmdeioh.exe C:\Windows\SysWOW64\Lcjlnpmo.exe
PID 2752 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Lcjlnpmo.exe C:\Windows\SysWOW64\Lfhhjklc.exe
PID 2752 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Lcjlnpmo.exe C:\Windows\SysWOW64\Lfhhjklc.exe
PID 2752 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Lcjlnpmo.exe C:\Windows\SysWOW64\Lfhhjklc.exe
PID 2752 wrote to memory of 2796 N/A C:\Windows\SysWOW64\Lcjlnpmo.exe C:\Windows\SysWOW64\Lfhhjklc.exe
PID 2796 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Lfhhjklc.exe C:\Windows\SysWOW64\Lfkeokjp.exe
PID 2796 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Lfhhjklc.exe C:\Windows\SysWOW64\Lfkeokjp.exe
PID 2796 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Lfhhjklc.exe C:\Windows\SysWOW64\Lfkeokjp.exe
PID 2796 wrote to memory of 2720 N/A C:\Windows\SysWOW64\Lfhhjklc.exe C:\Windows\SysWOW64\Lfkeokjp.exe
PID 2720 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Lfkeokjp.exe C:\Windows\SysWOW64\Lkgngb32.exe
PID 2720 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Lfkeokjp.exe C:\Windows\SysWOW64\Lkgngb32.exe
PID 2720 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Lfkeokjp.exe C:\Windows\SysWOW64\Lkgngb32.exe
PID 2720 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Lfkeokjp.exe C:\Windows\SysWOW64\Lkgngb32.exe
PID 2680 wrote to memory of 3052 N/A C:\Windows\SysWOW64\Lkgngb32.exe C:\Windows\SysWOW64\Lhknaf32.exe
PID 2680 wrote to memory of 3052 N/A C:\Windows\SysWOW64\Lkgngb32.exe C:\Windows\SysWOW64\Lhknaf32.exe
PID 2680 wrote to memory of 3052 N/A C:\Windows\SysWOW64\Lkgngb32.exe C:\Windows\SysWOW64\Lhknaf32.exe
PID 2680 wrote to memory of 3052 N/A C:\Windows\SysWOW64\Lkgngb32.exe C:\Windows\SysWOW64\Lhknaf32.exe
PID 3052 wrote to memory of 2668 N/A C:\Windows\SysWOW64\Lhknaf32.exe C:\Windows\SysWOW64\Lbcbjlmb.exe
PID 3052 wrote to memory of 2668 N/A C:\Windows\SysWOW64\Lhknaf32.exe C:\Windows\SysWOW64\Lbcbjlmb.exe
PID 3052 wrote to memory of 2668 N/A C:\Windows\SysWOW64\Lhknaf32.exe C:\Windows\SysWOW64\Lbcbjlmb.exe
PID 3052 wrote to memory of 2668 N/A C:\Windows\SysWOW64\Lhknaf32.exe C:\Windows\SysWOW64\Lbcbjlmb.exe
PID 2668 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Lbcbjlmb.exe C:\Windows\SysWOW64\Lklgbadb.exe
PID 2668 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Lbcbjlmb.exe C:\Windows\SysWOW64\Lklgbadb.exe
PID 2668 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Lbcbjlmb.exe C:\Windows\SysWOW64\Lklgbadb.exe
PID 2668 wrote to memory of 1624 N/A C:\Windows\SysWOW64\Lbcbjlmb.exe C:\Windows\SysWOW64\Lklgbadb.exe
PID 1624 wrote to memory of 1168 N/A C:\Windows\SysWOW64\Lklgbadb.exe C:\Windows\SysWOW64\Lhpglecl.exe
PID 1624 wrote to memory of 1168 N/A C:\Windows\SysWOW64\Lklgbadb.exe C:\Windows\SysWOW64\Lhpglecl.exe
PID 1624 wrote to memory of 1168 N/A C:\Windows\SysWOW64\Lklgbadb.exe C:\Windows\SysWOW64\Lhpglecl.exe
PID 1624 wrote to memory of 1168 N/A C:\Windows\SysWOW64\Lklgbadb.exe C:\Windows\SysWOW64\Lhpglecl.exe
PID 1168 wrote to memory of 1328 N/A C:\Windows\SysWOW64\Lhpglecl.exe C:\Windows\SysWOW64\Mjaddn32.exe
PID 1168 wrote to memory of 1328 N/A C:\Windows\SysWOW64\Lhpglecl.exe C:\Windows\SysWOW64\Mjaddn32.exe
PID 1168 wrote to memory of 1328 N/A C:\Windows\SysWOW64\Lhpglecl.exe C:\Windows\SysWOW64\Mjaddn32.exe
PID 1168 wrote to memory of 1328 N/A C:\Windows\SysWOW64\Lhpglecl.exe C:\Windows\SysWOW64\Mjaddn32.exe
PID 1328 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Mjaddn32.exe C:\Windows\SysWOW64\Mjcaimgg.exe
PID 1328 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Mjaddn32.exe C:\Windows\SysWOW64\Mjcaimgg.exe
PID 1328 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Mjaddn32.exe C:\Windows\SysWOW64\Mjcaimgg.exe
PID 1328 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Mjaddn32.exe C:\Windows\SysWOW64\Mjcaimgg.exe
PID 2944 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Mjcaimgg.exe C:\Windows\SysWOW64\Mdiefffn.exe
PID 2944 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Mjcaimgg.exe C:\Windows\SysWOW64\Mdiefffn.exe
PID 2944 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Mjcaimgg.exe C:\Windows\SysWOW64\Mdiefffn.exe
PID 2944 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Mjcaimgg.exe C:\Windows\SysWOW64\Mdiefffn.exe
PID 2704 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Mdiefffn.exe C:\Windows\SysWOW64\Mqpflg32.exe
PID 2704 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Mdiefffn.exe C:\Windows\SysWOW64\Mqpflg32.exe
PID 2704 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Mdiefffn.exe C:\Windows\SysWOW64\Mqpflg32.exe
PID 2704 wrote to memory of 1936 N/A C:\Windows\SysWOW64\Mdiefffn.exe C:\Windows\SysWOW64\Mqpflg32.exe
PID 1936 wrote to memory of 1976 N/A C:\Windows\SysWOW64\Mqpflg32.exe C:\Windows\SysWOW64\Mcnbhb32.exe
PID 1936 wrote to memory of 1976 N/A C:\Windows\SysWOW64\Mqpflg32.exe C:\Windows\SysWOW64\Mcnbhb32.exe
PID 1936 wrote to memory of 1976 N/A C:\Windows\SysWOW64\Mqpflg32.exe C:\Windows\SysWOW64\Mcnbhb32.exe
PID 1936 wrote to memory of 1976 N/A C:\Windows\SysWOW64\Mqpflg32.exe C:\Windows\SysWOW64\Mcnbhb32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe

"C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe"

C:\Windows\SysWOW64\Kdbbgdjj.exe

C:\Windows\system32\Kdbbgdjj.exe

C:\Windows\SysWOW64\Kgqocoin.exe

C:\Windows\system32\Kgqocoin.exe

C:\Windows\SysWOW64\Knmdeioh.exe

C:\Windows\system32\Knmdeioh.exe

C:\Windows\SysWOW64\Lcjlnpmo.exe

C:\Windows\system32\Lcjlnpmo.exe

C:\Windows\SysWOW64\Lfhhjklc.exe

C:\Windows\system32\Lfhhjklc.exe

C:\Windows\SysWOW64\Lfkeokjp.exe

C:\Windows\system32\Lfkeokjp.exe

C:\Windows\SysWOW64\Lkgngb32.exe

C:\Windows\system32\Lkgngb32.exe

C:\Windows\SysWOW64\Lhknaf32.exe

C:\Windows\system32\Lhknaf32.exe

C:\Windows\SysWOW64\Lbcbjlmb.exe

C:\Windows\system32\Lbcbjlmb.exe

C:\Windows\SysWOW64\Lklgbadb.exe

C:\Windows\system32\Lklgbadb.exe

C:\Windows\SysWOW64\Lhpglecl.exe

C:\Windows\system32\Lhpglecl.exe

C:\Windows\SysWOW64\Mjaddn32.exe

C:\Windows\system32\Mjaddn32.exe

C:\Windows\SysWOW64\Mjcaimgg.exe

C:\Windows\system32\Mjcaimgg.exe

C:\Windows\SysWOW64\Mdiefffn.exe

C:\Windows\system32\Mdiefffn.exe

C:\Windows\SysWOW64\Mqpflg32.exe

C:\Windows\system32\Mqpflg32.exe

C:\Windows\SysWOW64\Mcnbhb32.exe

C:\Windows\system32\Mcnbhb32.exe

C:\Windows\SysWOW64\Mjkgjl32.exe

C:\Windows\system32\Mjkgjl32.exe

C:\Windows\SysWOW64\Nbflno32.exe

C:\Windows\system32\Nbflno32.exe

C:\Windows\SysWOW64\Nedhjj32.exe

C:\Windows\system32\Nedhjj32.exe

C:\Windows\SysWOW64\Npjlhcmd.exe

C:\Windows\system32\Npjlhcmd.exe

C:\Windows\SysWOW64\Nbhhdnlh.exe

C:\Windows\system32\Nbhhdnlh.exe

C:\Windows\SysWOW64\Nnoiio32.exe

C:\Windows\system32\Nnoiio32.exe

C:\Windows\SysWOW64\Nidmfh32.exe

C:\Windows\system32\Nidmfh32.exe

C:\Windows\SysWOW64\Nbmaon32.exe

C:\Windows\system32\Nbmaon32.exe

C:\Windows\SysWOW64\Nabopjmj.exe

C:\Windows\system32\Nabopjmj.exe

C:\Windows\SysWOW64\Nenkqi32.exe

C:\Windows\system32\Nenkqi32.exe

C:\Windows\SysWOW64\Nhlgmd32.exe

C:\Windows\system32\Nhlgmd32.exe

C:\Windows\SysWOW64\Odchbe32.exe

C:\Windows\system32\Odchbe32.exe

C:\Windows\SysWOW64\Ofadnq32.exe

C:\Windows\system32\Ofadnq32.exe

C:\Windows\SysWOW64\Obhdcanc.exe

C:\Windows\system32\Obhdcanc.exe

C:\Windows\SysWOW64\Ojomdoof.exe

C:\Windows\system32\Ojomdoof.exe

C:\Windows\SysWOW64\Oibmpl32.exe

C:\Windows\system32\Oibmpl32.exe

C:\Windows\SysWOW64\Ompefj32.exe

C:\Windows\system32\Ompefj32.exe

C:\Windows\SysWOW64\Opnbbe32.exe

C:\Windows\system32\Opnbbe32.exe

C:\Windows\SysWOW64\Ofhjopbg.exe

C:\Windows\system32\Ofhjopbg.exe

C:\Windows\SysWOW64\Oiffkkbk.exe

C:\Windows\system32\Oiffkkbk.exe

C:\Windows\SysWOW64\Oococb32.exe

C:\Windows\system32\Oococb32.exe

C:\Windows\SysWOW64\Oemgplgo.exe

C:\Windows\system32\Oemgplgo.exe

C:\Windows\SysWOW64\Phlclgfc.exe

C:\Windows\system32\Phlclgfc.exe

C:\Windows\SysWOW64\Pkjphcff.exe

C:\Windows\system32\Pkjphcff.exe

C:\Windows\SysWOW64\Pbagipfi.exe

C:\Windows\system32\Pbagipfi.exe

C:\Windows\SysWOW64\Pohhna32.exe

C:\Windows\system32\Pohhna32.exe

C:\Windows\SysWOW64\Pafdjmkq.exe

C:\Windows\system32\Pafdjmkq.exe

C:\Windows\SysWOW64\Pdeqfhjd.exe

C:\Windows\system32\Pdeqfhjd.exe

C:\Windows\SysWOW64\Phqmgg32.exe

C:\Windows\system32\Phqmgg32.exe

C:\Windows\SysWOW64\Pmmeon32.exe

C:\Windows\system32\Pmmeon32.exe

C:\Windows\SysWOW64\Pdgmlhha.exe

C:\Windows\system32\Pdgmlhha.exe

C:\Windows\SysWOW64\Pkaehb32.exe

C:\Windows\system32\Pkaehb32.exe

C:\Windows\SysWOW64\Pidfdofi.exe

C:\Windows\system32\Pidfdofi.exe

C:\Windows\SysWOW64\Ppnnai32.exe

C:\Windows\system32\Ppnnai32.exe

C:\Windows\SysWOW64\Pcljmdmj.exe

C:\Windows\system32\Pcljmdmj.exe

C:\Windows\SysWOW64\Pkcbnanl.exe

C:\Windows\system32\Pkcbnanl.exe

C:\Windows\SysWOW64\Pifbjn32.exe

C:\Windows\system32\Pifbjn32.exe

C:\Windows\SysWOW64\Qppkfhlc.exe

C:\Windows\system32\Qppkfhlc.exe

C:\Windows\SysWOW64\Qdlggg32.exe

C:\Windows\system32\Qdlggg32.exe

C:\Windows\SysWOW64\Qgjccb32.exe

C:\Windows\system32\Qgjccb32.exe

C:\Windows\SysWOW64\Qiioon32.exe

C:\Windows\system32\Qiioon32.exe

C:\Windows\SysWOW64\Qpbglhjq.exe

C:\Windows\system32\Qpbglhjq.exe

C:\Windows\SysWOW64\Qdncmgbj.exe

C:\Windows\system32\Qdncmgbj.exe

C:\Windows\SysWOW64\Qcachc32.exe

C:\Windows\system32\Qcachc32.exe

C:\Windows\SysWOW64\Qeppdo32.exe

C:\Windows\system32\Qeppdo32.exe

C:\Windows\SysWOW64\Qnghel32.exe

C:\Windows\system32\Qnghel32.exe

C:\Windows\SysWOW64\Alihaioe.exe

C:\Windows\system32\Alihaioe.exe

C:\Windows\SysWOW64\Aohdmdoh.exe

C:\Windows\system32\Aohdmdoh.exe

C:\Windows\SysWOW64\Accqnc32.exe

C:\Windows\system32\Accqnc32.exe

C:\Windows\SysWOW64\Aebmjo32.exe

C:\Windows\system32\Aebmjo32.exe

C:\Windows\SysWOW64\Ajmijmnn.exe

C:\Windows\system32\Ajmijmnn.exe

C:\Windows\SysWOW64\Apgagg32.exe

C:\Windows\system32\Apgagg32.exe

C:\Windows\SysWOW64\Aojabdlf.exe

C:\Windows\system32\Aojabdlf.exe

C:\Windows\SysWOW64\Aaimopli.exe

C:\Windows\system32\Aaimopli.exe

C:\Windows\SysWOW64\Ajpepm32.exe

C:\Windows\system32\Ajpepm32.exe

C:\Windows\SysWOW64\Alnalh32.exe

C:\Windows\system32\Alnalh32.exe

C:\Windows\SysWOW64\Aomnhd32.exe

C:\Windows\system32\Aomnhd32.exe

C:\Windows\SysWOW64\Afffenbp.exe

C:\Windows\system32\Afffenbp.exe

C:\Windows\SysWOW64\Adifpk32.exe

C:\Windows\system32\Adifpk32.exe

C:\Windows\SysWOW64\Alqnah32.exe

C:\Windows\system32\Alqnah32.exe

C:\Windows\SysWOW64\Aoojnc32.exe

C:\Windows\system32\Aoojnc32.exe

C:\Windows\SysWOW64\Aficjnpm.exe

C:\Windows\system32\Aficjnpm.exe

C:\Windows\SysWOW64\Ahgofi32.exe

C:\Windows\system32\Ahgofi32.exe

C:\Windows\SysWOW64\Akfkbd32.exe

C:\Windows\system32\Akfkbd32.exe

C:\Windows\SysWOW64\Bqeqqk32.exe

C:\Windows\system32\Bqeqqk32.exe

C:\Windows\SysWOW64\Bdqlajbb.exe

C:\Windows\system32\Bdqlajbb.exe

C:\Windows\SysWOW64\Bccmmf32.exe

C:\Windows\system32\Bccmmf32.exe

C:\Windows\SysWOW64\Bniajoic.exe

C:\Windows\system32\Bniajoic.exe

C:\Windows\SysWOW64\Bqgmfkhg.exe

C:\Windows\system32\Bqgmfkhg.exe

C:\Windows\SysWOW64\Bceibfgj.exe

C:\Windows\system32\Bceibfgj.exe

C:\Windows\SysWOW64\Bfdenafn.exe

C:\Windows\system32\Bfdenafn.exe

C:\Windows\SysWOW64\Bnknoogp.exe

C:\Windows\system32\Bnknoogp.exe

C:\Windows\SysWOW64\Bqijljfd.exe

C:\Windows\system32\Bqijljfd.exe

C:\Windows\SysWOW64\Boljgg32.exe

C:\Windows\system32\Boljgg32.exe

C:\Windows\SysWOW64\Bgcbhd32.exe

C:\Windows\system32\Bgcbhd32.exe

C:\Windows\SysWOW64\Bjbndpmd.exe

C:\Windows\system32\Bjbndpmd.exe

C:\Windows\SysWOW64\Bqlfaj32.exe

C:\Windows\system32\Bqlfaj32.exe

C:\Windows\SysWOW64\Bcjcme32.exe

C:\Windows\system32\Bcjcme32.exe

C:\Windows\SysWOW64\Bfioia32.exe

C:\Windows\system32\Bfioia32.exe

C:\Windows\SysWOW64\Bjdkjpkb.exe

C:\Windows\system32\Bjdkjpkb.exe

C:\Windows\SysWOW64\Bkegah32.exe

C:\Windows\system32\Bkegah32.exe

C:\Windows\SysWOW64\Coacbfii.exe

C:\Windows\system32\Coacbfii.exe

C:\Windows\SysWOW64\Cfkloq32.exe

C:\Windows\system32\Cfkloq32.exe

C:\Windows\SysWOW64\Cocphf32.exe

C:\Windows\system32\Cocphf32.exe

C:\Windows\SysWOW64\Cfmhdpnc.exe

C:\Windows\system32\Cfmhdpnc.exe

C:\Windows\SysWOW64\Cileqlmg.exe

C:\Windows\system32\Cileqlmg.exe

C:\Windows\SysWOW64\Ckjamgmk.exe

C:\Windows\system32\Ckjamgmk.exe

C:\Windows\SysWOW64\Cebeem32.exe

C:\Windows\system32\Cebeem32.exe

C:\Windows\SysWOW64\Cgaaah32.exe

C:\Windows\system32\Cgaaah32.exe

C:\Windows\SysWOW64\Cjonncab.exe

C:\Windows\system32\Cjonncab.exe

C:\Windows\SysWOW64\Cbffoabe.exe

C:\Windows\system32\Cbffoabe.exe

C:\Windows\SysWOW64\Caifjn32.exe

C:\Windows\system32\Caifjn32.exe

C:\Windows\SysWOW64\Cchbgi32.exe

C:\Windows\system32\Cchbgi32.exe

C:\Windows\SysWOW64\Clojhf32.exe

C:\Windows\system32\Clojhf32.exe

C:\Windows\SysWOW64\Cnmfdb32.exe

C:\Windows\system32\Cnmfdb32.exe

C:\Windows\SysWOW64\Cmpgpond.exe

C:\Windows\system32\Cmpgpond.exe

C:\Windows\SysWOW64\Ccjoli32.exe

C:\Windows\system32\Ccjoli32.exe

C:\Windows\SysWOW64\Cfhkhd32.exe

C:\Windows\system32\Cfhkhd32.exe

C:\Windows\SysWOW64\Dnpciaef.exe

C:\Windows\system32\Dnpciaef.exe

C:\Windows\SysWOW64\Dmbcen32.exe

C:\Windows\system32\Dmbcen32.exe

C:\Windows\SysWOW64\Dpapaj32.exe

C:\Windows\system32\Dpapaj32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 144

Network

N/A

Files

memory/2052-0-0x0000000000400000-0x0000000000468000-memory.dmp

\Windows\SysWOW64\Kgqocoin.exe

MD5 cf22b4a5d49e51edcfc4e969831d5313
SHA1 4e2f69ccc3fe89860a69aef5b3f7da73b66ca913
SHA256 3c7b4405fe11fab1c882835fbe2fdc09d34250fbfbe95724836c9515e9aee1e0
SHA512 a55165ed3f8dae1ee6963a581203b095444e483c535bf1318b0886bda78e1c886ede53c4cf85d0ace2a31e25bec006d469cafe2568b45613562ec2625ab3d5ca

C:\Windows\SysWOW64\Kdbbgdjj.exe

MD5 300148e614675edc27cf8895e2ea6c2a
SHA1 48a6a0f95f62d2cf42721c852b20198fc55ad305
SHA256 7dadd1015ac008cfe5a691dd92ae81c6bb67aec030927e7aee02ce1837372a7b
SHA512 ae8c8f7dfe52334bc904afaad27995f8b965909d7c39db6488003a99ae73256ca6ba75effd0c6a11fa4ae5cd62e22eab1ab355a2cd2c0d494d8820f15864f694

memory/2052-18-0x0000000000270000-0x00000000002D8000-memory.dmp

memory/2052-12-0x0000000000270000-0x00000000002D8000-memory.dmp

memory/2012-21-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2488-27-0x0000000000400000-0x0000000000468000-memory.dmp

\Windows\SysWOW64\Knmdeioh.exe

MD5 56e4237b493f01dc81da9df2dad694d9
SHA1 766565d9ed27ca68e117e30285dadb982fa933dd
SHA256 47ec4aa8a0770c44d2bdb6864683ed537ab4d766029c59f26d2374598c0b2e3d
SHA512 b4847697da2aa65c48b5d6302f082e419161212f646ceaf98b281957b17bb6e873df2af827db8c66ff546e6c9150a5446def3551a66a1b6fdf9aeb65d3e0898b

memory/2488-40-0x0000000000290000-0x00000000002F8000-memory.dmp

memory/2488-39-0x0000000000290000-0x00000000002F8000-memory.dmp

\Windows\SysWOW64\Lcjlnpmo.exe

MD5 6332fcb37739008aa482c144e762fb3a
SHA1 8922540460c5166e12f0ecec9a017bce6757220b
SHA256 0673dd9bff323a728d0344bd7ffb847538f66546d0a1cbea2e87a1b89e9d9dba
SHA512 0b9a3636c24cb5e39d4bced2e0a39ba0965d8b1f14d554f42eabb77f62a2054a9bf3be96791dd2888cdee0bff6d7461351448b4d45098d72e7099e75b3e70b32

memory/2752-57-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2748-42-0x0000000000400000-0x0000000000468000-memory.dmp

\Windows\SysWOW64\Lfhhjklc.exe

MD5 42ad852071a61281f73996d06b9be220
SHA1 cb27e1ca865bc7bf39fbfda70c6869cd710181b8
SHA256 a6e07192e83cb2638dad0820654b5ef07f7f688a1e729d26e3563b467fa6bada
SHA512 df0e3ba7ed2675894c97e9f3de75c0e6876891935bc22908ca7e7b6ecafdf58ac288e795beccf4b04e728da7f92b8cb00ffaf661e37dde734af841440b7000dd

memory/2752-64-0x0000000000470000-0x00000000004D8000-memory.dmp

memory/2796-70-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Lfkeokjp.exe

MD5 445d3b550cb106960906eb0e7eda5278
SHA1 a8a25702692f51e46092038f5efdfc36fa9aaff3
SHA256 97d2abafb60ca1302885863c98b99f0003bbdb19ed42d675ba6ca264f55e7c5e
SHA512 a6300d3e6243b7595b6405e7d02b6725e3793787d36cad1b8272e52818d7746d019b027e52ba416a5f2fb823003ee84fb175c65f2b1f66d73033c91d3297f616

memory/2720-83-0x0000000000400000-0x0000000000468000-memory.dmp

\Windows\SysWOW64\Lkgngb32.exe

MD5 716302f022183f99d579133ba7423d2a
SHA1 63ca41b2018feca3d5db9eb0234d001b6654f72b
SHA256 ee50349644a93c8bae450cc7c8f0b5bb7cf4382ec37f545ec8001ac2b6d82a29
SHA512 47ecb5197807e36933ddaf64e48b8a49d5f0bbf15ac8400eb140155c1b1d3b35c51f6ef237859c5b21bf9b60ce5ec467c0edbd9a43ae322c56d76b3b2ba46ab9

memory/2720-94-0x0000000000250000-0x00000000002B8000-memory.dmp

\Windows\SysWOW64\Lhknaf32.exe

MD5 b861cf8138d75134b587141af2d92b66
SHA1 edbe99a25cc1546e021455114e834407e450e69b
SHA256 f662e9d0fab1a5863241ba123d9d14f8bd988bc25a951a5a9cdaa4aca304f1bd
SHA512 eaf2e4f51b6b90627cc1701be57eb8d364876e7c08e091a0137d5e37486282ab3332afbcecde81f604e681a5122f37e58e1e70f35c503da142f0cea7cdd15b8d

memory/3052-108-0x0000000000400000-0x0000000000468000-memory.dmp

\Windows\SysWOW64\Lbcbjlmb.exe

MD5 934dc1d97ac5559e78d025510c1c401f
SHA1 cde38b82f559b86476b9bc4f62376e67f36d777c
SHA256 37e03940eeed3e20c7c5142c0b6d0b2744745f920299379a7d154e21261c31ce
SHA512 96003cfde6be7763e996077653323096ac2d72e71b7ef3ade2ba8f408777f4e9dd2f5d76a269501d5fb1731d8c0668350daf220d7c90de29c0e698acd9f6ef2f

memory/3052-116-0x00000000004E0000-0x0000000000548000-memory.dmp

memory/2668-122-0x0000000000400000-0x0000000000468000-memory.dmp

\Windows\SysWOW64\Lklgbadb.exe

MD5 b79b3b13351163111043ea6bb93f0d01
SHA1 25f4b2d2a30a4f8947dc231c961734f487066162
SHA256 3b504dc7cc43a342c2a07b92f07367a9973360bd75e085ec4a02e284ec546c93
SHA512 f8c3398291f8b221710770d29f1e56850dcba141ce17e630fd7500ce443c7cc1d7d7755bc22bde43fddf50968e317f740dce6225106ef172d1a5db8bd1ecd163

memory/1624-135-0x0000000000400000-0x0000000000468000-memory.dmp

\Windows\SysWOW64\Lhpglecl.exe

MD5 ded352c8b8152ef9998a8aec7b19a1d6
SHA1 63e5ea678d2bae136db8cc1ddc8f26cb713415fd
SHA256 3b346aa8816a49a888a966c3f1af37b743c8184981a5f6bec78038f6459e0812
SHA512 df697e1fedfbbb9649acf1f3d5e9c416e20c5183baf93e3f916ae94fed2946b20bd5c8299e9c5df61aa0642f3226e975a9a7e66cb5b9b3b72557c8f06f5c283f

memory/1624-147-0x0000000000330000-0x0000000000398000-memory.dmp

memory/1168-149-0x0000000000400000-0x0000000000468000-memory.dmp

\Windows\SysWOW64\Mjaddn32.exe

MD5 4be5c5ba8ef4408657b370a32f35f934
SHA1 f6585efb988e76c9f9ad80215bc121b06a8309dd
SHA256 8f203954ca3301071a3adea9b061b0ca6708720a00cb77bfbe93281655e0261e
SHA512 c837662b69d2361380c52ad734b6eea1aa7e9e631d25525ef14a2435feea1c5228e797c0632414d253629dff8ec8f78686127de4ceacc3e5056fe187c07f8665

memory/1168-161-0x0000000000300000-0x0000000000368000-memory.dmp

memory/1328-163-0x0000000000400000-0x0000000000468000-memory.dmp

\Windows\SysWOW64\Mjcaimgg.exe

MD5 1648e576c3c87aa123b18f4187b88d15
SHA1 a711333def5b0f1f9bf5c7a2010f5eca0d77c0c8
SHA256 4e50bfd1c27fdfd8580715b70727914f4ad159986198e37d2e4362c5128de5e7
SHA512 452d7ad2b20a5f2626754541338806ee436f752118e19f20cddc6ad51835a3f7b036449ee1045b75afc0f0b6ca2ed86186933e98636fb6ece09cfd942e5757d3

memory/1328-175-0x0000000000470000-0x00000000004D8000-memory.dmp

memory/2944-182-0x0000000000400000-0x0000000000468000-memory.dmp

\Windows\SysWOW64\Mdiefffn.exe

MD5 98023b1c44258fa7c4741977338929fb
SHA1 e4fcbec06677acf897cce0b555713485ad390d86
SHA256 94d5d324f455040b06f823712dea69a00e8a68ffd54de9c9ecac5d77eda6f4da
SHA512 6d781490200cd9770e857f44354f71ee9b334c086a1559aee728b240f25e88253fdef58307ee4fe9e2e42c94396b7e570b3e3b5a342505c6a81dd475c3e4dcb6

memory/2944-190-0x0000000000310000-0x0000000000378000-memory.dmp

memory/2944-189-0x0000000000310000-0x0000000000378000-memory.dmp

\Windows\SysWOW64\Mqpflg32.exe

MD5 05af2a9b026eade1b594705e8a4b77ad
SHA1 d4da5c80a1c54578b49905720b508a3bf9e307be
SHA256 627aea4fb25c650dcd8ab7a1411540e0c1d207600da7a4336042b96c185744d7
SHA512 a40bf3d8bf28527cbd6f2e4d2c4db63ffc27cd733adcd068ab8c739788050163316efe8261f2148908ec0271bcf7b4e944048fb5faf8b48c2e0182912283c69d

memory/2704-206-0x0000000000250000-0x00000000002B8000-memory.dmp

memory/1936-205-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2704-204-0x0000000000250000-0x00000000002B8000-memory.dmp

\Windows\SysWOW64\Mcnbhb32.exe

MD5 807ebbb7e7229459e8cb30fe176cb36d
SHA1 92cb0d1b170fa937772a51320513e093eefcba48
SHA256 a852f888cc8f0a274b09b331bf9038cfb59fc3d68e21c6178e4e636727d2c123
SHA512 def658829eedef25d30ccf3a0821cc68f93af9f1f4fe465667a55960478a390b32a7b7f624faea8f06280da276cd725299134e6c07c52f1b430eed3603eca699

memory/1976-221-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1936-219-0x0000000000250000-0x00000000002B8000-memory.dmp

memory/1936-218-0x0000000000250000-0x00000000002B8000-memory.dmp

C:\Windows\SysWOW64\Mjkgjl32.exe

MD5 bc027175232578703ffce8a87a32b466
SHA1 b461461e4d49711babcae5bb167f5043d8409ea9
SHA256 16b44d11a49c39881dc2010366430b7a5453eb07ca0f372b1c4bb558210d0372
SHA512 6e66b4c0d489691e53b3437a2aa827cca32ec3ba372e5392ed90035e327f2729aa1190aa7d92f7c0e7a50a575dc05d36f8309425f4cdcde56bead2dbb766effd

memory/1580-233-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1976-232-0x00000000002D0000-0x0000000000338000-memory.dmp

memory/1976-231-0x00000000002D0000-0x0000000000338000-memory.dmp

C:\Windows\SysWOW64\Nbflno32.exe

MD5 65b48b2ab748f8a3ce4c2deaa13ec88f
SHA1 f3a194b8c68e4557892c65afd80b8e0fb28d2b34
SHA256 8f535c924a01b33fc4cdced141867c65a47f35abcc1782a095d9250e2f842f99
SHA512 d44588fa1accf097f2e481d8e7f701a89d60f6d08dc5d48094c632aaf98c33530bad2d6d64e7fb7c90457987c695b6e1917b0313e6bd529c94c74eaa0dd09c7f

memory/1580-242-0x0000000000250000-0x00000000002B8000-memory.dmp

memory/1160-248-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1580-247-0x0000000000250000-0x00000000002B8000-memory.dmp

C:\Windows\SysWOW64\Nedhjj32.exe

MD5 2bcb5357edf55c9e4165fb257ca6e3cd
SHA1 22cf780df64e6a7ae70ba7f8620f04a721f9aff4
SHA256 bab8a7068419476e1d955d8667e92070daf7e867a2ed30ffb173292ee31ac112
SHA512 8049aa159786071e37f8fbf4f3eb2f47ccd20fbf184bbacd2fd6dc914c151159997561cc4ecf685ba6764805a65294541bc7fd9fcf147502e480b799f004a64d

memory/1160-256-0x00000000002D0000-0x0000000000338000-memory.dmp

C:\Windows\SysWOW64\Npjlhcmd.exe

MD5 7a056ed268e96fdbab72c5e7ee716950
SHA1 fecb1a5ca5b86596f73380dfd197fa4bafd23e9d
SHA256 18c5e178ad06822aa6823c1be9f4e44d6ca790f49b845dffcc6dca8f369df02e
SHA512 f13090d3abfd39b072f3db4b6791be90866411c77a509df32a1fbdcb3e89890e913b803ca7e54eb2ecd10b09616299640fb24a83dd3195c378516b3b9aaccd61

memory/3012-260-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3012-270-0x0000000000250000-0x00000000002B8000-memory.dmp

memory/1504-265-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3012-264-0x0000000000250000-0x00000000002B8000-memory.dmp

memory/1160-258-0x00000000002D0000-0x0000000000338000-memory.dmp

C:\Windows\SysWOW64\Nbhhdnlh.exe

MD5 46a9104b285c2881b4fb91d4c6e02d4b
SHA1 3d0f3f533f39e8bdfa462610cdb02b96e3633f0a
SHA256 e390693aed9ae2ec824ab5045581b8fddaeda107f265dc3609c90c4ec7e9c56b
SHA512 1f6f5a55eb732913a73f84b998822c407879d281c3cdb4b460d64724614f2b6e1cbf4996c2162b79a84638238be3e7ac27131985535f2f5f4e4e0275f767652e

memory/2044-277-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1504-276-0x00000000004E0000-0x0000000000548000-memory.dmp

memory/1504-275-0x00000000004E0000-0x0000000000548000-memory.dmp

C:\Windows\SysWOW64\Nnoiio32.exe

MD5 c0bd85982182da71168f65bf115f91ba
SHA1 046f6cd32467da60984a7d3e7a34a603bceade1f
SHA256 97de10ff446d138620bd2b728708f60388e6dd493e2ad54aeb68670c3ada70d2
SHA512 a5a9bf46381b097c3f58f75218810b9a4285e4daf270e40caa411d77355a9bb1440f3a44fff15e44ea06c7476b6ba9e6601279d3073b7ef5c519d1019349d3d0

memory/2044-287-0x00000000002D0000-0x0000000000338000-memory.dmp

memory/780-288-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2044-286-0x00000000002D0000-0x0000000000338000-memory.dmp

memory/780-298-0x0000000000270000-0x00000000002D8000-memory.dmp

memory/780-297-0x0000000000270000-0x00000000002D8000-memory.dmp

C:\Windows\SysWOW64\Nidmfh32.exe

MD5 8b7027d1694d23ba5a0c26f545fc8060
SHA1 aa0eb43d49cc62cb2d88258edaa2df61cb3fed18
SHA256 a6513f11b793992225fe3ea39725c9d3d12f8bc74cbdb13f50b8b711abde69c0
SHA512 9676f5313d20147dd1c7a2d858e00053460f75627b68a77bc31ec2e9d714399d8ff07377f1ad3edc09e7348e08101881a68d228ec42597cda2e87e4564db403d

memory/2352-310-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2524-309-0x0000000000470000-0x00000000004D8000-memory.dmp

memory/2524-308-0x0000000000470000-0x00000000004D8000-memory.dmp

memory/2524-307-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Nbmaon32.exe

MD5 230014c9d009dbb75c65b0de68cf1c9f
SHA1 327a1a702f90b23f7a4da6d888fd7ff456c5bb95
SHA256 3778153218a35697635d86c57391e114d45d72b06177a7ff628a9682eed8ba9a
SHA512 79f77bca57b3d8ee93e417c54f2b10905fe135d41d1d774d6b3380dff62c8275483614721c20c7da00b2f7a383a92f51fa7addd06b643866d1fbe251dad9e976

C:\Windows\SysWOW64\Nabopjmj.exe

MD5 95b69a00f958dee3b4c81c9d3837ed31
SHA1 1d91f6e68abd0df7988546e43c82943cf3ce8e46
SHA256 9d1d95f3f27e393c2992079460dc269e0a7efbf439b18ed5d325f2feb4622025
SHA512 5a89a0e0d00f5cbed4774271c705ef3bfc01601622a8fbdb266f0c71164f0e02357272443f54afae16078df9fd424e5a6d770dbf577da18f453ed68e758a6ce9

memory/2352-324-0x0000000000250000-0x00000000002B8000-memory.dmp

memory/2352-328-0x0000000000250000-0x00000000002B8000-memory.dmp

memory/3056-336-0x0000000001F80000-0x0000000001FE8000-memory.dmp

memory/1648-337-0x0000000000350000-0x00000000003B8000-memory.dmp

memory/3056-335-0x0000000001F80000-0x0000000001FE8000-memory.dmp

memory/1648-330-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3056-329-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Nenkqi32.exe

MD5 2be3184464d7ad568ea37f19cce111f9
SHA1 4b4dee35c8fae3c83c4be049a70f67ea99314182
SHA256 c23c4fe592d2b7493c24e71689412bf85fd4b089bec40a537db1b52e77d4e567
SHA512 ec02c74e0fc27ad203f5d017c6f21f5682e5ff5f66c1b3edfbc458aee9673256ab5d2e65904dd2494ab128c513d83ad1953020059a8b1916d6d91d805cd1ae7c

C:\Windows\SysWOW64\Nhlgmd32.exe

MD5 fc0573e9b645354b69aade30d42b4e39
SHA1 8532f7d2ea0d9c07fcf22b262dacc1af688d216f
SHA256 18677bd311c9a8c94eaf4c0a4e3fc2e3de17c2bb177690c47155f5db6d6a67fa
SHA512 ba359d6686ae9f0397676f9d41edb5018e60489bcf7c126448821b8194b6bf4b22017dd1e562074ccd8a1af83083905f6604da355f6ed93c4c177504c8d5c8e7

C:\Windows\SysWOW64\Odchbe32.exe

MD5 e48b9893d8b8006433ee697dafabc422
SHA1 beb01434af49fd52068f38ce64cb75541d842f85
SHA256 e82cc4ac5e5601e462e82ca6761e7ae81ee4167b2d2794e218c2be2c246a3d78
SHA512 921364b8282ac390fa8f3825acdf0df0e56d7db151fa6b3803a070a812803b3bdd90ae92baffc5ae7cb9e2e207e446b575b42cb2b1e4953da9ab2956561cbabc

memory/2148-363-0x0000000000250000-0x00000000002B8000-memory.dmp

memory/2408-356-0x0000000002030000-0x0000000002098000-memory.dmp

C:\Windows\SysWOW64\Ofadnq32.exe

MD5 d7b924845f92ab69c2b999d2e2a80fe5
SHA1 1d126e4ee902f5b0bb16601450dba79559e2875a
SHA256 83e0a1d06a2604db7e0051d5c96520f105fa0f156282a932340ac55b8a773ef8
SHA512 2382cc5d5db5538c187cec16c0864266a73dab303801b98e22f71262cab2714c877432b8d49160d15944a499e8328cb52daff1c71469190c1492139e98c838fd

memory/2408-351-0x0000000002030000-0x0000000002098000-memory.dmp

memory/1648-350-0x0000000000350000-0x00000000003B8000-memory.dmp

memory/2148-362-0x0000000000250000-0x00000000002B8000-memory.dmp

memory/2148-358-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2120-364-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Obhdcanc.exe

MD5 8cc342d938eed54b51fa4b0de20c40ea
SHA1 ac5417cc9880c52fe0094bef07480d6d3779d9ba
SHA256 aa5123f614b4beb185deb8a6462613c6877b234ea27e0825b726891c784df270
SHA512 451bda70405a65c4035251d5a27554198e33a7a140fd74fcebf54195e0fc56d1020886e25168c4f7752507f494fc7617b7c4fe8a1587181a9b598b86cc486aab

C:\Windows\SysWOW64\Ojomdoof.exe

MD5 50f8b9a6c7d1af515518476aae1cbb29
SHA1 76ffee0c72d17528076dd008b5046777cd4860fe
SHA256 8375ec81a0bfd2504173d7021ed1caf24e4947ae9973618264389d27cd53e4b8
SHA512 1d8b7cfcdb4fec028036480902ca3c8f70c77d8c2a093f22b19df705c13030aac317f45c75f660e762577de8bbb0f7d90054fb19db4407761a30c4a0b2c1cdd4

memory/2120-373-0x0000000000330000-0x0000000000398000-memory.dmp

memory/2620-384-0x0000000000250000-0x00000000002B8000-memory.dmp

memory/2620-379-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2120-378-0x0000000000330000-0x0000000000398000-memory.dmp

memory/2656-394-0x0000000000470000-0x00000000004D8000-memory.dmp

memory/2656-393-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Oibmpl32.exe

MD5 93b61e32795f13ee449455a023457b3a
SHA1 2a2c2a4c32782c548f9f2cfb838eb3cd82a75feb
SHA256 46ec05698885965fbf42145b39b2e70e0dc0253ab0d7c8a91b4b53cb05d9da16
SHA512 d2469f668f638f23cf7d7fae3d9b01fffdce80c4fadb55df4f7e06a347e15556e1b2b6339b91c3fe8b64199d6b814b399d8eec41354f294b91ea7f251dde45c4

memory/2900-395-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2900-405-0x0000000000280000-0x00000000002E8000-memory.dmp

C:\Windows\SysWOW64\Ompefj32.exe

MD5 75e3b68befb89dbc8f8b2f2a9a66f5c1
SHA1 3e29cec64d5a480697de7d57c30e38fd93c8aaed
SHA256 846eb8ebc68beb7bcd9f838284cbb1e7c10b99375232a0484e8cfa721074f82f
SHA512 e6d657114fb57aa18264f5a144ced88974ad1b12ce6180f433a7028ad9e704f8fb6407c92ff2a8b6f4278713f6386c932e2908732acf0ba2a6a99dbcf824ca24

memory/2900-404-0x0000000000280000-0x00000000002E8000-memory.dmp

C:\Windows\SysWOW64\Opnbbe32.exe

MD5 b2687f8da53ac3e71496be8775adddc8
SHA1 f044b63bf417e34fb1ad70359f13f03c459ab22b
SHA256 6e95546c1ad582a02ece5220c5e1337c822ff3084228bfb660a6919e89b7b36a
SHA512 31445201ec459740d011e40ed832adcbe29e4cd0e1ae03b243a98f2b149e29df275bbcc01c694b8a8a4514c6b2ee1b0d10dd88ca00c0507e2d808e375e1261e2

memory/2404-410-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2404-415-0x0000000000250000-0x00000000002B8000-memory.dmp

memory/2404-420-0x0000000000250000-0x00000000002B8000-memory.dmp

memory/1800-425-0x0000000000260000-0x00000000002C8000-memory.dmp

memory/1748-430-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Ofhjopbg.exe

MD5 a32dc4225c727a246ec4aade486ce304
SHA1 4a78d8aa8885b71ae7e53f06140287962572c912
SHA256 e68b9a3f617ab1ddd9445bda824f517ed0061158dbfb316042fdba9e81ff2ea6
SHA512 2e727befaeb135fe4aafcb420433a653a493d8e5141642d35eebb2737f95c67fb46c9e27f405d55b0538b8edadf633e11a344dd9fb8ecd9569f38b3ebec72bfb

C:\Windows\SysWOW64\Oiffkkbk.exe

MD5 89b743c0ff7a3fe9f07c4dcffcc2f86d
SHA1 7e4892b54f6cce565c944ffce0688fa759a764d8
SHA256 50131b47adc74ceb608dc8652e6d3ce2e9df356530d6c7a6f74747fd06ca3654
SHA512 a78c6bb673a69aceaff7ce921a1076e458f227a8713396a46717d9a938979ebb460d5706cbfdcc929654372a6bbb806d0374f0ef35ccc8e324c2acebc4153a77

memory/2452-436-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1748-435-0x00000000002F0000-0x0000000000358000-memory.dmp

C:\Windows\SysWOW64\Oococb32.exe

MD5 86394656b572c3d7d7ab4785eedecd9f
SHA1 42d1f7d974027b323cea6d2e8adb8df18f518be1
SHA256 e25e35bacfc3f46fc01a7001b5bf4b2d43e0532928b568acf321573c588ca828
SHA512 07e3e4ca58af7116119157df17e874ffff6030e4ab3c7ce17a6a6f74d9bca94a85bd4ddeb853a9a034dc6557bf832ce66b163cf03c1930cc317e03f334904989

memory/2452-446-0x0000000000250000-0x00000000002B8000-memory.dmp

memory/2452-445-0x0000000000250000-0x00000000002B8000-memory.dmp

C:\Windows\SysWOW64\Oemgplgo.exe

MD5 048ee545dc5a914736a6b5bf901bff04
SHA1 e69631d9811be73a4c260634bf2f9d37b4223d41
SHA256 1ea09719b8929a19c08df380ec5da49a650850ae5efb1d9a7fe7432284d1fad8
SHA512 52fe1e05b51788024dd1b9807192e9cae7d037975d641c2105ad850fc56a86b4775866b0f40cab939c4857cbaf45d9a62a8244be37bd664bb3eca1a28b5ad698

memory/2216-460-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2052-466-0x0000000000270000-0x00000000002D8000-memory.dmp

memory/2052-471-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Pkjphcff.exe

MD5 6ea9e51852ff6e504fac5b9e8c94177b
SHA1 426d24b7eb3049b91c10bb708547130e3bfd0a7d
SHA256 515fbadec4228df60cc6ad0d8d6a397c7c7acd76e9a2091a53daf7d200612087
SHA512 fd326fed79d3eb19b9af69199c1b314773c43ac9f08750d1397277cd162a117998589bc9c6a650945fb978da25d437520bce5dde5893ee1cec452f51bc221817

C:\Windows\SysWOW64\Pbagipfi.exe

MD5 6534d4aae1c447c8d0bc7a1e32e96ef1
SHA1 32a002f67b4d2f52c2c1dec35b8a2b3e742cdf63
SHA256 f74378f585906af37dbec3dbd31ccf7c9ba8a113fd78bc0c8de570015b90b968
SHA512 72fd7803f654cfe5d07ff00d42867a1c946da4a25efded05e1035f8c817abccbff66469bcacc6a30d199ded77e0239c5341065b56cab2f8a5b1637281825a6c8

memory/2220-465-0x00000000004E0000-0x0000000000548000-memory.dmp

memory/448-477-0x0000000002000000-0x0000000002068000-memory.dmp

memory/448-476-0x0000000000400000-0x0000000000468000-memory.dmp

memory/884-486-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2216-464-0x0000000001FD0000-0x0000000002038000-memory.dmp

C:\Windows\SysWOW64\Phlclgfc.exe

MD5 666c104c4a1bab1a855fad5fcf91fcd9
SHA1 1a3458807519a84775ad99307d4564f4ebca409b
SHA256 c1329b17742b2b1c8c38f18d70b2f56965080f633f3586a087e3d73cf7b73f6e
SHA512 6fcd2db71e685eef39148871683564e707aa5d6d026e674faa06c4384bfd2051ac116d00e4406ba585f2583ec86643e99896be37713e127d4cbb8cdb8915886e

C:\Windows\SysWOW64\Pohhna32.exe

MD5 6f4c43e29e1ad23340d20947b332d18e
SHA1 7a405413c40cc09429a2bbe8d4f817ffde50fecb
SHA256 07293f04b8e2d500d3e12e92388b5e695a0a8460938588304c22b90502d1b7ed
SHA512 4515dec11ce565a4bf04a024b98f04ece0d1b2c89c46356b29cce4638bcd778863fc01fe96f433c3e5551aeb91797c229ac02c334a1cdb1116e871922257797a

memory/1792-500-0x0000000000250000-0x00000000002B8000-memory.dmp

C:\Windows\SysWOW64\Pafdjmkq.exe

MD5 78c4f726a08b98854bc70fb77eb07633
SHA1 05fbea11e5b0f12e17f5d31cb372573bac5aa3ef
SHA256 dd2738e25fad08a5e3896f338b9f34ae24795daddc32c6d6bbb80bafdb1f39a0
SHA512 0dc4420374cde6dbac7a8f3a9a9e91102d9ebd710502de287628ef3d5c4da5dcfd0aa4091171a71bf4fa6767dc71187a8a06aff8c6fd55057174acbdcf21552b

C:\Windows\SysWOW64\Pdeqfhjd.exe

MD5 825e19f1453df94ac81c68c500be1535
SHA1 d17a06583b89cb074a3bd5631e0e7dfb28b1fa41
SHA256 78174ad5f951edffc63c6bbaef19f6062da1386e71f5c804cabe97932b5a368b
SHA512 a069446b4e87e6c26bfc9eaa6da116cc171f7ca2c37714162cae378aef947f6a6069b59b4f52eba033607406a5b227fc49f13888e3bb6379c59dadfdc2811a5b

C:\Windows\SysWOW64\Phqmgg32.exe

MD5 698f7c6d649b0dfedbeac362154984e7
SHA1 1ac032afe71c4b7c5f8d22ce2cb83682e955231f
SHA256 c9062bfffb2e11c8f08e2b66cc477a59e8d10561699a3c26afc92f3a23660dd3
SHA512 2b4ce80fa513bccb78fa8592b336356b70891eeec127e94481d614242dfd21f22f074d31b51fb68447f72381f5fe657ecd88e18aefbfa2a046f0450ac5a41c57

C:\Windows\SysWOW64\Pmmeon32.exe

MD5 a3917a114d1096f297c2552825f79f74
SHA1 5e0b5828d276bb09c8480f617a14a11fe09c4517
SHA256 672c5db4acbfc95df9f1e895d267378ec1c105c014e75ecd46e31b9d1603bf28
SHA512 41361ddb4c9c3aa77c8284bbac1beec025ee9e567d0fc82efb32a26b98ee8a9393463c7b795ac36804153f9b8f7a4a6b1a28fbf7f45cd1516ab82075922b00c1

C:\Windows\SysWOW64\Pdgmlhha.exe

MD5 81837acf987cb193b685b91e90a9de8f
SHA1 fc095005846edd91b95bc92406916aa214a45fe0
SHA256 9fb61c3969952e0fd0b3fb460e8c1f2ec879875f325a16b094ed42f63b2c6d45
SHA512 518ba710dc9b3aad2602c5c51a00f44ba1661299915373c2605f24110ac553bcf3e6e5ad36e5b4ae824df9a0d127f863ccf11828e3655aad1d537b7678cc611f

C:\Windows\SysWOW64\Pkaehb32.exe

MD5 8d9bc1717e5a6b8cbabf081b4e36d4e9
SHA1 c110994cd959c8f456e6dc7314296988345a302a
SHA256 e293a7f27a6111e8afea400176994fba3f74af012a43fdae4cddd8cddf7b778e
SHA512 93543b6bd5a9f99580c0921e289a58dd26f165911b41fe19ee608e04cbd13feaea1dae0123dde7839addeca110c92c165e04db2962bef37d665e197968d1772c

C:\Windows\SysWOW64\Pidfdofi.exe

MD5 4e0e30ba6e571b481d0e10f07f583b3c
SHA1 aebac2ae76f7b0253c347def475dc7691e33f003
SHA256 58d212c3a6ca9d8683189ec673d1dd2af8ed23a75b411fd9ac1a4c9669d899dc
SHA512 21244fded0efc25a0762d7becf4a445e5ff38940c959e9214f684362ddc34d8c87ebd213cf37ae0a3d3aeb83c7b64b405eab6ec68cf77954b6f9e3dede5f89a7

C:\Windows\SysWOW64\Ppnnai32.exe

MD5 66e9a693161a2cd8037757451b4b6f5e
SHA1 7e8b5757af207942187742486662b9f7b6f432ca
SHA256 807bae1eccb1f6ce982a92bbdb3ee7a387696aa45ccf1e44a1f32f4ecfada3eb
SHA512 97c3dcc5b57a8dae23c8cf189457735a428cc0d6f49c693a7d36abe418ff17e145a419379be3671e083c4c39463a07a6ca539d167a03a3cd5ccd92570cfe818e

C:\Windows\SysWOW64\Pcljmdmj.exe

MD5 66e83f6bbefa444edb9d21b03c21d67b
SHA1 13b28bb8031c29e499dbf430af596f27c121fe2d
SHA256 0cd703703f61623a5998ff4a308bd9ac44d7a8a4d78bb7fe868ef1341b793a5d
SHA512 712a2a0b6d165f5bd79c500763ef761c261040bf82889b5927bc5107609f7c67c3012965a38e073904479108281bafcdfb612fef3924fd98a22980de3fde76c3

C:\Windows\SysWOW64\Pkcbnanl.exe

MD5 a3c0cd66d5cdc62ee4be09ecb8af2ede
SHA1 6ecc2d0e458239371ed0de35a2eb939792318744
SHA256 d7e60dfa2b319811c2918779014403b0b8ad32c9c55648b08bcba5d800765270
SHA512 fc9bd373ad90792f43f5ef0b0eac75b3d7617c3377e75840037334ba0a4bc005000b5d69f577746a054707baa627dd97af46bdec37f842c6878a00c8d5658618

C:\Windows\SysWOW64\Pifbjn32.exe

MD5 da7229ceb9c8fa8154454592279bd4ed
SHA1 d6a4337b9a63a641ff24f1d2285adcfda947aac8
SHA256 6bc3ad780f3608fc69c428de7bd7e7907fde54aad7a65c43be87baff5e562c39
SHA512 ee07b0327930d9016ad89e1e110c511b3691c849f10fcb5ce254e226b953c1317b2265a9d2725ff5b97edecf944147633c93a845ec95642cdc551dd34e38ab10

C:\Windows\SysWOW64\Qppkfhlc.exe

MD5 0d235de15c64248a9ad4816752df2fca
SHA1 4f36e2159724aabaf50fd76150a8d56e733c068a
SHA256 7dbfd4cc630c7d44e469ffe758e137a2c1b7acdd4795d4a06a68cffead3cb45a
SHA512 d45a8dea7380374c9b33290319fde1088d961c6828993a4f440dda6f7d8e8d123185e56f6c9ffa5061d81f1537f0c8e4049154a2ed6074a5d3db2fdb4eadcf85

C:\Windows\SysWOW64\Qdlggg32.exe

MD5 f03e85411f81c9346843940b0a3ad540
SHA1 bd66a518883a4c484b5452fa02df93f13f7365d8
SHA256 cd45f0366373e08f820759fdf718a2049a1058188ff5745b8e11f6d62bd1ad05
SHA512 a10da1561c3a6008be7e4d31ad6c4d463dd7296b7da876149e2b666b0024b1e21bdfa5514d5187962e30d8212c8bb4b02da70052fd29c9a5140d26fcd255ce8e

C:\Windows\SysWOW64\Qgjccb32.exe

MD5 9783d4abc74d25de508ad3c397a49f39
SHA1 3f9999cfbb16cb2b5c1fbf33aa3a50c2599d12ac
SHA256 b6b99d2a4bbf68156e27831a558521915af6bb9dd0112a37db44729cb9dc55fc
SHA512 9322988d39b0aeb6b08c5ef3cd72382680ce14c281d7add56e21aa734c6077497f3177e2e6c5ee3d37e485e05fc7dcb88187ca974c327425a2a8861c5ec534f2

C:\Windows\SysWOW64\Qiioon32.exe

MD5 572eb0feafb20b73d172802ed2322195
SHA1 38ec7466b9bd7a67ee328ee8be2c957899e56d2b
SHA256 ed02f116d3341cae7a3a3231d17f0b4c0fcff65b9a9daf32413d9b342ed71462
SHA512 cb1ba97579e2785f0f79f76c6f970ee97e7379c0ecf8ac2dd204bae6a61105083a429f6cf05b7b72bdcd5c5135a2b48cba1ef29cbf4020afc387f696244cb859

C:\Windows\SysWOW64\Qpbglhjq.exe

MD5 f063502208fa3f9f49c0798733d04c75
SHA1 b5858bbd7655c218420acdbbb1be786cfe66e76a
SHA256 9883446cddd2af5f71552053a6ec41f6d4e3a9cfa8665264d0160d92937e0604
SHA512 6eab4edaeead9f8677c8e9ec0ff8eca6b8b9c05fbb45607fa8adcf13934344b79db7f3499df58fd78995d9f74de24ce2a9e6ac72c9dc27cc63960641031e7f48

C:\Windows\SysWOW64\Qdncmgbj.exe

MD5 7a983d6e26aae03d377d752100725370
SHA1 7a595b5ac6654302b3e7b1525d1d89e5b1728ef8
SHA256 df9630af9a00faac7b1aa7cf0af2f3353c62052d7f14c32c3954683f34af7814
SHA512 3628ce66864fe98eb0dac09046c1043a80794c48ecf67accbc3baa19959be80d08d4080c45454dfe61dcf0a8d1221ee6e46f5167dc19486cd3110a12c936ccf4

C:\Windows\SysWOW64\Qcachc32.exe

MD5 c446df9f3a377284d3543a9be595827d
SHA1 1f516f28fe3e20ce8851c48d250833c9a2f715b7
SHA256 4764d9b6941ad546f2503420b44bdaadfb8a33ba1c0efe5bea083a6b8c0ea5ed
SHA512 a06a508fdc33e27f001a163eed6019fd6d833847c5c9f56aa956e42cb928867024fa4217104467a14c917d9c24e1ae4886a1b21f7ec2f2a162c90e6b640b06ac

C:\Windows\SysWOW64\Qeppdo32.exe

MD5 679692ca939d53dae21b58995d88a10b
SHA1 fda07a0850a7efefb8020977e4bd5707628167bf
SHA256 0b03b6b294f1dc38bca32519f2c406d9be9b3609ac00c576527b637e21012bde
SHA512 8eef332f2971e49b7965a5be059a859cda009692e12ae2ea2fe7cf501126fade13cb672e1a51441f45797847ae731a5fc84b6af41185edd0a8ec82bb274e6a92

C:\Windows\SysWOW64\Qnghel32.exe

MD5 29a63c5cc80feb975cd53b8fec4a7c2b
SHA1 0ed8f380b61e57187eff0ccda92b792486340e00
SHA256 792df6d351424c90fdb5f303ecf7f9b734fdd1de5fa5ab0e9320e67c533e733b
SHA512 3babc8c7bb9c4151efb9580c8623d086bb3665db3cc007ebf8f48b2248018877b7154d28cad9d9f059b584ca8fc2a7745daf12fc3ba3ed5420246a6d1cbf9d01

C:\Windows\SysWOW64\Alihaioe.exe

MD5 cff7105b80bf0a8502bffd2252ec90ef
SHA1 68de7962617da22748d983711d9ac823cc9eee6e
SHA256 3c74f2a8602a8b3003456860df5e01c361978a3a1634b875b53cdec1974d3c8f
SHA512 b67e48b305620dbd56d92e841012668f26dec255f14d5c815821d0e4527d874536fb1fa9fe1d7844dc5d040e563ce7b195c2f5f126e6df0eb80f0ad8af693c09

C:\Windows\SysWOW64\Aohdmdoh.exe

MD5 17d04a46061320e34eb089ea882d46a8
SHA1 b94063171923e9c3f3283fcf4b8d76f7c38c87db
SHA256 c6305003fa207d9c81d605527e0e73e7b57039ade9211ccffd0798218664b8d9
SHA512 0f8c2eb4e93ebc274ca432b55f29b9fb4a2d622661d793fc620913a91e76075874857a13e6f88079ba1071c52b6d0608374db3318138d1e6c193d4932be9808f

C:\Windows\SysWOW64\Accqnc32.exe

MD5 b53f38068e3e790b0a0215f9785c286f
SHA1 7dbaabefab41b324784384d56e598315b7398f2d
SHA256 9a140d52e6ae678112a39bc7a0dae02bed3a73e3ff44f944b3deafd18663098a
SHA512 9a28f46d62a891f18667f05c3fd48fb937d7e4380b59c52d1f11c1f40a22211313b9e40453b259fdebb62c6222887db115a97d76430cfe8e3a701e9c10f81ac9

C:\Windows\SysWOW64\Aebmjo32.exe

MD5 28a06e18e46a1d3b1080f9801913b0a5
SHA1 c03e8670772fc7bf8e30b07ab9bf399e140836ca
SHA256 9f4c261e0f17c1fc4b1bc7954e64b114824e8b993aeece787fea43e8c7f3153d
SHA512 02a73f8b3bff328cf152c3c3c2b2599341d2aa3a09f77b1f8dbb9a85643e907c68121c77069428eb4fdeceecb93311770d6ca7e8d59b615be3fe6ce3445cf402

C:\Windows\SysWOW64\Ajmijmnn.exe

MD5 06f0b4ef95fc1da662d2e3fa87d4bfbf
SHA1 962dfdd90b9e7c9c430c1ec364ac37196c642388
SHA256 6e6e700fd5888bae321239d91090fafde5e12a45f9ed0d35f110875d7e606f63
SHA512 72a9d61c862a50c01ad261e1391a2cdf63be56d12c4032eb358dedf2ebb531d205692babc6f15c9390fd5c76bac62029579934d67c0fffd63cd92be5f3bda971

C:\Windows\SysWOW64\Apgagg32.exe

MD5 e209468b6d7e9bebf1c0664c5b8ba1f1
SHA1 66eb46e9164a621a4f22e4a71d5944e3728cb526
SHA256 094962628b38fb23b06f7e71ad61539c60a647af9bdc78df174d546603904ee3
SHA512 2b27fb16ad3ec4d4017d243076b829c6adfbf830779a055dfa9f9ce7a86723b2ed55aa4217e41f089abdc31e77bd2ec51362f5643353324a24e0fab535f0421f

C:\Windows\SysWOW64\Aojabdlf.exe

MD5 b05679ed1108515b1588cc9a29bccffe
SHA1 a76d9683e6452f68f42f691918be135a831711b9
SHA256 f5d32e7ea380f50b1850ced9e9e159a1211cf7ee2340dccdc6758b33de193ada
SHA512 cf8b4c408faa62145b6382ec95d769ecaa0c97b35429a7f1a85decff23dbc605bf1d1ffeb8303b4a536a262fe3107b969fcbbc41b9aed641fc94a36a02ba72f0

C:\Windows\SysWOW64\Aaimopli.exe

MD5 8cf1609d72a0892357cb1aafa77ff6e1
SHA1 e64f56476ea1e4377725a14aed864c455ddd64f9
SHA256 f5926d1856dc3dba151bcaf48fc21c7c60c9e7900523434b10a091c6718b72d9
SHA512 5a68c8c5de24eebf56472fcec421e78fdee3d5abc5115c299a85e5b0f286de49151eca8abe841253b4d2873732638085c49ad9f43b8b5d522e235645e52a6aba

C:\Windows\SysWOW64\Ajpepm32.exe

MD5 d958e6206384a407b72032273d059468
SHA1 7756dec093705e037c676acd1d5e358f370daf09
SHA256 cef635d09d3404c5c9994bdebcc9b443c41c1fc7bfaca25861cf6ca9fd9afdc3
SHA512 45f4847cef3536b78bedab9946e01556c6be8faa36bdc6aa1e85cc89541ed1e11d615ab0b6f1db6300ae8e9558e1dc97f2493cfa4c62b31b09997fd5ad32c6a7

C:\Windows\SysWOW64\Alnalh32.exe

MD5 ac7427a26fce30e0ceca86de959d2415
SHA1 f054f2b9c02ebec839d1c492db0e7ef0b70ff93d
SHA256 06c98a5c4a00b5706b797ec7b0f97cabff2d938c11fb28401444a94cde023e51
SHA512 6ab2d247fb38df20c2aa0d2fddf0b746c06e7467731a153ba12559d45a7e6cd453630b881be490e30cf89458467392e129c11c023742e141899622f1d9cd18f8

C:\Windows\SysWOW64\Aomnhd32.exe

MD5 7e3baeb08fe5bb84219b80ac035f1e2d
SHA1 c03ba1685e22cd6d8c028cdf1deb25d10fb49b19
SHA256 1aca8f465b0ecdb6f80fe44f8487d28b4794dbe5583adb78a32ec1280b3591a4
SHA512 ad88f549eb61bd01a4c11691e4e87e2dadab77911b6c778eda0e193fa33ebad8a67ad0eaf91807f388645382bd0c97e75e4d4695f89a97f000b14ce9db43d6d3

C:\Windows\SysWOW64\Afffenbp.exe

MD5 028c133ce3304ee58ee217d9d1878294
SHA1 6465108de270d362cbd2bbd936183ae78c868a0a
SHA256 274cdfcb428de7974546112e4c576c0742babcd129b02fd8f5d26672b3b84678
SHA512 35ff356445ff0f6e8b4aa6b74eeb5ed840646b41dfe73a0226ae36d403c6f2b34f7780e957fce4f18effdf2027d951347189509ea957de8aecd297abadda7598

C:\Windows\SysWOW64\Adifpk32.exe

MD5 1f4a24f9026da4d96e9f2fc82da19e16
SHA1 e70053e88032adad3bf38bd900e36fdf428704b1
SHA256 22847838ae9adb7146b8c3d67f4e71f380c7c8de40de6574c9a46347fdf93d27
SHA512 5e3f9d335e4a140997b6ff2a14768905b4549676b528ae99805ac816ee9e75ceb1d0f88b47e7f53ae2dd3aae74577debf428f0f6b963d1124456c3491c4e7ee8

C:\Windows\SysWOW64\Alqnah32.exe

MD5 710e907342f5a85fba7ce7c3a746b4a7
SHA1 1e115a9caf890719c16b9cd58bf33fe442ddc6a5
SHA256 68ff41dd18387a27d49272b72b911b903c10fb59f738cc3f73432b44863c0b73
SHA512 7f88c5251303423034d8247b9cf9f8c3d0d47c4666ddb307b264fed768ffc378727689dd23d27f91fb5a97a37b988565c9daa43ca0c40403ebb961c253a9ad96

C:\Windows\SysWOW64\Aoojnc32.exe

MD5 7f2d3a8811033fa2db142eb11f91d088
SHA1 299d643cf118b6889ef7174d6a795dffd3e422f5
SHA256 aebdaae7430ce4b5c91376772c290698ed984f730c22bc3961bdcb200c85e15f
SHA512 12759f2facf2832832cafae31f3a306401316c31cfdb5c0d75ff45aa36b83347662629c552628a341205d5bb0a811857f32dd68d14ca9bb70639e8f0b434d6ea

C:\Windows\SysWOW64\Aficjnpm.exe

MD5 056f9f9063c6411081329a748a0d85d0
SHA1 667b8e5c1783d2a04b3b06ed6935477df3ffeccf
SHA256 0961726fb5c41c34fa2f313ae60ca38df930c3ee4ce3e19a9f9a76c55db138d3
SHA512 c603b0a562f5a983812f6b380d2d6a5c186ba44e0aaf3de605864e52486560d2089f963e11ac61f2322297e21de4dc7f9dcefbe11785bca96c83e1ad6a3f1a35

C:\Windows\SysWOW64\Ahgofi32.exe

MD5 2b8a3735337afb4aebf5b20fc8b4b775
SHA1 d1ed4701a4e63d85bf1ebc4204c643bf691a7aa1
SHA256 7f0bf65858d0f37d3e57b71863260359d9c2e55957bc28179e3216ffe743aa37
SHA512 320331bc3164be7456404131da7334e299532e208fa929f042e962743336c36caf932672150b2eb3e657f10d966e571670f24feedef36d942ad22a0a44a55a19

C:\Windows\SysWOW64\Akfkbd32.exe

MD5 b2297020a714670d72a20b142c9a7aaa
SHA1 eb91ec7d2e5da5552bf44426918bfbfcd8c19f04
SHA256 3e96efefea84bb5c10dc6e93c5e86f754f2a565981fbaf398e78cd15899df7ba
SHA512 bd9d55292c64ca0f7493ec048f86ca84dd934c5faa10eabb39ee60e12008296645080cd71faf6803a3abb341841cc4ff0da7ea62e0beb4f511b25889e7e35baa

C:\Windows\SysWOW64\Bqeqqk32.exe

MD5 bbde9a2f0a800dc2a222d7f7dcecd16d
SHA1 d4d894b6e62b0809056dc818896dd94830b32020
SHA256 491e2f5025e5d18266a0ce316744d5f4c5eb825510cd8d9924dbcd0a99054c1b
SHA512 3be09e0cecae6f3a2d41c1439d8c27b3a25d234703a22efca751a06751f62bb032c74884022eb59de83fc9cb2220cf29d7abc8e4c74b28a4d004370f226b2b67

C:\Windows\SysWOW64\Bdqlajbb.exe

MD5 2fb8bf3fc8842890618b455019b7382a
SHA1 23848017713f8edbf4a52fd05ebe87f6e9185fbd
SHA256 c385b5c9351405b109b7312c06fcea8429dbe917003417e2aadd637cb547cda2
SHA512 ba686a6014c0c10125a4068131b95ca83904215ef124d213cf1d6dfc9dc00d2422e355ed399962c7015fa8761e5f6056746df81c2c1d7b920d8109ac0022a030

C:\Windows\SysWOW64\Bccmmf32.exe

MD5 a49e0a8677fe85295d9628a906446707
SHA1 52d2f4e77ca2f46f5cbfe47b667e1abbdff7cb37
SHA256 2d7cf59b197e50d4c522129c9086fff0ff4e6fb6da860de4813ce79494a0ee17
SHA512 c58bdb1b703e1afe761c5fa5c1d121dbfa06e8a9a7287d35e7b92a7c08933dbc0e862f1d8350da3168c31fc503d7cddeac8d6ac95e030a58b8b67f77423856cb

C:\Windows\SysWOW64\Bniajoic.exe

MD5 96bcb5df30425004b69a09a59c4a1c98
SHA1 6065f43daa27300b16dc5c4dc50f78ce1009755b
SHA256 046833a46ed9666523adcc351dc55d9058a173296bf6dfaa760c9ba6759ad1cf
SHA512 507f3b384be68e4c9872892fba88cdcd06893601fe18830140ac72813d1666b46ca31b3b2c6353994c86e374f8a1dd70634eba2f5ecac4f7e144cfe317404cad

C:\Windows\SysWOW64\Bqgmfkhg.exe

MD5 d2283d2107fc3085da5f01a6193e1165
SHA1 c222a0e3d6f550b3c54d1cbd4606b8d5ed1de904
SHA256 341c4a86d17ce7a233c542ee452960557778bcea20a25bf51ad4f33c9abf75f4
SHA512 47682fa437c734578d70c0ae68ba160933b3c39eb8e0eff2f29c5308dfe2ff4562fde63bf5eacb25ab65ee5606cad58467811264f9a0931123d4ff28f52ad0ba

C:\Windows\SysWOW64\Bceibfgj.exe

MD5 5157296e3cb713039e5bca8c52de7d0d
SHA1 98bc964167febce651653e75bbf0147ce92a4ed0
SHA256 b9abd898220c82bec53efa992dfa955595eca15cd5efcdcf8944dad07c398b29
SHA512 86bccf06c2fdca24eb7e0c387b10cb9e528c1f66468a614dec75b6710ca96e05ecb550966f8b5c3bab012fe6d5bc42cf29daa43fb80886cd478d7e9bb5469340

C:\Windows\SysWOW64\Bfdenafn.exe

MD5 6bdb54bdfc0875510097e0a5261ce559
SHA1 ea5466b96b263b2e213aeecd44b94bbc0f70feff
SHA256 3b98216af50fc4c915130ee84e9634713c0042fb4cedff404899c0e810a3b491
SHA512 b2840c0aa44e207d1043e97121b9b7cd7be7a582e288c0c55d17b62e866ce2d92124c5adbb77ee3df695edd3a293e5b073d5bb4ef428fbf507567ab76d7dc520

C:\Windows\SysWOW64\Bnknoogp.exe

MD5 cde3b3a423ab147e165f2b27dcebefbe
SHA1 fe63097f06782829f22ede803f657c6a2643d8e6
SHA256 d4442ad3f54fd7be349d6279b65bc829534813153206c3e328d3bd68297d034d
SHA512 8ee1b9aebc02e2c3e4937bcb21660a01d11ce502b6a5b5456aad14a644f0b41cc17530e6cf35f345712cb2e207bc991cf22eeb57878bc2497e6f281f1de2b32f

C:\Windows\SysWOW64\Bqijljfd.exe

MD5 feeccc7db4bd1f0bc981f875430abf1e
SHA1 9fb040f18f390e86cb8694439492da6780d7a6fe
SHA256 016bec91f12f2ad506159231f62078225329ab762f59bdb41745efcfdc54fd8c
SHA512 971f1cd9a0af46b502fa209b7d219368d1c5fd8e77e500a30ebc2bf949513ae4e54dc44c0d651fbe5971ea1aec4d02f523c2d903e461cc16dfa351a043db9016

C:\Windows\SysWOW64\Boljgg32.exe

MD5 81e0de100347195e4d8401ad12f2ccfc
SHA1 d6bdcaa036889d7bde8e8b89c62d5b5d234cc781
SHA256 af7f6180089861090194154f058602505272712feb64a8a2d7e747e908c2e953
SHA512 33c41ddf295eceb82fc8cf82c1474707e60ad45f2afd084bd71164328c60abe1352cb1971a1e5933b288cde634615dc5ecb6f22a98d0ec7e7238f669b50927a1

C:\Windows\SysWOW64\Bgcbhd32.exe

MD5 37d479fc1ca9a5d21b6ab7f6b1feb300
SHA1 617ac75978ff4a9f226a347792b160c659ffc399
SHA256 cb599b2085299dd34796da8efafdeaf4964668df230e8b32111ff227659a5fd7
SHA512 188c1ad8cfcdf4fcb1bcd535ca54354de425890f995a881d7458eda65664ddcfd435ac79508f7aceaab62ec058366c6c1f2bc1e48ed78eab708996907a3cdd44

C:\Windows\SysWOW64\Bjbndpmd.exe

MD5 e82f8a860294f373b616808bf9add006
SHA1 44c89d04944460fd100cbeef09480f862d156582
SHA256 75ec259b6eaadfea735113d87174ba985c485fbbdd060d2dc1370790469956bc
SHA512 2fbd8944ea87e0fa93ba4b6402b0f261dcff7e713274b1888f9b4c68a4d9fe5416ca3421b74cf0e14e945f1bf9e250a83bec57f9872ca11dcbca5549918ac364

C:\Windows\SysWOW64\Bqlfaj32.exe

MD5 46e8db3be514ac9b424e9e3eaa19feff
SHA1 9d202ba44dd72ce5e7b36160dbefd9b31aa92240
SHA256 c2df54b0e78f99edd4fa8634c3d689c22d0073ef76ecf7e5bf5b5c4776918413
SHA512 61d87f721c02986715ec6be06986042a61ee6404bc009c2a60db1cb7479877406a7c83dd3e2d4e42a9dfe40bc68fed407a365b10cdd1613c963b60e1aa2940f3

C:\Windows\SysWOW64\Bcjcme32.exe

MD5 a052ddefa6bc59a0a6a9eab09fe79a5d
SHA1 a630443aca7f7a7b1fd87477c3885f1103c16a3e
SHA256 5024374bded57c16330192da9f8063c2334dc719f550b8a59268c9071b7f102c
SHA512 58808ca64120577580b8f71219e79426f53b75b8a485e9d5ffd4beeb0b3895c935b46592344e1a69bb1d57fe6d6c7a8dd6c6ae56b5de62e69c9a621ddad06ac9

C:\Windows\SysWOW64\Bfioia32.exe

MD5 1dd59d4eb99234973d6e3e225058906c
SHA1 e3ee8fcb66af7d8dc6cac39bbfb55e7abcb1c049
SHA256 c4917532ec63604df1ecccff895cc851e21fa7f6ff6c0a642c07446de54f4c04
SHA512 dce146590432d0e8b666073e87b2b047f5f72528b7a43055e7fbbb5e861b8369679a684edafa02c2e6f725e4429c795e625d8cef06cdc5151e4405b6ce83fc3a

C:\Windows\SysWOW64\Bjdkjpkb.exe

MD5 99b501e585c783091029af6ef4220f77
SHA1 a61ed05f97deb11b976b8f91e4af1b7573753eae
SHA256 80aa3668e3a1caafc25ae32a76aca29d3598d3aba3ee73f7b31f1bddd689459f
SHA512 518c1169b170850e18a7be07501068d1c353de5caa73b8a2ae5bd4d02494fabade3cb5bb4883d29679bffaa7edd6674272d17cb093e52aabc1826fbdc9b8fcf0

C:\Windows\SysWOW64\Bkegah32.exe

MD5 027ffc4876d9da00b5923957d041d748
SHA1 00d5e570bee82fca74af1b9b68863375db755a1f
SHA256 6c0d63160b6235502c9287f907a196daf4d0d3b8f4fe44b707d422a90dea9ab4
SHA512 51227c6e676ee2254290bdfb7480a29a6607ef63d9a3149190e5e1f73ae064a42e1abc9cb0f0276e9d91b25cc1439793860a841d578e1baf144b0334de068146

C:\Windows\SysWOW64\Coacbfii.exe

MD5 7ff07557b7f2dfaef274abf1f2438d69
SHA1 a105d2e20ab27ca2985095086fcee1cdfd8edd48
SHA256 f8ec06dec3cec00fcbe07f89ddd6fc00e4d8284c12e6bc42c0626984cf749007
SHA512 e222fa3db373ad8d76166a263e0e5cf811bad5e10dc2ac8d9537a78bbce90b49ebf6798196d7e561091d3a659884a827ac3cf6d52344bf7624ae015643f0aeee

C:\Windows\SysWOW64\Cfkloq32.exe

MD5 f26c29924c7d2086ea74ac3667846ac3
SHA1 3cdcdf9935dc877442a71b1d377579c8cab5d538
SHA256 6bf003de6b8fd956da0cac3ae51bc219b518b753dde57d979bed768366e80356
SHA512 bbea0fa424c0deb64c61b450013ebfa0daf69d578f1fe9ba1d6dd2972179e37dd5286ff1cf37a6ea5dff63c537b5634d693576a8a7d14ea0612128ea500d461b

C:\Windows\SysWOW64\Cocphf32.exe

MD5 795d2601f90cd482c17cb94b7ae2e346
SHA1 3dc88329fc77a7c47bde868ecc3daac8ee35e0f3
SHA256 4a7664eb37d1f839d73f67c09e8abeb591ffbbf0cb3a9677d7b37b5b254da873
SHA512 6b531cebdcac685ee36d4d2b9931b47bce76153fa43c96ca6ebb0473a8aca0eb9c4951ba791ac3defcab9242cf1ab7e259bd91f600768d60990e09478f2e851b

C:\Windows\SysWOW64\Cfmhdpnc.exe

MD5 2bb69267e0788efe9cd5d0c0f4334099
SHA1 a526c9607f3b6601a7a90c4ff212ec4677827165
SHA256 91d9f9660ef0a4e31438196255c9a9c18279590ba298513efea834026160e578
SHA512 a9d53dfd7ea4eb842eb99d3208e4d120e10ff9472f230e3bab7ed41850ee5d17503e1e052f450761289f0257099e76998e9757d52dc9a1ba1aa65497d6622536

C:\Windows\SysWOW64\Cileqlmg.exe

MD5 341b606ddfc86a2cff7e51babcb4f1d2
SHA1 3f7af962c6ad7139fb084c79a4b8a373b9631ca5
SHA256 6196b7f1f6e0c17ceb3bd1901bed27fcabf4f53f16cb75d22685c83634f7a06e
SHA512 45737d4dc6e3cef8fbac7064e807a1e0cb47b0d931fd8a0a2ec6bd93bdcc054c4bd5884e74801fc2d143813ca2e36f8fac67b7f4a3a616c8502384a0563079d2

C:\Windows\SysWOW64\Ckjamgmk.exe

MD5 cdea817344eb45afe41093c7a58bea20
SHA1 c6a7139d7731bf9044b33e83365bd0788a5a0aad
SHA256 ad976e187cc91e980e75de82bf1743b65f36c3091bb3f5cd6e99dc9a2cafb88c
SHA512 4cadf63bc84ba8faa51b8451b685156b587c7fec1a318b280c713ab12b8082b53a9aef87a9955865706a61d59bb38c38b72032ade7f32551db2048b2e7239abc

C:\Windows\SysWOW64\Cebeem32.exe

MD5 83d4f2b66ecd71332001f4cd12b22622
SHA1 f773fc2b7ad56d5e582c701efa3ec387c673446f
SHA256 2eb48fa663989642d46d622e60c13fc1c500d96ed7d56f2eac27c42706cb5f72
SHA512 05ad5451ecc5860488590e9111bfc77e121b2a5e88d6f76c3081738729188aa79d8412f4857513b9af6a96839c8fd7387ce2e1825d970d28a841cc81e5e36960

C:\Windows\SysWOW64\Cgaaah32.exe

MD5 6697a69bee0d8ad74879cb2de4efa803
SHA1 09b12f5691f5d1ad3fbad8d2752ac7608ca892be
SHA256 5d0756f7549bc5c22630e6425cf95f7d863056362bd11cfe38c9cce214e3ce9b
SHA512 30ef86dc84e8d6d212f112e14c57894bbf4f928ab20ecc3a293c0e824a3f4cfd173856d21beb731dd03157c52fb035feff700ad1805429a1ea08bdcc9bb4fb48

C:\Windows\SysWOW64\Cjonncab.exe

MD5 54976e6d76e2cc085150917718066d0b
SHA1 c1abc43d07d2d2af7440abe961ee72689720395e
SHA256 2877a8b4654f822e4c8169fa709dd3d65929bd7c892808e4f4f72f243e63b1e6
SHA512 3e20de208595f456e75d923a97d7b32780be950d1e7bff0559fec41698083e2bc5035457da5bebcbdb63036a288a81b7ba9e91e6273a1e876c3aa4fb2e2561a5

C:\Windows\SysWOW64\Cbffoabe.exe

MD5 613accad1a69f25036ecc3a723256884
SHA1 49e06d08bb5d0be7f1890d77268872469524750d
SHA256 70d42d96d8f7d73d987f43ff4ba8dc158fb1922637ace57bb317ef79b1fd8a0e
SHA512 78c4f825e02b3c570ed6c8b9782faa0c435d36af55bdfca1b05d6e0c5e21ea13dfb3805238fee8b46886114f51a89ef954e00a2b79ecbf415a2d4262d4279bd0

C:\Windows\SysWOW64\Caifjn32.exe

MD5 96b7c39ea1f0f4c73f61b8f667f7b998
SHA1 0f0e14f6498d671378d88c2ef34cb30b8bcca1d2
SHA256 6cbc8d8a6ed3d4c43206e31dab913d3c3bcce56d4222c0000892c928985b1d13
SHA512 81a777a4538633e46079c18a39441b22fe71f2e24e83c06c39f11fd3adba12c7c7d33c6eab2bcb6ed8a2e9ffab4bf2c7eb33259290a64d7949b7d8406760b98d

C:\Windows\SysWOW64\Cchbgi32.exe

MD5 214c227970a9970245329a94f985011b
SHA1 42664ed2bd8adee76069293a60e5076724bd53d3
SHA256 7ad7f8a90220f991ae51d54f520eef8b8fda9a57b5257091b31b34f7244e8f55
SHA512 ea6f3c760d1408ba69bbeea28471d85da7314bfab39f5d5606bb2f740b76fb38db28154c491a9920669862aa8ee3bd9df2873b0929cc7cb9ed2ec44fc072c777

C:\Windows\SysWOW64\Clojhf32.exe

MD5 f98b6e3ae72180b65184af307e09ae3d
SHA1 5a4a4a8c28fd5e60d1165f37b05e1e3e4dec6b0f
SHA256 8ea49f6208d730b507fec614866cbc19811c617e4fb804621b85400ba1ebbf30
SHA512 af2ceaf88560075b7b50cebe45b84fb554fe2876e9d857a092abf9e37b5f465aea03774c18fc0713ed8d1bcc59e81b018c2c68c3deb28b953973c1f4ff9b6dbc

C:\Windows\SysWOW64\Cnmfdb32.exe

MD5 4384d137ae32505863da29a6c3888e55
SHA1 f4752dcc62eac082e0c8f5a9d1692fcb813f962b
SHA256 7d15a25b0fb02f2316c9df75459251f3a1ac76f246a0455c87594d98eaf74d59
SHA512 180f313e11ec70581408aa71dc7fea8ce25ba11f3e479a0db76224eca9a2955d0ac05f0237338c013fa249fa57199eae17087c9d662a1c7afd1b1e1e66ed77b8

C:\Windows\SysWOW64\Cmpgpond.exe

MD5 11a56fb775d186d5fdf74cdf0bcdb253
SHA1 38834106e0959eb706cdd9206c532c5f7de59b28
SHA256 98339905bc55eae3254198df3ba7785097976c1c00aad729550fcadaf5fb4ed3
SHA512 ad38ad6d82c8335d1c2039b6ee5a8002d1da282da2d90860977590fbcfa9f75d3715d3f0e0c7254f1590915ed4b7aff1ac6398a8c023505fa650e6f3bd4b3590

C:\Windows\SysWOW64\Ccjoli32.exe

MD5 8bd0b58121bf3636df1d8ff88544a7e0
SHA1 096163b5f8e6e920e48f0d8a3540ed24d4406ad5
SHA256 f028bc73d6a725757d6230563cab49e78131a63d29cef67331107fc2ccac6210
SHA512 e11ae56fd81a3eb67b8cbb5abce40257a89cd510c76f8763eda3fe052a500dd1a051a540e0fc39127ad5f5e34dc213da035106f813287434c00efbdc58cb07fe

C:\Windows\SysWOW64\Cfhkhd32.exe

MD5 f74b1168416724d4678745214cb8be44
SHA1 19ce24029442d0b94b89a01e729f0ad79497354b
SHA256 cdaff1d5a8380c944140f018abef0967d005c33e655cbc9aa003cea0f4d898c9
SHA512 bc17c85a39ad90a49517af6e16e7adadabcf60949858153242f57d6868817c365b4224d8f2a83e76deb4ca4bd0e3071ec15243d1b25f49093d107dc9e94e2ab2

C:\Windows\SysWOW64\Dnpciaef.exe

MD5 81f2c47e162a70f8020b6ea4d83f2999
SHA1 d3e975b0a03170affab610a3a1d844b6d83d51c7
SHA256 ca436dc38771d36441c4f7da2a87f281954d33fb04dc92237ec7cf8b739b4432
SHA512 4e269f58592d97fa5b18061e0707c8d60eefd8ed404dfdc214018f29be1d0011d095aff85552e029af636d70d24a488c20c17954707ca875bececb647e4fa397

C:\Windows\SysWOW64\Dmbcen32.exe

MD5 f13238043b0e94ddd00569f0274fe615
SHA1 ee0f744e964b9096902e9d6e4697acf002e99eed
SHA256 9c5f8cf254af505f1cccbbd44476a31861e56e1304700a73c494b178686e862f
SHA512 1e3c20c5939c81af61a296692b238245b38fd0ed9739647c23eafbc4b4f88f94da3fabc9c8b9ba2408d03d84160e6eac2078250e1fcf10f8d06f2386a1573a08

C:\Windows\SysWOW64\Dpapaj32.exe

MD5 877b3d9e0cacee9911166e47f9dd66fe
SHA1 75e2e72d5df2d48522fc2f7b36e92c88da574e5a
SHA256 23ccdc2fd238ea2e4b29b645db3e25a4270595e937f10cc3d4cb22d6ef8208a3
SHA512 04f65aaf94a4bf116ae1070c7f0df76bc64796bbf8dfcb8c46aef761f7c819431c47956d40801d799c447b83ed3bccbbcd42fcadd521fe11d2af0e8a4def338c

memory/2352-1429-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1440-1603-0x0000000000400000-0x0000000000468000-memory.dmp

memory/944-1607-0x0000000000400000-0x0000000000468000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 04:52

Reported

2024-08-06 04:54

Platform

win10v2004-20240802-en

Max time kernel

96s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ohfami32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Kcmmhj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qhkdof32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bddcenpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nlhkgi32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qmgelf32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lgdidgjg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mjlhgaqp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nfcabp32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Onapdl32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpbjkn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cpfcfmlp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Jqhafffk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Eoideh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Fpimlfke.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lncjlq32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Bogkmgba.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Phdnngdn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Dngjff32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jghpbk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Paelfmaf.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Jjpode32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pnmopk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ekdnei32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Neclenfo.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ohhnbhok.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cofnik32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ofmdio32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mkhapk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Koodbl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Loighj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qachgk32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Fmfgek32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Qhmqdemc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kfnfjehl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bklfgo32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Njjdho32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nnkpnclp.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ohmhmh32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Paeelgnj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Badanigc.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Iinjhh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mjodla32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lkeekk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kgninn32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mmpdhboj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Odhifjkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kngkqbgl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Qobhkjdi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Malpia32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mkadfj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Aeaanjkl.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Imgicgca.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ifomll32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nopfpgip.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Gppcmeem.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Pjkmomfn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Bnlhncgi.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Meiioonj.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cfipef32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Cbbnpg32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Aaldccip.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Kdmqmc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ojgjndno.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Jpdhkf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcbdgb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jjlmclqa.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlkipgpe.exe N/A
N/A N/A C:\Windows\SysWOW64\Jqhafffk.exe N/A
N/A N/A C:\Windows\SysWOW64\Jcgnbaeo.exe N/A
N/A N/A C:\Windows\SysWOW64\Jgbjbp32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jnlbojee.exe N/A
N/A N/A C:\Windows\SysWOW64\Jlobkg32.exe N/A
N/A N/A C:\Windows\SysWOW64\Jdfjld32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkpbin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Knooej32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kqmkae32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kmdlffhj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kqbdldnq.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdmqmc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkgiimng.exe N/A
N/A N/A C:\Windows\SysWOW64\Knfeeimj.exe N/A
N/A N/A C:\Windows\SysWOW64\Kqdaadln.exe N/A
N/A N/A C:\Windows\SysWOW64\Kdpmbc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kgninn32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kkjeomld.exe N/A
N/A N/A C:\Windows\SysWOW64\Knhakh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Kqfngd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgqfdnah.exe N/A
N/A N/A C:\Windows\SysWOW64\Lklbdm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ljobpiql.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmmolepp.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcggio32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lgccinoe.exe N/A
N/A N/A C:\Windows\SysWOW64\Lknojl32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lekmnajj.exe N/A
N/A N/A C:\Windows\SysWOW64\Lcnmin32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lkeekk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lmgabcge.exe N/A
N/A N/A C:\Windows\SysWOW64\Lqbncb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkhapk32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjkblhfo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mminhceb.exe N/A
N/A N/A C:\Windows\SysWOW64\Madjhb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mccfdmmo.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnmdme32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mmpdhboj.exe N/A
N/A N/A C:\Windows\SysWOW64\Malpia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Megljppl.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgehfkop.exe N/A
N/A N/A C:\Windows\SysWOW64\Mkadfj32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mjdebfnd.exe N/A
N/A N/A C:\Windows\SysWOW64\Mnpabe32.exe N/A
N/A N/A C:\Windows\SysWOW64\Manmoq32.exe N/A
N/A N/A C:\Windows\SysWOW64\Meiioonj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nghekkmn.exe N/A
N/A N/A C:\Windows\SysWOW64\Njfagf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmenca32.exe N/A
N/A N/A C:\Windows\SysWOW64\Napjdpcn.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncofplba.exe N/A
N/A N/A C:\Windows\SysWOW64\Nmgjia32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlhkgi32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njkkbehl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nnfgcd32.exe N/A
N/A N/A C:\Windows\SysWOW64\Naecop32.exe N/A
N/A N/A C:\Windows\SysWOW64\Neqopnhb.exe N/A
N/A N/A C:\Windows\SysWOW64\Nlkgmh32.exe N/A
N/A N/A C:\Windows\SysWOW64\Njmhhefi.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Bomkcm32.exe C:\Windows\SysWOW64\Bhbcfbjk.exe N/A
File created C:\Windows\SysWOW64\Fmfgek32.exe C:\Windows\SysWOW64\Fbpchb32.exe N/A
File created C:\Windows\SysWOW64\Cpfcfmlp.exe C:\Windows\SysWOW64\Coegoe32.exe N/A
File created C:\Windows\SysWOW64\Jjpode32.exe C:\Windows\SysWOW64\Jgbchj32.exe N/A
File created C:\Windows\SysWOW64\Clahmb32.dll C:\Windows\SysWOW64\Lobjni32.exe N/A
File opened for modification C:\Windows\SysWOW64\Njfkmphe.exe C:\Windows\SysWOW64\Nggnadib.exe N/A
File created C:\Windows\SysWOW64\Ijilflah.dll C:\Windows\SysWOW64\Cdpcal32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dafppp32.exe C:\Windows\SysWOW64\Cogddd32.exe N/A
File created C:\Windows\SysWOW64\Lfojjf32.dll C:\Windows\SysWOW64\Jcbdgb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mjkblhfo.exe C:\Windows\SysWOW64\Mkhapk32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mkadfj32.exe C:\Windows\SysWOW64\Mgehfkop.exe N/A
File created C:\Windows\SysWOW64\Chnidloo.dll C:\Windows\SysWOW64\Bheplb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Onmfimga.exe C:\Windows\SysWOW64\Ogcnmc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ohlqcagj.exe C:\Windows\SysWOW64\Oabhfg32.exe N/A
File created C:\Windows\SysWOW64\Ecpfpo32.dll C:\Windows\SysWOW64\Bdagpnbk.exe N/A
File created C:\Windows\SysWOW64\Hponje32.dll C:\Windows\SysWOW64\Ohmhmh32.exe N/A
File created C:\Windows\SysWOW64\Abdkep32.dll C:\Windows\SysWOW64\Ekodjiol.exe N/A
File created C:\Windows\SysWOW64\Hmkqgckn.dll C:\Windows\SysWOW64\Loighj32.exe N/A
File created C:\Windows\SysWOW64\Kmeddp32.dll C:\Windows\SysWOW64\Bochmn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Lmdnbn32.exe C:\Windows\SysWOW64\Lfjfecno.exe N/A
File opened for modification C:\Windows\SysWOW64\Paoollik.exe C:\Windows\SysWOW64\Popbpqjh.exe N/A
File opened for modification C:\Windows\SysWOW64\Anaomkdb.exe C:\Windows\SysWOW64\Akccap32.exe N/A
File created C:\Windows\SysWOW64\Kodnmkap.exe C:\Windows\SysWOW64\Kncaec32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgeakekd.exe C:\Windows\SysWOW64\Mqkiok32.exe N/A
File created C:\Windows\SysWOW64\Onkidm32.exe C:\Windows\SysWOW64\Nfcabp32.exe N/A
File created C:\Windows\SysWOW64\Dhbebj32.exe C:\Windows\SysWOW64\Dpkmal32.exe N/A
File created C:\Windows\SysWOW64\Balenlhn.dll C:\Windows\SysWOW64\Oejbfmpg.exe N/A
File created C:\Windows\SysWOW64\Ogpoeg32.dll C:\Windows\SysWOW64\Anmfbl32.exe N/A
File created C:\Windows\SysWOW64\Jofalmmp.exe C:\Windows\SysWOW64\Jocefm32.exe N/A
File created C:\Windows\SysWOW64\Bghgmioe.dll C:\Windows\SysWOW64\Cogddd32.exe N/A
File opened for modification C:\Windows\SysWOW64\Bgkiaj32.exe C:\Windows\SysWOW64\Apaadpng.exe N/A
File opened for modification C:\Windows\SysWOW64\Kkgiimng.exe C:\Windows\SysWOW64\Kdmqmc32.exe N/A
File created C:\Windows\SysWOW64\Mdeodj32.dll C:\Windows\SysWOW64\Lkeekk32.exe N/A
File created C:\Windows\SysWOW64\Mokmdh32.exe C:\Windows\SysWOW64\Mmmqhl32.exe N/A
File created C:\Windows\SysWOW64\Bffcpg32.exe C:\Windows\SysWOW64\Bomkcm32.exe N/A
File created C:\Windows\SysWOW64\Flfkkhid.exe C:\Windows\SysWOW64\Efjbcakl.exe N/A
File created C:\Windows\SysWOW64\Eanmnefk.dll C:\Windows\SysWOW64\Llmhaold.exe N/A
File created C:\Windows\SysWOW64\Ombcji32.exe C:\Windows\SysWOW64\Ofhknodl.exe N/A
File created C:\Windows\SysWOW64\Odhifjkg.exe C:\Windows\SysWOW64\Nnkpnclp.exe N/A
File created C:\Windows\SysWOW64\Ejoaandc.dll C:\Windows\SysWOW64\Aekddhcb.exe N/A
File created C:\Windows\SysWOW64\Abjfai32.dll C:\Windows\SysWOW64\Ahippdbe.exe N/A
File created C:\Windows\SysWOW64\Anhejhfp.dll C:\Windows\SysWOW64\Jocefm32.exe N/A
File created C:\Windows\SysWOW64\Kngkqbgl.exe C:\Windows\SysWOW64\Kfpcoefj.exe N/A
File created C:\Windows\SysWOW64\Fenpmnno.dll C:\Windows\SysWOW64\Ogcnmc32.exe N/A
File created C:\Windows\SysWOW64\Aijjhbli.dll C:\Windows\SysWOW64\Cgifbhid.exe N/A
File opened for modification C:\Windows\SysWOW64\Oejbfmpg.exe C:\Windows\SysWOW64\Omcjep32.exe N/A
File created C:\Windows\SysWOW64\Oodcdb32.exe C:\Windows\SysWOW64\Ohkkhhmh.exe N/A
File opened for modification C:\Windows\SysWOW64\Hlglidlo.exe C:\Windows\SysWOW64\Hiipmhmk.exe N/A
File created C:\Windows\SysWOW64\Qdbdcg32.exe C:\Windows\SysWOW64\Qachgk32.exe N/A
File created C:\Windows\SysWOW64\Nagiji32.exe C:\Windows\SysWOW64\Nnhmnn32.exe N/A
File opened for modification C:\Windows\SysWOW64\Qjiipk32.exe C:\Windows\SysWOW64\Qhjmdp32.exe N/A
File created C:\Windows\SysWOW64\Kdpmbc32.exe C:\Windows\SysWOW64\Kqdaadln.exe N/A
File opened for modification C:\Windows\SysWOW64\Akqfkp32.exe C:\Windows\SysWOW64\Ahbjoe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dmadco32.exe C:\Windows\SysWOW64\Dbkqfe32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nnhmnn32.exe C:\Windows\SysWOW64\Nfaemp32.exe N/A
File created C:\Windows\SysWOW64\Blqhpg32.dll C:\Windows\SysWOW64\Onkidm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Onapdl32.exe C:\Windows\SysWOW64\Ofkgcobj.exe N/A
File created C:\Windows\SysWOW64\Ndikch32.dll C:\Windows\SysWOW64\Baegibae.exe N/A
File created C:\Windows\SysWOW64\Gfhndpol.exe C:\Windows\SysWOW64\Gpnfge32.exe N/A
File created C:\Windows\SysWOW64\Gbnoiqdq.exe C:\Windows\SysWOW64\Gppcmeem.exe N/A
File created C:\Windows\SysWOW64\Fopjdidn.dll C:\Windows\SysWOW64\Mqkiok32.exe N/A
File created C:\Windows\SysWOW64\Lobjni32.exe C:\Windows\SysWOW64\Lmdnbn32.exe N/A
File created C:\Windows\SysWOW64\Bdlgcp32.dll C:\Windows\SysWOW64\Ohlqcagj.exe N/A
File created C:\Windows\SysWOW64\Pjehnm32.dll C:\Windows\SysWOW64\Pplobcpp.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Dkqaoe32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jokkgl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Agimkk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kqfngd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Megljppl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Omcjep32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ahdged32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nqbpojnp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jgbchj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Qjiipk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Omgmeigd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aknbkjfh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dafppp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jpdhkf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Lekmnajj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nnfgcd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nceefd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gifkpknp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ibaeen32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Llmhaold.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bkibgh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bgelgi32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pecellgl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Emhkdmlg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Onkidm32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ocohmc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bnlhncgi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njfagf32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gnepna32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aagkhd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pkegpb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dbpjaeoc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kqdaadln.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pmblagmf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adkqoohc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Anaomkdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ffnknafg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Kncaec32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdbfab32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Gppcmeem.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oodcdb32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njjdho32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cpmapodj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Albpkc32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dhbebj32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Nagiji32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Koodbl32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Pnmopk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Adcjop32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Aknifq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Hiipmhmk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Jghpbk32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oakbehfe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Addaif32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dmadco32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Eoideh32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Oalipoiq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Bhbcfbjk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Chdialdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Cdkifmjq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Njmhhefi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Dpkmal32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Apmhiq32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Ncofplba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Phdnngdn.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifomef32.dll" C:\Windows\SysWOW64\Ocjoadei.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nlkgmh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pkegpb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfklem32.dll" C:\Windows\SysWOW64\Adkgje32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhfif32.dll" C:\Windows\SysWOW64\Johnamkm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nopfpgip.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nglhld32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nceefd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll" C:\Windows\SysWOW64\Dhbebj32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Kofkbk32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nlkgmh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oibqpk32.dll" C:\Windows\SysWOW64\Nlmdbh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojbacd32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgaff32.dll" C:\Windows\SysWOW64\Anaomkdb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dbkqfe32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dmadco32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Hlglidlo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lgdidgjg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Moipoh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpkdp32.dll" C:\Windows\SysWOW64\Oabhfg32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aokkahlo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lgibpf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Aggpfkjj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Apmhiq32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hponje32.dll" C:\Windows\SysWOW64\Ohmhmh32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ddgplado.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dmcain32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Llmhaold.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Adkqoohc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Qmgelf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Chdialdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffchaq32.dll" C:\Windows\SysWOW64\Aehgnied.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mqafhl32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mfnoqc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpghll32.dll" C:\Windows\SysWOW64\Oakbehfe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ohlqcagj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pjpfjl32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Pdmdnadc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dbpjaeoc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Gbchdp32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lebcnn32.dll" C:\Windows\SysWOW64\Oaqbkn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Fnipbc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Chdialdl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjgdg32.dll" C:\Windows\SysWOW64\Aoalgn32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Doaneiop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dngjff32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnmog32.dll" C:\Windows\SysWOW64\Gifkpknp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Oplfkeob.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Bddcenpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Napjdpcn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nmgjia32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ojdnid32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mnmmboed.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Cogddd32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Dnmaea32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Dijbno32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmfqknfm.dll" C:\Windows\SysWOW64\Lfjfecno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Albpkc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdahdiml.dll" C:\Windows\SysWOW64\Igajal32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mjodla32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdeodj32.dll" C:\Windows\SysWOW64\Lkeekk32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Njfkmphe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nnhmnn32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Pnmopk32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1032 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe C:\Windows\SysWOW64\Jpdhkf32.exe
PID 1032 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe C:\Windows\SysWOW64\Jpdhkf32.exe
PID 1032 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe C:\Windows\SysWOW64\Jpdhkf32.exe
PID 400 wrote to memory of 3608 N/A C:\Windows\SysWOW64\Jpdhkf32.exe C:\Windows\SysWOW64\Jcbdgb32.exe
PID 400 wrote to memory of 3608 N/A C:\Windows\SysWOW64\Jpdhkf32.exe C:\Windows\SysWOW64\Jcbdgb32.exe
PID 400 wrote to memory of 3608 N/A C:\Windows\SysWOW64\Jpdhkf32.exe C:\Windows\SysWOW64\Jcbdgb32.exe
PID 3608 wrote to memory of 4176 N/A C:\Windows\SysWOW64\Jcbdgb32.exe C:\Windows\SysWOW64\Jjlmclqa.exe
PID 3608 wrote to memory of 4176 N/A C:\Windows\SysWOW64\Jcbdgb32.exe C:\Windows\SysWOW64\Jjlmclqa.exe
PID 3608 wrote to memory of 4176 N/A C:\Windows\SysWOW64\Jcbdgb32.exe C:\Windows\SysWOW64\Jjlmclqa.exe
PID 4176 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Jjlmclqa.exe C:\Windows\SysWOW64\Jlkipgpe.exe
PID 4176 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Jjlmclqa.exe C:\Windows\SysWOW64\Jlkipgpe.exe
PID 4176 wrote to memory of 2952 N/A C:\Windows\SysWOW64\Jjlmclqa.exe C:\Windows\SysWOW64\Jlkipgpe.exe
PID 2952 wrote to memory of 2908 N/A C:\Windows\SysWOW64\Jlkipgpe.exe C:\Windows\SysWOW64\Jqhafffk.exe
PID 2952 wrote to memory of 2908 N/A C:\Windows\SysWOW64\Jlkipgpe.exe C:\Windows\SysWOW64\Jqhafffk.exe
PID 2952 wrote to memory of 2908 N/A C:\Windows\SysWOW64\Jlkipgpe.exe C:\Windows\SysWOW64\Jqhafffk.exe
PID 2908 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Jqhafffk.exe C:\Windows\SysWOW64\Jcgnbaeo.exe
PID 2908 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Jqhafffk.exe C:\Windows\SysWOW64\Jcgnbaeo.exe
PID 2908 wrote to memory of 1340 N/A C:\Windows\SysWOW64\Jqhafffk.exe C:\Windows\SysWOW64\Jcgnbaeo.exe
PID 1340 wrote to memory of 3356 N/A C:\Windows\SysWOW64\Jcgnbaeo.exe C:\Windows\SysWOW64\Jgbjbp32.exe
PID 1340 wrote to memory of 3356 N/A C:\Windows\SysWOW64\Jcgnbaeo.exe C:\Windows\SysWOW64\Jgbjbp32.exe
PID 1340 wrote to memory of 3356 N/A C:\Windows\SysWOW64\Jcgnbaeo.exe C:\Windows\SysWOW64\Jgbjbp32.exe
PID 3356 wrote to memory of 3776 N/A C:\Windows\SysWOW64\Jgbjbp32.exe C:\Windows\SysWOW64\Jnlbojee.exe
PID 3356 wrote to memory of 3776 N/A C:\Windows\SysWOW64\Jgbjbp32.exe C:\Windows\SysWOW64\Jnlbojee.exe
PID 3356 wrote to memory of 3776 N/A C:\Windows\SysWOW64\Jgbjbp32.exe C:\Windows\SysWOW64\Jnlbojee.exe
PID 3776 wrote to memory of 4944 N/A C:\Windows\SysWOW64\Jnlbojee.exe C:\Windows\SysWOW64\Jlobkg32.exe
PID 3776 wrote to memory of 4944 N/A C:\Windows\SysWOW64\Jnlbojee.exe C:\Windows\SysWOW64\Jlobkg32.exe
PID 3776 wrote to memory of 4944 N/A C:\Windows\SysWOW64\Jnlbojee.exe C:\Windows\SysWOW64\Jlobkg32.exe
PID 4944 wrote to memory of 436 N/A C:\Windows\SysWOW64\Jlobkg32.exe C:\Windows\SysWOW64\Jdfjld32.exe
PID 4944 wrote to memory of 436 N/A C:\Windows\SysWOW64\Jlobkg32.exe C:\Windows\SysWOW64\Jdfjld32.exe
PID 4944 wrote to memory of 436 N/A C:\Windows\SysWOW64\Jlobkg32.exe C:\Windows\SysWOW64\Jdfjld32.exe
PID 436 wrote to memory of 3588 N/A C:\Windows\SysWOW64\Jdfjld32.exe C:\Windows\SysWOW64\Kkpbin32.exe
PID 436 wrote to memory of 3588 N/A C:\Windows\SysWOW64\Jdfjld32.exe C:\Windows\SysWOW64\Kkpbin32.exe
PID 436 wrote to memory of 3588 N/A C:\Windows\SysWOW64\Jdfjld32.exe C:\Windows\SysWOW64\Kkpbin32.exe
PID 3588 wrote to memory of 1908 N/A C:\Windows\SysWOW64\Kkpbin32.exe C:\Windows\SysWOW64\Knooej32.exe
PID 3588 wrote to memory of 1908 N/A C:\Windows\SysWOW64\Kkpbin32.exe C:\Windows\SysWOW64\Knooej32.exe
PID 3588 wrote to memory of 1908 N/A C:\Windows\SysWOW64\Kkpbin32.exe C:\Windows\SysWOW64\Knooej32.exe
PID 1908 wrote to memory of 4528 N/A C:\Windows\SysWOW64\Knooej32.exe C:\Windows\SysWOW64\Kqmkae32.exe
PID 1908 wrote to memory of 4528 N/A C:\Windows\SysWOW64\Knooej32.exe C:\Windows\SysWOW64\Kqmkae32.exe
PID 1908 wrote to memory of 4528 N/A C:\Windows\SysWOW64\Knooej32.exe C:\Windows\SysWOW64\Kqmkae32.exe
PID 4528 wrote to memory of 4240 N/A C:\Windows\SysWOW64\Kqmkae32.exe C:\Windows\SysWOW64\Kmdlffhj.exe
PID 4528 wrote to memory of 4240 N/A C:\Windows\SysWOW64\Kqmkae32.exe C:\Windows\SysWOW64\Kmdlffhj.exe
PID 4528 wrote to memory of 4240 N/A C:\Windows\SysWOW64\Kqmkae32.exe C:\Windows\SysWOW64\Kmdlffhj.exe
PID 4240 wrote to memory of 4948 N/A C:\Windows\SysWOW64\Kmdlffhj.exe C:\Windows\SysWOW64\Kqbdldnq.exe
PID 4240 wrote to memory of 4948 N/A C:\Windows\SysWOW64\Kmdlffhj.exe C:\Windows\SysWOW64\Kqbdldnq.exe
PID 4240 wrote to memory of 4948 N/A C:\Windows\SysWOW64\Kmdlffhj.exe C:\Windows\SysWOW64\Kqbdldnq.exe
PID 4948 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Kqbdldnq.exe C:\Windows\SysWOW64\Kdmqmc32.exe
PID 4948 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Kqbdldnq.exe C:\Windows\SysWOW64\Kdmqmc32.exe
PID 4948 wrote to memory of 2504 N/A C:\Windows\SysWOW64\Kqbdldnq.exe C:\Windows\SysWOW64\Kdmqmc32.exe
PID 2504 wrote to memory of 4036 N/A C:\Windows\SysWOW64\Kdmqmc32.exe C:\Windows\SysWOW64\Kkgiimng.exe
PID 2504 wrote to memory of 4036 N/A C:\Windows\SysWOW64\Kdmqmc32.exe C:\Windows\SysWOW64\Kkgiimng.exe
PID 2504 wrote to memory of 4036 N/A C:\Windows\SysWOW64\Kdmqmc32.exe C:\Windows\SysWOW64\Kkgiimng.exe
PID 4036 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Kkgiimng.exe C:\Windows\SysWOW64\Knfeeimj.exe
PID 4036 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Kkgiimng.exe C:\Windows\SysWOW64\Knfeeimj.exe
PID 4036 wrote to memory of 2284 N/A C:\Windows\SysWOW64\Kkgiimng.exe C:\Windows\SysWOW64\Knfeeimj.exe
PID 2284 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Knfeeimj.exe C:\Windows\SysWOW64\Kqdaadln.exe
PID 2284 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Knfeeimj.exe C:\Windows\SysWOW64\Kqdaadln.exe
PID 2284 wrote to memory of 2716 N/A C:\Windows\SysWOW64\Knfeeimj.exe C:\Windows\SysWOW64\Kqdaadln.exe
PID 2716 wrote to memory of 556 N/A C:\Windows\SysWOW64\Kqdaadln.exe C:\Windows\SysWOW64\Kdpmbc32.exe
PID 2716 wrote to memory of 556 N/A C:\Windows\SysWOW64\Kqdaadln.exe C:\Windows\SysWOW64\Kdpmbc32.exe
PID 2716 wrote to memory of 556 N/A C:\Windows\SysWOW64\Kqdaadln.exe C:\Windows\SysWOW64\Kdpmbc32.exe
PID 556 wrote to memory of 4808 N/A C:\Windows\SysWOW64\Kdpmbc32.exe C:\Windows\SysWOW64\Kgninn32.exe
PID 556 wrote to memory of 4808 N/A C:\Windows\SysWOW64\Kdpmbc32.exe C:\Windows\SysWOW64\Kgninn32.exe
PID 556 wrote to memory of 4808 N/A C:\Windows\SysWOW64\Kdpmbc32.exe C:\Windows\SysWOW64\Kgninn32.exe
PID 4808 wrote to memory of 4864 N/A C:\Windows\SysWOW64\Kgninn32.exe C:\Windows\SysWOW64\Kkjeomld.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe

"C:\Users\Admin\AppData\Local\Temp\5f8259916253272ccce5b83769af9bf0N.exe"

C:\Windows\SysWOW64\Jpdhkf32.exe

C:\Windows\system32\Jpdhkf32.exe

C:\Windows\SysWOW64\Jcbdgb32.exe

C:\Windows\system32\Jcbdgb32.exe

C:\Windows\SysWOW64\Jjlmclqa.exe

C:\Windows\system32\Jjlmclqa.exe

C:\Windows\SysWOW64\Jlkipgpe.exe

C:\Windows\system32\Jlkipgpe.exe

C:\Windows\SysWOW64\Jqhafffk.exe

C:\Windows\system32\Jqhafffk.exe

C:\Windows\SysWOW64\Jcgnbaeo.exe

C:\Windows\system32\Jcgnbaeo.exe

C:\Windows\SysWOW64\Jgbjbp32.exe

C:\Windows\system32\Jgbjbp32.exe

C:\Windows\SysWOW64\Jnlbojee.exe

C:\Windows\system32\Jnlbojee.exe

C:\Windows\SysWOW64\Jlobkg32.exe

C:\Windows\system32\Jlobkg32.exe

C:\Windows\SysWOW64\Jdfjld32.exe

C:\Windows\system32\Jdfjld32.exe

C:\Windows\SysWOW64\Kkpbin32.exe

C:\Windows\system32\Kkpbin32.exe

C:\Windows\SysWOW64\Knooej32.exe

C:\Windows\system32\Knooej32.exe

C:\Windows\SysWOW64\Kqmkae32.exe

C:\Windows\system32\Kqmkae32.exe

C:\Windows\SysWOW64\Kmdlffhj.exe

C:\Windows\system32\Kmdlffhj.exe

C:\Windows\SysWOW64\Kqbdldnq.exe

C:\Windows\system32\Kqbdldnq.exe

C:\Windows\SysWOW64\Kdmqmc32.exe

C:\Windows\system32\Kdmqmc32.exe

C:\Windows\SysWOW64\Kkgiimng.exe

C:\Windows\system32\Kkgiimng.exe

C:\Windows\SysWOW64\Knfeeimj.exe

C:\Windows\system32\Knfeeimj.exe

C:\Windows\SysWOW64\Kqdaadln.exe

C:\Windows\system32\Kqdaadln.exe

C:\Windows\SysWOW64\Kdpmbc32.exe

C:\Windows\system32\Kdpmbc32.exe

C:\Windows\SysWOW64\Kgninn32.exe

C:\Windows\system32\Kgninn32.exe

C:\Windows\SysWOW64\Kkjeomld.exe

C:\Windows\system32\Kkjeomld.exe

C:\Windows\SysWOW64\Knhakh32.exe

C:\Windows\system32\Knhakh32.exe

C:\Windows\SysWOW64\Kqfngd32.exe

C:\Windows\system32\Kqfngd32.exe

C:\Windows\SysWOW64\Lgqfdnah.exe

C:\Windows\system32\Lgqfdnah.exe

C:\Windows\SysWOW64\Lklbdm32.exe

C:\Windows\system32\Lklbdm32.exe

C:\Windows\SysWOW64\Ljobpiql.exe

C:\Windows\system32\Ljobpiql.exe

C:\Windows\SysWOW64\Lmmolepp.exe

C:\Windows\system32\Lmmolepp.exe

C:\Windows\SysWOW64\Lcggio32.exe

C:\Windows\system32\Lcggio32.exe

C:\Windows\SysWOW64\Lgccinoe.exe

C:\Windows\system32\Lgccinoe.exe

C:\Windows\SysWOW64\Lknojl32.exe

C:\Windows\system32\Lknojl32.exe

C:\Windows\SysWOW64\Lekmnajj.exe

C:\Windows\system32\Lekmnajj.exe

C:\Windows\SysWOW64\Lcnmin32.exe

C:\Windows\system32\Lcnmin32.exe

C:\Windows\SysWOW64\Lkeekk32.exe

C:\Windows\system32\Lkeekk32.exe

C:\Windows\SysWOW64\Lmgabcge.exe

C:\Windows\system32\Lmgabcge.exe

C:\Windows\SysWOW64\Lqbncb32.exe

C:\Windows\system32\Lqbncb32.exe

C:\Windows\SysWOW64\Mkhapk32.exe

C:\Windows\system32\Mkhapk32.exe

C:\Windows\SysWOW64\Mjkblhfo.exe

C:\Windows\system32\Mjkblhfo.exe

C:\Windows\SysWOW64\Mminhceb.exe

C:\Windows\system32\Mminhceb.exe

C:\Windows\SysWOW64\Madjhb32.exe

C:\Windows\system32\Madjhb32.exe

C:\Windows\SysWOW64\Mccfdmmo.exe

C:\Windows\system32\Mccfdmmo.exe

C:\Windows\SysWOW64\Mnmdme32.exe

C:\Windows\system32\Mnmdme32.exe

C:\Windows\SysWOW64\Mmpdhboj.exe

C:\Windows\system32\Mmpdhboj.exe

C:\Windows\SysWOW64\Malpia32.exe

C:\Windows\system32\Malpia32.exe

C:\Windows\SysWOW64\Megljppl.exe

C:\Windows\system32\Megljppl.exe

C:\Windows\SysWOW64\Mgehfkop.exe

C:\Windows\system32\Mgehfkop.exe

C:\Windows\SysWOW64\Mkadfj32.exe

C:\Windows\system32\Mkadfj32.exe

C:\Windows\SysWOW64\Mjdebfnd.exe

C:\Windows\system32\Mjdebfnd.exe

C:\Windows\SysWOW64\Mnpabe32.exe

C:\Windows\system32\Mnpabe32.exe

C:\Windows\SysWOW64\Manmoq32.exe

C:\Windows\system32\Manmoq32.exe

C:\Windows\SysWOW64\Meiioonj.exe

C:\Windows\system32\Meiioonj.exe

C:\Windows\SysWOW64\Nghekkmn.exe

C:\Windows\system32\Nghekkmn.exe

C:\Windows\SysWOW64\Njfagf32.exe

C:\Windows\system32\Njfagf32.exe

C:\Windows\SysWOW64\Nmenca32.exe

C:\Windows\system32\Nmenca32.exe

C:\Windows\SysWOW64\Napjdpcn.exe

C:\Windows\system32\Napjdpcn.exe

C:\Windows\SysWOW64\Ncofplba.exe

C:\Windows\system32\Ncofplba.exe

C:\Windows\SysWOW64\Nmgjia32.exe

C:\Windows\system32\Nmgjia32.exe

C:\Windows\SysWOW64\Nlhkgi32.exe

C:\Windows\system32\Nlhkgi32.exe

C:\Windows\SysWOW64\Njkkbehl.exe

C:\Windows\system32\Njkkbehl.exe

C:\Windows\SysWOW64\Nnfgcd32.exe

C:\Windows\system32\Nnfgcd32.exe

C:\Windows\SysWOW64\Naecop32.exe

C:\Windows\system32\Naecop32.exe

C:\Windows\SysWOW64\Neqopnhb.exe

C:\Windows\system32\Neqopnhb.exe

C:\Windows\SysWOW64\Nlkgmh32.exe

C:\Windows\system32\Nlkgmh32.exe

C:\Windows\SysWOW64\Njmhhefi.exe

C:\Windows\system32\Njmhhefi.exe

C:\Windows\SysWOW64\Nmlddqem.exe

C:\Windows\system32\Nmlddqem.exe

C:\Windows\SysWOW64\Neclenfo.exe

C:\Windows\system32\Neclenfo.exe

C:\Windows\SysWOW64\Nlmdbh32.exe

C:\Windows\system32\Nlmdbh32.exe

C:\Windows\SysWOW64\Nnkpnclp.exe

C:\Windows\system32\Nnkpnclp.exe

C:\Windows\SysWOW64\Odhifjkg.exe

C:\Windows\system32\Odhifjkg.exe

C:\Windows\SysWOW64\Oloahhki.exe

C:\Windows\system32\Oloahhki.exe

C:\Windows\SysWOW64\Ojbacd32.exe

C:\Windows\system32\Ojbacd32.exe

C:\Windows\SysWOW64\Omqmop32.exe

C:\Windows\system32\Omqmop32.exe

C:\Windows\SysWOW64\Oalipoiq.exe

C:\Windows\system32\Oalipoiq.exe

C:\Windows\SysWOW64\Ohfami32.exe

C:\Windows\system32\Ohfami32.exe

C:\Windows\SysWOW64\Ojdnid32.exe

C:\Windows\system32\Ojdnid32.exe

C:\Windows\SysWOW64\Omcjep32.exe

C:\Windows\system32\Omcjep32.exe

C:\Windows\SysWOW64\Oejbfmpg.exe

C:\Windows\system32\Oejbfmpg.exe

C:\Windows\SysWOW64\Ohhnbhok.exe

C:\Windows\system32\Ohhnbhok.exe

C:\Windows\SysWOW64\Ojgjndno.exe

C:\Windows\system32\Ojgjndno.exe

C:\Windows\SysWOW64\Oaqbkn32.exe

C:\Windows\system32\Oaqbkn32.exe

C:\Windows\SysWOW64\Odoogi32.exe

C:\Windows\system32\Odoogi32.exe

C:\Windows\SysWOW64\Ohkkhhmh.exe

C:\Windows\system32\Ohkkhhmh.exe

C:\Windows\SysWOW64\Oodcdb32.exe

C:\Windows\system32\Oodcdb32.exe

C:\Windows\SysWOW64\Ohmhmh32.exe

C:\Windows\system32\Ohmhmh32.exe

C:\Windows\SysWOW64\Okkdic32.exe

C:\Windows\system32\Okkdic32.exe

C:\Windows\SysWOW64\Paelfmaf.exe

C:\Windows\system32\Paelfmaf.exe

C:\Windows\SysWOW64\Pddhbipj.exe

C:\Windows\system32\Pddhbipj.exe

C:\Windows\SysWOW64\Poimpapp.exe

C:\Windows\system32\Poimpapp.exe

C:\Windows\SysWOW64\Pecellgl.exe

C:\Windows\system32\Pecellgl.exe

C:\Windows\SysWOW64\Plmmif32.exe

C:\Windows\system32\Plmmif32.exe

C:\Windows\SysWOW64\Poliea32.exe

C:\Windows\system32\Poliea32.exe

C:\Windows\SysWOW64\Pefabkej.exe

C:\Windows\system32\Pefabkej.exe

C:\Windows\SysWOW64\Phdnngdn.exe

C:\Windows\system32\Phdnngdn.exe

C:\Windows\SysWOW64\Pkbjjbda.exe

C:\Windows\system32\Pkbjjbda.exe

C:\Windows\SysWOW64\Pmaffnce.exe

C:\Windows\system32\Pmaffnce.exe

C:\Windows\SysWOW64\Pkegpb32.exe

C:\Windows\system32\Pkegpb32.exe

C:\Windows\SysWOW64\Popbpqjh.exe

C:\Windows\system32\Popbpqjh.exe

C:\Windows\SysWOW64\Paoollik.exe

C:\Windows\system32\Paoollik.exe

C:\Windows\SysWOW64\Pldcjeia.exe

C:\Windows\system32\Pldcjeia.exe

C:\Windows\SysWOW64\Pkgcea32.exe

C:\Windows\system32\Pkgcea32.exe

C:\Windows\SysWOW64\Qmepam32.exe

C:\Windows\system32\Qmepam32.exe

C:\Windows\SysWOW64\Qemhbj32.exe

C:\Windows\system32\Qemhbj32.exe

C:\Windows\SysWOW64\Qhkdof32.exe

C:\Windows\system32\Qhkdof32.exe

C:\Windows\SysWOW64\Qlgpod32.exe

C:\Windows\system32\Qlgpod32.exe

C:\Windows\SysWOW64\Qoelkp32.exe

C:\Windows\system32\Qoelkp32.exe

C:\Windows\SysWOW64\Qachgk32.exe

C:\Windows\system32\Qachgk32.exe

C:\Windows\SysWOW64\Qdbdcg32.exe

C:\Windows\system32\Qdbdcg32.exe

C:\Windows\SysWOW64\Qhmqdemc.exe

C:\Windows\system32\Qhmqdemc.exe

C:\Windows\SysWOW64\Qklmpalf.exe

C:\Windows\system32\Qklmpalf.exe

C:\Windows\SysWOW64\Amjillkj.exe

C:\Windows\system32\Amjillkj.exe

C:\Windows\SysWOW64\Aeaanjkl.exe

C:\Windows\system32\Aeaanjkl.exe

C:\Windows\SysWOW64\Addaif32.exe

C:\Windows\system32\Addaif32.exe

C:\Windows\SysWOW64\Aknifq32.exe

C:\Windows\system32\Aknifq32.exe

C:\Windows\SysWOW64\Anmfbl32.exe

C:\Windows\system32\Anmfbl32.exe

C:\Windows\SysWOW64\Aahbbkaq.exe

C:\Windows\system32\Aahbbkaq.exe

C:\Windows\SysWOW64\Adfnofpd.exe

C:\Windows\system32\Adfnofpd.exe

C:\Windows\SysWOW64\Ahbjoe32.exe

C:\Windows\system32\Ahbjoe32.exe

C:\Windows\SysWOW64\Akqfkp32.exe

C:\Windows\system32\Akqfkp32.exe

C:\Windows\SysWOW64\Aolblopj.exe

C:\Windows\system32\Aolblopj.exe

C:\Windows\SysWOW64\Aefjii32.exe

C:\Windows\system32\Aefjii32.exe

C:\Windows\SysWOW64\Adikdfna.exe

C:\Windows\system32\Adikdfna.exe

C:\Windows\SysWOW64\Ahdged32.exe

C:\Windows\system32\Ahdged32.exe

C:\Windows\SysWOW64\Akccap32.exe

C:\Windows\system32\Akccap32.exe

C:\Windows\SysWOW64\Anaomkdb.exe

C:\Windows\system32\Anaomkdb.exe

C:\Windows\SysWOW64\Aehgnied.exe

C:\Windows\system32\Aehgnied.exe

C:\Windows\SysWOW64\Adkgje32.exe

C:\Windows\system32\Adkgje32.exe

C:\Windows\SysWOW64\Albpkc32.exe

C:\Windows\system32\Albpkc32.exe

C:\Windows\SysWOW64\Aoalgn32.exe

C:\Windows\system32\Aoalgn32.exe

C:\Windows\SysWOW64\Anclbkbp.exe

C:\Windows\system32\Anclbkbp.exe

C:\Windows\SysWOW64\Aekddhcb.exe

C:\Windows\system32\Aekddhcb.exe

C:\Windows\SysWOW64\Ahippdbe.exe

C:\Windows\system32\Ahippdbe.exe

C:\Windows\SysWOW64\Alelqb32.exe

C:\Windows\system32\Alelqb32.exe

C:\Windows\SysWOW64\Bochmn32.exe

C:\Windows\system32\Bochmn32.exe

C:\Windows\SysWOW64\Baadiiif.exe

C:\Windows\system32\Baadiiif.exe

C:\Windows\SysWOW64\Bemqih32.exe

C:\Windows\system32\Bemqih32.exe

C:\Windows\SysWOW64\Bkjiao32.exe

C:\Windows\system32\Bkjiao32.exe

C:\Windows\SysWOW64\Badanigc.exe

C:\Windows\system32\Badanigc.exe

C:\Windows\SysWOW64\Bhnikc32.exe

C:\Windows\system32\Bhnikc32.exe

C:\Windows\SysWOW64\Bklfgo32.exe

C:\Windows\system32\Bklfgo32.exe

C:\Windows\SysWOW64\Bafndi32.exe

C:\Windows\system32\Bafndi32.exe

C:\Windows\SysWOW64\Bddjpd32.exe

C:\Windows\system32\Bddjpd32.exe

C:\Windows\SysWOW64\Bllbaa32.exe

C:\Windows\system32\Bllbaa32.exe

C:\Windows\SysWOW64\Bnmoijje.exe

C:\Windows\system32\Bnmoijje.exe

C:\Windows\SysWOW64\Bedgjgkg.exe

C:\Windows\system32\Bedgjgkg.exe

C:\Windows\SysWOW64\Bhbcfbjk.exe

C:\Windows\system32\Bhbcfbjk.exe

C:\Windows\SysWOW64\Bomkcm32.exe

C:\Windows\system32\Bomkcm32.exe

C:\Windows\SysWOW64\Bffcpg32.exe

C:\Windows\system32\Bffcpg32.exe

C:\Windows\SysWOW64\Bheplb32.exe

C:\Windows\system32\Bheplb32.exe

C:\Windows\SysWOW64\Ckclhn32.exe

C:\Windows\system32\Ckclhn32.exe

C:\Windows\SysWOW64\Cfipef32.exe

C:\Windows\system32\Cfipef32.exe

C:\Windows\SysWOW64\Chglab32.exe

C:\Windows\system32\Chglab32.exe

C:\Windows\SysWOW64\Cbpajgmf.exe

C:\Windows\system32\Cbpajgmf.exe

C:\Windows\SysWOW64\Chiigadc.exe

C:\Windows\system32\Chiigadc.exe

C:\Windows\SysWOW64\Ckhecmcf.exe

C:\Windows\system32\Ckhecmcf.exe

C:\Windows\SysWOW64\Cbbnpg32.exe

C:\Windows\system32\Cbbnpg32.exe

C:\Windows\SysWOW64\Clgbmp32.exe

C:\Windows\system32\Clgbmp32.exe

C:\Windows\SysWOW64\Cofnik32.exe

C:\Windows\system32\Cofnik32.exe

C:\Windows\SysWOW64\Cbdjeg32.exe

C:\Windows\system32\Cbdjeg32.exe

C:\Windows\SysWOW64\Cdbfab32.exe

C:\Windows\system32\Cdbfab32.exe

C:\Windows\SysWOW64\Cohkokgj.exe

C:\Windows\system32\Cohkokgj.exe

C:\Windows\SysWOW64\Cbfgkffn.exe

C:\Windows\system32\Cbfgkffn.exe

C:\Windows\SysWOW64\Ddgplado.exe

C:\Windows\system32\Ddgplado.exe

C:\Windows\SysWOW64\Dbkqfe32.exe

C:\Windows\system32\Dbkqfe32.exe

C:\Windows\SysWOW64\Dmadco32.exe

C:\Windows\system32\Dmadco32.exe

C:\Windows\SysWOW64\Dbnmke32.exe

C:\Windows\system32\Dbnmke32.exe

C:\Windows\SysWOW64\Dmcain32.exe

C:\Windows\system32\Dmcain32.exe

C:\Windows\SysWOW64\Doaneiop.exe

C:\Windows\system32\Doaneiop.exe

C:\Windows\SysWOW64\Dbpjaeoc.exe

C:\Windows\system32\Dbpjaeoc.exe

C:\Windows\SysWOW64\Dijbno32.exe

C:\Windows\system32\Dijbno32.exe

C:\Windows\SysWOW64\Dngjff32.exe

C:\Windows\system32\Dngjff32.exe

C:\Windows\SysWOW64\Dfnbgc32.exe

C:\Windows\system32\Dfnbgc32.exe

C:\Windows\SysWOW64\Emhkdmlg.exe

C:\Windows\system32\Emhkdmlg.exe

C:\Windows\SysWOW64\Eofgpikj.exe

C:\Windows\system32\Eofgpikj.exe

C:\Windows\SysWOW64\Eecphp32.exe

C:\Windows\system32\Eecphp32.exe

C:\Windows\SysWOW64\Emjgim32.exe

C:\Windows\system32\Emjgim32.exe

C:\Windows\SysWOW64\Eoideh32.exe

C:\Windows\system32\Eoideh32.exe

C:\Windows\SysWOW64\Ebgpad32.exe

C:\Windows\system32\Ebgpad32.exe

C:\Windows\SysWOW64\Eiahnnph.exe

C:\Windows\system32\Eiahnnph.exe

C:\Windows\SysWOW64\Ekodjiol.exe

C:\Windows\system32\Ekodjiol.exe

C:\Windows\SysWOW64\Ennqfenp.exe

C:\Windows\system32\Ennqfenp.exe

C:\Windows\SysWOW64\Eicedn32.exe

C:\Windows\system32\Eicedn32.exe

C:\Windows\SysWOW64\Epmmqheb.exe

C:\Windows\system32\Epmmqheb.exe

C:\Windows\SysWOW64\Eifaim32.exe

C:\Windows\system32\Eifaim32.exe

C:\Windows\SysWOW64\Ekdnei32.exe

C:\Windows\system32\Ekdnei32.exe

C:\Windows\SysWOW64\Efjbcakl.exe

C:\Windows\system32\Efjbcakl.exe

C:\Windows\SysWOW64\Flfkkhid.exe

C:\Windows\system32\Flfkkhid.exe

C:\Windows\SysWOW64\Fbpchb32.exe

C:\Windows\system32\Fbpchb32.exe

C:\Windows\SysWOW64\Fmfgek32.exe

C:\Windows\system32\Fmfgek32.exe

C:\Windows\SysWOW64\Fpdcag32.exe

C:\Windows\system32\Fpdcag32.exe

C:\Windows\SysWOW64\Ffnknafg.exe

C:\Windows\system32\Ffnknafg.exe

C:\Windows\SysWOW64\Fimhjl32.exe

C:\Windows\system32\Fimhjl32.exe

C:\Windows\SysWOW64\Fnipbc32.exe

C:\Windows\system32\Fnipbc32.exe

C:\Windows\SysWOW64\Fiodpl32.exe

C:\Windows\system32\Fiodpl32.exe

C:\Windows\SysWOW64\Fpimlfke.exe

C:\Windows\system32\Fpimlfke.exe

C:\Windows\SysWOW64\Ffceip32.exe

C:\Windows\system32\Ffceip32.exe

C:\Windows\SysWOW64\Fmmmfj32.exe

C:\Windows\system32\Fmmmfj32.exe

C:\Windows\SysWOW64\Fpkibf32.exe

C:\Windows\system32\Fpkibf32.exe

C:\Windows\SysWOW64\Gidnkkpc.exe

C:\Windows\system32\Gidnkkpc.exe

C:\Windows\SysWOW64\Gpnfge32.exe

C:\Windows\system32\Gpnfge32.exe

C:\Windows\SysWOW64\Gfhndpol.exe

C:\Windows\system32\Gfhndpol.exe

C:\Windows\SysWOW64\Gifkpknp.exe

C:\Windows\system32\Gifkpknp.exe

C:\Windows\SysWOW64\Gppcmeem.exe

C:\Windows\system32\Gppcmeem.exe

C:\Windows\SysWOW64\Gbnoiqdq.exe

C:\Windows\system32\Gbnoiqdq.exe

C:\Windows\SysWOW64\Gihgfk32.exe

C:\Windows\system32\Gihgfk32.exe

C:\Windows\SysWOW64\Gnepna32.exe

C:\Windows\system32\Gnepna32.exe

C:\Windows\SysWOW64\Gikdkj32.exe

C:\Windows\system32\Gikdkj32.exe

C:\Windows\SysWOW64\Gpelhd32.exe

C:\Windows\system32\Gpelhd32.exe

C:\Windows\SysWOW64\Gbchdp32.exe

C:\Windows\system32\Gbchdp32.exe

C:\Windows\SysWOW64\Gimqajgh.exe

C:\Windows\system32\Gimqajgh.exe

C:\Windows\SysWOW64\Glkmmefl.exe

C:\Windows\system32\Glkmmefl.exe

C:\Windows\SysWOW64\Hedafk32.exe

C:\Windows\system32\Hedafk32.exe

C:\Windows\SysWOW64\Hbhboolf.exe

C:\Windows\system32\Hbhboolf.exe

C:\Windows\SysWOW64\Hmmfmhll.exe

C:\Windows\system32\Hmmfmhll.exe

C:\Windows\SysWOW64\Hbjoeojc.exe

C:\Windows\system32\Hbjoeojc.exe

C:\Windows\SysWOW64\Hmpcbhji.exe

C:\Windows\system32\Hmpcbhji.exe

C:\Windows\SysWOW64\Hmbphg32.exe

C:\Windows\system32\Hmbphg32.exe

C:\Windows\SysWOW64\Hpqldc32.exe

C:\Windows\system32\Hpqldc32.exe

C:\Windows\SysWOW64\Hbohpn32.exe

C:\Windows\system32\Hbohpn32.exe

C:\Windows\SysWOW64\Hiipmhmk.exe

C:\Windows\system32\Hiipmhmk.exe

C:\Windows\SysWOW64\Hlglidlo.exe

C:\Windows\system32\Hlglidlo.exe

C:\Windows\SysWOW64\Ibaeen32.exe

C:\Windows\system32\Ibaeen32.exe

C:\Windows\SysWOW64\Imgicgca.exe

C:\Windows\system32\Imgicgca.exe

C:\Windows\SysWOW64\Ifomll32.exe

C:\Windows\system32\Ifomll32.exe

C:\Windows\SysWOW64\Iinjhh32.exe

C:\Windows\system32\Iinjhh32.exe

C:\Windows\SysWOW64\Igajal32.exe

C:\Windows\system32\Igajal32.exe

C:\Windows\SysWOW64\Imkbnf32.exe

C:\Windows\system32\Imkbnf32.exe

C:\Windows\SysWOW64\Ibhkfm32.exe

C:\Windows\system32\Ibhkfm32.exe

C:\Windows\SysWOW64\Ieidhh32.exe

C:\Windows\system32\Ieidhh32.exe

C:\Windows\SysWOW64\Jghpbk32.exe

C:\Windows\system32\Jghpbk32.exe

C:\Windows\SysWOW64\Jocefm32.exe

C:\Windows\system32\Jocefm32.exe

C:\Windows\SysWOW64\Jofalmmp.exe

C:\Windows\system32\Jofalmmp.exe

C:\Windows\SysWOW64\Johnamkm.exe

C:\Windows\system32\Johnamkm.exe

C:\Windows\SysWOW64\Jgpfbjlo.exe

C:\Windows\system32\Jgpfbjlo.exe

C:\Windows\SysWOW64\Jokkgl32.exe

C:\Windows\system32\Jokkgl32.exe

C:\Windows\SysWOW64\Jgbchj32.exe

C:\Windows\system32\Jgbchj32.exe

C:\Windows\SysWOW64\Jjpode32.exe

C:\Windows\system32\Jjpode32.exe

C:\Windows\SysWOW64\Kjblje32.exe

C:\Windows\system32\Kjblje32.exe

C:\Windows\SysWOW64\Koodbl32.exe

C:\Windows\system32\Koodbl32.exe

C:\Windows\SysWOW64\Kcmmhj32.exe

C:\Windows\system32\Kcmmhj32.exe

C:\Windows\SysWOW64\Kncaec32.exe

C:\Windows\system32\Kncaec32.exe

C:\Windows\SysWOW64\Kodnmkap.exe

C:\Windows\system32\Kodnmkap.exe

C:\Windows\SysWOW64\Kfnfjehl.exe

C:\Windows\system32\Kfnfjehl.exe

C:\Windows\SysWOW64\Kofkbk32.exe

C:\Windows\system32\Kofkbk32.exe

C:\Windows\SysWOW64\Kfpcoefj.exe

C:\Windows\system32\Kfpcoefj.exe

C:\Windows\SysWOW64\Kngkqbgl.exe

C:\Windows\system32\Kngkqbgl.exe

C:\Windows\SysWOW64\Loighj32.exe

C:\Windows\system32\Loighj32.exe

C:\Windows\SysWOW64\Llmhaold.exe

C:\Windows\system32\Llmhaold.exe

C:\Windows\SysWOW64\Lgdidgjg.exe

C:\Windows\system32\Lgdidgjg.exe

C:\Windows\SysWOW64\Lfjfecno.exe

C:\Windows\system32\Lfjfecno.exe

C:\Windows\SysWOW64\Lmdnbn32.exe

C:\Windows\system32\Lmdnbn32.exe

C:\Windows\SysWOW64\Lobjni32.exe

C:\Windows\system32\Lobjni32.exe

C:\Windows\SysWOW64\Lgibpf32.exe

C:\Windows\system32\Lgibpf32.exe

C:\Windows\SysWOW64\Lncjlq32.exe

C:\Windows\system32\Lncjlq32.exe

C:\Windows\SysWOW64\Mqafhl32.exe

C:\Windows\system32\Mqafhl32.exe

C:\Windows\SysWOW64\Mcpcdg32.exe

C:\Windows\system32\Mcpcdg32.exe

C:\Windows\SysWOW64\Mfnoqc32.exe

C:\Windows\system32\Mfnoqc32.exe

C:\Windows\SysWOW64\Mnegbp32.exe

C:\Windows\system32\Mnegbp32.exe

C:\Windows\SysWOW64\Mogcihaj.exe

C:\Windows\system32\Mogcihaj.exe

C:\Windows\SysWOW64\Mgnlkfal.exe

C:\Windows\system32\Mgnlkfal.exe

C:\Windows\SysWOW64\Mjlhgaqp.exe

C:\Windows\system32\Mjlhgaqp.exe

C:\Windows\SysWOW64\Mmkdcm32.exe

C:\Windows\system32\Mmkdcm32.exe

C:\Windows\SysWOW64\Moipoh32.exe

C:\Windows\system32\Moipoh32.exe

C:\Windows\SysWOW64\Mgphpe32.exe

C:\Windows\system32\Mgphpe32.exe

C:\Windows\SysWOW64\Mjodla32.exe

C:\Windows\system32\Mjodla32.exe

C:\Windows\SysWOW64\Mmmqhl32.exe

C:\Windows\system32\Mmmqhl32.exe

C:\Windows\SysWOW64\Mokmdh32.exe

C:\Windows\system32\Mokmdh32.exe

C:\Windows\SysWOW64\Mfeeabda.exe

C:\Windows\system32\Mfeeabda.exe

C:\Windows\SysWOW64\Mnmmboed.exe

C:\Windows\system32\Mnmmboed.exe

C:\Windows\SysWOW64\Mqkiok32.exe

C:\Windows\system32\Mqkiok32.exe

C:\Windows\SysWOW64\Mgeakekd.exe

C:\Windows\system32\Mgeakekd.exe

C:\Windows\SysWOW64\Mjcngpjh.exe

C:\Windows\system32\Mjcngpjh.exe

C:\Windows\SysWOW64\Nmbjcljl.exe

C:\Windows\system32\Nmbjcljl.exe

C:\Windows\SysWOW64\Nopfpgip.exe

C:\Windows\system32\Nopfpgip.exe

C:\Windows\SysWOW64\Nggnadib.exe

C:\Windows\system32\Nggnadib.exe

C:\Windows\SysWOW64\Njfkmphe.exe

C:\Windows\system32\Njfkmphe.exe

C:\Windows\SysWOW64\Nmdgikhi.exe

C:\Windows\system32\Nmdgikhi.exe

C:\Windows\SysWOW64\Npbceggm.exe

C:\Windows\system32\Npbceggm.exe

C:\Windows\SysWOW64\Ngjkfd32.exe

C:\Windows\system32\Ngjkfd32.exe

C:\Windows\SysWOW64\Njhgbp32.exe

C:\Windows\system32\Njhgbp32.exe

C:\Windows\SysWOW64\Nqbpojnp.exe

C:\Windows\system32\Nqbpojnp.exe

C:\Windows\SysWOW64\Nglhld32.exe

C:\Windows\system32\Nglhld32.exe

C:\Windows\SysWOW64\Njjdho32.exe

C:\Windows\system32\Njjdho32.exe

C:\Windows\SysWOW64\Nnfpinmi.exe

C:\Windows\system32\Nnfpinmi.exe

C:\Windows\SysWOW64\Ncchae32.exe

C:\Windows\system32\Ncchae32.exe

C:\Windows\SysWOW64\Nfaemp32.exe

C:\Windows\system32\Nfaemp32.exe

C:\Windows\SysWOW64\Nnhmnn32.exe

C:\Windows\system32\Nnhmnn32.exe

C:\Windows\SysWOW64\Nagiji32.exe

C:\Windows\system32\Nagiji32.exe

C:\Windows\SysWOW64\Nceefd32.exe

C:\Windows\system32\Nceefd32.exe

C:\Windows\SysWOW64\Nfcabp32.exe

C:\Windows\system32\Nfcabp32.exe

C:\Windows\SysWOW64\Onkidm32.exe

C:\Windows\system32\Onkidm32.exe

C:\Windows\SysWOW64\Oplfkeob.exe

C:\Windows\system32\Oplfkeob.exe

C:\Windows\SysWOW64\Ogcnmc32.exe

C:\Windows\system32\Ogcnmc32.exe

C:\Windows\SysWOW64\Onmfimga.exe

C:\Windows\system32\Onmfimga.exe

C:\Windows\SysWOW64\Oakbehfe.exe

C:\Windows\system32\Oakbehfe.exe

C:\Windows\SysWOW64\Ocjoadei.exe

C:\Windows\system32\Ocjoadei.exe

C:\Windows\SysWOW64\Ofhknodl.exe

C:\Windows\system32\Ofhknodl.exe

C:\Windows\SysWOW64\Ombcji32.exe

C:\Windows\system32\Ombcji32.exe

C:\Windows\SysWOW64\Opqofe32.exe

C:\Windows\system32\Opqofe32.exe

C:\Windows\SysWOW64\Ofkgcobj.exe

C:\Windows\system32\Ofkgcobj.exe

C:\Windows\SysWOW64\Onapdl32.exe

C:\Windows\system32\Onapdl32.exe

C:\Windows\SysWOW64\Oaplqh32.exe

C:\Windows\system32\Oaplqh32.exe

C:\Windows\SysWOW64\Ocohmc32.exe

C:\Windows\system32\Ocohmc32.exe

C:\Windows\SysWOW64\Ofmdio32.exe

C:\Windows\system32\Ofmdio32.exe

C:\Windows\SysWOW64\Omgmeigd.exe

C:\Windows\system32\Omgmeigd.exe

C:\Windows\SysWOW64\Oabhfg32.exe

C:\Windows\system32\Oabhfg32.exe

C:\Windows\SysWOW64\Ohlqcagj.exe

C:\Windows\system32\Ohlqcagj.exe

C:\Windows\SysWOW64\Pjkmomfn.exe

C:\Windows\system32\Pjkmomfn.exe

C:\Windows\SysWOW64\Paeelgnj.exe

C:\Windows\system32\Paeelgnj.exe

C:\Windows\SysWOW64\Phonha32.exe

C:\Windows\system32\Phonha32.exe

C:\Windows\SysWOW64\Pjmjdm32.exe

C:\Windows\system32\Pjmjdm32.exe

C:\Windows\SysWOW64\Pagbaglh.exe

C:\Windows\system32\Pagbaglh.exe

C:\Windows\SysWOW64\Phajna32.exe

C:\Windows\system32\Phajna32.exe

C:\Windows\SysWOW64\Pjpfjl32.exe

C:\Windows\system32\Pjpfjl32.exe

C:\Windows\SysWOW64\Pmnbfhal.exe

C:\Windows\system32\Pmnbfhal.exe

C:\Windows\SysWOW64\Pplobcpp.exe

C:\Windows\system32\Pplobcpp.exe

C:\Windows\SysWOW64\Pffgom32.exe

C:\Windows\system32\Pffgom32.exe

C:\Windows\SysWOW64\Pnmopk32.exe

C:\Windows\system32\Pnmopk32.exe

C:\Windows\SysWOW64\Palklf32.exe

C:\Windows\system32\Palklf32.exe

C:\Windows\SysWOW64\Phfcipoo.exe

C:\Windows\system32\Phfcipoo.exe

C:\Windows\SysWOW64\Pjdpelnc.exe

C:\Windows\system32\Pjdpelnc.exe

C:\Windows\SysWOW64\Pmblagmf.exe

C:\Windows\system32\Pmblagmf.exe

C:\Windows\SysWOW64\Pdmdnadc.exe

C:\Windows\system32\Pdmdnadc.exe

C:\Windows\SysWOW64\Qfkqjmdg.exe

C:\Windows\system32\Qfkqjmdg.exe

C:\Windows\SysWOW64\Qobhkjdi.exe

C:\Windows\system32\Qobhkjdi.exe

C:\Windows\SysWOW64\Qaqegecm.exe

C:\Windows\system32\Qaqegecm.exe

C:\Windows\SysWOW64\Qhjmdp32.exe

C:\Windows\system32\Qhjmdp32.exe

C:\Windows\SysWOW64\Qjiipk32.exe

C:\Windows\system32\Qjiipk32.exe

C:\Windows\SysWOW64\Qmgelf32.exe

C:\Windows\system32\Qmgelf32.exe

C:\Windows\SysWOW64\Qdaniq32.exe

C:\Windows\system32\Qdaniq32.exe

C:\Windows\SysWOW64\Afpjel32.exe

C:\Windows\system32\Afpjel32.exe

C:\Windows\SysWOW64\Aogbfi32.exe

C:\Windows\system32\Aogbfi32.exe

C:\Windows\SysWOW64\Aphnnafb.exe

C:\Windows\system32\Aphnnafb.exe

C:\Windows\SysWOW64\Adcjop32.exe

C:\Windows\system32\Adcjop32.exe

C:\Windows\SysWOW64\Aknbkjfh.exe

C:\Windows\system32\Aknbkjfh.exe

C:\Windows\SysWOW64\Aagkhd32.exe

C:\Windows\system32\Aagkhd32.exe

C:\Windows\SysWOW64\Adfgdpmi.exe

C:\Windows\system32\Adfgdpmi.exe

C:\Windows\SysWOW64\Agdcpkll.exe

C:\Windows\system32\Agdcpkll.exe

C:\Windows\SysWOW64\Aokkahlo.exe

C:\Windows\system32\Aokkahlo.exe

C:\Windows\SysWOW64\Apmhiq32.exe

C:\Windows\system32\Apmhiq32.exe

C:\Windows\SysWOW64\Aggpfkjj.exe

C:\Windows\system32\Aggpfkjj.exe

C:\Windows\SysWOW64\Aonhghjl.exe

C:\Windows\system32\Aonhghjl.exe

C:\Windows\SysWOW64\Aaldccip.exe

C:\Windows\system32\Aaldccip.exe

C:\Windows\SysWOW64\Adkqoohc.exe

C:\Windows\system32\Adkqoohc.exe

C:\Windows\SysWOW64\Agimkk32.exe

C:\Windows\system32\Agimkk32.exe

C:\Windows\SysWOW64\Amcehdod.exe

C:\Windows\system32\Amcehdod.exe

C:\Windows\SysWOW64\Apaadpng.exe

C:\Windows\system32\Apaadpng.exe

C:\Windows\SysWOW64\Bgkiaj32.exe

C:\Windows\system32\Bgkiaj32.exe

C:\Windows\SysWOW64\Bobabg32.exe

C:\Windows\system32\Bobabg32.exe

C:\Windows\SysWOW64\Baannc32.exe

C:\Windows\system32\Baannc32.exe

C:\Windows\SysWOW64\Bdojjo32.exe

C:\Windows\system32\Bdojjo32.exe

C:\Windows\SysWOW64\Bkibgh32.exe

C:\Windows\system32\Bkibgh32.exe

C:\Windows\SysWOW64\Bacjdbch.exe

C:\Windows\system32\Bacjdbch.exe

C:\Windows\SysWOW64\Bdagpnbk.exe

C:\Windows\system32\Bdagpnbk.exe

C:\Windows\SysWOW64\Bgpcliao.exe

C:\Windows\system32\Bgpcliao.exe

C:\Windows\SysWOW64\Bogkmgba.exe

C:\Windows\system32\Bogkmgba.exe

C:\Windows\SysWOW64\Baegibae.exe

C:\Windows\system32\Baegibae.exe

C:\Windows\SysWOW64\Bddcenpi.exe

C:\Windows\system32\Bddcenpi.exe

C:\Windows\SysWOW64\Bgbpaipl.exe

C:\Windows\system32\Bgbpaipl.exe

C:\Windows\SysWOW64\Bnlhncgi.exe

C:\Windows\system32\Bnlhncgi.exe

C:\Windows\SysWOW64\Bdfpkm32.exe

C:\Windows\system32\Bdfpkm32.exe

C:\Windows\SysWOW64\Bgelgi32.exe

C:\Windows\system32\Bgelgi32.exe

C:\Windows\SysWOW64\Bnoddcef.exe

C:\Windows\system32\Bnoddcef.exe

C:\Windows\SysWOW64\Cpmapodj.exe

C:\Windows\system32\Cpmapodj.exe

C:\Windows\SysWOW64\Chdialdl.exe

C:\Windows\system32\Chdialdl.exe

C:\Windows\SysWOW64\Conanfli.exe

C:\Windows\system32\Conanfli.exe

C:\Windows\SysWOW64\Cammjakm.exe

C:\Windows\system32\Cammjakm.exe

C:\Windows\SysWOW64\Cdkifmjq.exe

C:\Windows\system32\Cdkifmjq.exe

C:\Windows\SysWOW64\Cgifbhid.exe

C:\Windows\system32\Cgifbhid.exe

C:\Windows\SysWOW64\Ckebcg32.exe

C:\Windows\system32\Ckebcg32.exe

C:\Windows\SysWOW64\Cpbjkn32.exe

C:\Windows\system32\Cpbjkn32.exe

C:\Windows\SysWOW64\Chiblk32.exe

C:\Windows\system32\Chiblk32.exe

C:\Windows\SysWOW64\Ckgohf32.exe

C:\Windows\system32\Ckgohf32.exe

C:\Windows\SysWOW64\Cdpcal32.exe

C:\Windows\system32\Cdpcal32.exe

C:\Windows\SysWOW64\Cgnomg32.exe

C:\Windows\system32\Cgnomg32.exe

C:\Windows\SysWOW64\Coegoe32.exe

C:\Windows\system32\Coegoe32.exe

C:\Windows\SysWOW64\Cpfcfmlp.exe

C:\Windows\system32\Cpfcfmlp.exe

C:\Windows\SysWOW64\Cgqlcg32.exe

C:\Windows\system32\Cgqlcg32.exe

C:\Windows\SysWOW64\Cogddd32.exe

C:\Windows\system32\Cogddd32.exe

C:\Windows\SysWOW64\Dafppp32.exe

C:\Windows\system32\Dafppp32.exe

C:\Windows\SysWOW64\Dddllkbf.exe

C:\Windows\system32\Dddllkbf.exe

C:\Windows\SysWOW64\Dkndie32.exe

C:\Windows\system32\Dkndie32.exe

C:\Windows\SysWOW64\Dnmaea32.exe

C:\Windows\system32\Dnmaea32.exe

C:\Windows\SysWOW64\Dpkmal32.exe

C:\Windows\system32\Dpkmal32.exe

C:\Windows\SysWOW64\Dhbebj32.exe

C:\Windows\system32\Dhbebj32.exe

C:\Windows\SysWOW64\Dkqaoe32.exe

C:\Windows\system32\Dkqaoe32.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 9388 -ip 9388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 9388 -s 412

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/1032-0-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Jpdhkf32.exe

MD5 70a997c3712092fa3a1c37622072ada3
SHA1 e407dd06bc06e7810ec78be1a4789865361951ae
SHA256 cf35a684c1ff1134ea2d631ce8f40ad6e904aa8367bfeb5afa0588e61004eff7
SHA512 f164b693caf8e54511e95f6b85659dee51b3c4a3a542650ec70993881d9fc05c7a349cc80c78e156501f874b5ac5ffe009240059355f6cc07b80abef5ddd3de2

memory/1032-7-0x0000000000431000-0x0000000000432000-memory.dmp

memory/400-8-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Jcbdgb32.exe

MD5 4867011810cb2682379b4de96595c663
SHA1 1938c91ac3c912d9386c5bdba484ecd33f3d634b
SHA256 25fd69a5ff73833eec3cb8dff6113c0b48f7cdf57a4085a2c0e739ecc58e7c93
SHA512 dc37861db6c6be288795d20864aa5aa503bcf5bbe1658502d71ace5c99ecc5f27a14cf772e3b3c11b77dcfe1fc6c94fc5fc8b31fffb267778e7d32c8655115f5

C:\Windows\SysWOW64\Jjlmclqa.exe

MD5 37a79bbb0abbfb096eed029696ad4e60
SHA1 951bb9b53f3bc5c8778e27e4b02446a1c2b0976d
SHA256 bfaf073f96c52b312f21ae4ad89ade00e6c7ee7041e8807707228d96080bd9a4
SHA512 e6ae4c755d2fe0785d2fae53d2f21a928821434c9fed6092a7ae59c5a451bca1eda86f7a066d4fd84e4dc0af56702bd25c2406ef75fc3f7a2c5691eca7f9a234

memory/3608-16-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Jlkipgpe.exe

MD5 05c90992fd4a3f68250cedf04027ac6a
SHA1 831104d812f6ca9a2de846bc458dfe1e3623f550
SHA256 4d7e64d4c27ce3dff4abaf182c0fc5586cf94e207de3a4ccd255a5d6b1ab3beb
SHA512 838220defafd739dda4e0cad3b4fbca7f480ae5d2013bab7b4174542bb26450860bb44345189282b5124956b671b1fa091683abe25508c0124e2e2b244c0ea71

memory/4176-25-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2952-33-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Jqhafffk.exe

MD5 276a5a4d34cd669da53ca73804b68f06
SHA1 abaafcba6db59299f5a70e05ab6e348b2fdc7207
SHA256 b470fefe82c24f9962d3ba072d8a0f7377fcb21b9bbc3305d48b3017ef101f7c
SHA512 b69da5bb90cbd0e933d1477dc8d9b8ef3a73dc553d220f19533b3b95d8cb12f55168aebc7a89ee3bfc14686aaa4520f663f134aadc47f54fe4cfec5753a883d3

C:\Windows\SysWOW64\Jcgnbaeo.exe

MD5 7ecbeca0e79d5062a1fda1504820957a
SHA1 1d9603ff9a41454e69984d40e8db59d667cb1434
SHA256 f3ad3573eee1657821ecf7d59a678935ed840a629b42fae897c567e11558cec2
SHA512 65f0245a02f2a3c21678192346539342f314f7ecca0adcca09deb8f3c3be67800f9437e033ba68436e4718ac6778817b9d67bb0e32a62d4299b3e75e29080453

memory/2908-46-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Jgbjbp32.exe

MD5 610f813ec976e42cdc80c716edb8dac5
SHA1 6b7e52827b552f5308b101a46a3dfb1a14f3dc01
SHA256 778f3d1727392a243782fddc267c556340e4b38dbfb3e42e81a15de7058d3334
SHA512 a59cb82c77254cdc5f3b26f7157d128d5bb1ecce930d284f595ed5d7bf6e25a691b7eb5ab856a8ee1d77ae7863e3713d24aa4ba4c6b28140496c5e77cb3ef997

memory/3356-57-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Jnlbojee.exe

MD5 dac168052cdb952d4b7bafaf7c77b911
SHA1 dbc1c504e69525b1a4d26a331745ed068ba7e2f0
SHA256 06a9b0a5f4ffe522b806149197d242f1643a9b64a49d82bc98e7b11c42690543
SHA512 9a02ea6433a270827d37d81aa70b5b2b22e5b4eaba0c3d3520f4ab76ad8f4a04be7070447d32cfc66935c1410e6498a8e2f6b666bc3a63d960eb183ebcd28380

memory/3776-69-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Jlobkg32.exe

MD5 3f1d8ec5413ec4f2858f1de7c90c0baf
SHA1 8be39fcddd2e3ab74c497f17ec3de6b69ec3a12c
SHA256 9dc53da9795debe32e325f62ce76d57060cb21cf7ea82cdf7215a3f1dd32a3f2
SHA512 aa2f403ec084295300dbe7209ffa1f2b2224910de759269610e4f88d6bcd32775f05268a814ab925980f5d51a0d8acb6c1cc948041f83b3ea0631c51a6a739a2

memory/4944-73-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Kkpbin32.exe

MD5 8f2f3e4613b2f1886898ac949f49ee47
SHA1 02f650ab0f41f2d23bfe260d254544174c89e9a7
SHA256 6e5a1b1e9b68f1b1f71c263addc8fb54c28c8ad99594ea7fd1e2211b82fe8d04
SHA512 d5aee9d0690c229919b341ea76c4fdd72f95c7557894d35e26c3a7635f0727921e6285973d7cfbf35b7ddb0a20d86fb573b775211830baa7466649ba2a4144cb

memory/1908-97-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Knooej32.exe

MD5 51ea976890e89e05bb6457e89f55040c
SHA1 1d9e30a0c1651cf73c13b4d4966fb22fcd891854
SHA256 b1ed2a170f3c67f51bef7a12421033469ad8a08797561613ef1674585c053451
SHA512 342e786f9a23b05d1c13d66ec123eb82f09c4da2d79b6c00f5895d826bd0530e55b93be38c7f5062c42b7a141cae18ca60fb85164962e88eae149de6d31b8073

C:\Windows\SysWOW64\Kqmkae32.exe

MD5 a5efab64e06ff839e7e1fead4adc3a88
SHA1 813b2197c4f7d63a371755dcc8dbd99cc8b03486
SHA256 ff509876a1ba71a051b424d5465becd15971499169344aadd9c65e9dd4ff98b2
SHA512 7aaead7498a8cde0fc2885d45da09fffbd5e19389cb3d12a2734fe9eb7e38c90124edc1f2ca94eee30e3733e5ef86133ac0de5ecd096004b89a81544c9e8ce2c

memory/4528-105-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Kmdlffhj.exe

MD5 63878d10ad2cc956d98ef3145b7f62b4
SHA1 d943aa35f59e112d830bb5fde6e6821b3844c2e1
SHA256 7869017befd2548aee9c1802e753ebb7fdef86d539f497ff0b673050154ef2cd
SHA512 20c84c8179cdc1cca10beded143a47525c4b1a32f1e63b019c77ba8b2c99c518fdc6e6c814c3cbbe2eb609164f87dd5cea8a3785dd39f730afef7ac9206bdf29

memory/3588-88-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4948-121-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4036-137-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Kkgiimng.exe

MD5 8a95b41c389d7d0517e886728d6c4a5f
SHA1 49df86fbb29c76d6341571cf8729b037c9570d98
SHA256 2ef1338cfd774ce60c22517591a895fdc09b81ac100cc91c3ad10843a40fde41
SHA512 788966a2395b201c61c66f095dedee55cd9f48a42a9a10cdbe8e993d7fc3169e05049f51e0554b2d4a14dc2886192847edb2e41a44e56e90a6a79faab6668788

C:\Windows\SysWOW64\Kqdaadln.exe

MD5 0eb5a4b4c9f424aedd6549f9726f9d15
SHA1 cc3208322ea21e19a5fb04a6c0bced9e1ffa1858
SHA256 048b7f84da971ec1e2dd9c93480ab4ca6c1ab24620dc59dff99a3cae49cc3545
SHA512 1266f58ac2f8b8d9ae746a5cb4d02adb8fbeaf7a630bb78684d871d9ea00a78a7e33b5ec06d5e9d536b980bff13dec33630866a496964abcf5324e1f27b3fce0

C:\Windows\SysWOW64\Kgninn32.exe

MD5 cacc6ad516eb36bd172321c4d81bcc32
SHA1 4ea2010f5d759fd19b542f6f751870b36ed91e72
SHA256 0b39e1e26da39a5c91f00e6fe214b07a488fe2121aa9371ba912af6e975cdd88
SHA512 4685f8e5e3921342b3af3efceeca1336306ccbda8228eb00676980a8ee0370e9c631dad904ffcea9582d0ba240c88faee36c7f55ea55b353447ca3b124f11694

memory/556-166-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4864-182-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Knhakh32.exe

MD5 0b9dde73260267955189d33d181d82fd
SHA1 3d70864d22536d48c2c4458e1f2d2d3cd3459dd8
SHA256 96294179a0d1088f6f3709304f373d913d74691bc7c470955f1f800c3b63f3c0
SHA512 44955880b6d19b7d6244ea5fb111d5afd175bdfe0a9b40027e4418058eda5cdff4f934a8a03d2c768d26198743a7d0dbea9e848ee5562d5685e4a3cbfdd75f05

C:\Windows\SysWOW64\Ljobpiql.exe

MD5 0abcc718bb0e53434a99674955d7803a
SHA1 eba072e42e681fcb48983ff8939e387043179be2
SHA256 7595439c1368ca6d1252a4c1467eed56600706f4b8912968db90a2180be25f0d
SHA512 b7f5d404de03913bea70e102b002e656ff0a65f5343c1d356596ea8c75103095e33a33980e2a47a1112280a8d57f1ed2d9e2613fc1923f049e1a70749f50184f

memory/4920-220-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Lmmolepp.exe

MD5 1715c7b5a1bbba477c0280238f1eb42a
SHA1 398eee0b55033f44c9db6b69219bcdba43378b33
SHA256 f5a628fc75dd9e1682fbadee1ac206f629efcad9dceedd7f67e284549bee055f
SHA512 cb4dd5cf625e168cd8c87399b49143ae1d46678499c694c7ef1dea11ea97cfa56d3b205eea7b146f88810a4bb92307d9bf8afa4d515b965b97c4fd8d24e6da08

C:\Windows\SysWOW64\Lcggio32.exe

MD5 93f69b4721f1922d0bdf40aa15896bf0
SHA1 d1ae311a76b3c9026328437a4ec86fc194d40811
SHA256 c8dd3e570e491dbe25b74c0171d420821b8519d1def55443bc1475b5ac5ec454
SHA512 1f7845da6d0918f9f1ff3d5164c2d325a7aa76afdf39f24061e504cb44cb006a5ac5fb390a360799826e018edf64f211c70284bc232da2055af01eb0d22e2561

C:\Windows\SysWOW64\Lgccinoe.exe

MD5 ed15a81e1b8e7174083d08b183aa4f39
SHA1 731de38520ba0ea5a83ce59f091725089379ed6d
SHA256 a81dfd99cb8614f9c6096a437432c7ff2e4794806fdcabe398bc09e9dcec526a
SHA512 c128d8ca6b250cc1d56704add2509ca2948328eb7fa26ac6a41c8a9880d150ada955e16c16f8ad1943666b2c3324d8144eb3d0f51ae091b40e0ea4d93ef788d7

C:\Windows\SysWOW64\Lknojl32.exe

MD5 eab1a300dc433d566ac0062ec4cdf813
SHA1 eae35081867d4aa01ec29f6f68fa310aab76ea5a
SHA256 9c78113b33d932c23febd692d14ac4e446e21ee8091349e60c44184dae126c30
SHA512 9ea882af14e3d4fab5ddb142dbcedc863e60a0a4627812d5a7de994a710aabd20d61fdbcae564e2266bcf8fe6d8e16c267d129adf9106d90ce44da2065b0139c

memory/8-248-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1488-245-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3188-243-0x0000000000400000-0x0000000000468000-memory.dmp

memory/700-273-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1520-279-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2920-289-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2044-302-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Mminhceb.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4508-308-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3728-291-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Mkhapk32.exe

MD5 c1b6a786d40ef0f7de65af361594d07b
SHA1 123683078d62a980153f71b3d05e72ef07c99a7b
SHA256 615a5f23aa6396c3458abdb8cda166e00aa26b753e5cbcfbb7bf76bfe2525fab
SHA512 f64bc968902ceb33383d68c2db1043071a20bbdca8965cc28e6b6c1107be9cedbaff34a6de6644aadff62a80dcb7580a43c09b291f154999322fa54feddf989e

memory/2648-267-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Lkeekk32.exe

MD5 56084bc82064c3c277f307c2c31ce83e
SHA1 bc5c0a2e1e0862d71537024807366b40771da9c9
SHA256 c7ae057b963e55b0f3a75f16893e2eb562f38447b66d55833adc7345af968e3c
SHA512 4f009f9e66a8999bad831da14ca26a851515905df06e8ed2bc046abaec925a7f54605fbe604146e439d3402961b6294866391ced93332496cbedaef5636adfd3

memory/4792-261-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Lekmnajj.exe

MD5 799f949c28fc6dc72ad6d51175b8b95a
SHA1 082ebcc322d6f6cb74eb2314cf69cb1f8d599ccb
SHA256 29a44f4e724e337cbb0ab7a2eadfaeb36b9572380277a2081b7d5c1ce24b9dc4
SHA512 a385941b1aa0c6f9ab88e10277ff03b3842e46c73c7bcea6027af8d744f73166db2c0bb9be1dbc708a7ca8f941d3d14247d14d13d9142195b0c72a0b1707f570

memory/3308-331-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1192-341-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1524-354-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3528-362-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2408-373-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1704-383-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4368-356-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2364-391-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1716-397-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Ncofplba.exe

MD5 299c9eb0e80ea88173a297446af5b6ac
SHA1 a900efec2ab7a04c5f224f1d6f8c3d085f1e3f90
SHA256 b54a6724164fdba7c012946056c93efe132be232507300dea617bebf8ce97db4
SHA512 7e0d6b9137ccc563cea33a3a3d2f85d6ad398710d3697f0d41fae6805c148c109e3dee406e9a934e29842768247f41b914b02b7f89e788f86d8bf957b121d232

memory/2400-385-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3544-408-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3944-419-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1328-431-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4564-441-0x0000000000400000-0x0000000000468000-memory.dmp

memory/448-455-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4672-449-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4108-448-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Nmlddqem.exe

MD5 376f56c92c28b2acd186edf266d8d6b7
SHA1 584edf5ed961c1792255f1603dc6764a12dadca4
SHA256 a2b9c2555e706e36eb2a49459dc63d61759079ca2425f97f5b8a0f92d8720ed4
SHA512 e4b910a1592b2ad5634a68e9df3ed539b651359c9242d9ee98d49e155e61bcb49bc1646cd7152a8637862d8de740008c0274170f02e50e54ba2186afff26be25

memory/2724-430-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4536-478-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1780-484-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4816-495-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2272-502-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2944-496-0x0000000000400000-0x0000000000468000-memory.dmp

memory/336-473-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Oloahhki.exe

MD5 06b211e3d6e8675541581201ad9024f5
SHA1 138fd044dc29fd9581c1d884d2eb73412f56b40a
SHA256 68f716b96fc9d1901cfc75e73cb92d3989a847691eca476485ab72ab41f3cfa6
SHA512 451067db64a934fc2e2a22981a1c91a24ba07480495aa06935edb633a4bb3c3b761a31856f1ec0d58a072bf02600f22a951b76fbeb7f07185af2a2d5148cd532

memory/4884-466-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1480-512-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3988-514-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Mjdebfnd.exe

MD5 33b441454c87403eea2537a2067a8bae
SHA1 0f8fdb5a04c07dda4c390484375abc7731a9a2d2
SHA256 95afd7a56f34c081c888ec70927691af818acc9796cedd8f4d91c5d7bd94d6ce
SHA512 849a698e87452841c81c27d58b0e7568719392b1bec7227d124230238cadd424044e583b8cd12cd83e45d44140497ff050167264b0b94b13c43d63cc8b503cbd

memory/2640-344-0x0000000000400000-0x0000000000468000-memory.dmp

memory/264-332-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3992-525-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4820-320-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4824-314-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1432-213-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2484-208-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Lklbdm32.exe

MD5 f655dd82eaa71c25d276ffc46770b804
SHA1 9f8630509ee10f4faf7b3896f393c7c28d5fb66e
SHA256 f1490fc98c305008ea84630e145fb9b7acfa6a5c36a9ac8d3215c08fe3481ccb
SHA512 8fb02f9bfa0734dc284a881ba8efa6f37f655f0cd228f2e2713ffe371002a6e65bd325ebe10f49a379415bb17772e7f745e280538c97a171eb42d55827081c32

C:\Windows\SysWOW64\Lgqfdnah.exe

MD5 f35b783b2b9d820571b70d997a37b84d
SHA1 2aabe50d672b3927555b0d7a2c604fb77fcadfde
SHA256 3dddb2d302226ca1088fcbc958cbc5e4f7f9d9d280342200d313ab71d074c36d
SHA512 915db7e2654e061a7d640b4df678c6c10459dc26ab2d1fa00ee576dff7c1007d4f49d0f5357eca96a0bb4eb8e3cdec61c854a0c0e4c251d2380020f2119801f1

memory/2012-193-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Kqfngd32.exe

MD5 b4ef4a25b274fc5b59fec8cb86be5ab2
SHA1 dd277a385c11602c7c701a134d19da37b5b29745
SHA256 81ee5aca923a00752d8cac2d73e9b12d0550180f1d992384df12447568d86575
SHA512 5343375248246edcf0b09ccb6b00caf2a77ad650eb6018c3fbd0ee282ced627c4dec31c145684499451124f776a4836e117858d748bc57276cd0c81943232e4c

memory/1592-541-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3792-185-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1492-546-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3608-548-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Kkjeomld.exe

MD5 3cc5c75784961740ebc86a7d864a424f
SHA1 0a287269d2cc03e743fa336700b69aa3bf3aeb92
SHA256 71e4e8f22b1ad820b170f71078cad5f2b92a464a043a395a029bfe72f8fd57a0
SHA512 4da14cfe74239bea8b165c47f978851de4c69140c8087be9a775737e35987d3b157a7fca9b49eae150bf4e3641ed88837eae9f2d1e8b0f5443a003ef286bfeaf

memory/4808-173-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1032-549-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2780-550-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Kdpmbc32.exe

MD5 80c452b73d3e6d660776aecf72f0f796
SHA1 6f04970515b69dedd38084f26c22b458b072a91b
SHA256 8749dd7edc654046bfbeac4a08c3443396de4e258738d381d2174d158c5661cf
SHA512 d3a9ae8a3e5ed27e056b724c37bec6290a8b5875b589e43dc1a87baa39ec7348d6ffd1234bdf1024cfa4dffe72c79c4e1bda1aea564d63cbca9de4aba73be358

memory/2716-152-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2284-151-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Knfeeimj.exe

MD5 6db27a623038c2d9c50d69466def8f52
SHA1 6d157d48c48c3f49164ba309d8799b292bb15d1a
SHA256 f1c96169140627f4d7a60e6775ffd62e0f05dc7aa04f7c0cb4284586f5687e19
SHA512 022cd952f6faa05bec23f06c44e96ec01fd993267243d1442613b544271054b9a35422dd2b39f74a0ddc07cf2c6b5f165b07f02186dd412c113e9104e2602cee

memory/2504-129-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Kdmqmc32.exe

MD5 b3962b475fadab0ef02b499fe2a3e3e3
SHA1 8636cea70445d164bbf78a219f598ece60a3dd2e
SHA256 e2ddacbf1b1fa87b41b35cf5e51362d5d83363ac4b4982c5e72332358ca78faa
SHA512 b2978bf337855d85fe3da61de18e4c0dc06a500f878e224505accbc5ed438dea93da0593eb1e9224ddce92f451246ac18949fb28115424e2774b19126a26ee4d

C:\Windows\SysWOW64\Kqbdldnq.exe

MD5 b9b2051eb7ce7e0e132546bc4a7f6440
SHA1 2af33e74ccc293f42d25e00a047d08322253483a
SHA256 e1f87b40a63dd4fa888d57494fd266e7de570de251f449e8b5511eb2d309031b
SHA512 df2fe52fa4b36eea758b915c9ca4a98663f6d1beffb896a8c109801afa59e64e929887b9a72d61149cf4a4099cb767ee6d58529350ecc49230cc7d7bdc15687f

memory/4240-113-0x0000000000400000-0x0000000000468000-memory.dmp

memory/436-81-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Jdfjld32.exe

MD5 166d54269cefbc5a243cb7e461e9d85f
SHA1 43b862bb28bdb0a6dc43c3b6a2930288b42bb9cf
SHA256 7ffeda474aeae8ae52c1ebdab8c2eefa8b46bc19b78eb1bc8da7eb11feb88f51
SHA512 2141ca6b71289f247e6fa1cbf6677526bf85bd172fcf2ad5826cfa3e6e387b6931a11f53df974f01dcefb7ffa1a0560ccf34c9ccb945280269e8abfdd9b73b89

memory/1340-53-0x0000000000400000-0x0000000000468000-memory.dmp

memory/400-556-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4176-567-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2952-577-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2908-579-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4160-580-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1340-586-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3356-596-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3776-598-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4944-604-0x0000000000400000-0x0000000000468000-memory.dmp

memory/436-605-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3588-616-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1908-622-0x0000000000400000-0x0000000000468000-memory.dmp

memory/5212-623-0x0000000000400000-0x0000000000468000-memory.dmp

memory/5256-630-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4528-629-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4240-636-0x0000000000400000-0x0000000000468000-memory.dmp

memory/5300-637-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4948-643-0x0000000000400000-0x0000000000468000-memory.dmp

memory/5340-644-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Windows\SysWOW64\Ahippdbe.exe

MD5 933e2e0655f9c97935a6880a05c7c702
SHA1 245e330b95f9217eb11cfee41cd288d9aee830cc
SHA256 a8d363aa326811b9805eebae0515e8ef6065fc8e6feb79fcffff57a0e482394a
SHA512 1d07e2ed36a30d0451ce2a8060e1c085ad095bbc96db6bfb88ea0b56c028c03f7c6ade8af912c43a5079f4da5963fe0c38554ff25e18fa897662687783d66ba7

C:\Windows\SysWOW64\Bkjiao32.exe

MD5 4813d1dcf7488849416f2471fc6ef5d8
SHA1 dfc9e408716c0f732f0b6a3d0f459ce3c85f860c
SHA256 c13e0616d3ae3dfa14d96668b68942dfce6a6f13c537ed7a420a44a30ae32b97
SHA512 28aa17b18130fe11e0178c119824d34f7adfab2abd256967496961be12fbacdb51a56d3324478e7f100657418f6f9450f4f565c80e3556a16c46426f437a6ffb

C:\Windows\SysWOW64\Cbbnpg32.exe

MD5 afd5ae15b84a1b29dbfa968b537eda79
SHA1 4f523cce791f00bf63c26da897f67b00ac46536d
SHA256 c0cdd0c417e6cb13020e5a7b8a42afc9182f6bb83d9baee646d8d1d80ca2a134
SHA512 31123a4e1d4c0c212f5cbfb7e56abcfd5ead6e696a32781e3462f319d9b8f26e495626b0a19073c79ca9883d5dce6f0ee92ca984e5ad19945a8637ac27524863

C:\Windows\SysWOW64\Cdbfab32.exe

MD5 00c9b613ce4ea26dc72c015becd082ab
SHA1 23362819754e428ad5b4837006aabcfa9e36b241
SHA256 ebfebb7552b9a5dac14a8bb5c3399be5306fa1d44d73a7ec03654798babc26e2
SHA512 feb4d7c99fe51988e9cff5f5fcf037cfb21e1866ce88754ee184b9e0793a29bcc262a2e94cf7dcc83722b6a75b3fa8865a6d514060ac95edb641f9303c6fa109

C:\Windows\SysWOW64\Cbfgkffn.exe

MD5 2b1e2015f3df172ec3ae3f4cc83bcad1
SHA1 cb575e05302bd857c22c10e3fa3ad92d2f0f040b
SHA256 107c44e252d1f3aaeccb99c6de1c224a8dc076364daa1362bba75744c23f298d
SHA512 d395b35cc9ccd223a1eebef4968cae4a86420221da57799c944ce8e6c6b4f1eb2efbd4ddc02cdd2618a69501e36606a1bbfb46fac3510aaabf8284ff4e5e4e8e

C:\Windows\SysWOW64\Dmadco32.exe

MD5 0790e44a3b5f15963c3c6b5ea2a2112e
SHA1 ea830974c269da0fecaa6c466101aa4deb86276a
SHA256 4d3824e01dc050e2566720ed46d254a13112f6eb5f351dd8999f0f3720be2c19
SHA512 9d2af994386a0d13232d9edc525e3d2452e35f934d3a1ae76765048bfefdda848f07027158eac01b73c04e94d2faf5693f1a2c008457864b284526f650dae758

C:\Windows\SysWOW64\Eecphp32.exe

MD5 c4f011f8bbb0ce5729d9d93bedf6ec38
SHA1 580659ba68105df59b0eb3c9eb27fc19a4dc4a39
SHA256 7acc5f9e3bba73b1d64e6e4a744c781f72265fc8f7dae3071c66ef106ca72e9b
SHA512 11927bb2ce43e9cc861a364b7d5b99572728b3175f92e05ea4aa9c11736f59b7fe8fd1e4826fb95e6dc240fab100b97493ed4de93b803a55f0df7db0eba3d909

C:\Windows\SysWOW64\Ennqfenp.exe

MD5 b40e00def3e370b9eba81a92019dc430
SHA1 d2ebbca47dd731fffbcd83b2d3a1a9ced3cfa53d
SHA256 bd68fbdad27b1e469d4ebceff551be7ffa5461d3e1a1388aac59464bd1122aa6
SHA512 d03846b41ecb20a0edd8d053c5056a80c2439f6c896cb3957e6270e48e9111ebdf2822109b9ecd9c6cdc6c8456c3c57da3ca0adb60c04be092c7ff8a283a9295

C:\Windows\SysWOW64\Eifaim32.exe

MD5 0ad4e243e29e18f11c4e7c4e9eaebd79
SHA1 2008eba39ac5538e54476eba99d10db004868a7b
SHA256 5469756c468ae8eb25d66068f583767964a204d73080d4bed7718348aa10385b
SHA512 d4b6ec3c06291dc6545cfce3738ed650507dacab337bdd7e7a179d7a10149af0b41f7e049d4dd496541141094467a9712952870de57115250a3a5b561d19e5ae

C:\Windows\SysWOW64\Flfkkhid.exe

MD5 853bdfe4af2aa1a74b583655c66ed874
SHA1 8e153db85fa7c7adac186f24a63ac1b7a38f3dbe
SHA256 399d8a652f9d4e1e02310602d42485f7ff7cdbe2d6f193fa7480b3647bfec53a
SHA512 82d740ccf640324037ea8924af8a30bc06cce0f56078cb8e112494693a2511c2311feb16888a3d8b7df61daecf6622219d32055599ef60a3ec1bc5d06c955c0a

C:\Windows\SysWOW64\Fnipbc32.exe

MD5 9931c9a1ab9fdbefe71ca9fc77e1c01e
SHA1 1ee2f8550f34ba972d0f5ddb9543c17acc00f6b3
SHA256 8cfa1145b96530eb57e42e0e2ea1357a7255916847a12502e8e39d1701fed770
SHA512 0910e5195885d23aaa4aeb7ca5b464e9035014289d08407485ccc34add67afc933f0012867bfc4220f1758b3712ecbcdd20b176abc7ab30f1f2c24b0e8c73acf

C:\Windows\SysWOW64\Gidnkkpc.exe

MD5 e173086ee4b8830aec2a77fb0cb42793
SHA1 3c3c2cbcd99a4d509214d15006bf225e1647ee6e
SHA256 dc3488adf2b9a0e181742754eef88f685473ed1d743b0f8ae238899f8c01aac6
SHA512 1010679a02b4b86ebad2d600b8f85f0fa880957e07fa6cbeadbcc16342c5661a6237dd28a6825a87390476adac93103ecf3c05f714d64e68ac843e54660076fd

C:\Windows\SysWOW64\Gihgfk32.exe

MD5 0496cfabc43601e83bde45db7482c741
SHA1 d63c15d3daf534f2a0ea4f80d90c90a8aa595850
SHA256 2674b47e15a5b4ed608ab06d6ac0e9dd65de597de9fda5cdba2f2bedc8c2bbb8
SHA512 4465579d4f40d1c3dd26ec284aac87f2937560e72589d0c07508b01b28dc3f3773779eb4239b1b3c74fb12e2067576272bbdfa38805f8ff04858d5e3563842fb

C:\Windows\SysWOW64\Gbchdp32.exe

MD5 c33ae63be229ad2286afbaf305103a53
SHA1 f314872c2841523619615cbff05ec89deb699ce3
SHA256 ecf53430e97ab5cd65e899a482ff041e713a6ca791cacff99b1a9add8a8433d1
SHA512 9023b67c558ef5bbb33ec602184a44029c3178bdecdbed90245f23479c6fb9e215b5c77ef558590f443cea7ac5c69de48edf19b6f8b93260698da86d472eaf11

C:\Windows\SysWOW64\Hedafk32.exe

MD5 d17bc4692c3f057a7b738a379fc2af8f
SHA1 73f1e785e9a02b31b80813f7162d00e6110089bd
SHA256 01ecf724e41975da48f3b07fc80893306bfd7b09abb2fcec5cfca0f45d6d287c
SHA512 ef6a9c927140debb2cd49ff10f27d7eebd0c5e4b1d6915afb4f25ee9416194c346ae1c1bfd53f3e257a7ff27e8259dd2ab8136546f1894342a44d94b81d71489

C:\Windows\SysWOW64\Hmpcbhji.exe

MD5 d8e37e50ca951748e48aa03f43937e89
SHA1 8805267e9eb39f1092dccb4f6c17e3e5d854e764
SHA256 8f2a35bf56578ea1fc3a4922750c915216f775f4a523bc7eecdeccb87f890079
SHA512 2676b752d24b8322f538a4e21f6d7a6ffe3007eb96ba023d39840383a1c367ea6f8d96765588e65c6095e18e6d2bfb372d7212f5ffb9419dec4cb57420b50802

C:\Windows\SysWOW64\Ibaeen32.exe

MD5 048647054ab7236e9b1c3f054a0d1475
SHA1 88a4a8ce8e02fc68bd2da9f22b36c92d78c60eab
SHA256 4234136305001f3e9386bfcb83b3a6b3c77b0a7dc0fddcfee4085f1517c7179c
SHA512 22f2fb72a53b823e7b47ddc3e6cf60958acc31473b149837c480b576fbba57029064301b7b9f82d497c69fb88780a19aa62ee7b95e6b64b3c18f13c3e3604380

C:\Windows\SysWOW64\Imkbnf32.exe

MD5 a97fde60b93d235fbcf891150402a592
SHA1 3e7e57d2bfc6043e35c816b3da544afc2801451e
SHA256 6d3195965ad5fe9d842172d9a79a3ecba2c02bb8b337d0178f43a3289057af51
SHA512 571ca56607e67d614174fcc7a9c67f4efcddd9f7e720d7db67e73ef6bc24fcd32c552659ec1f5423f2ec230d566c3b2f605d9d874727d25299a3874a01403327

C:\Windows\SysWOW64\Ieidhh32.exe

MD5 c9013756a0e8923b0a4298c9c59eab27
SHA1 673bde7893da01af56ed0719a6f322f72b824b09
SHA256 c65fa31c1b7258b10941e1f847c6adcb8d36f2626def70dece005d225f0d0987
SHA512 58e9f717cb3568715f81a19540a1930797dcb4ba8e4e4f638630cd0f1516a5ed74c1df6458b4650f0fabd1abed71c4092229d5daa2601a0b42b5df9dcfdebc1c

C:\Windows\SysWOW64\Jjpode32.exe

MD5 d5a52def37af3d7500c508f1ce1cf197
SHA1 fb1ed577f3ea87e88f9d9c6efab089a527cfcdf3
SHA256 a8793bf838b6a3644a89c89740966765e630dc9c1b053a64b84cab05bd9bebe8
SHA512 28054c47402616f7605e94a85293972463d22205fc9c8a95e652ae094159943b39b02e954b561a34a91722ad42626ddc0232549a6017785a07957cd36dc38333

C:\Windows\SysWOW64\Kcmmhj32.exe

MD5 acf9b320da295f06b35a9b2c914ad2de
SHA1 8e66b5c5ebae8537041af21dd71d49f7d5abcb7f
SHA256 0f2e383831288f083d58ea87a47b381ef1ac3b61e0d8824f31b0cdbd0fb5360c
SHA512 19e9d91b8563e16c37eab796afa56548896684eab98fa02d3a402c019354303a88190b5b5e8f44c6a1abb27ac24ef0e93b84e2f724e120ad60311de346cdd236

C:\Windows\SysWOW64\Kfnfjehl.exe

MD5 443401cf586a2c4f2d77fc42c0534ced
SHA1 714f8b84ad6c961cb4a5e650677e438fbc20318f
SHA256 0bddfefa1d1bd5527bd39b7e323ce8c0b7032f0f24cede25da9cde159833f01d
SHA512 cb214a1e8da75bde40150b55b7acc1f5cfbce7ef2be321780f25e942e47020da7b6c7f4c4322a4d719aee853db1e0e58751697da852b11bd105fb883614a7b2f

C:\Windows\SysWOW64\Llmhaold.exe

MD5 debc168e76f58ee12f52f3a05057edab
SHA1 27f4f82e44d853dc3aaaac1ccc1de9afc521ff3c
SHA256 73459c14ffdefbe27110adce060f6ad89bf3356b249d1b96833b3b20c3d4f128
SHA512 4a549a8de60c3d6c6c5dbea0d8d116c1823c11cf0cc89654c09b61f0d3226eed0a9ccba4d8cb21052cc6e94c16916eb2a040ed69c4990e58fac60ef1aef728ee

C:\Windows\SysWOW64\Lgibpf32.exe

MD5 a881b521b77f3471ce5deab3894ab129
SHA1 e99565d307cb0ce8f70a2a296e367bc7f1ee2542
SHA256 3f2b590e3d742229dd574d6f7f0b34c29f6072cd00f5d4e0bf1fb3aebef02118
SHA512 491c804605091533aba0f27e760cc8ed8561e7a6dca7e876c0c5f0f438c8a299f694fc8e50fb67b5919870dd6a5e16e5cb323670ca70378280abec8a837e5619

C:\Windows\SysWOW64\Mokmdh32.exe

MD5 e8c450633551f63ca0d03a54e0f9911c
SHA1 de3a3e64d08b24f7b5ea1b6da2c94b3a36c44080
SHA256 bb1484fecac6d936522e420fbdd7e60258e7c61d8e674c5ad0742885e0ef21c1
SHA512 89910ca98e0637fec7136a6e895db65373eacf366aaf9fcbe2e5578c30a4e136e94a6afccda70e7a066c13cedb0f433aa77eb03b7c1c5db539385cf5b9a5a892

C:\Windows\SysWOW64\Nggnadib.exe

MD5 d80ce1e88085a8cf043c3cf7bddb41e7
SHA1 c78af99d6c482560584d5a734d2a062c727effb7
SHA256 beb3c24bfb09f0fe9f7e1cbcd9d3763e85f2f102a1b07687b1679471017fc997
SHA512 7b7e1a2612ead36085f9696f61f69f7cebc3c6a96ef9265a1cf85dcb15b5f0f4b3c5bac0efbae87f46075fc42fb7d477cec52a5ac1882fd7eb6df0c3a917f813

C:\Windows\SysWOW64\Nqbpojnp.exe

MD5 93979db199cc8357c22a4d80e7553358
SHA1 4a8304ab5177a8128b627020f6922a7dab6c946b
SHA256 40ac891c97f4fc2c61c865e702b135db7854032f48f167a8d49b089d73f2cb8c
SHA512 64fd8effa6380127b81138236bb13b1866936ae0b596dfc016bef1f4948a27844cf584df23d10285fca35118229d9987866d472886f042091c2f89aac4a35d34

C:\Windows\SysWOW64\Nnfpinmi.exe

MD5 008115b4fb88dba1eceb3c55f1d0bd6e
SHA1 1734094ad43e8b4501afe4e6ca49d70d8329a921
SHA256 f577198cdf343e2744df9579721df50b2839a04f09e59a9d4d13d7f39ed22035
SHA512 73fb40a3a521bf9e855ab9ed94054ba24dedaa26f6e5af8c0485985f87a2f51b52587a0abe98cbc36f681c8057a7003274b18d998784312f39db7a8b10849bc9

C:\Windows\SysWOW64\Onkidm32.exe

MD5 ecbbbcc488f499decfdea1e26f44cd33
SHA1 e14d6b680213e3c6c24cadd93bee89f633477f32
SHA256 b6d0bc0f3ea4096659faca370eaf434b01cb8c1c39eda33c4409ebfc1dfe989a
SHA512 2634c9b7df13943e8148cedf5e85cfdf045d1a3ad6da954aba2b86ec1701aac79175331972fefa1bca65e7b4e1c947098df777b1b7c1de3729c71a4b9ec922bd

C:\Windows\SysWOW64\Opqofe32.exe

MD5 792f294e40cdc0cf9adf21f44ad1ba50
SHA1 0a2043fcd8f7cdcd19adfab4068c2e5c0c8263c4
SHA256 fbb42f7dfd2b68977528a9dc897c6fcef6de01009cf5585c492832d818d4da99
SHA512 37a21e1978e382aa4f9dcd421dea6e12db63d263c8eabfa391bd3c8af3df9acb523e00d22545ed8df54633a4108ed1149e8c70c1ca411503e5483a3d0fe63fb1

C:\Windows\SysWOW64\Ofmdio32.exe

MD5 fbbfafd607ed93dde258a5f72c437fe4
SHA1 6266caff6de84ace33a9d9ee4e95e5a0ac224dad
SHA256 006a8de383847f6693f2c6e1a0bc3db2779c40c2138d652d85528bcf36835c02
SHA512 c539d9676e7e4156b7b568fe9c241e24943d80445a39a5d5595f6a239a304ae73a25f7bc8841fd86ab2ad6992ff670b6bdffa3b770b8e480f5aac2b2c59f7e5e

C:\Windows\SysWOW64\Ohlqcagj.exe

MD5 b037e097abea240791b07b3b207e1234
SHA1 a3d365e644286341b97ccf28e4033d755c6fac5b
SHA256 5ab62dc0f46b09418a924ed4e7c08670f35af1f0b8a5dec2f74003f9e356c320
SHA512 53f41f3a071358c040f2d1ef6eda803785164dc045759c8cdfbc7e8abd16a1057d97d66b1bf454ca3ccb8ee6ab2ce50938ad2aa283625b4711b15b3d0dfadd80

C:\Windows\SysWOW64\Paeelgnj.exe

MD5 d0d0ed468b32487588f98aac244c353a
SHA1 dcf5b189b6e73500d7401694666486f8f1839de4
SHA256 e90c437c50c8d8ba049b42c48114184e65d704e9473bf39c933f0331c14c3090
SHA512 828c5fd61ee98864d10b3a3326c4374d5653963ca4d00287dfaa060a678404a66ec1e8c223feff8bdebcb9e0c2dcc0640592eab0614c18146c7406cbfc385a79

C:\Windows\SysWOW64\Pagbaglh.exe

MD5 0d45bbd3fb77900bba49f15425905b43
SHA1 418cbe535eeb7bf05b23c3589d2594a68682b285
SHA256 1d0fa6c00ed57d6ae9ae4e7d591cbea8ef4c673ddeaef0f167ae4dc7b8dcccdc
SHA512 e79c4bacf57ac5144453ac98dc5209c5e5cc44939687cd789ba96279ebe82e0309904ef122591a1a30753ef46480e9d0a77cd758030b5ee2815aef4d80e30882

C:\Windows\SysWOW64\Aknbkjfh.exe

MD5 76f8e1159e615835f150e41baf199436
SHA1 96cabbc718011ed45e5d92c98766839a4bb958f4
SHA256 f7adf45e4f3a5029e4de3b076865afeba1269cae7b658150b95671ec630ba707
SHA512 e9fbf54d86f9e3842946ab59394ca977d4cedc1c8fb35e3c911e2d326ebc1be20b20ad3178d4ace109b27b60d856033d71570b2b7f2ef74d33fc1b1d8b1f2cbf

C:\Windows\SysWOW64\Aokkahlo.exe

MD5 786d1f57f0e2c46344f2d0725e6170c3
SHA1 f7a0091ec96785db119aca5b46be50d7ba6ace34
SHA256 c8c110520d6e56dfc4c6b242ea91208a54fb96fcfde6815e7ccff5b89399b42f
SHA512 26b10249cd824d9a23b10aa0f62665cf44e3d2b64cfef72ef6762a741ca43b85d2554fb45024cfb712ea22665fcea2e199866d2277d7807d3a6161d5936e3789

C:\Windows\SysWOW64\Amcehdod.exe

MD5 06ce9b46e1719d7fd160a2d50b227efb
SHA1 22985877a68e6b37543fdd1501ad317a30782267
SHA256 d2b4f3eba4ec047fb74bcfbf61ebcbb965a4a0a4d6fda846a8ff2c4514260805
SHA512 357e1eef7b2b4266052300d830113ca6d5a953e1c6db7dd3c6f76459f00c2750ac0df935d11063acfce563464e063aa39d08c9aef05036eb20efd8e0c83092ac

C:\Windows\SysWOW64\Bkibgh32.exe

MD5 80c4f79dd2a012497b8a48a34cf83d70
SHA1 b3b4449fe8e422da6d10ce410f3bbd0a6a4fb383
SHA256 6a57f80150f8b86345ca6d7c9bd288ca567b69f826d9a25d972efba214aeac46
SHA512 a70044e28c30b4af5974eccb15f3ed5979ee17a1ad06c7020f5a7e7f8509a31d8f81f0becb3f0b88acca3087efec1403da206e871ffbbdf38813777e17f039c8

C:\Windows\SysWOW64\Bddcenpi.exe

MD5 d8d55ae819f6847af26ca7477ac3b75b
SHA1 f28ce9ecd07542369e8f0325d1517d525e02eca2
SHA256 01b1e0ef71f13c6092aeff0124e9bd3141d072309c97b2414c938d678073f8ff
SHA512 b9663e2a9e8b0c001cf0708a36c999cdd66bd9f85989586688c9f48444bd8fd32e47052e94e6fe7c113942f9b0ca2b224808578ff3f86d6a6c92ea74b3601a59

C:\Windows\SysWOW64\Bnlhncgi.exe

MD5 78036442974bbd1d57aa5fb0976b4d76
SHA1 41e734f8b399f18f67b25cf8e148f4373141e318
SHA256 62839c5efd39fb7168fd4989c8596b3115117b0e7f1ad18d3a726fe5c7e9053e
SHA512 64b4693ff12c0bc537da37fad33e54b1df6a4f9d7b4408f26d9e5a479cd3d1adbb0375fa6f14bc409755a62211e51b74729812d9437c5c439a4f85fc8bbb367f

C:\Windows\SysWOW64\Cpbjkn32.exe

MD5 11e1d0837bebad7f8a1eb271efd53b74
SHA1 6e5134fa6fe02693749bc55959b4a2eac6446145
SHA256 a3274184e181ab9eb2ab5f26fa6566736b629be7285cc8c1ebbd5160fa605d1f
SHA512 6b504052e926a1f9bd6894c174d0389e66e241cc71baced1b33c433460de93e7031e46e03a222a70e193a736a55f5629f98fb1577f5cec744ae1d5ffa624bbf5

C:\Windows\SysWOW64\Ckgohf32.exe

MD5 79acd1a471b8620534ecf7b2bb5ffef2
SHA1 d4e4040353a618c69b06fbbe0dafb6852e5ec7c5
SHA256 27d021c6a3c3728323853e786f1a3a90d025dc30838e6f37af60d1236a8e1fda
SHA512 03c6505e7560d5fec63ebf13bf3112ad41a78fda91403e09331e06d9eb5410c39fa99a25628530ae17bc10f3698f222ac05db67ac668f4d6b9b294516afdaa52

C:\Windows\SysWOW64\Coegoe32.exe

MD5 27c05a22103440ce766d82f3bb02a1b2
SHA1 6bcf95a08f3b972a456f25370dcea26ef7cd28ad
SHA256 67d1b1f05a56246e645dcd2e89b1ba6ed9910c058f0672b1c98c227375e2ee6a
SHA512 8010772ab50cf5ade41d5d446e9233e3995813ec86064438b140999c3e437b855d3564a4ee088628dd6b9f16e667ba132de0d065790d105a8a21a5bc852f67ba

C:\Windows\SysWOW64\Dkqaoe32.exe

MD5 958f1d7d5acd17197f672f6a94cd934d
SHA1 26a8f740c5bdc81bdb12d23af0796954e2526a94
SHA256 1acf64fff84d6533b74d79b9eab39adbe2e55716329afb94aafc08c6d1c93221
SHA512 af7a1bc5f5c317545165e63c7d89f40665afe1984bf6a3aa659031d259c7bd279320ca59c422a869f1ae85dd7c689ce19bbcce70714aaca99cee48dbe21c8d60

memory/9940-2282-0x0000000000400000-0x0000000000468000-memory.dmp

memory/9428-2296-0x0000000000400000-0x0000000000468000-memory.dmp

memory/8576-2311-0x0000000000400000-0x0000000000468000-memory.dmp

memory/7228-2378-0x0000000000400000-0x0000000000468000-memory.dmp

memory/6336-2568-0x0000000000400000-0x0000000000468000-memory.dmp

memory/6632-2552-0x0000000000400000-0x0000000000468000-memory.dmp

memory/6184-2577-0x0000000000400000-0x0000000000468000-memory.dmp

memory/5680-2628-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3240-2768-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4564-2776-0x0000000000400000-0x0000000000468000-memory.dmp